Dynamix WireGuard VPN


bonienl

Recommended Posts

Warning for those of you who live on the edge of iOS updates and loaded the iOS 15 beta.

 

From what I can tell, WireGuard VPNs don't presently work. I was able to get my backup VPN, which is a simple L2TP connection, working - but WireGuard is dead in the water.

 

I did attempt to reprovision via QR code, but I think this is an issue outside of all of us.

Link to comment
On 5/14/2021 at 12:57 PM, Xaero said:

So I'm trying to set up something slightly more "advanced" in terms of firewalling for the VPN.

I have two tunnels configured, one which is only me, and I don't actively use this tunnel intentionally. It's my backup way in.
My second tunnel is where all of my actual endpoint users connect. Ideally, I want them to have access to:
10.253.0.1 (Unraid on the Wireguard side), 192.168.252.72 (Unraid on the local LAN side), 192.168.252.254 (Local DNS) and no other local IP addresses.
How can I set this up with a blacklist or whitelist? Currently I'm whitelisting the above addresses, but with 0.0.0.0/0 and ::0 in their peer configs, and DNS pointing to 192.168.252.254 the result is they have access to my server, and my DNS - but nothing else on the internet.

If I switch to blacklist, I'd have to blacklist each individual IP address (from what I can gather) from 192.168.252.1 - 192.168.252.72 and then from .73 to .253. And then I'd have to repeat that for the wireguard subnet.

Is there a simpler way to implement this type of access restriction that I'm overlooking?

Does anyone have any input on this?
Not super familiar with iptables and such; but this seems like the only way to approach it?

Link to comment

As of Wireguard App version: 1.0.13 (24) - iOS/iPadOS 15 and macOS Monterey now work properly. If you did NOT remove your configuration, it's an in place update and things will work. Otherwise import your tunnels from QR Code or Archive and you'll be good to go!

Link to comment

I'm having some trouble accessing my docker containers when I connect to Unraid through Wireguard. I'm using an IOS device to test this. I can access the Unraid web gui with https (randomcharacters.unraid.net:8443) or http (192.168.1.x:8443). I use a reverse proxy to access various docker containers (dockercontainer.mysubdomain.duckdns.org). This works when I'm directly connected to my local network, but not over Wireguard. I've tried following many of the steps in the Quickstart post but it hasn't worked (or I haven't done it correctly). Any ideas on how I can fix this?

 

Here are some additional details on what I've tried:

 

  • My router is configured to provide my Pihole IP address as the DNS server. Pihole has a custom IP address (192.168.1.x) Pihole connects to dnscrypt proxy docker container on Unraid which connects to an external DNS. Pihole itself is a docker container.
  • Unraid itself is configured to NOT use Pihole as the DNS server and instead use an external DNS.
  • I added a static route to my router--Network destination: 10.253.0.0 (local tunnel network pool for Wireguard), subnet mask 255.255.255.0, default gateway: 192.168.1.x (unraid local IP)
  • I cannot access the Pihole web GUI over Wireguard. Works fine over local network.
  • I have tried "Remote tunnel access" and "Remote access to LAN" peer types
  • I have set "Local server uses NAT" to Yes and "Host access to custom networks" to disabled. I've also tried setting these to No and enabled respectively.
Edited by Fizz
Link to comment
  • 2 weeks later...
  • 2 weeks later...

I've been trying to setup a tunnel to my other house's network. I've successfully setup to tunnel and I'm able to access my remote SMB on unraid. Right now I'm still unable to connect to the remote IP(192.168.0.0/24) from my own PC and docker containers in br0.

 

What works:
1. Unraid -> Mount Remote SMB Share via Unassigned Device

traceroute to 192.168.0.1 (192.168.0.1), 30 hops max, 60 byte packets
 1  172.27.66.1 (172.27.66.1)  2.749 ms  2.742 ms  2.854 ms
 2  * * *
 3  192.168.0.1 (192.168.0.1)  3.642 ms  3.596 ms  3.595 ms

 

2. Docker not on br0 -> Able to ping 192.168.0.1

 

What doesn't work:

1. My PC 192.168.1.34 -> Unable to Ping 192.168.0.1

Tracing route to 192.168.0.1 over a maximum of 30 hops

  1     1 ms     1 ms     2 ms  [192.168.1.1]
  2     2 ms     1 ms     1 ms  [192.168.1.3]
  3     *        *        *     Request timed out.

 

2. Docker code-server 192.168.1.7 (br0) -> Unable to Ping 192.168.0.1

 



Below is my configuration
Local:

Router 192.168.1.1

 - Static route 192.168.0.0/24 to 192.168.1.3

Unraid 192.168.1.3 (Using one one ethernet eth0 to router)

 - Wireguard: Set to "VPN tunnelled access" mode

 - Docker: "Host access to custom networks" is set to on

Local Wireguard IP 172.27.66.4

 

Wireguard Subnet 172.27.66.0/24


Remote:

Router 192.168.0.1

Remote Wireguard IP 172.27.66.1

Wireguard: 

 - Hosted on RPi4 using homeassistant/wireguard (Should be in "Remote tunneled access" mode)

 

diagram.jpg.9fde766757fe1fd9df0e1eb46892cf98.thumb.jpg.b5f6fdba0a6d15ffaa1c2812b2123435.jpg

 

 

 

What I observed is that unraid routing table is not routing my traffic to wg2 interface.

