Dynamix WireGuard VPN


bonienl

Recommended Posts

On 10/13/2019 at 4:55 PM, bonienl said:

You may need two entries:


Network       Mask            Gateway
10.253.0.0    255.255.255.0   Unraid LAN IP
peer-subnet   peer-mask       Unraid LAN IP

 

Are "peer-subnet" and "peer-mask" referring to the IP subnet and mask that Unraid is using, 192.168.1.0 and 255.255.255.0 in my case? (My Unraid has 192.168.1.15).

Link to comment
5 hours ago, ICDeadPpl said:

Are "peer-subnet" and "peer-mask" referring to the IP subnet and mask that Unraid is using, 192.168.1.0 and 255.255.255.0 in my case? (My Unraid has 192.168.1.15).

The peer-subnet + peer-mask are not necessary, just the tunnel-endpoints subnet.

(I have updated the original post)

Link to comment
On 10/13/2019 at 4:34 PM, bonienl said:

image.png.a7c586872b1589d9100c3648304d23c3.png

 

LAN hosts or docker containers/VMs with their own IP address, need a return path back to the WireGuard VPN tunnel which exists on the Unraid server to reach any remote destination.

 

This is achieved by adding the tunnel endpoint subnet to the gateway (router) which provides the regular access to remote destinations.

 

By default Unraid uses the 10.253.x.x/16 subnet for tunnel endpoint assignments. This subnet needs to be added to the router and points to the LAN (eth0) address of the Unraid server.

 

Below is an example of static routes added to a Ubiquiti router (other brands should offer something similar).

 

image.thumb.png.4df21f0ef2b3404e9b912d093a55c0bd.png

I dont understand. I didnt do anything like this.

 

And all works. VNC, HTTP, RDP?

 

I have a tripple NAT. Only thing i did was port forward!? Even my local DNS Server is working...?

 

I have the following nets: 192.168.0.*, 192.168.1.*, 192.168.2.*, (3 routers in a row) then wifi network 192.168.86.*


Unraid 192.168.86.2

PiHole 192.168.86.5

VPN (standard 10.253.0.10)

Edited by nuhll
Link to comment

Hello,

 

I must be close but cant figure out the last piece of the puzzle!

 

I have gotten wireguard working, but cannot access dockers not on the bridge network (aka docker's with their own IP)

 

cannot access dockers with there own IP (192.168.8.0/24).

I can access dockers on unraid's IP (192.168.8.151)

 

Wireguard network: 10.253.0.0/24

Router: 192.168.8.1

Unraid IP: 192.168.8.151 (network 192.168.8.0/24)

 

I have "remote tunnel access" enabled for my peer (the client has AllowedIPs=0.0.0.0/0 to tunnel all traffic thru the VPN tunnel)

 

Here's my pfSense static route:

 

Network               Gateway                         Interface

10.253.0.0/16         unRAID - 192.168.8.151           Vlan_Internal

 

What am I missing?

Edited by CrimsonTyphoon
added remote tunnel access
Link to comment

For this type of access it is recommended that the peer uses a DNS server which is reachable over the tunnel.

When your router (gateway) is acting as local DNS server to your LAN, then use its IP address as DNS server for the peer.

You can add DNS setting manually or if you update to the latest version of the plugin, it is configurable (still need to update the peer though)

 

How do you access the docker containers? Try this from the GUI -> Docker -> click container -> WebUI

Link to comment

Hmm, I use the pfSense as the DNS server, because i have custom entries pointing to my various dockers (sabnzbd.domain.com, sonarr.domain.com, etc.) They all sit behind my reverse proxy docker at 192.168.8.175. I have updated the latest version of the plugin to add the DNS settings.

 

Going directly to the domain (sabznbd.domain.com, thru reverse proxy) or accessing directly via IP (192.168.8.100) does not work. Through the WebUI it goes through the IP and does not work either :-/

 

Edit: Here is unRAID's routing table:

 

PROTOCOL	ROUTE				GATEWAY					METRIC	
IPv4		default				192.168.8.1 via br0			1	
IPv4		10.253.0.2			wg0					1	
IPv4		172.17.0.0/16			docker0					1	
IPv4		192.168.8.0/24			br0					1	
IPv4		192.168.122.0/24		virbr0					1	

 

Edited by CrimsonTyphoon
Link to comment

Can you do a traceroute (windows = tracert) from the peer to an IP address of the docker container

>tracert -d 10.0.101.100

Tracing route to 10.0.101.100 over a maximum of 30 hops

  1     3 ms     2 ms     2 ms  10.253.0.1
  2     2 ms     2 ms     2 ms  10.0.101.100

Trace complete.

