WireGuard - VPN Tunneled Access to a commercial VPN provider


ljm42


On 3/12/2020 at 1:39 PM, sittingmongoose said:

I have wireguard working well. I can connect to my unraid network, and access things like my router on that network. I set it up for Remote Access to LAN. HOWEVER, I can't access other computers on that network? Like in windows, if I try to see network devices, I can't see my unraid server on there. But I can see my local NAS and other devices. AND when I am physically on my Unraid network, I can see the Unraid server in network devices.

It is unlikely that network discovery will work over the VPN connection, but you should be able to connect via IP address.

The WireGuard quickstart thread is a better place for this conversation: https://forums.unraid.net/topic/84226-wireguard-quickstart/

Currently you are in the thread that discusses making a connection to a commercial VPN provider.
4 hours ago, thunderclap said:

I guess I'm a little confused. By using the VPN Tunneled method, how do I set which dockers should use the VPN? There isn't a port number as far as I can tell, and I don't want every docker or the full Unraid server to be on the VPN.

From the OP:

Quote

Now ALL of your Unraid traffic will go through the commercial VPN tunnel.

  • In the future it may be possible to restrict it so that only specific Dockers use the VPN tunnel. Until then, you may need to disable the tunnel in order to check for plugin updates or perform other Unraid administrative tasks.

On 8/11/2020 at 7:49 AM, xPliZit_xs said:

Hi,

Running 6.8.3 and recently went into Settings/VPN-Manager. I have a WG0 Tunnel already but I created WG1 out of curiosity....

The problem is that I cannot delete WG1 because the button to delete is not in the GUI for WG1 but it is there for WG0.

Thanks, hopefully this can be fixed.

Switch wg1 from basic to advanced, then the delete button for wg1 will appear.
On 1/8/2020 at 9:04 PM, Monkeysphere said:

Hi,

How do I go about adding the above to my Wireguard config? Same question with a killswitch. I'm using Mullvad which provides a killswitch in their config file but when I import the config the parser removes it.

The Mullvad config looks like this:


[Interface]
PrivateKey = -hidden-
Address = 10.64.246.232/32,fc00:bbbb:bbbb:bb01::1:f6e7/128
DNS = 193.138.218.74
PostUp = iptables -I OUTPUT ! -o %i -m mark ! --mark $(wg show %i fwmark) -m addrtype ! --dst-type LOCAL -j REJECT && ip6tables -I OUTPUT ! -o %i -m mark ! --mark $(wg show %i fwmark) -m addrtype ! --dst-type LOCAL -j REJECT
PreDown = iptables -D OUTPUT ! -o %i -m mark ! --mark $(wg show %i fwmark) -m addrtype ! --dst-type LOCAL -j REJECT && ip6tables -D OUTPUT ! -o %i -m mark ! --mark $(wg show %i fwmark) -m addrtype ! --dst-type LOCAL -j REJECT

[Peer]
PublicKey = -hidden-
AllowedIPs = 0.0.0.0/0,::0/0
Endpoint = 103.231.88.2:51820

Once imported it looks like this


[Interface]
PrivateKey= -hidden-
Address=10.64.246.232
PostUp=logger -t wireguard 'Tunnel WireGuard-wg0 started'
PostDown=logger -t wireguard 'Tunnel WireGuard-wg0 stopped'

[Peer]
PublicKey= -hidden-
Endpoint=103.231.88.2:51820
AllowedIPs=0.0.0.0/0,::0/0

Also note that unless I manually remove ,::0/0 from the allowed IPs the tunnel will not connect.

Piggybacking on this. I am having the same exact issue with mullvad. It will start if I remove ,::0/0. This will forward all ipv4 connections but leaves all ipv6 exposed. This isn't an issue while running in the bridge network but for containers using the host container they will still use ipv6. Is there going to be a patch that allows us to forward both ipv4 and ipv6 soon?

I'm also using Mullvad and running into the same issue as Monkeysphere and notcarl.

I also had a question, is it possible to have "Remote tunneled access" and "VPN tunneled access" at the same time? I always want my unraid box to connect to the internet via my VPN but I also want to be able to connect to my LAN remotely, and also take advantage of the VPN.

Is this possible?

The "Remark: this must be the only peer in the tunnel and sole active tunnel when in use" on VPN tunneled access seems to indicate this is currently not possible, but would it be feasible to implement?

I'm coming here because of:

Quote

Now ALL of your Unraid traffic will go through the commercial VPN tunnel.

In the future it may be possible to restrict it so that only specific Dockers use the VPN tunnel. Until then, you may need to disable the tunnel in order to check for plugin updates or perform other Unraid administrative tasks.

You can disable the full routing by adding

Table = off

to the [Interface] Section!

Credits to https://shibumi.dev/posts/disable-routing-for-wireguard/

I deleted my tunnel, edited the conf file by adding the "Table=off" statement and imported it again.

Now I have a persistent Tunnel to my VPS, and can access this tunnel by selecting the interface like this:

# got my isp ip
curl ipinfo.io/ip

# got my vps ip
curl --interface wg1 ipinfo.io/ip

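Both Monkeysphere's before/after Mullvad files and the Table = off trick above can be checked mechanically. The following is an added example, not the Unraid plugin's importer or code from anyone in this thread: it parses WireGuard .conf text, lists the keys the import dropped, and flags full-tunnel routing, the iptables kill switch and Table = off. The sample configs are constructed from the two files quoted above, with the "&& ip6tables ..." halves of PostUp/PreDown omitted for brevity.

```python
from __future__ import annotations
# Added example for this thread, not the Unraid plugin's importer: parse a
# WireGuard .conf, report what the import dropped, and flag what the tunnel does.
# Sample configs constructed from the Mullvad before/after files quoted above.
ORIGINAL = """[Interface]
PrivateKey = -hidden-
Address = 10.64.246.232/32,fc00:bbbb:bbbb:bb01::1:f6e7/128
DNS = 193.138.218.74
PostUp = iptables -I OUTPUT ! -o %i -m mark ! --mark $(wg show %i fwmark) -m addrtype ! --dst-type LOCAL -j REJECT
PreDown = iptables -D OUTPUT ! -o %i -m mark ! --mark $(wg show %i fwmark) -m addrtype ! --dst-type LOCAL -j REJECT
[Peer]
PublicKey = -hidden-
AllowedIPs = 0.0.0.0/0,::0/0
Endpoint = 103.231.88.2:51820
"""
IMPORTED = """[Interface]
PrivateKey= -hidden-
Address=10.64.246.232
PostUp=logger -t wireguard 'Tunnel WireGuard-wg0 started'
PostDown=logger -t wireguard 'Tunnel WireGuard-wg0 stopped'
[Peer]
PublicKey= -hidden-
Endpoint=103.231.88.2:51820
AllowedIPs=0.0.0.0/0,::0/0
"""
def parse_wg_conf(text: str) -> list[tuple[str, dict[str, str]]]:
    sections = []  # ordered (section, {key: value}); repeated [Peer] blocks are kept
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # wg-quick treats '#' as a comment
        if line.startswith("[") and line.endswith("]"):
            sections.append((line[1:-1], {}))
        elif "=" in line and sections:
            key, value = (p.strip() for p in line.split("=", 1))
            sections[-1][1][key] = value
    return sections
def dropped_keys(original: str, imported: str) -> dict[str, list[str]]:
    """Keys the provider file has but the imported file lost, per section."""
    pairs = zip(parse_wg_conf(original), parse_wg_conf(imported))
    return {name: lost for (name, before), (_, after) in pairs
            if (lost := sorted(k for k in before if k not in after))}
def audit(conf: str) -> dict[str, bool]:
    """Routing scope, iptables kill switch and Table=off, as discussed in the thread."""
    sections = parse_wg_conf(conf)
    iface = next((v for n, v in sections if n == "Interface"), {})
    allowed = {ip.strip() for n, v in sections if n == "Peer"
               for ip in v.get("AllowedIPs", "").split(",")}
    return {"routes_all_ipv4": "0.0.0.0/0" in allowed,
            "routes_all_ipv6": bool(allowed & {"::/0", "::0/0"}),
            "kill_switch": "REJECT" in iface.get("PostUp", "") and "--mark" in iface.get("PostUp", ""),
            "table_off": iface.get("Table", "").lower() == "off"}  # off: wg-quick installs no routes
```

Run against the constructed pair, dropped_keys reports DNS and PreDown gone from [Interface], and audit shows the import kept the 0.0.0.0/0 and ::0/0 routing but lost the kill switch.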
On 9/24/2020 at 3:06 PM, leo_poldX said:

I'm coming here because of:

You can disable the full routing by adding

Table = off

to the [Interface] Section!

Credits to https://shibumi.dev/posts/disable-routing-for-wireguard/

I deleted my tunnel, edited the conf file by adding the "Table=off" statement and imported it again.

Now I have a persistent Tunnel to my VPS, and can access this tunnel by selecting the interface like this:

# got my isp ip
curl ipinfo.io/ip

# got my vps ip
curl --interface wg1 ipinfo.io/ip

Can you use the "--interface wg1" in a docker to only route that docker through the tunnel?

Is it possible to use Mullvad as a relay to connect to my server at work?

I have an unRAID server at my office at University of Copenhagen - I do not have access to the University router.

I have setup a 'VPN tunneled access' to Mullvad.

It works fine - I have installed the Firefox container and tested that I am connected to the Internet through Mullvad.

I have installed the Mullvad VPN on a Windows 10 laptop.

From the laptop I can connect to the same Mullvad server as the unRAID server at work is connected to.

From the laptop connected to Mullvad I have tried to connect to my server at work. Tried to ping the server's local static address - Tried to ping the server tunnel ip etc. but there is no connection.

Is there a trick to make this work - maybe some port setup at Mullvad or maybe with another 'Peer type of access' on the server?

These may be entry-level type of questions but I'm looking into learning a thing or two here, please bear with me :D

  • I want to tunnel into my unraid on my mobile device with WG setup from the other topic AND have my traffic routed through my commercial VPN account (TorGuard -- which also supports WG). By following this topic (hence "Now ALL of your Unraid traffic will go through the commercial VPN tunnel."), and setting peer type of access to Remote tunneled access, does it mean that all traffic from my mobile will be guarded by TorGuard?
  • Is there any real difference between this method and the method of using the "-vpn" docker types from CA to protect my traffic? (aside of course from this tutorial not being a VPN protocol but WG protocol) -- I ask because I use most "-vpn" docker containers and for those unavailable with native VPN I just use that privoxy --net=container:qbittorrent-vpn argument, and setting up the WG from this topic seems like a much easier setup than to configure every last container either as VPN or privoxy

Thanks, any support is really appreciated :)

Edited by timmyx

I'm in the exact same situation as the previous two posters @Bullerwins and @intoran.

Successfully set up a "VPN tunneled access" Wireguard connection with a Mullvad server, but no handshake occurs when I create a tunnel to access remotely. I also attempted to remove the Mullvad tunnel and ONLY add the remote access tunnel, and I was unable to handshake from the Wireguard app on my phone.

If both are not currently possible could someone please confirm? I'm a novice to Unraid but the forums are excellent for support, which is really appreciated. I currently am subscribed to AT&T fiber which supposedly does not support UPnP, but I think I have correctly forwarded ports. I am attempting to use ZeroTier instead but I don't have any luck when I try accessing a service. Please let me know if there is any information from me that would help, or if anyone has alternatives. Thank you!

Edit: I'm running Unraid 6.9.0-rc2, in order to use nvidia-drivers plugin

Edited by KidsTheseDays
Repeat sentences and more info

Thanks for the response ljm42!

I actually figured out the issue, which of course was a simple user error on my part. I was trying to forward ports from my router, when I should have opened a port with my VPN, which provides a random port number that I entered into the "Local endpoint:" field as "hostname.dynamicdns.org:55555" with 55555 as an example of the provided port. I then removed and updated the tunnel on my mobile device client and voila, handshake successful and active, even when the server is already tunneled to my VPN.

This is such an excellent feature. My Unraid trial is expiring soon and I am happy to support its further development.

Edit: To clarify, this was setting up a "Remote tunnel access" peer to access services and files on the server, while using a separate "VPN tunneled access" peer for the server's internet access.

Edited by KidsTheseDays
More info
On 2/24/2021 at 12:46 PM, KidsTheseDays said:

Thanks for the response ljm42!

I actually figured out the issue, which of course was a simple user error on my part. I was trying to forward ports from my router, when I should have opened a port with my VPN, which provides a random port number that I entered into the "Local endpoint:" field as "hostname.dynamicdns.org:55555" with 55555 as an example of the provided port. I then removed and updated the tunnel on my mobile device client and voila, handshake successful and active, even when the server is already tunneled to my VPN.

This is such an excellent feature. My Unraid trial is expiring soon and I am happy to support its further development.

Edit: To clarify, this was setting up a "Remote tunnel access" peer to access services and files on the server, while using a separate "VPN tunneled access" peer for the server's internet access.

Based on this I would be unable to achieve what I'm looking for since my VPN provider doesn't provide port forwarding. At least for free.

Dual-homed Unraid NAS (version 6.9.2) with WireGuard (plugin version 2021.04.12) tunnels on each of the two Ethernet adapters?

I have an Unraid NAS with two Ethernet adapters. One adapter connects to a Verizon FIOS residential network segment (192.168.1.0/24) and the other connects to a Cox Business Services network segment (192.168.0.0/24).

I would like to have WireGuard VPN tunnels on both of the Unraid NAS Ethernet adapters so that I can remotely tunnel in on either network connection (think failure of a router, firewall, cable modem, ONT, etc.).

I can't see a way to bind tunnel wg0 to eth0 and tunnel wg1 to eth1. It appears that the WireGuard plugin attaches any tunnel created to the Ethernet adapter attached to the gateway with the lower metric.

If a VPN tunnel is established on the Cox Business Services Ethernet adapter (eth0), I want WireGuard to use the Cox gateway associated with that adapter. If it comes in on the Verizon side, I want the Verizon gateway used.

Thanks in advance for any assistance.

Edited by Sissy
Omitted a word due to an editing error.
13 hours ago, Sissy said:

Dual-homed Unraid NAS (version 6.9.2) with WireGuard (plugin version 2021.04.12) tunnels on each of the two Ethernet adapters?

I have an Unraid NAS with two Ethernet adapters. One adapter connects to a Verizon FIOS residential network segment (192.168.1.0/24) and the other connects to a Cox Business Services network segment (192.168.0.0/24).

I would like to have WireGuard VPN tunnels on both of the Unraid NAS Ethernet adapters so that I can remotely tunnel in on either network connection (think failure of a router, firewall, cable modem, ONT, etc.).

I can't see a way to bind tunnel wg0 to eth0 and tunnel wg1 to eth1. It appears that the WireGuard plugin attaches any tunnel created to the Ethernet adapter attached to the gateway with the lower metric.

If a VPN tunnel is established on the Cox Business Services Ethernet adapter (eth0), I want WireGuard to use the Cox gateway associated with that adapter. If it comes in on the Verizon side, I want the Verizon gateway used.

Thanks in advance for any assistance.

To clarify, you posted in the thread that explains how to connect to commercial VPN providers. Is that what you are trying to do? If you are trying to connect from outside your home into your Unraid system please post this question here: https://forums.unraid.net/topic/84229-dynamix-wireguard-vpn/

I don't know if the plugin supports your use case or not :)
21 minutes ago, ljm42 said:

To clarify, you posted in the thread that explains how to connect to commercial VPN providers. Is that what you are trying to do?

Thank you. Based on the title of the thread, "WIREGUARD - VPN TUNNELED ACCESS," it appeared to be about the topic I was interested in -- tunneled access to my networks via WireGuard. I will repost my question at the link you provided.
  • ljm42 changed the title to WireGuard - VPN Tunneled Access to a commercial VPN provider
2 hours ago, Sissy said:

Thank you. Based on the title of the thread, "WIREGUARD - VPN TUNNELED ACCESS," it appeared to be about the topic I was interested in -- tunneled access to my networks via WireGuard. I will repost my question at the link you provided.

Good point. "VPN Tunneled Access" is one of the options in the "Peer type of access" dropdown, so it made sense at the time :) I renamed the thread to make it more clear.

Greetings - read every post here and found nothing regarding PIA. Since I have a good bit of time left with them I would really like to get it set up with them. However, I am open to other providers if there is a more secure option!

Finally, @ljm42 posted:

On 2/22/2021 at 3:00 PM, ljm42 said:

Hopefully folks are able to see this message in the webgui when setting up VPN tunneled access?

Things won't work right if you start a second tunnel while "VPN tunneled access" is active.

This may answer my second question. I am fine with all my traffic from this particular Unraid server (server01) going through PIA VPN. I would like to be able to remote IN to my LAN though. Do I just install WireGuard on another server (server02) for that Peer Connection? As always, all feedback/directions are greatly appreciated!
On 4/16/2021 at 10:22 PM, TechMed said:

Greetings - read every post here and found nothing regarding PIA. Since I have a good bit of time left with them I would really like to get it set up with them. However, I am open to other providers if there is a more secure option!

There shouldn't really need to be provider-specific instructions. If PIA lets you download a standard WireGuard config file then you should be able to import it as discussed in the first post of this thread.

Note that if a provider requires you to use their own custom app rather than the standard WireGuard app, they won't work with Unraid as it uses the standard WireGuard app for Linux.

If you can confirm that PIA works I'll add them to the list on the first post.

On 4/16/2021 at 10:22 PM, TechMed said:

I am fine with all my traffic from this particular Unraid server (server01) going through PIA VPN. I would like to be able to remote IN to my LAN though. Do I just install WireGuard on another server (server02) for that Peer Connection?

That sounds reasonable.
