Skip to content
View in the app

A better way to browse. Learn more.

Unraid

A full-screen app on your home screen with push notifications, badges and more.

To install this app on iOS and iPadOS
  1. Tap the Share icon in Safari
  2. Scroll the menu and tap Add to Home Screen.
  3. Tap Add in the top-right corner.
To install this app on Android
  1. Tap the 3-dot menu (⋮) in the top-right corner of the browser.
  2. Tap Add to Home screen or Install app.
  3. Confirm by tapping Install.

WireGuard - VPN Tunneled Access to a commercial VPN provider

Featured Replies

7 minutes ago, bonienl said:

Yes, you are right. The import parser went wrong on the comment statement(s).

I have made an update with the fix.

 

Thanks.

Awesome. I just tried it with the original version and it imports fine. Thanks for the quick turnaround! :)

  • Replies 249
  • Views 180.3k
  • Created
  • Last Reply

Top Posters In This Topic

Most Popular Posts

  • I also have this problem with Surfshark. Edit: I fixed it I googled for a while and figured out that this was an MTU issue. My rough understanding (correct me if I'm wrong) is that the VPN

  • Carlos Talbot
    Carlos Talbot

    Has anyone figured out how to route only a subset of docker containers through the VPN? This seems to be of interest for many of us but I haven't seen a step by step guide on how it would be implement

  • I've created a fork of the PIA scripts to simplify the install process on unRaid, it's still not as simple as importing a configuration, but the scripts now generate a file following the "wg#.conf" co

Posted Images

  • 3 weeks later...

Hey,

in your start post, it says "VPN tunneled access - In the future it may be possible to restrict it so that only specific Dockers use the VPN tunnel".
Is there an ETA on that topic? I really want to tunnel my radarr/sabnzbd dockers through VPN 🙂

On 11/28/2019 at 1:58 PM, suRe said:

Hey,

in your start post, it says "VPN tunneled access - In the future it may be possible to restrict it so that only specific Dockers use the VPN tunnel".
Is there an ETA on that topic? I really want to tunnel my radarr/sabnzbd dockers through VPN 🙂

As long as your docker containers are using the bridged network option, they will be routed through the vpn. You can verify this by going into a docker container's shell and typing the below text. (Assuming that the docker has curl)

curl https://ipinfo.io/ip

 

Edited by Dataone

Hi, I am using Mullvad, because my ISP does not allow any port forwarding (for jellyfin and other services). I have port forwarded in Mullvad, it worked fine on Windows before with the Wireguard app, but it does not work work here (tested with iperf). Is there problem with my settings? Or is there some workaround?

1 hour ago, stealthymocha said:

Hi, I am using Mullvad, because my ISP does not allow any port forwarding (for jellyfin and other services). I have port forwarded in Mullvad, it worked fine on Windows before with the Wireguard app, but it does not work work here (tested with iperf). Is there problem with my settings? Or is there some workaround?

 

I know that this is the trick for Plex, but you may be able to do the same with the jellyfin ports.

PostUp  = iptables -t nat -I PREROUTING -p tcp --dport *external port* -j REDIRECT --to-ports 32400 (internal plex port)
PreDown = iptables -t nat -D PREROUTING -p tcp --dport *external port* -j REDIRECT --to-ports 32400 (internal plex port)

 

23 hours ago, Dataone said:

 

I know that this is the trick for Plex, but you may be able to do the same with the jellyfin ports.


PostUp  = iptables -t nat -I PREROUTING -p tcp --dport *external port* -j REDIRECT --to-ports 32400 (internal plex port)
PreDown = iptables -t nat -D PREROUTING -p tcp --dport *external port* -j REDIRECT --to-ports 32400 (internal plex port)

 

Thank you, but it does not seem to be working. I think I'll just reverse proxy from raspberry pi with openvpn.

 

EDIT: OK, i feel stupid. Looks like it was the usual solution: Turn system off and then on again. After reboot, port forwarding works.

Edited by stealthymocha
solution

  • itimpi pinned this topic
On 12/2/2019 at 1:53 AM, Dataone said:

As long as your docker containers are using the bridged network option, they will be routed through the vpn. You can verify this by going into a docker container's shell and typing the below text. (Assuming that the docker has curl)


curl https://ipinfo.io/ip

 

Oh, this is perfect. So all "bridged" dockers will route through vpn, and any "custom" docker network adapters, e.g. Container using ReverseProxy adapter will be reachable through normal ISP IP?
Have not updated to RC Versions yet, so i can't test it on my own.

11 minutes ago, suRe said:

Oh, this is perfect. So all "bridged" dockers will route through vpn, and any "custom" docker network adapters, e.g. Container using ReverseProxy adapter will be reachable through normal ISP IP?
Have not updated to RC Versions yet, so i can't test it on my own.

