bonienl Posted October 12, 2019 (edited)

With the release of Unraid 6.8 comes support for WireGuard VPN connections. At the moment the GUI part is offered as a separate plugin, but will be integrated into Unraid in the future. This approach allows for quick updates and enhancements without dependency on Unraid version releases.

People starting with WireGuard should read the quick-start guide written by @ljm42. See

Please use his topic only to ask questions about using and setting up WireGuard. The GUI has online help as well, please have a look at this too.

Use this topic to report any issues or bugs or proposed enhancements for the WireGuard functionality. This way things stay grouped together.

Thanks

Edited October 12, 2019 by bonienl

hotio Posted October 12, 2019

"Remote tunneled access" gives an invalid QR code, because of a missing IP, only "/128" is put in the config.

bonienl Posted October 12, 2019 (Author)

Do you use IPv6? If not, change network settings to IPv4 only.

hotio Posted October 12, 2019

I'm running on a fully working ipv4/ipv6 network, however I've got "Network protocol" set to "IPV4 Only" on the unraid server. So afaik that's what you suggest.

ljm42 Posted October 12, 2019

6 hours ago, hotio said:
> "Remote tunneled access" gives an invalid QR code

I see. If you choose "remote access to LAN" then the IP Address is added to the config properly:

    [Interface]
    PrivateKey=<snip>
    Address=10.253.0.2/32

But if you choose the "remote tunneled access" option, the config is invalid:

    [Interface]
    PrivateKey=<snip>
    Address=/128
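Added example, not part of the original posts and not the plugin's own code: a check that parses a WireGuard peer config and flags `Address` entries that are not a valid address/prefix, which catches the `Address=/128` case shown above before the config is turned into a QR code. The function name and the two sample configs are constructed for illustration.

```python
import ipaddress

def check_interface_addresses(conf_text):
    """Return a list of problems found in the Address= entries of [Interface]."""
    problems, section = [], None
    for lineno, raw in enumerate(conf_text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()          # drop comments and whitespace
        if not line:
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()     # track the current section
            continue
        if section != "interface" or "=" not in line:
            continue
        key, value = (part.strip() for part in line.split("=", 1))
        if key.lower() != "address":
            continue
        # Address may hold several comma-separated entries (IPv4 and IPv6).
        for entry in (e.strip() for e in value.split(",")):
            try:
                ipaddress.ip_interface(entry)        # accepts "10.253.0.2/32", rejects "/128"
            except ValueError:
                problems.append(f"line {lineno}: invalid Address entry {entry!r}")
    return problems

# Constructed samples mirroring the two configs quoted in the post.
GOOD = "[Interface]\nPrivateKey=<snip>\nAddress=10.253.0.2/32\n"
BAD = "[Interface]\nPrivateKey=<snip>\nAddress=/128\n"

if __name__ == "__main__":
    for name, conf in (("remote access to LAN", GOOD), ("remote tunneled access", BAD)):
        print(name, "->", check_interface_addresses(conf) or "ok")
```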
bonienl Posted October 13, 2019 (Author)

16 hours ago, ljm42 said:
> But if you choose the "remote tunneled access" option, the config is invalid:

Fixed

SenorLoco Posted October 13, 2019

I'm not sure if I've got something configured wrong or if it is working as designed, but wireguard is working fine and clients can connect without issue; however, when wireguard is active I am unable to access any dockers that have a custom ip address (Custom : br0). As soon as I deactivate wireguard those dockers are accessible.

Do I have something set up wrong or will they not work together?

bonienl Posted October 13, 2019 (Author)

Dockers with a custom network (unique IP address) have the router as gateway. It requires additional routing on the gateway itself to make containers reachable over VPN.

Squid Posted October 13, 2019

1 minute ago, bonienl said:
> Dockers with a custom network (unique IP address) have the router as gateway. It requires additional routing on the gateway itself to make containers reachable over VPN.

I know squat about networking, but isn't Remote Access To LAN supposed to accomplish this?

SenorLoco Posted October 13, 2019

I failed to be as specific as I should have... when wireguard is active I can't even access those dockers from my unraid server.

bonienl Posted October 13, 2019 (Author)

1 minute ago, Squid said:
> I know squat about networking, but isn't Remote Access To LAN supposed to accomplish this?

Yes, in combination with additional routing rules on your router (defines the return path)

Squid Posted October 13, 2019

Maybe the help text / pic should get updated to reflect this?

bonienl Posted October 13, 2019 (Author, edited)

LAN hosts or docker containers/VMs with their own IP address need a return path back to the WireGuard VPN tunnel, which exists on the Unraid server, to reach any remote destination.

This is achieved by adding the tunnel endpoint subnet to the gateway (router) which provides the regular access to remote destinations.

By default Unraid uses the 10.253.x.x/16 subnet for tunnel endpoint assignments. This subnet needs to be added to the router and points to the LAN (eth0) address of the Unraid server.

Below is an example of static routes added to a Ubiquiti router (other brands should offer something similar).

It is also needed to disable the "Local Server uses NAT" setting (switch on advanced view).

Edited December 13, 2019 by bonienl

Squid Posted October 13, 2019

OK. Since I'm sure I'm not the only one who has no real clue about what to enter here, any hints? Sorry for being so dense.

bonienl Posted October 13, 2019 (Author, edited)

You need this entry:

    Network       Mask           Gateway
    10.253.0.0    255.255.0.0    Unraid LAN IP

Updated: just route the tunnel addresses from your router to the Unraid server

Edited October 20, 2019 by bonienl
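Added example, not part of the original posts: the VPN return path described by bonienl above, traced hop by hop with longest-prefix matching, once without and once with the static route on the router. The LAN addresses follow the `ip route` output posted later in this thread (Unraid at 192.168.1.10, a custom-IP container at 192.168.1.99); the WAN gateway 203.0.113.1, the device names and all function names are assumptions.

```python
import ipaddress

# Constructed routing tables as (prefix, gateway, device); gateway None = on-link.
CONTAINER = [("192.168.1.0/24", None, "eth0"), ("0.0.0.0/0", "192.168.1.1", "eth0")]
UNRAID = [("10.253.0.2/32", None, "wg0"), ("192.168.1.0/24", None, "br0"),
          ("0.0.0.0/0", "192.168.1.1", "br0")]
ROUTER = [("192.168.1.0/24", None, "lan"), ("0.0.0.0/0", "203.0.113.1", "wan")]
STATIC_ROUTE = ("10.253.0.0/16", "192.168.1.10", "lan")  # the entry from the post

def next_hop(table, dst):
    """Longest-prefix match: return (gateway, device) for dst, or None."""
    dst = ipaddress.ip_address(dst)
    best = None
    for prefix, gateway, dev in table:
        net = ipaddress.ip_network(prefix)
        if dst in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, gateway, dev)
    return None if best is None else (best[1], best[2])

def return_path(hosts, start, dst, max_hops=8):
    """Follow a reply packet from start towards dst through the known hosts."""
    path, here = [start], start
    for _ in range(max_hops):
        hop = next_hop(hosts[here], dst)
        if hop is None:
            return path + ["unreachable"]
        gateway, dev = hop
        if gateway is None:                      # destination is directly attached
            return path + [f"{dst} via {dev}"]
        if gateway not in hosts:                 # handed to a host we do not model
            return path + [f"{gateway} (outside LAN, via {dev})"]
        path.append(gateway)
        here = gateway
    return path + ["loop"]

def lan(router_table):
    """The three LAN hosts, keyed by address, with the given router table."""
    return {"192.168.1.99": CONTAINER, "192.168.1.1": router_table,
            "192.168.1.10": UNRAID}

if __name__ == "__main__":
    for label, table in (("without route", ROUTER), ("with route", ROUTER + [STATIC_ROUTE])):
        print(label + ":", " -> ".join(return_path(lan(table), "192.168.1.99", "10.253.0.2")))
```

Without the static route the container's reply to the tunnel peer leaves through the router's default route; with it, the router hands the reply to the Unraid server, which delivers it on wg0.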
david279 Posted October 13, 2019

So this is why my custom ip dockers were not working..... Turned off wireguard and back all good. Gonna figure this one out...

bonienl Posted October 13, 2019 (Author)

The challenge is to make routing complete, because the VPN tunnel lives on the Unraid server, while other devices in the LAN have the router as gateway.

SenorLoco Posted October 13, 2019

I understand why wireguard clients could have problems connecting to dockers with a custom ip, but why would that behavior change for devices that are on the same LAN (not using wireguard)? If I try to ping one of the dockers with a custom ip from within the LAN (from 192.168.1.160 -> 192.168.1.99) the ping times out, but with wireguard inactive the ping is fine.

bonienl Posted October 13, 2019 (Author)

The WireGuard VPN tunnel should have no effect on the reachability of local devices on the same LAN.

What kind of connection are you trying to set up?

SenorLoco Posted October 13, 2019

I've tried multiple options for 'Peer type of access' if that is what you're referring to, and it happens no matter what is selected.

Actually I just deleted everything and set up a very basic server... just generated the keypair, applied changes and activated the server, and as soon as I hit activate I was unable to ping a custom ip docker.

david279 Posted October 13, 2019

3 minutes ago, bonienl said:
> The WireGuard VPN tunnel should have no effect on the reachability of local devices on the same LAN.
>
> What kind of connection are you trying to set up?

Yeah, it is the same issue I am having. When wireguard is active I cannot connect to dockers with a custom ip. This is from my normal network, not the vpn. The connection times out.

bonienl Posted October 13, 2019 (Author)

For those having local issues, please post the output of (open a terminal session)

    ip route

SenorLoco Posted October 13, 2019

    default via 192.168.1.1 dev br0
    10.253.0.2 dev wg0 scope link
    172.17.0.0/16 dev docker0 proto kernel scope link src 172.17.0.1
    192.168.1.0/24 dev br0 proto kernel scope link src 192.168.1.10
    192.168.122.0/24 dev virbr0 proto kernel scope link src 192.168.122.1 linkdown

bonienl Posted October 13, 2019 (Author)

22 minutes ago, SenorLoco said:
> default via 192.168.1.1 dev br0
> 10.253.0.2 dev wg0 scope link
> 172.17.0.0/16 dev docker0 proto kernel scope link src 172.17.0.1
> 192.168.1.0/24 dev br0 proto kernel scope link src 192.168.1.10
> 192.168.122.0/24 dev virbr0 proto kernel scope link src 192.168.122.1 linkdown

That looks alright.

From where are you pinging the docker containers?

Can you also post diagnostics?

david279 Posted October 13, 2019

    default via 192.168.29.1 dev br0 metric 212
    10.253.0.2 dev wg0 scope link
    10.253.0.3 dev wg0 scope link
    172.17.0.0/16 dev docker0 proto kernel scope link src 172.17.0.1
    192.168.29.0/24 dev br0 proto kernel scope link src 192.168.29.140
    192.168.122.0/24 dev virbr0 proto kernel scope link src 192.168.122.1 linkdown

Attachment: tower-diagnostics-20191013-1619.zip