rukiftw (Author)
Posted April 21, 2020

WARNING: I don't know what I'm doing. Proceed at your own risk.

So our beloved Spaceinvaderone put out a new video on how to share a docker's internet with other dockers. This gave me a new project.

Tasks:
- consolidate dockers which use VPNs, to share one
- test wireguard

OS: Unraid 6.8.3
Container: linuxserver/wireguard
Documentation: https://hub.docker.com/r/linuxserver/wireguard

Container Config:

Extra Parameters:
--cap-add=NET_ADMIN --cap-add=SYS_MODULE --sysctl="net.ipv4.conf.all.src_valid_mark=1" --sysctl net.ipv6.conf.all.disable_ipv6=0

No idea what most of that does, but the ipv6 part disables ipv6, as the docker was throwing errors without it and would stop.

Wireguard Config:

# remove all references to ipv6: interface, address, dns, Peer, allowedIPs, endpoint
# Make the following edits to allow for Internet Kill Switch.
PostUp = iptables -I OUTPUT ! -o %i -m mark ! --mark $(wg show %i fwmark) -m addrtype ! --dst-type LOCAL -j REJECT && ip6tables -I OUTPUT ! -o %i -m mark ! --mark $(wg show %i fwmark) -m addrtype ! --dst-type LOCAL -j REJECT
PreDown = iptables -D OUTPUT ! -o %i -m mark ! --mark $(wg show %i fwmark) -m addrtype ! --dst-type LOCAL -j REJECT && ip6tables -D OUTPUT ! -o %i -m mark ! --mark $(wg show %i fwmark) -m addrtype ! --dst-type LOCAL -j REJECT

Note: this docker does NOT use systemd-resolve, so leaking DNS appears not to be an issue.

At this point everything works, save for local access. Meaning: the container has internet access through the VPN, and the other containers have their internet routed through this one. When the VPN drops, network traffic drops until it reconnects. Passed IPLeak.net. And the speed! I can get 80% of my connection in throughput. OpenVPN was 10%.

Here is where things turn. I made the following edit(s), but none of them allow for local traffic, and they block all traffic. I tried them individually and all together. The error is the same, "ping: sendmsg: Operation not permitted". Both by IP and by DNS. Both local and external. Meaning that when the VPN is connected, no traffic passes, internal or external.

1. Add my local range to the AllowedIPs section in the wg config file.

2. Replace mark scripts with hard coded entries:

PostUp = iptables -P OUTPUT DROP && iptables -A OUTPUT -o <vpn interface id >+ -j ACCEPT && iptables -A INPUT -i lo -j ACCEPT && iptables -A OUTPUT -o lo -j ACCEPT && iptables -A OUTPUT -d 255.255.255.255 -j ACCEPT && iptables -A INPUT -s 255.255.255.255 -j ACCEPT && iptables -A OUTPUT -o eth+ -p udp -m multiport --dports 53,51820 -d <wg server ip> -j ACCEPT && iptables -A OUTPUT -o eth+ -p tcp -m multiport --dports 53 -d <wg server ip> -j ACCEPT && iptables -A OUTPUT -o eth+ ! -d <wg server DNS ip> -p tcp --dport 53 -j DROP && ip6tables -P OUTPUT DROP && ip6tables -A OUTPUT -o <vpn interface id >+ -j ACCEPT

3. Manually add my local LAN as a path:

PreDown = iptables -D INPUT -i eth+ -d 192.168.10.0/24 -j ACCEPT && iptables -D OUTPUT -o eth+ -d 192.168.10.0/24 -j ACCEPT
PostUp = iptables -I INPUT -i eth+ -d 192.168.10.0/24 -j ACCEPT && iptables -I OUTPUT -o eth+ -d 192.168.10.0/24 -j ACCEPT

4. Add every non-addressable range to AllowedIPs:

0.0.0.0/5, 8.0.0.0/7, 11.0.0.0/8, 12.0.0.0/6, 16.0.0.0/4, 32.0.0.0/3, 64.0.0.0/2, 128.0.0.0/3, 160.0.0.0/5, 168.0.0.0/6, 172.0.0.0/12, 172.32.0.0/11, 172.64.0.0/10, 172.128.0.0/9, 173.0.0.0/8, 174.0.0.0/7, 176.0.0.0/4, 192.0.0.0/9, 192.128.0.0/11, 192.160.0.0/13, 192.169.0.0/16, 192.170.0.0/15, 192.172.0.0/14, 192.176.0.0/12, 192.192.0.0/10, 193.0.0.0/8, 194.0.0.0/7, 196.0.0.0/6, 200.0.0.0/5, 208.0.0.0/4, 8.8.8.8/32, 10.64.0.0/10

I hope the working part helps someone. Any ideas on the second part?
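Added example, not part of rukiftw's post: the "every non-addressable range" list above does not have to be typed by hand. It is 0.0.0.0/0 with the three RFC 1918 blocks and the multicast/reserved block 224.0.0.0/3 carved out, after which the post adds 8.8.8.8/32 and 10.64.0.0/10 back in (10.64.0.0/10 is treated here as the VPN provider's internal range only because the post lists it). The script below recomputes that list with Python's ipaddress module, confirms it matches the posted one entry for entry, and reports which destinations wg-quick would send into the tunnel under a given AllowedIPs list. The sample destinations are constructed.

```python
import ipaddress

# The split-tunnel AllowedIPs list posted above (the two trailing entries,
# 8.8.8.8/32 and 10.64.0.0/10, are added back on purpose by the poster).
POSTED_ALLOWED_IPS = (
    "0.0.0.0/5, 8.0.0.0/7, 11.0.0.0/8, 12.0.0.0/6, 16.0.0.0/4, 32.0.0.0/3, 64.0.0.0/2, "
    "128.0.0.0/3, 160.0.0.0/5, 168.0.0.0/6, 172.0.0.0/12, 172.32.0.0/11, 172.64.0.0/10, "
    "172.128.0.0/9, 173.0.0.0/8, 174.0.0.0/7, 176.0.0.0/4, 192.0.0.0/9, 192.128.0.0/11, "
    "192.160.0.0/13, 192.169.0.0/16, 192.170.0.0/15, 192.172.0.0/14, 192.176.0.0/12, "
    "192.192.0.0/10, 193.0.0.0/8, 194.0.0.0/7, 196.0.0.0/6, 200.0.0.0/5, 208.0.0.0/4, "
    "8.8.8.8/32, 10.64.0.0/10"
)

# Ranges the posted list keeps out of the tunnel: the three RFC 1918 blocks plus
# multicast/reserved space (224.0.0.0/3).
DEFAULT_EXCLUDED = ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "224.0.0.0/3")


def split_tunnel_allowed_ips(excluded=DEFAULT_EXCLUDED, extra=()):
    """Return 0.0.0.0/0 minus `excluded`, plus `extra`, as a sorted list of prefixes.
    Each exclusion is carved out of whichever remaining prefix contains it."""
    remaining = [ipaddress.ip_network("0.0.0.0/0")]
    for ex in map(ipaddress.ip_network, excluded):
        carved = []
        for net in remaining:
            if ex.subnet_of(net):
                carved.extend(net.address_exclude(ex))   # split net around ex
            elif not net.subnet_of(ex):
                carved.append(net)                       # untouched by this exclusion
            # else: net lies entirely inside ex and is dropped
        remaining = carved
    result = set(remaining) | set(map(ipaddress.ip_network, extra))
    return [str(n) for n in sorted(result)]


def allowed_ips_line(excluded=DEFAULT_EXCLUDED, extra=()):
    """Format the list the way the [Peer] section of wg0.conf expects it."""
    return "AllowedIPs = " + ", ".join(split_tunnel_allowed_ips(excluded, extra))


def goes_through_tunnel(dst, allowed):
    """True if wg-quick would route `dst` into the tunnel under this AllowedIPs list
    (wg-quick installs one route per AllowedIPs prefix, so coverage decides)."""
    addr = ipaddress.ip_address(dst)
    return any(addr in ipaddress.ip_network(n) for n in allowed)


def matches_posted_list(extra=("8.8.8.8/32", "10.64.0.0/10")):
    """Check that the computed list equals the one posted in the thread."""
    posted = {p.strip() for p in POSTED_ALLOWED_IPS.split(",")}
    return set(split_tunnel_allowed_ips(DEFAULT_EXCLUDED, extra)) == posted


if __name__ == "__main__":
    print(allowed_ips_line(extra=("10.64.0.0/10",)))
    print("posted list reproduced:", matches_posted_list())
    base = split_tunnel_allowed_ips()
    # Constructed sample destinations: public, LAN, provider-internal, docker bridge.
    for dst in ("1.1.1.1", "192.168.10.5", "10.64.0.1", "172.17.0.1"):
        print(dst, "-> tunnel" if goes_through_tunnel(dst, base) else "-> eth0")
```

Because the list is exactly the complement of the excluded blocks, a LAN such as 192.168.10.0/24 is never covered and stays on eth0, while the 8.8.8.8/32 entry is already inside 8.0.0.0/7 and changes nothing; the 10.64.0.0/10 entry is the one that matters, since it re-admits part of 10.0.0.0/8 for the provider's internal DNS.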
Squid
Posted April 21, 2020

You would probably be best hitting up linuxserver on their discord channel for this one, since they've made a conscious decision to not publish it within CA (I can only assume because of this):

    This image is designed for Ubuntu and Debian based systems only.
saarg
Posted April 21, 2020

Aptalca put this one together, so I don't know the details, but as far as I know it's building the needed kernel modules, and that is not something we can easily do on unraid. I know wireguard is included in unraid, but I have no idea if that is all that is needed.
rukiftw (Author)
Posted April 21, 2020

4 hours ago, Squid said:
    You would probably be best hitting up linuxserver on their discord channel for this one, since they've made a conscious decision to not publish it within CA (I can only assume because of

Thanks Squid. I didn't even know they had a discord.

4 hours ago, saarg said:
    Aptalca put this one together, so I don't know the details, but as far as I know it's building the needed kernel modules, and that is not something we can easily do on unraid. I know wireguard is included in unraid, but I have no idea if that is all that is needed.

The wireguard version in unraid doesn't allow you to select which dockers use it and which don't, even though it says it does (VPN tunneled access: Route traffic for specific Dockers and VMs through a commercial WireGuard VPN provider). However, I have not tried to see if it allows local access... that may be the missing key. Thank you for the idea.
saarg
Posted April 22, 2020

10 hours ago, rukiftw said:
    Thanks Squid. I didn't even know they had a discord. The wireguard version in unraid doesn't allow you to select which dockers use it and which don't, even though it says it does (VPN tunneled access: Route traffic for specific Dockers and VMs through a commercial WireGuard VPN provider). However, I have not tried to see if it allows local access... that may be the missing key. Thank you for the idea.

I was only talking about if unraid had the correct modules to get our container to run correctly, not if you could do it using unraid's built-in wireguard support.
rukiftw (Author)
Posted April 22, 2020

Thanks for the help!
danofun
Posted May 1, 2020

I've had some success with allowing local access to Wireguard and its attached containers. I'm running this via docker-compose but it should work in unRAID's GUI as well. Here's what I've added.

Wireguard Container:
- Add environmental variable LAN_NETWORK and populate with your LAN (i.e. 192.168.1.0/24)
- In the wg0.conf config file, add the following to the PostUp and PostDown lines:

PostUp=ip route add $LAN_NETWORK via $(ip route |awk '/default/ {print $3}') dev eth0
PostDown=ip route del $LAN_NETWORK via $(ip route |awk '/default/ {print $3}') dev eth0

You can then designate specific containers to utilize the Wireguard connection.

In the container we want to use with Wireguard:
- Remove all ports, as we will now be connecting to this container via the Wireguard container.
- In docker-compose we'll add a network_mode: service:wireguard line. As for unRAID's GUI, there are a couple of discussions here and here regarding the container network.
- Your attached container needs to start after Wireguard, so add the following:

depends_on:
  - wireguard

Here is a sample docker-compose.yml showing NZBget routing through Wireguard:

version: '3.6'
services:
  # Wireguard
  wireguard:
    image: linuxserver/wireguard
    container_name: wireguard
    restart: always
    ports:
      - 51820:51820/udp
      # nzbget
      - 6789:6789
    volumes:
      - /mnt/user/appdata/wireguard:/config
      - /lib/modules:/lib/modules
    environment:
      LAN_NETWORK: 192.168.1.0/24
      PGID: 100
      PUID: 99
      TZ: America/New_York
    cap_add:
      - NET_ADMIN
      - SYS_MODULE
    sysctls:
      - net.ipv4.conf.all.src_valid_mark=1
      - net.ipv6.conf.all.disable_ipv6=0
  # NzbGET Usenet (NZB) Downloader
  nzbget:
    image: linuxserver/nzbget
    container_name: nzbget
    restart: always
    network_mode: service:wireguard
    volumes:
      - /mnt/user/appdata/nzbget:/config
      - /mnt/user/media:/media
    environment:
      PGID: ${PGID}
      PUID: ${PUID}
      TZ: ${TZ}
    depends_on:
      - wireguard

One item of note, I was unable to make the kill switch work. Any help would be greatly appreciated.

root@8de63d4b329d:/# iptables -I OUTPUT ! -o %i -m mark ! --mark $(wg show %i fwmark) -m addrtype ! --dst-type LOCAL -j REJECT && ip6tables -I OUTPUT ! -o %i -m mark ! --mark $(wg show %i fwmark) -m addrtype ! --dst-type LOCAL -j REJECT
Unable to access interface: No such device
iptables v1.6.1: mark: bad mark value for option "--mark", or out of range.
Try `iptables -h' or 'iptables --help' for more information.
root@8de63d4b329d:/#
rukiftw (Author)
Posted May 5, 2020

The iptables "mark" rules only work when WireGuard routes everything through the tunnel, as it creates an array to block all IPs but 0.0.0.0/0. However, I think the error message is related to something else, like the VPN adapter not being found or a character issue from copy/paste.
ChillyCurve
Posted May 5, 2020

On 5/1/2020 at 12:30 PM, danofun said:
    I've had some success with allowing local access to Wireguard and its attached containers. I'm running this via docker-compose but it should work in unRAID's GUI as well. Here's what I've added....

Thank you for your post, I'm so close to this I can feel it! Were you able to get this working? I've done everything you have; the only thing is that I noticed an error in the wireguard container logs about not finding eth0 for that start up command. Any idea what the container's interface is called? Here's docker compose and wg0.conf for reference:

version: "3.6"
services:
  wireguard-client:
    image: linuxserver/wireguard
    container_name: wireguard-client
    cap_add:
      - NET_ADMIN
      - SYS_MODULE
    environment:
      - LAN_NETWORK=${LAN}
      - PUID=${PUID}
      - PGID=${PGID}
      - TZ=${TZ}
    volumes:
      - /home/serveradmin/remote/docker/wireguard-client:/config
      - /lib/modules:/lib/modules
    ports:
      - 51820:51820/udp
      - 7502:8989 # Sonarr
      - 7501:7878 # Radarr
      - 7500:7880 # Jackett
      - 7505:5075 # nzbhydra2
      - 7506:6789 # nzbget
    sysctls:
      - net.ipv4.conf.all.src_valid_mark=1
    restart: unless-stopped
  radarr:
    image: "linuxserver/radarr"
    container_name: "radarr"
    volumes:
      - /home/serveradmin/remote/docker/radarr:/config
      - /home/serveradmin/remote/downloads/completed:/downloads
      - /home/serveradmin/remote/media/movies:/movies
      - "/etc/localtime:/etc/localtime:ro"
      - /home/serveradmin/remote/docker/shared:/shared
    restart: always
    network_mode: "service:wireguard-client"
    depends_on:
      - wireguard-client
    environment:
      - PUID=${PUID}
      - PGID=${PGID}
      - TZ=${TZ}

and

[Interface]
PrivateKey = xxxx
Address = x.x.x.x/32
DNS = x.x.x.x
PostUp=ip route add x.x.x.x/20 via $(ip route |awk '/default/ {print $3}') dev eth0
PostDown=ip route del x.x.x.x/20 via $(ip route |awk '/default/ {print $3}') dev eth0

[Peer]
PublicKey = xxxx
AllowedIPs = 0.0.0.0/5, 8.0.0.0/7, 11.0.0.0/8, 12.0.0.0/6, 16.0.0.0/4, 32.0.0.0/3, 64.0.0.0/2, 128.0.0.0/3, 160.0.0.0/5, 168.0.0.0/6, 172.0.0.0/12, 172.32.0.0/11, 172.64.0.0/10, 172.128.0.0/9, 173.0.0.0/8, 174.0.0.0/7, 176.0.0.0/4, 192.0.0.0/9, 192.128.0.0/11, 192.160.0.0/13, 192.169.0.0/16, 192.170.0.0/15, 192.172.0.0/14, 192.176.0.0/12, 192.192.0.0/10, 194.0.0.0/7, 196.0.0.0/6, 200.0.0.0/5, 208.0.0.0/4, 8.8.8.8/32, 10.64.0.0/10
Endpoint = x.x.x.x:51820

Thank you!
blade227
Posted June 3, 2020

Have you guys had any luck with this? I am also trying to accomplish the same thing and can't get it working.
rukiftw (Author)
Posted June 20, 2020

Zero further success.
saarg
Posted June 20, 2020

5 hours ago, rukiftw said:
    Zero further success.

Hopefully it will work when the new version of unraid is released.
omsha
Posted July 22, 2020

I think I got this to work. I'm testing this with the linuxserver/deluge container. The output from "curl ipconfig.io" is the wireguard VPN IP. I can access the deluge webGUI through my local LAN.

So, I set up the wireguard container as explained by rukiftw. Did not touch the wireguard conf file, and did not enable the internet kill switch. I also added the environmental variable LAN_NETWORK as mentioned by danofun. Then just followed the Spaceinvader One video https://www.youtube.com/watch?v=znSu_FuKFW0 to force the deluge container through the wireguard one. Also added the deluge ports to the wireguard container. And then added the Postup=ip . . . (see danofun's post) to my wireguard's config file under the [Interface] block.
AndiAUT
Posted July 29, 2020

On 7/23/2020 at 12:01 AM, omsha said:
    I think I got this to work. I'm testing this with the linuxserver/deluge container. The output from "curl ipconfig.io" is the wireguard VPN IP. I can access the deluge webGUI through my local LAN. So, I set up the wireguard container as explained by rukiftw. Did not touch the wireguard conf file, and did not enable the internet kill switch. I also added the environmental variable LAN_NETWORK as mentioned by danofun. Then just followed the Spaceinvader One video https://www.youtube.com/watch?v=znSu_FuKFW0 to force the deluge container through the wireguard one. Also added the deluge ports to the wireguard container. And then added the Postup=ip . . . (see danofun's post) to my wireguard's config file under the [Interface] block.

Yes, this worked for me too. I was able to connect to mullvad and my raspberry wireguard server. Tried it with sonarr and the firefox docker.
Jafalex
Posted August 15, 2020

Hi,

First post on this forum. I'm not even using Unraid (but will look into it), simply using Docker like @danofun seems to be. After 2 days in hell trying to make this work, this post did it for me. Thanks everyone so (so!) much! In the end, it was this exact post which did it for me:

Cheers
Double_J_038
Posted September 16, 2020

Hi Everyone,

Thank you for the great information in this thread. I am adding a few more tweaks and notes below in order to run the native UNRAID Dynamics Wireguard simultaneously with the Linuxserver Wireguard Docker. I now have two working versions of Wireguard running on my machine, with one specifically for use with whatever Dockers I decide to add to the new Wireguard VPN. When initially created, I named my new docker "wireguard4dockers" as shown below.

When downloaded, you have to add a lot of the variables into the template, so this takes time, and if you have an error (like I did the first time), you might think you have lost the data after you click the "apply" button and the template disappears; but if you go to the CA "APPS" tab, you can reinstall the template and pick right back up where you left off.

First off, since you are adding this as a new docker and probably have Wireguard set up on UNRAID already, when you begin to enter your specific information into the template, change the ListenPort so you don't have a conflicting port between this Wireguard docker and the built-in Wireguard in UNRAID. By default the UNRAID Wireguard ListenPort is 51820, which is also the standard ListenPort of the Linuxserver docker.

Secondly, make sure that you set your config properly so the docker saves into your "appdata" folder, using Container Path: /config and Host Path: "your specific location". I initially did not set it up properly and couldn't figure out why my folder was blank, until I realized that I did not put the slash in front of "config". Also, don't forget to add the "config" folder inside your own "wireguard4docker" folder. I also changed my internal SUBNET to something completely different from the built-in Wireguard to avoid any conflicts. Not sure if this was necessary, but I thought it couldn't hurt.

Also, take note that once you get the template created and it has saved as an operational Docker, if you import a pre-made config file into your config folder for this docker, you need to change the name of the file to "wg0" (that's lower case w, g and a zero) or create your new template named as "wg0". This was noted on one of the many pages of posts in the links that danofun included above.

Lastly, I had to include my specific local LAN IP address in the config file in the "PostUp" and "PostDown" lines, part of another tip mentioned to be added to the config file in previous posts; in my file these two lines are:

PostUp=ip route add 195.168.4.0/24 via $(ip route |awk '/default/ {print $3}') dev eth0
PostDown=ip route del 195.168.4.0/24 via $(ip route |awk '/default/ {print $3}') dev eth0

...and going this route I did NOT need to add the following environmental variable into the docker template: "LAN_NETWORK ....populated with your LAN (i.e. 192.168.1.0/24)" noted to add in the above posts.

Here are a few snippets of my "wireguard4docker" template. Please note, I also downloaded the Firefox docker to use to check out connectivity, following other posts on how to link other dockers to your VPN docker.

Firefox ports to add while you are setting up the "wireguard4docker" VPN, created under the "advanced view": port 7814 will be your port to use to get into the Firefox webgui.

Using the posts in this thread, as well as the links provided by everyone, I was able to create a fully functioning secondary Wireguard Docker VPN running in less than an hour, proving that we can in fact use an off-the-shelf existing Wireguard docker template as a VPN for specific Docker Containers, while at the same time utilizing the built-in Wireguard controls for your other VPN needs, thus overcoming the bottleneck and limitation of not being able to have a "VPN tunneled access" tunnel running along with another tunnel instance within the built-in UNRAID Dynamics Wireguard program.

I hope this helps others. I really haven't done anything different other than compile a few critical pieces of information under the same thread. I spend a lot of time browsing the forum for information and am always amazed at what can be found here; but having run through this process this evening I thought this additional data might be helpful for others to have. Kudos and a big thank you to everyone prior who paved the way for amateurs like myself, who are able to stumble through to make something work and confirm that what others have accomplished does in fact work.

Thanks,
rippedwarrior
Posted October 6, 2020

Thanks for this guide @Double_J_038! I was able to get it to work using your guide, but I had one additional piece I needed to do to make it work. I had to remove any IPv6 addresses from the wg0.conf file. Other than that it has worked swimmingly. I'm so happy to have a wireguard client for my dockers. Thanks!
Double_J_038
Posted October 6, 2020

Glad it helped you. Additionally, I recently found and added the docker "Rebuild DNDC" that monitors any custom containers, so any other dockers pointed to your custom wireguard4dockers container will automatically rebuild if the Wireguard container is updated. It is available under the community "APPS" tab. It works 90% of the time updating linked containers without issue. A few times I had to reinstall one of my linking containers, but not a big issue if Community Apps is installed. Here is the support site: https://hub.docker.com/r/eafxx/rebuild-dndc