Dynamix WireGuard VPN


bonienl


Warning for those of you who live on the edge of iOS updates and loaded the iOS 15 beta.

 

From what I can tell, WireGuard VPNs don't presently work. I was able to get my backup VPN, which is a simple L2TP connection, working - but WireGuard is dead in the water.

 

I did attempt to reprovision via QR code, but I think this is an issue outside of all of us.


On 5/14/2021 at 12:57 PM, Xaero said:

So I'm trying to set up something slightly more "advanced" in terms of firewalling for the VPN.

I have two tunnels configured, one which is only me, and I don't actively use this tunnel intentionally. It's my backup way in.
My second tunnel is where all of my actual endpoint users connect. Ideally, I want them to have access to:
10.253.0.1 (Unraid on the Wireguard side), 192.168.252.72 (Unraid on the local LAN side), 192.168.252.254 (Local DNS) and no other local IP addresses.
How can I set this up with a blacklist or whitelist? Currently I'm whitelisting the above addresses, but with 0.0.0.0/0 and ::0 in their peer configs, and DNS pointing to 192.168.252.254 the result is they have access to my server, and my DNS - but nothing else on the internet.

If I switch to blacklist, I'd have to blacklist each individual IP address (from what I can gather) from 192.168.252.1 - 192.168.252.72 and then from .73 to .253. And then I'd have to repeat that for the wireguard subnet.

Is there a simpler way to implement this type of access restriction that I'm overlooking?

Does anyone have any input on this?
I'm not super familiar with iptables and such, but this seems like the only way to approach it?

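One way to get the whitelist asked for above without enumerating every LAN address, as an added example that is not from the thread: a dedicated iptables chain that accepts only the three destinations listed in the post, drops every other private destination, and leaves Internet-bound traffic to the plugin's existing NAT rules. The interface name wg1 and the tunnel subnet are hypothetical; the three addresses are the ones from the post. The script only prints the commands unless called with --apply, so it can be reviewed first.

```shell
#!/bin/sh
# Added example, not from the thread: render (and optionally apply) an
# iptables whitelist so peers on one WireGuard tunnel reach only three
# local addresses. Hypothetical assumptions: the user tunnel interface is
# wg1, and the Unraid plugin's own PostUp rules are already in place (the
# whitelist chain is inserted ahead of them).
WG_IF="${WG_IF:-wg1}"
CHAIN="WG_RESTRICT"
# Addresses that belong to the Unraid host itself (seen in the INPUT chain)
HOST_ALLOW="10.253.0.1 192.168.252.72"
# Addresses elsewhere on the LAN (seen in the FORWARD chain)
LAN_ALLOW="192.168.252.254"
# Every other private destination is dropped; Internet-bound traffic from
# peers that route 0.0.0.0/0 falls through to the existing rules
PRIVATE_NETS="10.0.0.0/8 172.16.0.0/12 192.168.0.0/16"

# Print one iptables command per line. Nothing is executed here.
render_rules() {
    echo "iptables -N $CHAIN"
    # Replies to flows the whitelist already accepted
    echo "iptables -A $CHAIN -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT"
    for dst in $HOST_ALLOW $LAN_ALLOW; do
        echo "iptables -A $CHAIN -d $dst -j ACCEPT"
    done
    for net in $PRIVATE_NETS; do
        echo "iptables -A $CHAIN -d $net -j DROP"
    done
    # Non-private destinations return to the normal INPUT/FORWARD processing
    echo "iptables -A $CHAIN -j RETURN"
    # Position 1 so the chain runs before any ACCEPT the plugin added
    echo "iptables -I INPUT 1 -i $WG_IF -j $CHAIN"
    echo "iptables -I FORWARD 1 -i $WG_IF -j $CHAIN"
}

# Number of commands the whitelist consists of (sanity check for the dry run)
rule_count() {
    render_rules | wc -l | tr -d ' '
}

# Undo: remove the jumps, then flush and delete the chain
render_teardown() {
    echo "iptables -D INPUT -i $WG_IF -j $CHAIN"
    echo "iptables -D FORWARD -i $WG_IF -j $CHAIN"
    echo "iptables -F $CHAIN"
    echo "iptables -X $CHAIN"
}

case "${1:-}" in
    --apply)    render_rules | sh ;;
    --teardown) render_teardown | sh ;;
    *)          render_rules ;;   # dry run: show what would be applied
esac
```

Because the chain is keyed on the incoming interface, the backup tunnel on its own interface is unaffected. The same commands can be placed in the tunnel's PostUp field so they are re-applied whenever the tunnel comes up; run the teardown before changing the allowed addresses so stale rules do not accumulate.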

As of WireGuard App version 1.0.13 (24), iOS/iPadOS 15 and macOS Monterey now work properly. If you did NOT remove your configuration, it's an in-place update and things will work. Otherwise, import your tunnels from QR code or archive and you'll be good to go!


I'm having some trouble accessing my docker containers when I connect to Unraid through WireGuard. I'm using an iOS device to test this. I can access the Unraid web GUI with https (randomcharacters.unraid.net:8443) or http (192.168.1.x:8443). I use a reverse proxy to access various docker containers (dockercontainer.mysubdomain.duckdns.org). This works when I'm directly connected to my local network, but not over WireGuard. I've tried following many of the steps in the Quickstart post but it hasn't worked (or I haven't done it correctly). Any ideas on how I can fix this?

 

Here are some additional details on what I've tried:

 

  • My router is configured to provide my Pihole IP address as the DNS server. Pihole has a custom IP address (192.168.1.x) Pihole connects to dnscrypt proxy docker container on Unraid which connects to an external DNS. Pihole itself is a docker container.
  • Unraid itself is configured to NOT use Pihole as the DNS server and instead use an external DNS.
  • I added a static route to my router: network destination 10.253.0.0 (local tunnel network pool for WireGuard), subnet mask 255.255.255.0, default gateway 192.168.1.x (Unraid local IP)
  • I cannot access the Pihole web GUI over Wireguard. Works fine over local network.
  • I have tried "Remote tunnel access" and "Remote access to LAN" peer types
  • I have set "Local server uses NAT" to Yes and "Host access to custom networks" to disabled. I've also tried setting these to No and enabled respectively.
Edited by Fizz

I need my "Remote tunneled access" to use eth1 as the route in PostUp. Currently it tries to use the unplugged eth0, and the configuration changes even if I download/edit/import.


The GUI uses eth0 as the management port; this cannot be changed.

 

WireGuard relies on routing to select the outgoing interface for the tunnel. Normally this is the default gateway (eth0).

 


I've been trying to set up a tunnel to my other house's network. I've successfully set up the tunnel and I'm able to access my remote SMB on Unraid. Right now I'm still unable to connect to the remote IP range (192.168.0.0/24) from my own PC and docker containers in br0.

 

What works:
1. Unraid -> Mount Remote SMB Share via Unassigned Device

traceroute to 192.168.0.1 (192.168.0.1), 30 hops max, 60 byte packets
 1  172.27.66.1 (172.27.66.1)  2.749 ms  2.742 ms  2.854 ms
 2  * * *
 3  192.168.0.1 (192.168.0.1)  3.642 ms  3.596 ms  3.595 ms

 

2. Docker not on br0 -> Able to ping 192.168.0.1

 

What doesn't work:

1. My PC 192.168.1.34 -> Unable to Ping 192.168.0.1

Tracing route to 192.168.0.1 over a maximum of 30 hops

  1     1 ms     1 ms     2 ms  [192.168.1.1]
  2     2 ms     1 ms     1 ms  [192.168.1.3]
  3     *        *        *     Request timed out.

 

2. Docker code-server 192.168.1.7 (br0) -> Unable to Ping 192.168.0.1

Below is my configuration
Local:

Router 192.168.1.1

 - Static route 192.168.0.0/24 to 192.168.1.3

Unraid 192.168.1.3 (using one ethernet port, eth0, to the router)

 - Wireguard: Set to "VPN tunnelled access" mode

 - Docker: "Host access to custom networks" is set to on

Local Wireguard IP 172.27.66.4

 

Wireguard Subnet 172.27.66.0/24


Remote:

Router 192.168.0.1

Remote Wireguard IP 172.27.66.1

Wireguard: 

 - Hosted on RPi4 using homeassistant/wireguard (Should be in "Remote tunneled access" mode)


What I observed is that the Unraid routing table is not routing my traffic to the wg2 interface.

I would like to know what changes should be made for my PC to be able to connect to the remote subnet.

 

Thanks

On 7/10/2021 at 6:27 PM, bjun626 said:

I've been trying to set up a tunnel to my other house's network. I've successfully set up the tunnel and I'm able to access my remote SMB on Unraid. Right now I'm still unable to connect to the remote IP range (192.168.0.0/24) from my own PC and docker containers in br0.

 

This is rather complex, I won't be able to give exact steps but hopefully these pointers will help:

On 7/14/2021 at 2:41 AM, ljm42 said:

 

This is rather complex, I won't be able to give exact steps but hopefully these pointers will help:

 

You're correct, the "peers.allowed_ips" are wrong on my remote side. As I'm using the Home Assistant WireGuard add-on, I have to manually add another field in its YAML configuration:
 -  allowed_ips:
      - 172.27.66.0/24
      - 192.168.1.0/24

The reason I'm using the VPN tunneled access mode is because I'm trying to access 192.168.0.0/24 from 192.168.1.0/24 and not the other way round. LAN to LAN also works for me.

 

Thanks

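The failure described in the site-to-site post above, and the allowed_ips fix that resolved it, come down to WireGuard's cryptokey routing: a packet enters the tunnel only if some peer's AllowedIPs covers its destination, and a packet arriving from a peer is accepted only if that peer's AllowedIPs covers its source. The following added example (not code from the thread or from either WireGuard implementation) models that rule for the two endpoints and shows why the Unraid host itself could reach 192.168.0.1 while a PC on 192.168.1.0/24 could not until the remote side listed that LAN. The addresses are the ones from the posts; the peer names "unraid" and "rpi" are made up, and the router's static route and the plugin's forwarding are assumed to be in place as the post describes.

```python
"""Added example, not part of the thread: a minimal model of WireGuard's
cryptokey routing (AllowedIPs acts as both route and inbound ACL), used to
reproduce the site-to-site failure and the allowed_ips fix.  Addresses come
from the posts; the peer names are made up."""
import ipaddress
from dataclasses import dataclass


def nets(*cidrs):
    return [ipaddress.ip_network(c) for c in cidrs]


@dataclass
class Peer:
    name: str
    allowed_ips: list  # list of IPv4Network


@dataclass
class WgHost:
    name: str
    peers: list  # list of Peer

    def peer_by_name(self, name):
        return next(p for p in self.peers if p.name == name)

    def outbound_peer(self, dst):
        """Longest-prefix match of dst against every peer's AllowedIPs;
        None means the packet is not sent into the tunnel at all."""
        dst = ipaddress.ip_address(dst)
        best = None
        for peer in self.peers:
            for net in peer.allowed_ips:
                if dst in net and (best is None or net.prefixlen > best[1].prefixlen):
                    best = (peer, net)
        return best[0] if best else None

    def accepts(self, peer, src):
        """Inbound check: the source must sit inside the sending peer's AllowedIPs."""
        return any(ipaddress.ip_address(src) in net for net in peer.allowed_ips)


def simulate(sender, receiver, src, dst):
    """Trace a src->dst packet and its reply across the tunnel.
    Returns (ok, explanation) so the failing step is visible."""
    out = sender.outbound_peer(dst)
    if out is None or out.name != receiver.name:
        return False, f"{sender.name}: no AllowedIPs entry for {dst}, packet stays local"
    if not receiver.accepts(receiver.peer_by_name(sender.name), src):
        return False, (f"{receiver.name}: dropped on arrival, source {src} is outside "
                       f"the AllowedIPs configured for peer {sender.name}")
    back = receiver.outbound_peer(src)
    if back is None or back.name != sender.name:
        return False, f"{receiver.name}: no AllowedIPs entry for the reply to {src}"
    if not sender.accepts(sender.peer_by_name(receiver.name), dst):
        return False, f"{sender.name}: reply from {dst} dropped on arrival"
    return True, "both directions permitted"


# Unraid side: local LAN 192.168.1.0/24, tunnel address 172.27.66.4,
# remote LAN already listed for the rpi peer
UNRAID = WgHost("unraid", [Peer("rpi", nets("172.27.66.0/24", "192.168.0.0/24"))])
# RPi side as first configured: only the tunnel subnet is allowed
RPI_BEFORE = WgHost("rpi", [Peer("unraid", nets("172.27.66.0/24"))])
# RPi side after adding the Unraid LAN to allowed_ips
RPI_AFTER = WgHost("rpi", [Peer("unraid", nets("172.27.66.0/24", "192.168.1.0/24"))])

if __name__ == "__main__":
    cases = [
        ("Unraid itself -> remote router", UNRAID, RPI_BEFORE, "172.27.66.4", "192.168.0.1"),
        ("PC on LAN -> remote router (before)", UNRAID, RPI_BEFORE, "192.168.1.34", "192.168.0.1"),
        ("PC on LAN -> remote router (after)", UNRAID, RPI_AFTER, "192.168.1.34", "192.168.0.1"),
    ]
    for label, a, b, s, d in cases:
        ok, why = simulate(a, b, s, d)
        print(f"{label}: {'OK' if ok else 'FAIL'} - {why}")
```

The middle case is the one the traceroute in the post shows: the packet leaves Unraid for the tunnel, but the far end silently drops it because 192.168.1.34 is not in the AllowedIPs for the Unraid peer, so the third hop times out. The model ignores the LAN routing and NAT settings, which also have to be right, but it isolates the check that the allowed_ips change fixed.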

I'm looking for a solution to connect to my Offsite-Backupserver. I want my whole LAN to have access to the Backupserver, but only the Backupserver having access to my LAN. Sort of a "Server to LAN access".

 

Is this possible, and what would the steps be?

 

Thanks! 🙂

Edited by Turnspit
