Dynamix WireGuard VPN


bonienl


1 hour ago, Hoopster said:

I have UPnP disabled and am using manual port forwarding. Does it matter either way?

No, both methods work.

 

1 hour ago, Hoopster said:

Issue here?

You should do a traceroute from the peer device. I expect multiple hops (3) to reach the final destination.

6 minutes ago, bonienl said:

I suspect a routing issue on the Unraid server itself, hence I like to see the network configuration file.

# Generated settings:
IFNAME[0]="br0"
BRNAME[0]="br0"
BRSTP[0]="no"
BRFD[0]="0"
BRNICS[0]="eth0"
PROTOCOL[0]="ipv4"
USE_DHCP[0]="no"
IPADDR[0]="192.168.1.10"
NETMASK[0]="255.255.255.0"
GATEWAY[0]="192.168.1.1"
METRIC[0]="1"
DNS_SERVER1="1.1.1.1"
DNS_SERVER2="1.0.0.1"
USE_DHCP6[0]="yes"
DHCP6_KEEPRESOLV="no"
VLANID[0,1]="3"
DESCRIPTION[0,1]="Dockers"
PROTOCOL[0,1]="ipv4"
USE_DHCP[0,1]="yes"
METRIC[0,1]="2"
VLANS[0]="2"
IFNAME[1]="br1"
BRNAME[1]="br1"
BRNICS[1]="eth1"
BRSTP[1]="no"
BRFD[1]="0"
PROTOCOL[1]="ipv4"
USE_DHCP[1]="yes"
METRIC[1]="3"
SYSNICS="2"

Actual file attached as well.

 

network.cfg


Ok, you have to make changes for the docker part.

 

First the VLAN used for Docker should have no IPv4 (and no IPv6 assignment).

Here is my config (you can use IPv4 only)

 

[screenshot]

 

Next, you need to assign the VLAN network (br0.3) to Docker. Define subnet, gateway and DHCP pool accordingly.

Here is my config for br0.5 (docker subnet)

 

[screenshot]

 

Start Docker and retest, it should go much better now 😃

33 minutes ago, bonienl said:

Next, you need to assign the VLAN network (br0.3) to Docker. Define subnet, gateway and DHCP pool accordingly.

Here is my config for br0.5 (docker subnet)

Here's what I currently have. It appears I initially made a typo and had 192.168.3.1 as both the subnet and Gateway address. That was a mistake in the subnet entry, it's always the little things. Since that only shows up in Advanced view, I failed to check that when troubleshooting. Thank you, thank you for catching that. 👍

 

I did not assign a DHCP pool because I wanted to manually assign an IP address to each container. 

 

[screenshot]

 

I did also change the Docker VLAN address assignment from 'Automatic' to 'None'.

 

IT WORKS NOW!!!  Thank you.

 

This traceroute looks a lot better. 😁

[screenshot]

 

I hope all this helps someone else.

Edited by Hoopster
6 hours ago, Hoopster said:

IT WORKS NOW!!! 

Great to hear.

Some further explanation of your issue before.

 

VLAN 3 was set up with DHCP, this means your Unraid server gets an IP address in the same subnet as the Docker containers.

It then wants to use VLAN 3 to communicate directly with the containers, because it is the nearest connection.

Docker however doesn't allow direct communication between host and containers in the same network.

So when traffic leaves the tunnel at the server side, it will get blocked by Docker and can't reach the containers (this gives your 2nd hop unreachable).

This is exactly the same issue when people are using br0 as their custom container network!!

 

When no IP address is assigned to VLAN 3, the server doesn't learn a direct connection to the containers, but instead will send traffic to the default gateway (your router). The router in return can forward the traffic to the destination container and communication is established, with the condition that a static route on your router exists for the return path, that is, containers back to the tunnel.

 

Another "non-visible" issue you have solved here is asymmetric routing. The DHCP assignment of VLAN 3 caused the server to learn a second default gateway via VLAN 3. This means that traffic destined for the Internet could leave via either eth0 or VLAN 3. Since both ended up here at the same router and there are no specific firewall rules in place, this didn't cause a connection problem, but it is always better to avoid asymmetric routing.

 

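A small linter for the two pitfalls bonienl describes above, added here as an example (not code from the thread, from Unraid or from Docker): it assumes the bash-style network.cfg format Hoopster posted and the subnet/gateway fields of a Docker custom network.

```python
"""Added example: lint an Unraid-style network.cfg for the pitfalls explained above."""
import ipaddress
import re

# Constructed sample, a trimmed copy of the network.cfg posted above.
SAMPLE_CFG = '''
IFNAME[0]="br0"
IPADDR[0]="192.168.1.10"
GATEWAY[0]="192.168.1.1"
VLANID[0,1]="3"
USE_DHCP[0,1]="yes"
IFNAME[1]="br1"
USE_DHCP[1]="yes"
'''
LINE_RE = re.compile(r'^(\w+)\[([\d,]+)\]="([^"]*)"$')

def parse_cfg(text):
    """Return {index: {key: value}}; "0" is br0, "0,1" is its first VLAN entry."""
    ifaces = {}
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            key, idx, val = m.groups()
            ifaces.setdefault(idx, {})[key] = val
    return ifaces

def lint_cfg(text):
    """Flag VLANs with an IPv4 assignment (host routes straight to the container
    subnet, which Docker blocks) and more than one default-gateway source."""
    ifaces, findings, gw_sources = parse_cfg(text), [], []
    for idx, cfg in ifaces.items():
        parent = ifaces.get(idx.split(",")[0], {}).get("IFNAME", "?")
        name = f"{parent}.{cfg['VLANID']}" if "VLANID" in cfg else cfg.get("IFNAME", "?")
        dhcp = cfg.get("USE_DHCP") == "yes"
        if "VLANID" in cfg and (dhcp or "IPADDR" in cfg):
            findings.append(f"{name}: container VLAN should have no IPv4 assignment")
        if dhcp or "GATEWAY" in cfg:
            gw_sources.append(name)
    if len(gw_sources) > 1:
        findings.append("asymmetric routing risk, gateway candidates: " + ", ".join(gw_sources))
    return findings

def check_docker_network(subnet, gateway):
    """Subnet must be a network address (192.168.3.1/24 is the thread's typo); gateway must be inside it."""
    try:
        net = ipaddress.ip_network(subnet, strict=True)
    except ValueError as exc:
        return [f"bad subnet: {exc}"]
    if ipaddress.ip_address(gateway) not in net:
        return [f"gateway {gateway} is outside {subnet}"]
    return []
```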

What is the correct route to allow the 10.* to get to the 192.168 (br0) subnet via the router, instead of internally in Unraid?

 

My idea is, since Docker won't allow the host to reach br0, why not go the other way around from the router? (or does Docker still know it's host -> br0? I don't think so)

Edited by nuhll
On 10/25/2019 at 11:42 PM, bonienl said:

Some further explanation of your issue before.

The mistakes I made in setting up the VLAN were made over 18 months ago, but masked until I tried to use WireGuard to access containers with a custom IP on a VLAN.

 

I followed your excellent guide for setting up VLANs as I was trying to solve the call trace issue I was having on br0. The VLAN solved that problem as well. Even though I did not want DHCP on the VLAN and wanted to assign static addresses, the 'IPv4 address assignment' being left on 'automatic' (instead of 'none') and the mistake in the Subnet address were not evident all this time because access to those containers still worked locally. It was only over the VPN tunnel (as you explained above) that the errors became apparent.

 

Although it was a mistake in that I ran the traceroute from the server to the container on the VLAN, this did not look right to me and I wondered why my unRAID server was getting an IP address on the VLAN. Now I understand what was going on.

 

[screenshot]

 

Thanks again for all your help on this.

Edited by Hoopster
6 hours ago, bonienl said:

Do you mean "own IP address"?

If yes, go through this topic, there are explanations and solutions given.

No, the LAN-side IP is the same as my Unraid server; they just all use a different port. For example, if my server is 192.168.0.100, the web GUI for Sonarr is 192.168.0.100:8989.
