bonienl

Dynamix WireGuard VPN


With the release of Unraid 6.8 comes support for WireGuard VPN connections.

At the moment the GUI part is offered as a separate plugin, but will be integrated into Unraid in the future. This approach allows for quick updates and enhancements without dependency on Unraid version releases.


People starting with WireGuard should read the quick-start guide written by @ljm42. See

Please use his topic only to ask questions about using and setting up WireGuard.

The GUI has online help as well, please have a look at this too.

 

Use this topic to report any issues or bugs or proposed enhancements for the WireGuard functionality. This way things stay grouped together.

 

Thanks

Edited by bonienl

"Remote tunneled access" gives an invalid QR code, because of a missing IP, only "/128" is put in the config.


Do you use IPv6?

If not, change network settings to IPv4 only.

 


I'm running on a fully working IPv4/IPv6 network; however, I've got "Network protocol" set to "IPV4 Only" on the Unraid server. So afaik that's what you suggest.

6 hours ago, hotio said:

"Remote tunneled access" gives an invalid QR code

I see.  If you choose "remote access to LAN" then the IP Address is added to the config properly:

[Interface]
PrivateKey=<snip>
Address=10.253.0.2/32

But if you choose the "remote tunneled access" option, the config is invalid:

[Interface]
PrivateKey=<snip>
Address=/128

 

16 hours ago, ljm42 said:

But if you choose the "remote tunneled access" option, the config is invalid:

Fixed


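The two generated client configs quoted above differ only in the `Address` line. As an added example (not part of any post in this thread and not the plugin's own code), a small check that catches an `[Interface]` address with a missing IP before the config is turned into a QR code; the function name and the sample strings are constructed for illustration.

```python
import ipaddress

# Constructed samples mirroring the two configs quoted in the thread.
GOOD_CONFIG = "[Interface]\nPrivateKey=<snip>\nAddress=10.253.0.2/32\n"
BAD_CONFIG = "[Interface]\nPrivateKey=<snip>\nAddress=/128\n"


def check_interface_addresses(config_text):
    """Return a list of problems found in the [Interface] Address entries."""
    problems = []
    section = None
    seen_address = False
    for lineno, raw in enumerate(config_text.splitlines(), start=1):
        line = raw.split("#", 1)[0].strip()  # drop comments and whitespace
        if not line:
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()
            continue
        if section != "interface" or "=" not in line:
            continue
        # Split on the first "=" only: base64 keys end in "=" themselves.
        key, value = (part.strip() for part in line.split("=", 1))
        if key.lower() != "address":
            continue
        seen_address = True
        for entry in value.split(","):  # Address may list IPv4 and IPv6
            entry = entry.strip()
            if not entry.split("/", 1)[0]:
                problems.append(
                    f"line {lineno}: no IP address before the prefix in {entry!r}")
                continue
            try:
                ipaddress.ip_interface(entry)  # validates address and prefix length
            except ValueError as exc:
                problems.append(f"line {lineno}: {entry!r} is invalid ({exc})")
    if not seen_address:
        problems.append("no Address entry in [Interface]")
    return problems


if __name__ == "__main__":
    for name, text in (("LAN access", GOOD_CONFIG), ("tunneled access", BAD_CONFIG)):
        print(name, "->", check_interface_addresses(text) or "ok")
```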
I'm not sure if I've got something configured wrong or if it is working as designed, but WireGuard is working fine and clients can connect without issue. However, when WireGuard is active I am unable to access any dockers that have a custom IP address (Custom : br0). As soon as I deactivate WireGuard those dockers are accessible. Do I have something set up wrong or will they not work together?


Dockers with a custom network (unique IP address) have the router as gateway. It requires additional routing on the gateway itself to make containers reachable over VPN.

1 minute ago, bonienl said:

Dockers with a custom network (unique IP address) have the router as gateway. It requires additional routing on the gateway itself to make containers reachable over VPN.

I know squat about networking, but isn't Remote Access To LAN supposed to accomplish this?


I failed to be as specific as I should have... when WireGuard is active I can't even access those dockers from my Unraid server.

1 minute ago, Squid said:

I know squat about networking, but isn't Remote Access To LAN supposed to accomplish this?

Yes, in combination with additional routing rules on your router (defines the return path)


Maybe the help text / pic should get updated to reflect this?


image.png.a7c586872b1589d9100c3648304d23c3.png

 

LAN hosts or docker containers/VMs with their own IP address need a return path back to the WireGuard VPN tunnel which exists on the Unraid server to reach any remote destination.

 

This is achieved by adding the tunnel endpoint subnet to the gateway (router) which provides the regular access to remote destinations.

 

By default Unraid uses the 10.253.x.x/16 subnet for tunnel endpoint assignments. This subnet needs to be added to the router and point to the LAN (eth0) address of the Unraid server.

 

Below is an example of static routes added to a Ubiquiti router (other brands should offer something similar).

 

image.thumb.png.4df21f0ef2b3404e9b912d093a55c0bd.png

 

It may also be necessary to disable UPnP and NAT settings (switch on advanced view) and configure a port forwarding rule manually on your router.

 

Edited by bonienl

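The return-path problem described in the post above, as an added example that is not part of the original post: a simplified longest-prefix-match model of where a container's reply to a VPN peer ends up, with and without the 10.253.0.0/16 static route on the router. The LAN addresses are taken from the `ip route` output posted later in this thread; the route tables, the "WAN" label and the function names are assumptions made for illustration.

```python
import ipaddress

ROUTER = "192.168.1.1"    # LAN gateway, from the posted `ip route` output
UNRAID = "192.168.1.10"   # Unraid LAN address, from the same output
PEER = "10.253.0.2"       # WireGuard peer inside the tunnel subnet

# Assumed tables: a container on br0 with its own IP, and a plain home router.
CONTAINER_ROUTES = [("0.0.0.0/0", ROUTER), ("192.168.1.0/24", "on-link")]
ROUTER_ROUTES = [("0.0.0.0/0", "WAN"), ("192.168.1.0/24", "on-link")]
STATIC_ROUTE = ("10.253.0.0/16", UNRAID)  # the entry suggested in the thread


def next_hop(routes, destination):
    """Longest-prefix match over a list of (prefix, next_hop) pairs."""
    dest = ipaddress.ip_address(destination)
    best = None
    for prefix, hop in routes:
        net = ipaddress.ip_network(prefix)
        if dest in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, hop)
    return best[1] if best else None


def reply_path(router_routes, peer=PEER):
    """Follow a reply from the container towards a VPN peer, hop by hop."""
    path = ["container"]
    hop = next_hop(CONTAINER_ROUTES, peer)
    if hop == ROUTER:
        # The container only knows its default gateway, so the router decides.
        path.append("router")
        hop = next_hop(router_routes, peer)
    path.append("unraid (wg0)" if hop == UNRAID else hop)
    return path


if __name__ == "__main__":
    print("without static route:", " -> ".join(reply_path(ROUTER_ROUTES)))
    print("with static route:   ",
          " -> ".join(reply_path(ROUTER_ROUTES + [STATIC_ROUTE])))
```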
OK. Since I'm sure I'm not the only one who has no real clue about what to enter here, any hints? Sorry for being so dense :(

image.png.7467c5d5d595ebdd55e305b46fa7c672.png


You need this entry:

Network       Mask           Gateway
10.253.0.0    255.255.0.0    Unraid LAN IP

Updated: just route the tunnel addresses from your router to the Unraid server

Edited by bonienl


So this is why my custom IP dockers were not working..... Turned off WireGuard and back all good. Gonna figure this one out...


The challenge is to make routing complete, because the VPN tunnel lives on the Unraid server, while other devices in the LAN have the router as gateway.


I understand why WireGuard clients could have problems connecting to dockers with a custom IP, but why would that behavior change for devices that are on the same LAN (not using WireGuard)? If I try to ping one of the dockers with a custom IP from within the LAN (from 192.168.1.160 -> 192.168.1.99) the ping times out, but with WireGuard inactive the ping is fine.


The WireGuard VPN tunnel should have no effect on the reachability of local devices on the same LAN.

What kind of connection are you trying to set up?

 


I've tried multiple options for 'Peer type of access', if that is what you're referring to, and it happens no matter what is selected. Actually, I just deleted everything and set up a very basic server... just generated the keypair, applied changes and activated the server, and as soon as I hit activate I was unable to ping a custom IP docker.

3 minutes ago, bonienl said:

The WireGuard VPN tunnel should have no effect on the reachability of local devices on the same LAN.

What kind of connection are you trying to set up?

 

Yeah, it is the same issue I am having. When WireGuard is active I cannot connect to dockers with a custom IP. This is from my normal network, not the VPN. The connection times out.


For those having local issues, please post the output of (open a terminal session)

ip route

 


default via 192.168.1.1 dev br0
10.253.0.2 dev wg0 scope link
172.17.0.0/16 dev docker0 proto kernel scope link src 172.17.0.1
192.168.1.0/24 dev br0 proto kernel scope link src 192.168.1.10
192.168.122.0/24 dev virbr0 proto kernel scope link src 192.168.122.1 linkdown

 

22 minutes ago, SenorLoco said:

default via 192.168.1.1 dev br0
10.253.0.2 dev wg0 scope link
172.17.0.0/16 dev docker0 proto kernel scope link src 172.17.0.1
192.168.1.0/24 dev br0 proto kernel scope link src 192.168.1.10
192.168.122.0/24 dev virbr0 proto kernel scope link src 192.168.122.1 linkdown

 

That looks alright.

From where are you pinging the docker containers?

Can you also post diagnostics?


default via 192.168.29.1 dev br0 metric 212 
10.253.0.2 dev wg0 scope link 
10.253.0.3 dev wg0 scope link 
172.17.0.0/16 dev docker0 proto kernel scope link src 172.17.0.1 
192.168.29.0/24 dev br0 proto kernel scope link src 192.168.29.140 
192.168.122.0/24 dev virbr0 proto kernel scope link src 192.168.122.1 linkdown 

 

 

tower-diagnostics-20191013-1619.zip
