See peers in AdGuard

[lavir]

Hi there, thank you for the docker-compose file.

I have a question. Is it possible to set up (change unbound config/PostUp/PostDown ) so to see peers as clients (10.6.0.0) in AdGuard instead of the Wireguard server (10.2.0.3)?

[fnazz]

Yes, Im assuming you are referring to change the network range here, you will have to update the subnet range from

• private-network : 10.2.0.0/24 to
• private-network: 10.6.0.0/24

Then change corresponding sections where ip's are hard set.

[lavir]

Unfortunately it does not work, or I did something wrong. Below is my docker compose file

networks:
  private_network:
    ipam:
      driver: default
      config:
        - subnet: 10.6.0.0/24

services:
  unbound:
    image: "mvance/unbound:latest"
    container_name: unbound
    restart: unless-stopped
    hostname: "unbound"
    volumes:
      - "./unbound:/opt/unbound/etc/unbound/"
    networks:
      private_network:
        ipv4_address: 10.6.0.200

  wireguard:
    depends_on: [unbound, adguard]
    image: linuxserver/wireguard
    container_name: wireguard
    cap_add:
      - NET_ADMIN
      - SYS_MODULE
    environment:
      - PUID=1000
      - PGID=1000
      - TZ=Europe/London
      - SERVERPORT=51820
      # - SERVERURL=vpn.example.com #optional - For use with DDNS (Uncomment to use)
      - PEERS=1 # How many peers to generate for you (clients)
      - PEERDNS=10.6.0.100 # Set it to point to adguard home
      - INTERNAL_SUBNET=10.6.0.0
      #- ALLOWEDIPS=10.6.0.0/24 # optional - split tunnel for web panel and DNS traffic only
    volumes:
      - ./wireguard:/config
      - /lib/modules:/lib/modules
    ports:
      - "51820:51820/udp"
    sysctls:
      - net.ipv4.conf.all.src_valid_mark=1
    restart: unless-stopped
    networks:
      private_network:
        ipv4_address: 10.6.0.3

  adguard:
    depends_on: [unbound]
    container_name: adguard
    image: adguard/adguardhome
    restart: unless-stopped
    hostname: adguard
    # Volumes store your data between container upgrades
    volumes:
      - "./adguard/opt-adguard-work:/opt/adguardhome/work"
      - "./adguard/opt-adguard-conf:/opt/adguardhome/conf"
    networks:
      private_network:
        ipv4_address: 10.6.0.100

[fnazz]

Did you happen to clean up the docker network/etc? can you pls share the output?

[fnazz]

What does docker network ls docker network inspect show

[lavir]

Sure Before run:

docker network ls
NETWORK ID     NAME      DRIVER    SCOPE
47848a16d86a   bridge    bridge    local
f6aade248719   host      host      local
34956b7e6c90   none      null      local

After run:

