Wireguard connection being blocked by Adguard Home

elsmandino · Sep 9th 2024

Afternoon all.

I followed the OMV7 official guide to get Wireguard up and running on my server and have had no issues access my server, from outside my home network, using the Android Wireguard app.

I have recently, however, installed Adguard Home as a container:

Code

services:
  adguardhome:
    container_name: adguardhome
    image: adguard/adguardhome:latest
    hostname: adguardhome
    restart: unless-stopped
    ports:
      - "192.168.1.19:53:53/udp"
      - "192.168.1.19:53:53/tcp"
#      - "192.168.1.19:3000:3000/tcp"
      - 8083:80/tcp
    volumes:
      - /etc/localtime:/etc/localtime:ro
      - /srv/dev-disk-by-uuid-85c4513d-cfd9-4134-ad11-5d6552e81a81/appdata/adguardhome/work:/opt/adguardhome/work
      - /srv/dev-disk-by-uuid-85c4513d-cfd9-4134-ad11-5d6552e81a81/appdata/adguardhome/conf:/opt/adguardhome/conf
    environment:
      - PUID=1001
      - PGID=100

Display More

Whenever, I run the Adguard container, my phone immediately loses access.

I was not expecting this and cannot quite work out what the issue is.

Any advice on allowing the connection through would be much appreciated.

fbeye · Sep 9th 2024

Maybe has to do with setting the WG DNS to the ADGuard DNS IP? Such as DNS

Code

192.168.1.19

In WG?

Just throwing that out there, like always probably some 10 lines 40 responses will be the correct one.

elsmandino · Sep 11th 2024

Thanks for that.

I have tried to mess around with my settings but the issue remains.

I am a bit of a novice when it comes to networking.

Quote from fbeye
Maybe has to do with setting the WG DNS to the ADGuard DNS IP? Such as DNS
Code
192.168.1.19
In WG?

Just throwing that out there, like always probably some 10 lines 40 responses will be the correct one.

Does this mean that I have somehow set things up so that my system is blocking itself?

elsmandino · Sep 11th 2024

After a bit more research, I can see that a similar issue has come up before:

Issue with docker compose file - General - openmediavault

I am going to update my docker compose file with raulfg3's suggested code:

Code

# Note: 192.168.1.xxx is an example network, you must update all these to match your own.
networks:
  MyMacVlan:
    external: true
services:
  adguard:
    container_name: adguard
    image: adguard/adguardhome:latest
    cap_add:
      - NET_ADMIN
    networks:
      MyMacVlan:                        # <-- MACVlan Name You need to create first in Portainer WebGUI.
        ipv4_address: 192.168.1.3       # <-- Update to your desired adguard IPv4
    volumes:
      - CHANGE_TO_COMPOSE_DATA_PATH/adguard/Work:/opt/adguardhome/work
      - CHANGE_TO_COMPOSE_DATA_PATH/adguard:/opt/adguardhome/conf
    restart: unless-stopped

Display More

I note that I need to set up a MACVlan as described on this page:

omv7:omv7_plugins:docker_compose [omv-extras.org]

The instructions seem quite complicated but do I need to follow the whole guide - i.e. does Adguard require communication between the container and the host? The guide says not, if you are using PiHole.

jata1 · Sep 11th 2024

I have adguard working with either external bridge or macvlan network. So happy to help.

You will not need to use your host ip in the port mappings when using macvlan. so it is worth seeing it it helps with your issue.

jata1 · Sep 11th 2024

Just thinking a little more about your issue and I think it is related to using wireguard to access your omv server?

Can you clarify why you are wanting to do this using a vpn? What is your overall goal with this config?

Im asking as vpn are great but not the only way to access network services over the interweb. I have found secure reverse proxy to work really well and are easier to maintain and extend etc.

ryecoaaron · Sep 11th 2024

Quote from jata1

I have found secure reverse proxy to work really well and are easier to maintain and extend etc.

How is a reverse proxy easier to maintain then setting up wireguard once and never having to touch it again? Reverse proxy security is exposed to everyone on the internet and dependent on the proxy and app(s) security. A vpn only has the vpn to worry about it. If the vpn has security issues, then the attacker would still have to get through the app security.

jata1 · Sep 11th 2024

It really depends on use case. That’s why I asked the OP.

I like using reverse proxy to access home assistant remotely from any client at any time. No vpn client needed.

I have setup Plex to work in the same way. No need to use upnp that opens a port.

Both are set and forget examples.

I do have wireguard setup on my router. I use it occasionally if I’m away from home and really need to access my entire network (and I have my laptop with WireGuard client with me)

elsmandino · Sep 12th 2024

Thanks very much for your further input.

