laterdaze

WireGuard VPN support


I think supporting wireguard would be very useful for a lot of users.  It could make unRAID a preferred home based cloud storage device.  At least for me, anyway ;>)

I built wireguard using the latest Slackware live iso and the info at https://slackbuilds.org/repository/14.2/network/WireGuard/ but couldn't figure out how to insert it into the unRAID kernel.  Probably would be trivial for you guys but not clear to me.


Did you try and create a wireguard VM? Doesn't have to be slack. That should be trivial. Unraid KVM makes it easy.

Adding to base OS is not trivial

Sent from my chisel, carved into granite

21 hours ago, tr0910 said:

Did you try and create a wireguard VM? Doesn't have to be slack. That should be trivial. Unraid KVM makes it easy.

Adding to base OS is not trivial

Sent from my chisel, carved into granite
 

I have only tried what I described so far.  Since it seems WireGuard will be in the Linux kernel soon I just thought it would be a natural fit for unRAID. I just see remotely separated unRAID systems bi-directionally syncing data via WireGuard VPN with no need for a particularly powerful router as just port forwarding would be required.  I do something similar with pfSense/OpenVPN and rclone. A private personal cloud by invitation only.


I look forward to these kinds of tools becoming more easily accessible. However you and I are in the minority. Unraid's biggest user group are data hoarders, who don't really care much about security. I'm glad Tom keeps the product fresh and fully patched.

 

Never hurts to ask. If he can do it easily, it may happen.

 

Sent from my chisel, carved into granite

 

 

 

 


For what it's worth, I accomplished the same thing by employing OPNSense routers running WireGuard VPN software on both sites.  Using rclone cron jobs I can copy/sync/move folders between my unRAID servers.  Probably better this way, no additional setup in the router other than WireGuard.  Works great.


any news on wireguard in unraid?

 

I'd like to connect my unraid build to my public server already running wireguard as a secure tunnel to home. I guess now the only way would be to have an additional VM running as the wireguard client?


Wireguard++

I created a simplified app to create wireguard mesh networks with docker, maybe can be used as application for unraid, but first we need the kernel module!

https://github.com/segator/wireguard-dynamic

 

I use wireguard for network overlay for my multisite kubernetes cluster.

Now I would like to be able to add baremetal unraid as a worker


The next release has wireguard included. The GUI component to manage wireguard will be available as a plugin.

 

On 8/20/2019 at 3:31 AM, bonienl said:

The next release has wireguard included. The GUI component to manage wireguard will be available as a plugin.

 

As in next beta of 6.7.3?  Or another version?

46 minutes ago, dorgan said:

As in next beta of 6.7.3?  Or another version?

I would expect it to be a 6.8 beta or rc.

1 minute ago, segator said:

Have a look at the repo https://github.com/segator/wireguard-dynamic there are instructions and explanation, if you have questions after reading that let me know

Unraid 6.8 has a full fledged WireGuard implementation and GUI to manage WireGuard tunnels and peers.

Maybe I should rephrase my question: "what does your app add to the existing WireGuard implementation in Unraid 6.8" ?

 


I'm not a fan of GUIs. I understand that for a lot of people this may not be interesting. I'm not trying to say that this implementation is better than the current one, it is a different alternative :)

 

my app provides:
- Automatic  configuration on all the nodes of the cluster (new/update/remove nodes)

- Support for dynamic IP: it updates the endpoint of the node whose public IP changed on the rest of the nodes.

 

 


It seems you build WireGuard in a Docker container, this approach loses all the advantages of WireGuard in Unraid 6.8

- Native support in kernel and associated high performance

- Instant availability of WireGuard tunnels regardless of the array running or not (Docker won't run with the array down)

 

Your app seems more suitable for older versions of Unraid without WireGuard included?

 

1 hour ago, segator said:

if you have questions after reading that let me know

Some security related questions:

- Looks like node addition is unrestricted. This poses a huge security risk, your network may get infiltrated with unsolicited nodes without knowing.

- How trustful is this free service kvdb.io?  Storing keys with an unknown party is questionable.

- How is key management handled between peers? Is it possible to update/revoke keys?

- Any control on what nodes can access, a single device or a complete LAN?

 

1 hour ago, segator said:

is a different alternative

To me, this is really not an alternative to what is offered with Unraid 6.8, did you try the Unraid implementation?


the release comes with docker or just a binary.

WireGuard runs in the kernel, the docker or my app only sends the commands to the kernel, so the performance is native, the same as the unraid plugin.

 

- Looks like node addition is unrestricted. to be able to add a node you need the clusterID, but the security of course should be improved.

- How trustful is this free service kvdb.io? you are right, maybe we should upload the data encrypted, then problem solved.

- How is key management handled between peers? public keys are uploaded to the configuration manager and shared with rest of nodes of the cluster

- Is it possible to update/revoke keys? nope

- Any control on what nodes can access, a single device or a complete LAN? both are supported

 

Hey @bonienl I don't expect this app as a replacement of what already exists on unraid, what we have now in unraid is what wireguard offers and that's great.

 

What my app does is simplify big  node cluster deployment.

try to configure 50 nodes peer to peer between them and the half have dynamic public IP that changes 1 time a week.

Is not something people in unraid will need, only some nerds like me.

I didn't build that even with high security in mind, I only wanted something to simplify the deployment and allow dynamic public IP provided by internet companies.

If I have time some day I will add UPnP and UDP hole punching support so people won't need to open ports on their routers.

 

 

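The security questions raised in the two posts above (unrestricted node addition, keys held by a third-party store, revocation, single device versus complete LAN), worked through as an added example that is not part of any post and is not code from wireguard-dynamic. It treats the key-value store as untrusted: each peer record carries an HMAC under a join secret shared out of band, and only verified, non-revoked records become `[Peer]` stanzas. The record fields, the join secret and the revocation set are assumptions made for illustration.

```python
import base64, hashlib, hmac, ipaddress, json

def _tag(secret: bytes, body: str) -> str:
    return hmac.new(secret, body.encode(), hashlib.sha256).hexdigest()

def sign_record(secret: bytes, record: dict) -> dict:
    """Publisher side: canonical JSON body plus an HMAC-SHA256 tag."""
    body = json.dumps(record, sort_keys=True, separators=(",", ":"))
    return {"body": body, "tag": _tag(secret, body)}

def verify_record(secret: bytes, env: dict, revoked=frozenset()):
    """Consumer side: return the record only if authentic, well-formed, not revoked."""
    try:
        body, tag = env["body"], env["tag"]
        if not hmac.compare_digest(_tag(secret, body).encode(), tag.encode()):
            return None  # written without the join secret, or altered in the store
        rec = json.loads(body)
        if len(base64.b64decode(rec["public_key"], validate=True)) != 32:
            return None  # not a 32-byte WireGuard public key
        # Normalise networks; ValueError on junk. /32 = one device, wider = a LAN.
        rec["allowed_ips"] = [str(ipaddress.ip_network(n)) for n in rec["allowed_ips"]]
        if not isinstance(rec["endpoint"], str) or "\n" in rec["endpoint"]:
            return None  # refuse values that could add extra config lines
    except (KeyError, TypeError, ValueError, AttributeError):
        return None
    return None if rec["public_key"] in revoked else rec

def render_peers(secret: bytes, envelopes, revoked=frozenset()) -> str:
    """Emit [Peer] stanzas for verified records only; everything else is dropped."""
    out = []
    for rec in filter(None, (verify_record(secret, e, revoked) for e in envelopes)):
        out.append("[Peer]\nPublicKey = %s\nEndpoint = %s\nAllowedIPs = %s\n"
                   % (rec["public_key"], rec["endpoint"], ", ".join(rec["allowed_ips"])))
    return "\n".join(out)

# Constructed sample data: placeholder keys and documentation-range addresses.
SECRET = b"constructed-join-secret"
KEY_A, KEY_B, KEY_C = (base64.b64encode(bytes([i]) * 32).decode() for i in (1, 2, 3))
single_host = sign_record(SECRET, {"public_key": KEY_A,
    "endpoint": "203.0.113.10:51820", "allowed_ips": ["10.8.0.2/32"]})
whole_lan = sign_record(SECRET, {"public_key": KEY_B,
    "endpoint": "198.51.100.7:51820", "allowed_ips": ["10.8.0.3/32", "192.168.20.0/24"]})
unsolicited = sign_record(b"not-the-join-secret", {"public_key": KEY_C,
    "endpoint": "192.0.2.55:51820", "allowed_ips": ["0.0.0.0/0"]})
tampered = dict(single_host, body=single_host["body"].replace("10.8.0.2/32", "0.0.0.0/0"))
STORE = [single_host, whole_lan, unsolicited, tampered]

if __name__ == "__main__":
    print(render_peers(SECRET, STORE, revoked={KEY_B}))
```

A shared join secret only separates members from non-members: any node holding it can publish a record for any key, so per-node signatures would be needed to stop one member impersonating another.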

Don't get me wrong.

Your app has a place and can be useful to specific use cases (as it seems). 😀

I just tried to get a clear(er) perspective so users can make a more weighted decision.

 

Ps. Unraid 6.8 does UPnP for wireguard (this can be turned on or off)
