ljm42

WireGuard quickstart


15 minutes ago, climber455 said:

Let me first say that setting this up was a breeze, you guys did a great job. One thing I noticed though is that when WireGuard is running, even if no clients are connected, it breaks network bridging to my VM. My Windows VM internet traffic gets sent over a VPN that is configured on my router; this determination is made based on the IP address of the VM itself. When WireGuard is in an active state the VM internet traffic is basically bypassing my router-based config and sending traffic out my regular internet connection. When I do an IP check I'm getting the public IP address of my internet connection, not the one supplied by the router VPN connection. I'm not entirely sure how this is happening; the only thing I can think is that there is a configuration bug with the network bridge in Unraid that the VM is using.

What kind of VPN access are you configuring on Unraid?

5 hours ago, nuhll said:

Hahha, I found out one of the biggest issues....

 

I always run my mobile in energy saver mode... which prevents apps like WireGuard from running correctly...

 

YOU NEED to enable UNLIMITED DATA USAGE and DEACTIVATE any ENERGY saving features for WireGuard (!!!) (or don't use energy saver mode)


So there's that mystery cleared... next question is, how to get my local DNS running. Tutorials on the internet say you can use your local DNS server (which doesn't seem to work for me); if I set the DNS to 192.168.86.5 nothing works (local DNS not, local IP not, internet not).

 

I GOT IT WORKING 100%

 

I needed to enter my router's IP as DNS (which itself gets the DNS from my local DNS server - I guess it was blocking other DNS servers?)

 

That's my setup, which seems to work for now with my own DNS server:

[screenshots]

 

 

 

Only problem left is how to block YouTube ads on mobile... on desktop I don't get any ads because of Pi-hole, but on mobile, even with Pi-hole as DNS server, I still get ads.. anyone any idea?

You would want to use the remote tunnel option so that 0.0.0.0/24 is the AllowedIPs for the tunnel. This should capture all traffic from the remote device and send it through the DNS (your local router). You would want the DNS set to PiHole to get PiHole to filter it.

6 minutes ago, Xaero said:

You would want to use the remote tunnel option so that 0.0.0.0/24 is the AllowedIPs for the tunnel. This should capture all traffic from the remote device and send it through the DNS (your local router). You would want the DNS set to PiHole to get PiHole to filter it.

What are you talking about?

 

I'm using "remote tunneled access".

 

Like I have it configured, it uses my Pi-hole, please read my whole post.

 

The problem is that blocking YouTube ads via ONLY DNS is hard (not doable).

 

Edited by nuhll

7 minutes ago, bonienl said:

What kind of VPN access are you configuring on Unraid?

I configured remote tunneled access for one device and remote access to LAN for another.

2 minutes ago, climber455 said:

I configured remote tunneled access for one device and remote access to LAN for another.

My guess would be that you misconfigured the IPs? Make screenshots of your settings.

17 minutes ago, nuhll said:

My guess would be that you misconfigured the IPs? Make screenshots of your settings.

[screenshot]

The tunnel works correctly; it's just when it's active the VM that is running on Unraid bypasses the router-configured VPN settings.

[screenshot]

Edited by climber455

22 minutes ago, bonienl said:

 

With SSL enabled, it requires DNS to work properly. If the DNS server is not reachable when the tunnel is active, it makes the GUI not reachable.

 

So how do I get my SSL back working?

26 minutes ago, bonienl said:

When I do an IP check I'm getting the public IP address of my internet connection, not the one supplied by the router VPN connection.

You are testing this from the client (peer) side, right?

When you activate the WG tunnel, it will send ALL traffic over the WG tunnel because you have selected "Remote tunneled access", you need "Remote server access".

Change the type of the second (and first) peer to "Remote server access". Next reconfigure the client(s) with the updated changes.

29 minutes ago, bonienl said:

the only thing I can think is that there is a configuration bug with the network bridge in Unraid that the VM is using.

You are thinking wrong :)


OK, I think there is a misunderstanding here. The tunnel is working fine for both clients; the VM is NOT a client. What is happening is that traffic from the VM that is running on Unraid gets routed incorrectly when the tunnel is turned on (in an active state).

The VM does not go through the tunnel at all, it's completely separate, it's just running on Unraid. IP address of the VM is 192.158.20.4; it goes to the router and out an OpenVPN connection configured there. When WireGuard is activated the traffic from the VM is getting my ISP public address, not the VPN address it should be. So it looks like the VM is using WireGuard as its gateway for some reason. See the screenshots.

 

Without WireGuard running....

[screenshot]

 

With WireGuard running, remember this isn't configured to use WireGuard at all.

[screenshot]

Here is the routing table when the WireGuard server is running.

 

[screenshot]

Sorry for being dense, maybe my configuration is just off.


The default gateway is still your router (192.168.20.1) and VMs will still use that.

 

The only destinations (remote peers) which go over the tunnel are the 10.253.0.X addresses.


Right, that's what my understanding is. However, when the server is active it appears that the traffic is going to Unraid first. If I set "local gateway uses NAT" to NO the problem goes away and clients can access the LAN, but the remote tunneled access breaks. Just some observations for now. I know this is a work in progress.


FYI, I got the remote tunnel to work without a problem after I cleared my config, updated the plugin, and reconfigured.

10 hours ago, Lee B said:

Hi All,

 

Look, the plugin works great, but I'm having issues being able to access any of the dockers I have set with a custom IP. I have seen this post mentioning routing but not sure how to accomplish this; any help will be appreciated.

 

Also, does this plugin work with NetBIOS names?

 

I believe NetBIOS would work with a NetBIOS over TCP implementation. By default, probably not.

On 10/16/2019 at 6:40 AM, nuhll said:

I needed to enter my router's IP as DNS (which itself gets the DNS from my local DNS server

 

On 10/16/2019 at 9:31 AM, ljm42 said:

I think you might be right about needing to specify a DNS server when in "Remote tunneled access" mode. I'll do some more testing

 

When I was testing a few days ago, it seemed like I needed to add a DNS server for "Remote tunneled access" to work. Maybe I was just tired or something :) because my Android is currently connected using an unedited config file and it is working fine. All traffic is going through WireGuard without having to make any customizations.

 

During this time I did upgrade the host from rc1 to rc3, which includes a newer version of WireGuard. So it is possible that made a difference.

 

 

Edit - I did find a use case where you NEED to enter a DNS server for the tunnel.

 

When my Windows laptop is connected to my home network via wifi, if I type "nslookup" it shows the DNS server is my local router. If I then make a "Remote tunneled access" connection to an Unraid system on another network, the router on my network is no longer available for DNS. So I have to include a DNS server in the WireGuard config. Specifying either the remote router or a global server like 8.8.8.8 works equally well.

Edited by ljm42

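bonienl's and ljm42's posts above both turn on the same mechanism: a peer's AllowedIPs list is the client's routing table, so "Remote tunneled access" (0.0.0.0/0) captures every packet, including DNS queries to whatever resolver the client's current network handed out, while "Remote server access" only captures the Unraid host and its LAN. The following Python example is added here and is not the plugin's or any poster's code; the configs, the 10.253.0.2 client address, the unraid.example.invalid endpoint and the 192.168.1.1 local resolver are constructed:

```python
import ipaddress
# Constructed client configs for the two Unraid peer types (keys and endpoint
# are placeholders; addresses follow the 10.253.0.x / 192.168.20.x ranges in
# the thread). "Remote tunneled access" routes everything into the tunnel.
FULL_TUNNEL = """\
[Interface]
Address = 10.253.0.2/32
PrivateKey = <placeholder>
[Peer]
PublicKey = <placeholder>
Endpoint = unraid.example.invalid:51820
AllowedIPs = 0.0.0.0/0
"""
# "Remote server access": only the Unraid host and its LAN are captured.
SPLIT_TUNNEL = FULL_TUNNEL.replace(
    "AllowedIPs = 0.0.0.0/0", "AllowedIPs = 10.253.0.1/32, 192.168.20.0/24")

def parse_client_config(text):
    """Return (dns_servers, allowed_networks) from a wg-quick style client config."""
    dns, allowed = [], []
    for line in text.splitlines():
        key, _, value = line.partition("=")
        values = [v.strip() for v in value.split(",") if v.strip()]
        if key.strip().lower() == "dns":
            dns += [ipaddress.ip_address(v) for v in values]
        elif key.strip().lower() == "allowedips":
            allowed += [ipaddress.ip_network(v, strict=False) for v in values]
    return dns, allowed

def via_tunnel(dest, allowed):
    """WireGuard sends a packet into the tunnel iff an AllowedIPs prefix covers it."""
    return any(ipaddress.ip_address(dest) in net for net in allowed)

def resolver_check(cfg_text, dhcp_resolver):
    """Return (resolver, tunneled, verdict) for the client's DNS queries.
    Without a DNS= line the client keeps the resolver its current network handed
    out. If AllowedIPs also covers that address, every lookup is carried to the
    remote network, where the client's own router does not exist, and fails.
    """
    dns, allowed = parse_client_config(cfg_text)
    resolver = dns[0] if dns else ipaddress.ip_address(dhcp_resolver)
    tunneled = via_tunnel(resolver, allowed)
    if not dns and tunneled:
        verdict = "local resolver captured by tunnel: add a DNS= line"
    elif tunneled:
        verdict = "resolver reached through the tunnel"
    else:
        verdict = "resolver reached directly"
    return str(resolver), tunneled, verdict
```

Running `resolver_check(FULL_TUNNEL, "192.168.1.1")` reproduces the laptop case: the DHCP-assigned router is swallowed by the 0.0.0.0/0 route, while the same check on `SPLIT_TUNNEL` reports the resolver is reached directly.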
16 hours ago, Lee B said:

Look, the plugin works great, but I'm having issues being able to access any of the dockers I have set with a custom IP. I have seen this post mentioning routing but not sure how to accomplish this; any help will be appreciated.

I don't use dockers with custom IPs. The best information is in this thread; I'd suggest following the discussion over there rather than starting a new one.

 

16 hours ago, Lee B said:

Also, does this plugin work with NetBIOS names?

Not that I can see. As mentioned in the OP, I'd suggest using a hosts file if you must have name resolution. You could possibly use the LAN's DNS server, but that doesn't make sense for split tunneling.

On 10/16/2019 at 1:24 PM, climber455 said:

Right, that's what my understanding is. However, when the server is active it appears that the traffic is going to Unraid first.

On the VM, try running "tracert www.google.com" in various configurations and see what changes. That will show you the path that the system is taking to get out to Google.

1 hour ago, ljm42 said:

On the VM, try running "tracert www.google.com" in various configurations and see what changes. That will show you the path that the system is taking to get out to Google.

This is from the VM. The first trace is with the WireGuard server inactive; the first IP is the gateway of the VPN. The second trace is with WireGuard active. The VM isn't hitting the IP of the VPN gateway, it's using the router as the gateway.

 

[screenshot]

9 minutes ago, climber455 said:

This is from the VM. The first trace is with the WireGuard server inactive; the first IP is the gateway of the VPN. The second trace is with WireGuard active. The VM isn't hitting the IP of the VPN gateway, it's using the router as the gateway.

OK, so 192.168.20.1 is the direct IP of your router, without using VPN.
And 10.8.0.1 is some sort of VPN running on your router?

 

I see no evidence of Unraid being used as a gateway or anything super strange like that.

 

I would look closer at how your router determines whether to send traffic through 10.8.0.1 or 192.168.20.1. Is it based on IP address or MAC address maybe? If so, you'll have to figure out why the router thinks the IP or MAC has changed.

1 hour ago, ljm42 said:

OK, so 192.168.20.1 is the direct IP of your router, without using VPN.
And 10.8.0.1 is some sort of VPN running on your router?

 

I see no evidence of Unraid being used as a gateway or anything super strange like that.

 

I would look closer at how your router determines whether to send traffic through 10.8.0.1 or 192.168.20.1. Is it based on IP address or MAC address maybe? If so, you'll have to figure out why the router thinks the IP or MAC has changed.

You are correct. The VM running on Unraid gets its IP from the router based on MAC address, 192.168.20.4 in this case. The router sends traffic from 192.168.20.4 over the VPN. So activating WireGuard on Unraid is changing the IP of the VM? Seems weird. Maybe I'll try to statically assign the IP to the VM and test again.

2 hours ago, ljm42 said:

OK, so 192.168.20.1 is the direct IP of your router, without using VPN.
And 10.8.0.1 is some sort of VPN running on your router?

 

I see no evidence of Unraid being used as a gateway or anything super strange like that.

 

I would look closer at how your router determines whether to send traffic through 10.8.0.1 or 192.168.20.1. Is it based on IP address or MAC address maybe? If so, you'll have to figure out why the router thinks the IP or MAC has changed.

So I got this sorted. If I add the IP address of the Unraid server to my "route over VPN" policy on the router it works. It seems that when WireGuard is active the VM manager of Unraid sends all traffic from those VMs out the Unraid internet connection regardless of policies set on the router.

24 minutes ago, climber455 said:

It looks like Unraid is proxying my VM traffic when WireGuard is running.

Need more info.

I have multiple VMs, all reachable when WireGuard is active.

1 hour ago, climber455 said:

It looks like Unraid is proxying my VM traffic when WireGuard is running.

I saw something like this too. I run Pi-hole in a VM, and when the NAT setting in WireGuard is set to Yes all the clients in Pi-hole have the name of the unRAID server. The Pi-hole is run in an Ubuntu VM on my unRAID server. Once I set NAT to No all the correct client names returned to normal. Now I run WireGuard with NAT set to No and enabled a static route on my router for WireGuard to my unRAID server, and all is good now.