Would like to know what changes should be done for my PC to able to connect to the remote subnet.

 

Thanks

Link to comment
On 7/10/2021 at 6:27 PM, bjun626 said:

I've been trying to setup a tunnel to my other house's network. I've successfully setup to tunnel and I'm able to access my remote SMB on unraid. Right now I'm still unable to connect to the remote IP(192.168.0.0/24) from my own PC and docker containers in br0.

 

This is rather complex, I won't be able to give exact steps but hopefully these pointers will help:

Link to comment
On 7/14/2021 at 2:41 AM, ljm42 said:

 

This is rather complex, I won't be able to give exact steps but hopefully these pointers will help:

 

You're correct the "peers.allowed_ips" are wrong on my remote side.  As I'm using home assistant wireguard, so I have to manually add another field in its yaml configuration
 -  allowed_ips:
      - 172.27.66.0/24
      - 192.168.1.0/24

The reason I'm using the VPN tunneled access is because I'm trying to access from 192.168.1.0/24 to 192.168.0.0/24 and not the other way round. LAN to LAN also work for me.

 

Thanks

  • Like 1
Link to comment
  • 2 weeks later...

I'm looking for a solution to connect to my Offsite-Backupserver. I want my whole LAN to have access to the Backupserver, but only the Backupserver having access to my LAN. Sort of a "Server to LAN access".

 

Is this possible, and what would the steps be?

 

Thanks! 🙂

Edited by Turnspit
Link to comment
  • 2 weeks later...

Hello - installed this plugin and it is working fine - Thanks for the work.

 

I am not super knowledgeable regarding networking - but I am using the remote access to LAN as shown below, followed the steps laid out in the very detailed write up, and I can connect to Unraid and docker containers (e.g. Plex, Emby etc.) well from outside my home network, so ports are forwarded correctly and everything seems to be working well. However I cannot access anything else connected to my LAN (e.g. Pi-Hole running on an R-Pi) or my router admin page. 

 

I was using openVPN before this and could access all devices on the network easily. Any advice for me to try and get to everything connected to the LAN? Thanks in advance.

 

image.thumb.png.e1cee3055103be7c6e6ff5e087f6add2.png

Edited by abhi.ko
added more info.
Link to comment

Hey there. I am looking at attempting to connect to a Subspace Wireguard VPN server from Unraid. Attempting to import tunnel configs from Subspace produces mixed results: it doesn't seem to import the assigned addresses or subnet masks correctly; and I can't exactly tell what use case to try with "advanced" configuration. I have no present desire to use Unraid to host Wireguard, nor use it to provide VPN connectivity to clients; I want to be able to access the Unraid GUI from other VPN clients. If the plugin isn't meant for "client" use, then is there a Docker container I should consider instead; or other way to activate it from the OS-level? Thanks!

Link to comment

How should I setup other Docker containers to connect to WireGuard? I watched this video from Spaceinvader One that for VPN as a Docker container we just need to add the name of the container in extra parameter. However, Dynamix WireGuard does not show in the Docker page and can only be configured in the settings page, I am not sure how to setup the connection.

Link to comment

I need some help I completely broke Wireguard. 

 

I was having some issues getting it working, especially after switching from Google DDNS to Cloudflare + NPM. Couldn't get anything to work. So I decided to nuke everything and start fresh.

 

I rm -rf'd /etc/wireguard/, deleted the plugin, redownloaded the plugin and then tried to start fresh. 

However, when I went into VPN settings after nothing would save. Hitting apply would reset everything. After looking around, it looks like re downloading the plugin did not create '/etc/wireguard'. So I mkdir '/etc/wireguard', as well as '/etc/wireguard/wg0.conf'

Now I can get a couple things to save, but once I try to 'add peer' it just raises and lowers the tunnel wg0 part, as if Im clicking the down/expand arrow.

 

At this point I decided to delete everything again, and restart the server. When I did that /etc/wireguard/ showed up (was not there when I restarted) and had the old files from the very beginning. 

 

Any pointers on how to just 100% reset the Wireguard state. Deleting/restarting is clearly not working, and nothing new I am doing is saving.

Link to comment
12 hours ago, hive_minded said:

Now I can get a couple things to save, but once I try to 'add peer' it just raises and lowers the tunnel wg0 part, as if Im clicking the down/expand arrow.

 

Depending on the options you choose when setting up the tunnel, sometimes once of the advanced fields is required to be filled in. It is switching to advanced mode so you can fill it in.

