SenorLoco Posted October 13, 2019
Just pinging from another computer on the same network. I was poking around the wg0.conf and although I don't know enough to claim to know what I'm doing, it appears the issue is coming from the PostUp=iptables command. Just for giggles I commented out the post up/down and started WireGuard and my custom IP dockers continued to work.
Attachment: tower-diagnostics-20191013-1633.zip
dannen Posted October 13, 2019
This is a really nice addition to Unraid! I'm so happy to be able to get rid of OpenVPN. I noticed that I must add the DNS server manually on the client (computer/phone). Would it be possible to add the possibility to enter a DNS server manually into the GUI when configuring a client (so no additional configuration is needed on the client)?
bonienl (Author) Posted October 13, 2019
27 minutes ago, SenorLoco said:
Just pinging from another computer on the same network. I was poking around the wg0.conf and although I don't know enough to claim to know what I'm doing, it appears the issue is coming from the PostUp=iptables command. Just for giggles I commented out the post up/down and started WireGuard and my custom IP dockers continued to work. (tower-diagnostics-20191013-1633.zip)

Couple of observations:

1. UPnP is not working on your router. You can disable auto setting in WG settings (see advanced mode).
Oct 13 10:34:20 Tower upnpc: Failed to add port 51820/udp

2. When WG is enabled there is interference with eth0, which would explain the docker containers not being pingable.
Oct 13 10:34:20 Tower wireguard: Tunnel WireGuard-wg0 started
Oct 13 10:34:44 Tower kernel: eth0: renamed from veth1862cc6
Oct 13 10:34:44 Tower kernel: device br0 entered promiscuous mode
Oct 13 10:36:47 Tower kernel: device br0 left promiscuous mode
Oct 13 10:36:47 Tower kernel: veth1862cc6: renamed from eth0

Some things to try:
a. Disable bonding for eth0 (see network settings) and use interface eth0 only
b. Disable VMs
John_M Posted October 13, 2019
I'm not trying to set this up right now but I'm trying to follow the discussion. What is the significance of the 10.253.0.0/24 subnet, which is used but not explained? Is it used by the tunnel?
bonienl (Author) Posted October 13, 2019
Unraid uses a mechanism to automatically assign IP addresses to tunnel endpoints (both server and peers). These IP addresses are taken from the subnet 10.253.0.0/24. Normally there is no need to change this subnet unless it is already in use by the server or its peers. Note that subsequent WireGuard tunnels get the next /24 subnet, e.g. WG1 gets 10.253.1.0/24 to connect to its peers.
SenorLoco Posted October 13, 2019
Bonding was already off but disabling my VMs did work... although not really an option.
sittingmongoose Posted October 13, 2019
So I have a problem using my VPN (tried both WireGuard and OpenVPN) with my MacBook, iPad and iPhone. They work perfectly when I'm not on my WiFi. So over cellular or someone else's WiFi, the VPN works and all is well. My server is remote, and my Linux and Windows computers work fine on my home WiFi with the VPN. It just seems that Apple devices don't with my VPN and WiFi. I don't get an error, it just says connected but it's not. Anyone have any ideas??? WireGuard and OpenVPN have the same effect; I know my VPN is set up correctly and other devices work on the same WiFi.
david279 Posted October 13, 2019
16 minutes ago, sittingmongoose said:
So I have a problem using my VPN (tried both WireGuard and OpenVPN) with my MacBook, iPad and iPhone. They work perfectly when I'm not on my WiFi. So over cellular or someone else's WiFi, the VPN works and all is well. My server is remote, and my Linux and Windows computers work fine on my home WiFi with the VPN. It just seems that Apple devices don't with my VPN and WiFi. I don't get an error, it just says connected but it's not. Anyone have any ideas??? WireGuard and OpenVPN have the same effect; I know my VPN is set up correctly and other devices work on the same WiFi.

This may come down to the client. My Note 9 gets internet when connected to my wifi/wireguard but my laptop running Pop!_OS only gets LAN and no outside internet when I'm connected.
sittingmongoose Posted October 13, 2019
1 minute ago, david279 said:
This may come down to the client. My Note 9 gets internet when connected to my wifi/wireguard but my laptop running Pop!_OS only gets LAN and no outside internet when I'm connected.

Those same clients work on other WiFi networks though. So I think it's related to my router. I just have no idea what's causing that. Especially because other devices on that same router work fine with WireGuard. And when connected to my VPN with my iPhone, I can't connect to my server but general internet works.
Xaero Posted October 14, 2019
Would it be possible to force a DNS server? Currently it looks like the client DNS is used no matter what, which means DNS leaks are a problem. It also means that hostname resolution for devices on the VPN doesn't work (for example http://<ServerName>/ does not work, while http://<IP Address>/ does). Other than that it seems pretty excellent so far.

Edit: I tried adding DNS=<IP> in the wg0.conf and it didn't like it. Not sure what special sauce is needed.
bonienl (Author) Posted October 14, 2019
On 10/14/2019 at 3:32 AM, Xaero said:
I tried adding DNS=<IP> in the wg0.conf and it didn't like it. Not sure what special sauce is needed.

You should add the entry manually in the configuration of the client afterwards.

Update: there is now a DNS field in the peer configuration of Unraid.
sittingmongoose Posted October 14, 2019
For future people having my issue: the problem was that my network IP was the same for my remote and home network, 192.168.50.*, and that's why it wasn't working on my Apple devices.
Xaero Posted October 14, 2019
22 hours ago, bonienl said:
You should add the entry manually in the configuration of the client afterwards.

Would it be possible to add this as an option in the GUI? I'll do it manually for now; but that doesn't help much for QR code users. A slider in the advanced for "Force DNS" with an input field for the DNS IP would be sufficient, I think.

EDIT: For people who do set the DNS manually in the client configs and want the QR code updated as well:

cd /etc/wireguard/peers
qrencode -o peer-<hostname>-wg#-*.png < peer-<hostname>-wg#-*.conf

(where # is the wg profile and * is the peer number) This will update the png manually.
bonienl (Author) Posted October 14, 2019
On 10/14/2019 at 8:25 PM, Xaero said:
Would it be possible to add this as an option in the GUI?

I'll have a look ... done
Xaero Posted October 15, 2019
10 hours ago, bonienl said:
I'll have a look

FYI, I was able to get this working properly manually with only the following data for all profile types:

DNS=<Local-IP> in the [Interface] section of the peer config.
<Local-IP>/32 included in the AllowedIPs= of the [Peer] section of the peer config.

A single DNS field and some rudimentary logic should sort whether or not the DNS is already included in the range. From there I manually regenerated the QR codes and moved on. Of course I can't touch those peers in the GUI now without ruining everything, but it works as is.
ljm42 Posted October 15, 2019
26 minutes ago, Xaero said:
FYI, I was able to get this working properly manually with only the following data for all profile types: DNS=<Local-IP> in the [Interface] section of the peer config. <Local-IP>/32 included in the AllowedIPs= of the [Peer] section of the peer config.

To clarify, what did you use for the DNS server? Was it the router on Unraid's LAN or something else?
Hoopster Posted October 15, 2019
3 minutes ago, ljm42 said:
To clarify, what did you use for the DNS server? Was it the router on Unraid's LAN or something else?

I'd like to do something like this to force VPN clients through Pihole, running on a RPi on LAN and set as DNS on my router. unRAID DNS points to Cloudflare. Perhaps I'll give @Xaero's suggestion a try once I have WireGuard set up tomorrow.
Xaero Posted October 15, 2019
1 hour ago, ljm42 said:
To clarify, what did you use for the DNS server? Was it the router on Unraid's LAN or something else?

The DNS server on my local LAN, in this case my ISP-provided cable modem gateway. Though eventually that will be replaced with OPNsense, now that I've tested everything works that way. Also, do note that you need to edit the peer configuration files manually in /etc/wireguard/peers. Afterwards you can regenerate the QR code using my instructions above, so that you can provide users with a QR code or the ZIP.
mraneri Posted October 15, 2019
10.0.2.1 is my router
10.0.2.6 is my Unraid server
10.20.0.2 and 10.20.0.3 are peers

I can connect to 10.0.2.6 and 10.0.2.1 from both peers, but I can't figure out the routing to be able to get to a docker with its own IP (10.0.2.3). I'm not currently running any VMs.
Xaero Posted October 15, 2019
7 hours ago, mraneri said:
10.0.2.1 is my router, 10.0.2.6 is my Unraid server, 10.20.0.2 and 10.20.0.3 are peers. I can connect to 10.0.2.6 and 10.0.2.1 from both peers, but I can't figure out the routing to be able to get to a docker with its own IP (10.0.2.3). I'm not currently running any VMs.

In the [Peer] section for the PEER configuration file that you want to have access to 10.0.2.3, make sure that 10.0.2.3/32 is in the list of AllowedIPs. If it's not, the tunnel won't send traffic to it.
mraneri Posted October 15, 2019
5 hours ago, Xaero said:
In the [Peer] section for the PEER configuration file that you want to have access to 10.0.2.3, make sure that 10.0.2.3/32 is in the list of AllowedIPs. If it's not, the tunnel won't send traffic to it.

Does it go on the server side of the peer config or the client side? I tried both and nothing changed. I can access other IPs on the network, just not custom IPs from Unraid.
Xaero Posted October 15, 2019
Needs to go on the client side peer config. Add to the list with

AllowedIPs=1.2.3.4/32, 5.6.7.8/32

Once set in the client config you do have to stop/start the WireGuard server. Make sure the config on the client is updated as well (changing it on the server doesn't change it on the device(s) that have that peer config loaded, so you'd have to reload it onto those devices). Once it's loaded onto the devices, the server has been restarted and you connect, try pinging the IP you are trying to access. It should at least ping if it's routable.
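Two of the manual edits in this thread (Xaero's DNS recipe: DNS= in [Interface] plus <Local-IP>/32 in AllowedIPs, and the advice above to add a /32 for any LAN host the client should reach) come down to the same question: is a given address already covered by an AllowedIPs entry, and if not, append it. The script below is an added example, not code from Unraid or from anyone in the thread. It parses a client-side peer .conf, applies both edits only where needed, and exposes the same covered-or-not check so you can ask which destinations the client would actually send into the tunnel. The sample config is constructed from the addresses quoted in the thread (10.0.2.0/24 LAN, 10.0.2.6 server, 10.0.2.3 container, 10.20.0.2 peer); the keys and endpoint are placeholders.

```python
import ipaddress
import re

# Constructed sample client-side peer config; keys and endpoint are placeholders.
SAMPLE_PEER_CONF = """\
[Interface]
PrivateKey = <client-private-key-placeholder>
Address = 10.20.0.2/32

[Peer]
PublicKey = <server-public-key-placeholder>
Endpoint = vpn.example.invalid:51820
AllowedIPs = 10.20.0.1/32, 10.0.2.6/32
PersistentKeepalive = 25
"""


def parse_conf(text):
    """Parse a WireGuard .conf into a list of (section_name, [(key, value), ...])."""
    sections = []
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = re.match(r"^\[(\w+)\]$", line)
        if m:
            current = (m.group(1), [])
            sections.append(current)
            continue
        if current is None or "=" not in line:
            raise ValueError(f"unexpected line: {raw!r}")
        key, value = (part.strip() for part in line.split("=", 1))
        current[1].append((key, value))
    return sections


def render_conf(sections):
    """Serialise the parsed structure back to .conf text."""
    out = []
    for name, items in sections:
        out.append(f"[{name}]")
        out.extend(f"{k} = {v}" for k, v in items)
        out.append("")
    return "\n".join(out)


def allowed_networks(sections):
    """Collect every AllowedIPs network from all [Peer] sections."""
    nets = []
    for name, items in sections:
        if name == "Peer":
            for k, v in items:
                if k == "AllowedIPs":
                    nets.extend(ipaddress.ip_network(p.strip(), strict=False)
                                for p in v.split(",") if p.strip())
    return nets


def routed_via_tunnel(sections, ip):
    """Return the most specific AllowedIPs entry covering ip, or None if the
    client would not send traffic for ip into the tunnel at all."""
    addr = ipaddress.ip_address(ip)
    matches = [n for n in allowed_networks(sections) if addr in n]
    return max(matches, key=lambda n: n.prefixlen) if matches else None


def ensure_allowed(sections, ip):
    """Append ip/32 to the first [Peer] AllowedIPs unless already covered.
    Returns True when the config was changed."""
    if routed_via_tunnel(sections, ip) is not None:
        return False
    for name, items in sections:
        if name != "Peer":
            continue
        for i, (k, v) in enumerate(items):
            if k == "AllowedIPs":
                items[i] = (k, f"{v}, {ip}/32")
                return True
        items.append(("AllowedIPs", f"{ip}/32"))
        return True
    raise ValueError("no [Peer] section in config")


def set_dns(sections, dns_ip):
    """Set DNS= in [Interface] (replacing any existing DNS line) and make sure
    the resolver itself is reachable through the tunnel."""
    for name, items in sections:
        if name == "Interface":
            items[:] = [(k, v) for k, v in items if k != "DNS"]
            items.append(("DNS", dns_ip))
            break
    else:
        raise ValueError("no [Interface] section in config")
    ensure_allowed(sections, dns_ip)
    return sections


def rewrite_peer_conf(text, dns_ip, extra_hosts=()):
    """Apply the DNS edit and any extra /32 hosts; return the new .conf text."""
    sections = parse_conf(text)
    set_dns(sections, dns_ip)
    for host in extra_hosts:
        ensure_allowed(sections, host)
    return render_conf(sections)


if __name__ == "__main__":
    # 10.0.2.1 as the LAN resolver, 10.0.2.3 as the container with its own IP.
    print(rewrite_peer_conf(SAMPLE_PEER_CONF, "10.0.2.1", ["10.0.2.3"]))
```

Run it against a copy of a file from /etc/wireguard/peers rather than the original, then regenerate the QR code as described earlier in the thread; a regenerated QR code is the only way the change reaches a phone that imported the old one. Note that routed_via_tunnel answers only whether the client will put the packet into the tunnel; whether the far side can deliver it (the "Destination Host Unreachable" case) is a separate question on the server's network.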
mraneri Posted October 16, 2019
48 minutes ago, Xaero said:
Needs to go on the client side peer config. Add to the list with AllowedIPs=1.2.3.4/32, 5.6.7.8/32. Once set in the client config you do have to stop/start the WireGuard server. Make sure the config on the client is updated as well (changing it on the server doesn't change it on the device(s) that have that peer config loaded, so you'd have to reload it onto those devices). Once it's loaded onto the devices, the server has been restarted and you connect, try pinging the IP you are trying to access. It should at least ping if it's routable.

Pinging 10.0.2.3 I get this:

$ ping 10.0.2.3
PING 10.0.2.3 (10.0.2.3) 56(84) bytes of data.
From 10.0.2.6: icmp_seq=1 Destination Host Unreachable
From 10.0.2.6: icmp_seq=2 Destination Host Unreachable
From 10.0.2.6: icmp_seq=3 Destination Host Unreachable
Hoopster Posted October 17, 2019
On 10/14/2019 at 10:55 PM, Xaero said:
FYI, I was able to get this working properly manually with only the following data for all profile types: DNS=<Local-IP> in the [Interface] section of the peer config. <Local-IP>/32 included in the AllowedIPs= of the [Peer] section of the peer config. From there I manually regenerated the QR codes and moved on.

Thanks, this worked beautifully for me. As with my local LAN, I want WireGuard connected clients to go through Pihole as my DNS. I am running Pihole on a Raspberry Pi on the local LAN, and setting its IP address as the DNS in the peer configurations as mentioned above and regenerating the QR code works.

Now the only problem left to resolve (there are posts on this already in these forums that I just need to read) is access via WireGuard to docker container webUIs that have IP addresses on a VLAN that is different from the unRAID server LAN subnet.
Xaero Posted October 17, 2019
3 hours ago, Hoopster said:
Thanks, this worked beautifully for me. As with my local LAN, I want WireGuard connected clients to go through Pihole as my DNS. I am running Pihole on a Raspberry Pi on the local LAN, and setting its IP address as the DNS in the peer configurations as mentioned above and regenerating the QR code works. Now the only problem left to resolve (there are posts on this already in these forums that I just need to read) is access via WireGuard to docker container webUIs that have IP addresses on a VLAN that is different from the unRAID server LAN subnet.

I think the latter can be achieved with one more routing rule; I just haven't sat down to figure it out.