At least by default I assume so, yes. My containers using bridged all go through the vpn and all containers using br0 use my home network.

 

I'm sure you can set some iptable/routing rules to modify this if you liked though

On 12/6/2019 at 2:52 PM, Dataone said:

At least by default I assume so, yes. My containers using bridged all go through the vpn and all containers using br0 use my home network.

 

I'm sure you can set some iptable/routing rules to modify this if you liked though

@Dataone

 

may I ask how you've configured the field "Peer allowed IPs" in your wireguard settings? By default it's set to 0.0.0.0 which routes all traffic on the UnRaid server through the vpn tunnel. I assume you've restricted it to just the docker containers on the bridge?

 

Also, do you know how to block traffic for those selected dockers if the vpn link goes down? Thanks.

On 10/16/2019 at 6:57 AM, ljm42 said:

In the future it may be possible to restrict it so that only specific Dockers use the VPN tunnel.  Until then, you may need to disable the tunnel in order to check for plugin updates or perform other Unraid administrative tasks.

Any aproximation to when is this going to be possible aprox? This would be the killer feature, since routing ALL the traffic seems like a little bit too much.

 

Thanks!

On 12/6/2019 at 9:52 PM, Dataone said:

At least by default I assume so, yes. My containers using bridged all go through the vpn and all containers using br0 use my home network.

 

I'm sure you can set some iptable/routing rules to modify this if you liked though

In my setup, containers using custom networks still go through the vpn 😕

4 hours ago, Jeffarese said:

Any aproximation to when is this going to be possible aprox?

Difficult to say, because it is unclear / not possible yet, how to do this with WireGuard.

  • 4 weeks later...
On 12/4/2019 at 5:33 AM, Dataone said:

 

I know that this is the trick for Plex, but you may be able to do the same with the jellyfin ports.


PostUp  = iptables -t nat -I PREROUTING -p tcp --dport *external port* -j REDIRECT --to-ports 32400 (internal plex port)
PreDown = iptables -t nat -D PREROUTING -p tcp --dport *external port* -j REDIRECT --to-ports 32400 (internal plex port)

 

Hi,

How do I go about adding the above to my Wireguard config? Same question with a killswitch. I'm using Mullvad which provides a killswitch in their config file but when I import the config the parser removes it.

 

The Mulvad config looks like this

[Interface]
PrivateKey = -hidden-
Address = 10.64.246.232/32,fc00:bbbb:bbbb:bb01::1:f6e7/128
DNS = 193.138.218.74
PostUp = iptables -I OUTPUT ! -o %i -m mark ! --mark $(wg show %i fwmark) -m addrtype ! --dst-type LOCAL -j REJECT && ip6tables -I OUTPUT ! -o %i -m mark ! --mark $(wg show %i fwmark) -m addrtype ! --dst-type LOCAL -j REJECT
PreDown = iptables -D OUTPUT ! -o %i -m mark ! --mark $(wg show %i fwmark) -m addrtype ! --dst-type LOCAL -j REJECT && ip6tables -D OUTPUT ! -o %i -m mark ! --mark $(wg show %i fwmark) -m addrtype ! --dst-type LOCAL -j REJECT

[Peer]
PublicKey = -hidden-
AllowedIPs = 0.0.0.0/0,::0/0
Endpoint = 103.231.88.2:51820

Once imported it looks like this

[Interface]
PrivateKey= -hidden-
Address=10.64.246.232
PostUp=logger -t wireguard 'Tunnel WireGuard-wg0 started'
PostDown=logger -t wireguard 'Tunnel WireGuard-wg0 stopped'

[Peer]
PublicKey= -hidden-
Endpoint=103.231.88.2:51820
AllowedIPs=0.0.0.0/0,::0/0

Also note that unless I manually remove ,::0/0 from the allowed IPs the tunnel will not connect

Hello I have a question regarding connecting to multiple servers on Windows. 

The wireguard client on Windows only allows one connection at a time. Is there a way to establish two connections with two separate interfaces?

I have two servers on two different subnets and I can't seem to find a way to connect them simultaneously.  

There is also very little documentation on the windows client. 

On 1/9/2020 at 3:04 AM, Monkeysphere said:

Hi,

How do I go about adding the above to my Wireguard config? Same question with a killswitch. I'm using Mullvad which provides a killswitch in their config file but when I import the config the parser removes it.

