bonienl Posted October 16, 2019
> 15 minutes ago, climber455 said: Let me first say that setting this up was a breeze, you guys did a great job. One thing I noticed though is that when WireGuard is running, even if no clients are connected, it breaks network bridging to my VM. My Windows VM internet traffic gets sent over a VPN that is configured on my router; this determination is made based on the IP address of the VM itself. When WireGuard is in an active state the VM internet traffic is basically bypassing my router-based config and sending traffic out my regular internet connection. When I do an IP check I'm getting the public IP address of my internet connection, not the one supplied by the router VPN connection. I'm not entirely sure how this is happening; the only thing I can think is that there is a configuration bug with the network bridge in Unraid that the VM is using.
What kind of VPN access are you configuring on Unraid?
Xaero Posted October 16, 2019
> 5 hours ago, nuhll said: Hahha, I found out one of the biggest issues.... I always run my mobile in energy saver mode, which prevents apps like WireGuard from running correctly... YOU NEED to enable UNLIMITED DATA USAGE and DEACTIVATE any ENERGY saving features for WireGuard (!!!) (or don't use energy saver mode). So there's that mystery cleared... Next question is how to get my local DNS running. Tutorials on the internet say you can use your local DNS server (which doesn't seem to work for me); if I set the DNS to 192.168.86.5 nothing works (local DNS not, local IP not, internet not). I GOT IT WORKING 100%. I needed to enter my router's IP as DNS (which itself gets the DNS from my local DNS server - I guess it was blocking other DNS servers?). That's my setup which seems to work for now with my own DNS server: Only problem left is how to block YouTube ads on mobile... on desktop I don't get any ads because of Pi-hole, but on mobile, even with Pi-hole as DNS server, I still get ads.. anyone any idea?
You would want to use the remote tunnel option so that 0.0.0.0/24 is the AllowedIPs for the tunnel. This should capture all traffic from the remote device and send it through the DNS (your local router). You would want the DNS set to Pi-hole to get Pi-hole to filter it.
NewDisplayName Posted October 16, 2019 (edited)
> 6 minutes ago, Xaero said: You would want to use the remote tunnel option so that 0.0.0.0/24 is the AllowedIPs for the tunnel. This should capture all traffic from the remote device and send it through the DNS (your local router). You would want the DNS set to Pi-hole to get Pi-hole to filter it.
What are you talking about? I'm using "remote tunneled access". As I have it configured, it uses my Pi-hole; please read my whole post. The problem is that blocking YouTube ads via ONLY DNS is hard (not doable).
Edited October 16, 2019 by nuhll
climber455 Posted October 16, 2019
> 7 minutes ago, bonienl said: What kind of VPN access are you configuring on Unraid?
I configured remote tunneled access for one device and remote access to LAN for another.
NewDisplayName Posted October 16, 2019
> 2 minutes ago, climber455 said: I configured remote tunneled access for one device and remote access to LAN for another.
My guess would be that you misconfigured the IPs? Make screenshots of your settings.
climber455 Posted October 16, 2019 (edited)
> 17 minutes ago, nuhll said: My guess would be that you misconfigured the IPs? Make screenshots of your settings.
The tunnel works correctly; it's just that when it's active the VM that is running on Unraid bypasses the router-configured VPN settings.
Edited October 16, 2019 by climber455
earhog Posted October 16, 2019
> 22 minutes ago, bonienl said: With SSL enabled, it requires DNS to work properly. If the DNS server is not reachable when the tunnel is active, it makes the GUI not reachable.
So how do I get my SSL back working?
bonienl Posted October 16, 2019
> 26 minutes ago, bonienl said: When I do an IP check I'm getting the public IP address of my internet connection, not the one supplied by the router VPN connection.
You are testing this from the client (peer) side, right? When you activate the WG tunnel, it will send ALL traffic over the WG tunnel because you have selected "Remote tunneled access"; you need "Remote server access". Change the type of the second (and first) peer to "Remote server access". Next, reconfigure the client(s) with the updated changes.
> 29 minutes ago, bonienl said: the only thing I can think is that there is a configuration bug with the network bridge in Unraid that the VM is using.
You are thinking wrong.
climber455 Posted October 16, 2019
Ok, I think there is a misunderstanding here. The tunnel is working fine for both clients; the VM is NOT a client. What is happening is that traffic from the VM that is running on Unraid gets routed incorrectly when the tunnel is turned on (in an active state). The VM does not go through the tunnel at all, it's completely separate, it's just running on Unraid. The IP address of the VM is 192.158.20.4; it goes to the router and out an OpenVPN connection configured there. When WireGuard is activated the traffic from the VM is getting my ISP public address, not the VPN address it should be. So it looks like the VM is using WireGuard as its gateway for some reason. See the screenshots.
Without WireGuard running....
With WireGuard running, remember this isn't configured to use WireGuard at all.
Here is the routing table when the WireGuard server is running.
Sorry for being dense, maybe my configuration is just off.
bonienl Posted October 16, 2019
The default gateway is still your router (192.168.20.1) and VMs will still use that. The only destinations (remote peers) which go over the tunnel are the 10.253.0.X addresses.
climber455 Posted October 16, 2019
Right, that's what my understanding is. However, when the server is active it appears that the traffic is going to Unraid first. If I set "local gateway uses NAT" to NO the problem goes away and clients can access the LAN, but the remote tunneled access breaks. Just some observations for now. I know this is a work in progress.
blu3wh0 Posted October 16, 2019
FYI, I got the remote tunnel to work without a problem after I cleared my config, updated the plugin, and reconfigured.
Lee B Posted October 18, 2019
Hi all, the plugin works great, but I'm having issues being able to access any of the dockers I have set with a custom IP. I have seen this post mentioning routing but I'm not sure how to accomplish this; any help will be appreciated. Also, does this plugin work with NetBIOS names?
> Quote: https://forums.unraid.net/topic/84229-dynamix-wireguard-vpn/#
Xaero Posted October 18, 2019
> 10 hours ago, Lee B said: Hi all, the plugin works great, but I'm having issues being able to access any of the dockers I have set with a custom IP. I have seen this post mentioning routing but I'm not sure how to accomplish this; any help will be appreciated. Also, does this plugin work with NetBIOS names?
I believe NetBIOS would work with a NetBIOS over TCP implementation. By default, probably not.
ljm42 Posted October 19, 2019 (Author) (edited)
> On 10/16/2019 at 6:40 AM, nuhll said: I needed to enter my router's IP as DNS (which itself gets the DNS from my local DNS server
> On 10/16/2019 at 9:31 AM, ljm42 said: I think you might be right about needing to specify a DNS server when in "Remote tunneled access" mode. I'll do some more testing.
When I was testing a few days ago, it seemed like I needed to add a DNS server for "Remote tunneled access" to work. Maybe I was just tired or something, because my Android is currently connected using an unedited config file and it is working fine. All traffic is going through WireGuard without having to make any customizations. During this time I did upgrade the host from rc1 to rc3, which includes a newer version of WireGuard, so it is possible that made a difference.
Edit - I did find a use case where you NEED to enter a DNS server for the tunnel. When my Windows laptop is connected to my home network via wifi, if I type "nslookup" it shows the DNS server is my local router. If I then make a "Remote tunneled access" connection to an Unraid system on another network, the router on my network is no longer available for DNS. So I have to include a DNS server in the WireGuard config. Specifying either the remote router or a global server like 8.8.8.8 works equally well.
Edited October 19, 2019 by ljm42
ljm42 Posted October 19, 2019 (Author)
> 16 hours ago, Lee B said: the plugin works great, but I'm having issues being able to access any of the dockers I have set with a custom IP. I have seen this post mentioning routing but I'm not sure how to accomplish this; any help will be appreciated.
I don't use dockers with custom IPs. The best information is in this thread; I'd suggest following the discussion over there rather than starting a new one.
> 16 hours ago, Lee B said: Also, does this plugin work with NetBIOS names?
Not that I can see. As mentioned in the OP, I'd suggest using a hosts file if you must have name resolution. You could possibly use the LAN's DNS server, but that doesn't make sense for split tunneling.
ljm42 Posted October 19, 2019 (Author)
> On 10/16/2019 at 1:24 PM, climber455 said: Right, that's what my understanding is. However, when the server is active it appears that the traffic is going to Unraid first.
On the VM, try running "tracert www.google.com" in various configurations and see what changes. That will show you the path that the system is taking to get out to Google.
climber455 Posted October 19, 2019
> 1 hour ago, ljm42 said: On the VM, try running "tracert www.google.com" in various configurations and see what changes. That will show you the path that the system is taking to get out to Google.
This is from the VM. The first trace is with the WireGuard server inactive; the first IP is the gateway of the VPN. The second trace is with WireGuard active. The VM isn't hitting the IP of the VPN gateway, it's using the router as the gateway.
ljm42 Posted October 19, 2019 (Author)
> 9 minutes ago, climber455 said: This is from the VM. The first trace is with the WireGuard server inactive; the first IP is the gateway of the VPN. The second trace is with WireGuard active. The VM isn't hitting the IP of the VPN gateway, it's using the router as the gateway.
OK, so 192.168.20.1 is the direct IP of your router, without using VPN. And 10.8.0.1 is some sort of VPN running on your router? I see no evidence of Unraid being used as a gateway or anything super strange like that. I would look closer at how your router determines whether to send traffic through 10.8.0.1 or 192.168.20.1. Is it based on IP address or MAC address maybe? If so, you'll have to figure out why the router thinks the IP or MAC has changed.
climber455 Posted October 19, 2019
> 1 hour ago, ljm42 said: OK, so 192.168.20.1 is the direct IP of your router, without using VPN. And 10.8.0.1 is some sort of VPN running on your router? I see no evidence of Unraid being used as a gateway or anything super strange like that. I would look closer at how your router determines whether to send traffic through 10.8.0.1 or 192.168.20.1. Is it based on IP address or MAC address maybe? If so, you'll have to figure out why the router thinks the IP or MAC has changed.
You are correct. The VM running on Unraid gets its IP from the router based on MAC address, 192.168.20.4 in this case. The router sends traffic from 192.168.20.4 over the VPN. So activating WireGuard on Unraid is changing the IP of the VM? Seems weird. Maybe I'll try to statically assign the IP to the VM and test again.
climber455 Posted October 19, 2019
> 2 hours ago, ljm42 said: OK, so 192.168.20.1 is the direct IP of your router, without using VPN. And 10.8.0.1 is some sort of VPN running on your router? I see no evidence of Unraid being used as a gateway or anything super strange like that. I would look closer at how your router determines whether to send traffic through 10.8.0.1 or 192.168.20.1. Is it based on IP address or MAC address maybe? If so, you'll have to figure out why the router thinks the IP or MAC has changed.
So I got this sorted. If I add the IP address of the Unraid server to my "route over VPN" policy on the router, it works. It seems that when WireGuard is active the VM manager of Unraid sends all traffic from those VMs out the Unraid internet connection regardless of policies set on the router.
bonienl Posted October 20, 2019
See also this explanation.
climber455 Posted October 20, 2019
It looks like Unraid is proxying my VM traffic when WireGuard is running.
bonienl Posted October 20, 2019
> 24 minutes ago, climber455 said: It looks like Unraid is proxying my VM traffic when WireGuard is running.
Need more info. I have multiple VMs, all reachable when WireGuard is active.
david279 Posted October 20, 2019
> 1 hour ago, climber455 said: It looks like Unraid is proxying my VM traffic when WireGuard is running.
I saw something like this too. I run Pi-hole in a VM, and when the NAT setting in WireGuard is set to Yes all the clients in Pi-hole have the name of the unRAID server. The Pi-hole is run in an Ubuntu VM on my unRAID server. Once I set NAT to No, all the correct client names returned to normal. Now I run WireGuard with NAT set to No and enabled a static route on my router for WireGuard to my unRAID server, and all is good now.
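A constructed model of the routing and NAT behaviour the posts above are debugging (added example, not the plugin's own code): the host's routes as described in the thread (default via the router, 10.253.0.x over wg0), the effect of "local gateway uses NAT" on the source address the router sees, and climber455's workaround of adding the Unraid address to the router's VPN policy. The Unraid host address 192.168.20.2 and the masquerade explanation are assumptions, not something the thread confirms.

```python
import ipaddress

# Constructed host routing table modelled on the thread (assumed, not captured
# from a real Unraid box): default via the router, LAN on br0, WG peers on wg0.
ROUTES = [
    ("0.0.0.0/0", "192.168.20.1", "br0"),     # default gateway is the router
    ("192.168.20.0/24", None, "br0"),         # LAN is directly attached
    ("10.253.0.0/24", None, "wg0"),           # WireGuard peers
]
UNRAID_IP = "192.168.20.2"            # assumed address of the Unraid host
VM_IP = "192.168.20.4"                # VM address from the thread
ROUTER_VPN_POLICY = {VM_IP}           # sources the router sends over its own VPN


def lookup(dst, routes=ROUTES):
    """Longest-prefix match: return (next_hop, interface) for a destination."""
    addr = ipaddress.ip_address(dst)
    best = None
    for prefix, gw, dev in routes:
        net = ipaddress.ip_network(prefix)
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, gw, dev)
    return (best[1], best[2]) if best else (None, None)


def egress(src, dst, nat_enabled, policy=ROUTER_VPN_POLICY):
    """Describe how a packet from src to dst leaves and what source the router sees.

    nat_enabled models "local gateway uses NAT": traffic leaving via br0 is
    masqueraded to the host address, so the router's source-based policy no
    longer matches the VM (assumed explanation of the symptom reported above).
    """
    gw, dev = lookup(dst)
    if dev == "wg0":
        return {"next_hop": gw, "dev": dev, "src_seen": src, "path": "wireguard"}
    seen = UNRAID_IP if nat_enabled else src
    path = "router-vpn" if seen in policy else "router-isp"
    return {"next_hop": gw, "dev": dev, "src_seen": seen, "path": path}


def fixed_policy():
    """The workaround from the thread: add the Unraid address to the router policy."""
    return ROUTER_VPN_POLICY | {UNRAID_IP}
```

With NAT on, the router sees the VM's traffic sourced from the Unraid address and applies its ISP default; extending the policy (or turning NAT off, as david279 did) restores the VPN path.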