Wireguard VPN in a virtual machine and LAN/WAN access with Nextcloud

Hi all, I am new to Ubuntu (22.04 - server with CLI only) but have some experience with Linux in general. I have been attempting to learn and set up a home-based (Snap) Nextcloud server to migrate away from iCloud/Google Drive. I have an old desktop PC I am utilizing as a test bed for this.

So far I have 3 virtual machines set up via Oracle VM, all running Ubuntu server CLI only.

  1. Nextcloud with NIC bridged to LAN (192.168.1.10)
  2. NGINX with NIC bridged to LAN (192.168.1.11) and Wireguarded to VLAN (10.10.10.11)
  3. Wireguard with NIC bridge to LAN (192.168.1.13) forwarded to VLAN (10.10.10.10)

From my host machine, or any other device on my LAN, I can access Nextcloud directly or via NGINX via the 192.168.xx LAN system.
I can PING between 10.10.10.10 and 11 from within the Wireguard and NGINX VMs.

However, I have no communication from my LAN to the Wireguard VLAN; I have tried setting Wireguard IP addresses to be a part of the 192. network - as in a peer-to-site on an internal device - but it just errors out. I have tried to set up Wireguard on the host, but it fails with either IP address associated with the Wireguard VM.

I have tried following setups from about 5 different “guides” off the internet, including the one in the Ubuntu docs, but none of them seem to address interfacing with a virtual machine. Does anyone have any online references I can read, or some experience they can share about setting something like this up? It seems to be a common idea, but it also seems most people use docker containers instead.

Can I assume that by “VLAN 10.10.10.x” you mean a Wireguard VPN between VMs 2 and 3 - a point-to-point link?
If I’m guessing wrong, ignore the rest of this post because I don’t understand your network configuration.

For other machines on 192.168.1.x to be able to communicate with the addresses on the Wireguard network 10.10.10.x, they must have a route that tells them the next hop that they have to send their packets to. A simple check is to use the command ip route get 10.10.10.10 and see where it thinks it needs to send the packet to. The only answer that will get the packets to the VPN will be via 192.168.10 or 11.

Additionally, whichever VM they are trying to go via needs to have IP forwarding enabled, to tell them they are allowed to forward packets that they receive onwards in the right direction (default is to just drop packets not addressed to themselves). Search “linux enable IP forwarding” for details.
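The two checks in this reply (the LAN host's next hop for the VPN subnet, and IP forwarding on the VM it goes through), as an added shell script that is not part of the thread. It assumes the addresses used above: VPN subnet 10.10.10.0/24, the Wireguard VM at 192.168.1.13 and the NGINX VM at 192.168.1.11; the sample route output in the usage path is what ip route get prints on a typical host.

```shell
#!/bin/sh
# Added example (not from the thread). Two functions mirror the two
# conditions named in the reply: a correct next hop on the LAN host and
# net.ipv4.ip_forward=1 on the VM that relays into the WireGuard network.

# next_hop "<output of: ip route get ADDR>" -> prints the gateway after
# "via", or "direct" when the kernel would send straight out an interface.
next_hop() {
    printf '%s\n' "$1" | awk '{
        for (i = 1; i < NF; i++) if ($i == "via") { print $(i + 1); exit }
        print "direct"
    }'
}

# forwarding_enabled [path] -> exit 0 when the kernel forwards packets.
# Reads /proc/sys/net/ipv4/ip_forward unless another file is given (the
# optional path exists so the check can be exercised on a copied value).
forwarding_enabled() {
    f="${1:-/proc/sys/net/ipv4/ip_forward}"
    [ -r "$f" ] && [ "$(cat "$f")" = "1" ]
}

# lan_route_ok "<ip route get output>" GATEWAY... -> exit 0 when the chosen
# next hop is one of the listed WireGuard-capable VMs; otherwise prints the
# route that would fix it (assumed subnet 10.10.10.0/24) and exits 1.
lan_route_ok() {
    hop=$(next_hop "$1")
    shift
    for gw in "$@"; do
        [ "$hop" = "$gw" ] && return 0
    done
    echo "next hop is '$hop', not a WireGuard VM; on the LAN host try:" >&2
    echo "  sudo ip route add 10.10.10.0/24 via $1" >&2
    return 1
}

# check_this_host -> runs both checks live on the machine it is executed on.
# On a LAN client only the route matters; on the relaying VM both do.
check_this_host() {
    out=$(ip route get 10.10.10.10 2>/dev/null) || {
        echo "no route to 10.10.10.10 at all" >&2; return 1; }
    lan_route_ok "$out" 192.168.1.13 192.168.1.11 || return 1
    forwarding_enabled || echo "ip_forward is 0 (fine on a client, wrong on the VM)" >&2
}

# Live checks only when explicitly requested, so sourcing the file is harmless.
[ "${1:-}" = "live" ] && check_this_host
```

Run it as `sh vpn-check.sh live` on the LAN host and then on the Wireguard VM; the functions can also be sourced and fed saved ip route get output.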

Hi cantankerousoldgit, yes, you are correct in that VLAN = Wireguard VPN between the machines.

I have made a few discoveries and clarified some things in my mind since I posted this.

I was under the impression that my NGINX server had to be within my VPN; it is now my understanding that the Wireguard server simply acts as a proxy within whichever (LAN) system it is embedded in. I have since removed the NGINX server from the VPN and have my Wireguard server communicating with its outside peer. My system now looks like this.

  1. Nextcloud in LAN (192.168.1.10)
  2. NGINX in LAN (192.168.1.11)
  3. Wireguard in LAN (192.168.1.13) VPN (10.10.10.10)
  4. Desktop Peer outside of LAN, VPN (10.10.10.11)

This allows Desktop to (tunnel) handshake w/ Wireguard, but it is still blocked from accessing my NGINX proxy. I suspect this is a routing and/or firewall issue as you suggest. I will keep digging and report back any findings I come up with. Thank you for your time!

Edited to add, I found this guide https://www.procustodibus.com/blog/2020/11/wireguard-point-to-site-config/ and thus far it has been the most informative source for wireguard setup that I have found.

That tutorial includes some iptables settings in your configuration. They also have a version of their tutorials using UFW if you have a somewhat uncomplicated deployment, and also one for nftables users.

For troubleshooting Wireguard, this is a good resource:
https://documentation.ubuntu.com/server/how-to/wireguard-vpn/troubleshooting/