Dynamix WireGuard VPN


bonienl


Just pinging from another computer on the same network. I was poking around the wg0.conf and although I don't know enough to claim to know what I'm doing, it appears the issue is coming from the PostUp=iptables command. Just for giggles I commented out the PostUp/PostDown, started WireGuard, and my custom IP dockers continued to work.

tower-diagnostics-20191013-1633.zip

Edited by SenorLoco

This is a really nice addition to unraid!

I'm so happy to be able to get rid of OpenVPN :)

 

I noticed that I must add the DNS server manually on the client(computer/phone).

Would it be possible to add the possibility to enter a DNS server manually into the GUI when configuring a Client(so no additional configuration is needed on the client)?

Edited by dannen
27 minutes ago, SenorLoco said:

Just pinging from another computer on the same network. I was poking around the wg0.conf and although I don't know enough to claim to know what I'm doing, it appears the issue is coming from the PostUp=iptables command. Just for giggles I commented out the PostUp/PostDown, started WireGuard, and my custom IP dockers continued to work.

tower-diagnostics-20191013-1633.zip

A couple of observations:

1. UPnP is not working on your router. You can disable the auto setting in the WG settings (see advanced mode).

Oct 13 10:34:20 Tower upnpc: Failed to add port 51820/udp

2. When WG is enabled there is interference with eth0, which would explain the docker containers not being pingable.

Oct 13 10:34:20 Tower wireguard: Tunnel WireGuard-wg0 started
Oct 13 10:34:44 Tower kernel: eth0: renamed from veth1862cc6
Oct 13 10:34:44 Tower kernel: device br0 entered promiscuous mode
Oct 13 10:36:47 Tower kernel: device br0 left promiscuous mode
Oct 13 10:36:47 Tower kernel: veth1862cc6: renamed from eth0

Some things to try:

a. Disable bonding for eth0 (see network settings) and use interface eth0 only.

b. Disable VMs

 


Unraid uses a mechanism to automatically assign IP addresses to tunnel endpoints (both server and peers).

These IP addresses are taken from the subnet 10.253.0.0/24. Normally there is no need to change this subnet unless it is already in use by the server or its peers.

 

Note subsequent WireGuard tunnels get the next /24 subnet, e.g. WG1 gets 10.253.1.0/24 to connect to its peers.

 

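To make the two rules in the post above concrete (one /24 per tunnel, carved from 10.253.0.0/16, and the need to change it only when that range is already in use), here is an added example that is not part of the Dynamix plugin or of Unraid. It derives the /24 for tunnel wgN, lists every network already in use that overlaps it, and picks the lowest tunnel index whose /24 is free. The 10.253.x.0/24 scheme is taken from the thread; the LAN addresses in the demo are constructed sample input.

```python
# Added example, not Unraid's own code: derive the per-tunnel /24 the thread
# describes (wg0 -> 10.253.0.0/24, wg1 -> 10.253.1.0/24, ...) and check that the
# chosen subnet does not overlap any network already in use on the server or at a
# peer.  The 10.253.0.0/16 pool is taken from the thread; the LAN addresses in the
# demo at the bottom are constructed sample input.
import ipaddress

TUNNEL_POOL = ipaddress.ip_network("10.253.0.0/16")


def tunnel_subnet(index):
    """The /24 used by tunnel wg<index>: the index selects the third octet."""
    if not 0 <= index <= 255:
        raise ValueError("only 256 /24 tunnels fit in %s" % TUNNEL_POOL)
    return ipaddress.ip_network(f"10.253.{index}.0/24")


def conflicts(subnet, in_use):
    """Return the networks from in_use that overlap subnet.

    Any overlap is a problem: a peer whose own LAN overlaps the tunnel range
    cannot tell tunnel addresses from local ones, and the server ends up with
    two routes for the same destinations.
    """
    return [n for n in in_use if n.version == subnet.version and subnet.overlaps(n)]


def plan_tunnel(index, in_use_cidrs):
    """Summarise the tunnel subnet for wg<index> and anything it clashes with."""
    in_use = [ipaddress.ip_network(c, strict=False) for c in in_use_cidrs]
    subnet = tunnel_subnet(index)
    return {
        "tunnel": f"wg{index}",
        "subnet": str(subnet),
        "conflicts": [str(n) for n in conflicts(subnet, in_use)],
    }


def first_free_tunnel(in_use_cidrs):
    """Lowest tunnel index whose /24 is free of conflicts, or None if there is none."""
    in_use = [ipaddress.ip_network(c, strict=False) for c in in_use_cidrs]
    for index in range(256):
        if not conflicts(tunnel_subnet(index), in_use):
            return index
    return None


if __name__ == "__main__":
    # Constructed sample: a server LAN, a home LAN at a peer, and a peer whose
    # LAN happens to sit inside the 10.253.0.0/16 pool.
    networks = ["10.0.2.0/24", "192.168.1.0/24", "10.253.0.0/25"]
    for i in range(3):
        print(plan_tunnel(i, networks))
    print("first free tunnel index:", first_free_tunnel(networks))
```

Feed it the LAN of the server plus the LAN of every peer that will connect (a phone on a hotel WiFi, a laptop at home); if any of them reports a conflict, that is the case the post says justifies changing the subnet in the GUI.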

So I have a problem using my VPN (tried both WireGuard and OpenVPN) with my MacBook, iPad and iPhone. They work perfectly when I'm not on my WiFi. So over cellular or someone else's WiFi, the VPN works and all is well.

 

My server is remote, and my Linux and Windows computers work fine on my home WiFi with the VPN. It just seems that Apple devices don't with my VPN and WiFi. I don't get an error, it just says connected but it's not.

 

Anyone have any ideas??? WireGuard and OpenVPN have the same effect, I know my VPN is set up correctly and other devices work on the same WiFi.

Edited by sittingmongoose
16 minutes ago, sittingmongoose said:

So I have a problem using my VPN (tried both WireGuard and OpenVPN) with my MacBook, iPad and iPhone. They work perfectly when I'm not on my WiFi. So over cellular or someone else's WiFi, the VPN works and all is well.

 

My server is remote, and my Linux and Windows computers work fine on my home WiFi with the VPN. It just seems that Apple devices don't with my VPN and WiFi. I don't get an error, it just says connected but it's not.

 

Anyone have any ideas??? WireGuard and OpenVPN have the same effect, I know my VPN is set up correctly and other devices work on the same WiFi.

This may come down to the client. My Note 9 gets internet when connected to my WiFi/WireGuard, but my laptop running Pop OS only gets LAN and no outside internet when I'm connected.

1 minute ago, david279 said:

This may come down to the client. My Note 9 gets internet when connected to my WiFi/WireGuard, but my laptop running Pop OS only gets LAN and no outside internet when I'm connected.

Those same clients work on other WiFi networks though. So I think it's related to my router. I just have no idea what's causing that, especially because other devices on that same router work fine with WireGuard. And when connected to my VPN with my iPhone, I can't connect to my server but general internet works.

Edited by sittingmongoose

Would it be possible to force a DNS server? Currently it looks like the client DNS is used no matter what, which means DNS leaks are a problem. It also means that hostname resolution for devices on the VPN doesn't work (for example http://<ServerName>/ does not work, while http://<IP Address>/ does).
Other than that it seems pretty excellent so far.

Edit:
I tried adding DNS=<IP> in the wg0.conf and it didn't like it. Not sure what special sauce is needed.

Edited by Xaero
On 10/14/2019 at 3:32 AM, Xaero said:

I tried adding DNS=<IP> in the wg0.conf and it didn't like it. Not sure what special sauce is needed.

You should add the entry manually in the configuration of the client afterwards.

 

Update: there is now a DNS field in the peer configuration of Unraid

Edited by bonienl
22 hours ago, bonienl said:

You should add the entry manually in the configuration of the client afterwards.

Would it be possible to add this as an option in the GUI?
I'll do it manually for now; but that doesn't help much for QR code users. A slider in the advanced settings for "Force DNS" with an input field for the DNS IP would be sufficient, I think.

EDIT:
For people who do set the DNS manually in the client configs and want the QR code updated as well:

cd /etc/wireguard/peers
qrencode -o peer-<hostname>-wg#-*.png < peer-<hostname>-wg#-*.conf

(where # is the wg profile and * is the peer number)

This will update the png manually.

Edited by Xaero
10 hours ago, bonienl said:

I'll have a look

FYI, I was able to get this working properly manually with only the following data for all profile types:

DNS=<Local-IP> in the [Interface] section of the peer config.
<Local-IP>/32 included in the AllowedIPs= of the [Peer] section of the peer config.

A single DNS field and some rudimentary logic should sort whether or not the DNS is already included in the range.

From there I manually regenerated the QR codes and moved on. Of course I can't touch those peers in the GUI now without ruining everything, but it works as is.
 

26 minutes ago, Xaero said:

FYI, I was able to get this working properly manually with only the following data for all profile types:

DNS=<Local-IP> in the [Interface] section of the peer config.
<Local-IP>/32 included in the AllowedIPs= of the [Peer] section of the peer config.

To clarify, what did you use for the DNS server? Was it the router on Unraid's LAN or something else?

3 minutes ago, ljm42 said:

To clarify, what did you use for the DNS server? Was it the router on Unraid's LAN or something else?

I'd like to do something like this to force VPN clients through Pihole, running on a RPi on the LAN and set as DNS on my router. unRAID DNS points to Cloudflare. Perhaps I'll give @Xaero's suggestion a try once I have WireGuard set up tomorrow.

1 hour ago, ljm42 said:

To clarify, what did you use for the DNS server? Was it the router on Unraid's LAN or something else?

The DNS server on my local LAN, in this case my ISP-provided cable modem gateway. Though eventually that will be replaced with OPNsense, now that I've tested everything works that way.

Also, do note that you need to edit the peer configuration files manually in /etc/wireguard/peers
Afterwards you can regenerate the QR code using my instructions above, so that you can provide users with a QR code or the ZIP.
 

Edited by Xaero
7 hours ago, mraneri said:

10.0.2.1 is my router

10.0.2.6 is my Unraid server

 

10.20.0.2 and 10.20.0.3 are peers

 

I can connect to 10.0.2.6 and 10.0.2.1 from both peers, but I can't figure out the routing to be able to get to a docker with its own IP (10.0.2.3).

I'm not currently running any VMs.

Screenshot_20191015-070909.png

In the [Peer] section for the PEER configuration file that you want to have access to 10.0.2.3 make sure that 10.0.2.3/32 is in the list of AllowedIPs.
If it's not, the tunnel won't send traffic to it.

5 hours ago, Xaero said:

In the [Peer] section for the PEER configuration file that you want to have access to 10.0.2.3 make sure that 10.0.2.3/32 is in the list of AllowedIPs.
If it's not, the tunnel won't send traffic to it.

Does it go on the server side of the peer config or the client side? I tried both and nothing changed. I can access other IPs on the network, just not custom IPs from Unraid.


It needs to go on the client-side peer config.
Add to the list with:
AllowedIPs=1.2.3.4/32, 5.6.7.8/32

Once set in the client config you do have to stop/start the WireGuard server. Make sure the config on the client is updated as well (changing it on the server doesn't change it on the device(s) that have that peer config loaded, so you'd have to reload it onto those devices).
Once it's loaded onto the devices, the server has been restarted and you connect, try pinging the IP you are trying to access.
It should at least ping if it's routable.

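The two manual edits this thread keeps coming back to (Xaero's DNS= plus <Local-IP>/32 recipe above, and the AllowedIPs entry for a container IP such as 10.0.2.3 in the post just above) are the same operation: make sure a destination is covered by the client's AllowedIPs, and optionally name it as the DNS server. Here is an added example that does both, written for this thread and not part of the Dynamix plugin or of WireGuard. It edits the peer (client) .conf text in place, keeps everything else in the file untouched, and implements the "rudimentary logic" Xaero asked for: a destination already covered by an existing range is not added twice. The sample config, its placeholder keys, and the example.invalid endpoint are constructed; the addresses are the ones used in the thread.

```python
# Added example, not the Dynamix plugin's code: edit a WireGuard *peer* (client)
# config so that (a) [Interface] names a DNS server and (b) every address the
# client must reach through the tunnel (the DNS server, a docker container with
# its own IP such as 10.0.2.3) is covered by AllowedIPs in [Peer].
# SAMPLE_CONF is constructed; the keys and endpoint are placeholders.
import ipaddress
import re

SAMPLE_CONF = """[Interface]
PrivateKey = CLIENT_PRIVATE_KEY_PLACEHOLDER
Address = 10.253.0.2/32

[Peer]
PublicKey = SERVER_PUBLIC_KEY_PLACEHOLDER
Endpoint = vpn.example.invalid:51820
AllowedIPs = 10.253.0.1/32, 10.0.2.6/32
"""


def _sections(lines):
    """Yield (index, section_name, line), tracking the current [Section]."""
    section = None
    for i, line in enumerate(lines):
        stripped = line.strip()
        if stripped.startswith("[") and stripped.endswith("]"):
            section = stripped[1:-1].lower()
        yield i, section, line


def _find_key(lines, section, key):
    """Index of the first 'Key = value' line inside [section], or None."""
    for i, sec, line in _sections(lines):
        match = re.match(r"\s*([A-Za-z]+)\s*=", line)
        if sec == section and match and match.group(1).lower() == key.lower():
            return i
    return None


def allowed_networks(conf_text):
    """The networks listed in AllowedIPs of the [Peer] section."""
    lines = conf_text.splitlines()
    idx = _find_key(lines, "peer", "AllowedIPs")
    if idx is None:
        return []
    value = lines[idx].split("=", 1)[1]
    return [ipaddress.ip_network(c.strip(), strict=False) for c in value.split(",") if c.strip()]


def is_routed(conf_text, ip):
    """True if the tunnel will carry traffic for ip (it is inside some AllowedIPs range)."""
    addr = ipaddress.ip_address(ip)
    return any(addr.version == net.version and addr in net for net in allowed_networks(conf_text))


def ensure_allowed(conf_text, cidr):
    """Append cidr to AllowedIPs unless an existing range already covers it."""
    net = ipaddress.ip_network(cidr, strict=False)
    lines = conf_text.splitlines()
    idx = _find_key(lines, "peer", "AllowedIPs")
    if idx is None:
        raise ValueError("no AllowedIPs line in [Peer]")
    current = allowed_networks(conf_text)
    if any(n.version == net.version and net.subnet_of(n) for n in current):
        return conf_text  # already covered: nothing to change
    key = lines[idx].split("=", 1)[0].rstrip()
    lines[idx] = f"{key} = {', '.join(str(n) for n in current + [net])}"
    return "\n".join(lines) + "\n"


def set_dns(conf_text, dns_ip):
    """Set DNS= in [Interface] (replacing any existing one) and route dns_ip/32 through the tunnel."""
    ipaddress.ip_address(dns_ip)  # raises on a malformed address
    lines = conf_text.splitlines()
    idx = _find_key(lines, "interface", "DNS")
    if idx is not None:
        lines[idx] = f"DNS = {dns_ip}"
    else:
        last = None  # insert right after the last key in [Interface]
        for i, sec, line in _sections(lines):
            if sec == "interface" and "=" in line:
                last = i
        if last is None:
            raise ValueError("no [Interface] section")
        lines.insert(last + 1, f"DNS = {dns_ip}")
    return ensure_allowed("\n".join(lines) + "\n", f"{dns_ip}/32")


if __name__ == "__main__":
    conf = set_dns(SAMPLE_CONF, "10.0.2.1")          # the LAN router as DNS
    conf = ensure_allowed(conf, "10.0.2.3/32")        # a container with its own IP
    print(conf)
    print("10.0.2.3 routed:", is_routed(conf, "10.0.2.3"))
```

Run it against a copy of the file in /etc/wireguard/peers, then regenerate the PNG with the qrencode command from Xaero's post and restart the tunnel, as the post above notes; the check is_routed() is the quick way to see, before reloading anything on the phone, whether a destination that does not ping is simply missing from AllowedIPs.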
48 minutes ago, Xaero said:

It needs to go on the client-side peer config.
Add to the list with:
AllowedIPs=1.2.3.4/32, 5.6.7.8/32

Once set in the client config you do have to stop/start the WireGuard server. Make sure the config on the client is updated as well (changing it on the server doesn't change it on the device(s) that have that peer config loaded, so you'd have to reload it onto those devices).
Once it's loaded onto the devices, the server has been restarted and you connect, try pinging the IP you are trying to access.
It should at least ping if it's routable.

Pinging 10.0.2.3 I get this:

:/ $ ping 10.0.2.3
PING 10.0.2.3 (10.0.2.3) 56(84) bytes of data.
From 10.0.2.6: icmp_seq=1 Destination Host Unreachable
From 10.0.2.6: icmp_seq=2 Destination Host Unreachable
From 10.0.2.6: icmp_seq=3 Destination Host Unreachable

 

On 10/14/2019 at 10:55 PM, Xaero said:

FYI, I was able to get this working properly manually with only the following data for all profile types:

DNS=<Local-IP> in the [Interface] section of the peer config.
<Local-IP>/32 included in the AllowedIPs= of the [Peer] section of the peer config.

From there I manually regenerated the QR codes and moved on. 

Thanks, this worked beautifully for me. 

 

As with my local LAN, I want WireGuard-connected clients to go through Pihole as my DNS. I am running Pihole on a Raspberry Pi on the local LAN; setting its IP address as the DNS in the peer configurations as mentioned above and regenerating the QR code works.

 

Now the only problem left to resolve (there are posts on this already in these forums that I just need to read) is access via WireGuard to docker container webUIs that have IP addresses on a VLAN different from the unRAID server LAN subnet.

Edited by Hoopster
3 hours ago, Hoopster said:

Thanks, this worked beautifully for me. 

 

As with my local LAN, I want WireGuard-connected clients to go through Pihole as my DNS. I am running Pihole on a Raspberry Pi on the local LAN; setting its IP address as the DNS in the peer configurations as mentioned above and regenerating the QR code works.

 

Now the only problem left to resolve (there are posts on this already in these forums that I just need to read) is access via WireGuard to docker container webUIs that have IP addresses on a VLAN different from the unRAID server LAN subnet.

I think the latter can be achieved with one more routing rule; I just haven't sat down to figure it out.
