Wireguard unRAID with eero - Handshake but no data

I already posted this on the unRAID forum, so apologies for duplicating, but this community looks much more active.

The original post is on the unRAID forum, but I've copied and pasted it here.

I’m able to properly configure the Wireguard settings such that my peer can perform the handshake with the server, but I cannot actually do anything over the VPN. No access to internet nor LAN. My network looks something like:

Peer <===> Internet <===> Modem <===> eero <===> unRAID 

I have to forward a port from the modem to the eero and then again from the eero to the unRAID server. This appears to be working because the handshake works followed by some data being sent from the peer to the server but very little data being returned. To complicate matters, I use Adguard as my DNS which is on the unRAID server. I am able to get the handshake working with and without Adguard specified as the DNS but always no internet/LAN access. Here is the Wireguard config for the server:

[Interface]
#Home VPN
PrivateKey=<redacted>
Address=10.253.0.1, fc00:253:0:0::1
ListenPort=51820
PostUp=logger -t wireguard 'Tunnel WireGuard-wg0 started'
PostUp=iptables -t nat -A POSTROUTING -s 10.253.0.0/24 -o br0 -j MASQUERADE;ip6tables -t nat -A POSTROUTING -s fc00:253:0:0::/64 -o br0 -j MASQUERADE
PostDown=logger -t wireguard 'Tunnel WireGuard-wg0 stopped'
PostDown=iptables -t nat -D POSTROUTING -s 10.253.0.0/24 -o br0 -j MASQUERADE;ip6tables -t nat -D POSTROUTING -s fc00:253:0:0::/64 -o br0 -j MASQUERADE
PostUp=ip -4 route flush table 200
PostUp=ip -4 route add default via 10.253.0.1 dev wg0 table 200
PostUp=ip -4 route add 192.168.4.0/22 via 192.168.4.1 dev br0 table 200
PostDown=ip -4 route flush table 200
PostDown=ip -4 route add unreachable default table 200
PostDown=ip -4 route add 192.168.4.0/22 via 192.168.4.1 dev br0 table 200

[Peer]
#iPhone
PublicKey=<redacted>
AllowedIPs=10.253.0.2, fc00:253:0:0::2

The config for the peer:

[Interface]
#iPhone
PrivateKey=<redacted>
Address=10.253.0.2/32, fc00:253:0:0::2/128
DNS=192.168.4.2 #Adguard

[Peer]
#Home VPN
PublicKey=<redacted>
Endpoint=71.38.147.68:51820
AllowedIPs=0.0.0.0/0, ::/0

If anyone could help me resolve this, I would be eternally grateful!

UPDATE 1: When I connect to the VPN, I can ping the local tunnel address and itself (the peer address) at 10.253.0.1 and 10.253.0.2 but nothing else. It makes sense that I cannot reach anything, because it cannot ping the DNS server at 192.168.4.2. The question is what I need to do to allow it to reach the DNS from 10.253.0.x. It seems there is some firewall between the two, but this is all being managed on unRAID, so I am not sure which settings to change.

UPDATE 2: I think I found the root issue. The issue is that the Docker setting `Host access to custom networks` is enabled. I did this so that unRAID can actually use the Adguard DNS as well. However, this makes it such that the wg0 interface cannot access the Docker services on br0. Hence, when you tunnel into the VPN, it cannot access the DNS server nor anything on the LAN. Is it possible to use Adguard with Wireguard on unRAID?

UPDATE 3: I’ve disabled `Host access to custom networks` in Docker settings, but the issue persists. It appears that the issue is not being able to reach the Adguard DNS. I added a public DNS to the peer DNS server and the internet works, but no access to LAN. If anyone has ideas for what to try next, I’m all ears.

FINAL UPDATE: I’ve managed to resolve the issue. I followed the suggestion from this guide: if you have dockers with custom IPs, then you should set `Use NAT` = No and `Host access to custom networks` = enabled. Additionally, you need to set a static route in your router. For me, this was problematic because eero does not support static routes. So, I set the eeros to run in bridge mode and added the static route to my router, and now everything works properly. However, this means you lose some of the nice features of eero. This would be fixed if/when eero adds static route support. Before that happens, if somebody knows how to have eero be the default gateway with a static route to accommodate Wireguard, please post in the comments!
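The symptom in the original post (handshake completes, bytes arrive from the peer, almost nothing goes back) is visible in the counters that `wg show wg0 dump` prints on the server, before touching any routing or Docker setting. The script below is an added example, not code from the thread or from unRAID: it parses that tab-separated dump format (one interface line, then one line per peer: public key, preshared key, endpoint, allowed IPs, latest handshake as a Unix timestamp, rx bytes, tx bytes, keepalive) and classifies each peer. The dump it contains is constructed sample data with made-up peer names and addresses, and the 180-second staleness threshold and the 4:1 rx/tx ratio are my own heuristics, not WireGuard constants.

```shell
#!/bin/sh
# Classify WireGuard peers from `wg show wg0 dump` output to separate
# "no handshake" (keys / port forward) from "handshake but no return
# traffic" (forwarding / NAT / route back into the tunnel subnet).
# On a real server: wg show wg0 dump | classify_dump "$(date +%s)"

tab=$(printf '\t')

# CONSTRUCTED sample dump: one interface line, then four peers.
# Field order per peer: pubkey psk endpoint allowed-ips handshake rx tx keepalive
SAMPLE_DUMP="privkeyREDACTED${tab}srvPUBKEYxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx=${tab}51820${tab}off
iPhonePUBKEYxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx=${tab}(none)${tab}203.0.113.7:41641${tab}10.253.0.2/32,fc00:253::2/128${tab}1700000000${tab}184320${tab}1260${tab}off
laptopPUBKEYxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx=${tab}(none)${tab}(none)${tab}10.253.0.3/32${tab}0${tab}0${tab}0${tab}off
tabletPUBKEYxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx=${tab}(none)${tab}198.51.100.4:5555${tab}10.253.0.4/32${tab}1699990000${tab}50000${tab}42000${tab}25
deskPUBKEYxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx=${tab}(none)${tab}198.51.100.9:6000${tab}10.253.0.5/32${tab}1700000010${tab}50000${tab}42000${tab}25"

# classify_peer LATEST_HANDSHAKE RX_BYTES TX_BYTES NOW -> prints one class word
classify_peer() {
  hs=$1; rx=$2; tx=$3; now=$4
  if [ "$hs" -eq 0 ]; then
    echo no-handshake            # never completed: keys, Endpoint or port forward
  elif [ $((now - hs)) -gt 180 ]; then
    echo stale-handshake         # heuristic: with traffic flowing a session rekeys within ~2 min
  elif [ "$rx" -gt 0 ] && [ $((tx * 4)) -lt "$rx" ]; then
    echo return-path-broken      # heuristic: server hears the peer but (almost) never answers
  else
    echo ok                      # bytes move both ways; the tunnel itself is fine
  fi
}

# hint_for CLASS -> first thing to check for that class
hint_for() {
  case $1 in
    no-handshake)       echo "check ListenPort forwarding on every hop (modem -> eero -> server) and the public keys" ;;
    stale-handshake)    echo "peer went quiet or its Endpoint changed; check keepalive and the port forward" ;;
    return-path-broken) echo "check net.ipv4.ip_forward=1, the MASQUERADE rule's -o interface, and the route back to the tunnel subnet" ;;
    ok)                 echo "tunnel is fine; if LAN/DNS still fails, look at DNS= and host/Docker network isolation" ;;
    *)                  echo "unknown class" ;;
  esac
}

# classify_dump NOW < dump -> one line per peer: "<pubkey prefix> <class> <hint>"
classify_dump() {
  now=$1
  first=1
  while IFS="$tab" read -r pub _psk _endpoint _allowed hs rx tx _keepalive; do
    if [ "$first" -eq 1 ]; then first=0; continue; fi   # skip the interface line
    class=$(classify_peer "$hs" "$rx" "$tx" "$now")
    printf '%.12s %-20s %s\n' "$pub" "$class" "$(hint_for "$class")"
  done
}

# Run against the constructed sample, pretending "now" is 30 s after the iPhone handshake.
printf '%s\n' "$SAMPLE_DUMP" | classify_dump 1700000030
```

In the sample, the iPhone peer has a fresh handshake and 184 KB received against 1.2 KB sent, which is the thread's situation: the tunnel is up, so the next things to check are forwarding, the MASQUERADE `-o` interface and the route back to 10.253.0.0/24, not the keys or the port forward.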

I had a similar issue (Wireguard would handshake, but LAN/Internet access didn’t work), and in my case it was due to my Docker custom network type being set to ipvlan. It was actually causing internet connectivity issues with my server as a whole.

Switching the custom network type to macvlan fixed the issue, although for some folks this can cause kernel panics (I haven’t run into this).

If you are using Docker, it’s worth seeing if your network type is set to ipvlan, and if switching to macvlan fixes things.

Had a similar issue and set it aside to work on something else. Would love to see a detailed guide on this.

I did this so that unRAID can actually use the Adguard DNS as well

Do not do this. There is no need.

OP, I know you’ve already found a solution, but here is an alternative solution if you want to keep “host access to custom networks” enabled and “Use NAT” enabled at the same time, so no need to mess around with custom routing on your router:

https://forums.unraid.net/topic/132677-unraid-wireguard-tunneled-access-while-having-host-access-to-custom-networks-enabled/

Just tried this and no luck. I imagine I don’t need to restart the server since this is a Docker setting.

This works exactly how I wanted, and the eeros do not have to be in bridge mode. This is definitely the solution. The only question is that I don’t exactly understand the difference between shim-br0 and br0. Why is it not the default? Perhaps this is worth adding as an option in the future, as changing any configuration of the VPN will necessitate adding shim- to all the lines again.

Yeah, I believe I didn’t need to do a server reboot for this to take effect. Sorry it didn’t work!