Dynamix WireGuard VPN


bonienl


On 1/6/2020 at 5:34 PM, Selmak said:

First of all, thanks for the WireGuard GUI; creating a VPN has never been easier.

 

Like a lot of people here, I couldn't access my Docker containers on custom IP addresses using the default macvlan network that Unraid creates.

However, there seems to be a workaround. I found this blog post by Lars Kellogg-Stedman, which describes the problem and a solution.

 

Instead of letting Unraid create the Docker network, do it yourself and use the --aux-address option.

Then create another macvlan to communicate with the containers.

 

This is what I did.

I deleted the network that the Unraid GUI made, then I set up my Docker network with the following:


# Same subnet and gateway as before, a small pool for containers (--ip-range),
# and the host's own address kept out of that pool with --aux-address
docker network create -d macvlan -o parent=br0 --subnet 192.168.1.0/24 --gateway 192.168.1.1 --ip-range 192.168.1.128/28 --aux-address 'host=192.168.1.223' mynet

Then I added the other macvlan and these IP routes. I also added them to the go file.


# Host-side macvlan interface on the same parent, carrying the reserved host address
ip link add mynet-shim link br0 type macvlan mode bridge
ip addr add 192.168.1.223/32 dev mynet-shim
ip link set mynet-shim up
# Only the container pool is reached through the shim
ip route add 192.168.1.128/28 dev mynet-shim

Now I can access all my Docker containers :)

Hope this helps people, and thanks to Lars for his blog.

 

On 1/6/2020 at 6:05 PM, bonienl said:

Interesting workaround. I'll have a look at how to integrate it with Unraid.

 

Hope you're all safe and indoors. With the additional time at home - and the AL I am on - I have more time to play with unRAID again. Just like old times.

 

Re the above post by @Selmak and the reply by @bonienl: does anyone know if there has been any progress on a more permanent solution for accessing containers with custom IPs through a WireGuard VPN connection?

 

It's a great piece of technology; however, I use custom IPs a lot to channel containers' connections through a VPN client that runs on my router (Merlin-ASUSWRT), which means I am stuck running OpenVPN-AS on a dedicated *nix VM.

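As an added example (not Selmak's commands or Unraid's code), the following Python plans the same macvlan shim from the quoted post and checks the addressing before anything is run: the address reserved with --aux-address has to be inside --subnet but outside --ip-range, the gateway likewise, and the route on the shim should cover only the container pool. The values are the ones from the post; the function, its checks and their names are this example's own.

```python
"""Plan a host-reachable macvlan network plus shim interface (added example)."""
import ipaddress
from typing import List


def plan_macvlan_shim(subnet: str, gateway: str, ip_range: str, host_addr: str,
                      parent: str = "br0", net_name: str = "mynet") -> List[str]:
    """Return the docker/ip commands for the shim, or raise ValueError if the
    addressing would misbehave. Nothing is executed here."""
    net = ipaddress.ip_network(subnet, strict=True)
    rng = ipaddress.ip_network(ip_range, strict=True)
    gw = ipaddress.ip_address(gateway)
    host = ipaddress.ip_address(host_addr)

    if not rng.subnet_of(net):
        raise ValueError(f"--ip-range {rng} is not inside --subnet {net}")
    if gw not in net:
        raise ValueError(f"--gateway {gw} is not inside --subnet {net}")
    if gw in rng:
        raise ValueError(f"--gateway {gw} lies inside the container pool {rng}")
    if host not in net:
        raise ValueError(f"host address {host} is not inside --subnet {net}")
    if host in rng:
        # Keep the host outside the pool so the shim's route for the pool
        # never covers the shim's own address.
        raise ValueError(f"host address {host} must be outside --ip-range {rng}")

    shim = f"{net_name}-shim"
    return [
        # Docker-managed macvlan; --aux-address keeps `host` out of IPAM.
        f"docker network create -d macvlan -o parent={parent} "
        f"--subnet {net} --gateway {gw} --ip-range {rng} "
        f"--aux-address 'host={host}' {net_name}",
        # Host-side macvlan interface in bridge mode on the same parent...
        f"ip link add {shim} link {parent} type macvlan mode bridge",
        f"ip addr add {host}/{host.max_prefixlen} dev {shim}",
        f"ip link set {shim} up",
        # ...and a route so only the container pool goes through the shim.
        f"ip route add {rng} dev {shim}",
    ]


def shim_plan_is_valid(subnet: str, gateway: str, ip_range: str, host_addr: str) -> bool:
    """True if plan_macvlan_shim accepts the addressing, False if it rejects it."""
    try:
        plan_macvlan_shim(subnet, gateway, ip_range, host_addr)
    except ValueError:
        return False
    return True


if __name__ == "__main__":
    # Values from the post above; run the printed lines as root (e.g. from the go file).
    for cmd in plan_macvlan_shim("192.168.1.0/24", "192.168.1.1",
                                 "192.168.1.128/28", "192.168.1.223"):
        print(cmd)
```

Run the printed commands as root; the post puts them in the go file so they survive a reboot. A rejected plan is preferable to a shim whose /28 route also covers its own address or the gateway.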

Is it possible that the server <-> server setting is bugged?

The problem with this setting is that it is also routing the local networks.

 

It gets the exact same config, with the networks routed, as LAN <-> LAN.

 

It's definitely a bug: in allowed IPs there should be only the IP address of the server, but it also inserts the IP address of the LAN network (when you press the eye for the configuration).

Also, it is completely useless to set anything in "Peer allowed IPs"; it ignores anything I type into this field.

Edited by ryperx

Another problem I have: I can't get the "Remote access to server" configuration working. When I choose "Remote Tunneled Server" it works without a problem and connects instantly.

 

Can anybody help?
The only connection config that works is when I choose Remote Tunneled Server. The other connections don't work.

What is the difference? I would prefer to tunnel only connections to the server through the VPN, not everything.

 

Edit:
I found out it isn't a problem of the tunnel not working; the problem is that the ping from Unraid to the client doesn't work.

Edited by ryperx

Slowly I begin to understand how it works, but I see a little security problem if someone uses only the predefined peer types without setting the firewall settings.

As I see it, when I set in the config "Allowed IPs" only the server IP address, it gets copied into the config.
When the user now adds other IP addresses from the local network, these also work. So this would mean I need to create an additional tunnel for every user (and set firewall rules for networks) when the user needs other rights in the network, because the user could add additional routes every time?

 

Edit:
Don't know if I'm talking to myself here, but OK^^

Found out the following: pinging from my Unraid server to the remote connected device often doesn't work, for example when only connections to my server are allowed, so I tried to debug.

 

Found out the following.

At the moment I have 2 tunnels defined

Tunnel wg0

Network: 10.253.0.1

Server: 10.253.0.5 (yes this is on purpose)

 

Tunnel wg1

Network: 10.253.1.1

Server: 10.253.1.1

Client: 10.253.1.2

 

When I connect a client on tunnel wg1 and try to ping the device after a successful connection, it isn't working. Pinging the server address (10.253.1.1) from the client works fine. At this moment it has only the tunnel wg1 gateway defined in Peer allowed IPs, which is correct as I understand it.

When I also define in the config on my client, under AllowedIPs, the default IP gateway address (10.253.0.1/32) from tunnel wg0, then the ping from my Unraid server to the client works. I really don't understand how this can be possible?? I didn't define this IP anywhere on my Unraid server at the moment; is it possible that WireGuard still uses this IP in the background? Pinging the IP address from my server results only in losses.

 

I really don't understand why this happens. As it looks, the Unraid server pings the IP address of the client from the address of tunnel wg0.

I checked the defined routes on the Unraid server, but they are defined correctly as far as I can see.

 

Also found another bug: as I see it, it doesn't matter what I type into Peer allowed IPs; it will be ignored when I export the config with the eye.

Tested this with server <-> server and Remote access to server. It's funny because the setting is mandatory but it doesn't matter what I type in there^^

 

Feature request

What I would be looking for is a "custom" setting, without anything set beforehand in the allowed IPs.

Edited by ryperx
12 hours ago, ryperx said:

As I see it, it doesn't matter what I type into Peer allowed IPs; it will be ignored when I export the config with the eye.

Lots of questions here, maybe this tidbit will help:

 

The "Peer allowed IPs" setting in the interface goes in the server config file /boot/config/wireguard/wg0.conf. It is rare to need to edit this field; the main reason is for LAN to LAN connections as described here:

 

The "Peer type of access" dropdown affects the values of "AllowedIPs" that are sent to clients. This is a convenience setting only, as the client can change it to whatever they want.

 

If you haven't seen the WireGuard quickstart guide yet, it has a lot of good info:

 


Thanks for your response :)

 

7 hours ago, ljm42 said:

Lots of questions here, maybe this tidbit will help:

 

The "Peer allowed IPs" setting in the interface goes in the server config file /boot/config/wireguard/wg0.conf. It is rare to need to edit this field; the main reason is for LAN to LAN connections as described here:

Ah OK, so it is a setting for the client on the server, and of course this would help in that way.

 

My biggest problem with the WireGuard plugin and the configuration is that I don't understand the peer settings in general.

Is it for the client where I export the configuration, or is it for the client on the server?

 

Quote

The "Peer type of access" dropdown affects the values of "AllowedIPs" that are sent to clients. This is a convenience setting only, as the client can change it to whatever they want.

 

If you haven't seen the WireGuard quickstart guide yet, it has a lot of good info:

 

 

It is really confusing. For example, in the server <-> server configuration I configure the client on the server for connecting to another server. This had me confused the most, because I didn't understand that I configure there something for the client on the server, and the export feature is more or less useless. But still, why is my LAN IP address in the exported configuration when I use the server <-> server configuration?

Also what is confusing me is that I can type a private shared key into the config on the peer in the server <-> server configuration, or generate one.

It is necessary to type in the public key from the second server, and I needed so much time to figure out that this peer configuration is setting up the client on the server and is not needed for exporting.

 

When I use, for example, another configuration, "Remote access to LAN", the settings look exactly the same and I configure the settings for the client (a laptop, for example) which I can export. But there is the problem that when I set other IP addresses in allowed peer IP addresses, nothing gets exported, only the hardcoded addresses. It would be cool if it worked when I type in other allowed IP addresses and they got exported.

 

I think it would be much more understandable if there were 2 different peer configurations: one for creating the client on the server, and one for creating connections for the external clients that will connect. Or maybe I don't understand the concept^^

 

 

Do you have an idea why there is this "pinging" problem I described in my second post? Why does my client need a connection to the gateway of the first tunnel?

To reproduce:

Create 2 tunnels and specify on tunnel 2 a peer configuration, and allow only peer connections to the gateway of tunnel 2.

The ping from the Unraid server to the client will not work; when I add the gateway from tunnel 1 to the configuration, the ping works?

Edited by ryperx

I haven't read the last few pages, so maybe this workaround to access Docker containers has already been posted. I added the following to the iptables on my router.

 

# Inbound: rewrite the fake address to the real Pi-hole container
iptables -t nat -A PREROUTING -d 192.168.20.13 -j DNAT --to 192.168.2.13
# Return path: replies from Pi-hole to WireGuard clients leave with the fake source
iptables -t nat -A POSTROUTING -s 192.168.2.13 -d 10.253.0.0/24 -j SNAT --to 192.168.20.13

192.168.2.13 in this case is my actual Pi-hole Docker container. 192.168.20.13 is a fake private network IP address. You can choose any private IP address that's not actually used on your network. I just chose to turn 2 into 20 for simplicity.

 

Then set your peer DNS in WireGuard to the fake IP address.

 

What happens:

1. When a request comes in on the fake address, Unraid doesn't know where to route it, so it sends it to your default gateway.

2. Your router sees the fake destination, changes it to your real Pi-hole and routes it.

3. Pi-hole responds to the default gateway because it doesn't know where 10.253.0.0/24 is.

4. The router sees the POSTROUTING rule and changes the source IP from Pi-hole to the fake IP, so your device gets the response from the same fake IP it sent the request to.

 

This also means that if you want to go to the admin interface, it's at the fake IP, 192.168.20.13/admin in my case. This should work for all Docker containers; you just have to add entries in iptables for each.

 

Now that I think of it, I should have added -s 10.253.0.0/24 to the PREROUTING rule so it was only rerouting for the WireGuard IPs, but that shouldn't hurt anything.

19 hours ago, ryperx said:

It is really confusing. For example, in the server <-> server configuration I configure the client on the server for connecting to another server.

Rough instructions for server to server: set up WireGuard on one server using the "Server to Server access" option, then download the config file and on the other server choose "Import Tunnel".

 

19 hours ago, ryperx said:

Also what is confusing me is that I can type a private shared key into the config on the peer in the server <-> server configuration, or generate one.

The only private key that Unraid requires is the "Local private key". Entering the "peer private keys" in Unraid is an optional convenience feature so you can completely manage your clients from within the Unraid gui. You are welcome to manage your private keys elsewhere and only provide Unraid with the "peer public keys" if you like.

 

19 hours ago, ryperx said:

why is my LAN IP address in the exported configuration when I use the server <-> server configuration?

So that each server can access the other using the typical IP address that you are used to using. If you want to use the tunnel IP instead you can.

 

19 hours ago, ryperx said:

My biggest problem with the WireGuard plugin and the configuration is that I don't understand the peer settings in general.

Is it for the client where I export the configuration, or is it for the client on the server?

The peer section of the GUI writes some data to the peer portion of the server's /boot/config/wireguard/wg0.conf file, and some data gets exported to the peer config files. Different things are needed in each.

 

Keep in mind that the plugin is a front-end for WireGuard; it simply provides a GUI for putting data into the various config files and then starts the WireGuard tunnels.

 

If you would like to really understand what is going on behind the scenes, you should read through some general "how to set up WireGuard" tutorials; then you'll have a better idea of what each of those config files does (and a better appreciation for the GUI :) )

OK, I will learn more about WireGuard.

6 hours ago, ljm42 said:

So that each server can access the other using the typical IP address that you are used to using. If you want to use the tunnel IP instead you can.

This is the only part that isn't correct, as I understand it: the server <-> server config exports the same settings as the LAN <-> LAN settings.

So in the server <-> server configuration there should be only the IP address of the opposite WireGuard/Unraid server, for example 192.168.1.1/32, and not the opposite LAN 192.168.1.0/24.

 


@ljm42 I have another little problem with the server <-> server connection.

When the connection is established it works fine, and from each server I can ping the opposite server, so both directions work.

 

The problem: after some time one server can't ping the other server; the connection is lost and can't be established from this server. I need to press the ping button on the opposite server and then the tunnel works again (ping from both servers works).

Does anybody have an idea?

14 hours ago, ryperx said:

The problem: after some time one server can't ping the other server; the connection is lost and can't be established from this server. I need to press the ping button on the opposite server and then the tunnel works again (ping from both servers works).

If the connection can only be established from one end, then something is wrong with the other end's peer endpoint host:port setting or the port forward. When everything is working properly, either end should be able to establish the tunnel.

Edited by ljm42
On 5/1/2020 at 1:45 AM, ryperx said:

This is the only part that isn't correct, as I understand it: the server <-> server config exports the same settings as the LAN <-> LAN settings.

So in the server <-> server configuration there should be only the IP address of the opposite WireGuard/Unraid server, for example 192.168.1.1/32, and not the opposite LAN 192.168.1.0/24.

 

I think you are right.

 

@bonienl, can you take a look at the Server to Server option? The peer config file contains the entire LAN:

AllowedIPs=10.253.2.1/32, 192.168.10.0/24

Pretty sure that should just contain the local IP of the server:

AllowedIPs=10.253.2.1/32, 192.168.10.51/32

 

Edited by ljm42
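Added example, not code from the Dynamix plugin: a small parser for the wg-quick style file the plugin writes to /boot/config/wireguard/wg0.conf, plus checks that make two points in this thread concrete. It models ljm42's explanation of what the server-side "Peer allowed IPs" does (inbound, which source addresses the server accepts from a peer; outbound, which destinations it routes to that peer), and it flags the Server to Server entry reported just above, where a LAN /24 appears in a peer's AllowedIPs instead of the single /32 of the other server. The sample config is constructed and its keys are placeholders; every function name is this example's own.

```python
"""Audit [Peer] AllowedIPs in a WireGuard server config (added example)."""
import ipaddress
from typing import Dict, List, Optional, Tuple

Section = Dict[str, str]

# Constructed sample in the plugin's wg-quick INI style; keys are placeholders.
SAMPLE_SERVER_CONF = """\
[Interface]
PrivateKey=SERVER_PRIVATE_KEY_PLACEHOLDER
Address=10.253.2.1/24
ListenPort=51820

[Peer]
# Server to Server peer as the plugin version discussed above exported it
PublicKey=PEER1_PUBLIC_KEY_PLACEHOLDER
AllowedIPs=10.253.2.2/32, 192.168.10.0/24
Endpoint=peer1.example.invalid:51820

[Peer]
# Remote access to server peer: only its tunnel address is allowed
PublicKey=PEER2_PUBLIC_KEY_PLACEHOLDER
AllowedIPs=10.253.2.3/32
"""


def parse_wg_conf(text: str) -> Tuple[Section, List[Section]]:
    """Return (interface, peers); keys are lower-cased, later duplicates win."""
    interface: Section = {}
    peers: List[Section] = []
    current: Optional[Section] = None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and whitespace
        if not line:
            continue
        if line.startswith("[") and line.endswith("]"):
            name = line[1:-1].strip().lower()
            if name == "interface":
                current = interface
            elif name == "peer":
                current = {}
                peers.append(current)
            else:
                raise ValueError(f"unknown section {line}")
            continue
        if current is None or "=" not in line:
            raise ValueError(f"unexpected line {raw!r}")
        key, value = line.split("=", 1)  # base64 keys may end in '='
        current[key.strip().lower()] = value.strip()
    return interface, peers


def allowed_networks(peer: Section) -> list:
    """AllowedIPs of one peer as ipaddress networks (empty if absent)."""
    return [ipaddress.ip_network(item.strip(), strict=False)
            for item in peer.get("allowedips", "").split(",") if item.strip()]


def accepts_source(peer: Section, src: str) -> bool:
    """Inbound cryptokey routing: a decrypted packet from this peer is dropped
    unless its source address lies inside the peer's AllowedIPs."""
    ip = ipaddress.ip_address(src)
    return any(ip in net for net in allowed_networks(peer))


def peer_for_destination(peers: List[Section], dst: str) -> Optional[int]:
    """Outbound cryptokey routing: index of the peer holding the longest
    AllowedIPs prefix that covers dst, or None if no peer claims it."""
    ip = ipaddress.ip_address(dst)
    best: Optional[Tuple[int, int]] = None  # (prefix length, peer index)
    for idx, peer in enumerate(peers):
        for net in allowed_networks(peer):
            if ip in net and (best is None or net.prefixlen > best[0]):
                best = (net.prefixlen, idx)
    return None if best is None else best[1]


def audit_lan_wide_allowed_ips(interface: Section,
                               peers: List[Section]) -> List[Tuple[int, str]]:
    """Flag AllowedIPs entries wider than one host that are not the tunnel
    network itself: such an entry routes every destination in the range to
    the peer and accepts any source in the range from it. For Server to
    Server, a single /32 for the other server is all that is needed."""
    tunnel = ipaddress.ip_network(interface["address"], strict=False)
    findings: List[Tuple[int, str]] = []
    for idx, peer in enumerate(peers):
        for net in allowed_networks(peer):
            if net.prefixlen == net.max_prefixlen or net == tunnel:
                continue
            findings.append((idx, str(net)))
    return findings


if __name__ == "__main__":
    iface, peer_list = parse_wg_conf(SAMPLE_SERVER_CONF)
    for idx, entry in audit_lan_wide_allowed_ips(iface, peer_list):
        print(f"peer {idx}: AllowedIPs {entry} covers more than one host")
```

Note what the server-side entry does not do: it says nothing about which LAN hosts a peer may reach once the server forwards its packets. A remote client that widens AllowedIPs in its own exported config still gets to other LAN addresses through the server, as ryperx observed earlier in the thread; restricting that is a job for the server's firewall, not for this field.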
9 hours ago, ljm42 said:

If the connection can only be established from one end, then something is wrong with the other end's peer endpoint host:port setting or the port forward. When everything is working properly, either end should be able to establish the tunnel.

I found the problem: on the opposite side, ping on the WAN port was disabled, so I think WireGuard needs to ping the WAN IP from the other side and the chosen UDP port to work.

On 5/3/2020 at 1:52 AM, ryperx said:

I found the problem: on the opposite side, ping on the WAN port was disabled, so I think WireGuard needs to ping the WAN IP from the other side and the chosen UDP port to work.

The Ping buttons are not part of normal operation; they are just there to aid in troubleshooting. Although, as you said, they can fail for reasons not related to WireGuard.

 

If the tunnel has dropped it should start automatically whenever either side tries to access a remote resource. If it can only be started from one end, then you need to check the peer endpoint settings and port forwards for the other end.


Goal: connect the networks so that an Xbox at another location can see (as if it were on the same LAN) my Unraid Minecraft server.

 

Issue: the Xbox One version of Minecraft can only see servers run by individuals on the same LAN, not via entering a remote server address. Our extended family member only has the Xbox version of Minecraft.

 

Current setup: both locations have their own Unraid server with WireGuard set up so that I can initiate WireGuard from a phone or a PC at both. However, I can't seem to figure out how to set it up so that:

 

1. the two Unraid servers connect directly and are set up as one LAN

2. the remote Xbox can see the Minecraft server as if it were on the LAN. Does it need to be on the same IP domain?

 

Edited by dubbly

WireGuard as such is running perfectly on Unraid. I can access my Bitwarden container, which for now still runs on my old NAS; I can access the old NAS and my router.

 

I installed Nextcloud on my Unraid. But when I use my Android phone to connect to Nextcloud via WireGuard, it says it can't find the server.

I have WireGuard set up as remote tunneled access.

 

When I start OpenVPN (which runs on my pfSense box) and do the same, it works. I'm trying to replace OpenVPN with WireGuard and leave OpenVPN as a second option just in case.

9 hours ago, KoNeko said:

WireGuard as such is running perfectly on Unraid. I can access my Bitwarden container, which for now still runs on my old NAS; I can access the old NAS and my router.

 

I installed Nextcloud on my Unraid. But when I use my Android phone to connect to Nextcloud via WireGuard, it says it can't find the server.

I have WireGuard set up as remote tunneled access.

 

When I start OpenVPN (which runs on my pfSense box) and do the same, it works. I'm trying to replace OpenVPN with WireGuard and leave OpenVPN as a second option just in case.

If you are sure the tunnel is up and running, then it is most likely a DNS resolution issue. By default, the DNS on your LAN is not exported to the WireGuard tunnel. You can try filling in the "Peer DNS server" field with your network's DNS server. I haven't done much with this, though.

On 5/16/2020 at 9:31 AM, dubbly said:

Goal: connect the networks so that an Xbox at another location can see (as if it were on the same LAN) my Unraid Minecraft server.

 

Issue: the Xbox One version of Minecraft can only see servers run by individuals on the same LAN, not via entering a remote server address. Our extended family member only has the Xbox version of Minecraft.

 

Current setup: both locations have their own Unraid server with WireGuard set up so that I can initiate WireGuard from a phone or a PC at both. However, I can't seem to figure out how to set it up so that:

 

1. the two Unraid servers connect directly and are set up as one LAN

2. the remote Xbox can see the Minecraft server as if it were on the LAN. Does it need to be on the same IP domain?

 

LAN to LAN connections are possible:  

 

However, this does not merge the two LANs into one, it creates a tunnel to pass the traffic between them.

 

There is no way to give the Xbox an IP address on the tunnel unless you can run the WireGuard client on the Xbox. I doubt that is possible.


Why would this work great on my Android phone but not on my Windows 10 laptop?

It was super easy to get the plugin installed and set up. Within minutes, my Android phone was working perfectly, connected through LTE and WireGuard to my home network. Surprised at how shockingly easy it was, I set it up on my Windows 10 laptop. I disconnect my phone from WireGuard, set up a hotspot to share my LTE connection with my laptop, and connect. My laptop works as expected without WireGuard, but when I connect through the VPN, I never get access to my home network. Some ideas from other places didn't work. 4 hours later and I must be missing something. Any ideas for me to try?

23 hours ago, ljm42 said:

If you are sure the tunnel is up and running, then it is most likely a DNS resolution issue. By default, the DNS on your LAN is not exported to the WireGuard tunnel. You can try filling in the "Peer DNS server" field with your network's DNS server. I haven't done much with this, though.

I did fill in my DNS IP in the peer DNS server field.


Is there still no possibility to route only specific Docker traffic through a WireGuard connection? I really only need WireGuard for my ruTorrent traffic, but when enabling WireGuard using my mullvad.net provider, the VPN screws up the networking of a lot of my other containers, like Plex, LMS and Home Assistant. If not, is this something that someone is working on?

On 5/21/2020 at 10:54 PM, ljm42 said:

If you are sure the tunnel is up and running, then it is most likely a DNS resolution issue. By default, the DNS on your LAN is not exported to the WireGuard tunnel. You can try filling in the "Peer DNS server" field with your network's DNS server. I haven't done much with this, though.

I always use the IP address to access anything on my network, not the DNS name. So the router is 192.168.X.X, the other NAS is also on it, and the Unraid server has an IP. Everything on my network is also reachable via the hostnames I made, like router.home and unraid.home etc.

 

But everything running on Unraid/Docker (think VMs too, didn't try that yet) with custom IPs on the Docker containers I can't access via WireGuard.

When I start OpenVPN I can access everything on my network, even the custom IPs on my Unraid Docker containers.

-----

 

I'm using Remote Tunneled access.

 

Did some reading and saw I had to set "Host access to custom networks" to Enabled; I did that.

I had to add a static route on my router (pfSense). Remark: Docker containers on custom networks need static routing 10.253.0.0/24 to 192.168.1.60. I did that.

(It's currently disabled because it isn't working.)

I also had to add the gateway on my pfSense, which I did, or I could not create this static route.

 

Also had to set "Local server uses NAT" in WireGuard to No, which I also did.

 

Deactivated WireGuard and enabled it again. Tried it on my phone on 4G. No internet at all and no network access.

 

To get it working again I had to revert everything to the last state.

 

I'm at a loss on how to fix it.