I followed the guide, that I linked (to set up MacVlan, and now have Adguard running with the following container variables:

Code

services:
  adguardhome:
    container_name: adguardhome
    image: adguard/adguardhome:latest
    hostname: adguardhome
    restart: unless-stopped
    ports:
      - 53:53/udp
      - 53:53/tcp
      - 80:80/tcp
    volumes:
      - /etc/localtime:/etc/localtime:ro
      - /srv/dev-disk-by-uuid-85c4513d-cfd9-4134-ad11-5d6552e81a81/appdata/adguardhome/work:/opt/adguardhome/work
      - /srv/dev-disk-by-uuid-85c4513d-cfd9-4134-ad11-5d6552e81a81/appdata/adguardhome/conf:/opt/adguardhome/conf
    environment:
      - PUID=1001
      - PGID=100   
    networks:
      mynet:
        ipv4_address: 192.168.1.241
networks:
  mynet:
    external: true

Display More

Once I remembered to change my router's DNS to the new IP address, everything was running as expected but my Wireguard tunnel is still not working.

My only reason for wanting external access to my server, at the moment, is to use the HomeAssistant app while I am away from home.

However, I was hoping to also add some sort of back up for my photos at some point, when I am out.

As a test, I set up my Wireguard tunnel to only work with my Firefox app.

When the tunnel is down, the app works fine but when it is activated I cannot access anything.

It does seem that Adguard has somehow prevented my use of the Wireguard plugin.

Edit - as a test, I changed my router's DNS back to auto and stopped the Adguard Container.

My Wireguard tunnel still does not work, so there is some change that I have made that is stopping it from running all together.

I have looked at the logs, on my Wireguard app, and it keeps saying

Code

"@set_metadata: update dataspace from GM"

about 10 times per second, so something really odd is going on.

jata1 · Sep 13th 2024

I can’t help too much with your WireGuard setup as I have it setup differently.

Overall, I’m not sure vpn it’s the best solution for remote access to home assistant.

If I were you (and I have been in your situation) I would start simple and then add additional capability/security. My advice:

Adguard on docker bridge network

Port forward router tcp 8123 to your HA setup

Check HA works on lan and remote

Now you have a working system, secure and improve it.

Get a duckdns ddns account (or cloudflare etc)

Research a docker called swag. Get this working with duckdns.

Once you have swag, you can reverse proxy home assistant and any other service on your network.

ryecoaaron · Sep 13th 2024

Quote from jata1

Overall, I’m not sure vpn it’s the best solution for remote access to home assistant.

vpn isn't the problem. The setup is. And I wouldn't expose HA directly to the internet. swag (or other proxy) in front of it would be an important step in my opinion.

elsmandino · Sep 13th 2024

I think my main issue now is that I had a rock solid set up, ticking away nicely, until I messed around with Adguard and I suddenly have no external access to my network.

I used to use PiHole, without any issue, so I might go back to using that (though I have read that it is not quite as good).

I think my first step is to try and undo all the setting I made in my earlier post and see if I still external access - fingers crossed that everything will work again and I consider how best to proceed from there.

chente · Sep 13th 2024

I would check if adding a DNS in the client's Wireguard tunnel configuration resolves it.

elsmandino · Sep 13th 2024

Thanks chente - I shall definitely try that.

What address do you think I should try?

I have changed all the settings back and my Wireguard tunnel still doesn't work - am really gutted as it worked perfectly before and I wish I hadn't messed around with it.

Is there any way to check Wireguard's logs to see what is suddenly doing wrong?

chente · Sep 13th 2024

If the client is Android you can edit the tunnel from the smartphone and add a DNS, it is not necessary to reconfigure the Wireguard tunnel from OMV.

I would add the DNS to which the devices on your network connect, if it is Adguard then the IP of Adguard, if it is your router then the IP of your router

elsmandino · Sep 13th 2024

Thanks chente - I added my router's IP as the DNS and still nothing.

Really confusing.

I really want to avoid having to reinstall the OS, if at all possible.

I checked the Wireguard logs on the app and it again keeps showing the message

Code

Fri Sep 13 19:38:23 GMT +1:00 2024
@set_meddtdata: update dataspace from GM (0x00000000

Over and over again - is that to be expected?

chente · Sep 13th 2024

I don't know what those logs mean but I guarantee that the problem is not the Wireguard plugin, but what Adguard is doing on your server.

If establishing a DNS on the client hasn't worked, I don't have any more ideas, I don't use Adguard so I can't help you with that, sorry.

elsmandino · Sep 13th 2024

Thank you - appreciate your time.

I have stopped the Adguard container and changed back all settings and I cannot work out why it is still messing things up - totally agree that it must be that doing the damage.

I guess that a full OS reinstall is going to be the only way forward.

Out of interest, do you use any alternatives to Adguard such as PiHole?

jata1 · Sep 13th 2024

I have used both pihole and adguard. I use adguard as I prefer it but both do the same thing so it’s a personal choice.

You have adguard running in a docker so you shouldn’t need to reinstall omv.

Stop adguard. Change dns settings on your router to something that works (8.8.8.8). Change your client to use router dns.

Then check this is working. Then try WireGuard again.

chente · Sep 14th 2024

Quote from elsmandino

do you use any alternatives to Adguard such as PiHole?

No. I don't use Pihole or Adguard.

I have a DNS server on my router for local domain forwarding only.

Participate now!