Dynamix WireGuard VPN


bonienl


On 10/26/2019 at 12:33 AM, Hoopster said:

Here's what I currently have.  It appears I initially made a typo and had 192.168.3.1 as both the subnet and Gateway address. That was a mistake in the subnet entry, it's always the little things. Since that only shows up in Advanced view, I failed to check that when troubleshooting.  Thank you, thank you for catching that. 👍

 

I did not assign a DHCP pool because I wanted to manually assign an IP address to each container. 

 

[screenshot]

 

I also changed the Docker VLAN address assignment from 'Automatic' to 'None'.

 

IT WORKS NOW!!!  Thank you.

 

This traceroute looks a lot better. 😁

[screenshot]

 

I hope all this helps someone else.

Hey, can you please post a summary on what to do exactly to get it working? (maybe pictures of everything you changed?)

 

I'm a bit confused.

Edited by nuhll
19 hours ago, nuhll said:

Hey, can you please post a summary on what to do exactly to get it working?

This is my scenario. @bonienl Please correct anything erroneous in this post.  I am not a networking expert and am explaining things according to my understanding with my functioning WireGuard, router, and unRAID configuration.

  1. The unRAID server is on the 192.168.1.x subnet and the server IP address is 192.168.1.10
  2. Pi-hole is running on a Raspberry Pi on the same subnet as the unRAID server.  Its IP address is 192.168.1.60
  3. I have a dedicated VLAN (192.168.3.x) for docker containers with their own IP address.  This appears as Custom: br0.3 in the Docker networks
  4. I want Pi-hole as my DNS for WireGuard connected clients just as it is on my LAN
  5. I want to be able to access the WebUIs of the docker containers on the 192.168.3.x subnet from a WireGuard remote session

Caveat:  Docker containers with custom IP addresses on br0 WILL NOT be accessible via WireGuard.  This is an intentional design of Docker which isolates bridged networks on the same interface (eth0) as the server host LAN.  In order for Docker containers to be accessible via WireGuard remote sessions, they must be on a VLAN (br0.3 in my case) or a different NIC, e.g. eth1.

 

I only use IPv4.  If you use IPv6, you will need to appropriately configure that protocol as well.

 

Step 1 - If your router/switches support VLANs configure VLANs.  If they do not, make sure eth1 (or another NIC) is enabled and configured.

 

Disable VM Manager (Settings --> VM Manager), Disable Docker (Settings --> Docker), Enable VLANs and create a Docker VLAN in unRAID Settings --> Network Settings.

Note: the IPv4 Address Assignment should be 'None'

 

[screenshot]

 

Step 2: In Settings --> Docker configure the appropriate custom network; br0.X or br1

 

[screenshot]

 

Since I want to assign a static IP address to each docker container on the br0.3 VLAN, I did not assign any DHCP pool addresses.

 

Step 3: If your router and switches support VLANs, configure a VLAN on the router.  If your router/switches do not support VLANs, you will need to use a separate NIC in your unRAID server for any docker containers which need a custom IP address.

 

Note:  My router is the Ubiquiti USG.  Other routers will have a similar configuration if VLANs are supported.

 

[screenshot]

 

I want to assign a static IP address to my docker containers on the 192.168.3.x subnet and have specified the DHCP range as 192.168.3.100 - 150.  DHCP from the router and DHCP from Docker do not communicate with one another.  If you do assign a range of DHCP pool addresses in Docker, they should not be the same addresses as the router DHCP range, if using DHCP.  I assign static addresses in the 3.100 - 3.150 range to the containers, so this is not an issue.

 

Note: The first DHCP Name Server is set to the Pi-hole IP address.  This is only for LAN connected clients and will not make Pi-hole the DNS server for WireGuard connected clients.

 

Step 4: Make sure no firewall or routing rules restrict traffic between the unRAID server LAN and the Docker VLAN.  By default, the USG passes traffic between all "Corporate" LANs/VLANs so no additional configuration is needed. Other routers may require that you explicitly allow such traffic.

 

My LAN IN and LAN OUT firewall rules are identical and allow traffic in and out of all Corporate LANs.

 

[screenshot]

 

The last network in the screen shot above is 10.253.0.0/24.  This is the default WireGuard network and appears here because I defined a static route between this network and the unRAID server.  While you are in your router configuration screens, you should do this as seen below.

 

Step 5: Define a static route between the WireGuard network and the unRAID server.

 

[screenshot]

 

Step 6:  If UPnP is disabled on your router (as it is in mine), you will need a port forwarding rule for the WireGuard port.

Note: The default WireGuard port is 51820.  I had used this port in a WG test on a different server on my LAN, so I am using port 51830 for my main unRAID server.

 

[screenshot]

 

That's it for the router side of things, so now it's on to the WireGuard configuration.

 

Step 7:  Configure the WireGuard VPN and Peers in Settings --> VPN Manager as per the instructions in the WireGuard Quickstart.

 

[screenshot: WG Config]

 

Note:  The local endpoint is the public IP address or DDNS name of your unRAID server and the port specified should match the port in the router port forwarding rule if UPnP is disabled.  Make sure the static route indicated is also present in your router configuration.

 

I have entered the IP address of Pi-hole on the Raspberry Pi as the Peer DNS Server.  With my configuration, WireGuard connected clients benefit from Pi-hole ad filtering.

 

When a peer connects to the server via WireGuard, the WebUIs of docker containers running in host or bridge mode are accessible without the VLAN configuration.  For Docker containers on custom br0.x networks, the above configuration is necessary. Alternatively, they can exist on br1 or another NIC.

 

[screenshot]

 

If everything is properly configured, a traceroute (tracert in Windows), from a connected peer to a custom docker IP address will result in an output similar to the following:

 

[screenshot]

 

 

A WireGuard peer configuration will look something like this:

Note that Pi-hole is the DNS server and the docker VLAN (192.168.3.0/24) appears in the allowed IPs.

 

[screenshot: WG Peer Config]

 

I hope all of this is helpful to someone.

Edited by Hoopster
  • Like 5
  • Thanks 1
On 10/13/2019 at 8:34 AM, bonienl said:

[screenshot]

 

LAN hosts or docker containers/VMs with their own IP address, need a return path back to the WireGuard VPN tunnel which exists on the Unraid server to reach any remote destination.

 

This is achieved by adding the tunnel endpoint subnet to the gateway (router) which provides the regular access to remote destinations.

 

By default Unraid uses the 10.253.x.x/16 subnet for tunnel endpoint assignments. This subnet needs to be added to the router and points to the LAN (eth0) address of the Unraid server.

 

Below is an example of static routes added to a Ubiquiti router (other brands should offer something similar).

 

[screenshot]

 

It may also be needed to disable UPnP and NAT settings (switch on advanced view) and configure a port forwarding rule manually on your router.

 

THANK THANK THANK you for this. I was trying to set up a backup connection on my second Unraid server, and WireGuard connects but I cannot surf my internal LAN. I borked my primary WG config so Unraid is unpingable, so I have to find a way to stop WG while my system is running a parity check. I was racking my brain trying to configure static routes on my USG4p.

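Both the static-route step in Hoopster's guide (Step 5) and the return-path explanation quoted just above come down to one longest-prefix-match lookup on the LAN router. The model below is an added example written for this thread; it is not code from the Dynamix plugin or from any poster. It uses the addresses from the posts (server 192.168.1.10 on 192.168.1.0/24, Docker VLAN 192.168.3.0/24 behind the router, tunnel 10.253.0.0/24 with the server at 10.253.0.1 and a peer at 10.253.0.2); the container address 192.168.3.100 is a constructed example, and the class and function names are mine. The MASQUERADE rule is deliberately left out, so this is the NAT-off case in which the router's static route is the only way a reply can find its way back to the tunnel.

```python
"""Added example: why a WireGuard peer needs a static route on the LAN router.

A tiny longest-prefix-match forwarder over the topology described in the
thread. With the router's static route absent, the container's reply to
10.253.0.2 hits the router's default route and leaves towards the WAN; with
the route present it is handed to the Unraid server and enters wg0.
"""
import ipaddress

WAN = "WAN"  # sentinel next hop: the router's default route towards the internet


class Node:
    """A host or router: the addresses it owns plus a routing table."""

    def __init__(self, name, addrs, routes):
        self.name = name
        self.addrs = {ipaddress.ip_address(a) for a in addrs}
        # routes: (prefix, next_hop); next_hop None means directly connected
        self.routes = [(ipaddress.ip_network(p), nh) for p, nh in routes]

    def lookup(self, dst):
        """Longest-prefix match; returns the next hop or raises KeyError."""
        matches = [(net, nh) for net, nh in self.routes if dst in net]
        if not matches:
            raise KeyError(f"{self.name}: no route to {dst}")
        return max(matches, key=lambda r: r[0].prefixlen)[1]


def owner(nodes, ip):
    """The node that owns an address, or None if nobody in the lab does."""
    return next((n for n in nodes if ip in n.addrs), None)


def trace(nodes, start, dst, max_hops=8):
    """Forward one packet hop by hop. Returns (names of nodes visited, outcome)."""
    dst = ipaddress.ip_address(dst)
    node, path = start, [start.name]
    for _ in range(max_hops):
        if dst in node.addrs:
            return path, "delivered"
        try:
            nh = node.lookup(dst)
        except KeyError:
            return path, "no route"
        if nh == WAN:
            return path, "sent to WAN"   # the LAN router has no idea where 10.253.x lives
        target = owner(nodes, dst if nh is None else ipaddress.ip_address(nh))
        if target is None:
            return path, "unreachable"
        node = target
        path.append(node.name)
    return path, "hop limit"


def build_lab(static_route):
    """Topology from the thread; static_route adds 10.253.0.0/24 via 192.168.1.10 on the router."""
    router_routes = [("192.168.1.0/24", None), ("192.168.3.0/24", None), ("0.0.0.0/0", WAN)]
    if static_route:
        router_routes.append(("10.253.0.0/24", "192.168.1.10"))
    router = Node("router", ["192.168.1.1", "192.168.3.1"], router_routes)
    unraid = Node("unraid", ["192.168.1.10", "10.253.0.1"],
                  [("192.168.1.0/24", None), ("10.253.0.0/24", None), ("0.0.0.0/0", "192.168.1.1")])
    container = Node("container", ["192.168.3.100"],   # constructed example address on the VLAN
                     [("192.168.3.0/24", None), ("0.0.0.0/0", "192.168.3.1")])
    # The peer's AllowedIPs (LAN, Docker VLAN, tunnel) become routes into wg0;
    # the server's tunnel address stands in for "dev wg0" here.
    peer = Node("peer", ["10.253.0.2"],
                [("10.253.0.0/24", None), ("192.168.1.0/24", "10.253.0.1"), ("192.168.3.0/24", "10.253.0.1")])
    return [router, unraid, container, peer]


def round_trip(static_route):
    """(forward trace peer -> container, reply trace container -> peer)."""
    nodes = build_lab(static_route)
    router, unraid, container, peer = nodes
    return trace(nodes, peer, "192.168.3.100"), trace(nodes, container, "10.253.0.2")


if __name__ == "__main__":
    for flag in (False, True):
        fwd, back = round_trip(flag)
        print(f"static route {'present' if flag else 'absent '}: "
              f"forward {fwd[0]} -> {fwd[1]}; reply {back[0]} -> {back[1]}")
```

The forward direction succeeds either way because the Unraid server already has a default route via the router; only the reply depends on the router knowing that 10.253.0.0/24 is reachable through 192.168.1.10, which is exactly the static route both posts describe.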

I am sure I am missing something, and I see in the help that you need to turn off "Local server uses NAT:" if you want to access docker containers via their IP.

 

The issue I have with turning that off is my router has other route rules so if I disable NAT in wireguard the wireguard client IP makes it to the router and is not handled correctly on those other routes (other site to site connections).

 

I have docker containers in their own vlan, and can correctly ping them from the unraid host (goes via the router).

 

What I cannot figure out is why if you leave NAT on does it not work, as the traffic to the container from wireguard should still go via the router (using unraid's IP as the return) ? 


You can only get VPN -> br0 working when you use the tutorial some posts above and use the extra NIC and VLAN magic.

 

Pretty disappointed in the latest RCs, not even VMs are working.

 

Anyway, I noticed Android updates (for apps) are not working over VPN, any solution for that? It just stops at "waiting to download". If I disconnect the VPN, the update works.

Edited by nuhll
  • 2 weeks later...

So I had everything working. Updated only the plugin and now only my first peer can ever get a handshake. And even though I get a handshake - the WebUI, no LAN or server hosted content is accessible, and neither is the internet.

I just want a relatively easy to use VPN for myself and the people I have accessing it and I cannot figure out what I'm doing wrong now. I didn't touch any configuration other than updating wireguard from the original release to the one from November. 

Not sure what all should be posted so here's the censored wireguard config(s) for the half-working peer:
/etc/wireguard/wg0.conf:


[Interface]
#include=/webGui/include/update.wireguard.php
#file=/etc/wireguard/wg0.conf
#cfg=/etc/wireguard/wg0.cfg
#cmd=update
#name=Blackhole
#vtun=wg0
#wg=active
#subnets1=192.168.1.74, 10.253.0.1
#subnets2=192.168.1.0/24, 10.253.0.1
#shared1=192.168.1.74, 10.253.0.0/24
#shared2=192.168.1.0/24, 10.253.0.0/24
#internet=192.168.1.74:51820
#Home
PrivateKey=
Address=10.253.0.1
ListenPort=51820
PostUp=iptables -t nat -A POSTROUTING -s 10.253.0.0/24 -o br0 -j MASQUERADE
PostUp=logger -t wireguard 'Tunnel WireGuard-wg0 started'
PostDown=iptables -t nat -D POSTROUTING -s 10.253.0.0/24 -o br0 -j MASQUERADE
PostDown=logger -t wireguard 'Tunnel WireGuard-wg0 stopped'

[Peer]
#
PublicKey=
PresharedKey=
AllowedIPs=10.253.0.0/24, 192.168.1.74, 192.168.1.254

 


/etc/wireguard/peers/peer-Blackhole-wg0-1.conf:


[Interface]
#
PrivateKey=
Address=10.253.0.2/32
DNS=192.168.1.254

[Peer]
#Home
PresharedKey=
PublicKey=
Endpoint=dyndns:51820
AllowedIPs=192.168.1.0/24, 10.253.0.0/24



I feel like an iptables rule is missing, but I don't know enough to figure out what it is. My reasoning is that attempting to ping the DNS server (192.168.1.254) results in a Destination Host Unreachable from 10.253.0.1 (the Unraid server).
The handshake completes so I know the peer keys and endpoints are right, something on the routing side is wrong.

 

Edited by Xaero
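The config posted above is the kind of thing a small linter can check before anyone starts guessing at iptables rules. The script below is an added example written for this thread, not code from the Dynamix plugin or from the poster; the function names and the LAN-prefix argument are mine, and the sample config is a constructed copy of the posted one with keys redacted. It assumes the interface is brought up by wg-quick (PostUp and PostDown are wg-quick keys), which installs a route via wg0 for every AllowedIPs prefix of every [Peer]. Run on the sample, it reports the two LAN addresses in the server-side [Peer] AllowedIPs, since a /32 route via wg0 is more specific than the LAN /24 on br0 and would steer the server's own packets for those hosts into the tunnel, and it confirms that the MASQUERADE rule's source prefix contains the tunnel address.

```python
"""Added example: lint a wg-quick style server config for routing pitfalls.

Assumptions (not confirmed by the thread): the interface is brought up by
wg-quick, so each AllowedIPs prefix becomes 'ip route add <prefix> dev wg0';
the LAN prefixes the server sits on are supplied by the caller.
"""
import ipaddress
import re

# Constructed sample modeled on the server config posted above; keys redacted.
SAMPLE_WG0_CONF = """\
[Interface]
#name=Blackhole
PrivateKey=REDACTED
Address=10.253.0.1
ListenPort=51820
PostUp=iptables -t nat -A POSTROUTING -s 10.253.0.0/24 -o br0 -j MASQUERADE
PostUp=logger -t wireguard 'Tunnel WireGuard-wg0 started'
PostDown=iptables -t nat -D POSTROUTING -s 10.253.0.0/24 -o br0 -j MASQUERADE

[Peer]
PublicKey=REDACTED
PresharedKey=REDACTED
AllowedIPs=10.253.0.0/24, 192.168.1.74, 192.168.1.254
"""

SRC_RE = re.compile(r"(?:^|\s)-s\s+(\S+)")  # the -s <prefix> argument of an iptables rule


def parse_wg_conf(text):
    """Return a list of (section_name, {key: [values]}).
    Keys may repeat (PostUp does), so values are kept in lists; '#' comments
    and blank lines are dropped."""
    sections = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        if line.startswith("[") and line.endswith("]"):
            sections.append((line[1:-1], {}))
            continue
        if not sections:
            raise ValueError("key outside of any section: " + line)
        key, _, value = line.partition("=")
        sections[-1][1].setdefault(key.strip(), []).append(value.strip())
    return sections


def peer_allowed_ips(sections):
    """Flatten every [Peer] AllowedIPs list into ip_network objects (bare hosts become /32)."""
    nets = []
    for name, keys in sections:
        if name != "Peer":
            continue
        for entry in ",".join(keys.get("AllowedIPs", [])).split(","):
            entry = entry.strip()
            if entry:
                nets.append(ipaddress.ip_network(entry, strict=False))
    return nets


def lan_overlaps(sections, lan_prefixes):
    """AllowedIPs entries that lie inside one of the server's own LAN prefixes.
    wg-quick turns each into a route via wg0; a /32 via wg0 beats the LAN /24
    on br0, so the server's own traffic to that LAN host goes into the tunnel."""
    lans = [ipaddress.ip_network(p) for p in lan_prefixes]
    hits = []
    for net in peer_allowed_ips(sections):
        for lan in lans:
            if net.version == lan.version and net.subnet_of(lan):
                hits.append((str(net), str(lan)))
    return hits


def masquerade_covers_tunnel(sections):
    """True when every PostUp MASQUERADE rule's -s prefix contains the
    [Interface] Address, i.e. NAT is applied to the tunnel's own subnet."""
    iface = next(keys for name, keys in sections if name == "Interface")
    addr = ipaddress.ip_interface(iface["Address"][0]).ip
    rules = [v for v in iface.get("PostUp", []) if "MASQUERADE" in v]
    if not rules:
        return False
    for rule in rules:
        m = SRC_RE.search(rule)
        if not m or addr not in ipaddress.ip_network(m.group(1), strict=False):
            return False
    return True


if __name__ == "__main__":
    conf = parse_wg_conf(SAMPLE_WG0_CONF)
    for net, lan in lan_overlaps(conf, ["192.168.1.0/24"]):
        print(f"AllowedIPs {net} lies inside LAN {lan}: wg-quick would route it via wg0")
    print("MASQUERADE covers tunnel subnet:", masquerade_covers_tunnel(conf))
```

Pass the server's real LAN prefixes (for the posted config, 192.168.1.0/24 as recorded in its #subnets2 comment); anything the linter flags is a prefix that the server would stop reaching on the LAN once wg0 comes up.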
  • 4 weeks later...
On 11/19/2019 at 9:19 PM, Xaero said:

So I had everything working. Updated only the plugin and now only my first peer can ever get a handshake. And even though I get a handshake - the WebUI, no LAN or server hosted content is accessible, and neither is the internet.

I just want a relatively easy to use VPN for myself and the people I have accessing it and I cannot figure out what I'm doing wrong now. I didn't touch any configuration other than updating wireguard from the original release to the one from November. 

I feel like an iptables rule is missing, but I don't know enough to figure out what it is. My reasoning is that attempting to ping the DNS server (192.168.1.254) results in a Destination Host Unreachable from 10.253.0.1 (the Unraid server).
The handshake completes so I know the peer keys and endpoints are right, something on the routing side is wrong.

 

 

I had essentially the exact same experience as you. Even further than that, upon filling in my Allowed IPs and applying the change, it crashed my server and I couldn't get it back up. I ended up having to revert back to an old restore point just to get the server and Unraid working again.

 

Really not sure what went wrong either, but for now I'm just happy with my server back up.

On 11/2/2019 at 7:44 PM, Hoopster said:

This is my scenario. @bonienl Please correct anything erroneous in this post.  I am not a networking expert and am explaining things according to my understanding with my functioning WireGuard, router, and unRAID configuration.

  1. The unRAID server is on the 192.168.1.x subnet and the server IP address is 192.168.1.10
  2. Pi-hole is running on a Raspberry Pi on the same subnet as the unRAID server.  Its IP address is 192.168.1.60
  3. I have a dedicated VLAN (192.168.3.x) for docker containers with their own IP address.  This appears as Custom: br0.3 in the Docker networks
  4. I want Pi-hole as my DNS for WireGuard connected clients just as it is on my LAN
  5. I want to be able to access the WebUIs of the docker containers on the 192.168.3.x subnet from a WireGuard remote session

Caveat:  Docker containers with custom IP addresses on br0 WILL NOT be accessible via WireGuard.  This is an intentional design of Docker which isolates bridged networks on the same interface (eth0) as the server host LAN.  In order for Docker containers to be accessible via WireGuard remote sessions, they must be on a VLAN (br0.3 in my case) or a different NIC, e.g. eth1.

 

I only use IPv4.  If you use IPv6, you will need to appropriately configure that protocol as well.

 

 

For those of you struggling to get WireGuard working with the Pi-hole docker container, this should be wholly unnecessary. I reproduced the problem on my unRAID VM and came up with an alternative solution that doesn't require anything nearly as exotic as a VLAN or an additional interface. All you need to do is convert the Pi-hole container to a host network type instead of the ipvlan you normally set up. Instructions here:

 

 

As a bonus, I have seen sporadic reports of the Pi-hole container failing to start due to "dnsmasq: failed to create listening socket for port 53: Address already in use". This same solution should fix that problem.

  • Thanks 1
15 hours ago, T0rqueWr3nch said:

For those of you struggling to get WireGuard working with the Pi-hole docker container, this should be wholly unnecessary.

I already had VLANs setup for other reasons, so taking advantage of it for WireGuard/Pihole/Custom IP Docker access was no big deal.  I am glad you found a way that works for those who can't or don't want to create VLANs.


Hi Guys,

 

I've spent hours trying to work this out when it comes to dockers on a custom IP, but no joy at all. (This is not really a WireGuard issue, as OpenVPN has the same issue.)

 

Here is my setup:

 

pfSense router as a VM on Unraid. Currently has an Intel NIC with 4 ports passed through.

 

Socket 0 - WAN

Socket 1 - LAN1 (192.168.1.0/24)

Socket 2 - LAN20 (192.168.20.0/24)

Socket 3 - Not used

uPnP - Disabled

Port forwarding 51820 to 192.168.1.10 UDP enabled.

 

Socket 1 goes to switch to feed my house and one wire back to Unraid to ETH1.

Socket 2 goes to Unraid ETH2. (I know I could just do a VLAN instead, but I prefer a physical wire.)

 

UNRAID SERVER

ETH0 - unraid server running on this socket using static IP 192.168.1.10

ETH1 - used for docker containers only using static IP 192.168.20.10

 

ETH0 and ETH1 are not connected to each other in any way (bonding, I mean). See the routing table below as well.

[screenshot: routing table]

 

Firewall rule on LAN20 is simple for sake of troubleshooting. Everything allowed from any source to any destination any port or protocol.

Firewall rule on LAN1 allows 10.253.0.0/24 to 192.168.1.0/24.

I have 192.168.1.10 set up as a simple gateway in pfSense.

I am static routing anything from 10.253.0.0 to 192.168.1.10 as I have NAT in WireGuard DISABLED. See screenshot.

[screenshot: routing]

 

If i missed something from my setup please do not hesitate to ask.

 

Docker has two networks setups. br0 and br1.

 

So what works in terms of local network only.

My PC is on LAN1 (192.168.1.50); I can access all dockers on LAN20 and I can access the router gateway on LAN20 as well, so locally everything works perfectly.

 

Whats working:

When I connect with the WireGuard Android app to my Unraid from my phone using remote tunneled access over the 4G network.

 

I can:

Access unraid on 192.168.1.10

Access unraid on 192.168.20.10

Access router admin page on 192.168.1.1

Access router admin page on 192.168.20.1

I can browse internet using Unraid's WAN IP.

 

I can't from my phone over 4G:

All dockers on LAN20 network (bridged dockers are working)

Ping my PC on 192.168.1.50

 

The traceroute is the same as in the past posts; basically it stops at 10.253.0.2 and doesn't go further.

 

What is really funny and weird is that I can ping my router on both LAN1 and LAN20 but I cannot ping my PC on 192.168.1.50, so it clearly indicates that it is not just dockers but any devices on the network (except pfSense and Unraid, because they are basically one physical box).

 

What i believe i have correct:

LANs on router (if not i wouldn't be able to access dockers locally)

Firewall rules (same as above i wouldn't be able to access anything in between network LAN1 and LAN20)

Docker network settings. (If this wouldn't be right i wouldn't be able to access dockers locally from LAN1 to LAN20)

 

What i didn't try yet:

VMs are on br0 and I could try moving them to br1 instead, but I am not sure what it will do to pfSense since it's my main router.

 

I am not afraid to try anything as i can access unraid on localhost. Any suggestions are welcome.

 

 

 

 

Edited by Korshakov

Edit: I don't think this has anything to do with the plugin itself. I signed in on Unraid localhost and tried to ping anything on the network; nothing would get a reply other than the reply from the router. I don't understand.... I can access Unraid from any network, but Unraid can't access any network other than the gateways.

 

Edit: so I've tried to replace my pfsense VM with my old physical router. When I tunnel to unraid I can now ping onto any device in network. Because my old router doesn't support vlans or multiple networks I can't really try out dockers on different network or vlan.

 

Any suggestions? 

Edited by Korshakov
6 hours ago, arostad said:

I really love this implementation of WireGuard on unRAID, but am I missing something or is it just not possible to tunnel IPv4 AND IPv6 over the same tunnel? I was running my previous WireGuard setup this way right from Ubuntu Server and it worked perfectly.

Right now you need to set up two separate tunnels, one for IPv4 and the other for IPv6.

I will look into a future update to combine IPv4 and IPv6 over the same tunnel.

  • Like 1
3 hours ago, bonienl said:

Good news. An update of the Dynamix WireGuard plugin is available.

This version supports mixed IPv4 and IPv6 tunnels.

It has quite extensive updates and corrections and users are encouraged to update.

Give it a try ...

I updated and can no longer connect.

 

My bad.  After updating the Wireguard plugin I reset my router and my IP address changed.  Once I fixed that, all is set.

 

 

Edited by dlandon
