Can't access SMB shares remotely using WireGuard VPN in docker

  • Hi all,


    I've asked this question before in an open topic but I think it didn't reach the majority of the users. Therefore I'm creating this new topic in the hope that someone can help me. I have been struggling with the wireguard vpn for months now and I can't get it to work properly. I think I have googled all relevant aspects and tried a lot of things myself but I can't figure out what the problem is. Therefore I'm hoping someone in this community can help me get in the right direction.


    I've set up wireguard using docker using:

    PUID=0 and GUID=0 refers to the root user to avoid permission problems, the SERVERURL=auto gives the correct address and with the dns pointing to my PiHole which runs on a different server. This configuration works in the sense that I'm able to connect to the internet and observe that it uses my PiHole to solve dns requests. However, I'm unable to access my shares on the network I'm connecting to. Tried circumventing my PiHole by using 1.1.1.1 as dns server which resulted in the same issues; can connect to internet but not able to see shares.


    Are there specific OMV firewall rules that I don't know the existence of that prevent me from accessing my shares via the wireguard vpn?



    My configs:


    wg0.conf

    Code
    [Interface]
    Address = 10.13.13.1
    ListenPort = 51820
    PrivateKey = xxxxx
    PostUp = iptables -A FORWARD -i %i -j ACCEPT; iptables -A FORWARD -o %i -j ACCEPT; iptables -t nat -A POSTROUTING -o enp0s25 -j MASQUERADE
    PostDown = iptables -D FORWARD -i %i -j ACCEPT; iptables -D FORWARD -o %i -j ACCEPT; iptables -t nat -D POSTROUTING -o enp0s25 -j MASQUERADE
    [Peer]
    PublicKey = xxxxx
    AllowedIPs = 10.13.13.2/32


    peer1.conf

    Code
    [Interface]
    Address = 10.13.13.2
    PrivateKey = xxxxx
    ListenPort = 51820
    DNS = 192.168.0.100
    [Peer]
    PublicKey = xxxxx
    Endpoint = xxxxx:51820
    AllowedIPs = 0.0.0.0/0, ::/0


    Looking forward to your suggestions,


    Thomas

  • The wg server adresses are setup automatically by the docker image. Connecting to the internet works perfectly fine this way but indeed the problem might be that the smb shares cannot 'see' the wg server. Can you give me some directions how to implement this ip route?

  • You either need to setup a macvlan to get your image on your local network, or run it in host mode and look at the port forwarding options.


    ip route (if you use it) would need to be set up two ways on your host box/router to get stuff from/to both networks.


    Have a look at the macvlan option on my blog post here - it might let you move your wireguard host to macvlan which would be on your own LAN :)


    https://site.gothtech.co.uk/ar…ainer-traefik-letsencrypt

  • So, for the last week I've been using WG on and off LAN with no routing, via a Docker container (in bridge mode) quite happily with no issues.

    Playing audio off my SMB server remotely via JetAudio.


    Some apps are a bit quick to assume they can't "see" SMB due to lag.

  • Hi guys, I'm in the same boat as Thomas.


    My server at home (10.0.1.0/24) has wireguard (10.13.13.0/24) running as a server in a docker container

    This server also is running a dockerized samba share which is perfectly accessible from any windows machine on lan.

    However, it is not accessible from a connected wireguard peer, even though the server lan and wg0 addresses are both pingable from the client.


    ptruman you mentioned the docker container you run is in bridge mode. Did you mean the wireguard container? Could you maybe elaborate or send me the relevant docker-compose settings?


    Kind regards

  • I run into the same issues.

    Either I could use the internal services of my nas or the internet. Not both.

    With the following docker-compose.aml I have access to both at the same time. (pls. adjust the PUID and PGID)


    I hope this helps.

  • Here is my Wireguard config. As mentioned, it runs in BRIDGE mode (set via Portainer). I access it via Traefik (i.e. my router forwards the WG port to my host, and Traefik handles it from there). I use a common DNS name internally and externally, BOTH resolve (internally and externally) to my public IP, and my router handles the hairpin.

    My WireGuard config is:

    I have set my CLIENT (Android) AllowedIPs to be:

    Code
    192.168.1.0/24, 10.13.13.0/24, 0.0.0.0/0

    And my CLIENT (Android) WireGuard DNS is my LAN DNS IP.

    That way Wireguard is (AllowedIP) to see my DNS, the LAN (when DNS resolves internally) and "the internet".

    If you remove 0.0.0.0/0 you won't get internet over WG, which is fine if you don't set "Block Connections Without VPN" in Android - i.e. you'll split tunnel.


    If you're not clear on Traefik, you might want to read my main guide on OMV/Portainer/Traefik which is here : https://site.gothtech.co.uk/ar…ainer-traefik-letsencrypt

    And then read my WireGuard add-on which is here: https://site.gothtech.co.uk/ar…encrypt/wireguard-traefik

Participate now!

Don’t have an account yet? Register yourself now and be a part of our community!