WireGuard - VPN Tunneled Access to a commercial VPN provider


ljm42

On 11/28/2019 at 1:58 PM, suRe said:

Hey,

in your start post, it says "VPN tunneled access - In the future it may be possible to restrict it so that only specific Dockers use the VPN tunnel".
Is there an ETA on that topic? I really want to tunnel my radarr/sabnzbd dockers through VPN 🙂

As long as your docker containers are using the bridged network option, they will be routed through the vpn. You can verify this by going into a docker container's shell and typing the below text. (Assuming that the docker has curl)

curl https://ipinfo.io/ip

Link to comment
1 hour ago, stealthymocha said:

Hi, I am using Mullvad, because my ISP does not allow any port forwarding (for jellyfin and other services). I have port forwarded in Mullvad, it worked fine on Windows before with the Wireguard app, but it does not work here (tested with iperf). Is there a problem with my settings? Or is there some workaround?

I know that this is the trick for Plex, but you may be able to do the same with the jellyfin ports.

PostUp  = iptables -t nat -I PREROUTING -p tcp --dport *external port* -j REDIRECT --to-ports 32400 (internal plex port)
PreDown = iptables -t nat -D PREROUTING -p tcp --dport *external port* -j REDIRECT --to-ports 32400 (internal plex port)

Link to comment
23 hours ago, Dataone said:

I know that this is the trick for Plex, but you may be able to do the same with the jellyfin ports.


PostUp  = iptables -t nat -I PREROUTING -p tcp --dport *external port* -j REDIRECT --to-ports 32400 (internal plex port)
PreDown = iptables -t nat -D PREROUTING -p tcp --dport *external port* -j REDIRECT --to-ports 32400 (internal plex port)

Thank you, but it does not seem to be working. I think I'll just reverse proxy from raspberry pi with openvpn.

EDIT: OK, I feel stupid. Looks like it was the usual solution: turn the system off and then on again. After a reboot, port forwarding works.

Link to comment
On 12/2/2019 at 1:53 AM, Dataone said:

As long as your docker containers are using the bridged network option, they will be routed through the vpn. You can verify this by going into a docker container's shell and typing the below text. (Assuming that the docker has curl)

curl https://ipinfo.io/ip

Oh, this is perfect. So all "bridged" dockers will route through vpn, and any "custom" docker network adapters, e.g. Container using ReverseProxy adapter will be reachable through normal ISP IP?
Have not updated to RC versions yet, so I can't test it on my own.

Link to comment
11 minutes ago, suRe said:

Oh, this is perfect. So all "bridged" dockers will route through vpn, and any "custom" docker network adapters, e.g. Container using ReverseProxy adapter will be reachable through normal ISP IP?
Have not updated to RC versions yet, so I can't test it on my own.

At least by default I assume so, yes. My containers using bridged all go through the vpn and all containers using br0 use my home network.

I'm sure you can set some iptable/routing rules to modify this if you liked though

Link to comment
On 12/6/2019 at 2:52 PM, Dataone said:

At least by default I assume so, yes. My containers using bridged all go through the vpn and all containers using br0 use my home network.

I'm sure you can set some iptable/routing rules to modify this if you liked though

@Dataone

may I ask how you've configured the field "Peer allowed IPs" in your wireguard settings? By default it's set to 0.0.0.0 which routes all traffic on the UnRaid server through the vpn tunnel. I assume you've restricted it to just the docker containers on the bridge?

Also, do you know how to block traffic for those selected dockers if the vpn link goes down? Thanks.

Link to comment
On 10/16/2019 at 6:57 AM, ljm42 said:

In the future it may be possible to restrict it so that only specific Dockers use the VPN tunnel.  Until then, you may need to disable the tunnel in order to check for plugin updates or perform other Unraid administrative tasks.

Any approximation of when this is going to be possible? This would be the killer feature, since routing ALL the traffic seems like a little bit too much.

Thanks!

Link to comment
On 12/6/2019 at 9:52 PM, Dataone said:

At least by default I assume so, yes. My containers using bridged all go through the vpn and all containers using br0 use my home network.

I'm sure you can set some iptable/routing rules to modify this if you liked though

In my setup, containers using custom networks still go through the vpn 😕

Link to comment
  • 4 weeks later...
On 12/4/2019 at 5:33 AM, Dataone said:

I know that this is the trick for Plex, but you may be able to do the same with the jellyfin ports.

PostUp  = iptables -t nat -I PREROUTING -p tcp --dport *external port* -j REDIRECT --to-ports 32400 (internal plex port)
PreDown = iptables -t nat -D PREROUTING -p tcp --dport *external port* -j REDIRECT --to-ports 32400 (internal plex port)

Hi,

How do I go about adding the above to my Wireguard config? Same question with a killswitch. I'm using Mullvad which provides a killswitch in their config file but when I import the config the parser removes it.

The Mullvad config looks like this:

[Interface]
PrivateKey = -hidden-
Address = 10.64.246.232/32,fc00:bbbb:bbbb:bb01::1:f6e7/128
DNS = 193.138.218.74
PostUp = iptables -I OUTPUT ! -o %i -m mark ! --mark $(wg show %i fwmark) -m addrtype ! --dst-type LOCAL -j REJECT && ip6tables -I OUTPUT ! -o %i -m mark ! --mark $(wg show %i fwmark) -m addrtype ! --dst-type LOCAL -j REJECT
PreDown = iptables -D OUTPUT ! -o %i -m mark ! --mark $(wg show %i fwmark) -m addrtype ! --dst-type LOCAL -j REJECT && ip6tables -D OUTPUT ! -o %i -m mark ! --mark $(wg show %i fwmark) -m addrtype ! --dst-type LOCAL -j REJECT

[Peer]
PublicKey = -hidden-
AllowedIPs = 0.0.0.0/0,::0/0
Endpoint = 103.231.88.2:51820

Once imported, it looks like this:

[Interface]
PrivateKey= -hidden-
Address=10.64.246.232
PostUp=logger -t wireguard 'Tunnel WireGuard-wg0 started'
PostDown=logger -t wireguard 'Tunnel WireGuard-wg0 stopped'

[Peer]
PublicKey= -hidden-
Endpoint=103.231.88.2:51820
AllowedIPs=0.0.0.0/0,::0/0

Also note that unless I manually remove ,::0/0 from the allowed IPs, the tunnel will not connect.

Link to comment
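The loss Monkeysphere describes above can be checked mechanically before the tunnel is activated. The script below is an added example, not code from this thread or from the Unraid WireGuard plugin: it parses the two configs quoted above (reconstructed here from the post, with '-hidden-' standing in for the keys) and reports what the importer dropped. The function names, the finding codes and the simplified configs are this example's own.

```python
# Both configs are constructed from the thread's quoted Mullvad/Unraid files; '-hidden-' = placeholder keys.
ORIGINAL = """[Interface]
PrivateKey = -hidden-
Address = 10.64.246.232/32,fc00:bbbb:bbbb:bb01::1:f6e7/128
DNS = 193.138.218.74
PostUp = iptables -I OUTPUT ! -o %i -m mark ! --mark $(wg show %i fwmark) -m addrtype ! --dst-type LOCAL -j REJECT
[Peer]
AllowedIPs = 0.0.0.0/0,::0/0
"""
IMPORTED = """[Interface]
PrivateKey= -hidden-
Address=10.64.246.232
PostUp=logger -t wireguard 'Tunnel WireGuard-wg0 started'
[Peer]
AllowedIPs=0.0.0.0/0,::0/0
"""

def parse_wg(text):
    """Parse wg-quick INI text into {section: {key: [values]}}; keys may repeat."""
    conf, section = {}, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1]
            conf.setdefault(section, {})
        elif "=" in line and section is not None:
            key, _, val = line.partition("=")
            conf[section].setdefault(key.strip(), []).append(val.strip())
    return conf

def values(conf, section, key):
    """Every comma-separated value of a (possibly repeated) key, as a set."""
    return {v.strip() for val in conf.get(section, {}).get(key, []) for v in val.split(",")}

def import_findings(original, imported):
    """Codes for what the import silently changed; an empty list means it was faithful."""
    o, i, found = parse_wg(original), parse_wg(imported), []
    # a kill switch here means a PostUp hook that installs a REJECT/DROP rule, as Mullvad's does
    ks = lambda c: any(w in h for h in c.get("Interface", {}).get("PostUp", []) for w in ("REJECT", "DROP"))
    if ks(o) and not ks(i):
        found.append("killswitch-dropped")  # with the tunnel down, traffic leaves via the ISP link
    if "DNS" in o.get("Interface", {}) and "DNS" not in i.get("Interface", {}):
        found.append("dns-dropped")  # resolver no longer pinned to the provider: DNS leak risk
    has_v6 = lambda addrs: any(":" in a for a in addrs)
    i_addr = values(i, "Interface", "Address")
    if has_v6(values(o, "Interface", "Address")) and not has_v6(i_addr):
        found.append("ipv6-address-dropped")
    if has_v6(values(i, "Peer", "AllowedIPs")) and not has_v6(i_addr):
        found.append("ipv6-allowedips-without-ipv6-address")  # the ',::0/0' case reported above
    return found
```

Run it against your own provider file and the plugin's generated file; anything listed is what you have to restore by hand (with the tunnel inactive) or accept as a gap.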

Hello I have a question regarding connecting to multiple servers on Windows. 

The wireguard client on Windows only allows one connection at a time. Is there a way to establish two connections with two separate interfaces?

I have two servers on two different subnets and I can't seem to find a way to connect them simultaneously.  

There is also very little documentation on the windows client. 

Link to comment
On 1/9/2020 at 3:04 AM, Monkeysphere said:

Hi,

How do I go about adding the above to my Wireguard config? Same question with a killswitch. I'm using Mullvad which provides a killswitch in their config file but when I import the config the parser removes it.

The Mullvad config looks like this:

[Interface]
PrivateKey = -hidden-
Address = 10.64.246.232/32,fc00:bbbb:bbbb:bb01::1:f6e7/128
DNS = 193.138.218.74
PostUp = iptables -I OUTPUT ! -o %i -m mark ! --mark $(wg show %i fwmark) -m addrtype ! --dst-type LOCAL -j REJECT && ip6tables -I OUTPUT ! -o %i -m mark ! --mark $(wg show %i fwmark) -m addrtype ! --dst-type LOCAL -j REJECT
PreDown = iptables -D OUTPUT ! -o %i -m mark ! --mark $(wg show %i fwmark) -m addrtype ! --dst-type LOCAL -j REJECT && ip6tables -D OUTPUT ! -o %i -m mark ! --mark $(wg show %i fwmark) -m addrtype ! --dst-type LOCAL -j REJECT

[Peer]
PublicKey = -hidden-
AllowedIPs = 0.0.0.0/0,::0/0
Endpoint = 103.231.88.2:51820

Once imported, it looks like this:

[Interface]
PrivateKey= -hidden-
Address=10.64.246.232
PostUp=logger -t wireguard 'Tunnel WireGuard-wg0 started'
PostDown=logger -t wireguard 'Tunnel WireGuard-wg0 stopped'

[Peer]
PublicKey= -hidden-
Endpoint=103.231.88.2:51820
AllowedIPs=0.0.0.0/0,::0/0

Also note that unless I manually remove ,::0/0 from the allowed IPs, the tunnel will not connect.

You'll need to manually edit the config file after importing it (but make sure it isn't active), as I assume that the plugin ignores everything but the keys etc. and generates a config on its own.

Link to comment

@Dataone thanks, I ended up doing that manually just before you messaged back. It worked in the sense that the rules must have loaded but they must have also been incorrect because it locked me out of the server GUI and I had to reboot. Not sure if the connection worked though.

I'm setting up an IPFire firewall today, so I will probably just use that for the killswitch.

Link to comment

So, I got a weird/cool idea I'm trying to work on. I bought a VPS from OVH with a failover IP, and I'm trying to route that public failover IP to the server, that way I can get a publicly static and routable (I'm gonna have a network with multiple sites VPNed together with wireguard :D). So far I can ping the server through the failover IP from my local network (I have a static route pointing to the server) and from the VPS, but not from the public internet. Anyone got any idea on how to fix that? I can assign the IP to the VPS and it does work there...
Let me know what kind of logs/configs would be helpful and I'll post them.

Link to comment

I have a couple of questions regarding this.

Do Dockers still update whilst being routed through the VPN tunnel using Wireguard?

And how would one go about tunneling back from out of the network to a VM? As in, how would you connect to the specific tunnel running in Unraid?

Link to comment
On 1/8/2020 at 10:04 PM, Monkeysphere said:

Also note that unless I manually remove ,::0/0 from the allowed IPs the tunnel will not connect

Was attempting to set up Mullvad as well, and ran into the same issue. When I would leave the VPN settings page and return, the Active slider would become Inactive every time. After manually removing the ,::0/0 it's up and running.

Link to comment

I have wireguard working well. I can connect to my unraid network, and access things like my router on that network. I set it up for Remote Access to LAN. HOWEVER, I can't access other computers on that network? Like in windows, if I try to see network devices, I can't see my unraid server on there. But I can see my local NAS and other devices. AND when I am physically on my Unraid network, I can see the Unraid server in network devices.

Any help would be greatly appreciated.  

Link to comment