Skip to content
View in the app

A better way to browse. Learn more.

Unraid

A full-screen app on your home screen with push notifications, badges and more.

To install this app on iOS and iPadOS
  1. Tap the Share icon in Safari
  2. Scroll the menu and tap Add to Home Screen.
  3. Tap Add in the top-right corner.
To install this app on Android
  1. Tap the 3-dot menu (⋮) in the top-right corner of the browser.
  2. Tap Add to Home screen or Install app.
  3. Confirm by tapping Install.

WireGuard quickstart

Featured Replies

7 hours ago, remati said:

It appears it is happening on both my unraid servers on Version: 6.8.3

Do you have anything installed to customize your GUI?

 

WireGuard supports multi-language, which is not available in Unraid 6.8, though it should display all text correctly.

 

Just made a quick test, this is a bug. Will correct it.

Edited by bonienl

  • Replies 979
  • Views 431.6k
  • Created
  • Last Reply

Top Posters In This Topic

Most Popular Posts

  • Thanks for the quick writeup! I was scratching my head for a good 10 minutes until I realized I had to toggle Inactive to Active. Not sure why my mind read that as clicking inactive would inactivate i

  • I found if you do someething strange in the set up and hit apply, you will lose access to the server...you will not be able to ping it or load the interface.   to fix without rebooting after

  • I was having problems getting this all to work but I figured it out after about an hour.   I was able to connect to the vpn but was not able to connect to anything on my network or get an in

Posted Images

Is there anyway to add additional authentication in WireGuard?

I have been able to get everything setup but it seems a bit too easy to enable access on my Android phone.

I can simply click the shortcut menu item to connect, using OpenVPN I am have configured 2FA so someone cannot simply press a button to get full access to my LAN.


It would be even better if I could use U2F from my Yubikey devices but I would take being able to add Google Authenticator as a first step

 

 

  • Author
1 hour ago, jameson_uk said:

Is there anyway to add additional authentication in WireGuard?

I have been able to get everything setup but it seems a bit too easy to enable access on my Android phone.

I can simply click the shortcut menu item to connect, using OpenVPN I am have configured 2FA so someone cannot simply press a button to get full access to my LAN.


It would be even better if I could use U2F from my Yubikey devices but I would take being able to add Google Authenticator as a first step

 

WireGuard does not currently support 2FA, and I don't see it on their todo list: https://www.wireguard.com/todo/

16 hours ago, ljm42 said:

 

WireGuard does not currently support 2FA, and I don't see it on their todo list: https://www.wireguard.com/todo/

Is there anyway of adding any form of authentication (beyond the shared keys)

Edited by jameson_uk

2 hours ago, jameson_uk said:

Is there anyway of adding any form of authentication (beyond the shared keys)

 

That fully depends on the device where you are installing WireGuard.

When I use my iPad pro, it requires a fingerprint authentication first before installing the WireGuard tunnel.

 

  • Author
3 hours ago, jameson_uk said:

Is there anyway of adding any form of authentication (beyond the shared keys)

You can/should set a lock screen on your client device, but there is no way to enforce that from Unraid's end. The WireGuard protocol does not currently have any options related to this or to requiring a pin/password/2FA before starting the tunnel. It is not something we can add ourselves, it would need to be added to the WireGuard protocol first.

 
That fully depends on the device where you are installing WireGuard.
When I use my iPad pro, it requires a fingerprint authentication first before installing the WireGuard tunnel.
 
You can/should set a lock screen on your client device, but there is no way to enforce that from Unraid's end. The WireGuard protocol does not currently have any options related to this or to requiring a pin/password/2FA before starting the tunnel. It is not something we can add ourselves, it would need to be added to the WireGuard protocol first.
This is setup on an Android phone. The wireguard app setup the connection by just scanning the QR which is fine but there is no control over opening the app and it added a shortcut to open the tunnel in the menu where you can turn on the torch (and is available without unlocking the phone).

Are there any other Android clients that only open with biometric authentication?
  • Author
3 hours ago, jameson_uk said:

This is setup on an Android phone. The wireguard app setup the connection by just scanning the QR which is fine but there is no control over opening the app and it added a shortcut to open the tunnel in the menu where you can turn on the torch (and is available without unlocking the phone).

Are there any other Android clients that only open with biometric authentication?

 

On my Android (OnePlus 7 Pro), before unlocking the phone I can pull down from the top to access certain apps like the flashlight. VPN is in that list, but when I click it, I am immediately prompted to unlock the phone. It sounds like a security hole in your phone if it puts VPN in the same authentication-free category as the fliashlight!