docker-compose up --force-recreate

[+] Running 4/2
 ⠿ Network vpn_server_private_network  Created   0.1s
 ⠿ Container unbound                   Created   0.0s
 ⠿ Container adguard                   Created   0.0s
 ⠿ Container wireguard                 Created   0.0s
Attaching to adguard, unbound, wireguard
unbound    | [1649327317] libunbound[21:0] error: udp connect failed: Cannot assign requested address for 2001:500:2f::f port 53
unbound    | [1649327317] libunbound[21:0] error: udp connect failed: Cannot assign requested address for 2001:500:1::53 port 53
unbound    | [1649327317] libunbound[21:0] error: udp connect failed: Cannot assign requested address for 2001:500:2::c port 53
unbound    | [1649327317] libunbound[21:0] error: udp connect failed: Cannot assign requested address for 2001:503:c27::2:30 port 53
adguard    | 2022/04/07 10:28:37.844667 [info] AdGuard Home, version v0.107.5
adguard    | 2022/04/07 10:28:37.856614 [info] Initializing auth module: /opt/adguardhome/work/data/sessions.db
adguard    | 2022/04/07 10:28:37.856779 [info] auth: initialized.  users:1  sessions:4
adguard    | 2022/04/07 10:28:37.856814 [info] Initialize web module
adguard    | 2022/04/07 10:28:37.858112 [info] AdGuard Home is available at the following addresses:
adguard    | 2022/04/07 10:28:37.858248 [info] Go to http://127.0.0.1:80
adguard    | 2022/04/07 10:28:37.858254 [info] Go to http://10.6.0.100:80
adguard    | 2022/04/07 10:28:37.870438 [info] Starting the DNS proxy server
adguard    | 2022/04/07 10:28:37.870477 [info] Cache TTL override is enabled. Min=60, Max=1200
adguard    | 2022/04/07 10:28:37.870483 [info] The server is configured to refuse ANY requests
adguard    | 2022/04/07 10:28:37.870488 [info] DNS cache is enabled
adguard    | 2022/04/07 10:28:37.870495 [info] MaxGoroutines is set to 300
adguard    | 2022/04/07 10:28:37.870502 [info] Fastest IP is enabled
adguard    | 2022/04/07 10:28:37.870518 [info] Creating the UDP server socket
adguard    | 2022/04/07 10:28:37.870615 [info] Listening to udp://[::]:53
adguard    | 2022/04/07 10:28:37.870621 [info] Creating a TCP server socket
adguard    | 2022/04/07 10:28:37.870670 [info] Listening to tcp://[::]:53
adguard    | 2022/04/07 10:28:37.872495 [info] Entering the UDP listener loop on [::]:53
adguard    | 2022/04/07 10:28:37.872587 [info] Entering the tcp listener loop on [::]:53
wireguard  | [s6-init] making user provided files available at /var/run/s6/etc...exited 0.
wireguard  | [s6-init] ensuring user provided files have correct perms...exited 0.
wireguard  | [fix-attrs.d] applying ownership & permissions fixes...
wireguard  | [fix-attrs.d] done.
wireguard  | [cont-init.d] executing container initialization scripts...
wireguard  | [cont-init.d] 01-envfile: executing...
wireguard  | [cont-init.d] 01-envfile: exited 0.
wireguard  | [cont-init.d] 01-migrations: executing...
wireguard  | [migrations] started
wireguard  | [migrations] no migrations found
wireguard  | [cont-init.d] 01-migrations: exited 0.
wireguard  | [cont-init.d] 02-tamper-check: executing...
wireguard  | [cont-init.d] 02-tamper-check: exited 0.
wireguard  | [cont-init.d] 10-adduser: executing...
wireguard  | -------------------------------------
wireguard  | GID/UID
wireguard  | -------------------------------------
wireguard  |
wireguard  | User uid:    1000
wireguard  | User gid:    1000
wireguard  | -------------------------------------
wireguard  |
wireguard  | [cont-init.d] 10-adduser: exited 0.
wireguard  | [cont-init.d] 30-module: executing...
wireguard  | Uname info: Linux a46019f815ed 5.4.0-104-generic #118-Ubuntu SMP Wed Mar 2 19:02:41 UTC 2022 x86_64 x86_64 x86_64 GNU/Linux
wireguard  | **** It seems the wireguard module is already active. Skipping kernel header install and module compilation. ****
wireguard  | [cont-init.d] 30-module: exited 0.
wireguard  | [cont-init.d] 40-confs: executing...
wireguard  | **** Server mode is selected ****
wireguard  | **** SERVERURL var is either not set or is set to "auto", setting external IP to auto detected value of ***.***.***.*** ****
wireguard  | **** External server port is set to 51820. Make sure that port is properly forwarded to port 51820 inside this container ****
wireguard  | **** Internal subnet is set to 10.6.0.0 ****
wireguard  | **** AllowedIPs for peers 0.0.0.0/0, ::/0 ****
wireguard  | **** Peer DNS servers will be set to 10.6.0.100 ****
wireguard  | **** No wg0.conf found (maybe an initial install), generating 1 server and 1 peer/client confs ****
wireguard  | grep: /config/peer*/*.conf: No such file or directory
wireguard  | PEER 1 QR code: **************
wireguard  | [cont-init.d] 40-confs: exited 0.
wireguard  | [cont-init.d] 90-custom-folders: executing...
wireguard  | [cont-init.d] 90-custom-folders: exited 0.
wireguard  | [cont-init.d] 99-custom-scripts: executing...
wireguard  | [custom-init] no custom files found exiting...
wireguard  | [cont-init.d] 99-custom-scripts: exited 0.
wireguard  | [cont-init.d] done.
wireguard  | [services.d] starting services
wireguard  | [services.d] done.
wireguard  | [#] ip link add wg0 type wireguard
wireguard  | [#] wg setconf wg0 /dev/fd/63
wireguard  | .:53
wireguard  | CoreDNS-1.9.1
wireguard  | linux/amd64, go1.17.8, 4b597f8
wireguard  | [#] ip -4 address add 10.6.0.1 dev wg0
wireguard  | [#] ip link set mtu 1420 up dev wg0
wireguard  | [#] ip -4 route add 10.6.0.2/32 dev wg0
wireguard  | [#] iptables -A FORWARD -i wg0 -j ACCEPT; iptables -A FORWARD -o wg0 -j ACCEPT; iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE

docker network ls
NETWORK ID     NAME                         DRIVER    SCOPE
47848a16d86a   bridge                       bridge    local
f6aade248719   host                         host      local
34956b7e6c90   none                         null      local
e5d4b244e6e9   vpn_server_private_network   bridge    local

