Unable to connect to TimeMachine via VPN (Wireguard or Tailscale)?

[QuantumForced]

Describe the Bug

Hi, I often travel and would like my Macbook to backup to my Unraid TimeMachine share while I'm abroad. I'm fairly new to docker/unraid/networking, so excuse any incorrect terminology. I used the Community Apps tab within Unraid to add this docker container, it works great while at home. However, using '.local' isn't supported by either VPN when trying to connect to the share in Finder, so I have set 'Fixed IP address' in the Unraid container options to 192.168.1.27, as instructed here on the Unraid forum. At this point, the share continues to work internally. However, if I now enable Wireguard or Tailscale while outside of my home network, my Macbook is unable to connect to the share:

There was a problem connecting to the server "192.168.1.27".
The server may not exist or it is unavailable at this time. Check the server name or IP address, check your network connection and then try again.

Here's a screenshot of the Unraid container settings, the docker run command is also detailed below + log.

I must be missing something, any help would be really appreciated - thank you

Expected Behavior

Successful connection to TimeMachine via Wireguard or Tailscale after setting Fixed IP Address.

Steps to Reproduce

1. Enable WireGuard VPN or TailScale
2. Attempt to connect to share via MacOS Finder

How You're Launching the Container

docker run
  -d
  --name='TimeMachine'
  --net='br0'
  --ip='192.168.1.27'
  -e TZ="America/Los_Angeles"
  -e HOST_OS="Unraid"
  -e HOST_HOSTNAME="quantumbox"
  -e HOST_CONTAINERNAME="TimeMachine"
  -e 'VOLUME_SIZE_LIMIT'='2 T'
  -e 'TM_USERNAME'='timemachine'
  -e 'PASSWORD'='Z92efVNcokU26x'
  -e 'ADVERTISED_HOSTNAME'='timemachine'
  -e 'CUSTOM_SMB_CONF'='false'
  -e 'CUSTOM_USER'='false'
  -e 'DEBUG_LEVEL'='0'
  -e 'MIMIC_MODEL'='TimeCapsule8,119'
  -e 'EXTERNAL_CONF'=''
  -e 'HIDE_SHARES'='no'
  -e 'TM_GROUPNAME'='timemachine'
  -e 'TM_UID'='1000'
  -e 'SET_PERMISSIONS'='false'
  -e 'SMB_INHERIT_PERMISSIONS'='no'
  -e 'SMB_NFS_ACES'='yes'
  -e 'SMB_METADATA'='stream'
  -e 'SMB_PORT'='445'
  -e 'SMB_VFS_OBJECTS'='acl_xattr fruit streams_xattr'
  -e 'WORKGROUP'='WORKGROUP'
  -e 'TM_GID'='1000'
  -e 'SHARE_NAME'='TimeMachine'
  -l net.unraid.docker.managed=dockerman
  -l net.unraid.docker.icon='https://upload.wikimedia.org/wikipedia/de/f/f4/Time_Machine_%28Apple%29_Logo.png'
  -v '/mnt/user/timemachine/':'/opt/timemachine':'rw'
  --hostname timemachine 'mbentley/timemachine'

Container Logs

chpasswd: password for 'timemachine' changed
dbus-daemon[43]: [system] org.freedesktop.DBus.Error.AccessDenied: Failed to set fd limit to 65536: Operation not permitted
Found user 'avahi' (UID 86) and group 'avahi' (GID 86).
Successfully dropped root privileges.
avahi-daemon 0.8 starting up.
WARNING: No NSS support for mDNS detected, consider installing nss-mdns!
Loading service file /etc/avahi/services/smbd.service.
Joining mDNS multicast group on interface eth0.IPv4 with address 192.168.1.27.
New relevant interface eth0.IPv4 for mDNS.
Joining mDNS multicast group on interface lo.IPv4 with address 127.0.0.1.
New relevant interface lo.IPv4 for mDNS.
Network interface enumeration completed.
Registering new address record for 192.168.1.27 on eth0.IPv4.
Registering new address record for 127.0.0.1 on lo.IPv4.
Server startup complete. Host name is timemachine.local. Local service cookie is 1554246600.
Service "timemachine" (/etc/avahi/services/smbd.service) successfully established.
INFO: CUSTOM_SMB_CONF=false; generating [global] section of /etc/samba/smb.conf...
INFO: Creating /var/log/samba/cores
INFO: Avahi - generating base configuration in /etc/avahi/services/smbd.service...
INFO: Avahi - using timemachine as hostname.
INFO: Avahi - adding the 'dk0', 'TimeMachine' share txt-record to /etc/avahi/services/smbd.service...
INFO: Group timemachine doesn't exist; creating...
INFO: User timemachine doesn't exist; creating...
INFO: Setting password from environment variable
INFO: INFO: CUSTOM_SMB_CONF=false; generating [TimeMachine] section of /etc/samba/smb.conf...
INFO: Samba - Created Added user timemachine.
INFO: Samba - Enabled user timemachine.
INFO: Samba - setting password
INFO: SET_PERMISSIONS=false; not setting ownership and permissions for /opt/timemachine
INFO: Avahi - completing the configuration in /etc/avahi/services/smbd.service...
INFO: running test for xattr support on your time machine persistent storage location...
INFO: xattr test successful - your persistent data store supports xattrs
INFO: Detected filesystem for /opt/timemachine is fuse.shfs
INFO: entrypoint complete; executing 's6-svscan /etc/s6'
dbus socket not yet available; sleeping...
nmbd version 4.18.5 started.
Copyright Andrew Tridgell and the Samba Team 1992-2023
smbd version 4.18.5 started.
Copyright Andrew Tridgell and the Samba Team 1992-2023
*****

Samba name server TIMEMACHINE is now a local master browser for workgroup WORKGROUP on subnet 192.168.1.27

*****

Additional Context

No response

[mbentley]

Can you manually connect to the Samba share using Finder when you’re on your VPN? Just curious if it is a routing problem when connected to the VPN.

