WireGuard - VPN Tunneled Access to a commercial VPN provider


ljm42


Ugh! Figured it out after sufficiently banging my head against the wall. It was a firewall rule. The rule was activated a while ago, but this is the first time launching a VPN session with it in place, which is a little weird because I guess it prevented the session handshake and it couldn't get off the ground.

I didn't think of it because the change happened weeks ago. Anyway, I'll leave my post below for anyone it might help in the future.

My VPN for tunneled access for dockers suddenly stopped working. I had shut down to add a new drive and decided to change up my VPN config to a new server, which I do occasionally just because. The new config loaded, I flipped the active switch, but I have no access on that network. It says "Last Handshake: Not connected", it sends a few KB, and nothing is received. I tried testing with a Firefox container and nothing. Also tried pinging 8.8.8.8 in the console of the container and nothing. I can successfully ping the peer endpoint. Peer tunnel address fails.

Not sure if it matters, but I accidentally hit tunneled access for system when adding that new config. Could something there have made it go loopy?

I'm using IPv4 only. I tried creating new configs, different servers. I tried the config file for the server that was just working for me and nothing. I tried going into /host/config and deleting everything in wireguard. I tried adding a config for Proton VPN which also worked for me in the past and that doesn't work either. I tried flipping it on/off countless times. I tried rebooting a few times. The log seems to indicate the VPN starts with no other entries.

Nov 28 09:20:06 XXXXXX wireguard: Tunnel WireGuard-wg0 started
Nov 28 09:20:06 XXXXXX network: update services: 1s

Any suggestions or an approach to troubleshoot?

Edited by flaminiom

I'm having a weird issue where all my containers, not only the one configured as wg0, access through the VPN. My type of access is set as tunneled access for docker.

Can it be because I manually restarted my VPN using the CLI and restarted it with a different config file? I wanted to change the endpoint server following a schedule.

Edit: if I restart via the web UI, then only the chosen container connects through the VPN. If I restart via the CLI, all dockers go through the VPN. I'm definitely not an expert here, but I checked the routing tables before and after in the web UI, and they are identical. Is there something I'm missing? When I restart using the CLI I use the interface settings from the config file generated using the web UI and the peer settings that I get from my provider.

Okay, I fixed the issue. I restarted the config through wg-quick up/down and then loaded a new config from a different location. I now back up the default config generated by Unraid, stop/start through rc.d and then replace the config file in /etc/wireguard. This works well!

Edited by DrBlokmeister
Added more info on when this issue occurs.
On 11/22/2023 at 3:21 PM, xieve said:

I also have this problem with Surfshark.

Edit: I fixed it :)

I googled for a while and figured out that this was an MTU issue. My rough understanding (correct me if I'm wrong) is that the VPN provider limits the packet size to below 1420 bytes, which seems to be a standard value for WireGuard. This is not correctly detected by MTU discovery and thus if we try to send larger packets (which HTTPS does) they are simply dropped.

So first, I figured out what the actual MTU should be by using differently sized pings like this:

ping -I wg0 -c 4 -M do -s [SIZE] 1.1.1.1

SIZE being the packet size to be tested minus 28 bytes, which seems to be the ping overhead.

After a bit of trial and error, I figured out that Surfshark has an MTU of 1370 (meaning the max size of a ping was 1342 bytes). I set this in the VPN settings (you have to enable the "advanced view" on the upper right) and tested it, but it still wasn't working. (It might work for you at this point.)

This is where MSS (maximum segment size) clamping comes in. I don't know exactly how it works, but it forces the packet size to always be under a specified limit, which is exactly what we need. I tested it by executing this in the host console:

iptables -t mangle -A FORWARD -p tcp -m tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu

And it worked! Now all I needed to do was persist this change. I installed the User Scripts addon and created the script attached to this post. All you have to do is extract the archive to /boot/config/plugins/user.scripts/scripts, then go to Settings → User Scripts and set the schedule to "At First Array Start Only".

Attachment: clamp-mss-to-pmtu.zip (750 B)

You are my hero. This is the solution anyone using Surfshark is looking for.

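The MTU probe and the MSS clamp from xieve's post, put together as one User Script that can run at every array start. This is an added example; it is neither xieve's attached script nor part of Unraid. It assumes the tunnel interface is wg0 and the probe target is 1.1.1.1 as in the post, uses the 28-byte ICMP overhead from the post, and assumes the path is monotonic (if a payload of N bytes gets through with the don't-fragment bit set, every smaller payload does too). The search range 1200..1472, the ping options `-c 2 -W 2`, and the environment variables are this example's choices. The binary search replaces the trial-and-error step, and the `iptables -C` check keeps repeated runs from stacking duplicate FORWARD rules, which a plain `-A` in a scheduled script would do.

```shell
#!/bin/bash
# Added example (not xieve's attachment, not Unraid code): discover the path
# MTU through the WireGuard tunnel, then make sure the MSS clamp rule is
# present exactly once.
# Assumptions: interface wg0, probe target 1.1.1.1 (both from the post),
# ICMP echo overhead of 28 bytes (20 IP + 8 ICMP), monotonic path.
set -u

WG_IF="${WG_IF:-wg0}"
PROBE_HOST="${PROBE_HOST:-1.1.1.1}"
ICMP_OVERHEAD=28
MSS_RULE="-p tcp -m tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu"

# ping_probe SIZE: exit 0 if an ICMP echo carrying SIZE payload bytes with the
# don't-fragment bit set gets a reply through the tunnel.
ping_probe() {
    ping -I "$WG_IF" -c 2 -W 2 -M do -s "$1" "$PROBE_HOST" >/dev/null 2>&1
}

# find_max_payload PROBE LO HI: largest payload in [LO, HI] for which
# "PROBE size" succeeds, found by binary search (about 8 probes for a
# 272-byte range instead of stepping through sizes). Prints 0 if LO fails.
find_max_payload() {
    local probe=$1 lo=$2 hi=$3 best=0 mid
    while [ "$lo" -le "$hi" ]; do
        mid=$(( (lo + hi) / 2 ))
        if "$probe" "$mid"; then
            best=$mid
            lo=$(( mid + 1 ))
        else
            hi=$(( mid - 1 ))
        fi
    done
    echo "$best"
}

# payload_to_mtu PAYLOAD: the MTU implied by the largest working ping payload.
payload_to_mtu() {
    echo $(( $1 + ICMP_OVERHEAD ))
}

# ensure_mss_clamp: add the FORWARD clamp rule only if it is not already
# present, so the script is safe to schedule on every array start.
ensure_mss_clamp() {
    # $MSS_RULE is intentionally unquoted so it expands to separate arguments.
    if iptables -t mangle -C FORWARD $MSS_RULE 2>/dev/null; then
        echo "MSS clamp rule already present"
    else
        iptables -t mangle -A FORWARD $MSS_RULE && echo "MSS clamp rule added"
    fi
}

main() {
    # Search from a conservative floor up to the payload of a 1500-byte MTU.
    local payload mtu
    payload=$(find_max_payload ping_probe 1200 1472)
    if [ "$payload" -eq 0 ]; then
        echo "no DF ping of 1200+ bytes got through $WG_IF; is the tunnel up?" >&2
        return 1
    fi
    mtu=$(payload_to_mtu "$payload")
    echo "largest DF payload: $payload bytes -> path MTU $mtu"
    # Setting the link MTU here is transient; for a lasting value enter it in
    # the WireGuard advanced settings as the post describes.
    ip link set dev "$WG_IF" mtu "$mtu"
    ensure_mss_clamp
}

# Only touch the live system when the tunnel interface actually exists.
if ip link show "$WG_IF" >/dev/null 2>&1; then
    main
fi
```

Run it as root on the host after the tunnel is up (`WG_IF=wg0 bash clamp-mss.sh`), or schedule it through User Scripts at first array start as in the post; with a 1370-byte path it reports a 1342-byte payload and then adds the clamp rule once.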

Hello Community

I have been unsuccessful in getting WireGuard to work since my upgrade from 6.11.3->6.12.6, and I am in need of guidance.

1. I have been using ZeroTier for remote access into my server and docker UI and access to my network. Don't really want to give that up.

2. My goal is to have system VPN tunneling access for updates (I am behind the Chinese firewall and cannot get at Github for plugins w/o VPN. Docker updates are OK w/o VPN).

3. I also want to have select docker containers (Sonar, etc) running over VPN (not Plex, as my experience is that the remote access for playback does not like a double NAT).

I have read through the guides, tried a number of different things, and the configuration below satisfies my goal of using ZeroTier (with complete access to server, dockers, file system) and Plex, but I cannot get WireGuard working (no handshakes).

[screenshot]

[screenshot]

Note: Need to reinstitute zt0 listening at any docker stop and start, even though it shows "listening" in many cases.

[screenshot]

("Host access to custom networks" breaks ZeroTier, as does using anything other than a HOST network setting in the Docker.)

[screenshot]

[screenshot]

I have enabled UPnP both on the system and on my gateway router:

[screenshot]

This is the VPN configuration:

[screenshot]

Peer endpoint "ping" is working.

Clicking on the eyeball with the "advanced" settings highlighted, I get this information:


WireGuard Configuration

Local server configuration

[Interface]
# Device_Steady Snake
PrivateKey=xxxx=
Address=10.66.39.132
PostUp=logger -t wireguard 'Tunnel WireGuard-wg3 started';/usr/local/emhttp/webGui/scripts/update_services
PostDown=logger -t wireguard 'Tunnel WireGuard-wg3 stopped';/usr/local/emhttp/webGui/scripts/update_services
PostUp=ip -4 route flush table 203
PostUp=ip -4 route add default via 10.66.39.132 dev wg3 table 203
PostUp=ip -4 route add 192.168.11.0/24 via 192.168.11.1 dev br0 table 203
PostDown=ip -4 route flush table 203
PostDown=ip -4 route add unreachable default table 203
PostDown=ip -4 route add 192.168.11.0/24 via 192.168.11.1 dev br0 table 203

[Peer]
#Tokyo 202_1
PublicKey=yyyy=
Endpoint=146.70.201.2:51820
AllowedIPs=0.0.0.0/0

Any guidance appreciated.

Thank you in advance.

Edited by ShangHangin
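A small check script for the "no handshake" situation in ShangHangin's post above and in flaminiom's post earlier in the thread ("Last Handshake: Not connected", bytes sent but none received). It is an added example, not part of Unraid or of the WireGuard tools. It assumes the interface name wg3 and routing table 203 from the configuration above, reads the machine-readable `wg show <iface> dump` output (tab-separated; line 1 is the interface, each later line is one peer, and the fifth peer field is the latest handshake as a Unix timestamp, 0 when there has never been one), and treats a handshake older than 180 seconds as stale, since with traffic flowing WireGuard renews the handshake roughly every two minutes. The sample dump and route table embedded in the script are constructed for illustration; the only page-derived values in them are the endpoint, the tunnel address and the interface names.

```shell
#!/bin/bash
# Added example: decide whether a WireGuard tunnel is really up from
# "wg show <iface> dump" and "ip route show table <n>" output.
# Assumptions: interface wg3 and routing table 203 as in the configuration
# above; 180 s as the longest gap between handshakes on a healthy tunnel.
set -u

WG_IF="${WG_IF:-wg3}"
ROUTE_TABLE="${ROUTE_TABLE:-203}"
MAX_HANDSHAKE_AGE=180

# peer_handshake_status DUMP NOW MAX_AGE
# DUMP is "wg show <iface> dump" text. Peer lines carry the fields
#   pubkey  psk  endpoint  allowed-ips  latest-handshake  rx  tx  keepalive
# Prints "<endpoint> <never|stale|ok> <age-in-seconds-or-->" per peer.
peer_handshake_status() {
    printf '%s\n' "$1" | awk -F'\t' -v now="$2" -v max="$3" 'NR > 1 {
        if ($5 == 0)             { st = "never"; age = "-" }
        else if (now - $5 > max) { st = "stale"; age = now - $5 }
        else                     { st = "ok";    age = now - $5 }
        print $3, st, age
    }'
}

# table_has_default ROUTES IFACE: exit 0 if the policy-routing table text has a
# default route via IFACE (the route the PostUp lines above add so that
# container traffic actually enters the tunnel).
table_has_default() {
    printf '%s\n' "$1" | grep -Eq "^default .*dev $2( |$)"
}

# Constructed sample (not captured from a real host): one peer that never
# completed a handshake but has sent bytes, and one that handshook 90 s
# before "now".
SAMPLE_DUMP=$(
    printf '%s\t%s\t%s\t%s\n' '(hidden)' 'ifacepub=' 'off' 'off'
    printf '%s\t%s\t%s\t%s\t%s\t%s\t%s\t%s\n' 'yyyy=' '(none)' \
        '146.70.201.2:51820' '0.0.0.0/0' 0 0 1180 off
    printf '%s\t%s\t%s\t%s\t%s\t%s\t%s\t%s\n' 'zzzz=' '(none)' \
        '198.51.100.7:51820' '0.0.0.0/0' 1700000000 5120 4096 25
)
SAMPLE_NOW=1700000090
SAMPLE_ROUTES='default via 10.66.39.132 dev wg3
192.168.11.0/24 via 192.168.11.1 dev br0'

# Use the live host when wg and the interface are present (needs root),
# otherwise evaluate the constructed sample so the script also runs offline.
if command -v wg >/dev/null 2>&1 && wg show "$WG_IF" dump >/dev/null 2>&1; then
    dump=$(wg show "$WG_IF" dump)
    routes=$(ip route show table "$ROUTE_TABLE")
    now=$(date +%s)
else
    echo "($WG_IF not available; evaluating constructed sample)"
    dump=$SAMPLE_DUMP; routes=$SAMPLE_ROUTES; now=$SAMPLE_NOW
fi

peer_handshake_status "$dump" "$now" "$MAX_HANDSHAKE_AGE"
if table_has_default "$routes" "$WG_IF"; then
    echo "table $ROUTE_TABLE: default route via $WG_IF present"
else
    echo "table $ROUTE_TABLE: no default route via $WG_IF (PostUp did not run?)"
fi
```

A peer reported as "never" with a non-zero tx counter is the pattern both posts describe: handshake initiations leave the host and nothing comes back, which points at the path to the endpoint (a firewall rule, as in flaminiom's case, or a blocked UDP port) rather than at the routing table. A "stale" peer that once worked points instead at the endpoint having gone away or the keepalive not being set.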
  • 2 weeks later...
On 3/6/2023 at 7:17 AM, mattmill said:

Does anyone know if port forwarding to rTorrent works when using VPN to Docker? Set up a WG connection to Mullvad with a port forward configured. However, in ruTorrent the port is shown as closed. I have done a port mapping in the container's config but it seems unable to pass through the port.

[screenshot]

[screenshot]

Has anyone managed to successfully port forward using Unraid's built-in VPN manager?
