WireGuard - VPN Tunneled Access to a commercial VPN provider


ljm42

1 minute ago, ziggie216 said:

With RC5, does this mean that I don't need to use certain Docker containers that have a built-in VPN/WireGuard client anymore?

Yup. I just tested it out today. Works great. Only issue I ran into was I needed to enter my VPN's DNS server into the Peer DNS Server field for the connection to activate.

Link to comment
On 4/19/2022 at 5:23 PM, ljm42 said:

For anyone following this thread, be sure to check out the first post for a sneak peek into 6.10.0-rc5, coming Soon(TM)!

Starting with this release you will be able to assign specific Docker containers to a VPN tunnel connected to a commercial provider! The rest of your server will use the normal Internet connection while your selected containers use WireGuard. There is even a kill switch, so if the WireGuard tunnel goes down, the containers will not be able to access the Internet.

Can it be used with VMs?

Link to comment
On 9/13/2021 at 4:14 AM, Moises said:

I am currently unable to get this to work with Mullvad, not sure what I am doing wrong. I download my config file, import it, the tunnel shows up with everything filled in, but when I change the slider to active, nothing happens. My logs don't show the tunnel starting at all. I have confirmed that everything with mullvad is working fine since I can use it with my phone. All other tunnels are also disabled. Any hints?

In the "WireGuard configuration file generator > Advanced settings > Tunnel traffic" set it to "Only IPv4"

That solved the problem for me.

  • Like 1
Link to comment
On 5/1/2022 at 5:24 PM, Kopernikus said:

Hi,

Upgraded to 6.10.0-rc5 to test out this new functionality.

I'm using TorGuard as my commercial VPN, so I created a config file, imported it (it created wg1), and when activating it, it seems to connect fine (I'm able to ping the peer endpoint).

However, when I want to use this connection for a container, for example Firefox, I set the network type to custom wg1, but as soon as the container is started I can't reach it anymore; I tried it with other containers with the same result.

Any idea? @bonienl @ljm42

To be more complete: my Unraid runs untagged on my server VLAN and my containers/VMs run on their own VLAN. To test, I tried it with AirVPN with the same result: the tunnel connects fine, however as soon as I am connected I can't connect to the Docker container that uses it.

Could it have something to do with the iptables rules that are set?

I did some more tests and found the issue.

So my Unraid is running on my untagged server VLAN; when I set my client to this same VLAN I am able to reach the Docker container. (I think) this is caused by the iptables rules added in the WireGuard config: they only allow traffic from my server VLAN, but of course I'm accessing the server from my trusted VLAN. For example, with the Docker container qbittorrentvpn you can define the trusted networks so those are added.

Edited by Kopernikus
Link to comment
On 5/1/2022 at 3:15 PM, gStone82 said:

Yup. I just tested it out today. Works great. Only issue I ran into was I needed to enter my VPN's DNS server into the Peer DNS Server field for the connection to activate.

Can you post the config file that you imported? (blank out any keys first)

Link to comment
On 4/30/2022 at 7:44 AM, Steace said:

Windscribe also supports WireGuard; I've been using them for years without any problems.

Thanks! I've added them to the OP

On 4/30/2022 at 7:44 AM, Steace said:

I found out that the PresharedKey is not imported from the config file, you need to enter it manually in the Unraid/Wireguard interface

Hmm... would you please post the config file that you imported? (blank out any keys first)

Link to comment
On 4/27/2022 at 6:52 AM, badi95 said:

I have a WireGuard tunnel to my VPS for certain Docker containers using the passthroughvpn container. Will I be able to replace this setup with the functionality described? Or will it only support commercial VPN solutions?

On 4/28/2022 at 10:27 AM, Steve1985 said:

I run my own WireGuard server on a VM in the cloud. Just tried the VPN tunneled access for Docker option and it works like a charm.

Just follow the instructions in the OP. For my existing tunnel I just had to adjust the option that was added after rc5. In my case the "peer endpoint" disappeared, so the tunnel stopped working. Not sure if this could be considered a bug.

If you have an existing tunnel to a "regular" WireGuard endpoint (i.e. not a commercial provider) all you have to do is make a small change and hit Apply. When you hit Apply from within 6.10.0-rc5+ it will upgrade it to the latest config. There is no need to modify the "peer type of access".

Then modify an existing Docker container by setting the "Network Type" to "Custom: wg2" (or whatever the name of the tunnel is), and the container will now use that tunnel for its network.

Link to comment
10 hours ago, ljm42 said:

Can you post the config file that you imported? (blank out any keys first)

Sure. See below. The DNS 1.1.1.1 in the config did not import into the peer DNS field. I'd assume because it is listed under interface rather than peer. I ended up using TorGuard's provided DNS for WireGuard (10.9.0.1) found here: https://torguard.net/tgspec.php. Without the DNS entry, clicking the active button would set it to active for about a second before switching back to inactive. Nothing relevant showing in the Unraid logs.

# TorGuard WireGuard Config
[Interface]
PrivateKey = 
ListenPort = 51820
MTU = 1292
DNS = 1.1.1.1
Address = 10.13.37.5/24

[Peer]
PublicKey = 
AllowedIPs = 0.0.0.0/0
Endpoint = 107.181.189.38:1443
PersistentKeepalive = 25

Edited by gStone82
Link to comment
14 hours ago, bonienl said:

Your PC must be in the same LAN network as the server to make the container reachable.

If your PC is in a different local network, Unraid doesn't know how to reach it.

Why can I reach my other containers from my "trusted VLAN"?

Only the ones assigned to wg1 are not reachable.

Would I be able to fix this with a static route? Just like I did for my WireGuard tunnel (wg0) when I want to reach my network from outside my home so I can reach my Dockers/VMs which are on a different VLAN.

Edited by Kopernikus
Link to comment
On 5/3/2022 at 2:23 PM, bonienl said:

This is fixed in rc6, which imports all keys, but you can post your config file for validation purposes.

Confirmed, I added a new location and everything works as intended! Thank you and sorry for the late response, I was busy as hell.

  • Like 1
Link to comment
On 5/4/2022 at 9:29 AM, Kopernikus said:

Would I be able to fix this with a static route?

Yes, you can manually add a static route, but keep in mind that each time the tunnel is restarted, it needs to be re-added.

Below is an example for WireGuard tunnel wg1

# ip route show table 201
default via 192.168.6.190 dev wg1                      <-- default route to tunnel
10.0.101.0/24 via 10.0.101.1 dev br0                   <-- local LAN network to home router

ip route add 10.0.102.0/24 via 10.0.101.1 table 201    <-- add other local network to home router

# ip route show table 201
default via 192.168.6.190 dev wg1
10.0.101.0/24 via 10.0.101.1 dev br0
10.0.102.0/24 via 10.0.101.1 dev br0

Link to comment
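Why a container on wg1 cannot be reached from another VLAN can be checked by replaying the kernel's longest-prefix lookup against the tunnel's routing table: the reply to a client in 10.0.102.0/24 matches only the default route, so it is sent into the tunnel (or dropped by the kill switch) until a more specific route for that VLAN exists. This is an added example, not code from the thread or from Unraid; the table text is a constructed copy of the lines shown above and the client addresses are assumed.

```python
import ipaddress

# Constructed copy of the wg1 policy-routing table (table 201) from the post above,
# before and after the extra local network is added.
TABLE_201_BEFORE = """\
default via 192.168.6.190 dev wg1
10.0.101.0/24 via 10.0.101.1 dev br0
"""
TABLE_201_AFTER = TABLE_201_BEFORE + "10.0.102.0/24 via 10.0.101.1 dev br0\n"


def parse_routes(text):
    """Parse `ip route show table N` output into (network, gateway, dev) tuples."""
    routes = []
    for line in text.splitlines():
        parts = line.split()
        if not parts:
            continue
        dst = "0.0.0.0/0" if parts[0] == "default" else parts[0]
        net = ipaddress.ip_network(dst, strict=False)
        gw = parts[parts.index("via") + 1] if "via" in parts else None
        dev = parts[parts.index("dev") + 1] if "dev" in parts else None
        routes.append((net, gw, dev))
    return routes


def lookup(routes, dst_ip):
    """Longest-prefix match, as the kernel does for a packet leaving the container."""
    addr = ipaddress.ip_address(dst_ip)
    best = None
    for net, gw, dev in routes:
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, gw, dev)
    return best


def reply_path(table_text, client_ip):
    """Interface a container bound to this table uses to answer client_ip."""
    match = lookup(parse_routes(table_text), client_ip)
    return match[2] if match else None


if __name__ == "__main__":
    for table, label in ((TABLE_201_BEFORE, "before"), (TABLE_201_AFTER, "after")):
        print(label, "reply to 10.0.102.7 leaves via", reply_path(table, "10.0.102.7"))
```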
15 minutes ago, bonienl said:

Yes, you can manually add a static route, but keep in mind that each time the tunnel is restarted, it needs to be re-added.

Below is an example for WireGuard tunnel wg1

# ip route show table 201
default via 192.168.6.190 dev wg1                      <-- default route to tunnel
10.0.101.0/24 via 10.0.101.1 dev br0                   <-- local LAN network to home router

ip route add 10.0.102.0/24 via 10.0.101.1 table 201    <-- add other local network to home router

# ip route show table 201
default via 192.168.6.190 dev wg1
10.0.101.0/24 via 10.0.101.1 dev br0
10.0.102.0/24 via 10.0.101.1 dev br0

Thx.

There's no way to make this permanent?

I can imagine I'm not the only person who accesses his Dockers from another (V)LAN than the one where the Unraid server resides.

Personally I like to segment my network into VLANs, aka "Trusted/Servers/IoT/Dockers/VM/Guests/Management etc..."

Now I'm running the WireGuard connection inside the Docker container, and for the Docker containers that don't have support I forward them or use a proxy, but it would be better to assign them directly to the "wg?" interface.

Link to comment
39 minutes ago, Kopernikus said:

There's no way to make this permanent?

Unraid doesn't know about the existence of the other networks and can't add them automatically.

40 minutes ago, Kopernikus said:

I can imagine I'm not the only person

I use network segregation too, but the PC which manages Unraid is in the same network as the server and this works out-of-the-box

Link to comment
On 5/3/2022 at 2:23 PM, bonienl said:

This is fixed in rc6, which imports all keys, but you can post your config file for validation purposes.

[Interface]
PrivateKey = ******
Address = 100.98.122.24/32
DNS = 10.255.255.3

[Peer]
PublicKey = ******
AllowedIPs = 0.0.0.0/0
Endpoint = bos-298-wg.whiskergalaxy.com:65142
PresharedKey = *******

Link to comment

I am not quite sure whether it is a DNS server problem, but it seems like it doesn't work. I am on Unraid version 6.10.0-rc7.

The config from my provider.

[Interface]
PrivateKey = xxx
Address = 10.aaa.bbb.128/32
DNS = 100.xxx.xxx.3

[Peer]
PublicKey = yyy
AllowedIPs = 0.0.0.0/0
Endpoint = 194.aaa.bbb.33:51820


The imported config in unraid.

[Interface]
PrivateKey=xxx
Address=10.aaa.bbb.128
PostUp=logger -t wireguard 'Tunnel WireGuard-wg0 started'
PostDown=logger -t wireguard 'Tunnel WireGuard-wg0 stopped'
PostUp=ip -4 route flush table 200
PostUp=ip -4 route add default via 10.aaa.bbb.128 table 200
PostUp=ip -4 route add 192.xxx.0.0/16 via 192.xxx.1.1 table 200
PostDown=ip -4 route flush table 200
PostDown=ip -4 route add unreachable default table 200
PostDown=ip -4 route add 192.xxx.0.0/16 via 192.xxx.1.1 table 200

[Peer]
PublicKey=yyy
Endpoint=194.aaa.bbb.33:51820
AllowedIPs=0.0.0.0/0
PersistentKeepalive=60


I have even tried to manually add it to "Peer DNS server:", but it doesn't seem to work. Any idea how to fix this? It seems to be the cause of DNS leaks inside the Docker containers.

Edited by Technikte
Link to comment
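The import differences reported in this thread (DNS under [Interface] not carried over, the /32 dropped from Address, and PresharedKey not imported before rc6) can be spotted by parsing both files and diffing them key by key. This is an added example and not Unraid's import code; the two configs are constructed from the redacted ones posted above, with a PresharedKey line added to cover the earlier report.

```python
# Constructed sample in the shape of the configs posted above (keys redacted);
# a PresharedKey is added so the pre-rc6 import report is covered as well.
PROVIDER_CONF = """\
[Interface]
PrivateKey = xxx
Address = 10.aaa.bbb.128/32
DNS = 100.xxx.xxx.3

[Peer]
PublicKey = yyy
AllowedIPs = 0.0.0.0/0
Endpoint = 194.aaa.bbb.33:51820
PresharedKey = zzz
"""
IMPORTED_CONF = """\
[Interface]
PrivateKey=xxx
Address=10.aaa.bbb.128
PostUp=logger -t wireguard 'Tunnel WireGuard-wg0 started'

[Peer]
PublicKey=yyy
Endpoint=194.aaa.bbb.33:51820
AllowedIPs=0.0.0.0/0
"""


def parse_wg(text):
    """Parse a wg-quick file into {section: {key: [values]}}; keys like PostUp may repeat."""
    conf, section = {}, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop comments and blank lines
        if not line:
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1]
            conf.setdefault(section, {})
            continue
        key, _, value = line.partition("=")   # tolerate 'Key = v' and 'Key=v'
        conf[section].setdefault(key.strip(), []).append(value.strip())
    return conf


def import_findings(provider_text, imported_text):
    """Report provider settings that the import dropped or altered."""
    src, dst = parse_wg(provider_text), parse_wg(imported_text)
    findings = []
    for section in ("Interface", "Peer"):
        for key, values in src.get(section, {}).items():
            if key not in dst.get(section, {}):
                findings.append(f"{section}.{key} missing after import")
            elif values != dst[section][key]:
                findings.append(f"{section}.{key} changed: {values} -> {dst[section][key]}")
    return findings
```

Keys the import adds on its own (PostUp/PostDown, PersistentKeepalive) are not reported, since only the provider's settings are compared.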
42 minutes ago, bonienl said:

Unraid does not accept a system-wide DNS setting; instead, if a specific DNS is required, you should configure that under the extra parameters of the Docker container.

Like:

--dns=100.x.y.z

Thanks, it worked. I thought somehow WireGuard would force the DNS for the Docker containers... but nevertheless 🥳

Link to comment
33 minutes ago, Technikte said:

Thanks, it worked. I thought somehow WireGuard would force the DNS for the Docker containers... but nevertheless 🥳

Wireguard forcing DNS won’t work when using multiple tunnels each with their own setting. This leads to conflicts.

Note: not all VPN providers set a specific DNS server, and it could be that the VPN tunnel works with the current DNS settings of Unraid.

Link to comment

First of all, thanks for this feature, it was the only thing Unraid lacked for me.

I upgraded to RC7 and was able to use two tunnels at the same time. One for all the Docker containers that go through Mullvad and another one that connects Duplicati to a Raspberry Pi in another location for backups.

That's all I ever wanted and now I can finally do it without additional WireGuard Docker containers.

After I tested that everything worked, I tried to figure out which DNS the containers connected to Mullvad use. So I installed the linuxserver Firefox Docker and also connected it to the Mullvad tunnel. The results were the same as described in the last few comments: it always uses the Unraid DNS, which is the one set in my router, regardless of what is set in "Peer DNS Server".

So I tried to use "--dns=8.8.8.8" as an extra parameter in the Firefox Docker container. I figured if I use this parameter and go to https://www.dnsleaktest.com/ I should see the nearest Google DNS after a standard test, but instead I see the DNS that Mullvad would use if I used the Mullvad PC app. As if the --dns setting deletes the Unraid DNS setting for that container and so it reverts to the Mullvad DNS.

I even made another tunnel with a different config file for another country, with the same result.

Am I doing something wrong, and how can I make sure that I don't use my normal DNS which Unraid uses?

Link to comment
