WireGuard - VPN Tunneled Access to a commercial VPN provider


ljm42


2 hours ago, ljm42 said:

 

The OP tells you how to run a leak test, not sure what else you would be concerned with?

 

Far as I can tell there is no kill switch or other safety mechanism to block the internet if the VPN goes down for some reason. If that happened it would just keep using the internet under your real IP without interruptions and you would have no idea.

Link to comment
4 hours ago, TexasUnraid said:

 

Far as I can tell there is no kill switch or other safety mechanism to block the internet if the VPN goes down for some reason. If that happened it would just keep using the internet under your real IP without interruptions and you would have no idea.

 

Please give the "Testing the tunnel" section of the OP another read :)

Link to comment
2 hours ago, ljm42 said:

 

Please give the "Testing the tunnel" section of the OP another read :)

1: How is it possible to leak the DNS to your ISP if the tunnel is exclusive? That is what is confusing me, it should not be possible to leak DNS if it truly has a "kill switch" since all traffic would be coming from the other end of the tunnel and it would never even see your local network, or am I misunderstanding?

 

2: So the tunnel will only be used if you set the docker to use it? It will not funnel all internet traffic from the server through it by default?

 

3: The issue with sending a docker through a custom tunnel is won't webguis/vnc stop working since they will not have an open port for local IP access?

Link to comment
On 11/18/2022 at 7:02 PM, TexasUnraid said:

1: How is it possible to leak the DNS to your ISP if the tunnel is exclusive? That is what is confusing me, it should not be possible to leak DNS if it truly has a "kill switch" since all traffic would be coming from the other end of the tunnel and it would never even see your local network, or am I misunderstanding?

 

My understanding is if you don't set a DNS provider in the "Extra Parameters", then the Unraid host handles your DNS lookups and those go through Unraid's Internet connection. However, if you set the DNS provider then the container handles the lookups and those go through the tunnel.
 

On 11/18/2022 at 7:02 PM, TexasUnraid said:

2: So the tunnel will only be used if you set the docker to use it? It will not funnel all internet traffic from the server through it by default?

 

Right, when you set the tunnel type to "VPN tunneled access for docker" this creates a network interface but does not assign containers to it. You would follow the instructions in the OP to assign the desired containers to it and set their DNS.

 

On 11/18/2022 at 7:02 PM, TexasUnraid said:

3: The issue with sending a docker through a custom tunnel is won't webguis/vnc stop working since they will not have an open port for local IP access?

 

That would not be very useful :) The docker containers use the WireGuard tunnel for Internet access but they are still accessible on the local LAN.

Link to comment

I guess I am doing something wrong. Kind of new to this so forgive me. I am trying to use SurfSharkVPN and set up a wg1 tunnel to route dockers through. Now I have this config file in qbittorrentvpn using wireguard and I can route the docker through with no problems. But changing the docker to wg1, it does not seem to do anything. Now I can log into the console and do curl ipconfig.io and get the VPN IP, but any docker container I run does not work. Like I have firefox and it will not connect to any sites. I can ping them from the console but cannot access them from the gui. (Radarr and sonarr are the same way)

 

Here is my surfshark config

 

[Interface]
Address = 10.14.0.2/16
PrivateKey = 
DNS = 162.252.172.57,149.154.159.92
[Peer]
PublicKey = 
AllowedIPs = 0.0.0.0/0
Endpoint = us-orl.prod.surfshark.com:51820

 

I manually added the DNS to the WG tunnel.  Even changed it to just 1.1.1.1 or 8.8.8.8  Is there something I am missing?

 

(screenshot of the tunnel settings)

Link to comment

What’s the latest consensus on best commercial VPN provider to use with WireGuard on UnRAID? I’ve got PIA working but often have to change servers. With BF deals, I was thinking of switching but I want a provider with fast, reliable servers that I can auto-generate or download a .conf file to use with UnRAID. Thanks 

Link to comment
1 hour ago, betaman said:

What’s the latest consensus on best commercial VPN provider to use with WireGuard on UnRAID? I’ve got PIA working but often have to change servers. With BF deals, I was thinking of switching but I want a provider with fast, reliable servers that I can auto-generate or download a .conf file to use with UnRAID. Thanks 

 Very similar question, let us know who you go with and how they work.

 

I like PIA since there are no limits on how or how much you use the service and the price is good as well.

 

When you say you have to change the servers on PIA a lot, why is that?

Link to comment
19 hours ago, TexasUnraid said:

 Very similar question, let us know who you go with and how they work.

 

I like PIA since there are no limits on how or how much you use the service and the price is good as well.

 

When you say you have to change the servers on PIA a lot, why is that?

I’m not sure why. For some reason the tunnel stops working. I reload a different conf file I made that works and it’s back again. Been cycling between CA Toronto and CA Montreal. Do you know a server that is working well for you?

Edited by betaman
Link to comment
28 minutes ago, betaman said:

I’m not sure why. For some reason the tunnel stops working. I reload a different conf file I made that works and it’s back again. Been cycling between CA Toronto and CA Montreal. Do you know a server that is working well for you?

Those are the same servers I use, also what I was worried about with this tunnel implementation and leakage etc. Also no way to handle port forwarding it seems, so I guess I am stuck using the dockers with built-in VPNs if on PIA.

Link to comment
On 6/10/2022 at 11:54 AM, Purely8120 said:

Hello again!

 

I just want to update the port forwarding problem I described a few replies above:

 

It turns out it was really simple. Just expose wanted ports on the docker menu for the container you want to forward ports to...

 

Hope it helps!

Thank you!! I could not figure out why port forwarding wasn't working with my torrent client, and being a newbie and all, I totally overlooked such a simple solution. People like you who update with a solution are a godsend. 

Link to comment
  • 1 month later...
On 11/22/2022 at 5:05 AM, BrownHP800 said:

I guess I am doing something wrong. Kind of new to this so forgive me. I am trying to use SurfSharkVPN and set up a wg1 tunnel to route dockers through. Now I have this config file in qbittorrentvpn using wireguard and I can route the docker through with no problems. But changing the docker to wg1, it does not seem to do anything. Now I can log into the console and do curl ipconfig.io and get the VPN IP, but any docker container I run does not work. Like I have firefox and it will not connect to any sites. I can ping them from the console but cannot access them from the gui. (Radarr and sonarr are the same way)

 

Did you manage to resolve this issue? I'm struggling with the same and was able to localise the issue to DNS: access to IP addresses works, but not to domains.

And I have the issue both for Surfshark and my own Wireguard server.

Link to comment
  • 3 weeks later...

Hey everyone.

 

This is a great idea! 

 

However, I am struggling a bit with the setup. It is pretty straightforward to be honest, but after I imported my wireguard conf file and selected the appropriate interface in the firefox docker configuration, I can't access the web interface of the firefox docker.

 

Maybe I overlooked something obvious but I think by now I tweaked every possible setting and thought to myself, better ask folks that actually know what they are talking about lol.

 

So this is my VPN config:

 

(screenshot of the VPN config)

 

Firefox Docker:

 

(screenshot of the Firefox docker settings)

 

But when I try accessing it I get an ERR_CONNECTION_TIMED_OUT in my browser. What can I be doing wrong here?

Link to comment
5 hours ago, germericanish said:

Maybe I overlooked something obvious but I think by now I tweaked every possible setting and thought to myself, better ask folks that actually know what they are talking about lol.

 

Your Local Tunnel Firewall and Peer Allowed IPs are definitely wrong. Rather than untangle it, I'd recommend that you delete this tunnel and docker container, then start over by following the guide in the first post carefully step by step. I can't think of any settings you should need to change that aren't mentioned in the guide.

 

Also, I'm not sure what version of Unraid you are running but I'd recommend upgrading to Unraid 6.11.5 first so you have the latest code.

Link to comment
45 minutes ago, ljm42 said:

 

Your Local Tunnel Firewall and Peer Allowed IPs are definitely wrong. Rather than untangle it, I'd recommend that you delete this tunnel and docker container, then start over by following the guide in the first post carefully step by step. I can't think of any settings you should need to change that aren't mentioned in the guide.

 

Also, I'm not sure what version of Unraid you are running but I'd recommend upgrading to Unraid 6.11.5 first so you have the latest code.

Oh yeah, didn't think of that actually. I just dumped the conf file into the system and thought I would be good. Will do and report back. Thanks!

Link to comment

Small suggestion: I think it would be better if the sliders for "Active" and "Autostart" were a bit bigger or easier to see.

I didn't know why my docker tunnel wasn't working at first. It turns out it was because it was toggled inactive by default. I didn't notice those sliders hunched in the top right, and I'm used to them being used to toggle advanced views and the like.

Link to comment

I'm using Surfshark Wireguard configs and I'm getting mixed results.

 

Resilio Sync works fine on the custom wireguard network.

Firefox and Linuxserver's deluge container and YTSync all don't work. Even Resilio Sync sometimes randomly doesn't work.

 

The Surfshark .conf file looks like this (I altered the private and public keys for this post):

#
# Use this configuration with WireGuard client
#
[Interface]
Address = 10.14.0.2/16
PrivateKey = nd9Aahf9ashFSHFSe1K2rt6stcGt9rM9d7hbwml2D
DNS = 162.252.172.57, 149.154.159.92
[Peer]
PublicKey = Nxnc8FsnaM25UQqfDXCj0wCNUsm1RgkNHd8ndsVBja
AllowedIPs = 0.0.0.0/0
Endpoint = 45.248.76.221:51820

 

Is there anything that looks wrong here?

Another thing: these .conf files work for the Windows and iOS Wireguard clients, but not for Android.

Link to comment
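For anyone asking, like the post above, whether a provider .conf "looks wrong", the following is an added example (not Unraid's code and not the provider's) that parses the .conf format shown in this thread and checks the fields a tunnel needs before it is worth importing: non-empty Interface keys, a DNS line (so lookups are not left to whatever resolver the container inherits), a Peer public key, AllowedIPs covering 0.0.0.0/0, and an Endpoint with a port. The keys in the posted configs were altered or blanked by the posters, so the sample configs here use constructed placeholder keys and a placeholder endpoint host (vpn.example.net), which are assumptions, not values from the thread.

```python
import base64
import re

# Added example: a small validator for the WireGuard .conf format posted in this thread.
# It is not Unraid code and knows nothing about the Unraid importer; it only checks
# that the fields a provider config needs are present and well-formed.


def parse_wg_conf(text):
    """Parse a .conf into {"Interface": {key: value}, "Peer": [{key: value}, ...]}.

    A hand-rolled parser is used because configparser rejects repeated [Peer] sections.
    """
    conf = {"Interface": {}, "Peer": []}
    current = None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments such as the "# Use this..." header
        if not line:
            continue
        header = re.fullmatch(r"\[(\w+)\]", line)
        if header:
            name = header.group(1)
            if name == "Interface":
                current = conf["Interface"]
            elif name == "Peer":
                current = {}
                conf["Peer"].append(current)
            else:
                raise ValueError(f"unknown section [{name}]")
            continue
        if current is None or "=" not in line:
            raise ValueError(f"unexpected line outside a section: {raw!r}")
        key, value = (part.strip() for part in line.split("=", 1))
        current[key] = value
    return conf


def is_wg_key(value):
    """WireGuard keys are 32 bytes encoded as base64: 44 characters ending in '='."""
    try:
        return len(value) == 44 and len(base64.b64decode(value, validate=True)) == 32
    except ValueError:  # binascii.Error is a ValueError subclass
        return False


_ENDPOINT = re.compile(r"(?:\[[0-9a-fA-F:]+\]|[^\s:\[\]]+):\d{1,5}")


def lint_wg_conf(text):
    """Return a list of findings; an empty list means every required field is present and well-formed."""
    findings = []
    conf = parse_wg_conf(text)
    iface = conf["Interface"]
    for key in ("PrivateKey", "Address"):
        if not iface.get(key):
            findings.append(f"[Interface] {key} is missing or empty")
    if iface.get("PrivateKey") and not is_wg_key(iface["PrivateKey"]):
        findings.append("[Interface] PrivateKey is not a 32-byte base64 key")
    if not iface.get("DNS"):
        findings.append("[Interface] DNS not set: lookups will use whatever resolver the host or container already has")
    if not conf["Peer"]:
        findings.append("no [Peer] section")
    for i, peer in enumerate(conf["Peer"]):
        if not is_wg_key(peer.get("PublicKey", "")):
            findings.append(f"[Peer {i}] PublicKey missing or not a 32-byte base64 key")
        allowed = [a.strip() for a in peer.get("AllowedIPs", "").split(",") if a.strip()]
        if not allowed:
            findings.append(f"[Peer {i}] AllowedIPs is empty")
        elif "0.0.0.0/0" not in allowed:
            findings.append(f"[Peer {i}] AllowedIPs lacks 0.0.0.0/0, so only the listed ranges use the tunnel")
        if not _ENDPOINT.fullmatch(peer.get("Endpoint", "")):
            findings.append(f"[Peer {i}] Endpoint must be host:port, got {peer.get('Endpoint', '')!r}")
    return findings


# Constructed sample configs. The keys are placeholders (all-zero and 0..31 bytes), not real keys,
# and vpn.example.net is a placeholder endpoint host.
PLACEHOLDER_PRIVATE = base64.b64encode(bytes(32)).decode()
PLACEHOLDER_PUBLIC = base64.b64encode(bytes(range(32))).decode()

GOOD_CONF = f"""#
# Use this configuration with WireGuard client
#
[Interface]
Address = 10.14.0.2/16
PrivateKey = {PLACEHOLDER_PRIVATE}
DNS = 162.252.172.57, 149.154.159.92
[Peer]
PublicKey = {PLACEHOLDER_PUBLIC}
AllowedIPs = 0.0.0.0/0
Endpoint = vpn.example.net:51820
"""

# Same shape with the private key blanked, no DNS line and a port-less endpoint.
BROKEN_CONF = f"""[Interface]
Address = 10.14.0.2/16
PrivateKey =
[Peer]
PublicKey = {PLACEHOLDER_PUBLIC}
AllowedIPs = 0.0.0.0/0
Endpoint = vpn.example.net
"""

if __name__ == "__main__":
    for name, text in (("good", GOOD_CONF), ("broken", BROKEN_CONF)):
        print(name, lint_wg_conf(text) or "ok")
```

Run it against your own file with `lint_wg_conf(open("wg1.conf").read())`; a key that was altered for a forum post (as in the config above) fails the 44-character base64 check, which is expected, while a blank PrivateKey, a missing DNS line or an Endpoint without a port are the things worth fixing before importing.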

Using the VPN tunneled access for docker, is it possible to not use the tunnel for some local IPs? My dockers on wg1 lose access to dockers I don't want on the tunnel running on another VLAN. I tried modifying AllowedIPs to exclude 192.168.0.0/16 with a calculator, but when I put that in AllowedIPs the handshake fails.

 

edit: This is on 6.11.5

Edited by nerv
Link to comment
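The "calculator" step in the post above, carving a LAN range out of 0.0.0.0/0 so that AllowedIPs covers everything except that range, is the following added example (not Unraid's code and not from the thread). It uses the standard-library ipaddress module, handles any number of excluded ranges, and includes a membership check so you can confirm which addresses would still be routed into the tunnel. Note that anything in an excluded range leaves through the host's ordinary routing rather than the tunnel, which is the point for LAN access but means those ranges should stay limited to private address space.

```python
import ipaddress

# Added example (not Unraid's code): compute the AllowedIPs list equal to everything
# except the networks you want to keep off the tunnel, and verify the result.


def allowed_ips_excluding(excluded, base="0.0.0.0/0"):
    """Return the minimal sorted CIDR list equal to `base` minus every network in `excluded`."""
    remaining = [ipaddress.ip_network(base)]
    for exc in (ipaddress.ip_network(e) for e in excluded):
        carved = []
        for net in remaining:
            if net.subnet_of(exc):
                continue                                   # whole block is excluded; drop it
            if exc.subnet_of(net):
                carved.extend(net.address_exclude(exc))    # split net around exc
            else:
                carved.append(net)                         # disjoint; keep as is
        remaining = carved
    # collapse_addresses merges adjacent blocks and returns them sorted
    return list(ipaddress.collapse_addresses(remaining))


def covers(networks, address):
    """True if `address` falls inside any listed network, i.e. it would be routed into the tunnel."""
    ip = ipaddress.ip_address(address)
    return any(ip in net for net in networks)


def allowed_ips_line(networks):
    """Render the list as the comma-separated value WireGuard expects for AllowedIPs."""
    return "AllowedIPs = " + ", ".join(str(n) for n in networks)


if __name__ == "__main__":
    # Excluding a single /16 from 0.0.0.0/0 produces 16 blocks, one per prefix length 1..16.
    nets = allowed_ips_excluding(["192.168.0.0/16"])
    print(allowed_ips_line(nets))
    print("192.168.1.10 tunneled:", covers(nets, "192.168.1.10"))
    print("1.1.1.1 tunneled:", covers(nets, "1.1.1.1"))
```

Paste the printed line into the peer's AllowedIPs field; the assertion-style checks (no excluded address covered, every other address covered, address count equal to 2^32 minus the excluded space) are what to run whenever you edit the list by hand.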
  • 2 weeks later...

I also cannot access containers running on the wireguard interface from my LAN. It will timeout every time. I imported the config and selected the new network type when setting up firefox container.

 

I've set up a static route on my router using the Local tunnel network pool and my unraid server's local IP address but that doesn't make any difference (1 distance or 2). I've also enabled "Host access to custom networks" and restarted unraid but it didn't help either.

 

I was able to verify through container shell that it is using the commercial VPN IP and when it is running with a different network type that I use for other containers I'm able to access through LAN just fine. When I ssh to my unraid server and do a curl for the firefox container on wireguard using the unraid server IP I am able to get a response. Since I am getting a timeout I think it is able to get a connection otherwise I would get refused or some other error. I should also note that if I use the br0 network I am not able to access that over LAN either.

 

Any help would be appreciated.

Link to comment
On 11/25/2022 at 6:57 AM, TexasUnraid said:

Those are the same servers I use, also what I was worried about with this tunnel implementation and leakage etc. Also no way to handle port forwarding it seems so guess I am stuck using the dockers with built in VPN's if on PIA.

Is your tunnel still working? I keep getting timeout errors with both Montreal and Toronto.

Link to comment
On 2/2/2023 at 11:05 PM, BitAdept said:

I also cannot access containers running on the wireguard interface from my LAN. It will timeout every time. I imported the config and selected the new network type when setting up firefox container.

 

I've set up a static route on my router using the Local tunnel network pool and my unraid server's local IP address but that doesn't make any difference (1 distance or 2). I've also enabled "Host access to custom networks" and restarted unraid but it didn't help either.

 

I was able to verify through container shell that it is using the commercial VPN IP and when it is running with a different network type that I use for other containers I'm able to access through LAN just fine. When I ssh to my unraid server and do a curl for the firefox container on wireguard using the unraid server IP I am able to get a response. Since I am getting a timeout I think it is able to get a connection otherwise I would get refused or some other error. I should also note that if I use the br0 network I am not able to access that over LAN either.

 

Any help would be appreciated.

 

This post fixed my problem. I forgot my wireless and wired networks are on 2 different subnets.
 

 

Link to comment
On 5/3/2022 at 11:30 AM, Skitals said:

Getting PIA working is as simple as using this utility to generate a config file. It took me a few attempts trying different endpoints before finding one that worked (or perhaps there is some failure rate), but it is possible to create a standard wg config file with PIA.

Hi, I just came across your post. How is this working out for you? I have PIA and would love to get this to work with Wireguard. What settings did you use?

Link to comment

This guide worked great and I'm running several dockers through my new (Mullvad) VPN tunnel network. One thing though... I have run the Plex docker through this network and two undesirable things happen:

 

1. No longer have access to the webui

 

2. When playing Plex on my home TV (which is connected to my home network wifi) it now streams at non-original quality, saying "A direct connection to the server is not available".

 

Any advice on either of these issues much appreciated!

Link to comment

Hi all, and excuse me if this is a stupid question, I'm quite new to all this.

 

Reading online discussions about how to use torrent clients with VPNs, I've often seen people recommend not trusting "kill switches" because they could possibly leak something for a small amount of time if they aren't fast enough to kick in. The often quoted advice is to "bind" the client to the VPN interface, assuring that all traffic goes only through the tunnel.

 

I'm guessing that selecting a tunneled wireguard interface in the docker configuration of the torrent client does the same thing as the "binding"? Should I be worried about the kill switch not kicking in fast enough?

 

Thank you  

Link to comment
  • 2 weeks later...

Hi all,

I have a weird problem with the VPN connection. I hope you can help me find a solution.

I set up the VPN according to the instructions and at first glance, it seems to work. It performs a handshake with the server. I have selected the network interface wg0 for a new Firefox container and also set the --DNS=1.1.1.1. Now, when I try to access a website, it only works if the website can be accessed via HTTP. HTTPS connections are not possible. I also tried this via the command line with several containers. The IP address I get back is from the VPN provider. The problem does not exist with the standard network interface.

 

Screenshot for visualization:

(screenshot, 2023-02-28)

 

I hope you can help me with this. I have attached some screenshots of the settings.

 

VPN-Manager:

(screenshot of the VPN Manager, 2023-02-28)

 

WireGuard Config:

(screenshot of the WireGuard config, 2023-02-28)

 

Container Settings:

(screenshot of the container settings, 2023-02-28)

 

Thank you!

 

Edit: I tried the "passthroughvpn" container and with it, it seems to work. It's still just a workaround for me, so I would appreciate any help. :)

Edited by Niklashere: new information
Link to comment