Link to comment
On 8/12/2021 at 8:57 PM, kencwt said:

How should I setup other Docker containers to connect to WireGuard? I watched this video from Spaceinvader One that for VPN as a Docker container we just need to add the name of the container in extra parameter. However, Dynamix WireGuard does not show in the Docker page and can only be configured in the settings page, I am not sure how to setup the connection.

 

The built-in WireGuard is not a Docker container so it cannot be used that way.

 

There is a way to configure WireGuard to connect to a commercial VPN provider, but it takes over the entire connection and cannot be limited to specific containers:

 

Link to comment
On 8/6/2021 at 11:43 PM, unquietwiki said:

Hey there. I am looking at attempting to connect to a Subspace Wireguard VPN server from Unraid. Attempting to import tunnel configs from Subspace produces mixed results: it doesn't seem to import the assigned addresses or subnet masks correctly; and I can't exactly tell what use case to try with "advanced" configuration. I have no present desire to use Unraid to host Wireguard, nor use it to provide VPN connectivity to clients; I want to be able to access the Unraid GUI from other VPN clients. If the plugin isn't meant for "client" use, then is there a Docker container I should consider instead; or other way to activate it from the OS-level? Thanks!

 

The WireGuard webgui is optimized to be the place where you manage all the peers rather than being just a peer itself. But you should be able to make it work. Start by importing a config and choosing perhaps "Remote access to LAN".

 

There are two WireGuard config files, one for the server and one for the peer. You can view each by clicking the little "eye" icons on the right side of the page. You may need to research how to setup WireGuard manually in order to find the right settings.

 

Once you get it working, come back here and tell us what you did!

  • Like 1
Link to comment
On 8/4/2021 at 3:16 PM, abhi.ko said:

I can connect to Unraid and docker containers (e.g. Plex, Emby etc.) well from outside my home network, so ports are forwarded correctly and everything seems to be working well. However I cannot access anything else connected to my LAN (e.g. Pi-Hole running on an R-Pi) or my router admin page. 

 

See the section on "complex networks" here:

There are certain combinations of "Use NAT" and "Host access to custom networks" that do not work together, and others that require you to setup a static route on your router.

Link to comment
13 hours ago, ljm42 said:

 

The WireGuard webgui is optimized to be the place where you manage all the peers rather than being just a peer itself. But you should be able to make it work. Start by importing a config and choosing perhaps "Remote access to LAN".

 

There are two WireGuard config files, one for the server and one for the peer. You can view each by clicking the little "eye" icons on the right side of the page. You may need to research how to setup WireGuard manually in order to find the right settings.

 

Once you get it working, come back here and tell us what you did!


Thanks for replying! That eye thing helps; tells me that at least the config file gets imported correctly. That being said, the default IPv4-only for WireGuard in Unraid means that if I set it to IPv6/IPv4, it'll lose most of the imported configuration. The UI's also unclear about my end's public IP address being optional; I know in the other WireGuard setup I maintain (traditional, not Subspace), I don't ever have to worry about the home user IPs.

Subspace-generated WireGuard config...

[Interface]

PrivateKey = PRIVATE

DNS = IPV4DNS,IPV6DNS

Address = IPV4ADDR/SN,IPV6ADDR/SN

 

[Peer]

PublicKey = PUBLIC

 

Endpoint = VPNADDRESS:PORT

AllowedIPs = IPV6ALLOWEDSN,IPV4ALLOWEDSN

Link to comment
  • 2 weeks later...

I seem to have found an odd bug.

When tunnels are set to be inactive, (re)entering the VPN Manager and changing any information (such as the tunnel or peer's name) and applying, activates the tunnel. Deactivating it and doing so again without leaving the page won't activate the tunnel again, but revisiting the page and changing information once again will.

This has accidentally caused me to activate two commercial VPN tunnels as I was naming the "peers" and the server became inaccessible until a reboot (I was unable to use the local terminal since the GPU was previously attached to a VM and I can't seem to get the iGPU to work with unRaid)

Edited by Dor
Link to comment

You need to change the tunnel view from „Basic“ to „Advanced“. The toggle is located between the „Active“ and „Autostart“ toggle in the top Right corner of the tunnel.

After that you will find a delete tunnel button in the bottom right corner of the tunnel configuration.

Link to comment
  • 3 weeks later...

I've set up wireguard for a complex network but I'm unable to access my shinobicctv docker that is on a vlan.  The vlan has a subnet of 10.5.20.0/24.  I'm able to ping and tracert all ip addresses on the vlan through wireguard but can't access them via webgui.  I can access the router at 10.5.20.1 tough.  Any ideas?

Link to comment

Join the conversation

You can post now and register later. If you have an account, sign in now to post with your account.
Note: Your post will require moderator approval before it will be visible.

Guest
Reply to this topic...

×   Pasted as rich text.   Restore formatting

  Only 75 emoji are allowed.

×   Your link has been automatically embedded.   Display as a link instead

×   Your previous content has been restored.   Clear editor

×   You cannot paste images directly. Upload or insert images from URL.