docker network inspect e5d4b244e6e9
[
    {
        "Name": "vpn_server_private_network",
        "Id": "e5d4b244e6e980490a0871982cac11cbb85e3f53e652bd3fac28a98a7ca97aa4",
        "Created": "2022-04-07T10:28:36.739401726Z",
        "Scope": "local",
        "Driver": "bridge",
        "EnableIPv6": false,
        "IPAM": {
            "Driver": "default",
            "Options": null,
            "Config": [
                {
                    "Subnet": "10.6.0.0/24"
                }
            ]
        },
        "Internal": false,
        "Attachable": false,
        "Ingress": false,
        "ConfigFrom": {
            "Network": ""
        },
        "ConfigOnly": false,
        "Containers": {
            "0d34482e354dda96d6136595990514f86e80c42944a3ac5b6541967cff4890cf": {
                "Name": "unbound",
                "EndpointID": "dfb1a3e29a93e43c05ab682ce4e50fe1db0291602784c6cf2345f2220d4e7d80",
                "MacAddress": "02:42:0a:06:00:c8",
                "IPv4Address": "10.6.0.200/24",
                "IPv6Address": ""
            },
            "63be4c2d1958b90b10b9b9229367a295816d4716c2540eec8b62a80e93d775f4": {
                "Name": "adguard",
                "EndpointID": "6744d014bce21ecc8d496329b9226894c0dbd6eae2647f2821ef74e66e0822a4",
                "MacAddress": "02:42:0a:06:00:64",
                "IPv4Address": "10.6.0.100/24",
                "IPv6Address": ""
            },
            "a46019f815eda0499c578a454d7dca02974f95ce156e1ec266851a311425083e": {
                "Name": "wireguard",
                "EndpointID": "f914245b28f3b4af61506764cb74baea0a0441b8972852d8f50afe39c7a75926",
                "MacAddress": "02:42:0a:06:00:03",
                "IPv4Address": "10.6.0.3/24",
                "IPv6Address": ""
            }
        },
        "Options": {},
        "Labels": {
            "com.docker.compose.network": "private_network",
            "com.docker.compose.project": "vpn_server",
            "com.docker.compose.version": "2.4.0"
        }
    }
]

# wg0.conf
[Interface]
Address = 10.6.0.1
ListenPort = 51820
PrivateKey = *****************************************
PostUp = iptables -A FORWARD -i %i -j ACCEPT; iptables -A FORWARD -o %i -j ACCEPT; iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
PostDown = iptables -D FORWARD -i %i -j ACCEPT; iptables -D FORWARD -o %i -j ACCEPT; iptables -t nat -D POSTROUTING -o eth0 -j MASQUERADE

[Peer]
# peer1
PublicKey = *****************************************
AllowedIPs = 10.6.0.2/32

# Peer1
[Interface]
Address = 10.6.0.2
PrivateKey = *****************************************
ListenPort = 51820
DNS = 10.6.0.100

[Peer]
PublicKey = *****************************************
Endpoint = ***.***.***.***:51820
AllowedIPs = 0.0.0.0/0, ::/0

[fnazz]

problem is this section unbound | [1649327317] libunbound[21:0] error: udp connect failed: Cannot assign requested address for 2001:500:2f::f port 53

one more thing is your external-subnet is : 10.2.0.0/24 (assigned to client ip address) when connects through vpn client. internal-subnet is : 10.6.0.0/24 ( used for communication between the containers)

Coming back to your original question, you want to use 10.6.0.0 range for your client ip address, certainly you can do that but its not safe, as the client can access the adguard/unbound docker containers , hence two different subnets.

Hope that explains

[lavir]

I run it on Ubuntu 20.04.4 LTS (GNU/Linux 5.4.0-104-generic x86_64) as root user

It's a new clean instance, it has nothing else I will try to fix it. At least the first 2 solutions found on google did not help.

Coming back to your original question, you want to use 10.6.0.0 range for your client ip address, certainly you can do that but its not safe, as the client can access the adguard/unbound docker containers , hence two different subnets.

My goal is to be able to recognize users in AdGuard, and apply some rules separately. For that, I need somehow to route DNS requests directly from the user (internal-subnet) to Adguard Right now in AdGuard is Wireguard IP (10.2.0.3)

I can run AdGuard independent of all. But setting DNS IP to it does not route to Adguard.

[fnazz]

My goal is to be able to recognize users in AdGuard, and apply some rules separately. For that, I need somehow to route DNS requests directly from the user (internal-subnet) to Adguard Right now in AdGuard is Wireguard IP (10.2.0.3)

You will be able to do that without needing to change subnets, once adguard is up and running, refer to this issue and instructions https://github.com/AdguardTeam/AdGuardHome/issues/2704

Also, I notice Adguard is also starting at 53 port for dns resolution, since you are using unbound, you can disable that.

[lavir]

I have tried. Nothing.

The problem is to resolve the hostname you need to know the client's IP address (10.6.0.2), but Wireguard resolves DNS from its own IP (10.2.0.3). Below is debug info from AdGuard: adguard | 2022/04/07 15:17:26.503975 1#6517 [debug] github.com/AdguardTeam/dnsproxy/proxy.(*Proxy).udpHandlePacket(): Start handling new UDP packet from 10.2.0.3:51767

I'm not 100% sure. Maybe I need to configure CoreDNS which is used in the Wireguard container. But to that, I need to build my own image.

Or maybe I want too much :)

[Pr0mises]

@lavir Were you able to do so? I had the same idea but wasn't able to do so. I made multiple reddit posts about it: adguard wireguard

[lavir]

Unfortunately no. I also have tried many other ideas, all of them unsuccessful :(

[burjuyz]

Any updates regarding this issue?

[Pr0mises]

Any updates regarding this issue?

I'm using https://github.com/iganeshk/adwireguard-dark

Works perfect. No unbound though