 

I believe there are other Android clients out there, but rather than recommend anything I haven't used I'll just suggest you try Google :)  Also, nothing says you have to switch to WireGuard, if you are happy with OpenVPN you can continue to use it.

  • 2 weeks later...

I have tried a bit of skimming of this thread as well as searching - but is anyone able to answer a quick question regarding wireguard functionality.

Currently I have OpenVpn setup via docker container. This works great until you need to spin down the array. Will setting up wireguard, since it is a plugin and not a docker based solution, allow me to spin up and down the array while still maintaining vpn access?

WireGuard access is available independent of the array running or not.

This gives it a distinct advantage over docker or vm based solutions.

 

 

57 minutes ago, bonienl said:

WireGuard access is available independent of the array running or not.

 

 

Thanks for the info! Appreciate it.

Hi all,

 

I'm using wireguard as VPN service. I'm using Peer type of access: Remote access to LAN

It works fine but I don't have access to the share folder (SMB).

 

Could you help me ? 

  • Author
1 hour ago, Claudio C said:

Hi all,

 

I'm using wireguard as VPN service. I'm using Peer type of access: Remote access to LAN

It works fine but I don't have access to the share folder (SMB).

 

Could you help me ? 

 

Best guess based on what you have written... make sure you are trying to access the server by IP address and not by shortname.  i.e. make an SMB connection to \\ipaddress not to \\tower

 

I tried also with IP but nothing.

 

This is my configuration

 

image.png.e27f363872637ad7ceae1b5d768a1fb9.png

 

image.thumb.png.cf1648c13b9c0dd9acd58b65ac6ae47c.png

Hi All, I'm new to unRAID and really am loving it.  Currently I only have my media setup but am working through new functionality.

 

I'm confused with WireGuard though.  I've setup "remote access to LAN" and with my peer (android phone) enabled I can access my unRAID from outside my network via the IP Address.  I can also access my PLEX, SONARR, etc dockers so all that seems to work fine. 

My first question is regarding the "LAN" part of the access.  What does that entail?  Previously I used my phones VPN to remote desktop access my personal laptop when it was at the house. With "remote access to LAN" can I do that? What port would I use?

My second question is regarding the other VPN options, specifically the "Remote Tunneled Access". Do i create that as a 2nd Peer option and have both available on my phone or does one supersede the other?

Thanks!

  • Author
On 5/3/2021 at 7:43 AM, Claudio C said:

Hi all,

 

I'm using wireguard as VPN service. I'm using Peer type of access: Remote access to LAN

It works fine but I don't have access to the share folder (SMB).

 

Could you help me ? 

 

14 hours ago, Claudio C said:

I tried also with IP but nothing.

 

This is my configuration

 

image.png.e27f363872637ad7ceae1b5d768a1fb9.png

 

image.thumb.png.cf1648c13b9c0dd9acd58b65ac6ae47c.png

 

You have "Use NAT" = No, there should be a remark telling you to setup a static route in your router, have you done that?  There are more details in the "complex networks" portion of the first post.  Until you work through that nothing on the LAN (including accessing the server by its LAN IP) will work.

 

FYI, you can also access the server by its tunnel IP. So SMB to \\10.253.0.1 should work regardless of the "Use NAT" setting or whether you have a static route setup.

  • Author
Quote

Hi All, I'm new to unRAID and really am loving it. 

Welcome!

 

1 hour ago, RuggedRaider said:

I've setup "remote access to LAN" and with my peer (android phone) enabled I can access my unRAID from outside my network via the IP Address.  I can also access my PLEX, SONARR, etc dockers so all that seems to work fine. 

nice!

 

1 hour ago, RuggedRaider said:

My first question is regarding the "LAN" part of the access.  What does that entail?  Previously I used my phones VPN to remote desktop access my personal laptop when it was at the house. With "remote access to LAN" can I do that? What port would I use?

When you setup "remote access to LAN" you will be able to access other devices on your LAN through the tunnel. So from your phone you would first make a VPN connection to Unraid to get access to the LAN, then you would start the remote desktop software on the phone and connect to your personal laptop by IP.

 

 

1 hour ago, RuggedRaider said:

My second question is regarding the other VPN options, specifically the "Remote Tunneled Access". Do i create that as a 2nd Peer option and have both available on my phone or does one supersede the other?