 

The Mulvad config looks like this


[Interface]
PrivateKey = -hidden-
Address = 10.64.246.232/32,fc00:bbbb:bbbb:bb01::1:f6e7/128
DNS = 193.138.218.74
PostUp = iptables -I OUTPUT ! -o %i -m mark ! --mark $(wg show %i fwmark) -m addrtype ! --dst-type LOCAL -j REJECT && ip6tables -I OUTPUT ! -o %i -m mark ! --mark $(wg show %i fwmark) -m addrtype ! --dst-type LOCAL -j REJECT
PreDown = iptables -D OUTPUT ! -o %i -m mark ! --mark $(wg show %i fwmark) -m addrtype ! --dst-type LOCAL -j REJECT && ip6tables -D OUTPUT ! -o %i -m mark ! --mark $(wg show %i fwmark) -m addrtype ! --dst-type LOCAL -j REJECT

[Peer]
PublicKey = -hidden-
AllowedIPs = 0.0.0.0/0,::0/0
Endpoint = 103.231.88.2:51820

Once imported it looks like this


[Interface]
PrivateKey= -hidden-
Address=10.64.246.232
PostUp=logger -t wireguard 'Tunnel WireGuard-wg0 started'
PostDown=logger -t wireguard 'Tunnel WireGuard-wg0 stopped'

[Peer]
PublicKey= -hidden-
Endpoint=103.231.88.2:51820
AllowedIPs=0.0.0.0/0,::0/0

Also note that unless I manually remove ,::0/0 from the allowed IPs the tunnel will not connect

 

You'll need to manually edit the config file after importing it (but make sure it isn't active), as I assume that the plugin ignores everything but the keys etc and generates a config on it's own

Multiple interfaces/connections on Windows client.

Hello I have a question regarding connecting to multiple servers on Windows. 

The wireguard client on Windows only allows one connection at a time. Is there a way to establish two connections with two separate interfaces?

I have two servers on two different subnets and I can't seem to find a way to connect them simultaneously.  

There is also very little documentation on the windows client. 

6 minutes ago, hdlineage said:

Hello I have a question regarding connecting to multiple servers on Windows. 

You have asked this question on 2 different threads. I have split this into the thread you originally asked it on so the responses can be coordinated.

@Dataone thanks, I ended up doing that manually just before you messaged back. It worked in the sense that the rules must have loaded but they must have also been incorrect because it locked me out of the server GUI and I had to reboot. Not sure if the connection worked though.

 

I'm setting up an IP Fire firewall today so I will probably just use that for the killswitch.

  • 2 weeks later...

So, I got a weird/cool idea I'm trying to work on, I bought a VPS from OVH with a failover IP, and I'm trying to route that public failover ip to the server, that way I can get a publicly static and route-able  (I'm gonna have a network with multiple sites VPNed together with wireguard :D), so far I can ping the server through the failover ip from my local network (have a static route pointing to the server) and the VPS, but not from the public internet, anyone got any idea on how to fix that? I can assign the IP to the VPS and it does work there...
Let me know what kind of logs/configs would be helpful and I'll post them.

I have a couple of questions regarding this.

 

Do Dockers still update whilst being routed through the VPN tunnel using Wireguard?

 

And how would one go about tunneling back from out of the network to a VM? As in, how would you connect to the specific tunnel running in Unraid?

  • 2 weeks later...

Has anyone figured out how to route only a subset of docker containers through the VPN? This seems to be of interest for many of us but I haven't seen a step by step guide on how it would be implemented. Thanks.

Edited by Carlos Talbot

  • 4 weeks later...
On 1/8/2020 at 10:04 PM, Monkeysphere said:

Also note that unless I manually remove ,::0/0 from the allowed IPs the tunnel will not connect

Was attempting to set up Mullvad as well, and ran into the same issue. When i would leave the VPN settings page, and returning, the Active slider would become Inactive every time. After manually removing the ,::0/0 it's up and running.

I have wireguard working well.  I can connect to my unraid network, and access things like my router on that network.  I set it up for Remote Access to LAN.  HOWEVER, I cant access other computers on that network?  Like in windows, if I try to see network devices, I cant see my unraid server on there.  But I can see my local NAS and other devices.  AND when I am physically on my Unraid network, I can see the Unraid server in network devices.

 

Any help would be greatly appreciated.  

  • 2 weeks later...
On 1/9/2020 at 3:04 AM, Monkeysphere said:

Also note that unless I manually remove ,::0/0 from the allowed IPs the tunnel will not connect

Amazing I spent ages trying to get this to work and this is what was wrong. Removing ,::0/0 sorted it.

thanks for sharing

Join the conversation

You can post now and register later. If you have an account, sign in now to post with your account.
Note: Your post will require moderator approval before it will be visible.

Guest
Reply to this topic...

Account

Navigation

Search

Search

Configure browser push notifications

Chrome (Android)
  1. Tap the lock icon next to the address bar.
  2. Tap Permissions → Notifications.
  3. Adjust your preference.
Chrome (Desktop)
  1. Click the padlock icon in the address bar.
  2. Select Site settings.
  3. Find Notifications and adjust your preference.