WireGuard quickstart


Running UnRAID 6.10.RC2 utilizing the built-in WireGuard VPN. I can connect a phone and laptop just fine. I can ping the unRAID server and get to the internet, all through the tunnel. What I can't do is get to other things on my local network that are on the same VLAN as the unRAID server. I have the tunnel set for "Remote tunnel access". Seems I am missing a route somewhere, but can't figure it out. Routing table shown below. unRAID is 10.5.254.80/24 and VPN clients are 10.5.253.2 and .3.

Thoughts on this one?

(screenshot: routing table)

astro-server-diagnostics-20220211-1000.zip

Link to comment
On 2/5/2022 at 10:53 PM, J05u said:

I am having no issues connecting to my server via WireGuard, but I can't connect to dockers on my network.

46 minutes ago, mgadbois said:

Seems I am missing a route somewhere, but can't figure it out.

Sounds like you need to add a static route to your *router* so that devices on your network can communicate with the WireGuard network pool. See the "Complex Networks" portion of the first post in this thread.

If you continue to have issues, read the section below that explains how "Use NAT", "host access to custom networks", and having a static route all interact. Certain combinations do not work well together.

Link to comment
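To make the routing point concrete, here is an added Python example (not code from the thread or from Unraid) that simulates the route lookup a LAN device performs when it replies to a WireGuard peer. Addresses are taken from the first post (Unraid at 10.5.254.80/24, tunnel pool 10.5.253.0/24, peer 10.5.253.2); the default gateway 10.5.254.1 is an assumption. It goes one step beyond the post by also modelling the "Use NAT" alternative, i.e. the MASQUERADE rule that shows up in the iptables dump later in the thread.

```python
"""Longest-prefix route lookup for a LAN device replying to a WireGuard peer.
Added example; see the lead-in for what is taken from the thread and what is assumed."""
import ipaddress
from typing import List, Optional, Tuple

Route = Tuple[str, Optional[str]]  # (prefix, next hop); next hop None means on-link


def lookup(routes: List[Route], dst: str) -> Optional[str]:
    """Longest-prefix match as the kernel does it. Returns the next-hop address,
    "on-link" for a directly connected destination, or None if unroutable."""
    dst_ip = ipaddress.ip_address(dst)
    best_net: Optional[ipaddress.IPv4Network] = None
    best_via: Optional[str] = None
    for prefix, via in routes:
        net = ipaddress.ip_network(prefix)
        if dst_ip in net and (best_net is None or net.prefixlen > best_net.prefixlen):
            best_net, best_via = net, via
    if best_net is None:
        return None
    return best_via if best_via is not None else "on-link"


# Routing table of an ordinary LAN device: its own subnet plus a default gateway
# (10.5.254.1 is assumed). It knows nothing about the tunnel pool behind Unraid.
LAN_ROUTES: List[Route] = [
    ("0.0.0.0/0", "10.5.254.1"),
    ("10.5.254.0/24", None),
]

# The static route from the reply above: the tunnel pool is reached via Unraid's
# LAN address. Added once on the router, every LAN device inherits it.
STATIC_ROUTE: Route = ("10.5.253.0/24", "10.5.254.80")


def reply_next_hop(routes: List[Route], use_nat: bool,
                   peer: str = "10.5.253.2", unraid: str = "10.5.254.80") -> Optional[str]:
    """Where a LAN device sends its reply to a packet that came in from `peer`.
    With "Use NAT" on, Unraid masquerades the peer behind its own LAN address
    (the '-s <pool> -o br0 -j MASQUERADE' rule in the iptables dump later in the
    thread), so the device replies to Unraid directly. Without NAT it replies to
    the peer's tunnel address and needs a route for the pool."""
    return lookup(routes, unraid if use_nat else peer)


if __name__ == "__main__":
    print("no route, no NAT :", reply_next_hop(LAN_ROUTES, use_nat=False))
    print("static route     :", reply_next_hop(LAN_ROUTES + [STATIC_ROUTE], use_nat=False))
    print("Use NAT          :", reply_next_hop(LAN_ROUTES, use_nat=True))
```

Without the static route the reply follows the default route to the Internet gateway, which has no route for 10.5.253.0/24, so the peer sees a one-way connection: its packets arrive, the answers never come back. With the route on the router, replies take a hop through the router before reaching Unraid, so the router has to be willing to forward between the two.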

I was on vacation for a week; when I got back my flash drive had some issues, so I restored from a week-old backup.
Anyway, everything is fine except my WireGuard isn't working. It won't stay Active. I click the slider, it shows Active, I change tabs and go back and it's Inactive. I uninstalled the plugin, reinstalled, and same thing; my old peers are still there too.

Any ideas? How do I completely erase WireGuard so when I install it, it's brand new? Logs show nothing.

Link to comment
18 hours ago, MylesM said:

I'm trying to use the "server hub & spoke access" type of access so that some of my peers should be able to talk to each other. My peers can connect and they can ping the server, but they can't ping each other and the server can't ping them either. Did I miss something?

You'll want to ping the tunnel IPs, not the LAN/WAN IPs.

The tunnel has its own network range:

(screenshot)

The server usually has a .1 address in that pool:

(screenshot)

And then each peer has a unique address in that pool:

(screenshot)

Link to comment
7 minutes ago, ljm42 said:

Go to Settings -> VPN Manager. For each tunnel, change the slider from Basic to Advanced, then choose the Delete Tunnel option.

Thanks, I figured this out last night, but when I tried to set it up again, nothing would save. Type a name, generate a key, etc.; clicking save would do nothing. Think my USB is bad, or?

Link to comment
2 minutes ago, nxtiak said:

Thanks, I figured this out last night, but when I tried to set it up again, nothing would save. Type a name, generate a key, etc.; clicking save would do nothing. Think my USB is bad, or?

When you hit save, does the cursor move to a new field so you can fix a value? I.e. maybe you are using an invalid character in the name. If not, try switching the slider from basic to advanced and see if it moves to a field now.

Link to comment
4 hours ago, ljm42 said:

When you hit save, does the cursor move to a new field so you can fix a value? I.e. maybe you are using an invalid character in the name. If not, try switching the slider from basic to advanced and see if it moves to a field now.

When I type anything in the Local Name (anything like 1234 or myserver) and click Apply, the cursor goes to Local Public Key to enter a value. I click generate keypair, then I click Apply and the page refreshes and nothing is saved. I go to Advanced and type something in all the fields and the same thing happens.

Link to comment
3 hours ago, nxtiak said:

When I type anything in the Local Name (anything like 1234 or myserver) and click Apply, the cursor goes to Local Public Key to enter a value. I click generate keypair, then I click Apply and the page refreshes and nothing is saved. I go to Advanced and type something in all the fields and the same thing happens.

Can you try a different browser?

Link to comment
5 hours ago, bonienl said:

The conf file should reside on your usb drive.

Have you tried to do a file system repair of the USB drive?
Take the drive out (after shutting down) and run a repair on a Windows machine.

So I did that last week and it found errors. So today I decided it's probably time to swap out the USB drive. I just did it and I'm able to save the configuration, but I can't activate it; wg-quick up wg0 now gives an error:

root@Server:~# wg-quick up wg0
[#] ip link add wg0 type wireguard
Error: Unknown device type.
Unable to access interface: Protocol not supported
[#] ip link delete dev wg0
Cannot find device "wg0"
root@Server:~#

Link to comment

I have WireGuard up and running and I am able to connect to my Unraid server from anywhere. It works awesome.

I am working out of the country currently and I am still able to connect to my local network, but I was under the impression that I could use the WireGuard VPN to get around geo-blockers and visit websites and video services as if I was in my home country (USA). But when I try to hit, for instance, a local Florida news website, www.WESH.com, I get stopped with:

"Sorry, this content is not available in your region."

My type of access is "Remote Tunneled Access".

TIA

Link to comment

Hi,

the setup "Remote access to LAN" works fine; the client is connected and can ping the IPs in the remote LAN.

But in the config I set "Local tunnel firewall" to Allow and only listed 10.0.0.11 as allowed.

Nevertheless I am able to ping 10.0.0.10 (the Unraid server itself), but no other hosts.

Is that by design and cannot be removed?

Attached is the generated iptables config:

# Generated by iptables-save v1.8.5 on Fri Mar  4 21:31:04 2022
*mangle
:PREROUTING ACCEPT [585916432:1133041336885]
:INPUT ACCEPT [40469455:499819706678]
:FORWARD ACCEPT [546394462:633615039025]
:OUTPUT ACCEPT [32114760:4849559837]
:POSTROUTING ACCEPT [578543223:638470079442]
:LIBVIRT_PRT - [0:0]
-A POSTROUTING -j LIBVIRT_PRT
COMMIT
# Completed on Fri Mar  4 21:31:04 2022
# Generated by iptables-save v1.8.5 on Fri Mar  4 21:31:04 2022
*nat
:PREROUTING ACCEPT [98:29053]
:INPUT ACCEPT [67:21594]
:OUTPUT ACCEPT [32:2057]
:POSTROUTING ACCEPT [60:9200]
:DOCKER - [0:0]
:LIBVIRT_PRT - [0:0]
-A PREROUTING -m addrtype --dst-type LOCAL -j DOCKER
-A OUTPUT ! -d 127.0.0.0/8 -m addrtype --dst-type LOCAL -j DOCKER
-A POSTROUTING -s 172.17.0.0/16 ! -o docker0 -j MASQUERADE
-A POSTROUTING -j LIBVIRT_PRT
-A POSTROUTING -s 172.17.0.2/32 -d 172.17.0.2/32 -p tcp -m tcp --dport 3875 -j MASQUERADE
-A POSTROUTING -s 172.17.0.4/32 -d 172.17.0.4/32 -p tcp -m tcp --dport 8181 -j MASQUERADE
-A POSTROUTING -s 172.17.0.4/32 -d 172.17.0.4/32 -p tcp -m tcp --dport 8080 -j MASQUERADE
-A POSTROUTING -s 172.17.0.4/32 -d 172.17.0.4/32 -p tcp -m tcp --dport 4443 -j MASQUERADE
-A POSTROUTING -s 10.253.0.0/24 -o br0 -j MASQUERADE
-A DOCKER -i docker0 -j RETURN
-A DOCKER ! -i docker0 -p tcp -m tcp --dport 3875 -j DNAT --to-destination 172.17.0.2:3875
-A DOCKER ! -i docker0 -p tcp -m tcp --dport 7818 -j DNAT --to-destination 172.17.0.4:8181
-A DOCKER ! -i docker0 -p tcp -m tcp --dport 1880 -j DNAT --to-destination 172.17.0.4:8080
-A DOCKER ! -i docker0 -p tcp -m tcp --dport 18443 -j DNAT --to-destination 172.17.0.4:4443
COMMIT
# Completed on Fri Mar  4 21:31:04 2022
# Generated by iptables-save v1.8.5 on Fri Mar  4 21:31:04 2022
*filter
:INPUT ACCEPT [2045:465504]
:FORWARD ACCEPT [188:71769]
:OUTPUT ACCEPT [1269:1510752]
:DOCKER - [0:0]
:DOCKER-ISOLATION-STAGE-1 - [0:0]
:DOCKER-ISOLATION-STAGE-2 - [0:0]
:DOCKER-USER - [0:0]
:LIBVIRT_FWI - [0:0]
:LIBVIRT_FWO - [0:0]
:LIBVIRT_FWX - [0:0]
:LIBVIRT_INP - [0:0]
:LIBVIRT_OUT - [0:0]
:WIREGUARD - [0:0]
:WIREGUARD_DROP_WG0 - [0:0]
-A INPUT -j LIBVIRT_INP
-A FORWARD -j DOCKER-USER
-A FORWARD -j DOCKER-ISOLATION-STAGE-1
-A FORWARD -o docker0 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -o docker0 -j DOCKER
-A FORWARD -i docker0 ! -o docker0 -j ACCEPT
-A FORWARD -i docker0 -o docker0 -j ACCEPT
-A FORWARD -j LIBVIRT_FWX
-A FORWARD -j LIBVIRT_FWI
-A FORWARD -j LIBVIRT_FWO
-A FORWARD -j WIREGUARD
-A OUTPUT -j LIBVIRT_OUT
-A DOCKER -d 172.17.0.2/32 ! -i docker0 -o docker0 -p tcp -m tcp --dport 3875 -j ACCEPT
-A DOCKER -d 172.17.0.4/32 ! -i docker0 -o docker0 -p tcp -m tcp --dport 8181 -j ACCEPT
-A DOCKER -d 172.17.0.4/32 ! -i docker0 -o docker0 -p tcp -m tcp --dport 8080 -j ACCEPT
-A DOCKER -d 172.17.0.4/32 ! -i docker0 -o docker0 -p tcp -m tcp --dport 4443 -j ACCEPT
-A DOCKER-ISOLATION-STAGE-1 -i docker0 ! -o docker0 -j DOCKER-ISOLATION-STAGE-2
-A DOCKER-ISOLATION-STAGE-1 -j RETURN
-A DOCKER-ISOLATION-STAGE-2 -o docker0 -j DROP
-A DOCKER-ISOLATION-STAGE-2 -j RETURN
-A DOCKER-USER -j RETURN
-A WIREGUARD -o br0 -j WIREGUARD_DROP_WG0
-A WIREGUARD_DROP_WG0 -s 10.253.0.0/24 -d 10.0.0.11/32 -j ACCEPT
-A WIREGUARD_DROP_WG0 -s 10.253.0.0/24 -j DROP
-A WIREGUARD_DROP_WG0 -j RETURN
COMMIT
# Completed on Fri Mar  4 21:31:04 2022

Edited by Thomas K
Link to comment

-A WIREGUARD -o br0 -j WIREGUARD_DROP_WG0
-A WIREGUARD_DROP_WG0 -s 10.253.0.0/24 -d 10.0.0.11/32 -j ACCEPT
-A WIREGUARD_DROP_WG0 -s 10.253.0.0/24 -j DROP
-A WIREGUARD_DROP_WG0 -j RETURN

Why are the iptables rules created on br0 and not wg0?

A tcpdump shows that the traffic from the peer to the WireGuard host is not crossing br0, only wg0, so the rule does not match.

Traffic from the peer to other local LAN destinations crosses br0, and so the rule matches.

Edited by Thomas K
Link to comment

Worked it out: you have to filter the INPUT chain of the wg0 device for incoming traffic. My example, if someone else needs it:

# Traffic from wg0 that is addressed to the Unraid host itself takes the INPUT
# chain, not FORWARD, so the generated WIREGUARD chain (-o br0) never sees it.
iptables -N WIREGUARD_INPUT
iptables -N WIREGUARD_DROP_WG0_INPUT
iptables -A INPUT -j WIREGUARD_INPUT

# Only packets arriving on wg0 are sent to the filtering chain.
iptables -A WIREGUARD_INPUT -i wg0 -j WIREGUARD_DROP_WG0_INPUT
# Same allow-list as the FORWARD rules: permit the one allowed destination,
# drop everything else from the tunnel pool, return for anything else.
iptables -A WIREGUARD_DROP_WG0_INPUT -s 10.253.0.0/24 -d 10.0.0.11/32 -j ACCEPT
iptables -A WIREGUARD_DROP_WG0_INPUT -s 10.253.0.0/24 -j DROP
iptables -A WIREGUARD_DROP_WG0_INPUT -j RETURN

Link to comment
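The FORWARD-versus-INPUT distinction in the two posts above can be checked without touching a live firewall. The following is an added Python example, not code from Unraid or from the thread: a small model of netfilter chain traversal that parses the rules quoted above (the generated WIREGUARD chain and the INPUT fix) and evaluates three packets from a peer. It models only the filter table's INPUT and FORWARD hooks and the -s/-d/-i/-o/-j options those rules use; the docker and libvirt chains and the nat table from the dump are left out. The peer address 10.253.0.2 and the second LAN host 10.0.0.12 are assumptions; 10.0.0.10 and 10.0.0.11 come from the post.

```python
"""Minimal model of netfilter chain traversal: INPUT vs FORWARD.
Added example; see the lead-in for what is taken from the thread and what is assumed."""
import ipaddress
import shlex
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass
class Rule:
    src: Optional[ipaddress.IPv4Network]
    dst: Optional[ipaddress.IPv4Network]
    in_if: Optional[str]
    out_if: Optional[str]
    target: str


@dataclass
class Packet:
    src: str
    dst: str
    in_if: str
    out_if: Optional[str]  # None: addressed to the host itself (INPUT path)


def parse_rules(text: str) -> Dict[str, List[Rule]]:
    """Parse '[iptables] -A CHAIN [-s net] [-d net] [-i if] [-o if] -j TARGET'
    and '-N CHAIN' lines into a chain -> rules mapping."""
    chains: Dict[str, List[Rule]] = {}
    for line in text.splitlines():
        toks = shlex.split(line)
        if toks[:1] == ["iptables"]:
            toks = toks[1:]
        if not toks:
            continue
        if toks[0] == "-N":
            chains.setdefault(toks[1], [])
        elif toks[0] == "-A":
            opts = dict(zip(toks[2::2], toks[3::2]))
            chains.setdefault(toks[1], []).append(Rule(
                src=ipaddress.ip_network(opts["-s"]) if "-s" in opts else None,
                dst=ipaddress.ip_network(opts["-d"]) if "-d" in opts else None,
                in_if=opts.get("-i"),
                out_if=opts.get("-o"),
                target=opts["-j"],
            ))
    return chains


def matches(rule: Rule, pkt: Packet) -> bool:
    return ((rule.src is None or ipaddress.ip_address(pkt.src) in rule.src)
            and (rule.dst is None or ipaddress.ip_address(pkt.dst) in rule.dst)
            and (rule.in_if is None or rule.in_if == pkt.in_if)
            and (rule.out_if is None or rule.out_if == pkt.out_if))


def walk(chains, chain: str, pkt: Packet) -> Optional[str]:
    """ACCEPT/DROP when a terminating target fires; None when the chain RETURNs
    or runs off its end, in which case the calling chain continues."""
    for rule in chains.get(chain, []):
        if not matches(rule, pkt):
            continue
        if rule.target in ("ACCEPT", "DROP", "REJECT"):
            return rule.target
        if rule.target == "RETURN":
            return None
        result = walk(chains, rule.target, pkt)  # jump into a user-defined chain
        if result is not None:
            return result
    return None


def verdict(chains, pkt: Packet, policy: str = "ACCEPT") -> str:
    """Forwarded packets traverse FORWARD; packets for the host itself traverse
    INPUT, so rules hooked only into FORWARD never see them. The built-in chains
    in the dump have policy ACCEPT, which applies when nothing terminates."""
    hook = "INPUT" if pkt.out_if is None else "FORWARD"
    return walk(chains, hook, pkt) or policy


# Rules generated by "Local tunnel firewall", quoted from the post above.
ORIGINAL_RULES = """
-A FORWARD -j WIREGUARD
-A WIREGUARD -o br0 -j WIREGUARD_DROP_WG0
-A WIREGUARD_DROP_WG0 -s 10.253.0.0/24 -d 10.0.0.11/32 -j ACCEPT
-A WIREGUARD_DROP_WG0 -s 10.253.0.0/24 -j DROP
-A WIREGUARD_DROP_WG0 -j RETURN
"""

# The INPUT-chain addition from the follow-up post.
INPUT_FIX = """
iptables -N WIREGUARD_INPUT
iptables -N WIREGUARD_DROP_WG0_INPUT
iptables -A INPUT -j WIREGUARD_INPUT
iptables -A WIREGUARD_INPUT -i wg0 -j WIREGUARD_DROP_WG0_INPUT
iptables -A WIREGUARD_DROP_WG0_INPUT -s 10.253.0.0/24 -d 10.0.0.11/32 -j ACCEPT
iptables -A WIREGUARD_DROP_WG0_INPUT -s 10.253.0.0/24 -j DROP
iptables -A WIREGUARD_DROP_WG0_INPUT -j RETURN
"""


def verdicts(rules_text: str, peer: str = "10.253.0.2") -> Dict[str, str]:
    """Peer 10.253.0.2 and LAN host 10.0.0.12 are assumed; the others are from the post."""
    chains = parse_rules(rules_text)
    return {
        "allowed_lan_host": verdict(chains, Packet(peer, "10.0.0.11", "wg0", "br0")),
        "other_lan_host": verdict(chains, Packet(peer, "10.0.0.12", "wg0", "br0")),
        "unraid_itself": verdict(chains, Packet(peer, "10.0.0.10", "wg0", None)),
    }


if __name__ == "__main__":
    print("FORWARD-only rules:", verdicts(ORIGINAL_RULES))
    print("with INPUT fix:    ", verdicts(ORIGINAL_RULES + INPUT_FIX))
```

Running it shows the peer reaching 10.0.0.11 and being dropped for 10.0.0.12 under both rule sets, while 10.0.0.10 is accepted by INPUT's default policy until the INPUT rules are added. Note that in the INPUT chain the `-d 10.0.0.11/32` ACCEPT can never match a packet addressed to the host at 10.0.0.10, so the practical effect of the fix is to drop all tunnel-pool traffic to the server itself, which is what was wanted here; the WireGuard handshake is unaffected because it arrives as UDP on the physical interface, not on wg0.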
