Everything posted by ljm42

  1. Try the timeout command: timeout 10 wget --user=user --password='pw' ftp://adr:port/file -O /root/keyfile That will start wget and then kill it if it is still running after 10 seconds. More details here: https://www.howtoforge.com/linux-timeout-command/
  2. Wireguard is very difficult to troubleshoot because it fails silently - there are no error messages or logs. But based on what you've said, it sounds like your port forward isn't working correctly. By default the guide gets you set up with one of the "split tunneling" options, where only traffic destined for your server (or LAN) goes through the tunnel. If you want all your traffic to go through the tunnel you need to choose the "Remote tunneled access" option instead. I'd suggest getting "Remote access to LAN" working first though.
  3. Try getting a free config from TunSafe and comparing them to see what is different? Also note the comment about DNS in the OP
  4. Am I wrong or does their implementation require you to use their NordLynx client? If so that won't work with the standard WireGuard client that we use. If you can provide a link that shows how to download a standard WireGuard config file, I'll link to that.
  5. The problem seems to be unique to your installation of Firefox. Try a new Private Window in Firefox. If that doesn't work, create a new blank profile: https://support.mozilla.org/en-US/kb/profile-manager-create-remove-switch-firefox-profiles
  6. That is a good data point, thanks! Oh and for the record, I am using UPnP. With bridging (not bonding) on br0.
  7. It isn't just you. I complicated my network a bit to try and reproduce this, and I'm seeing it too. I amended the guide to acknowledge this. Still looking for a solution. I'm glad everything is working for you @nuhll, but your network is rather unique; I'm not sure how we can leverage that into a solution that will work for everybody.
  8. I have amended the guide, there is now a section for "Complex Networks" that talks about setting "Use NAT" to "No" and adding a static route in your router. This is needed if you have Dockers with custom IPs or certain VM setups. These changes should allow everything on the network to work normally. However, as several people have seen, your WireGuard clients may not be able to access those Dockers or VMs. This still needs to be figured out. If you find a solution, please comment
  9. Not sure what happened, but hopefully you saw this in the Troubleshooting section of the guide:
  10. Activity with no handshake is odd, I don't think I have seen that before. Not sure what you mean by "static route"? Are you trying to get around issues with VMs or dockers? I'd remove that until you get the basics down first. I'd recommend you start with the scenario in the guide, "remote access to LAN". If you can get that working that will prove all the basics are good. If you have issues with that, go through the troubleshooting section with a fine tooth comb. Once you have the basics working you can move on to the other options.
  11. No, as mentioned in the first post, you really need to trust the people that you give this VPN access to. Regardless of which access type you choose, assume the user could get full access to your LAN. If you really want to do it, you could potentially put WireGuard on a raspberry pi on its own VLAN. But that is well beyond the scope of what we are trying to do with this plugin.
  12. Depends on what you are trying to do. See the description and diagram in the first post of this thread.
  13. OK, so 192.168.20.1 is the direct IP of your router, without using VPN. And 10.8.0.1 is some sort of VPN running on your router? I see no evidence of Unraid being used as a gateway or anything super strange like that. I would look closer at how your router determines whether to send traffic through 10.8.0.1 or 192.168.20.1. Is it based on IP address or MAC address maybe? If so, you'll have to figure out why the router thinks the IP or MAC has changed.
  14. On the VM, try running "tracert www.google.com" in various configurations and see what changes. That will show you the path that the system is taking to get out to Google.
  15. I don't use dockers with custom IPs. The best information is in this thread, I'd suggest following the discussion over there rather than starting a new one. Not that I can see. As mentioned in the OP, I'd suggest using a hosts file if you must have name resolution. You could possibly use the LAN's DNS server, but that doesn't make sense for split tunneling.
  16. When I was testing a few days ago, it seemed like I needed to add a DNS server for "Remote tunneled access" to work. Maybe I was just tired or something because my Android is currently connected using an unedited config file and it is working fine. All traffic is going through WireGuard without having to make any customizations. During this time I did upgrade the host from rc1 to rc3, which includes a newer version of WireGuard. So it is possible that made a difference. Edit - I did find a use case where you NEED to enter a DNS server for the tunnel. When my Windows laptop is connected to my home network via wifi, if I type "nslookup" it shows the DNS server is my local router. If I then make a "Remote tunneled access" connection to an Unraid system on another network, the router on my network is no longer available for DNS. So I have to include a DNS server in the WireGuard config. Specifying either the remote router or a global server like 8.8.8.8 works equally well.
  17. Diagnostics showing the problem are critical to helping understand what happened and how to prevent it for other people.
  18. You are getting lots of these errors: Unraid-Server kernel: tun: unexpected GSO type: 0x0, gso_size 1366, hdr_len 1432 Also see:
  19. Unraid uses PHP's built-in session handler. So once you have been inactive for an hour (i.e. you close the tab that was logged in to Unraid), anytime a PHP script runs there is a 1% chance that it will run PHP's session cleanup code and delete your session. If the session hasn't been deleted, then the next time you access a page in the Unraid webgui the session will be extended.

      Sessions are based on temporary cookies. So you can also kill your session by completely closing your browser or by deleting your cookies. Note that if you just close a tab that will not delete the temporary cookies.

      If you leave a tab open and pointed at the Unraid webgui, there are scripts that poll the server regularly that will prevent the session from timing out.

      So to recap:

        • If you log in to the Unraid webgui and leave the tab open, it is unlikely that the session will ever expire and log you out.
        • If you close the tab, you could be logged out after one hour but it may not happen.
        • If you close the browser entirely or otherwise clear your cookies, you will be logged out.
  20. Thanks for this call out, I've added it to the Troubleshooting section. I think you might be right about needing to specify a DNS server when in "Remote tunneled access" mode. I'll do some more testing.
  21. Note: this community guide is offered in the hope that it is helpful, but comes with no warranty/guarantee/etc. Follow at your own risk.

      This guide explains how to make an outgoing WireGuard VPN connection to a commercial VPN provider. If you are trying to access your Unraid network from a remote location, see the original WireGuard quickstart guide.

      Commercial VPN Providers

      Several commercial VPN providers support WireGuard, a few are listed below. No endorsement is implied, you need to research and determine which one meets your needs. Comment below if you are aware of others:

        • TunSafe (currently free)
        • Azire VPN
        • Mullvad
        • IVPN

      Note that with the current state of WireGuard, VPN providers cannot guarantee the same amount of privacy as they can with OpenVPN. See: https://restoreprivacy.com/wireguard/ Typically the objections are not around security, but around the fact that it is harder for them to guarantee that they cannot track you.

      Configuring VPN tunneled access

        • Download a config file from your preferred commercial VPN provider
        • On the Settings -> VPN Manager page, click the "Import Config" button and select the file on your hard drive. This will create a new tunnel specific to this provider. There are no settings to change, except perhaps to give it a name. Click Apply. Note: You do not need to forward any ports through your router for this type of connection
        • Change the Inactive slider to Active

      Now ALL of your Unraid traffic will go through the commercial VPN tunnel. In the future it may be possible to restrict it so that only specific Dockers use the VPN tunnel. Until then, you may need to disable the tunnel in order to check for plugin updates or perform other Unraid administrative tasks.

      Note that currently Unraid will ignore any DNS server that is specified in the downloaded config file. Unraid's DNS should be set to something that will work whether the tunnel is up or down, such as 8.8.8.8 and 8.8.4.4

      Testing the tunnel

        • Using Community Applications, install a browser such as the jlesage/Firefox Docker container
        • Accept all defaults
        • Launch Firefox and visit https://whatismyipaddress.com/ - you should see that your IP address is in the country you selected when you signed up with the provider
  22. From the 6.8.0-rc1 release notes:

      Hi plugin authors, Unraid 6.8 includes a Content Security Policy metatag that blocks mixed content from loading:

      <meta http-equiv="Content-Security-Policy" content="block-all-mixed-content">

      This means if the page is loaded over https and you try to include an http image/JS/CSS file, that resource will not load. It has no effect on pages that are loaded by http. More info here: https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy/block-all-mixed-content

      Refusing to load http content helps prevent man-in-the-middle attacks and ISP snooping. Anyway, if your plugin has issues loading content in 6.8, check to see whether the content is being loaded over regular http and change it to https.

      Also, if your plugin creates any popup dialog boxes of its own, please ensure they include both of these metatags:

      <meta name="robots" content="noindex, nofollow">
      <meta http-equiv="Content-Security-Policy" content="block-all-mixed-content">

      The first will keep well-behaved search engines from indexing the popup (although it is now somewhat redundant with the robots.txt file). And the second ensures that mixed content is not allowed on your popup. There should be no ill effects if a plugin implements this and it is installed on an earlier version of Unraid.

      Here is the relevant PR showing the changes that were needed to implement this in the webgui: https://github.com/limetech/webgui/pull/523
  23. You can set them to run "at first array start only". I'd prefer if you could run them prior to starting the array, but most of the time it is a close approximation to "at boot". Also, it will run php scripts as well.
  24. To clarify, what did you use for the DNS server? Was it the router on Unraid's LAN or something else?
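
For the Content Security Policy post above (item 22), a plugin author can audit a popup's HTML before release for resources still loaded over plain http and for the two metatags the post asks for. This is an added example, not part of the original post or of the Unraid webgui; the names `FETCH_ATTRS`, `PopupAudit` and `audit`, the sample page and the `example.invalid` hosts are constructed for illustration.

```python
from html.parser import HTMLParser

# Attribute that triggers a subresource fetch, per tag. <a href> is
# navigation, not a resource load, so it is deliberately not listed.
# Not covered here: url() references inside CSS and URLs built by scripts.
FETCH_ATTRS = {
    "img": "src", "script": "src", "iframe": "src", "audio": "src",
    "video": "src", "source": "src", "embed": "src", "link": "href",
}
# The two metatags quoted in the post, keyed by (attribute, value).
REQUIRED_META = {
    ("name", "robots"): "noindex, nofollow",
    ("http-equiv", "content-security-policy"): "block-all-mixed-content",
}

class PopupAudit(HTMLParser):
    def __init__(self):
        super().__init__()
        self.insecure = []      # (tag, url) pairs fetched over plain http
        self.meta_seen = set()  # REQUIRED_META keys present on the page

    def handle_starttag(self, tag, attrs):
        a = {k.lower(): (v or "") for k, v in attrs}
        if tag == "meta":
            for (attr, name), wanted in REQUIRED_META.items():
                if a.get(attr, "").lower() == name and wanted in a.get("content", "").lower():
                    self.meta_seen.add((attr, name))
        url = a.get(FETCH_ATTRS.get(tag, ""), "").strip()
        if url.lower().startswith("http://"):
            self.insecure.append((tag, url))

def audit(html):
    """Return http:// subresources and any required metatag that is missing."""
    p = PopupAudit()
    p.feed(html)
    missing = sorted(name for (_, name) in REQUIRED_META.keys() - p.meta_seen)
    return {"insecure": p.insecure, "missing_meta": missing}

# Constructed sample popup: CSP metatag missing, two http:// loads.
SAMPLE = """<html><head>
<meta name="robots" content="noindex, nofollow">
<link rel="stylesheet" href="http://cdn.example.invalid/popup.css">
</head><body>
<img src="https://cdn.example.invalid/logo.png">
<script src="http://cdn.example.invalid/popup.js"></script>
<a href="http://example.invalid/help">help</a>
</body></html>"""

if __name__ == "__main__":
    print(audit(SAMPLE))
```

Every entry under `insecure` is a resource the browser will refuse to load once the page is served over https with the 6.8 policy in place.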