WireGuard VPN not working on UnRAID Server


Hi all,

So a few days ago my USB failed for Unraid. I formatted the USB drive and restored my flash backup from My Servers.

The server came back up and my array etc. is all intact and fine.

I also recently upgraded to the latest Unraid 6.10.3, so WireGuard is now a native package as part of the OS.

I just had a reason to use my VPN now, and realised that my WireGuard VPN isn't working.

I'm not sure if it's from the upgrade or the restore, since I haven't used the VPN for about a month or so.

From testing, my clients do connect to WireGuard and show status Active. However, nothing will load.

On checking the log I see the error "Handshake for peer 1 (myipaddress:51820) did not complete after 5 seconds, retrying (try 2)".

I've tried deleting the VPN and recreating it, and recreated all my keys etc., but still no change.

It looks like something happened to my Unraid's networks perhaps.

I looked at the wg config in Unraid (nano /etc/wireguard/wg0.conf) and noticed it should be trying to create some network rules:

PostUp=logger -t wireguard 'Tunnel WireGuard-wg0 started'
PostUp=iptables -t nat -A POSTROUTING -s 10.253.0.0/24 -o br0 -j MASQUERADE
PostDown=logger -t wireguard 'Tunnel WireGuard-wg0 stopped'
PostDown=iptables -t nat -D POSTROUTING -s 10.253.0.0/24 -o br0 -j MASQUERADE
PostUp=ip -4 route flush table 200
PostUp=ip -4 route add default via 10.253.0.1 table 200
PostUp=ip -4 route add 192.168.1.0/24 via 192.168.1.254 table 200
PostDown=ip -4 route flush table 200
PostDown=ip -4 route add unreachable default table 200
PostDown=ip -4 route add 192.168.1.0/24 via 192.168.1.254 table 200

I spun up a test machine and tried to set this up with WireGuard, and again I have the same issue with no data transfer.

If I try to run these rules manually, I do get an error with adding the default rule: "Nexthop has invalid gateway." This is the same on both my test and production Unraid servers.

root@Tower:~# logger -t wireguard 'Tunnel WireGuard-wg0 started'
root@Tower:~# iptables -t nat -A POSTROUTING -s 10.253.0.0/24 -o br0 -j MASQUERADE
root@Tower:~# ip -4 route flush table 200
root@Tower:~# ip -4 route add default via 10.253.0.1 table 200
Error: Nexthop has invalid gateway.
root@Tower:~# ip -4 route add 192.168.1.0/24 via 192.168.1.254 table 200
root@Tower:~# 

When I look at network routes on both Unraid servers, I don't see any entry for the 10.253.0.0/24 network:

root@TOWER:~# ip route show
default via 192.168.1.254 dev br0 proto dhcp src 192.168.1.205 metric 1010 
172.17.0.0/16 dev docker0 proto kernel scope link src 172.17.0.1 
172.31.200.0/24 dev br-746f3d6b4b8d proto kernel scope link src 172.31.200.1 linkdown 
192.168.1.0/24 dev br0 proto dhcp scope link src 192.168.1.205 metric 1010 

 

Can anyone shed some light on how to get this working again? 

Solved by Benbarian

  • Solution

Hi,

I'm experiencing almost similar issues since today. I have multiple clients running and none of them can be activated. I did not really change anything in regards to the settings.

I noticed that the Dashboard, where all the WG connections are displayed, says "tunnel active: 0, inactive: 1" and the switch button at the WG settings can't be turned on. It stays inactive no matter what.

[attached screenshot]

Is this the same case on your side?

I won't have the chance to reboot my Unraid and would love to not have to delete and set up the WG config again. And I would really like to know what the trigger for this situation was in general.

Hi,

I found the cause: in one of the peers, the "Local endpoint" was missing a dot. So if some info is incorrect at the peers, the whole tunnel does not seem to work.

To get the debug info, the following command was used:

wg-quick up wg0

Hope it helps.
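A pre-flight check for the kind of typo found above, added here as an example (it is not code from the thread or from Unraid): once an endpoint is written into a wg-quick style config as `Endpoint = host:port`, a host part with a missing dot is no longer a valid IPv4 literal, `wg-quick up` rejects the file and the tunnel never becomes active. The thread does not show which file Unraid writes the "Local endpoint" field into, so the script lints a constructed config of my own; the keys are placeholders and the second peer's endpoint has the missing dot on purpose.

```shell
#!/bin/sh
# Added example (not from the thread or from Unraid): lint the Endpoint= line
# of every [Peer] in a wg-quick style config before starting the tunnel.
# A host part with a missing dot is not a valid IPv4 literal, so `wg-quick up`
# fails and the tunnel never becomes active.

# Constructed sample config: keys are placeholders, peer 2's endpoint has the
# missing dot on purpose.
SAMPLE_CONF='[Interface]
PrivateKey = PLACEHOLDER_PRIVATE_KEY
Address = 10.253.0.1/24
ListenPort = 51820

[Peer]
PublicKey = PLACEHOLDER_PEER1_KEY
AllowedIPs = 10.253.0.2/32
Endpoint = 203.0.113.10:51820

[Peer]
PublicKey = PLACEHOLDER_PEER2_KEY
AllowedIPs = 10.253.0.3/32
Endpoint = 203.0.11310:51820'

# valid_ipv4 ADDR -> exit 0 if ADDR is exactly four decimal octets in 0..255
valid_ipv4() {
  ( IFS=.; set -- $1
    [ $# -eq 4 ] || exit 1
    for o; do
      case "$o" in ''|*[!0-9]*) exit 1 ;; esac
      [ "$o" -le 255 ] || exit 1
    done )
}

# valid_endpoint HOST:PORT -> exit 0 if PORT is 1..65535 and HOST is either a
# well-formed IPv4 literal or a name (anything containing letters or brackets,
# e.g. a DNS name or a [bracketed] IPv6 literal, is accepted unchecked).
valid_endpoint() {
  host=${1%:*}; port=${1##*:}
  [ "$host" != "$1" ] || return 1                      # no port separator
  case "$port" in ''|*[!0-9]*) return 1 ;; esac        # non-numeric port
  [ "$port" -ge 1 ] && [ "$port" -le 65535 ] || return 1
  case "$host" in
    *[!0-9.]*) return 0 ;;
    *) valid_ipv4 "$host" ;;
  esac
}

# lint_endpoints CONF -> prints one line per bad Endpoint= and returns the
# number of bad endpoints (0 means the file passes this check).
lint_endpoints() {
  bad=0; peer=0
  while read -r line; do
    case "$line" in
      "[Peer]") peer=$((peer + 1)) ;;
      Endpoint*=*)
        ep=$(printf '%s' "${line#*=}" | tr -d ' \t')
        if ! valid_endpoint "$ep"; then
          echo "peer $peer: bad endpoint '$ep'"
          bad=$((bad + 1))
        fi ;;
    esac
  done <<EOF
$1
EOF
  return $bad
}

lint_endpoints "$SAMPLE_CONF" || echo "$? endpoint(s) need fixing before wg-quick up"
```

On a real system the same function can be pointed at the generated file with `lint_endpoints "$(cat /etc/wireguard/wg0.conf)"`; a non-zero return is a reason to inspect the peer settings before toggling the tunnel.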

9 hours ago, Benbarian said:

To get the debug info, the following command was used:

wg-quick up wg0

Excellent troubleshooting. FYI, for normal operation you should always start a tunnel from the WebGUI as it does a few extra steps.

BTW, the next release of Unraid will log the output of wg-quick to make it easier to troubleshoot this sort of thing.

  • 2 weeks later...

Just to follow up... starting with Unraid 6.11.0-rc1, we now log what happens when we attempt to start and stop WireGuard tunnels (note: this does not log connections, just the results of running `wg-quick up wg0` and `wg-quick down wg0`).

This will eliminate the need to manually run `wg-quick up wg0` to see what is going on.

You can view the log by opening a web terminal and typing:

cat /var/log/wg-quick.log

 

  • Author

Mine was embarrassingly stupid. I had already generated new keys; it was the first thing I did.

I assumed from the logs on the clients saying they were Active that it was finding the server, so WireGuard was "running".

Turned out after restoring, I needed to reactivate the Tunnel.

[attached screenshot]

Super basic, but perhaps for the future there should be a red banner or something saying the Tunnel isn't active, or that toggle should be red?

Did a lot of unnecessary troubleshooting because it wasn't easily apparent that I needed to switch that from being grey, since I set up WireGuard so long ago.

  • 2 years later...

Got an issue where my wg instances couldn't be enabled.

The `wg-quick up wg0` command helped me figure out what was going on.

It turns out that after I changed the network my Unraid was on (moved from a regular TP-Link router to OPNsense), WireGuard did not update its route table, and that even after several reboots from the network change.

The fix was to change a prop (for example, the DNS address) on at least one of the peers and then click on apply, then repeat that for each tunnel. That did the needed updates and I was then able to activate the tunnels.

Thanks to @Benbarian for the hint!

Edited by devexa