Yes you can have two VPN profiles/peers defined on your phone. Use "Remote access to LAN" when you trust the network you are on and just want to route the remote LAN traffic over WireGuard.  use "Remote Tunneled Access" when you are someplace with "risky" wifi and you want all your traffic going over WireGuard.

1 hour ago, ljm42 said:

When you setup "remote access to LAN" you will be able to access other devices on your LAN through the tunnel. So from your phone you would first make a VPN connection to Unraid to get access to the LAN, then you would start the remote desktop software on the phone and connect to your personal laptop by IP.

Okay, that helps. For some reason I thought the remote access to LAN would rid me of the need for microsoft RDP. Makes sense now that I think about it.

 

Another question. Is the peer setup designed for the client type specifically or the type of connection.  Can I setup a peer connection for "remote access to LAN" and then download that profile config file and install on WireGuard via my work laptop?

 

Thank you!

  • Author
10 minutes ago, RuggedRaider said:

Another question. Is the peer setup designed for the client type specifically or the type of connection.  Can I setup a peer connection for "remote access to LAN" and then download that profile config file and install on WireGuard via my work laptop?

 

You should create a new peer config for each device. That will allow all of the devices to connect at the same time, and in the event that one device is lost or stolen, you only have to delete that one config from the server and the rest of the devices will continue to work.

I have upgraded to Unraid 6.9.2 and now having problems with adding wireguard peers, i have 15 wireguard peers running now but when I try to add another peer it does not give me a blank entry to fill in, the cursor just jumps to one of the existing entries that are already running. I thought at first it was maybe the browser so I tried Firefox, Google chrome, Microsoft Edge but all act the same.

When i add a new Tunnel such as WG1 i can start adding more peers, Is there a limit on how many peers per tunnel ?

 

Thanks

  • Author
On 5/12/2021 at 6:02 AM, Gdtech said:

I have upgraded to Unraid 6.9.2 and now having problems with adding wireguard peers, i have 15 wireguard peers running now but when I try to add another peer it does not give me a blank entry to fill in, the cursor just jumps to one of the existing entries that are already running. I thought at first it was maybe the browser so I tried Firefox, Google chrome, Microsoft Edge but all act the same.

When i add a new Tunnel such as WG1 i can start adding more peers, Is there a limit on how many peers per tunnel ?

 

Thanks

 

Please ensure you are on version the latest version of the plugin (currently 2021.05.10a). No point in troubleshooting older versions :) 

 

As a test, I just created a tunnel with 20 peers no problem. I wouldn't expect there to be a limit, pretty sure it just increments a counter.

 

I'd guess it is putting the cursor in a field that has a problem. If that doesn't seem to be the case, try switching from basic to advanced mode, perhaps the field with the problem is not visible in basic mode.

 

Still not working? We'll need to see a screenshot. You'll want to blank out any sensitive parts (keys, public ip addresses, endpoints)

Good afternoon,

 

 Currently searching for an option to my issue and hope wireguard might be the solution.

 

My only internet option currently is Starlink and due to CGNat I will not be able to access my plex server remotely.

 

Can this be used to allow external access to my plex server again?

 

Cheers,

 

Chris

I followed your guide and got it up and running. My question is regarding the relationship of a tunnel to a peer and how this should be configured rather than what can be done. 

 

With one tunnel, should I only have one peer? or should I set multiple peers for one tunnel assuming the subnet access level should be the same for all peers?

 

I am intending to use this for two use cases. 

    1- remote server management from 2 or 3 devices. my guess is one tunnel, 2-3 peers with the needed subnet configured. 

    2- privatizing mobile device traffic back to the server internet connection. this would be likely a lesser subnet range to strictly hairpin traffic back out to the web from the server internet connection (mobile device->server->web). I'm also guessing this would be a second tunnel for these peers?

 

Any guidance or clarity around this concept is greatly appreciated. 

A single tunnel can support multiple connections (peers). Each peer wiil have the same access rights, e.g. "Remote connection to LAN".

 

If you want different peers to have different access rights, you could set up multiple tunnels, each with a different connection type and let peers connect to one or the other.

 

Join the conversation

You can post now and register later. If you have an account, sign in now to post with your account.
Note: Your post will require moderator approval before it will be visible.

Guest
Reply to this topic...

Account

Navigation

Search

Search

Configure browser push notifications

Chrome (Android)
  1. Tap the lock icon next to the address bar.
  2. Tap Permissions → Notifications.
  3. Adjust your preference.
Chrome (Desktop)
  1. Click the padlock icon in the address bar.
  2. Select Site settings.
  3. Find Notifications and adjust your preference.