WireGuard quickstart



So, I had this working fine and for some reason it recently stopped.  I can't get it to show a connection or handshake.  I've tried to reconfigure and even deleted the tunnel and started from scratch.  I have UPnP enabled on my router but the server is showing it's not set.  I also have the port forwarded to the server. I've switched to my WAN IP instead of DDNS, which was working.  I've read through the troubleshooting tips at the start of this thread but am not sure where to look next.  Any recommendations on what info I can provide to help get this resolved? Client is on an Android phone; wifi is off in order to use the cell network.

 


Link to comment
1 hour ago, Waltm said:

I can't get it to show a connection or handshake. 

 

Everything looks good. Once you start the WireGuard client on the phone, are you doing anything to trigger a data transfer? There won't be a handshake until you send data. 

Link to comment
12 hours ago, ljm42 said:

 

Everything looks good. Once you start the WireGuard client on the phone, are you doing anything to trigger a data transfer? There won't be a handshake until you send data. 

 

 

Yeah, I try to reach the unRaid server in the phone's web browser using its IP address, and Splashtop to access other machines on the network. They are the only things I really use it for and both stopped working.

 

Oddly enough, after 3 days of trying everything I can think of, it just started working on its own this morning.  I'm happy that it's working but it really bugs me when problems 'resolve' themselves without me knowing what caused them or why they suddenly work again.  I'll try switching it back to DDNS when I get home tonight but don't think I'll have an issue with that now either.  

 

Thanks for chiming in with advice, I really appreciate the help.

 

It still shows UPnP forwarding not set, but can I ignore that if it seems to be working again, or is it something I should be concerned with?

Link to comment
On 8/20/2021 at 4:42 AM, Waltm said:

 

 

Yeah, I try to reach the unRaid server in the phone's web browser using its IP address, and Splashtop to access other machines on the network. They are the only things I really use it for and both stopped working.

 

Oddly enough, after 3 days of trying everything I can think of, it just started working on its own this morning.  I'm happy that it's working but it really bugs me when problems 'resolve' themselves without me knowing what caused them or why they suddenly work again.  I'll try switching it back to DDNS when I get home tonight but don't think I'll have an issue with that now either.  

 

Thanks for chiming in with advice, I really appreciate the help.

 

That is confusing, but I am glad it is working

 

On 8/20/2021 at 4:42 AM, Waltm said:

It still shows UPnP forwarding not set, but can I ignore that if it seems to be working again, or is it something I should be concerned with?

 

Since you have manually set up a port forward, just change "Local gateway uses UPnP" to No.

 

Link to comment
7 minutes ago, Alex.b said:

Hey,

 

Quick question: I set up a WireGuard VPN for a few members of my family, mainly to access Overseer and Nextcloud.

 

I used "remote access to server" as tunneling for all clients.

In the settings, they can connect to the server using IP address 10.253.0.1

 

But they can also access it with the local address of the server (in my case 192.168.1.10); is that expected behavior?

Thanks !

 

If you click the little "eye" icon next to the peer and look at the AllowedIPs you'll see the IPs the client is able to connect to. It looks like it includes both the tunnel IP and the server's LAN IP. TBH I only expected to see the tunnel IP there, but I guess it doesn't hurt.

Link to comment
4 minutes ago, Alex.b said:

Oh yes, you're right : AllowedIPs=10.253.0.1/32, 192.168.1.10/32

But doesn't appear there :

 


 

I tested the plugin a few months ago; I'm pretty sure it wasn't possible to access it with the server's LAN IP. Do I need to worry? Isn't that going to create a security issue or something? I want to compartmentalize as much as possible. (Sorry, I'm a little anxious about opening the server! 😂)

 

WireGuard has two sets of "Allowed IPs", one that goes in the server config and one that goes in the client config.

 

The webgui allows you to edit the one that goes on the server. You can click the "eye" icon next to the tunnel name to confirm that.

 

The webgui modifies the one that goes in the client file depending on what you choose for "peer type of access". If you want to modify it further after installing on the client you can, but it is usually not necessary.

 

I can't think of a reason why having both IPs there would be riskier than just having the tunnel IP. They both provide access to the server.

 

 

Link to comment
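The exchange above turns on how a WireGuard client decides which destinations go into the tunnel: each [Peer] section's AllowedIPs acts as a cryptokey routing table, and a packet only enters the tunnel when its destination matches one of those prefixes (longest prefix wins when peers overlap). The following is an added example, not code from the Unraid WireGuard plugin or from anyone in this thread. It parses constructed client configs for the three peer types discussed here (the key values and the endpoint hostname are placeholders) and reports, for a given destination, whether it is reachable through the tunnel and via which peer. With "remote access to server" the server's LAN address 192.168.1.10 is reachable because it is explicitly listed, but a neighbouring LAN host such as 192.168.1.20 is not.

```python
"""Client-side WireGuard cryptokey routing on constructed sample configs.

Added example; not part of the Unraid WireGuard plugin. Keys and the endpoint
hostname below are placeholders, not real values.
"""
import ipaddress
from typing import Dict, List, Optional, Tuple, Union

Network = Union[ipaddress.IPv4Network, ipaddress.IPv6Network]

# Constructed client configs, one per "peer type of access" named in the thread.
CLIENT_CONFIGS: Dict[str, str] = {
    "remote access to server": """
[Interface]
PrivateKey = <client-private-key-placeholder>
Address = 10.253.0.2/32

[Peer]
PublicKey = <server-public-key-placeholder>
Endpoint = vpn.example.invalid:51820
AllowedIPs = 10.253.0.1/32, 192.168.1.10/32
""",
    "remote access to LAN": """
[Interface]
PrivateKey = <client-private-key-placeholder>
Address = 10.253.0.2/32

[Peer]
PublicKey = <server-public-key-placeholder>
Endpoint = vpn.example.invalid:51820
AllowedIPs = 10.253.0.0/24, 192.168.1.0/24
""",
    "remote tunneled access": """
[Interface]
PrivateKey = <client-private-key-placeholder>
Address = 10.253.0.2/32

[Peer]
PublicKey = <server-public-key-placeholder>
Endpoint = vpn.example.invalid:51820
AllowedIPs = 0.0.0.0/0
""",
}


def parse_peer_allowed_ips(config_text: str) -> List[Tuple[str, List[Network]]]:
    """Return (PublicKey, [AllowedIPs networks]) for every [Peer] section."""
    peers: List[Tuple[str, List[Network]]] = []
    section: Optional[str] = None
    pubkey: Optional[str] = None
    nets: List[Network] = []
    for raw in config_text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and whitespace
        if not line:
            continue
        if line.startswith("[") and line.endswith("]"):
            if section == "Peer":
                peers.append((pubkey or "<unknown>", nets))
            section, pubkey, nets = line[1:-1].strip(), None, []
            continue
        if section != "Peer" or "=" not in line:
            continue
        key, value = (part.strip() for part in line.split("=", 1))
        if key == "PublicKey":
            pubkey = value
        elif key == "AllowedIPs":
            nets.extend(ipaddress.ip_network(p.strip(), strict=False)
                        for p in value.split(",") if p.strip())
    if section == "Peer":
        peers.append((pubkey or "<unknown>", nets))
    return peers


def tunnel_peer_for(dest: str, peers: List[Tuple[str, List[Network]]]) -> Optional[str]:
    """Longest-prefix match over all peers' AllowedIPs.

    Returns the PublicKey of the peer the packet is encrypted to, or None when
    no prefix matches, i.e. the packet never enters the tunnel.
    """
    addr = ipaddress.ip_address(dest)
    best: Optional[Tuple[int, str]] = None
    for pubkey, nets in peers:
        for net in nets:
            if addr.version == net.version and addr in net:
                if best is None or net.prefixlen > best[0]:
                    best = (net.prefixlen, pubkey)
    return None if best is None else best[1]


def reachable_through_tunnel(config_text: str, dest: str) -> bool:
    """True when `dest` would be sent into the tunnel under this client config."""
    return tunnel_peer_for(dest, parse_peer_allowed_ips(config_text)) is not None


def main() -> None:
    # Destinations from the thread plus one extra LAN host and one internet host.
    targets = ["10.253.0.1", "192.168.1.10", "192.168.1.20", "8.8.8.8"]
    for peer_type, cfg in CLIENT_CONFIGS.items():
        print(f"{peer_type}:")
        for dest in targets:
            via = "tunnel" if reachable_through_tunnel(cfg, dest) else "outside tunnel"
            print(f"  {dest:<14} -> {via}")


if __name__ == "__main__":
    main()
```

Because the server side keeps its own AllowedIPs per peer (the list the "eye" icon shows), the effective access is the intersection of both lists: the client will not send a destination it has no prefix for, and the server will drop tunnel traffic whose source address is not in that peer's server-side AllowedIPs.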
27 minutes ago, Alex.b said:

Okay, thanks for the clarification!

 

Last question: with the WebUI password and no access at all to shares, have I done what was necessary to "secure access" and prevent them from doing stupid things or uploading malware or something like this?

 

Please see this from the first post:
 

Quote

 

Understand that giving someone VPN access to your LAN is just like giving them physical access to your LAN, except they have it 24x7 when you aren't around to supervise.  Only give access to people and devices that you trust, and make certain that the configuration details (particularly the private keys) are not passed around insecurely. Regardless of the "connection type" you choose, assume that anyone who gets access to this configuration information will be able to get full access to your network. 

 

 

Link to comment

Do people generally use remote tunneled access or remote access to LAN if they want an always-on connection from their iOS device to access their server / apps / pihole adblocking etc.?

 

And also, does anyone know what kind of battery life impact having an always-on WireGuard VPN (with either the access to LAN or remote tunneled access option) would have on a typical iPhone 11 / 12 etc.?

Edited by Linguafoeda
Link to comment

I cannot access shares on unraid from my windows laptop.  I have "remote access to LAN" and indeed my laptop can ping my unraid server and my router, so I do indeed have a connection to devices on my LAN.  I can also access my Dockers' web GUIs.  The wireguard connection is working in every way *except* I cannot access my shares.

Even if I type the network address into file explorer \\x.x.x.x\share it cannot access the share.

I tried setting tunnels both with specified NAT port forwarding and going UPnP alternatively.  No dice.  Before OpenVPN was deprecated I was using it as a docker image and was able to get remote access to my shares no problem... so I dunno what's going on here?

[SOLVED]
Had to stop the array and add the wireguard network pool to Settings > Network Services > SMB > hosts allow = 10.253.0.0/24   After I did that I could manually enter \\serverip\share in File Explorer and then map the drive.  Big success!

Edited by clay_statue
Solved!
Link to comment
11 hours ago, clay_statue said:

I cannot access shares on unraid from my windows laptop.  I have "remote access to LAN" and indeed my laptop can ping my unraid server and my router, so I do indeed have a connection to devices on my LAN.  I can also access my Dockers' web GUIs.  The wireguard connection is working in every way *except* I cannot access my shares.

Even if I type the network address into file explorer \\x.x.x.x\share it cannot access the share.

I tried setting tunnels both with specified NAT port forwarding and going UPnP alternatively.  No dice.  Before OpenVPN was deprecated I was using it as a docker image and was able to get remote access to my shares no problem... so I dunno what's going on here?

[SOLVED]
Had to stop the array and add the wireguard network pool to Settings > Network Services > SMB > hosts allow = 10.253.0.0/24   After I did that I could manually enter \\serverip\share in File Explorer and then map the drive.  Big success!

 

Very interesting. I haven't heard of anyone having to do this before, what version of Unraid is it?

 

I don't see this setting anywhere, is it something you did under SMB Extras? Would you please post a screenshot so I can see how it all fits together?

Link to comment

I am having an issue where my android phone is working fine, but my windows laptop is not.

 

Both are configured identically, see picture. My android phone does everything. I can access my shares and web GUIs.

 

My laptop can access shares but cannot access ANY webGUIs (unraid, dockers, gateway) OR use RDP. My laptop can successfully ping my gateway/local DNS server, as well as the computer I am trying to RDP with. Unraid server can ping my laptop. The local computer I am trying to RDP onto cannot ping my laptop, however.

 

Phone and laptop are on identical wifi as of testing and I have already tried opening the firewalls. My laptop can only successfully ping using IP address, not hostname, but NSLOOKUP shows correct entries coming from my local DNS/Gateway.

 

Any thoughts? 

 

https://imgur.com/a/Tky0Bcp

Edited by Bulletoverload
Link to comment

I'm trying to get access to a docker that has a custom IP. I've tried to do everything listed in the complex setups section, but just can't get it to work.

 

Currently I can access the Unraid server over the wg connection. I can access dockers that use the server IP. I can access other LAN devices. But I cannot access dockers with a custom IP.

 

I have set Use NAT to No and I have Host access to custom networks enabled. I'm using DD-WRT on my router and have set a static route as follows. Is it set correctly?

 

Edit: I have Peer type set to 'Remote access to LAN'.

 


Edited by lsaranto
Link to comment
2 hours ago, lsaranto said:

I'm trying to get access to a docker that has a custom IP. I've tried to do everything listed in the complex setups section, but just can't get it to work.

 

Currently I can access the Unraid server over the wg connection. I can access dockers that use the server IP. I can access other LAN devices. But I cannot access dockers with a custom IP.

 

I have set Use NAT to No and I have Host access to custom networks enabled. I'm using DD-WRT on my router and have set a static route as follows. Is it set correctly?


 

It looks like you have set the Gateway to the IP of your router? Per the OP that should be the IP of your Unraid system.

 

 

Link to comment
1 minute ago, ljm42 said:

 

It looks like you have set the Gateway to the IP of your router? Per the OP that should be the IP of your Unraid system.

 

 

 

Yes, I should have been more clear. My Unraid is 192.168.0.1. My router is 192.168.0.254. Call me weird, but I don't like the router taking the first address.

Link to comment

I think my docker settings were somewhat corrupted. I think even though 'Host access to custom networks' showed enabled it actually wasn't. Possibly for containers created after a certain Unraid update. I stopped and started the docker service a couple of times and toggled the Host access setting back and forth in between. Now I have access to docker containers with custom IPs, too.

Link to comment

Now I have an issue with the Local tunnel firewall option, which doesn't seem to have any effect. I've entered the IP of the docker I want to access and changed the rule to Allow. However when testing I can still access any IP on the LAN. I also tried rule Deny, but that didn't have any effect either.

 

Have I misunderstood the purpose of that setting?

Link to comment
3 minutes ago, lsaranto said:

Now I have an issue with the Local tunnel firewall option, which doesn't seem to have any effect. I've entered the IP of the docker I want to access and changed the rule to Allow. However when testing I can still access any IP on the LAN. I also tried rule Deny, but that didn't have any effect either.

 

Have I misunderstood the purpose of that setting?

 

I have actually never used that feature. Thinking out loud... I wonder if it can't block access to resources that are on this server? See if it works to block access to something else on your network.

Link to comment
On 9/11/2021 at 8:25 PM, Bulletoverload said:

I am having an issue where my android phone is working fine, but my windows laptop is not.

 

Both are configured identically, see picture. My android phone does everything. I can access my shares and web GUIs.

 

My laptop can access shares but cannot access ANY webGUIs (unraid, dockers, gateway) OR use RDP. My laptop can successfully ping my gateway/local DNS server, as well as the computer I am trying to RDP with. Unraid server can ping my laptop. The local computer I am trying to RDP onto cannot ping my laptop, however.

 

Phone and laptop are on identical wifi as of testing and I have already tried opening the firewalls. My laptop can only successfully ping using IP address, not hostname, but NSLOOKUP shows correct entries coming from my local DNS/Gateway.

 

Any thoughts? 

 

https://imgur.com/a/Tky0Bcp

Anything @ljm42?

 

 

Edit: Never mind! I just got the WireGuard update and it's working now. Weird. 

Edited by Bulletoverload
Link to comment

Hi guys, 

 

So I managed to set up WireGuard in UNRAID and everything runs fine so far. However, I noticed that I'm unable to access some of my Docker applications that are running behind an NGINX reverse proxy. Does anyone have an idea what might lead to them being inaccessible? 

 

Wireguard client is connected using 'Remote tunnelled access'

NAT is disabled in the Wireguard settings

I am running a static route to my UNRAID Server in my Unifi Controller

Wireguard's port is forwarded in Unifi's port forwarding settings

 

Happy to provide more information, if needed.

 

Link to comment
