WireGuard quickstart



I've set up wireguard for a complex network but I'm unable to access my shinobicctv docker that is on a vlan. The vlan has a subnet of 10.5.20.0/24. I'm able to ping and tracert all ip addresses on the vlan through wireguard but can't access them via webgui. I can access the router at 10.5.20.1 though. Any ideas?

Link to comment
  • 2 weeks later...

I've been trying for way too long to get a split tunnel VPN working... I've searched this post repeatedly but still am a bit confused.

 

My goal: I want to use my home DNS (dual piholes), have access to local IPs, with all external network data skipping the tunnel (limited upload at site).

 

I have a fully working remote tunneled access setup, wg0. This works perfectly on numerous clients.

 

[Interface]
#wg0
PrivateKey=deleted=
Address=10.253.0.1
ListenPort=51820
PostUp=logger -t wireguard 'Tunnel WireGuard-wg0 started'
PostDown=logger -t wireguard 'Tunnel WireGuard-wg0 stopped'

[Peer]
#01
PublicKey=deleted=
PresharedKey=deleted=
AllowedIPs=10.253.0.2

=====================================

[Interface]
#01
PrivateKey=deleted=
Address=10.253.0.2/32
DNS=192.168.1.112,192.168.1.111

[Peer]
#rehoboam
PresharedKey=deleted=
PublicKey=deleted=
Endpoint=deleted.com:51820
AllowedIPs=0.0.0.0/0

 

I have been trying (unsuccessfully) to get a split tunnel up. Here's my current not working config for wg1.

 

[Interface]
#wg1
PrivateKey=deleted=
Address=10.253.1.1
ListenPort=51821
PostUp=logger -t wireguard 'Tunnel WireGuard-wg1 started'
PostDown=logger -t wireguard 'Tunnel WireGuard-wg1 stopped'

[Peer]
#01 
PublicKey=deleted=
PresharedKey=deleted=
AllowedIPs=10.253.1.2,192.168.0.0/21

======================================

[Interface]
#01 
PrivateKey=deleted=
Address=10.253.1.2/32
DNS=192.168.1.112,192.168.1.111

[Peer]
#rehoboamsplit
PresharedKey=deleted=
PublicKey=deleted=
Endpoint=deleted.com:51821
AllowedIPs=10.253.1.1/32, 192.168.1.0/24

 

I have repeated all configuration changes for the new tunnel including adding static routes and port forwarding.

 

Static routes [screenshot omitted]

 

Port forwarding overview [screenshot omitted]

 

Detail of the new wg1 address, matches 51820 [screenshot omitted]

 

Resulting WAN in firewall [screenshot omitted]

Any tips what I'm doing wrong?

Link to comment
  • 3 weeks later...

I cannot add a peer or modify an existing Wireguard peer. Every time I try, the message below appears:
 

I wanted to change a particular peer from Access to Server to Access to LAN but it's a no go due to this message about the peer name.  I cannot make any changes to peers at all.

 

I am running 6.10 RC1 on this server. Could it be related to that version in particular?

[screenshot of the error message omitted]

 

UPDATE:  It looks like I was able to change it on another computer (Chrome instead of Firefox).  I did not get this popup message and it let me make the change after correcting the error in another peer name.  Apparently, allowed characters in peer names have changed since I first set up the peers.  A peer I was not trying to change in any way contained an invalid character (an apostrophe) and was triggering the warning even though it had nothing to do with my attempt to add a new peer or change an existing peer.

Edited by Hoopster
Link to comment

Thanks for the brilliant guide - I followed it some time ago and it has been working fine. However I noticed some behaviour today that made me question if I knew just what I thought it was doing, or indeed how private data in the tunnel is.

 

Was at a mate's place whose ISP has some very strict content filters done at the ISP level, not at his home network level. I have WireGuard configured on my phone to connect back to my unRaid server in "Remote Tunneled Access" mode. Connecting to his WiFi and then turning WireGuard on I could access addresses on my home LAN - WireGuard was connected correctly. I then searched for a few terms that would trigger his ISP's content filter, and I was redirected to the "access denied" page from his ISP. I thought this wasn't possible? Surely my search should have been directed through the tunnel and out my home ISP? How is his ISP capturing the data in the tunnel between my phone and my server? We both use different ISPs, so it was very obvious that it was his ISP filtering/restricting my VPN traffic, not mine.

 

Things I tried:

  • Connect to my home lan via data/WireGuard - no restrictions.
  • Connect to my home lan via mate's Wifi/WireGuard - content restrictions.
  • Check "My IP" while connected via mate's WiFi/WireGuard - showed my home static address.

Interestingly, I turned on the bundled VPN in the latest Opera mobile browser while connected to mate's WiFi - "My IP" showed an address in Sweden, and the same searches that would trigger the content filter while connected to my VPN would now work without restriction.

 

This experience has shaken my faith in using WireGuard on insecure networks, say coffee shops etc, as it seems as if a "man in the middle" is able to read the supposedly-encrypted traffic between my device and my server. I'd really appreciate if someone was able to cast some light on just what is going on here.

 

Thanks.

 

Link to comment

I am just getting started with Unraid but from what I can tell from @Curious_George's scenario, it seems to me that he might be sending DNS queries to the locally connected LAN rather than sending the DNS queries back to his home network to be resolved by his home DNS server/ISP. I believe there is a setting for this in the Wireguard settings but I can't remember where it is now.

Edited by Arius
Link to comment
On 10/25/2021 at 1:05 AM, Curious_George said:

Was at a mate's place whose ISP has some very strict content filters done at the ISP level, not at his home network level. I have WireGuard configured on my phone to connect back to my unRaid server in "Remote Tunneled Access" mode. Connecting to his WiFi and then turning WireGuard on I could access addresses on my home LAN - WireGuard was connected correctly. I then searched for a few terms that would trigger his ISP's content filter, and I was redirected to the "access denied" page from his ISP. I thought this wasn't possible? Surely my search should have been directed through the tunnel and out my home ISP? How is his ISP capturing the data in the tunnel between my phone and my server? We both use different ISPs, so it was very obvious that it was his ISP filtering/restricting my VPN traffic, not mine.

 

It sounds like your client is using the local LAN's DNS server. This shouldn't really be possible if you are in "Remote Tunneled Access" mode. 

 

Note that every time you make a change to the VPN settings, you need to download the new settings to the client. If I had to guess, I'd say you first set this up using one of the other modes, then changed the server to "Remote Tunneled Access" and forgot to forward the change to the client.

 

I'd suggest that you delete the client config, then confirm the server is set to Remote Tunneled Access and has the Peer DNS server set to whatever DNS you use on your LAN. Then download the config to the client again.

Link to comment
10 hours ago, Konstellis said:

I would like to make my SMB shares remotely accessible to a guest (read-only) via wireguard.

The shares are set to "Secure" and a guest account is present.

 

How can I create a WG tunnel/peer which is exclusively tied to the guest account?

 

WireGuard creates a VPN tunnel, it doesn't care what you do with it. There is no concept of exclusively tying it to an SMB guest account.

 

Link to comment
On 10/3/2021 at 7:16 PM, bigmak said:

I've been trying for way too long to get a split tunnel VPN working... I've searched this post repeatedly but still am a bit confused.

 

My goal: I want to use my home DNS (dual piholes), have access to local IPs, with all external network data skipping the tunnel (limited upload at site).

 

I have a fully working remote tunneled access setup, wg0. This works perfectly on numerous clients.

 

I have been trying (unsuccessfully) to get a split tunnel up. Here's my current not working config for wg1.

 

It is the peer/client that controls whether to use split tunneling or not. Because of this, you just need wg0.

 

* On wg0, you have already created a peer that uses "remote tunneled access". I assume you set the "Peer DNS Server" to your pihole.

* For split tunneling, on wg0 create another peer with "remote access to LAN". You will want to set the "Peer DNS Server" to your pihole here as well. 

* Download both peer configs to your client and switch between them as needed.

 

Link to comment
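The two replies above turn on the same question: whether the client's config actually sends DNS lookups into the tunnel. A full-tunnel peer ("remote tunneled access") only hides DNS from the local Wi-Fi if a DNS= line is present, and a split-tunnel peer ("remote access to LAN") only reaches a home pihole if that address falls inside AllowedIPs. The script below is an added example, not code from this thread or from Unraid: it parses client configs in the same INI-like format as the ones posted above and reports the tunnel mode and any DNS server that the config would route outside the tunnel. The three sample configs, their key material and the vpn.example.invalid endpoint are constructed placeholders.

```python
"""Check a WireGuard client config for tunnel mode and DNS routing.
Added example for this thread; not Unraid's or WireGuard's own code."""
import ipaddress
from typing import Dict, List, Optional

# Constructed samples in the shape of the configs posted in the thread.
# Key material and the endpoint are placeholders, not real values.
SPLIT_CLIENT = """\
[Interface]
#01
PrivateKey=PLACEHOLDER_PRIVATE_KEY=
Address=10.253.1.2/32
DNS=192.168.1.112,192.168.1.111

[Peer]
#rehoboamsplit
PresharedKey=PLACEHOLDER_PSK=
PublicKey=PLACEHOLDER_PUBLIC_KEY=
Endpoint=vpn.example.invalid:51821
AllowedIPs=10.253.1.1/32, 192.168.1.0/24
"""

# Full tunnel whose DNS= line is missing: the phone keeps using whatever
# resolver the local Wi-Fi handed out, so lookups never enter the tunnel.
FULL_NO_DNS = """\
[Interface]
PrivateKey=PLACEHOLDER_PRIVATE_KEY=
Address=10.253.0.2/32

[Peer]
PublicKey=PLACEHOLDER_PUBLIC_KEY=
Endpoint=vpn.example.invalid:51820
AllowedIPs=0.0.0.0/0
"""

# Split tunnel pointed at a public resolver that AllowedIPs does not cover.
SPLIT_PUBLIC_DNS = SPLIT_CLIENT.replace(
    "DNS=192.168.1.112,192.168.1.111", "DNS=1.1.1.1")

Section = Dict[str, List[str]]


def parse_wg_config(text: str) -> List[Section]:
    """Parse WireGuard's INI-like syntax into a list of sections.
    Values are lists because a key such as AllowedIPs may repeat."""
    sections: List[Section] = []
    current: Optional[Section] = None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop "#wg0" style comments
        if not line:
            continue
        if line.startswith("[") and line.endswith("]"):
            current = {"_name": [line[1:-1]]}
            sections.append(current)
            continue
        if current is None or "=" not in line:
            raise ValueError(f"unexpected line outside a section: {raw!r}")
        key, value = line.split("=", 1)  # split once: base64 keys end in "="
        current.setdefault(key.strip(), []).append(value.strip())
    return sections


def _split_list(values: List[str]) -> List[str]:
    """Flatten comma-separated values such as 'a/32, b/24' into items."""
    return [item.strip() for v in values for item in v.split(",") if item.strip()]


def analyse(text: str) -> dict:
    """Report tunnel mode and DNS servers that would bypass the tunnel."""
    sections = parse_wg_config(text)
    iface = next(s for s in sections if s["_name"][0] == "Interface")
    peers = [s for s in sections if s["_name"][0] == "Peer"]
    allowed = [ipaddress.ip_network(a, strict=False)
               for p in peers for a in _split_list(p.get("AllowedIPs", []))]
    dns = [ipaddress.ip_address(d) for d in _split_list(iface.get("DNS", []))]
    full = any(n.prefixlen == 0 for n in allowed)  # 0.0.0.0/0 or ::/0
    findings = []
    if full and not dns:
        findings.append("full tunnel but no DNS= line: the local network's "
                        "resolver stays in use")
    for server in dns:
        if not any(server in n for n in allowed):
            findings.append(f"DNS server {server} is outside AllowedIPs; "
                            "lookups leave via the local network")
    return {"mode": "full" if full else "split",
            "allowed_ips": [str(n) for n in allowed],
            "dns": [str(d) for d in dns],
            "findings": findings}


if __name__ == "__main__":
    for name, cfg in [("split", SPLIT_CLIENT), ("full-no-dns", FULL_NO_DNS),
                      ("split-public-dns", SPLIT_PUBLIC_DNS)]:
        print(name, analyse(cfg))
```

Run it against a config downloaded from the Unraid peer page (with the keys left in; the parser ignores them) to see which of the two situations a misbehaving client is in: a missing DNS line on a full tunnel reproduces the filtering seen at the mate's place, and a resolver outside AllowedIPs on a split tunnel explains a pihole that is never consulted.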
3 hours ago, Konstellis said:

 

Thank you for your reply!

So there is no way to make an SMB share remotely accessible with read-only permissions?

First make the share read only for a given user, then provide the user with a Wireguard config.

 

I.e., when you make the share read only for a given user, it is read only regardless of whether you are directly connected on the LAN or connected via Wireguard.

Link to comment

I have followed the tutorials, guides and videos multiple times but I am unable to figure out the following; I cannot access my other 'lan' devices, be it another PC with an SMB share or my Synology NAS via Share or WebGUI. I have access to my server and docker containers hosted on the Unraid Server however.

 

I have set up the following on Unraid/Wireguard;

 

Use NAT = No
Use UPnP = Yes
Host access to custom networks = enabled
Local Network Pool = 10.253.0.0/24
Peer DNS = 1.1.1.1

Tried both Remote tunneled access and Remote Access to LAN

In my Router (TP-LINK) I have set the following;
Static Routing: dest-net 10.253.0.0 255.255.255.0 10.75.75.7 Enabled (Advanced Routing > Static Routing List)
Port Forwarding: 51820 > 51820 on 10.75.75.7 (I know this should not be needed with UPnP, just to be sure)

I have also tried;
- With "Use NAT" = Yes and "Host access to custom networks" = disabled (static route optional)
- With "Use NAT" = No and "Host access to custom networks" = disabled and static route 

Is there something I am totally overlooking, as at this point I have no clue anymore? I tried different configs and double-checked stuff, assuming that "VMs and other systems on LAN - accessible!" also includes my other PCs and the Synology NAS?

Edited by Ocgineer
Link to comment
3 hours ago, Ocgineer said:

Is there something I am totally overlooking as at this point I have no clue anymore.

 

TBH I can't see any issues with your config; it seems like it should give you access to your whole network. Unfortunately, I don't have any suggestions.

Link to comment

After following the quickstart guide I can't get wireguard to create a handshake. I have set up my port forward and tried multiple connection methods, I want to use tunneled access but have been unsuccessful with any. I'm using duckdns. Is there a way I can verify if traffic is traversing through my unifi network at all?

Edited by wolfNZ
Link to comment

I’m having trouble successfully adding a second client.

 

I got everything functioning properly with a “remote tunnel access” setup for my phone following the directions for complex network setup. When I go to add an additional peer, the first peer no longer functions, even if they are not connected simultaneously.

 

I tried to work around this by setting up a second tunnel, each with one peer, but I seem to only be able to set one tunnel active at a time. 
 

is there any way to successfully add the second peer? 

Link to comment
  • 2 weeks later...

I've gone through the set-up and troubleshooting several times and still having issues with getting Remote Tunneled Access working correctly. Help, I'm stuck. 

 

Symptoms: 

  • Can connect to VPN but only able to access unraid (192.168.1.107)
  • No access to other LAN IPs. I know dockers with custom IPs won't work, but I can't even access IP cameras, other devices, router, etc.
  • No Access to Router (192.168.1.254).
  • No internet when using router ip as DNS. When adding a public dns like 1.1.1.1, I can access internet, but still no access to other LAN devices. 

Troubleshooting

  • Tried connecting from different wifi network that is on different subnet (192.168.68.x)
  • Tried connecting from 5G cell network
  • Tried on both cell phone (wifi and 5g) and laptop (wifi)
  • Updated apps, updated vpn files/config
  • UDP port forwarded
  • Settings>Network Settings>Enable Bridging = Yes
  • Settings>Docker>Host Access to Custom Networks = Yes

I used to use OpenVPN and didn't have issues so I'm pretty sure my network setup isn't overly complicated. Attached images of VPN and Network settings for reference.

 

[screenshots of network settings and VPN settings omitted]

Link to comment
34 minutes ago, CorserMoon said:

haven't gotten any help so trying a new thread.

Please don't do this. If you feel you haven't gotten attention after a reasonable time, just bump the thread of your original post.

 

There are good reasons crossposting has been considered bad on message boards since before the world wide web. How can we coordinate responses if you have the same question in multiple threads?

 

I have merged your thread back into the original thread.

 

 

Link to comment
On 11/24/2021 at 12:36 PM, CorserMoon said:

I've gone through the set-up and troubleshooting several times and still having issues with getting Remote Tunneled Access working correctly. Help, I'm stuck. 

 

Symptoms: 

  • Can connect to VPN but only able to access unraid (192.168.1.107)
  • No access to other LAN IPs. I know dockers with custom IPs won't work, but I can't even access IP cameras, other devices, router, etc.
  • No Access to Router (192.168.1.254).
  • No internet when using router ip as DNS. When adding a public dns like 1.1.1.1, I can access internet, but still no access to other LAN devices. 

Troubleshooting

  • Tried connecting from different wifi network that is on different subnet (192.168.68.x)
  • Tried connecting from 5G cell network
  • Tried on both cell phone (wifi and 5g) and laptop (wifi)
  • Updated apps, updated vpn files/config
  • UDP port forwarded
  • Settings>Network Settings>Enable Bridging = Yes
  • Settings>Docker>Host Access to Custom Networks = Yes

I used to use OpenVPN and didn't have issues so I'm pretty sure my network setup isn't overly complicated. Attached images of VPN and Network settings for reference.

 

[screenshots of network settings and VPN settings omitted]

bump?

Link to comment

Going nuts trying to figure out what is causing my issue with wireguard. Connecting from windows 10 machines. Can access the internet with my browser after connecting to wireguard with the remote tunnelling option, however I can not connect to my unraid server. I get "Hmmm… your Internet access is blocked. Firewall or antivirus software may have blocked the connection." on 2 different laptops. My server dashboard shows the unraid server online but when I click local access I get the error message. However on my android phone it works fine after I connect to wireguard. I am able to get to my unraid server and use the tunnel for internet access. Looking for suggestions.

Link to comment
