WireGuard - VPN Tunneled Access to a commercial VPN provider


ljm42


Does anyone know if port forwarding to rTorrent works when using VPN to Docker? I set up a WG connection to Mullvad with a port forward configured. However, in ruTorrent the port is shown as closed. I have done a port mapping in the container's config but it seems unable to pass through the port.


Link to comment

This right here. Thanks for posting this. I was having a hard time getting my containers routed through another Docker container, but after reading this, a little trial and error, and now all of my containers I needed to route through Wireguard are working and I can access their GUI. Everything else I tried prevented access to the GUI.

  • Like 1
Link to comment
  • 3 weeks later...
On 5/24/2021 at 7:53 AM, TechMed said:

Hi All, (@ljm42)

 

Just confirming that PIA will work with unRAID.

I have had it up and running for over a week now; not one issue.

As directed, I have been verifying via the jlesage/Firefox Docker.

 

While not for the faint of heart (nor as easy as Jorgen, ICDeadPpl, and ljm42 have made it by simply installing a provider config) this link to a PIA support page will get you set up. Follow the instructions though!!! Actually read the readme.md file as there's important info in there. Lastly, make sure you are using the "manual-connections-2.0.0" setup zip/tar.

 

As always, thanks to the GREAT community here for making all of this possible!

Hey, sorry to bother, but is it possible for you to upload a guide of your PIA setup? I was trying to do the setup with the guides I found but without luck. I'm pretty new to Unraid and what I'm looking to accomplish is to download some movies in a safe environment.

If you can help out I would really appreciate it, friend. Thank you in advance.

Link to comment
On 3/26/2023 at 10:08 PM, guayocampo said:

Hey, sorry to bother, but is it possible for you to upload a guide of your PIA setup? I was trying to do the setup with the guides I found but without luck. I'm pretty new to Unraid and what I'm looking to accomplish is to download some movies in a safe environment.

If you can help out I would really appreciate it, friend. Thank you in advance.

I had this working with a couple servers in Canada (I'm in the US) but it seems to go down often.  I switched back to the *vpn containers and seems to be working but my speeds are like 1/3 of what they were using wireguard. I'd appreciate some additional setup instructions with PIA as well if someone has this working reliably?

Edited by betaman
Link to comment
12 hours ago, betaman said:

I had this working with a couple servers in Canada (I'm in the US) but it seems to go down often.  I switched back to the *vpn containers and seems to be working but my speeds are like 1/3 of what they were using wireguard. I'd appreciate some additional setup instructions with PIA as well if someone has this working reliably?

 

I'm not using PIA but when I moved from Mullvad to ProtonVPN I just imported the file they provided and while the connection worked, my docker containers behind the vpn lost the connection from time to time. You might have already tried it, since in hindsight it seemed obvious, but what worked for me was to set a persistent keepalive of 20 seconds. Didn't think of it at first, because it didn't look like the actual connection itself was lost and when I manually made some search queries inside the docker containers it worked again for some time. 

Link to comment
On 4/4/2023 at 6:37 AM, AndiAUT said:

 

I'm not using PIA but when I moved from Mullvad to ProtonVPN I just imported the file they provided and while the connection worked, my docker containers behind the vpn lost the connection from time to time. You might have already tried it, since in hindsight it seemed obvious, but what worked for me was to set a persistent keepalive of 20 seconds. Didn't think of it at first, because it didn't look like the actual connection itself was lost and when I manually made some search queries inside the docker containers it worked again for some time. 

Yeah, unfortunately PIA is not as straightforward. There's some utilities to generate the .conf file so I'm good there. The persistent keepalive sounds interesting. Is that just another line I need to add to the .conf?  I'm not familiar with it. Thanks

Link to comment
1 hour ago, betaman said:

Yeah, unfortunately PIA is not as straightforward. There's some utilities to generate the .conf file so I'm good there. The persistent keepalive sounds interesting. Is that just another line I need to add to the .conf?  I'm not familiar with it. Thanks

 

You could set it in the conf file, but you can also set it in the GUI. It's in the advanced peer settings of the tunnel.

Link to comment

Can anyone recommend the most current working endpoint for PIA? Montreal and Toronto were my "go-to" endpoints but once configured, I'm not getting any ip address returned when doing "curl ipconfig.io" from nzbget docker console window.

 

EDIT: Montreal appears to be working right now. Really curious if there's another setting or something I need to configure to keep the connection active?

Edited by betaman
Link to comment
  • 1 month later...
On 2/28/2023 at 5:37 AM, Niklashere said:

Hi all,

I have a weird problem with the VPN connection. I hope you can help me find a solution.

I set up the VPN according to the instructions and at first glance, it seems to work. It performs a handshake with the server. I have selected the network interface wg0 for a new Firefox container and also set the --DNS=1.1.1.1. Now, when I try to access a website, it only works if the website can be accessed via HTTP. HTTPS connections are not possible. I also tried this via the command line with several containers. The IP address I get back is from the VPN provider. The problem does not exist with the standard network interface.

 


 

I hope you can help me with this. I have attached some screenshots of the settings.

 

VPN-Manager: [screenshot]

WireGuard Config: [screenshot]

Container Settings: [screenshot]

 

Thank you!

 

Edit: I tried the "passthroughvpn" container and with it, it seems to work. It's still just a workaround for me, so I would appreciate any help. :)

 

I am having an identical issue, has anyone figured this out? Can't connect via https.

Link to comment
  • 3 weeks later...

I'm in the process of switching over from using the passthroughvpn container to using the "VPN tunnel access for docker" to connect to my VPS, so I can expose certain containers through nginx. I'm able to connect to the VPS and use containers that don't interface with other containers fine. I'm running into issues when I try to use containers that need to talk to other containers on the bridge network, for example overseerr. I've tried adding the bridge network to the container along with the wg0 network, but then the container is no longer accessible through the tunnel. Any help would be appreciated.

Link to comment
  • 4 weeks later...

Thanks for this guide. It worked fine in the beginning for me.

 

Now I'm experiencing the problem, that I can't choose the wg0 interface anymore when creating a Docker. This happened after I switched the Docker data root setting from btrfs vDisk to folder. I tried switching it back and wg0 appears again.

 

I don't understand why this is happening and where the correlation is here

Edited by bluecat
Link to comment
  • 2 weeks later...
4 hours ago, isvein said:

So the DNS should always be set as extra parameter on each docker and NOT under the tunnel dns settings?

 

The "Peer DNS server" setting isn't really applicable when in "VPN tunneled access" mode because Peer settings apply to Peers, not Unraid itself.

 

Best to follow the guide in the OP

  • Thanks 1
Link to comment
On 7/9/2023 at 10:52 AM, bluecat said:

Thanks for this guide. It worked fine in the beginning for me.

 

Now I'm experiencing the problem, that I can't choose the wg0 interface anymore when creating a Docker. This happened after I switched the Docker data root setting from btrfs vDisk to folder. I tried switching it back and wg0 appears again.

 

I don't understand why this is happening and where the correlation is here

 

Odd. Does it help to make a dummy change to the WG config and apply? 

If not, Diagnostics might be helpful

Link to comment
2 hours ago, ljm42 said:

 

The "Peer DNS server" setting isn't really applicable when in "VPN tunneled access" mode because Peer settings apply to Peers, not Unraid itself.

 

Best to follow the guide in the OP

Thanks! I think I got confused and thought of each container as a peer, but I think I get how it works now :D

  • Like 1
Link to comment
  • 1 month later...
On 2/28/2023 at 11:37 AM, Niklashere said:

Hi all,

I have a weird problem with the VPN connection. I hope you can help me find a solution.

I set up the VPN according to the instructions and at first glance, it seems to work. It performs a handshake with the server. I have selected the network interface wg0 for a new Firefox container and also set the --DNS=1.1.1.1. Now, when I try to access a website, it only works if the website can be accessed via HTTP. HTTPS connections are not possible. I also tried this via the command line with several containers. The IP address I get back is from the VPN provider. The problem does not exist with the standard network interface.

 


 

I hope you can help me with this. I have attached some screenshots of the settings.

 

VPN-Manager: [screenshot]

WireGuard Config: [screenshot]

Container Settings: [screenshot]

 

Thank you!

 

Edit: I tried the "passthroughvpn" container and with it, it seems to work. It's still just a workaround for me, so I would appreciate any help. :)

Same problem with Surfshark. HTTP seems to work but HTTPS won't resolve. Does anyone have a solution to this?

Link to comment
  • 5 weeks later...
On 7/26/2023 at 8:27 PM, xxDeadbolt said:

Anyone having any more success with PIA? Not quite sure where I'm going wrong, I've created a number of configs but none of them work. I just get the below image and no connection at all.


 

This happens if I use the wg config in a VM or import it on unraid. 

Not sure how, but tried the steps again to generate a PIA config and now have this working in Unraid. Tested the connection using Firefox and a second/test container of Qbittorrent & all seems good. Will test it a bit more before deciding to use it as my primary VPN for containers :) 

Link to comment
  • 5 weeks later...
On 9/25/2023 at 5:51 PM, Pepreal said:

Same problem with Surfshark. http seems to work but https wont resolve. anyone has a solution to this?

 

I also have this problem with Surfshark.

Edit: I fixed it :)

I googled for a while and figured out that this was an MTU issue. My rough understanding (correct me if I'm wrong) is that the VPN provider limits the packet size to below 1420 bytes, which seems to be a standard value for WireGuard. This is not correctly detected by MTU discovery and thus if we try to send larger packets (which HTTPS does) they are simply dropped.

So first, I figured out what the actual MTU should be by using differently sized ping like this:

 

ping -I wg0 -c 4 -M do -s [SIZE] 1.1.1.1

 

SIZE being the packet size to be tested minus 28 bytes, which seems to be the ping overhead.

 

After a bit of trial and error, I figured out that Surfshark has an MTU of 1370 (meaning the max size of a ping was 1342 bytes). I set this in the VPN settings (you have to enable the "advanced view" on the upper right) and tested it, but it still wasn't working. (It might work for you at this point.)

This is where MSS (maximum segment size) clamping comes in. I don't know exactly how it works, but it forces the packet size to always be under a specified limit, which is exactly what we need. I tested it by executing this in the host console:

 

iptables -t mangle -A FORWARD -p tcp -m tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu

 

And it worked! Now all I needed to do was persist this change. I installed the User Scripts addon and created the script attached to this post. All you have to do is extract the archive to /boot/config/plugins/user.scripts/scripts, then go to Settings → User Scripts and set the schedule to "At First Array Start Only".

clamp-mss-to-pmtu.zip

Edited by xieve
  • Like 1
  • Thanks 1
Link to comment
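The probe-and-clamp procedure from the post above, as an added example (this is not code from the thread, from the attached zip, or from the Unraid project): it binary-searches the largest don't-fragment ping that crosses the tunnel, converts that back to an MTU, and then adds the MSS-clamp rule in a form that is safe to re-run. Assumptions that are mine and not from the page: the tunnel is wg0, the probe target is 1.1.1.1, the host has iputils ping (for -M do) and iptables, the 1280..1500 search range, and the WG_TUNE_RUN variable that gates the live run. Two changes from the rule as posted are deliberate: "-o wg0" scopes the clamp to flows that actually leave through the tunnel instead of every forwarded TCP SYN on the host, and "iptables -C" is checked first so a script scheduled at every array start does not stack duplicate rules.

```shell
#!/bin/bash
# Added example for this thread (not code from the Unraid project or from the
# posts above): probe the usable path MTU through a WireGuard tunnel with
# don't-fragment pings, then add an MSS-clamp rule scoped to that tunnel.
# Assumptions (mine, not from the page): the tunnel is wg0, the probe target
# is 1.1.1.1, iputils ping (-M do) and iptables exist on the host, and
# WG_TUNE_RUN is just this script's own run guard.

IFACE="${IFACE:-wg0}"
TARGET="${TARGET:-1.1.1.1}"
IPV4_PING_OVERHEAD=28   # 20-byte IPv4 header + 8-byte ICMP header

# Real probe: succeeds only if a DF ping with an ICMP payload of $1 bytes
# gets through the tunnel.
probe_ping() {
    ping -I "$IFACE" -c 1 -W 1 -M do -s "$1" "$TARGET" >/dev/null 2>&1
}

# Convert between the link MTU and the -s payload size ping expects.
payload_for_mtu() { echo $(( $1 - IPV4_PING_OVERHEAD )); }
mtu_for_payload() { echo $(( $1 + IPV4_PING_OVERHEAD )); }

# Binary search for the largest MTU in [$2, $3] whose probe ($1 = name of a
# function taking a payload size) succeeds. Prints it; returns 1 if even the
# low bound fails, which usually means the tunnel itself is down.
find_path_mtu() {
    local probe="$1" lo="$2" hi="$3" best mid
    "$probe" "$(payload_for_mtu "$lo")" || return 1
    best="$lo"
    while [ "$lo" -le "$hi" ]; do
        mid=$(( (lo + hi) / 2 ))
        if "$probe" "$(payload_for_mtu "$mid")"; then
            best="$mid"; lo=$(( mid + 1 ))
        else
            hi=$(( mid - 1 ))
        fi
    done
    echo "$best"
}

# The clamp rule, scoped to traffic leaving via the tunnel. The rule posted
# in the thread clamps every forwarded TCP SYN on the host; "-o $IFACE"
# limits it to the flows that actually cross the VPN.
mss_clamp_rule() {
    echo "FORWARD -o $IFACE -p tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu"
}

# Insert the rule only if it is not already there, so running this at every
# array start does not stack duplicate rules in the mangle table.
apply_mss_clamp() {
    local rule
    rule="$(mss_clamp_rule)"
    # shellcheck disable=SC2086  # word-splitting the rule is intended
    if iptables -t mangle -C $rule 2>/dev/null; then
        echo "MSS clamp already present for $IFACE"
    else
        iptables -t mangle -A $rule
        echo "MSS clamp added for $IFACE"
    fi
}

# Nothing runs unless asked for, e.g.:  WG_TUNE_RUN=1 bash wg-mtu-tune.sh
# 1280 is used as the floor: anything lower than that is not a usable tunnel.
if [ "${WG_TUNE_RUN:-0}" = "1" ]; then
    if mtu="$(find_path_mtu probe_ping 1280 1500)"; then
        echo "largest DF ping through $IFACE fits an MTU of $mtu (ping -s $(payload_for_mtu "$mtu"))"
        echo "set that MTU on the tunnel in VPN Manager (advanced view) before relying on the clamp"
    else
        echo "no DF ping got through $IFACE even at MTU 1280; is the tunnel up?" >&2
        exit 1
    fi
    apply_mss_clamp
fi
```

Two caveats a practitioner should keep in mind. The 28-byte overhead is IPv4 only (20-byte IP header plus 8-byte ICMP header); over IPv6 the same arithmetic needs 48. And --clamp-mss-to-pmtu derives the MSS from the MTU of the outgoing route, i.e. from the MTU configured on wg0, so the clamp only helps once the tunnel MTU has actually been lowered to the probed value (in the VPN Manager advanced view, as the post describes); with wg0 still at 1420 the rule would clamp to 1380, which is the same oversized segment that was being dropped. The script also only touches forwarded traffic, which is what Docker containers attached to the wg0 network generate; traffic originated by the Unraid host itself would need an equivalent OUTPUT rule.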
