BootyWarrior, posted December 14, 2019

Does anyone know how to successfully set up the "server to server" connection? Is it just a matter of the remote server being able to hit my server and vice versa? My buddy and I share servers and I'd like to decom the VM that I have been using just to VPN into his network to access his storage. This is what I've done so far (waiting for him to return to his house to complete the config):
- Created a new peer named "Just The Two Of Us" (how corny?)
- Selected "Server to server access"
- Added the remote server's DDNS and port in "Peer endpoint"
J.Nerdy, posted December 14, 2019

2 hours ago, bonienl said:
Switch to "advanced view" and set "Local server uses NAT" = "Yes". (If this setting is "No" you will need to add a static route on your router to point back to the WG tunnel.)

Derp! Thank you!
J.Nerdy, posted December 14, 2019 (edited)

8 hours ago, bonienl said:
Switch to "advanced view" and set "Local server uses NAT" = "Yes". (If this setting is "No" you will need to add a static route on your router to point back to the WG tunnel.)

Hmmm, it was configured to Yes... odd. I am manually configuring DNS to see if that makes a difference (though it shouldn't) and will report back. Thanks!

Edit: I am a knob... I configured the DNS client-side, but did not make the edits to already configured peers. FIXED.

Edited December 15, 2019 by J.Nerdy: Double Derp
bonienl, posted December 14, 2019

42 minutes ago, gadgethome said:
My IP range is 192. and my VM firewall is in 172. When I connect I can access everything on 192, but how do I add the 172 range so my firewall is active as well? Thanks

What do you mean by "so my firewall is active"?

Switch to advanced view and make sure "Local server uses NAT" = Yes.

Anything in a different network than 192.x.y.z needs two-way routing (but this is out of scope for Unraid).
FreeMan, posted December 15, 2019

I got this set up on my main server and connected from my phone in no time! Very happy. I've added access for my laptop (I'll have to test this next time I leave my house) and will be adding in other family members soon, as well.

My next step is to use this to connect to my off-site Backup server. I've used the ZeroTier docker, but frankly, I'd rather use this as everything will reside in my own server and it will be baked into the base OS sooner or later.

I've created a "Backup" peer on my main server and set it up as "Server to Server" access. I clicked the eye and downloaded the config file. On the Backup server, I installed WG and added a peer by importing the config file from my main server. I can't test at the moment since the two boxes are sitting side by side while the initial backup completes. Was this the right process? Is there anything else that I'd need to do once Backup is back off-site?

I remain impressed, overwhelmed and extremely pleased with the incredible support and features being built into unRAID, added via Dockers and plugins, and the incredible support that I get here. Thanks!
bonienl, posted December 15, 2019

4 hours ago, FreeMan said:
Is there anything else that I'd need to do once Backup is back off-site?

Make sure the local endpoint and peer endpoint are correctly set. This may be a URL name which can be resolved, or the public IP address of the server. If there are any routers/firewalls at either side, they need to do port forwarding to make outside access possible.
zeroclanzhang, posted December 15, 2019

My ISP blocked port 80/443. Could I run it securely on other ports?
daddygrant, posted December 15, 2019

Interesting thing. I got it working last night from the phone without issue. Easy as pie. But this morning I added a few more clients and none can connect, including my phone that worked fine last night. The clients say connected, but that isn't reflected on the server and traffic is not passing. Firewall ports and DDNS are good. Any thoughts?
Psybernoid, posted December 15, 2019

On 12/14/2019 at 12:22 PM, bonienl said:
Use "wg" instead

root@vesta:/# wg
interface: wg0
  public key: +vmlfqmRg6XxRCo86Ynqzsobd4kN0HXZsq2bN13akCI=
  private key: (hidden)
  listening port: 51821

That worked, got an expected response. However, it remains that I cannot connect to WireGuard on Unraid. If I move the NAT from my router to point at a WireGuard instance running on a VM (the VM isn't running on Unraid) that works. As soon as I move it to my Unraid server, it does not. I think there's something funky going on with having 2 physical NICs.
daddygrant, posted December 16, 2019

7 hours ago, daddygrant said:
Interesting thing. I got it working last night from the phone without issue. Easy as pie. But this morning I added a few more clients and none can connect, including my phone that worked fine last night. The clients say connected, but that isn't reflected on the server and traffic is not passing. Firewall ports and DDNS are good. Any thoughts?

I found the problem. Oddly enough, the local endpoint information went blank. I re-entered the information and now I'm rocking with the LAN access client profile. The client profile for server-only access is still not showing traffic.
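The symptom above ("the clients say connected but that isn't reflected on the server") is characteristic of WireGuard: a client showing "connected" has only brought its interface up, since there is no connection state, and the server-side handshake timestamp is the real sign of life. The script below is an added example, not code from this thread or from Unraid. It parses the tab-separated output of `wg show <iface> dump` (the assumed input, in the layout described in wg(8)) and sorts peers into fresh, stale and never-handshook; the sample dump, the keys and the 180-second threshold are constructed for the example.

```python
"""Triage WireGuard peers from `wg show <iface> dump` output (added example)."""
from __future__ import annotations
import time
from dataclasses import dataclass
from typing import Optional

FRESH_AFTER = 180  # seconds; a peer moving traffic re-handshakes well inside this (assumed threshold)

NOW = 1_576_500_000  # fixed "current time" so the constructed sample is reproducible
SAMPLE_DUMP = "\n".join([
    # interface line: private-key, public-key, listen-port, fwmark
    "\t".join(["(hidden)", "SERVER_PUB_PLACEHOLDER=", "51820", "off"]),
    # peer lines: public-key, preshared-key, endpoint, allowed-ips,
    #             latest-handshake, transfer-rx, transfer-tx, persistent-keepalive
    "\t".join(["PHONE_PUB_PLACEHOLDER=", "(none)", "203.0.113.10:41641",
               "10.253.0.2/32", str(NOW - 40), "184320", "92160", "off"]),
    "\t".join(["LAPTOP_PUB_PLACEHOLDER=", "(none)", "198.51.100.7:51820",
               "10.253.0.3/32", str(NOW - 7200), "4096", "2048", "25"]),
    "\t".join(["BACKUP_PUB_PLACEHOLDER=", "(none)", "(none)",
               "10.253.0.4/32,192.168.2.0/24", "0", "0", "0", "off"]),
])


@dataclass
class Peer:
    public_key: str
    endpoint: Optional[str]
    allowed_ips: list[str]
    latest_handshake: int  # Unix seconds; 0 means the peer never completed a handshake
    rx: int
    tx: int


def parse_dump(dump: str) -> tuple[str, list[Peer]]:
    """Return (listen_port, peers) from `wg show <iface> dump` text."""
    lines = [l for l in dump.splitlines() if l.strip()]
    listen_port = lines[0].split("\t")[2]
    peers = []
    for line in lines[1:]:
        f = line.split("\t")
        peers.append(Peer(
            public_key=f[0],
            endpoint=None if f[2] == "(none)" else f[2],
            allowed_ips=f[3].split(","),
            latest_handshake=int(f[4]),
            rx=int(f[5]),
            tx=int(f[6]),
        ))
    return listen_port, peers


def classify(peer: Peer, now: int) -> str:
    if peer.latest_handshake == 0:
        # never handshook: the peer's packets never reached this listen port
        # (endpoint/port-forward problem) or the keys on the two sides disagree
        return "never"
    return "fresh" if now - peer.latest_handshake <= FRESH_AFTER else "stale"


def triage(dump: str, now: Optional[int] = None) -> dict[str, str]:
    """Map each peer's public key to fresh / stale / never."""
    now = int(time.time()) if now is None else now
    _, peers = parse_dump(dump)
    return {p.public_key: classify(p, now) for p in peers}


if __name__ == "__main__":
    port, peers = parse_dump(SAMPLE_DUMP)
    print(f"wg0 listening on udp/{port}")
    for p in peers:
        print(f"{classify(p, NOW):5}  {p.public_key}  endpoint={p.endpoint}  "
              f"allowed={','.join(p.allowed_ips)}  rx={p.rx} tx={p.tx}")
```

On a live box you would feed it `wg show wg0 dump` (root needed, and the first field of the first line is the interface's private key, so don't paste that output into a forum). A "never" peer with non-zero client-side TX is the case in this post: the client is sending, but nothing is arriving at the server's listen port, so check the endpoint the client was given and the port forward before touching anything else.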
LVLAaron, posted December 16, 2019

I've been implementing OpenVPN personally and professionally for 15 years now... WIREGUARD IS AWESOME
JasonJoel, posted December 16, 2019 (edited)

On 12/14/2019 at 6:51 AM, bonienl said:
Yes, this works (I tested this using a bonded interface with 4 members)

I did get it to work - kind of. I could access anything on my primary subnet (192.168.1.x), which is the same subnet my Unraid server is on. But I couldn't ever connect to anything from any of my other subnets. Didn't see the traffic at my router at all, so I'm not sure the bridge is routing traffic from other subnets (?) up to the router. I tried turning NAT on/off, no difference.

Works fine with OpenVPN, so back I went. I will say that WireGuard was fast and connected quickly for those nodes on my primary LAN. Very cool, just wish I could get to my other subnets. Untangle is going to add WireGuard support, too, so I may just have to wait for that, as theirs will support multiple subnets/routing.

Edited December 16, 2019 by JasonJoel
bonienl, posted December 16, 2019

19 minutes ago, JasonJoel said:
But I couldn't ever connect to anything from any of my other subnets.

Did you add those subnets to the list of allowed IPs for the client?
JasonJoel, posted December 16, 2019

Just now, bonienl said:
Did you add those subnets to the list of allowed IPs for the client?

Hmm... Good question, I'll go through it again tonight and double check. Entirely possible it was user error.
bonienl, posted December 16, 2019

16 minutes ago, JasonJoel said:
Entirely possible it was user error

If it works with OpenVPN, it should work with WireGuard too...
FreeMan, posted December 16, 2019

On 12/15/2019 at 2:19 AM, bonienl said:
Make sure the local endpoint and peer endpoint are correctly set. This may be a URL name which can be resolved, or the public IP address of the server. If there are any routers/firewalls at either side, they need to do port forwarding to make outside access possible.

Which side initiates the connection request? i.e. for my phone, the phone initiates the connection and I have to have the port forwarded at home. Can I force the Backup machine to initiate the connection so the same port forward at home will cover all VPN connections, or is it somewhat of a lottery which server starts the server-to-server connection, thus ports have to be forwarded at both ends? I'm pretty certain I can get to the router at the other end to do the forward, but I'd prefer not to if I can avoid it.

On the main server there's a 10.253.x.x IP address in the "peer tunnel address" and the same IP address is in the "Peer allowed IPs" entry. On the peer setup on Backup, which will be the "remote" box, I have the peer endpoint set to my DynDNS URL. There's a "peer tunnel address" which I have not configured, but the prompt text says it's mandatory. Do I put the "Peer allowed IPs" from the main server into the "peer tunnel address" on Backup?

Here's the Backup server side of the config:
[screenshot not included]

And here's the main side:
[screenshot not included]

With this setup, it appears that they are talking to each other via the VPN, as shown on the VPN section of the Dashboard:
[screenshot not included]
FreeMan, posted December 16, 2019

On 12/7/2019 at 4:56 PM, SavellM said:
With WireGuard, if I set it up on my local network, let's say 10.0.0.x, and get my backup unRAID box all set up, then move it to my parents' place on a different IP range, will WireGuard just work? As in, do the normal port forward to the new IP but I'll still be able to just connect? I also gotta look into server-to-server WireGuard as I'm planning to put in a backup off-site. What would be the best to sync to the backup? rsync?

I'm using rsync as detailed here:

Working very well for me running it by hand. I need to get a nice little script set up and schedule it in cron.
JasonJoel, posted December 17, 2019 (edited)

9 hours ago, bonienl said:
If it works with OpenVPN, it should work with WireGuard too...

It looks like the issue was indeed on the Allowed IPs on the peer side when I set it up via the QR code. I guess by default it only adds the subnet the Unraid server is on, and its 10.253.0.1 tunnel address (which makes sense).

Thanks for the pointer on Allowed Peer IPs!!! I didn't think to check that on the Android/peer side...

Edited December 17, 2019 by JasonJoel
INTEL, posted December 17, 2019

On 12/14/2019 at 7:21 PM, BootyWarrior said:
Does anyone know how to successfully set up the "server to server" connection? Is it just a matter of the remote server being able to hit my server and vice versa? My buddy and I share servers and I'd like to decom the VM that I have been using just to VPN into his network to access his storage. This is what I've done so far (waiting for him to return to his house to complete the config):
- Created a new peer named "Just The Two Of Us" (how corny?)
- Selected "Server to server access"
- Added the remote server's DDNS and port in "Peer endpoint"

Did you figure it out? I also have 2 Unraid servers I would like to connect to each other.
bonienl, posted December 17, 2019

11 hours ago, FreeMan said:
Which side initiates the connection request? i.e. for my phone, the phone initiates the connection and I have to have the port forwarded at home. Can I force the Backup machine to initiate the connection so the same port forward at home will cover all VPN connections, or is it somewhat of a lottery which server starts the server-to-server connection, thus ports have to be forwarded at both ends? I'm pretty certain I can get to the router at the other end to do the forward, but I'd prefer not to if I can avoid it.

You can add your backup router as a second peer to the existing tunnel, next to your phone. Like your phone, set the backup router as "remote access to server (or LAN)". This allows the backup server to initiate the connection. For example, a scheduled script can make contact and initiate the connection.

A server-to-server connection is intended to let both sides initiate the connection setup; it doesn't matter which side does it. This is convenient if you want either side to be active in setting up the communication.
bonienl, posted December 17, 2019

On 12/15/2019 at 12:16 PM, zeroclanzhang said:
My ISP blocked port 80/443. Could I run it securely on other ports?

WireGuard runs on any port. You can use the automatic port assignment of the GUI or choose your own port number.
FreeMan, posted December 17, 2019

3 hours ago, bonienl said:
A server-to-server connection is intended to let both sides initiate the connection setup; it doesn't matter which side does it. This is convenient if you want either side to be active in setting up the communication.

This makes sense and explains why it wasn't going to work the way I expected...

3 hours ago, bonienl said:
Like your phone, set the backup router as "remote access to server (or LAN)". This allows the backup server to initiate the connection. For example, a scheduled script can make contact and initiate the connection.

Perfect, I'll do this! Can I edit the existing connection parameters to change that and have it Just Work™, or will I have to send a new connection config file from Main to Backup? (Or, if necessary, manually edit both ends to indicate "remote access to 'x'"?)

4 hours ago, bonienl said:
You can add your backup router as a second peer to the existing tunnel, next to your phone.

Not 100% sure I understand this:
* Is the implication that there is but one tunnel into the system for all "Remote access to LAN" connections and that they all share it, or does each device get its own tunnel and I'm trying to read too much into your statement?
* Also, by "router" I presume you meant "server" and that's just a typo, or do I really need to do something with the router at the far end?
bonienl, posted December 17, 2019

3 hours ago, FreeMan said:
* Is the implication that there is but one tunnel into the system for all "Remote access to LAN" connections and that they all share it, or does each device get its own tunnel and I'm trying to read too much into your statement?

Different peers can share the same tunnel; there is no need to create a new tunnel for each peer, unless you want to create a tunnel with other characteristics, e.g. a tunnel running over a different interface.

3 hours ago, FreeMan said:
* Also, by "router" I presume you meant "server" and that's just a typo,

Yes, a typo.
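Two points from this thread, JasonJoel's missing subnet in the peer's Allowed IPs and bonienl's description of a server-to-server pair where either side may initiate and several peers share one tunnel, come down to WireGuard's cryptokey routing: a packet only enters the tunnel if some [Peer]'s AllowedIPs covers its destination (longest prefix wins), and a packet arriving from a peer is dropped unless its source is inside that peer's AllowedIPs. The script below is an added example, not code from the thread or from Unraid's WireGuard plugin. It assumes the wg-quick style [Interface]/[Peer] file format; the fields the thread calls "Peer allowed IPs" and "peer tunnel address" are assumed to correspond to the AllowedIPs and Address lines. All keys, hostnames and addresses are constructed placeholders.

```python
"""WireGuard cryptokey routing and server-to-server sanity check (added example)."""
from __future__ import annotations
import ipaddress
from typing import Optional


def parse_conf(text: str) -> dict:
    """Minimal wg-quick parser: one [Interface] and any number of [Peer] blocks."""
    conf: dict = {"interface": {}, "peers": []}
    section: Optional[dict] = None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        if line.startswith("["):
            if line.lower() == "[interface]":
                section = conf["interface"]
            else:
                section = {}
                conf["peers"].append(section)  # several peers share one tunnel
            continue
        key, _, value = line.partition("=")
        section[key.strip()] = value.strip()
    return conf


def _nets(csv: str):
    return [ipaddress.ip_network(s.strip(), strict=False) for s in csv.split(",") if s.strip()]


def peer_for(conf: dict, dst: str) -> Optional[str]:
    """Public key of the peer whose AllowedIPs best covers dst, or None when the
    packet never enters the tunnel (the "can't reach my other subnet" case)."""
    addr = ipaddress.ip_address(dst)
    best, best_len = None, -1
    for peer in conf["peers"]:
        for net in _nets(peer.get("AllowedIPs", "")):
            if addr in net and net.prefixlen > best_len:
                best, best_len = peer["PublicKey"], net.prefixlen
    return best


def tunnel_address(conf: dict) -> str:
    first = conf["interface"]["Address"].split(",")[0].strip()
    return str(ipaddress.ip_interface(first).ip)


def site_to_site_issues(a: dict, a_pub: str, b: dict, b_pub: str) -> list[str]:
    """Check both directions of a server-to-server pair. a_pub/b_pub are each
    side's public key (wg derives it from PrivateKey; passed in explicitly here)."""
    issues, endpoints = [], []
    for tag, me, other, other_pub in (("A", a, b, b_pub), ("B", b, a, a_pub)):
        peer = next((p for p in me["peers"] if p.get("PublicKey") == other_pub), None)
        if peer is None:
            issues.append(f"{tag}: no [Peer] entry for the other side's public key")
            continue
        endpoints.append(peer.get("Endpoint"))
        if peer_for(me, tunnel_address(other)) != other_pub:
            issues.append(f"{tag}: AllowedIPs does not cover the other side's tunnel address")
    if not any(endpoints):
        issues.append("neither side has an Endpoint, so neither can initiate the handshake")
    return issues


# --- constructed sample configs (placeholder keys, RFC-style example hostnames) ---
MAIN_PUB, BACKUP_PUB = "MAIN_PUBLIC_KEY_PLACEHOLDER=", "BACKUP_PUBLIC_KEY_PLACEHOLDER="
PHONE_CONF = """[Interface]
Address = 10.253.0.2/32
PrivateKey = PHONE_PRIVATE_KEY_PLACEHOLDER=
[Peer]
PublicKey = MAIN_PUBLIC_KEY_PLACEHOLDER=
AllowedIPs = 10.253.0.1/32, 192.168.1.0/24
Endpoint = main.example.org:51820
"""
MAIN_CONF = """[Interface]
Address = 10.253.0.1/24
ListenPort = 51820
PrivateKey = MAIN_PRIVATE_KEY_PLACEHOLDER=
[Peer]
PublicKey = BACKUP_PUBLIC_KEY_PLACEHOLDER=
AllowedIPs = 10.253.0.4/32, 192.168.2.0/24
Endpoint = backup.example.org:51820
"""
BACKUP_CONF = """[Interface]
Address = 10.253.0.4/32
ListenPort = 51820
PrivateKey = BACKUP_PRIVATE_KEY_PLACEHOLDER=
[Peer]
PublicKey = MAIN_PUBLIC_KEY_PLACEHOLDER=
AllowedIPs = 10.253.0.1/32, 192.168.1.0/24
Endpoint = main.example.org:51820
"""


def demo() -> dict:
    phone = parse_conf(PHONE_CONF)
    out = {"phone->192.168.1.50": peer_for(phone, "192.168.1.50"),
           "phone->192.168.2.5": peer_for(phone, "192.168.2.5")}  # None: second subnet not allowed
    phone["peers"][0]["AllowedIPs"] += ", 192.168.2.0/24"        # the fix from the thread
    out["phone->192.168.2.5 after fix"] = peer_for(phone, "192.168.2.5")
    out["site_to_site"] = site_to_site_issues(parse_conf(MAIN_CONF), MAIN_PUB,
                                              parse_conf(BACKUP_CONF), BACKUP_PUB)
    broken = parse_conf(BACKUP_CONF.replace("10.253.0.1/32, 192.168.1.0/24", "192.168.1.0/24"))
    out["site_to_site_broken"] = site_to_site_issues(parse_conf(MAIN_CONF), MAIN_PUB, broken, BACKUP_PUB)
    return out


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v}")
```

The site-to-site check only needs an Endpoint on one of the two [Peer] entries for a handshake to start, which is the "either side can initiate" behaviour described above; the side without an Endpoint learns the other's address from the first handshake it receives. Because AllowedIPs is also a source filter, a server-to-server peer must list the remote LAN (192.168.2.0/24 in the sample) or replies from that LAN are silently dropped on arrival, which looks exactly like "no traffic passing" even though the handshake succeeded.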
FreeMan, posted December 17, 2019

2 hours ago, bonienl said:
Different peers can share the same tunnel; there is no need to create a new tunnel for each peer, unless you want to create a tunnel with other characteristics, e.g. a tunnel running over a different interface.

Hmm... will have to look at that and scratch my head to see if/how/when I can understand that one. I was under the impression that each device connecting via VPN created its own tunnel to the host; I didn't realize that tunnels could be shared. Obviously, this young (that's my story and I'm sticking with it!) padawan has much to learn.
INTEL, posted December 19, 2019

I would appreciate some screenshots of the server-to-server setup, I just cannot figure it out.