superloopy1 Posted October 18, 2019

I don't understand any of this so am waiting for spaceinvaderone's video to come along ;>))
ICDeadPpl Posted October 20, 2019

On 10/13/2019 at 4:55 PM, bonienl said:
    You may need two entries:
    Network       Mask             Gateway
    10.253.0.0    255.255.255.0    Unraid LAN IP
    peer-subnet   peer-mask        Unraid LAN IP

Are "peer-subnet" and "peer-mask" referring to the IP subnet and mask that Unraid is using, 192.168.1.0 and 255.255.255.0 in my case? (My Unraid has 192.168.1.15.)
bonienl (Author) Posted October 20, 2019

5 hours ago, ICDeadPpl said:
    Are "peer-subnet" and "peer-mask" referring to the IP subnet and mask that Unraid is using, 192.168.1.0 and 255.255.255.0 in my case? (My Unraid has 192.168.1.15.)

The peer-subnet + peer-mask are not necessary, just the tunnel-endpoints subnet. (I have updated the original post.)
bonienl (Author) Posted October 20, 2019

I have added a new field to the peer configuration called "Peer DNS server". This field allows overwriting the current DNS server setting at the peer when the WireGuard tunnel is activated.
NewDisplayName Posted October 20, 2019

On 10/13/2019 at 4:34 PM, bonienl said:
    LAN hosts or docker containers/VMs with their own IP address need a return path back to the WireGuard VPN tunnel which exists on the Unraid server to reach any remote destination. This is achieved by adding the tunnel endpoint subnet to the gateway (router) which provides the regular access to remote destinations. By default Unraid uses the 10.253.x.x/16 subnet for tunnel endpoint assignments. This subnet needs to be added to the router and points to the LAN (eth0) address of the Unraid server. Below is an example of static routes added to a Ubiquiti router (other brands should offer something similar).

I don't understand. I didn't do anything like this. And all works. VNC, HTTP, RDP? I have a triple NAT. Only thing I did was port forward!? Even my local DNS server is working...?

I have the following nets: 192.168.0.*, 192.168.1.*, 192.168.2.* (3 routers in a row), then wifi network 192.168.86.*
Unraid 192.168.86.2
PiHole 192.168.86.5
VPN (standard 10.253.0.10)
CrimsonTyphoon Posted October 20, 2019

Hello, I must be close but can't figure out the last piece of the puzzle! I have gotten WireGuard working, but cannot access dockers not on the bridge network (aka dockers with their own IP).

I cannot access dockers with their own IP (192.168.8.0/24). I can access dockers on Unraid's IP (192.168.8.151).

WireGuard network: 10.253.0.0/24
Router: 192.168.8.1
Unraid IP: 192.168.8.151 (network 192.168.8.0/24)

I have "remote tunnel access" enabled for my peer (the client has AllowedIPs=0.0.0.0/0 to tunnel all traffic through the VPN tunnel).

Here's my pfSense static route:
    Network          Gateway                   Interface
    10.253.0.0/16    unRAID - 192.168.8.151    Vlan_Internal

What am I missing?
bonienl (Author) Posted October 20, 2019

20 minutes ago, CrimsonTyphoon said:
    What am I missing?

What "type of access" do you use for the peer?
CrimsonTyphoon Posted October 20, 2019

15 minutes ago, bonienl said:
    What "type of access" do you use for the peer?

I have "remote tunnel access" enabled for my peer (the client has AllowedIPs=0.0.0.0/0 to tunnel all traffic through the VPN tunnel). Updated OP to reflect this.
bonienl (Author) Posted October 20, 2019

For this type of access it is recommended that the peer uses a DNS server which is reachable over the tunnel. When your router (gateway) is acting as local DNS server to your LAN, then use its IP address as DNS server for the peer. You can add the DNS setting manually or, if you update to the latest version of the plugin, it is configurable (you still need to update the peer though).

How do you access the docker containers? Try this from the GUI -> Docker -> click container -> WebUI
CrimsonTyphoon Posted October 20, 2019

Hmm, I use the pfSense as the DNS server, because I have custom entries pointing to my various dockers (sabnzbd.domain.com, sonarr.domain.com, etc.). They all sit behind my reverse proxy docker at 192.168.8.175. I have updated to the latest version of the plugin to add the DNS settings.

Going directly to the domain (sabznbd.domain.com, through reverse proxy) or accessing directly via IP (192.168.8.100) does not work. Through the WebUI it goes through the IP and does not work either :-/

Edit: Here is unRAID's routing table:
    PROTOCOL  ROUTE             GATEWAY              METRIC
    IPv4      default           192.168.8.1 via br0  1
    IPv4      10.253.0.2        wg0                  1
    IPv4      172.17.0.0/16     docker0              1
    IPv4      192.168.8.0/24    br0                  1
    IPv4      192.168.122.0/24  virbr0               1
bonienl (Author) Posted October 20, 2019

Can you do a traceroute (Windows = tracert) from the peer to an IP address of the docker container?

    >tracert -d 10.0.101.100

    Tracing route to 10.0.101.100 over a maximum of 30 hops

      1     3 ms     2 ms     2 ms  10.253.0.1
      2     2 ms     2 ms     2 ms  10.0.101.100

    Trace complete.

Above is a traceroute from my laptop to one of my containers (pi-hole) with a custom IP address (10.0.101.100). It goes over the tunnel and the container responds as well.
CrimsonTyphoon Posted October 20, 2019

Here you go:

On Wifi:
    $ traceroute 192.168.8.175
     1?: [LOCALHOST]                      pmtu 1500
     1:  sabnzbd.domain.com               10.045ms reached
     1:  sabnzbd.domain.com               2.332ms reached
         Resume: pmtu 1500 hops 1 back 1

On Wireguard:
    $ traceroute 192.168.8.75
     1?: [LOCALHOST]                      pmtu 1280
     1:  10.253.0.1                       52.842ms
     1:  10.253.0.1                       63.555ms
     2:  no reply
     3:  no reply
    ^C

I am not a network expert, but it seems that the unRaid server (10.253.0.1) gets the packet, but has no idea what to do with it and drops it? I do not see it blocked in my pfSense logs either.
bonienl (Author) Posted October 20, 2019

11 minutes ago, CrimsonTyphoon said:
    it seems that the unRaid server (10.253.0.1) gets the packet, but has no idea what to do with

No, this means the WireGuard tunnel receives the packet but the next-hop device (your pfSense) doesn't know the way back.

PS: if the router doesn't know how to reach the destination, you get "destination unreachable" as answer.
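The return-path problem discussed in this thread (the container's reply has to find its way back to the 10.253.x.x tunnel address, which only the Unraid server knows how to reach) can be traced through with a toy longest-prefix-match model. This is an added example, not code from the plugin or from anyone in the thread; the addresses are the ones CrimsonTyphoon posted, and the routing tables are constructed from the thread's description rather than dumped from real devices.

```python
import ipaddress

# Addresses as posted in the thread; tables below are constructed, not captured.
UNRAID_LAN_IP = "192.168.8.151"   # eth0/br0 address of the Unraid server
PEER = "10.253.0.2"               # WireGuard peer, tunnel side of wg0
CONTAINER = "192.168.8.175"       # docker container with its own LAN IP
ROUTER = "192.168.8.1"            # pfSense, the LAN's default gateway
TUNNEL_SUBNET = "10.253.0.0/16"   # plugin default for tunnel endpoints


def next_hop(table, dst):
    """Longest-prefix match over [(network, next_hop)]; None = on-link."""
    dst = ipaddress.ip_address(dst)
    matches = [(ipaddress.ip_network(n), h) for n, h in table]
    matches = [(n, h) for n, h in matches if dst in n]
    if not matches:
        raise LookupError(f"no route to {dst}")
    return max(matches, key=lambda m: m[0].prefixlen)[1]


def router_table(static_route):
    """pfSense table with or without the static route bonienl asks for."""
    table = [("192.168.8.0/24", None), ("0.0.0.0/0", "WAN")]
    if static_route:
        table.append((TUNNEL_SUBNET, UNRAID_LAN_IP))
    return table


def reply_path(static_route, nat):
    """Hops the container's reply takes back towards the peer.

    nat=True models "Local gateway uses NAT" = Yes: the container saw the
    Unraid LAN IP as source.  nat=False: it saw the tunnel address itself.
    """
    container_table = [("192.168.8.0/24", None), ("0.0.0.0/0", ROUTER)]
    dst = UNRAID_LAN_IP if nat else PEER
    hop = next_hop(container_table, dst)
    if hop is None:                      # same subnet: delivered directly
        return [CONTAINER, dst]
    path = [CONTAINER, hop]              # off-subnet: handed to pfSense
    hop = next_hop(router_table(static_route), dst)
    if hop == "WAN":                     # private address pushed upstream
        return path + ["WAN (reply lost; traceroute shows 'no reply')"]
    return path + [hop, "wg0", dst]      # back via Unraid into the tunnel


if __name__ == "__main__":
    for static_route in (False, True):
        for nat in (False, True):
            print(f"static_route={static_route!s:5} nat={nat!s:5}:",
                  " -> ".join(reply_path(static_route, nat)))
```

Without NAT, only the variant with the 10.253.0.0/16 static route gets the reply back into wg0; with NAT the reply is addressed to the Unraid LAN IP and never needs the router, which is why the route can seem unnecessary until NAT is switched off.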
NewDisplayName Posted October 21, 2019

16 hours ago, bonienl said:
    No, this means the WireGuard tunnel receives the packet but the next-hop device (your pfSense) doesn't know the way back.
    PS: if the router doesn't know how to reach the destination, you get "destination unreachable" as answer.

Can you explain to me why I don't need any new routes and it just works out of the box without any changes? You said it doesn't know a way back... but how is the requested data (e.g. web traffic) routed back to the mobile then? Also why is my (br0) PiHole working, also without any extra rules...?
bonienl (Author) Posted October 21, 2019

7 hours ago, nuhll said:
    Can you explain to me why

I can't because I don't know your setup, which seems odd with so many routers chained. It may create different paths which do not exist in a 'regular' setup.
NewDisplayName Posted October 21, 2019

23 minutes ago, bonienl said:
    I can't because I don't know your setup, which seems odd with so many routers chained. It may create different paths which do not exist in a 'regular' setup.

Router 1 192.168.1.1
Router 2 192.168.2.1
Router 3 (load balancer) 192.168.0.1
Google Wifi 192.168.86.1 (Gateway is 192.168.0.1)
Unraid 192.168.86.2
PiHole 192.168.86.5

All routers are standard setup WAN/LAN and all devices can talk to each other (but that's default). Only thing I did was 1 port forward from router 1 -> router 3 (all dyndns go to router 1 only) -> Google Wifi -> Unraid
CrimsonTyphoon Posted October 22, 2019

On 10/20/2019 at 3:04 PM, bonienl said:
    No, this means the WireGuard tunnel receives the packet but the next-hop device (your pfSense) doesn't know the way back.
    PS: if the router doesn't know how to reach the destination, you get "destination unreachable" as answer.

@bonienl First and foremost, thank you for all of your help and your wonderful plugin! Everything you do for the community is greatly appreciated :-)

I did some troubleshooting but still no dice.

I turned off NAT in WireGuard settings. Nothing works (no surprise there?). When I do an nslookup, I get an error message, "Got recursion not available from 8.8.4.4, trying next server". Then it does not work and I get, "server cannot find sabnzbd.domain.com: Refused". This is interesting - I specifically put my pfSense router as the DNS server.

However, when I turn on NAT and do the same thing, it uses 8.8.8.8, and resolves sabnzbd.domain.com. Note: sabnzbd.domain.com will only resolve internally, as I have a domain override in pfSense. Therefore, even though it says it's using 8.8.8.8 it is really using 192.168.8.1 (pfSense).

I did a packet capture on the LAN port on pfSense:
- When I visit a docker with its own IP, I do not see the packet.
- When I visit a docker with Unraid's IP, I do not see the packet. This makes sense because Unraid is not sending it to the router and back, it's routing it internally.

Because I don't see the packet both times I am going to assume that the macvlan driver is blocking it as a docker security mechanism (again, I am not an expert in networking, so for all I know I am completely off base here). I actually had this same problem with the OpenVPN docker, but gave up and just used OpenVPN on pfSense.

Going to try to make a new VLAN, and assign Unraid to it somehow so that WireGuard only uses that interface?

Back to the drawing board I suppose (although since I have to stop the array, gotta wait until the server is not in use :-) )
Hoopster Posted October 22, 2019

I've been looking for the magic sauce that allows the UIs of the docker containers I have assigned to a VLAN to be accessible via WireGuard. I can, of course, access all the UIs for containers running in host or bridge mode on the 192.168.1.x subnet. Nothing on br0.3 (192.168.3.x subnet) is accessible.

I have a static route defined in the router from the WireGuard VPN tunnel to the unRAID eth0 interface:

The router allows traffic between the 192.168.1.x and 192.168.3.x networks. There are no firewall rules blocking that traffic. The WireGuard peer configuration picks up the 192.168.3.x subnet as an allowed IP range.

What am I missing?
Dimtar Posted October 22, 2019

I think the answer is yes but I just wanted to ask and confirm. If I have two devices, say an iPhone and a Windows laptop, should I set up a peer for each device?

Thanks for the plugin, I feel like it takes something very complex and makes it pretty manageable after a little learning.
NewDisplayName Posted October 22, 2019

33 minutes ago, Dimtar said:
    I think the answer is yes but I just wanted to ask and confirm. If I have two devices, say an iPhone and a Windows laptop, should I set up a peer for each device?
    Thanks for the plugin, I feel like it takes something very complex and makes it pretty manageable after a little learning.

If you need to, I don't know, but I guess yes. (I think you can only connect one time at the same time.) If you should, ofc.
NewDisplayName Posted October 22, 2019

5 hours ago, CrimsonTyphoon said:
    @bonienl First and foremost, thank you for all of your help and your wonderful plugin! Everything you do for the community is greatly appreciated 🙂
    I did some troubleshooting but still no dice.
    I turned off NAT in WireGuard settings. Nothing works (no surprise there?). When I do an nslookup, I get an error message, "Got recursion not available from 8.8.4.4, trying next server". Then it does not work and I get, "server cannot find sabnzbd.domain.com: Refused". This is interesting - I specifically put my pfSense router as the DNS server.
    However, when I turn on NAT and do the same thing, it uses 8.8.8.8, and resolves sabnzbd.domain.com. Note: sabnzbd.domain.com will only resolve internally, as I have a domain override in pfSense. Therefore, even though it says it's using 8.8.8.8 it is really using 192.168.8.1 (pfSense).
    I did a packet capture on the LAN port on pfSense:
    - When I visit a docker with its own IP, I do not see the packet.
    - When I visit a docker with Unraid's IP, I do not see the packet. This makes sense because Unraid is not sending it to the router and back, it's routing it internally.
    Because I don't see the packet both times I am going to assume that the macvlan driver is blocking it as a docker security mechanism (again, I am not an expert in networking, so for all I know I am completely off base here). I actually had this same problem with the OpenVPN docker, but gave up and just used OpenVPN on pfSense.
    Going to try to make a new VLAN, and assign Unraid to it somehow so that WireGuard only uses that interface?
    Back to the drawing board I suppose (although since I have to stop the array, gotta wait until the server is not in use 🙂 )

What exactly is the problem?
bonienl (Author) Posted October 22, 2019

8 hours ago, CrimsonTyphoon said:
    I did some troubleshooting but still no dice.

7 hours ago, Hoopster said:
    What am I missing?

Test with the setting "Local gateway uses NAT" set to NO.
bonienl (Author) Posted October 22, 2019

3 hours ago, Dimtar said:
    I think the answer is yes but I just wanted to ask and confirm. If I have two devices, say an iPhone and a Windows laptop, should I set up a peer for each device?
    Thanks for the plugin, I feel like it takes something very complex and makes it pretty manageable after a little learning.

Yes, you need to create two peers. Both can be active/used at the same time.
Hoopster Posted October 22, 2019

3 hours ago, bonienl said:
    10 hours ago, Hoopster said:
        What am I missing?
    Test with the setting "Local gateway uses NAT" set to NO.

Sorry, failed to mention that I had already set that to "No".
mraneri Posted October 22, 2019

I cannot figure out how to get my phone to see the pi-hole docker container on 10.0.2.3. I have the DNS configured on the client side. Setting NAT doesn't seem to change anything either. I can see other physical nodes on the network, just not the docker assigned a custom IP.