Dynamix WireGuard VPN


bonienl


Same issue with docker access. Screenshot of my router with the static route for WireGuard.

root@nas-mass:~# ip route
default via 192.168.1.1 dev br0 
10.253.0.2 dev wg0 scope link 
172.17.0.0/16 dev docker0 proto kernel scope link src 172.17.0.1 
172.31.200.0/24 dev br-6340e4198bc5 proto kernel scope link src 172.31.200.1 linkdown 
192.168.1.0/24 dev br0 proto kernel scope link src 192.168.1.99 metric 1 
192.168.122.0/24 dev virbr0 proto kernel scope link src 192.168.122.1 linkdown 

Not sure what I'm missing. NAT disabled in wg config. I tried adding the static route a couple of other ways too with no luck.

Docker network is all 192.168.1.x, same as the gateway and the other devices getting DHCP from the gateway.

 

Also see the route in the wireguard config.

Address=10.253.0.1
ListenPort=51821
PostUp=logger -t wireguard 'Tunnel WireGuard-wg0 started';/usr/local/emhttp/webGui/scripts/update_services
PostDown=logger -t wireguard 'Tunnel WireGuard-wg0 stopped';/usr/local/emhttp/webGui/scripts/update_services
PostUp=ip -4 route flush table 200
PostUp=ip -4 route add default via 10.253.0.1 dev wg0 table 200
PostUp=ip -4 route add 192.168.1.0/24 via 192.168.1.1 dev br0 table 200
PostDown=ip -4 route flush table 200
PostDown=ip -4 route add unreachable default table 200
PostDown=ip -4 route add 192.168.1.0/24 via 192.168.1.1 dev br0 table 200

 

Edited by Bushibot
On 11/19/2023 at 3:43 PM, Bushibot said:

Same issue with docker access. Screenshot of my router with the static route for WireGuard.

So the answer is this is all correct BUT 

In the Docker config you need to enable "Host access to custom networks": Settings, Docker, set Enable to No to bring down hosts, turn off advanced config.

Which is documented here, off the beaten path of the main config. There are MANY Reddit and other posts asking this question.

Edited by Bushibot
On 4/17/2022 at 5:16 AM, JackieWu said:

@ax77 Not a problem, thanks for the response.

I somehow "solved" my problem; now I can access my docker container with a custom static IP address in the complex network (WireGuard no NAT, "Remote tunneled access" mode, "Host access to custom networks" enabled). The key is adding a static route to every device (docker container or computer) you want to access.

For example, in the complex network, suppose you have an Emby container with a static IP address. If you want to access the Emby web UI, you should open the container's Console window in the Unraid DOCKER tab and enter the command line below (10.10.10.3 is my Unraid IP address and you should replace it with yours):

ip route add 10.253.0.0/24 via 10.10.10.3

and that's it; after adding the static route to the container, you can now access your Emby container's web UI.

But there are some limitations:

  • After restarting the container, the static route disappears, so unfortunately you have to add it again every time you restart your container (but there is a way to get through this, see below).
  • Not every container has the "ip" command; for example, linuxserver's jellyfin image does not include the "ip" command in its docker image, so I had to install "ip" first (like "apt update && apt install iproute2") and then add the static route.

Fortunately, if you are using a LinuxServer docker image, there is a way to reduce those troubles, as linuxserver.io said

So you can simply go to the custom-cont-init.d folder (in the docker container or the host-mapped path) and create a bash script to add the static route like this:

#!/bin/bash
# return route for the WireGuard tunnel subnet, via the Unraid host
ip route add 10.253.0.0/24 via 10.10.10.3

If the container does not have the "ip" command:

#!/bin/bash
# install iproute2 first, then add the same return route
apt update && apt install -y iproute2 && ip route add 10.253.0.0/24 via 10.10.10.3

And now the static route persists even after restarting the container.

So that's all; this is the way I got around it. It's not a perfect method, but at least I can access my container with a static IP address now. I hope someone can solve this problem perfectly some day.

(Sorry for my English, it's not my native language.)


THANK YOU! This is exactly what I needed to be able to access a Pi-Hole container on a custom IP. In my case, the container kept the added route so I didn't have to do anything else after doing

ip route add 10.253.0.0/24 via 192.168.0.x

to persist it.
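The custom-cont-init.d approach JackieWu describes, as an added example written for this thread rather than taken from linuxserver.io or any post: it installs iproute2 only when the image lacks "ip", handles both apt and apk based images, uses "ip route replace" so a second run does not fail, and verifies the route afterwards. It assumes the values from the post (10.253.0.0/24 via 10.10.10.3) and that the script runs as root at container start, which is how custom-cont-init.d scripts are executed.

```shell
#!/bin/sh
# Added example for /custom-cont-init.d/ in a LinuxServer-based container.
# Not linuxserver.io's or JackieWu's script. Values from the thread:
TUNNEL_NET="${TUNNEL_NET:-10.253.0.0/24}"   # WireGuard tunnel subnet
UNRAID_IP="${UNRAID_IP:-10.10.10.3}"        # Unraid LAN address (replace)

# Which package manager the image ships, so Debian/Ubuntu (apt) and
# Alpine (apk) based images are both handled.
pick_pkg_manager() {
    if command -v apt-get >/dev/null 2>&1; then echo apt
    elif command -v apk >/dev/null 2>&1; then echo apk
    else echo none
    fi
}

# Install iproute2 only when the "ip" binary is missing.
ensure_ip_cmd() {
    command -v ip >/dev/null 2>&1 && return 0
    case "$(pick_pkg_manager)" in
        apt) apt-get update -qq && apt-get install -y -qq iproute2 ;;
        apk) apk add --no-cache iproute2 ;;
        *)   echo "no package manager found, cannot install iproute2" >&2; return 1 ;;
    esac
}

# "replace" rather than "add": a re-run does not fail with "File exists".
add_tunnel_route() {
    ip route replace "$TUNNEL_NET" via "$UNRAID_IP"
}

# Confirm the kernel really sends tunnel addresses through the Unraid host.
verify_tunnel_route() {
    ip route get "${TUNNEL_NET%/*}" | grep -q "via $UNRAID_IP"
}

main() {
    ensure_ip_cmd && add_tunnel_route && verify_tunnel_route \
        && echo "route to $TUNNEL_NET via $UNRAID_IP installed"
}

# Only act inside a container that has the init directory; elsewhere the
# functions are merely defined (handy for testing).
if [ -d /custom-cont-init.d ]; then main; fi
```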


Am I right that the original instructions for docker IP access, as quoted below, are no good anymore with the later Unraid release:


This is achieved by adding the tunnel endpoint subnet to the gateway (router) which provides the regular access to remote destinations.

 

By default Unraid uses the 10.253.x.x/16 subnet for tunnel endpoint assignments. This subnet needs to be added to the router and points to the LAN (eth0) address of the Unraid server.

 

Below is an example of static routes added to a Ubiquiti router (other brands should offer something similar).

 

It is also needed to disable the "Local Server uses NAT" setting (switch on advanced view).


Thanks for the plugin. I have WireGuard VPN working well and can access my server, my dockers, my dockers on different IPs and my LAN.

My setup is as follows

Wireguard
  • Local tunnel network pool 10.2.253.0.0/24
  • Local access tunnel address: 10.253.0.1
  • Local endpoint: my fixed IP address of my WAN
  • Local server uses NAT: No

Local Network / Unifi
  • 192.168.1.0/24 (DHCP range .10 - .199)
  • Unraid IP address 192.168.1.173
  • Static route for WireGuard VPN: Destination Network 10.253.0.0/24, Next Hop: 192.168.1.173

Unraid Docker
  • Docker custom network type: ipvlan
  • Host access to custom networks: enabled
  • A container running the borg backup server; it uses the custom br0 network with fixed IP address 192.168.1.201

 

I am able to access my server, my bridge docker containers via server_ip:port and also I'm able to access my dockers on fixed IP address as well 🙂

 

QUESTION: How do I restrict a WireGuard client to only one IP address (or docker) on my network?

I want to set up a server-to-server tunnel with my brother's server using WireGuard. I want to limit access so that my brother can only access 192.168.1.201 (the borgbackup server container) and nothing else. I'm not sure of the best way to make that happen: whether it is something I can set up in WireGuard, or if I have to set up some kind of firewall in Unifi, and if so how do I go about doing that?

Basically I want my brother to be able to SSH to my borgserver container only (borgserver uses SSH to communicate to make backups).

 

Thanks

Edited by kiwijunglist

Additionally I tried to use "Local tunnel firewall:" in the unraid wireguard vpn settings page, but it didn't do anything.

 

I know I could always just change Allowed IPs in the wireguard client settings, but that is not very secure as the client could just change that setting themselves.

On 4/13/2024 at 3:29 AM, kiwijunglist said:

Additionally I tried to use "Local tunnel firewall:" in the unraid wireguard vpn settings page, but it didn't do anything.

 

Keep playing with this, it should do what you want. The only other option is to change the IP in the client config but as you said it is not exactly secure.

 

If you can't get it to work, try hosting VPN on your Unifi device instead. 
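One way to get the restriction kiwijunglist is asking about, as an added example that is neither the plugin's "Local tunnel firewall" code nor anything posted above: because the peer's AllowedIPs in the server-side config pins its tunnel address to its key, the Unraid host can filter on that source address with iptables, and that is something the client cannot change from its own config. It assumes the peer's tunnel address is 10.253.0.2, the tunnel interface is wg0 and the borgbackup container is 192.168.1.201 (from the post); the rules are emitted as text first so they can be reviewed before applying.

```shell
#!/bin/sh
# Added example, not part of the Dynamix WireGuard plugin. Assumed values:
WG_IF=wg0                 # tunnel interface on the Unraid host
PEER_IP=10.253.0.2        # tunnel address of the restricted peer (assumed)
TARGET_IP=192.168.1.201   # borgbackup container (from the post)
TARGET_PORT=22            # borg talks over SSH
CHAIN=WG_PEER_BORG        # dedicated chain so the rules are easy to audit

# Print the iptables commands instead of running them, so they can be
# reviewed first; apply_peer_rules pipes them to a shell. Traffic from the
# peer that is not SSH to the container is dropped, and the Unraid host
# itself (INPUT) is closed to the peer as well. Return traffic leaves via
# "-o wg0" and never enters this chain, so existing forwarding keeps working.
peer_rules() {
    cat <<EOF
iptables -N $CHAIN
iptables -A $CHAIN -d $TARGET_IP -p tcp --dport $TARGET_PORT -j ACCEPT
iptables -A $CHAIN -j DROP
iptables -I FORWARD 1 -i $WG_IF -s $PEER_IP -j $CHAIN
iptables -I INPUT 1 -i $WG_IF -s $PEER_IP -j DROP
EOF
}

# Apply the reviewed rules (run as root on the Unraid host).
apply_peer_rules() {
    peer_rules | sh -e
}

# Undo everything this example added.
remove_peer_rules() {
    iptables -D FORWARD -i "$WG_IF" -s "$PEER_IP" -j "$CHAIN"
    iptables -D INPUT -i "$WG_IF" -s "$PEER_IP" -j DROP
    iptables -F "$CHAIN" && iptables -X "$CHAIN"
}
```

After applying, `iptables -L WG_PEER_BORG -n -v` shows per-rule packet counters, so any attempt by the peer to reach something other than SSH on the container shows up on the DROP line.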
