[HowTo] WireGuard with OMV Super-Easy

  • Hello,


    The Wireguard can only connect via intranet, can't access external sites.

    Anybody know why ?

    are you sure you have opened the port on your router?

    In the .conf of the server you should have it set under the parameter:

    ListenPort = xxxxx 

    if this is not open and redirected from the outside to your wireguard server, then you won't be able to reach it from outside.

  • Hi, I have the same issue as tinh_x7: wireguard is working fine to access the smb share of omv through my phone when connected to the wireguard vpn, but I cannot access the internet; using firefox or other apps, it says there is no internet connection.


    The config file of the server seems fine:



    My router is forwarded correctly (otherwise my phone would not work even to browse lan, as I tested it without using the wifi, but only cellular data).

    I'm using the docker container from linuxserver.


    Is it better at this point to discard the container/docker way and go directly the debian way, installing wireguard from buster-backports and configuring it manually instead?

  • Hello Wek,


    For me, the plugin has small foot print, so it's fine to install directly onto OMV.

    If it's something complex like Nextcloud and you don't feel comfortable installing it, then use Docker to be safe.

    Docker is popular and convenient in the virtualization world.

    OMV v5.0
    Asus Z97-A/3.1; i3-4370
    32GB RAM Corsair Vengeance Pro

  • can you check if the host machine is configured to forward ipv4 packets?

    run this command

    Code
    pi@raspberrypi:~ $ sysctl net.ipv4.ip_forward 
    it should result in:
    net.ipv4.ip_forward = 1

    if it's 0 your machine receives packets from the phone which are intended for the outer internet but instead drops them


    also check, on your phone wireguard configuration that the AllowedIP is 0.0.0.0

  • Hi nick2k3 my phone wireguard config also seems fine:

    Code
    [Interface]
    Address = 10.13.13.2
    PrivateKey = xxxxxxxxxxxxx
    ListenPort = 51820
    DNS = 10.13.13.1
    
    [Peer]
    PublicKey = xxxxxxxxxxxx
    Endpoint = mambojambo.duckdns.org:51820
    AllowedIPs = 0.0.0.0/0, ::/0

    and ipv4 forward is also enabled:


    Code
    root@omv:~# sysctl net.ipv4.ip_forward
    net.ipv4.ip_forward = 1

    I don't know what else to think about.

    The only thing that I see strange is DNS = 10.13.13.1 in the config, because my normal intranet gets dns from my isp through 192.168.1.1, but then again I guess wireguard creates another subnet, so I guess it's fine, so I'm out of ideas here.


    tinh_x7 thank you, I was asking more specifically about wireguard, whether it would be better to run it directly on the machine instead of docker because of all the issues the container is giving me, but whatever works is ok. It's just strange that the lan works but not the wan, but as you can see the config seems fine.

  • Hi, I had similar problems. try to change the DNS on your client configuration to 1.1.1.1 or something similar, outside of your network.

    I am afraid that dns requests are not forwarded by the docker gateway to the host's default DNS.


    In my network I use Pihole on another system than the host on which wireguard runs and I have set the DNS on the client to that host. It works!

    But if I leave the self-generated DNS (10.13.13.1 in your case) I had problems.

  • Nope, unfortunately changing dns doesn't work; I tried even with google dns 8.8.8.8, doesn't work.


    Also when I switched back to the normal dns 10.13.13.2 on the android phone, it behaved even stranger: some apps were working, like the youtube app, whatsapp and so on, but not firefox nor gmail...


    mmmh, it seems this docker container is making more trouble than it really needs to. I guess I will delete the container and try to install the proper wireguard on the host itself; as ryecoaaron pointed out the package is in buster-backports. This way I hope I will get rid of the problem of dns requests not being forwarded correctly by the docker gateway.

  • No luck, even installing it on the host itself gives the same result. Also tried cloudflare dns 1.1.1.1, no luck; lan working properly, can access the nas, internet doesn't work.

    I'm totally lost now

  • Even though I was successful using this script in the past, I just wanted to put it out there that the guys at linuxserver released a docker container for wireguard that I helped verify works for omv 4 and 5 with normal and backport kernels. It has some nifty features like easily adding users and re-displaying QR codes if needed.

  • Even though I was successful using this script in the past, I just wanted to put it out there that the guys at linuxserver released a docker container for wireguard that I helped verify works for omv 4 and 5 with normal and backport kernels. It has some nifty features like easily adding users and re-displaying QR codes if needed.

    yep, I used the docker at first, but I'm having this weird issue with not being able to connect to the internet with it while I can connect to my lan. Same with the script; I was just playing around to see what was the culprit, but I got almost the same result with both methods, except maybe with the script a bit worse. I will try again totally manually on the host without the script, and if that doesn't work I will try the docker again.

  • PostUp = iptables -A FORWARD -i %i -j ACCEPT; iptables -A FORWARD -o %i -j ACCEPT; iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
    PostDown = iptables -D FORWARD -i %i -j ACCEPT; iptables -D FORWARD -o %i -j ACCEPT; iptables -t nat -D POSTROUTING -o eth0 -j MASQUERADE

    I see variables in these lines. Are they correctly defined? In my config they point to my wireguard net.
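The two checks this thread keeps returning to (is ip_forward really 1, and does the MASQUERADE rule name the host's actual uplink interface, eth0 versus enp0s25), plus the AllowedIPs check from the earlier reply, as an added offline sanity script. This is example code written for this thread, not part of the linuxserver container or the OMV plugin; the script name wg-check.sh and the config paths are assumptions.

```shell
#!/bin/sh
# Added example: sanity checks for a WireGuard server that must route client
# traffic to the internet. Reads the configs only; changes nothing.

# Interface named by "-o <iface> -j MASQUERADE" on the server's PostUp line.
masq_iface_from_conf() {
    sed -n 's/^[[:space:]]*PostUp.*-o \([^ ]*\) -j MASQUERADE.*/\1/p' "$1" | head -n 1
}

# Interface carrying the host's default route (empty if ip(8) is unavailable).
default_iface() {
    command -v ip >/dev/null 2>&1 || return 0
    ip -o route show default 2>/dev/null |
        awk '{for (i = 1; i < NF; i++) if ($i == "dev") {print $(i+1); exit}}'
}

# 0 if the MASQUERADE interface in config $1 equals the uplink interface $2.
check_masq_iface() {
    want=$(masq_iface_from_conf "$1")
    [ -n "$want" ] && [ "$want" = "$2" ]
}

# 0 if IPv4 forwarding is on; $1 overrides the sysctl file (used for testing).
ip_forward_enabled() {
    f=${1:-/proc/sys/net/ipv4/ip_forward}
    [ -r "$f" ] && [ "$(cat "$f")" = "1" ]
}

# 0 if the client config sends all IPv4 traffic through the tunnel.
client_routes_all_ipv4() {
    grep -E '^[[:space:]]*AllowedIPs' "$1" | grep -q '0\.0\.0\.0/0'
}

# Usage: wg-check.sh /etc/wireguard/wg0.conf [peer1.conf]
main() {
    srv=$1; cli=$2; rc=0
    up=$(default_iface)
    if [ -n "$up" ] && ! check_masq_iface "$srv" "$up"; then
        echo "PostUp masquerades on '$(masq_iface_from_conf "$srv")' but the uplink is '$up'" >&2; rc=1
    fi
    ip_forward_enabled || { echo "net.ipv4.ip_forward is not 1" >&2; rc=1; }
    if [ -n "$cli" ] && ! client_routes_all_ipv4 "$cli"; then
        echo "client AllowedIPs does not include 0.0.0.0/0" >&2; rc=1
    fi
    return $rc
}

# Only run main when executed as the script itself, so the functions can be sourced.
case "$0" in *wg-check.sh) main "$@" ;; esac
```

Run it on the server as root after `wg-quick up wg0`; a non-zero exit plus the message on stderr names the first mismatch.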

  • after some trial and error I managed to make it work through docker; it was just a matter of rebuilding the docker container again and using cloudflare as dns this time. Now everything works like it should.

  • I think I have similar issues to the ones you were encountering Wek, I have been stuck trying all kinds of configurations for weeks now..


    My configuration is the following:

    OMV server running on <MY EXT. IP>

    PiHole DNS running on different server 192.168.0.100


    I'm trying to run Wireguard in docker using the following to create the docker:



    Which produces the following for wg0.conf:

    Code
    [Interface]
    Address = 10.13.13.1
    ListenPort = 51820
    PrivateKey = xxxxxx
    PostUp = iptables -A FORWARD -i %i -j ACCEPT; iptables -A FORWARD -o %i -j ACCEPT; iptables -t nat -A POSTROUTING -o enp0s25 -j MASQUERADE
    PostDown = iptables -D FORWARD -i %i -j ACCEPT; iptables -D FORWARD -o %i -j ACCEPT; iptables -t nat -D POSTROUTING -o enp0s25 -j MASQUERADE
    
    [Peer]
    PublicKey = xxxxxx
    AllowedIPs = 10.13.13.2/32

    Yes, I switched eth0 to enp0s25 because that's the name of my omv ethernet adapter.


    And peer1.conf:

    Code
    [Interface]
    Address = 10.13.13.2
    PrivateKey = xxxxxx
    ListenPort = 51820
    DNS = 1.1.1.1
    
    [Peer]
    PublicKey = xxxxxx
    Endpoint = <MY EXT. IP>:51820
    AllowedIPs = 0.0.0.0/0, ::/0

    Port 51820 is forwarded and the command "sysctl net.ipv4.ip_forward" nicely returns "net.ipv4.ip_forward = 1". I have tried setting "PEERDNS=192.168.0.100", "PEERDNS=1.1.1.1" and "PEERDNS=auto" but result in a working internet connection when connected to wireguard server.


    Am I doing something fundamentally wrong here which is preventing me from succeeding?


    Kind regards,

    Thomas

    ___________________________________________


    Edit: configuring "PEERDNS=192.168.0.100", i.e. setting it to my PiHole and fully rebuilding the docker solved my problems partially. I can now connect to the internet and I can indeed see that my PiHole is handling my DNS requests. However, I cannot access my SMB shares. Is there some kind of firewall rule I need to edit inside OMV that I don't know of to be able to access my shares when using WireGuard vpn?
