flaminiom, Posted November 28, 2023

Ugh! Figured it out after sufficiently banging my head against the wall. It was a firewall rule. The rule was activated a while ago, but this is the first time launching a VPN session with it in place. Which is a little weird, because I guess it prevented the session handshake and it couldn't get off the ground. I didn't think of it because the change happened weeks ago. Anyway, I'll leave my post below for anyone it might help in the future.

My VPN for tunneled access for dockers suddenly stopped working. I had shut down to add a new drive and decided to change up my VPN config to a new server, which I do occasionally just because. The new config loaded, I flipped the active switch, but I have no access on that network. It says "Last Handshake: Not connected" and it sends a few kB and nothing is received. I tried testing with a Firefox container and nothing. Also tried pinging 8.8.8.8 in the console of the container and nothing. I can successfully ping the peer endpoint. Peer tunnel address fails.

Not sure if it matters, but I accidentally hit "tunneled access for system" when adding that new config. Could something there have made it go loopy? I'm using IPv4 only.

I tried creating new configs, different servers. I tried the config file for the server that was just working for me and nothing. I tried going into /host/config and deleting everything in wireguard. I tried adding a config for Proton VPN, which also worked for me in the past, and that doesn't work either. I tried flipping it on/off countless times. I tried rebooting a few times.

The log seems to indicate the VPN starts with no other entries:

Nov 28 09:20:06 XXXXXX wireguard: Tunnel WireGuard-wg0 started
Nov 28 09:20:06 XXXXXX network: update services: 1s

Any suggestions or an approach to troubleshoot?

Edited November 29, 2023 by flaminiom
bluecat, Posted November 29, 2023

Recently I had the problem that a Mullvad VPN server went offline. Is it possible, for these cases, that it automatically chooses another server? E.g., have multiple servers added in one configuration and select the next one if one server goes down?
DrBlokmeister, Posted January 7

I'm having a weird issue where all my containers, not only the one configured as wg0, will access through the VPN. My type of access is set as "tunneled access for docker". Can it be because I manually restarted my VPN using the CLI and restarted with a different config file? I wanted to change the endpoint server following a schedule.

Edit: if I restart via the web UI, then only the chosen container connects through the VPN. If I restart via the CLI, all dockers go through the VPN. I'm definitely not an expert here, but I checked the routing tables before and after in the web UI, and they are identical. Is there something I'm missing? When I restart using the CLI I use the interface settings from the config file generated using the web UI and the peer settings that I get from my provider.

Okay, I fixed the issue. I restarted the config through wg-quick up/down and then loaded a new config from a different location. I now back up the default config generated by Unraid, stop/start through rc.d and then replace the config file in /etc/wireguard. This works well!

Edited January 7 by DrBlokmeister: Added more info on when this issue occurs.
jmenur, Posted January 10

On 11/22/2023 at 3:21 PM, xieve said:
  I also have this problem with Surfshark.

  Edit: I fixed it. I googled for a while and figured out that this was an MTU issue. My rough understanding (correct me if I'm wrong) is that the VPN provider limits the package size to below 1420 bytes, which seems to be a standard value for WireGuard. This is not correctly detected by MTU discovery, and thus if we try to send larger packets (which HTTPS does) they are simply dropped.

  So first, I figured out what the actual MTU should be by using differently sized pings like this:

  ping -I wg0 -c 4 -M do -s [SIZE] 1.1.1.1

  SIZE being the packet size to be tested minus 28 bytes, which seems to be the ping overhead. After a bit of trial and error, I figured out that Surfshark has an MTU of 1370 (meaning the max size of a ping was 1342 bytes). I set this in the VPN settings (you have to enable the "advanced view" on the upper right) and tested it, but it still wasn't working. (It might work for you at this point.)

  This is where MSS (maximum segment size) clamping comes in. I don't know exactly how it works, but it forces the packet size to always be under a specified limit, which is exactly what we need. I tested it by executing this in the host console:

  iptables -t mangle -A FORWARD -p tcp -m tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu

  And it worked! Now all I needed to do was persist this change. I installed the User Scripts addon and created the script attached to this post. All you have to do is extract the archive to /boot/config/plugins/user.scripts/scripts, then go to Settings → User Scripts and set the schedule to "At First Array Start Only".

  Attachment: clamp-mss-to-pmtu.zip (750 B)

You are my hero. This is the solution anyone using Surfshark is looking for.
Limeth, Posted January 26

Thanks for the guide, it helped me!
ShangHangin, Posted January 28

Hello Community,

I have been unsuccessful in getting WireGuard to work since my upgrade from 6.11.3 -> 6.12.6, and I am in need of guidance.

1. I have been using ZeroTier for remote access into my server and docker UI and access to my network. Don't really want to give that up.
2. My goal is to have system VPN tunneling access for updates (I am behind the Chinese firewall and cannot get at GitHub for plugins w/o VPN. Docker updates are OK w/o VPN).
3. I also want to have select docker containers (Sonar, etc.) running over VPN (not Plex, as my experience is that the remote access for playback does not like a double NAT).

I have read through the guides, tried a number of different things, and the configuration below satisfies my goal of using ZeroTier (with complete access to server, dockers, file system) and Plex, but I cannot get WireGuard working (no handshakes).

Note: I need to reinstitute zt0 listening at any docker stop and start, even though it shows as "listening" in many cases. ("Host access to custom networks" breaks ZeroTier, as does using anything other than a HOST network setting in the Docker.)

I have enabled UPnP both on the system and on my gateway router.

This is the VPN configuration. Peer endpoint "ping" is working, and clicking the eyeball with the "advanced" settings highlighted, I get this information:

WireGuard Configuration
Local server configuration

[Interface]
# Device_Steady Snake
PrivateKey=xxxx=
Address=10.66.39.132
PostUp=logger -t wireguard 'Tunnel WireGuard-wg3 started';/usr/local/emhttp/webGui/scripts/update_services
PostDown=logger -t wireguard 'Tunnel WireGuard-wg3 stopped';/usr/local/emhttp/webGui/scripts/update_services
PostUp=ip -4 route flush table 203
PostUp=ip -4 route add default via 10.66.39.132 dev wg3 table 203
PostUp=ip -4 route add 192.168.11.0/24 via 192.168.11.1 dev br0 table 203
PostDown=ip -4 route flush table 203
PostDown=ip -4 route add unreachable default table 203
PostDown=ip -4 route add 192.168.11.0/24 via 192.168.11.1 dev br0 table 203

[Peer]
#Tokyo 202_1
PublicKey=yyyy=
Endpoint=146.70.201.2:51820
AllowedIPs=0.0.0.0/0

Any guidance appreciated. Thank you in advance.

Edited January 28 by ShangHangin
mattmill, Posted February 9

On 3/6/2023 at 7:17 AM, mattmill said:
  Does anyone know if port forwarding to rTorrent works when using VPN to Docker? Set up a WG connection to Mullvad with a port forward configured. However, in ruTorrent the port is shown as closed. I have done a port mapping in the container's config but it seems unable to pass through the port.

Has anyone managed to successfully port forward using Unraid's built-in VPN manager?
Fidel84, Posted February 10

Is there now a way to use the WireGuard tunnel from the VPN provider as a gateway for local devices such as FireTV? It works perfectly for me for docker, but I can't get it to work for local services.
DavidDuffin, Posted February 21

Hey guys, I have had WireGuard working for weeks now. I moved my computer into a better case and now I can't connect to it at all; the only thing that's changed is the IP of the server. Can anyone help??
trurl, Posted February 21

6 minutes ago, DavidDuffin said:
  changed is the IP of the server

Did you regenerate keys?
DavidDuffin, Posted February 21

7 minutes ago, trurl said:
  Did you regenerate keys?

Yes, and I just see this when I apply changes.

Edited February 21 by DavidDuffin
Ruffy, Posted March 27

Hey guys, is there a way to separate each docker container running through the WireGuard tunnel from the other containers?
Bilbo, Posted March 31

On 11/22/2023 at 4:21 PM, xieve said:
  I also have this problem with Surfshark.

  Edit: I fixed it. I googled for a while and figured out that this was an MTU issue. My rough understanding (correct me if I'm wrong) is that the VPN provider limits the package size to below 1420 bytes, which seems to be a standard value for WireGuard. This is not correctly detected by MTU discovery, and thus if we try to send larger packets (which HTTPS does) they are simply dropped.

  So first, I figured out what the actual MTU should be by using differently sized pings like this:

  ping -I wg0 -c 4 -M do -s [SIZE] 1.1.1.1

  SIZE being the packet size to be tested minus 28 bytes, which seems to be the ping overhead. After a bit of trial and error, I figured out that Surfshark has an MTU of 1370 (meaning the max size of a ping was 1342 bytes). I set this in the VPN settings (you have to enable the "advanced view" on the upper right) and tested it, but it still wasn't working. (It might work for you at this point.)

  This is where MSS (maximum segment size) clamping comes in. I don't know exactly how it works, but it forces the packet size to always be under a specified limit, which is exactly what we need. I tested it by executing this in the host console:

  iptables -t mangle -A FORWARD -p tcp -m tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu

  And it worked! Now all I needed to do was persist this change. I installed the User Scripts addon and created the script attached to this post. All you have to do is extract the archive to /boot/config/plugins/user.scripts/scripts, then go to Settings → User Scripts and set the schedule to "At First Array Start Only".

  Attachment: clamp-mss-to-pmtu.zip (750 B)

LEGEND!
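The MTU probing that xieve describes (quoted above by both jmenur and Bilbo) can be done as a binary search instead of trial and error. This is an added example, not code from the thread or from Unraid; it assumes Linux iputils `ping` (which supports `-I`, `-M do`, `-W` and `-s`) and that the tunnel interface is named wg0. The probe is passed in as a function so the search logic can be exercised without a live tunnel.

```python
"""Find the path MTU through a WireGuard tunnel and derive the matching TCP MSS.

Added example (not from the forum thread). Assumes iputils ping on Linux.
"""
import subprocess
from typing import Callable

ICMP_OVERHEAD = 28   # 20-byte IPv4 header + 8-byte ICMP header, as in the thread
TCP_OVERHEAD = 40    # 20-byte IPv4 header + 20-byte TCP header (no options)
# WireGuard's 1420 default is 1500 minus its 80-byte worst-case (IPv6) overhead;
# a provider that tunnels over a smaller underlay (Surfshark: 1370) breaks that.

def payload_for_mtu(mtu: int) -> int:
    """ICMP payload (-s) that produces an IPv4 packet of exactly `mtu` bytes."""
    return mtu - ICMP_OVERHEAD          # 1370 -> 1342, matching the thread

def ping_fits(payload: int, iface: str = "wg0", target: str = "1.1.1.1") -> bool:
    """One DF-flagged ping (-M do); True only if an echo reply came back."""
    cmd = ["ping", "-I", iface, "-c", "1", "-W", "2", "-M", "do",
           "-s", str(payload), target]
    return subprocess.run(cmd, stdout=subprocess.DEVNULL,
                          stderr=subprocess.DEVNULL).returncode == 0

def find_path_mtu(probe: Callable[[int], bool], lo: int = 1200, hi: int = 1500) -> int:
    """Largest MTU in [lo, hi] whose DF ping succeeds. probe(payload) -> bool.

    Invariant: an MTU of `lo` passes and `hi` fails; shrink until adjacent."""
    if not probe(payload_for_mtu(lo)):
        raise RuntimeError(f"even MTU {lo} fails: tunnel down or ICMP blocked")
    if probe(payload_for_mtu(hi)):
        return hi                        # no clamping needed on this path
    while hi - lo > 1:
        mid = (lo + hi) // 2
        if probe(payload_for_mtu(mid)):
            lo = mid
        else:
            hi = mid
    return lo

def mss_for_mtu(mtu: int) -> int:
    """TCP MSS that keeps a full segment within `mtu` (IPv4, no TCP options)."""
    return mtu - TCP_OVERHEAD            # 1370 -> 1330

def clamp_rule(mss: int) -> list[str]:
    """Explicit-MSS variant of the thread's rule; the thread used
    --clamp-mss-to-pmtu, which instead takes the MSS from the route's MTU."""
    return ["iptables", "-t", "mangle", "-A", "FORWARD", "-p", "tcp", "-m", "tcp",
            "--tcp-flags", "SYN,RST", "SYN", "-j", "TCPMSS", "--set-mss", str(mss)]

if __name__ == "__main__":
    mtu = find_path_mtu(ping_fits)
    print(f"path MTU {mtu}, MSS {mss_for_mtu(mtu)}:", " ".join(clamp_rule(mss_for_mtu(mtu))))
```

Set the discovered MTU in the VPN tunnel's advanced settings as the thread describes; the printed rule (or the thread's `--clamp-mss-to-pmtu` form) covers TCP flows that ignore the interface MTU.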
betaman, Posted April 2

On 2/10/2024 at 12:37 PM, Fidel84 said:
  Is there now a way to use the WireGuard tunnel from the VPN provider as a gateway for local devices such as FireTV? It works perfectly for me for docker, but I can't get it to work for local services.

Curious about this as well? FireTVs and Kodi. Privoxy is causing issues with server timeouts and login using Emby.