ljm42

WireGuard - VPN Tunneled Access

7 minutes ago, bonienl said:

Yes, you are right. The import parser went wrong on the comment statement(s).

I have made an update with the fix.

 

Thanks.

Awesome. I just tried it with the original version and it imports fine. Thanks for the quick turnaround! :)


Hey,

in your start post, it says "VPN tunneled access - In the future it may be possible to restrict it so that only specific Dockers use the VPN tunnel".
Is there an ETA on that topic? I really want to tunnel my radarr/sabnzbd dockers through VPN 🙂

On 11/28/2019 at 1:58 PM, suRe said:

Hey,

in your start post, it says "VPN tunneled access - In the future it may be possible to restrict it so that only specific Dockers use the VPN tunnel".
Is there an ETA on that topic? I really want to tunnel my radarr/sabnzbd dockers through VPN 🙂

As long as your docker containers are using the bridged network option, they will be routed through the vpn. You can verify this by going into a docker container's shell and typing the below text. (Assuming that the docker has curl)

curl https://ipinfo.io/ip

 

Edited by Dataone


Hi, I am using Mullvad, because my ISP does not allow any port forwarding (for jellyfin and other services). I have port forwarded in Mullvad, it worked fine on Windows before with the Wireguard app, but it does not work here (tested with iperf). Is there a problem with my settings? Or is there some workaround?

1 hour ago, stealthymocha said:

Hi, I am using Mullvad, because my ISP does not allow any port forwarding (for jellyfin and other services). I have port forwarded in Mullvad, it worked fine on Windows before with the Wireguard app, but it does not work here (tested with iperf). Is there a problem with my settings? Or is there some workaround?

 

I know that this is the trick for Plex, but you may be able to do the same with the jellyfin ports.

PostUp  = iptables -t nat -I PREROUTING -p tcp --dport *external port* -j REDIRECT --to-ports 32400 (internal plex port)
PreDown = iptables -t nat -D PREROUTING -p tcp --dport *external port* -j REDIRECT --to-ports 32400 (internal plex port)

 

23 hours ago, Dataone said:

 

I know that this is the trick for Plex, but you may be able to do the same with the jellyfin ports.


PostUp  = iptables -t nat -I PREROUTING -p tcp --dport *external port* -j REDIRECT --to-ports 32400 (internal plex port)
PreDown = iptables -t nat -D PREROUTING -p tcp --dport *external port* -j REDIRECT --to-ports 32400 (internal plex port)

 

Thank you, but it does not seem to be working. I think I'll just reverse proxy from raspberry pi with openvpn.

 

EDIT: OK, I feel stupid. Looks like it was the usual solution: turn the system off and then on again. After reboot, port forwarding works.

Edited by stealthymocha
solution

On 12/2/2019 at 1:53 AM, Dataone said:

As long as your docker containers are using the bridged network option, they will be routed through the vpn. You can verify this by going into a docker container's shell and typing the below text. (Assuming that the docker has curl)


curl https://ipinfo.io/ip

 

Oh, this is perfect. So all "bridged" dockers will route through vpn, and any "custom" docker network adapters, e.g. Container using ReverseProxy adapter will be reachable through normal ISP IP?
Have not updated to RC versions yet, so I can't test it on my own.

11 minutes ago, suRe said:

Oh, this is perfect. So all "bridged" dockers will route through vpn, and any "custom" docker network adapters, e.g. Container using ReverseProxy adapter will be reachable through normal ISP IP?
Have not updated to RC versions yet, so I can't test it on my own.

At least by default I assume so, yes. My containers using bridged all go through the vpn and all containers using br0 use my home network.

 

I'm sure you can set some iptables/routing rules to modify this if you like, though.

On 12/6/2019 at 2:52 PM, Dataone said:

At least by default I assume so, yes. My containers using bridged all go through the vpn and all containers using br0 use my home network.

 

I'm sure you can set some iptables/routing rules to modify this if you like, though.

@Dataone

 

may I ask how you've configured the field "Peer allowed IPs" in your wireguard settings? By default it's set to 0.0.0.0 which routes all traffic on the UnRaid server through the vpn tunnel. I assume you've restricted it to just the docker containers on the bridge?

 

Also, do you know how to block traffic for those selected dockers if the vpn link goes down? Thanks.

On 10/16/2019 at 6:57 AM, ljm42 said:

In the future it may be possible to restrict it so that only specific Dockers use the VPN tunnel.  Until then, you may need to disable the tunnel in order to check for plugin updates or perform other Unraid administrative tasks.

Any approximation of when this is going to be possible? This would be the killer feature, since routing ALL the traffic seems like a little bit too much.

 

Thanks!

On 12/6/2019 at 9:52 PM, Dataone said:

At least by default I assume so, yes. My containers using bridged all go through the vpn and all containers using br0 use my home network.

 

I'm sure you can set some iptables/routing rules to modify this if you like, though.

In my setup, containers using custom networks still go through the vpn 😕

4 hours ago, Jeffarese said:

Any approximation of when this is going to be possible?

Difficult to say, because it is unclear / not yet possible how to do this with WireGuard.

On 12/4/2019 at 5:33 AM, Dataone said:

 

I know that this is the trick for Plex, but you may be able to do the same with the jellyfin ports.


PostUp  = iptables -t nat -I PREROUTING -p tcp --dport *external port* -j REDIRECT --to-ports 32400 (internal plex port)
PreDown = iptables -t nat -D PREROUTING -p tcp --dport *external port* -j REDIRECT --to-ports 32400 (internal plex port)

 

Hi,

How do I go about adding the above to my Wireguard config? Same question with a killswitch. I'm using Mullvad which provides a killswitch in their config file but when I import the config the parser removes it.

 

The Mullvad config looks like this

[Interface]
PrivateKey = -hidden-
Address = 10.64.246.232/32,fc00:bbbb:bbbb:bb01::1:f6e7/128
DNS = 193.138.218.74
PostUp = iptables -I OUTPUT ! -o %i -m mark ! --mark $(wg show %i fwmark) -m addrtype ! --dst-type LOCAL -j REJECT && ip6tables -I OUTPUT ! -o %i -m mark ! --mark $(wg show %i fwmark) -m addrtype ! --dst-type LOCAL -j REJECT
PreDown = iptables -D OUTPUT ! -o %i -m mark ! --mark $(wg show %i fwmark) -m addrtype ! --dst-type LOCAL -j REJECT && ip6tables -D OUTPUT ! -o %i -m mark ! --mark $(wg show %i fwmark) -m addrtype ! --dst-type LOCAL -j REJECT

[Peer]
PublicKey = -hidden-
AllowedIPs = 0.0.0.0/0,::0/0
Endpoint = 103.231.88.2:51820

Once imported it looks like this

[Interface]
PrivateKey= -hidden-
Address=10.64.246.232
PostUp=logger -t wireguard 'Tunnel WireGuard-wg0 started'
PostDown=logger -t wireguard 'Tunnel WireGuard-wg0 stopped'

[Peer]
PublicKey= -hidden-
Endpoint=103.231.88.2:51820
AllowedIPs=0.0.0.0/0,::0/0

Also note that unless I manually remove ,::0/0 from the allowed IPs the tunnel will not connect

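The two configs quoted above show what a lossy import does: the DNS entry, the IPv6 halves of Address and AllowedIPs, and the PostUp/PreDown kill switch are gone, and generic logger hooks are in their place. The kill switch itself is a plain OUTPUT rule: any packet that does not leave via the tunnel interface, does not carry WireGuard's fwmark (the encrypted UDP to the endpoint does), and is not addressed to a local address gets REJECTed, so nothing leaks out over the ISP link if the tunnel drops. The following Python is an added example, not code from the thread or from the Unraid WireGuard plugin. It parses wg-quick style configs (skipping `#` comment lines, which is where bonienl's earlier parser fix was needed), reports which settings an import dropped or changed, strips the IPv6 entries from Address and AllowedIPs (the `,::0/0` workaround in this post), and appends a PostUp/PreDown pair such as the kill switch above or Dataone's Plex redirect from earlier in the thread. The sample configs are constructed from the ones quoted here with the key material replaced by placeholders; the external port 12345 in the redirect is made up, standing in for the "*external port*" placeholder, and 32400 is Plex's port as in Dataone's post.

```python
import re

# Constructed sample configs modelled on the two quoted in this post.
# The key material is replaced by placeholders.
ORIGINAL = """\
# Mullvad-style config with a kill switch. Comment lines like this one
# are what the earlier import parser tripped over.
[Interface]
PrivateKey = PLACEHOLDER_PRIVATE_KEY
Address = 10.64.246.232/32,fc00:bbbb:bbbb:bb01::1:f6e7/128
DNS = 193.138.218.74
PostUp = iptables -I OUTPUT ! -o %i -m mark ! --mark $(wg show %i fwmark) -m addrtype ! --dst-type LOCAL -j REJECT
PreDown = iptables -D OUTPUT ! -o %i -m mark ! --mark $(wg show %i fwmark) -m addrtype ! --dst-type LOCAL -j REJECT

[Peer]
PublicKey = PLACEHOLDER_PUBLIC_KEY
AllowedIPs = 0.0.0.0/0,::0/0
Endpoint = 103.231.88.2:51820
"""

IMPORTED = """\
[Interface]
PrivateKey= PLACEHOLDER_PRIVATE_KEY
Address=10.64.246.232
PostUp=logger -t wireguard 'Tunnel WireGuard-wg0 started'
PostDown=logger -t wireguard 'Tunnel WireGuard-wg0 stopped'

[Peer]
PublicKey= PLACEHOLDER_PUBLIC_KEY
Endpoint=103.231.88.2:51820
AllowedIPs=0.0.0.0/0,::0/0
"""

# Dataone's Plex redirect; 32400 is Plex's port, 12345 is a made-up external port.
REDIRECT_UP = "iptables -t nat -I PREROUTING -p tcp --dport 12345 -j REDIRECT --to-ports 32400"
REDIRECT_DOWN = "iptables -t nat -D PREROUTING -p tcp --dport 12345 -j REDIRECT --to-ports 32400"

SECTION_RE = re.compile(r"\[(\w+)\]")


def parse_wg_config(text):
    """Parse wg-quick syntax into [(section, [(key, value), ...]), ...].
    Order and repeated keys (several PostUp lines) are kept. Text after '#'
    is a comment, as in wg-quick; base64 keys never contain '#'."""
    sections = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        match = SECTION_RE.fullmatch(line)
        if match:
            sections.append((match.group(1), []))
            continue
        if not sections or "=" not in line:
            raise ValueError(f"malformed line: {raw!r}")
        key, _, value = line.partition("=")
        sections[-1][1].append((key.strip(), value.strip()))
    return sections


def import_diff(original, imported):
    """Per section, map each original key whose values the import dropped or
    changed to (original values, imported values). Assumes one section of
    each name, as in these configs."""
    def by_key(cfg):
        out = {}
        for name, pairs in cfg:
            for key, value in pairs:
                out.setdefault(name, {}).setdefault(key, []).append(value)
        return out
    before = by_key(parse_wg_config(original))
    after = by_key(parse_wg_config(imported))
    diff = {}
    for name, keys in before.items():
        for key, values in keys.items():
            got = after.get(name, {}).get(key, [])
            if got != values:
                diff.setdefault(name, {})[key] = (values, got)
    return diff


def strip_ipv6(cfg):
    """Drop IPv6 entries from Address and AllowedIPs (the ',::0/0' workaround)."""
    return [
        (name, [(k, ",".join(a.strip() for a in v.split(",") if ":" not in a))
                if k in ("Address", "AllowedIPs") else (k, v) for k, v in pairs])
        for name, pairs in cfg
    ]


def add_interface_hooks(cfg, post_up, pre_down):
    """Append a PostUp/PreDown pair to [Interface]. PreDown must undo PostUp
    exactly (-I vs -D on the same rule) or the rule outlives the tunnel."""
    return [
        (name, pairs + [("PostUp", post_up), ("PreDown", pre_down)])
        if name == "Interface" else (name, pairs)
        for name, pairs in cfg
    ]


def render(cfg):
    """Serialise back to wg-quick syntax."""
    return "\n\n".join(
        "\n".join([f"[{name}]"] + [f"{k} = {v}" for k, v in pairs])
        for name, pairs in cfg
    ) + "\n"


if __name__ == "__main__":
    for section, keys in import_diff(ORIGINAL, IMPORTED).items():
        for key, (before, after) in keys.items():
            print(f"[{section}] {key}: {before} -> {after or 'DROPPED'}")
    fixed = add_interface_hooks(strip_ipv6(parse_wg_config(IMPORTED)), REDIRECT_UP, REDIRECT_DOWN)
    print(render(fixed))
```

Running the script prints the four [Interface] settings the import lost or replaced (Address, DNS, PostUp, PreDown) and then the edited config with IPv4-only AllowedIPs and the redirect hooks appended. Whatever you write back, keep the tunnel inactive while editing, as Dataone advises below, and re-read the diff before activating: a PostUp that rejects the wrong traffic is how the GUI lock-out later in the thread happens.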

Hello I have a question regarding connecting to multiple servers on Windows. 

The wireguard client on Windows only allows one connection at a time. Is there a way to establish two connections with two separate interfaces?

I have two servers on two different subnets and I can't seem to find a way to connect them simultaneously.  

There is also very little documentation on the windows client. 

On 1/9/2020 at 3:04 AM, Monkeysphere said:

Hi,

How do I go about adding the above to my Wireguard config? Same question with a killswitch. I'm using Mullvad which provides a killswitch in their config file but when I import the config the parser removes it.

 

The Mullvad config looks like this


[Interface]
PrivateKey = -hidden-
Address = 10.64.246.232/32,fc00:bbbb:bbbb:bb01::1:f6e7/128
DNS = 193.138.218.74
PostUp = iptables -I OUTPUT ! -o %i -m mark ! --mark $(wg show %i fwmark) -m addrtype ! --dst-type LOCAL -j REJECT && ip6tables -I OUTPUT ! -o %i -m mark ! --mark $(wg show %i fwmark) -m addrtype ! --dst-type LOCAL -j REJECT
PreDown = iptables -D OUTPUT ! -o %i -m mark ! --mark $(wg show %i fwmark) -m addrtype ! --dst-type LOCAL -j REJECT && ip6tables -D OUTPUT ! -o %i -m mark ! --mark $(wg show %i fwmark) -m addrtype ! --dst-type LOCAL -j REJECT

[Peer]
PublicKey = -hidden-
AllowedIPs = 0.0.0.0/0,::0/0
Endpoint = 103.231.88.2:51820

Once imported it looks like this


[Interface]
PrivateKey= -hidden-
Address=10.64.246.232
PostUp=logger -t wireguard 'Tunnel WireGuard-wg0 started'
PostDown=logger -t wireguard 'Tunnel WireGuard-wg0 stopped'

[Peer]
PublicKey= -hidden-
Endpoint=103.231.88.2:51820
AllowedIPs=0.0.0.0/0,::0/0

Also note that unless I manually remove ,::0/0 from the allowed IPs the tunnel will not connect

 

You'll need to manually edit the config file after importing it (but make sure it isn't active), as I assume that the plugin ignores everything but the keys etc. and generates a config on its own

6 minutes ago, hdlineage said:

Hello I have a question regarding connecting to multiple servers on Windows. 

You have asked this question on 2 different threads. I have split this into the thread you originally asked it on so the responses can be coordinated.


@Dataone thanks, I ended up doing that manually just before you messaged back. It worked in the sense that the rules must have loaded but they must have also been incorrect because it locked me out of the server GUI and I had to reboot. Not sure if the connection worked though.

 

I'm setting up an IP Fire firewall today so I will probably just use that for the killswitch.


So, I got a weird/cool idea I'm trying to work on. I bought a VPS from OVH with a failover IP, and I'm trying to route that public failover IP to the server, that way I can get a publicly static and routable (I'm gonna have a network with multiple sites VPNed together with wireguard :D). So far I can ping the server through the failover IP from my local network (have a static route pointing to the server) and the VPS, but not from the public internet. Anyone got any idea on how to fix that? I can assign the IP to the VPS and it does work there...
Let me know what kind of logs/configs would be helpful and I'll post them.


I have a couple of questions regarding this.

 

Do Dockers still update whilst being routed through the VPN tunnel using Wireguard?

 

And how would one go about tunneling back from out of the network to a VM? As in, how would you connect to the specific tunnel running in Unraid?


Has anyone figured out how to route only a subset of docker containers through the VPN? This seems to be of interest for many of us but I haven't seen a step by step guide on how it would be implemented. Thanks.

Edited by Carlos Talbot

On 1/8/2020 at 10:04 PM, Monkeysphere said:

Also note that unless I manually remove ,::0/0 from the allowed IPs the tunnel will not connect

Was attempting to set up Mullvad as well, and ran into the same issue. When I would leave the VPN settings page and return, the Active slider would become Inactive every time. After manually removing the ,::0/0 it's up and running.


I have wireguard working well. I can connect to my unraid network, and access things like my router on that network. I set it up for Remote Access to LAN. HOWEVER, I can't access other computers on that network? Like in windows, if I try to see network devices, I can't see my unraid server on there. But I can see my local NAS and other devices. AND when I am physically on my Unraid network, I can see the Unraid server in network devices.

 

Any help would be greatly appreciated.  

On 1/9/2020 at 3:04 AM, Monkeysphere said:

Also note that unless I manually remove ,::0/0 from the allowed IPs the tunnel will not connect

Amazing, I spent ages trying to get this to work and this is what was wrong. Removing ,::0/0 sorted it.

Thanks for sharing.

