Dynamix WireGuard VPN


bonienl

Recommended Posts

With the release of Unraid 6.8 comes support for WireGuard VPN connections.

At the moment the GUI part is offered as a separate plugin, but will be integrated into Unraid in the future. This approach allows for quick updates and enhancements without dependency on Unraid version releases.


People starting with WireGuard should read the quick-start guide written by @ljm42. See

Please use his topic only to ask questions about using and setting up WireGuard.

The GUI has online help as well, please have a look at this too.

 

Use this topic to report any issues or bugs or proposed enhancements for the WireGuard functionality. This way things stay grouped together.

 

Thanks

Edited by bonienl
Link to comment
6 hours ago, hotio said:

"Remote tunneled access" gives an invalid QR code

I see.  If you choose "remote access to LAN" then the IP Address is added to the config properly:

[Interface]
PrivateKey=<snip>
Address=10.253.0.2/32

But if you choose the "remote tunneled access" option, the config is invalid:

[Interface]
PrivateKey=<snip>
Address=/128

 

Link to comment

I'm not sure if I've got something configured wrong or if it is working as designed, but WireGuard is working fine and clients can connect without issue. However, when WireGuard is active I am unable to access any dockers that have a custom IP address (Custom : br0). As soon as I deactivate WireGuard those dockers are accessible. Do I have something set up wrong, or will they not work together?

Link to comment
1 minute ago, bonienl said:

Dockers with a custom network (unique IP address) have the router as gateway. It requires additional routing on the gateway itself to make containers reachable over VPN.

I know squat about networking, but isn't Remote Access To LAN supposed to accomplish this?

Link to comment


 

LAN hosts, or docker containers/VMs with their own IP address, need a return path back to the WireGuard VPN tunnel, which exists on the Unraid server, to reach any remote destination.

 

This is achieved by adding the tunnel endpoint subnet to the gateway (router) which provides the regular access to remote destinations.

 

By default Unraid uses the 10.253.x.x/16 subnet for tunnel endpoint assignments. This subnet needs to be added to the router and points to the LAN (eth0) address of the Unraid server.

 

Below is an example of static routes added to a Ubiquiti router (other brands should offer something similar).

 


 

It is also necessary to disable the "Local Server uses NAT" setting (switch on advanced view).

 

Edited by bonienl
Link to comment
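The return-path problem described in the post above, traced hop by hop as an added Python example (this is not code from the plugin or from the post; the addresses come from the thread, the routing tables are constructed for illustration):

```python
import ipaddress

# Addresses taken from the thread: Unraid's LAN IP from the quoted `ip route`
# output, the default tunnel subnet, and the custom-IP container being pinged.
UNRAID_LAN_IP = "192.168.1.10"
WG_PEER_IP = "10.253.0.2"
CONTAINER_IP = "192.168.1.99"
WG_TUNNEL_SUBNET = "10.253.0.0/16"

def next_hop(routes, dst):
    """Longest-prefix match over a list of (prefix, next_hop) tuples."""
    dst = ipaddress.ip_address(dst)
    best = None
    for prefix, hop in routes:
        net = ipaddress.ip_network(prefix)
        if dst in net and (best is None or net.prefixlen > best[0]):
            best = (net.prefixlen, hop)
    return best[1] if best else None

# Constructed: the LAN router's table. A custom-IP (br0) container uses this
# router as its gateway, so its reply to the VPN peer is looked up here.
ROUTER_BEFORE = [("0.0.0.0/0", "isp-upstream"), ("192.168.1.0/24", "on-link")]
# The same table with the static route from the post added:
# tunnel subnet -> Unraid's LAN (eth0/br0) address.
ROUTER_AFTER = ROUTER_BEFORE + [(WG_TUNNEL_SUBNET, UNRAID_LAN_IP)]

# Constructed: Unraid's own table, mirroring the quoted `ip route` output.
UNRAID_ROUTES = [("0.0.0.0/0", "192.168.1.1"), ("192.168.1.0/24", "on-link"),
                 (WG_PEER_IP + "/32", "wg0")]

def reply_path(router_routes):
    """Trace the container's reply to the WireGuard peer.
    Returns the list of hops; the last entry tells whether wg0 was reached."""
    hops = ["container:" + CONTAINER_IP]
    # 10.253.0.2 is off-subnet for the container, so it hands the packet to
    # its gateway (the router), which then consults its own table.
    hop = next_hop(router_routes, WG_PEER_IP)
    hops.append("router->" + hop)
    if hop == "isp-upstream":
        hops.append("dropped: 10.253.0.0/16 is private, not routable upstream")
        return hops
    if hop == UNRAID_LAN_IP:
        hops.append("unraid->" + next_hop(UNRAID_ROUTES, WG_PEER_IP))
    return hops

if __name__ == "__main__":
    print("without static route:", reply_path(ROUTER_BEFORE))
    print("with static route:   ", reply_path(ROUTER_AFTER))
```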

I understand why WireGuard clients could have problems connecting to dockers with a custom IP, but why would that behavior change for devices that are on the same LAN (not using WireGuard)? If I try to ping one of the dockers with a custom IP from within the LAN (from 192.168.1.160 -> 192.168.1.99) the ping times out, but with WireGuard inactive the ping is fine.

Link to comment

I've tried multiple options for 'Peer type of access', if that is what you're referring to, and it happens no matter what is selected. Actually, I just deleted everything and set up a very basic server: just generated the keypair, applied changes and activated the server, and as soon as I hit activate I was unable to ping a custom IP docker.

Link to comment
3 minutes ago, bonienl said:

The WireGuard VPN tunnel should have no effect on the reachability of local devices on the same LAN.

What kind of connection are you trying to set up?

 

Yeah, it's the same issue I am having. When WireGuard is active I cannot connect to dockers with a custom IP. This is from my normal network, not the VPN. The connection times out.

Link to comment
22 minutes ago, SenorLoco said:

default via 192.168.1.1 dev br0 
10.253.0.2 dev wg0 scope link 
172.17.0.0/16 dev docker0 proto kernel scope link src 172.17.0.1 
192.168.1.0/24 dev br0 proto kernel scope link src 192.168.1.10 
192.168.122.0/24 dev virbr0 proto kernel scope link src 192.168.122.1 linkdown 

 

That looks alright.

From where are you pinging the docker containers?

Can you also post diagnostics?

Link to comment
