February 7, 2022 Good evening, I have a problem: remote tunneled access doesn't work for me. I can connect to the VPN with my phone, but once connected it no longer has internet access, even though I can ping my phone from the WireGuard interface. If anyone has an idea, thanks. Anthony
February 7, 2022 1 hour ago, vmlinuz said: thanks Anthony Anyone wishing to reply go to this thread
February 11, 2022 Running UnRAID 6.10.RC2 utilizing the built-in WireGuard VPN. I can connect a phone and laptop just fine. I can ping the unRAID server and get to the internet all through the tunnel. What I can't do is get to other things on my local network that are on the same VLAN as the unRAID server. I have the tunnel set for "Remote tunnel access". Seems I am missing a route somewhere, but can't figure it out. Routing table shown below. unRAID is 10.5.254.80/24 and the VPN clients are 10.5.253.2 and .3. Thoughts on this one? astro-server-diagnostics-20220211-1000.zip
February 11, 2022 Author On 2/5/2022 at 10:53 PM, J05u said: I am having no issues connecting to my server via WireGuard, but I can't connect to dockers on my network 46 minutes ago, mgadbois said: Seems I am missing a route somewhere, but can't figure it out. Sounds like you need to add a static route to your *router* so that devices on your network can communicate with the WireGuard network pool. See the "Complex Networks" portion of the first post in this thread. If you continue to have issues, read the section below that, which explains how "Use NAT", "host access to custom networks", and having a static route all interact. Certain combinations do not work well together.
February 15, 2022 I was on vacation for a week, when I got back my flash drive had some issues so I restored from a week old backup. Anyways everything is fine except my WireGuard isn't working. It won't stay Active. I click slider, it shows Active, I change tabs and go back and it's Inactive. I uninstalled the Plugin, reinstalled and same thing, my old Peers still there too. Any ideas? How do I completely erase WireGuard so when I install it, it's brand new? Logs show nothing.
February 16, 2022 I'm trying to use the "server hub & spoke access" type of access so that some of my peers should be able to talk to each other. My peers can connect and they can ping the server, but they can't ping each other and the server can't ping them either. Did I miss something?
February 16, 2022 Author On 2/14/2022 at 9:59 PM, nxtiak said: How do I completely erase WireGuard so when I install it, it's brand new? Go to Settings -> VPN Manager. For each tunnel, change the slide from Basic to Advanced, then choose the Delete Tunnel option.
February 16, 2022 Author 18 hours ago, MylesM said: I'm trying to use the "server hub & spoke access" type of access so that some of my peers should be able to talk to each other. My peers can connect and they can ping the server, but they can't ping each other and the server can't ping them either. Did I miss something? You'll want to ping the tunnel IPs, not the LAN/WAN IPs. The tunnel has its own network range: The server usually has a .1 address in that pool: And then each peer has a unique address in that pool:
February 16, 2022 7 minutes ago, ljm42 said: Go to Settings -> VPN Manager. For each tunnel, change the slide from Basic to Advanced, then choose the Delete Tunnel option. Thanks I figured this out last night, but then when I tried to set it up again, nothing would save. Type a name, generated key, etc.. clicking save would do nothing. Think my USB is bad or ?
February 16, 2022 Author 2 minutes ago, nxtiak said: Thanks I figured this out last night, but then when I tried to set it up again, nothing would save. Type a name, generated key, etc.. clicking save would do nothing. Think my USB is bad or ? When you hit save, does the cursor move to a new field so you can fix a value? i.e. maybe you are using an invalid character in the name. If not, try switching the slider from basic to advanced and see if it moves to a field now.
February 17, 2022 4 hours ago, ljm42 said: When you hit save, does the cursor move to a new field so you can fix a value? i.e. maybe you are using an invalid character in the name. If not, try switching the slider from basic to advanced and see if it moves to a field now. When I type anything in the Local Name (anything like 1234 or myserver) and click Apply, the cursor goes to Local Public Key to enter a value, I click generate keypair, then I click apply and the page refreshes and nothing is saved. I go to advanced and type something in all the fields and the same thing happens.
February 17, 2022 Author 3 hours ago, nxtiak said: When I type anything in the Local Name (anything like 1234 or myserver) and click Apply, the cursor goes to Local Public Key to enter a value, I click generate keypair, then I click apply and the page refreshes and nothing is saved. I go to advanced and type something in all the fields and the same thing happens. Can you try a different browser?
February 17, 2022 1 hour ago, ljm42 said: Can you try a different browser? I just tried with Firefox and the same thing happens. Screen refreshes when I click Apply.
February 17, 2022 Can you open a terminal window and show the output of (assuming you want to activate tunnel 0) wg-quick up wg0
February 18, 2022 8 hours ago, bonienl said: Can you open a terminal window and show the output of (assuming you want to activate tunnel 0) wg-quick up wg0
root@Server:~# wg-quick up wg0
wg-quick: `/etc/wireguard/wg0.conf' does not exist
root@Server:~#
February 21, 2022 The conf file should reside on your USB drive. Have you tried to do a file system repair of the USB drive? Take the drive out (after shutting down) and run a repair on a Windows machine.
February 22, 2022 5 hours ago, bonienl said: The conf file should reside on your USB drive. Have you tried to do a file system repair of the USB drive? Take the drive out (after shutting down) and run a repair on a Windows machine. So I did that last week and it found errors. So today I decided it's probably time to swap out the USB drive. Just did it and I'm able to save configuration but can't activate. wg-quick up wg0 now gives an error:
root@Server:~# wg-quick up wg0
[#] ip link add wg0 type wireguard
Error: Unknown device type.
Unable to access interface: Protocol not supported
[#] ip link delete dev wg0
Cannot find device "wg0"
root@Server:~#
February 27, 2022 I have WireGuard up and running and I am able to connect to my Unraid server from anywhere. It works awesome. I am working out of the country currently and I am still able to connect to my local network, but I was under the impression that I could use the WireGuard VPN to get around geo-blockers and visit websites and video services as if I was in my home country (USA). But when I try and hit for instance a local Florida news website www.WESH.com I get stopped saying: "Sorry, this content is not available in your region." My type of access is "Remote Tunneled Access". TIA
March 4, 2022 Hi, the setup "Remote access to LAN" works fine and the client is connected and can ping the IPs in the remote LAN. But in the config I set "Local tunnel firewall" to Allow and only set 10.0.0.11 as allowed. Nevertheless I am able to ping 10.0.0.10 (the Unraid server itself) - no other hosts. Is that by design and cannot be removed? Attached is the generated iptables config:
# Generated by iptables-save v1.8.5 on Fri Mar 4 21:31:04 2022
*mangle
:PREROUTING ACCEPT [585916432:1133041336885]
:INPUT ACCEPT [40469455:499819706678]
:FORWARD ACCEPT [546394462:633615039025]
:OUTPUT ACCEPT [32114760:4849559837]
:POSTROUTING ACCEPT [578543223:638470079442]
:LIBVIRT_PRT - [0:0]
-A POSTROUTING -j LIBVIRT_PRT
COMMIT
# Completed on Fri Mar 4 21:31:04 2022
# Generated by iptables-save v1.8.5 on Fri Mar 4 21:31:04 2022
*nat
:PREROUTING ACCEPT [98:29053]
:INPUT ACCEPT [67:21594]
:OUTPUT ACCEPT [32:2057]
:POSTROUTING ACCEPT [60:9200]
:DOCKER - [0:0]
:LIBVIRT_PRT - [0:0]
-A PREROUTING -m addrtype --dst-type LOCAL -j DOCKER
-A OUTPUT ! -d 127.0.0.0/8 -m addrtype --dst-type LOCAL -j DOCKER
-A POSTROUTING -s 172.17.0.0/16 ! -o docker0 -j MASQUERADE
-A POSTROUTING -j LIBVIRT_PRT
-A POSTROUTING -s 172.17.0.2/32 -d 172.17.0.2/32 -p tcp -m tcp --dport 3875 -j MASQUERADE
-A POSTROUTING -s 172.17.0.4/32 -d 172.17.0.4/32 -p tcp -m tcp --dport 8181 -j MASQUERADE
-A POSTROUTING -s 172.17.0.4/32 -d 172.17.0.4/32 -p tcp -m tcp --dport 8080 -j MASQUERADE
-A POSTROUTING -s 172.17.0.4/32 -d 172.17.0.4/32 -p tcp -m tcp --dport 4443 -j MASQUERADE
-A POSTROUTING -s 10.253.0.0/24 -o br0 -j MASQUERADE
-A DOCKER -i docker0 -j RETURN
-A DOCKER ! -i docker0 -p tcp -m tcp --dport 3875 -j DNAT --to-destination 172.17.0.2:3875
-A DOCKER ! -i docker0 -p tcp -m tcp --dport 7818 -j DNAT --to-destination 172.17.0.4:8181
-A DOCKER ! -i docker0 -p tcp -m tcp --dport 1880 -j DNAT --to-destination 172.17.0.4:8080
-A DOCKER ! -i docker0 -p tcp -m tcp --dport 18443 -j DNAT --to-destination 172.17.0.4:4443
COMMIT
# Completed on Fri Mar 4 21:31:04 2022
# Generated by iptables-save v1.8.5 on Fri Mar 4 21:31:04 2022
*filter
:INPUT ACCEPT [2045:465504]
:FORWARD ACCEPT [188:71769]
:OUTPUT ACCEPT [1269:1510752]
:DOCKER - [0:0]
:DOCKER-ISOLATION-STAGE-1 - [0:0]
:DOCKER-ISOLATION-STAGE-2 - [0:0]
:DOCKER-USER - [0:0]
:LIBVIRT_FWI - [0:0]
:LIBVIRT_FWO - [0:0]
:LIBVIRT_FWX - [0:0]
:LIBVIRT_INP - [0:0]
:LIBVIRT_OUT - [0:0]
:WIREGUARD - [0:0]
:WIREGUARD_DROP_WG0 - [0:0]
-A INPUT -j LIBVIRT_INP
-A FORWARD -j DOCKER-USER
-A FORWARD -j DOCKER-ISOLATION-STAGE-1
-A FORWARD -o docker0 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -o docker0 -j DOCKER
-A FORWARD -i docker0 ! -o docker0 -j ACCEPT
-A FORWARD -i docker0 -o docker0 -j ACCEPT
-A FORWARD -j LIBVIRT_FWX
-A FORWARD -j LIBVIRT_FWI
-A FORWARD -j LIBVIRT_FWO
-A FORWARD -j WIREGUARD
-A OUTPUT -j LIBVIRT_OUT
-A DOCKER -d 172.17.0.2/32 ! -i docker0 -o docker0 -p tcp -m tcp --dport 3875 -j ACCEPT
-A DOCKER -d 172.17.0.4/32 ! -i docker0 -o docker0 -p tcp -m tcp --dport 8181 -j ACCEPT
-A DOCKER -d 172.17.0.4/32 ! -i docker0 -o docker0 -p tcp -m tcp --dport 8080 -j ACCEPT
-A DOCKER -d 172.17.0.4/32 ! -i docker0 -o docker0 -p tcp -m tcp --dport 4443 -j ACCEPT
-A DOCKER-ISOLATION-STAGE-1 -i docker0 ! -o docker0 -j DOCKER-ISOLATION-STAGE-2
-A DOCKER-ISOLATION-STAGE-1 -j RETURN
-A DOCKER-ISOLATION-STAGE-2 -o docker0 -j DROP
-A DOCKER-ISOLATION-STAGE-2 -j RETURN
-A DOCKER-USER -j RETURN
-A WIREGUARD -o br0 -j WIREGUARD_DROP_WG0
-A WIREGUARD_DROP_WG0 -s 10.253.0.0/24 -d 10.0.0.11/32 -j ACCEPT
-A WIREGUARD_DROP_WG0 -s 10.253.0.0/24 -j DROP
-A WIREGUARD_DROP_WG0 -j RETURN
COMMIT
# Completed on Fri Mar 4 21:31:04 2022
Edited March 4, 2022 by Thomas K
March 4, 2022 The WireGuard tunnel terminates on Unraid itself, you can not exclude Unraid as a destination. iptables is used for accessing or blocking other devices in your LAN.
March 5, 2022
-A WIREGUARD -o br0 -j WIREGUARD_DROP_WG0
-A WIREGUARD_DROP_WG0 -s 10.253.0.0/24 -d 10.0.0.11/32 -j ACCEPT
-A WIREGUARD_DROP_WG0 -s 10.253.0.0/24 -j DROP
-A WIREGUARD_DROP_WG0 -j RETURN
Why are the iptables rules created on br0 and not wg0? A tcpdump shows that the traffic from the peer to the WireGuard host is not crossing br0 - only wg0, so the rule does not match. Traffic from the peer to other local LAN destinations crosses br0 and so the rule matches. Edited March 5, 2022 by Thomas K
March 5, 2022 Worked it out, you have to filter the INPUT chain of the wg0 device incoming. My example if someone else needs it:
iptables -N WIREGUARD_INPUT
iptables -N WIREGUARD_DROP_WG0_INPUT
iptables -A INPUT -j WIREGUARD_INPUT
iptables -A WIREGUARD_INPUT -i wg0 -j WIREGUARD_DROP_WG0_INPUT
iptables -A WIREGUARD_DROP_WG0_INPUT -s 10.253.0.0/24 -d 10.0.0.11/32 -j ACCEPT
iptables -A WIREGUARD_DROP_WG0_INPUT -s 10.253.0.0/24 -j DROP
iptables -A WIREGUARD_DROP_WG0_INPUT -j RETURN
March 6, 2022 That would be great for a future update. Streamlined version building on the existing WIREGUARD_DROP_WG0:
iptables -N WIREGUARD_INPUT
iptables -A INPUT -j WIREGUARD_INPUT
iptables -A WIREGUARD_INPUT -i wg0 -j WIREGUARD_DROP_WG0
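Added example, not code from the thread or from the Unraid plugin: a small POSIX shell audit for the gap the last three posts describe, where the plugin's FORWARD-side chain (hooked on br0) never sees packets addressed to the Unraid host itself, so a "Local tunnel firewall" whitelist needs the INPUT-side hook as well. It uses the chain names and addresses from the dump above; the two sample dumps are constructed inline and iptables itself is never invoked.

```shell
#!/bin/sh
# Added example, not from the thread or the Unraid plugin: audit an iptables-save
# dump for a WireGuard tunnel meant to reach only one LAN host. The plugin's
# FORWARD-side chain (hooked on br0) only sees traffic to other LAN hosts; packets
# for the Unraid host itself arrive on wg0 and are only caught by an INPUT hook.

WG_IF="wg0"
TUNNEL_NET="10.253.0.0/24"   # addresses as they appear in the thread's dump
ALLOWED_HOST="10.0.0.11/32"

# Constructed sample: the filter rules as the plugin generated them (FORWARD only).
DUMP_PLUGIN='-A FORWARD -j WIREGUARD
-A WIREGUARD -o br0 -j WIREGUARD_DROP_WG0
-A WIREGUARD_DROP_WG0 -s 10.253.0.0/24 -d 10.0.0.11/32 -j ACCEPT
-A WIREGUARD_DROP_WG0 -s 10.253.0.0/24 -j DROP
-A WIREGUARD_DROP_WG0 -j RETURN'

# Constructed sample: the same rules after the streamlined INPUT hook was added.
DUMP_FIXED="$DUMP_PLUGIN
-A INPUT -j WIREGUARD_INPUT
-A WIREGUARD_INPUT -i wg0 -j WIREGUARD_DROP_WG0"

# Print the commands that add the missing INPUT hook (printed, not executed,
# so the script needs no root and the change can be reviewed before applying).
emit_input_hook() {
    printf 'iptables -N WIREGUARD_INPUT\n'
    printf 'iptables -A INPUT -j WIREGUARD_INPUT\n'
    printf 'iptables -A WIREGUARD_INPUT -i %s -j WIREGUARD_DROP_WG0\n' "$WG_IF"
}

# Read a dump on stdin; return 0 only if INPUT traffic from $WG_IF is jumped into
# a chain that accepts $ALLOWED_HOST and drops everything else from $TUNNEL_NET.
audit_input_filter() {
    dump=$(cat)
    chain=$(printf '%s\n' "$dump" | grep "^-A WIREGUARD_INPUT -i $WG_IF -j " | sed 's/.* -j //')
    [ -n "$chain" ] || return 1
    printf '%s\n' "$dump" | grep -q '^-A INPUT -j WIREGUARD_INPUT' || return 1
    printf '%s\n' "$dump" | grep -q "^-A $chain -s $TUNNEL_NET -d $ALLOWED_HOST -j ACCEPT" || return 1
    printf '%s\n' "$dump" | grep -q "^-A $chain -s $TUNNEL_NET -j DROP" || return 1
    return 0
}

# Stand-alone run: check the constructed plugin dump, then print the fix if needed.
if ! printf '%s\n' "$DUMP_PLUGIN" | audit_input_filter; then
    echo "wg0 INPUT filter missing; commands to add it:"
    emit_input_hook
fi
```

On a live Unraid box the same check runs as `iptables-save -t filter | audit_input_filter` after sourcing the script.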