Not sure how well it’ll perform over a connection like that but then again, it’s not exactly the fastest over any network.

[QuantumForced]

I am able to connect to Samba shares (such as: appdata, media) while Wireguard or Tailscale is turned on, ie 'smb://192.168.1.30/appdata'. However, 'smb://192.168.1.27/TimeMachine' leads to the error 'There was a problem connecting to the server "192.168.1.27"' while either VPN is turned on, but works fine with either VPN turned off.

[mbentley]

Sounds like a VPN config issue. If you post some wireguard configs without the private keys, I can spot check them.

[QuantumForced]

Here's some of the configs I've tried with Wireguard:

'Remote access to LAN'

[Interface]
PrivateKey = XYZ
Address = 10.253.0.2/32
DNS = 192.168.1.254

[Peer]
PublicKey = XYZ
PresharedKey = XYZ
AllowedIPs = 10.253.0.1/32, 192.168.1.0/24
Endpoint = 217.42.29.240:51820

'Remote tunneled access'

[Interface]
PrivateKey = XYZ
Address = 10.253.0.2/32
DNS = 192.168.1.254

[Peer]
PublicKey = XYZ
PresharedKey = XYZ
AllowedIPs = 0.0.0.0/0
Endpoint = 217.42.29.240:51820

[mbentley]

Looks like you're not forwarding any traffic. Typically that is done using PostUp/PostDown commands with iptables to allow forwarding on the end on your network (the "server", not the "client"); something similar to what's found here: https://www.reddit.com/r/WireGuard/comments/ky2kfg/wireguard_for_internet_and_remote_lan_access_my/

[QuantumForced]

Apologies for the late reply here! The two configs I posted above are client configs (not sure if you wanted the server one, in hindsight probably, i have added it below). In respect to the two client configs above, the first one grants me access to my LAN devices and the second one grants me access to my LAN + routes my internet traffic as I can see it changes my public IP address to that of my home. However, neither of the two allow me to connect to the time machine share on 192.168.1.27

Server config:

[Interface]
#QVPN
PrivateKey=XYZ
Address=10.253.0.1
ListenPort=51820
PostUp=logger -t wireguard 'Tunnel WireGuard-wg0 started';/usr/local/emhttp/webGui/scripts/update_services
PostUp=iptables -t nat -A POSTROUTING -s 10.253.0.0/24 -o br0 -j MASQUERADE
PostDown=logger -t wireguard 'Tunnel WireGuard-wg0 stopped';/usr/local/emhttp/webGui/scripts/update_services
PostDown=iptables -t nat -D POSTROUTING -s 10.253.0.0/24 -o br0 -j MASQUERADE
PostUp=ip -4 route flush table 200
PostUp=ip -4 route add default via 10.253.0.1 dev wg0 table 200
PostUp=ip -4 route add 192.168.1.0/24 via 192.168.1.254 dev br0 table 200
PostDown=ip -4 route flush table 200
PostDown=ip -4 route add unreachable default table 200
PostDown=ip -4 route add 192.168.1.0/24 via 192.168.1.254 dev br0 table 200

[Peer]
#QWG-LAN
PublicKey=XYZ
PresharedKey=XYZ
AllowedIPs=10.253.0.2

[Peer]
#QWG-TUNNELED
PublicKey=XYZ
PresharedKey=XYZ
AllowedIPs=10.253.0.3

I'm seeing some stuff in there related to 'br0', which I also notice is what's selected in the container settings under 'Network Type = Custom : br0' (see my screenshots at the top of the thread)

[mbentley]

When I had wireguard setup, I had this for my PostUp iptables rules with enp3s0 being my wireguard server's network interface:

PostUp = iptables -A FORWARD -i %i -j ACCEPT; iptables -t nat -A POSTROUTING -o enp3s0 -j MASQUERADE
PostDown = iptables -D FORWARD -i %i -j ACCEPT; iptables -t nat -D POSTROUTING -o enp3s0 -j MASQUERADE

I fumble my way through iptables where I learn what I need to and quickly forget it after I've saved itso I am not sure if I would be of any help in understanding the differences there or if it would have any impact if you do not have the forwarding enabled.

[Nackophilz]

I've had no problems via TailScale, and no need to do any special configuration (via Tailscale Unraid plugin + macOS client).

Edit : Oups, forget it, doesnt work , i just mounted the drive on macOS with tailscale, but timemachine can't backup on it ^^

[QuantumForced]

Quick update: turns out a subnet clash while over VPN was the reason I was having issues. I recently setup an OPNsense firewall in place of my ISP's router, and resolved the issue upon changing from a 192.x address to a 10.x + assigning a static route. Not sure if I should close this, please close if appropriate - many thanks