Above is a traceroute from my laptop to one of my containers (pi-hole) with a custom IP address (10.0.101.100).

It goes over the tunnel and the container respond as well.

  • Thanks 1
Link to comment

Here you go:

 

On Wifi:

$ traceroute 192.168.8.175
 1?: [LOCALHOST]                      pmtu 1500
 1:  sabnzbd.domain.com                                        10.045ms reached
 1:  sabnzbd.domain.com                                       2.332ms reached
     Resume: pmtu 1500 hops 1 back 1

 

On Wireguard:

 

$ traceroute 192.168.8.75
 1?: [LOCALHOST]                      pmtu 1280
 1:  10.253.0.1                                           52.842ms
 1:  10.253.0.1                                           63.555ms
 2:  no reply
 3:  no reply
^C

I am not a network expert, but it seems that the unRaid server (10.253.0.1) gets the packet, but has no idea what to do with it and drops it? I do not see it blocked in my pfSense logs either. 

Link to comment
11 minutes ago, CrimsonTyphoon said:

it seems that the unRaid server (10.253.0.1) gets the packet, but has no idea what to do with

No, this means the wireguard tunnel receives the packet but the next-hop device (your pfsense) doesn't know the way back.

 

Ps. if the router doesn't know how to reach the destination, you get "destination unreachable" as answer.

Edited by bonienl
Link to comment
16 hours ago, bonienl said:

No, this means the wireguard tunnel receives the packet but the next-hop device (your pfsense) doesn't know the way back.

 

Ps. if the router doesn't know how to reach the destination, you get "destination unreachable" as answer.

Can you explain me why i dont need any new routes and it just works out of the box without any changes? U said it doesnt know a way back... but how is the requestet data (e.g. webtraffic) routed back to the mobile... then?

 

Also why is my (br0) pihole working, also without any extra rules...?

Link to comment
23 minutes ago, bonienl said:

I can't because I don't know your setup, which seems odd with so many routers chained. It may create different paths which do not exist in a 'regular' set up.

 

 

Router 1 192.168.1.1

Router 2 192.168.2.1

Router 3 (load balancer) 192.168.0.1

Google Wifi 192.168.86.1 (Gateway is 192.168.0.1)

Unraid 192.168.86.2

PiHole 192.168.86.5

 

All routers are standard setup WAN/LAN and all devices can talk to each other (but thats default)

 

Only thing i did was 1 port forward from router 1 -> router 3 (all dyndns go to router 1 only) -> Google Wifi -> Unraid

Edited by nuhll
Link to comment
On 10/20/2019 at 3:04 PM, bonienl said:

No, this means the wireguard tunnel receives the packet but the next-hop device (your pfsense) doesn't know the way back.

 

Ps. if the router doesn't know how to reach the destination, you get "destination unreachable" as answer.

 

@bonienl First and foremost, thank you for all of your help and your wonderful plugin! Everything you do for the community is greatly appreciated :-)

 

I did some troubleshooting but still no dice.

 

I turned off NAT in wireguard settings. Nothing works (no surprise there?)

When i do a nslookup, I get an error message, "Got recursion not available from 8.8.4.4, trying next server". Then it does not work and I get, "server cannot find sabnzbd.domain.com: Refused. This is interesting - I specifically put my pfsense router as the DNS server.

 

However, when I turn on NAT and do the same thing, it uses 8.8.8.8, and resolves sabnzbd.domain.com . Note: sabnzbd.domain.com will only resolve internally, as I have a domain override in pfSense. Therefore, even though it says its using 8.8.8.8 it is really using 192.168.8.1 (pfsense)

 

I did a packet capture on the lan port on pfSense:

 - When I visit a docker with it's own IP, I do not see the packet.

 - When I visit a docker with unraid's IP, I do not see the packet. This makes sense because unraid is not sending it the router and back, its routing it internally

 

Because I dont see the packet both times I am going to assume that the macvlan driver is blocking it as a docker security mechanism (again, I am not an expert in networking, so for all I know I am completely off base here). I actually had t his same problem with the OpenVPN docker, but gave up and just used OpenVPN on pfsense.

