Dynamix WireGuard VPN


bonienl


1 hour ago, GermanGramatikov said:

Hello itimpi,

 

I know that people do not like to read long posts that is why I tried to write it as short as possible but let me try again:

  • My Wireguard stopped working
  • there was a new tab in plugins page called "Errors" (forgot to make screenshot it is already gone)
  • in it it said that wireguard has an issue and the only button available was "Delete" which I pressed
  • Now I don't have wireguard and I cannot install it
  • Help please?

There is nothing to install if you are on 6.10.3, as Wireguard is now built in, so deleting the old plugin was the correct thing to do. Are you saying that you do not have Settings->VPN Manager where you now configure Wireguard?

Link to comment
21 hours ago, itimpi said:

There is nothing to install if you are on 6.10.3, as Wireguard is now built in, so deleting the old plugin was the correct thing to do. Are you saying that you do not have Settings->VPN Manager where you now configure Wireguard?

Well yes, unfortunately I don't have any wireguard plugin at the moment and there is no way to install it again other than reverting back to 6.9.9, installing it and then upgrading again to 6.10.3. I believe that someone would know how to install it directly without having to do this exercise, which is why I decided to ask here. Thanks for looking into it!

Screenshot 2022-08-13 215704.jpg

Link to comment
29 minutes ago, GermanGramatikov said:

Well yes, unfortunately I don't have any wireguard plugin at the moment and there is no way to install it again other than reverting back to 6.9.9, installing it and then upgrading again to 6.10.3. I believe that someone would know how to install it directly without having to do this exercise, which is why I decided to ask here. Thanks for looking into it!

Screenshot 2022-08-13 215704.jpg

It's not under the Tools menu which you show in the screenshot.  As Itimpi mentioned, in unRAID 6.10.3, you should find it in the Settings menu as VPN Manager.

 


 

It is no longer a plugin so it is not in Plugins either.

Edited by Hoopster
Link to comment
12 hours ago, Hoopster said:

It's not under the Tools menu which you show in the screenshot.  As Itimpi mentioned, in unRAID 6.10.3, you should find it in the Settings menu as VPN Manager.

 


 

It is no longer a plugin so it is not in Plugins either.

Hi Hoopster and itimpi, then I need to apologize for wasting your time as that's true it is there and it slipped my mind to look in there.

 

Please take my sincere apologies.

Link to comment
  • 4 weeks later...

Hey I am having an issue where I have my client set to Remote Tunnelled Access and I just leave the vpn enabled. However when I am on the same network as my server I can access my mapped Windows Share on unraid and the admin console. When I leave the network I cannot access the Windows Share anymore but still can access the Admin Console. What should I do? When I turn on network discovery the server does not show so I cannot remap the network drive. 

Link to comment
On 10/25/2019 at 11:01 AM, bonienl said:

I did (a lot of) testing and made line traces to monitor what is happening exactly.

 

1. If you have docker containers with a custom IP address assigned to br0 (the management interface of Unraid) then containers will never be reachable thru WG. The reason: the tunnel terminates on the host, but docker doesn't allow communication between host (Unraid) and containers. The solution: create a separate interface or VLAN for docker containers

 

2. When the setting "Local gateway uses NAT" is set to YES, it will cause Unraid to use its own LAN address as source for communication to other devices on the LAN network. I am going to change the name of this setting, because it has nothing to do with the local gateway (router). With NAT enabled on the Unraid server, all devices respond directly to Unraid (i.e. not via the default gateway). In my testing, however, the NAT setting causes issues when talking to containers with custom IP addresses. These reply wrongly and consequently are not reachable, but any other device in the LAN works correctly, just not containers.

 

3. When the setting "Local gateway uses NAT" is set to NO, it will cause Unraid to use the WG tunnel address as source for communication. In this case the default gateway (your router) needs a static route added to point tunnel addresses back to the Unraid server. With this set up both docker containers and other devices are reachable.

 

4. I have issues when using UPnP on my router (Ubiquiti) and ended up making manual forwarding port rules instead. User mistake, UPnP is working correctly with Ubiquiti.

 

 

I have an Unraid server setup with services like WireGuard VPN, Home Assistant, Nginx Proxy Manager. The setup is as follows: WireGuard is running as "Remote tunneled access" with DNS server (192.168.1.1) which is my router. Home Assistant is running as a Docker on the same server. Nginx Proxy Manager is running as a Docker (Host) on the same server, here I have Nginx Reverse Proxy for Home Assistant (home.example.com).

I can without any issues reach Home Assistant when I am in my local network and when I use an external network. It is reachable from anywhere, as I want it to be.

But as soon as I connect to my WireGuard VPN tunnel it is no longer possible to reach the domain (home.example.com). It just times out.

From what I read in your post the issue is similar to what you describe. But I run my Home Assistant docker as Host, not Bridge. How come I have the same issue?

Is there any solution to this?

Link to comment
  • 3 weeks later...

I have set up transmission to use an IP whitelist and with internal IP addresses it works fine; 192.168.x.x etc. However when I connect with a VPN it won't let me access it.  Wireguard gives me a 10.0.x.x address, and if I add that to the whitelist it still blocks me.

 

Does this mean I don't actually have a 10.0.x.x address or am I doing something wrong?

Link to comment
  • 1 month later...

OK - so have Wireguard working when I use my external IP (explicitly) in the configuration.

When I replace the IP with my duck DNS domain, it does not work.

I get the message to the side:

"Remark: The Local endpoint resolves to 31.53.XXX.XXX. In most cases, this should be your public WAN IPv4 instead: 109.153.XXX.XX"

 

Again - works fine if I use the 109.153.XXX.XX in the Wireguard setup, but not fine when I use mydomaninname.duckdns.org.

Ideas on what the issue might be?

Link to comment
  • 2 months later...
21 hours ago, machineglow said:

re: connecting to dockers via VPN,

 

Does anyone have a workaround if we don't have the ability to add a custom route to the router? I run eero wifi and they simply don't support this capability.

 

 

 

The only way the built-in WireGuard client can access Docker containers on custom IPs is by adding custom routes to the router. If you cannot do that then you either need to disable the custom container IPs or use a different VPN solution.

Link to comment
On 11/10/2022 at 11:13 AM, TexasDave said:

OK - so have Wireguard working when I use my external IP (explicitly) in the configuration.

When I replace the IP with my duck DNS domain, it does not work.

I get the message to the side:

"Remark: The Local endpoint resolves to 31.53.XXX.XXX. In most cases, this should be your public WAN IPv4 instead: 109.153.XXX.XX"

 

Again - works fine if I use the 109.153.XXX.XX in the Wireguard setup, but not fine when I use mydomaninname.duckdns.org.

Ideas on what the issue might be?

 

Based on what you've written it sounds like your duckdns domain does not resolve to the correct IP address.

Link to comment
7 hours ago, ljm42 said:

 

The only way the built-in WireGuard client can access Docker containers on custom IPs is by adding custom routes to the router. If you cannot do that then you either need to disable the custom container IPs or use a different VPN solution.

Thanks for the clarification. Looks like I'll have to try something else. Do you think there are weird routing issues if I spin up a separate VPN service running in docker or VM?

Link to comment

My unRAID01 server is in one location and my unRAID02 server is in another location.  I use Wireguard to connect the two servers together.  All good.  If the router at the unRAID01 location (router01) goes down and comes back up or if the router at the unRAID02 location (router02) goes down and comes back up the tunnel becomes disconnected.  It doesn't matter which router goes down, the tunnel is disconnected.  So, if router01 goes down the tunnel is lost but if I jiggle the tunnel (deactivate it and then reactivate it) the tunnel reconnects and life goes on.  Likewise, if router02 goes down and if I jiggle the tunnel (deactivate/reactivate) it comes back.

 

Unfortunately I'm not a Linux guy which is why I like unRAID.  I don't really need to be a Linux guy for it to all work.  But, I was hoping that someone here might be able to create an "auto-jiggler" script.  A script that can be scheduled to check if a tunnel is active and if it's not then deactivate and reactivate the tunnel.  Any takers?

Link to comment
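A sketch of the "auto-jiggler" asked for above, as an added example that is not part of the original thread and not Unraid's own code: it restarts a tunnel only when no peer has completed a handshake recently. It assumes the tunnel is `wg0`, that it is managed with `wg-quick`, and that PersistentKeepalive is set so a healthy but idle tunnel still renews its handshake; the 300-second threshold and the script name are hypothetical.

```shell
#!/bin/bash
# Added example (not from the thread): re-activate a WireGuard tunnel that has gone quiet.
# Assumptions: interface wg0, managed by wg-quick, PersistentKeepalive set on the peer,
# so a healthy tunnel renews its handshake every couple of minutes.

STALE_AFTER=${STALE_AFTER:-300}   # seconds without a handshake before restarting (assumed value)

# Constructed sample of `wg show wg0 latest-handshakes` output: "<peer public key>\t<epoch>".
# An epoch of 0 means that peer has never completed a handshake.
SAMPLE_HANDSHAKES=$(printf 'CONSTRUCTEDPEERKEYAAAA=\t1700000000\nCONSTRUCTEDPEERKEYBBBB=\t0\n')

# Read a handshake table on stdin and print the most recent epoch (0 if none).
newest_handshake() {
    local newest=0 key ts
    while read -r key ts; do
        case $ts in ''|*[!0-9]*) continue ;; esac   # skip malformed lines
        if [ "$ts" -gt "$newest" ]; then newest=$ts; fi
    done
    echo "$newest"
}

# tunnel_is_stale NOW < handshake table; succeeds (exit 0) when a restart is warranted.
tunnel_is_stale() {
    local now=$1 newest
    newest=$(newest_handshake)
    [ "$newest" -eq 0 ] || [ $((now - newest)) -gt "$STALE_AFTER" ]
}

# Check one interface and bounce it if every peer has been silent for too long.
jiggle_if_stale() {
    local ifc=${1:-wg0}
    if wg show "$ifc" latest-handshakes 2>/dev/null | tunnel_is_stale "$(date +%s)"; then
        logger -t wg-jiggle "no handshake on $ifc for over ${STALE_AFTER}s, restarting"
        wg-quick down "$ifc" 2>/dev/null || true   # may already be down
        wg-quick up "$ifc"
    fi
}

# Run only when asked, so the file can also be sourced: ./wg-jiggle.sh --run wg0
if [ "${1:-}" = "--run" ]; then
    jiggle_if_stale "${2:-wg0}"
fi
```

Scheduled from cron every few minutes, this also brings up a tunnel that was deactivated on purpose, because an interface that is down reports no handshakes at all.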
  • 2 months later...

Does someone know where the info for the Kill switch is?

 

I've looked in the folder 

/boot/config/wireguard/wg*.conf

I don't see anything in the .conf file that looks like a kill switch.

I was hoping for something like this:

PostUp  =  iptables -I OUTPUT ! -o %i -m mark ! --mark $(wg show %i fwmark) -m addrtype ! --dst-type LOCAL -j REJECT && ip6tables -I OUTPUT ! -o %i -m mark ! --mark $(wg show %i fwmark) -m addrtype ! --dst-type LOCAL -j REJECT
PreDown = iptables -D OUTPUT ! -o %i -m mark ! --mark $(wg show  %i fwmark) -m addrtype ! --dst-type LOCAL -j REJECT && ip6tables -D OUTPUT ! -o %i -m mark ! --mark $(wg show  %i fwmark) -m addrtype ! --dst-type LOCAL -j REJECT

 

Should I add a script at boot to add those, or is it now completely unnecessary?

 

Thanks for any help ☺

Link to comment
  • 7 months later...

So my wireguard is connecting fine as remote tunneled access. I can reach my unraid box and my gateway and WAN, non docker hosts. However I can't access any of the docker IPs. The whole network is flat 192.168.1.x/24, so my reachable hosts and docker are the same IP range.

I see a note 

Remark: docker containers on custom networks need static routing 10.253.0.0/24 to 192.168.1.99

Not sure what I need to change?

I did try adding a custom route on my router, but didn't seem to help.

Can I have wireguard just get an IP from the DHCP server instead, or set aside a small pool from my existing private space?

Edited by Bushibot
Link to comment