 

Going to try to make a new vlan, and assign unraid to it somehow so it wireguard only uses that interface? Back to the drawing board I suppose (although since I have to stop the array, gotta wait until the server is not in use :-) )

 

 

Edited by CrimsonTyphoon
typo
Link to comment

I've been looking for the magic sauce that allows the UIs of the docker containers I have assigned to a VLAN to be accessible via WireGuard.  I can, of course, access all the UIs for containers running in host or bridge mode on the 192.168.1.x subnet.  Nothing on br0.3 (192.168.3.x subnet) is accessible.

 

I have a static route defined in the router from the WireGuard VPN tunnel to the unRAID eth0 interface:

 

image.thumb.png.83a3cb8697cd14a1875e90c300a489e2.png

 

The router allows traffic between the 192.168.1.x and 192.168.3.x networks.  There are no firewall rules blocking that traffic.

 

The WireGuard peer configuration picks up the 192.168.3.x subnet as an allowed IP range.

 

wireguard peer config.png

 

What am I missing?

Edited by Hoopster
Link to comment

I think the answer is yes but I just wanted to ask and confirm. If I have two devices, say an iPhone and a Windows Laptop, should I setup a peer for each device?

 

Thanks for the plugin, I feel like it takes something very complex and makes it pretty manageable after a little learning.

Link to comment
33 minutes ago, Dimtar said:

I think the answer is yes but I just wanted to ask and confirm. If I have two devices, say an iPhone and a Windows Laptop, should I setup a peer for each device?

 

Thanks for the plugin, I feel like it takes something very complex and makes it pretty manageable after a little learning.

If you need, i dont know, but i guess yes. (I think you can only connect one time at the same time)

 

If you should, ofc.

Edited by nuhll
Link to comment
5 hours ago, CrimsonTyphoon said:

 

@bonienl First and foremost, thank you for all of your help and your wonderful plugin! Everything you do for the community is greatly appreciated 🙂

 

I did some troubleshooting but still no dice.

 

I turned off NAT in wireguard settings. Nothing works (no surprise there?)

When i do a nslookup, I get an error message, "Got recursion not available from 8.8.4.4, trying next server". Then it does not work and I get, "server cannot find sabnzbd.domain.com: Refused. This is interesting - I specifically put my pfsense router as the DNS server.

 

However, when I turn on NAT and do the same thing, it uses 8.8.8.8, and resolves sabnzbd.domain.com . Note: sabnzbd.domain.com will only resolve internally, as I have a domain override in pfSense. Therefore, even though it says its using 8.8.8.8 it is really using 192.168.8.1 (pfsense)

 

I did a packet capture on the lan port on pfSense:

 - When I visit a docker with it's own IP, I do not see the packet.

 - When I visit a docker with unraid's IP, I do not see the packet. This makes sense because unraid is not sending it the router and back, its routing it internally

 

Because I dont see the packet both times I am going to assume that the macvlan driver is blocking it as a docker security mechanism (again, I am not an expert in networking, so for all I know I am completely off base here). I actually had t his same problem with the OpenVPN docker, but gave up and just used OpenVPN on pfsense.

 

Going to try to make a new vlan, and assign unraid to it somehow so it wireguard only uses that interface? Back to the drawing board I suppose (although since I have to stop the array, gotta wait until the server is not in use 🙂 )

 

 

What exactly is the problem?

Link to comment
3 hours ago, Dimtar said:

I think the answer is yes but I just wanted to ask and confirm. If I have two devices, say an iPhone and a Windows Laptop, should I setup a peer for each device?

 

Thanks for the plugin, I feel like it takes something very complex and makes it pretty manageable after a little learning.

Yes, you need to create two peers.

Both can be active/used at the same time.

Link to comment

I cannot figure out how to get my phone to see the pi-hole docker container on 10.0.2.3. I have the DNS configured on the client side. 

Setting NAT doesn't seem to change anything either.

I can see other physical nodes on the network, just not the docker assigned a custom IP.

 

 

Screenshot_20191022-130514.thumb.png.58c546e897a7f2af8f90f2af41a332e2.pngScreenshot_20191022-130401.thumb.png.d32a9e4e423604189736730af4e3efdc.pngRoutes.PNG.9bbbc20decc5888d37489619a1c5f24d.PNGVPN.thumb.PNG.513744d4082fad1731a0d41069b53c57.PNG

Link to comment

Join the conversation

You can post now and register later. If you have an account, sign in now to post with your account.
Note: Your post will require moderator approval before it will be visible.

Guest
Reply to this topic...

×   Pasted as rich text.   Restore formatting

  Only 75 emoji are allowed.

×   Your link has been automatically embedded.   Display as a link instead

×   Your previous content has been restored.   Clear editor

×   You cannot paste images directly. Upload or insert images from URL.