WireGuard quickstart


I have an issue with my laptop similar to some people here, with no solution. Maybe I missed it, but here it is:

In the config for "remote tunneled access" I can access everything using my Android phone: Internet & LAN. While on the same connection, my laptop, with exactly the same VPN settings, does not connect to the LAN. I downloaded the same profile that I created for the phone, and on the laptop it still does not access the LAN.

If I create a new profile in the WireGuard config as "LAN access" and use that on the laptop, I can access the Unraid tower from the browser, but still no network drives are visible.

So my deduction is that something is fishy with the laptop, since the laptop is the only thing that's different. Either laptop settings or something about the VPN client app. If someone could shed some light, it would be awesome.


Hello. I hope someone can give me a piece of routing wisdom.

What I have now

Router with a static IP and the WireGuard port forwarded to the Unraid server.

Docker containers can access a commercial VPN service via a dedicated privoxy container.

Use case

I connect with my laptop from afar and have access to my docker containers, LAN and internet via the router connection.

What I want to achieve

I connect with my laptop from afar and have access to docker containers, LAN and internet via the commercial VPN service.

It would be great to route the dockers via the same VPN.

As far as I understand, I am trying to build a chained VPN, but I can not find any manuals on this issue.

I'd be extremely happy if someone could explain to me how to achieve it or offer a better setup.
On 4/22/2022 at 12:20 PM, ljm42 said:

For security, WireGuard fails silently, so there isn't much to go on if it doesn't work. All I can suggest is to go through the first two posts again. It really does work :)

Are these the correct settings on the Android phone?

File: peer-Tower-wg0-1.conf

[Interface]
#MyAndroid
PrivateKey=xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx=
Address=10.253.0.2/32

[Peer]
#MyHome VPN
PresharedKey=xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx=
PublicKey=xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx=
Endpoint=xxxxxxxxxxxx.duckdns.org:51820
AllowedIPs=10.253.0.1/32, 192.168.9.0/24

Note: I masked out the keys and dynamic DNS address.
11 hours ago, JetRun15 said:

So I have followed the setup here (https://www.youtube.com/watch?v=HIJiYuPDzKs&t=5s) and in the past this worked. However, I wanted to change my DNS name and started from scratch again. However, when I follow the video I can never get the eye icon to work. Is there a reason for this? I have followed the basic stuff such as ensuring the port is being forwarded, bridging is enabled, etc.

Have you pressed the "apply" button at the bottom of the VPN manager screen?
On 6/4/2022 at 2:37 PM, EG-Thundy said:

I have an issue with my laptop similar to some people here, with no solution. Maybe I missed it, but here it is:

In the config for "remote tunneled access" I can access everything using my Android phone: Internet & LAN. While on the same connection, my laptop, with exactly the same VPN settings, does not connect to the LAN. I downloaded the same profile that I created for the phone, and on the laptop it still does not access the LAN.

If I create a new profile in the WireGuard config as "LAN access" and use that on the laptop, I can access the Unraid tower from the browser, but still no network drives are visible.

So my deduction is that something is fishy with the laptop, since the laptop is the only thing that's different. Either laptop settings or something about the VPN client app. If someone could shed some light, it would be awesome.

An update on my issue... This seems to be an issue with Windows 11 only. The same config works on Win 10. That raises the question whether Win 11 has some setting that is causing this, because Win 10 is just plug and play for me.

What I've tried:

- Set inbound/outbound rules for the firewall
- Turned Windows Firewall on/off
- Set the network adapter to private
- Used TunSafe to see if it was WireGuard-app related
- Used "secpol" and adjusted the settings there too

Is there any potential setting that I'm missing?

My plan is to use an Ubuntu Server 20.04 VPS as a reverse proxy for various game servers/Plex and other stuff to mask my IP. What I gathered on reddit and other forums is that it is definitely possible by setting up WireGuard on Unraid and the VPS as LAN-to-LAN. So far I have everything set up and the VPS is able to ping my server, but ONLY my server. No Docker with a custom IP or any other device in my network. (Host access is enabled.)

I think the problem is caused by the static routing tables. Or, to be more precise, by the VPS, which has no private IP address, like none at all. It has a public one, which is configured as the "private" IP of the network interface (a 93.xxx address is in no private range), and that's it (see the output below for reference).

Do I really need LAN-to-LAN access, or is Remote Access to LAN enough to host a reverse proxy on a VPS? And if LAN-to-LAN is the real deal, is the routing really the culprit, or am I missing something?

Any help would be appreciated; I have already wasted 8 hours on research.

ifconfig -a
ens192: flags=4163<UP,BROADCAST,RUNNING,MULTICAST>  mtu 1500
        inet 93.90.xxx.xxx  netmask 255.255.255.255  broadcast 93.90.xxx.xxx
        inet6 fe80::250:xxxx:xxxx:xxxx  prefixlen 64  scopeid 0x20<link>
        ether 00:50:mm:mm:mm:mm  txqueuelen 1000  (Ethernet)
        RX packets 23690  bytes 3395454 (3.3 MB)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 20433  bytes 3698928 (3.6 MB)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0

lo: flags=73<UP,LOOPBACK,RUNNING>  mtu 65536
        inet 127.0.0.1  netmask 255.0.0.0
        inet6 ::1  prefixlen 128  scopeid 0x10<host>
        loop  txqueuelen 1000  (Local Loopback)
        RX packets 120  bytes 9704 (9.7 KB)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 120  bytes 9704 (9.7 KB)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0

Just as a heads up, in case someone else wanted to try something like me:

It's partially working now. Everything is reachable and routable through a LAN-to-LAN connection from my Unraid server to the VPS and vice versa, except for devices in my LAN like my own PC etc. This is due to the VPS having only a private IPv6 address, which is disabled in my router for various reasons, and which therefore makes it impossible to route the traffic of other network devices correctly.

I have connected an Ubuntu Server 20.04 VPS with a LAN-to-LAN connection in WireGuard to my Unraid server. The VPS is reverse-proxying various game servers and Plex via iptables. So now you can connect to the game servers/Plex via the public IP of the VPS and port x. The only problem is that in Plex and the game server Dockers each client now gets the same IP: the address of the WireGuard tunnel.

So now the question is whether there is a way to pass the IP of the connecting client (for example a Plex app with the IP 12.34.56.78) to the Unraid machine through the WireGuard tunnel, so that Plex can differentiate between clients.

Hoping someone can help. I am able to access my server remotely via WireGuard. However, I cannot access any other asset on the network (i.e., Home Assistant on a VM/another IP). Additionally, I cannot access the internet. Below is my configuration in VM Manager. Any insight would be greatly appreciated.

Edited by BigMal

Hi, I tried to search but could not find a solution. I have a WireGuard server running on my Unraid server and I have set up several "Remote tunneled access" peers. How can I achieve the following:

  • The remote peers need to connect to the Internet via my external network connection. This works currently.
  • The remote peers need to be restricted to only a certain IP and port on the Unraid server (one docker image running on my Unraid server). That is, I do not want them to be able to access the rest of my LAN or the Unraid server services.

How can the above restriction be achieved? Is there a setting in the WireGuard peer config to achieve this, or could it be done with some iptables magic on the Unraid server?

Thank you very much for any help!
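A worked example of the "iptables magic" asked about above, added here as an illustration and not code from any post in this thread or from Unraid itself. AllowedIPs on the peer side only controls what the client routes into the tunnel, and the client can edit it, so a restriction has to be enforced on the server. The helper below builds a dedicated iptables chain for the WireGuard interface that lets forwarded traffic from the peers reach one LAN host and port plus the internet, drops everything else aimed at the LAN or at other peers, and closes off the Unraid host itself through INPUT; a small evaluator then shows which packets the chain would pass, so the rule order can be checked before anything is applied. The interface name wg0, the tunnel subnet 10.253.0.0/24, the LAN 192.168.1.0/24 and the permitted container at 192.168.1.10 tcp/8080 are all assumptions. The "Local server uses NAT" option already masquerades internet-bound traffic, so no nat rule is added.

```python
"""Added example (not from the thread or from Unraid): confine WireGuard peers
to a single LAN service with iptables, and simulate the resulting policy.

Assumed values, adjust to your own setup:
  wg0            WireGuard interface on the Unraid box
  10.253.0.0/24  tunnel subnet handed out to the peers
  192.168.1.0/24 the LAN behind Unraid
  192.168.1.10   the one container the peers may reach, on tcp/8080
"""
import ipaddress
import shlex
import subprocess

CHAIN = "WG_RESTRICT"


def wg_restrict_rules(tunnel_net="10.253.0.0/24", lan_net="192.168.1.0/24",
                      service_ip="192.168.1.10", service_port=8080):
    """Ordered rules for the custom chain; the first match decides."""
    return [
        # Replies to connections the peer opened are always allowed back.
        {"state": "ESTABLISHED,RELATED", "target": "ACCEPT"},
        # The single permitted LAN service.
        {"src": tunnel_net, "dst": service_ip, "proto": "tcp",
         "dport": service_port, "target": "ACCEPT"},
        # Everything else on the LAN, and other peers in the tunnel, is denied.
        {"dst": lan_net, "target": "DROP"},
        {"dst": tunnel_net, "target": "DROP"},
        # What remains is internet-bound traffic: let it through.
        {"src": tunnel_net, "target": "ACCEPT"},
        # Anything not sourced from the tunnel subnet is unexpected on wg0.
        {"target": "DROP"},
    ]


def render(rules, wg_if="wg0", chain=CHAIN):
    """Translate the rules into iptables command lines (strings)."""
    cmds = [
        # -N fails if the chain already exists; flush it with -F on re-runs.
        f"iptables -N {chain}",
        # Insert at position 1 so Docker's own FORWARD rules cannot accept first.
        f"iptables -I FORWARD 1 -i {wg_if} -j {chain}",
    ]
    for r in rules:
        parts = ["iptables", "-A", chain]
        if "state" in r:
            parts += ["-m", "conntrack", "--ctstate", r["state"]]
        if "src" in r:
            parts += ["-s", r["src"]]
        if "dst" in r:
            parts += ["-d", r["dst"]]
        if "proto" in r:
            parts += ["-p", r["proto"]]
        if "dport" in r:
            parts += ["--dport", str(r["dport"])]
        parts += ["-j", r["target"]]
        cmds.append(" ".join(parts))
    # Traffic addressed to the Unraid host itself passes INPUT, not FORWARD.
    # If the peers use Unraid as their DNS resolver, allow udp/53 before the DROP.
    cmds += [
        f"iptables -I INPUT 1 -i {wg_if} -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT",
        f"iptables -I INPUT 2 -i {wg_if} -j DROP",
    ]
    return cmds


def evaluate(rules, src, dst, proto="tcp", dport=None, established=False):
    """Return the verdict the chain gives a packet (first matching rule wins)."""
    src_ip, dst_ip = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for r in rules:
        if "state" in r and not established:
            continue
        if "src" in r and src_ip not in ipaddress.ip_network(r["src"], strict=False):
            continue
        if "dst" in r and dst_ip not in ipaddress.ip_network(r["dst"], strict=False):
            continue
        if "proto" in r and r["proto"] != proto:
            continue
        if "dport" in r and r["dport"] != dport:
            continue
        return r["target"]
    return "POLICY"  # fell off the chain; the FORWARD policy decides


def apply(cmds, dry_run=True):
    """Print the commands, or run them (requires root) when dry_run is False."""
    for cmd in cmds:
        if dry_run:
            print(cmd)
        else:
            subprocess.run(shlex.split(cmd), check=True)


if __name__ == "__main__":
    rules = wg_restrict_rules()
    apply(render(rules))
    for dst, port in (("192.168.1.10", 8080), ("192.168.1.20", 8080), ("1.1.1.1", 443)):
        print(dst, port, "->", evaluate(rules, "10.253.0.2", dst, "tcp", port))
```

Run as-is it only prints the rules and three sample verdicts; the rendered lines are what you would put behind Unraid's existing PostUp entries (with matching `-D`/`-X` lines in PostDown so the chain is torn down with the tunnel). Running `apply(..., dry_run=False)` executes them with the current privileges.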

I was having the same issue: I could ping the peer and could connect to the Unraid server, but couldn't reach the internet or the local network.

I disabled "Local server uses NAT" and manually set a static route, and everything now works.

Edited by Besh
On 7/8/2022 at 1:28 AM, Besh said:

I was having the same issue: I could ping the peer and could connect to the Unraid server, but couldn't reach the internet or the local network.

I disabled "Local server uses NAT" and manually set a static route, and everything now works.

Mate, you're a lifesaver, thanks for this! Solved my Unraid-access-but-no-internet issue :)

Hi everyone, I've just set up WireGuard and everything is working well, except I have an issue with a couple of specific docker containers where I route traffic via other containers.

I have a couple of instances of this setup, but I've provided one example in the screenshot: essentially the tvheadend container's network is set to none, with the parameter "--net=container:vpn-australia" to use the network of the vpn-australia container; the vpn-australia container is just OpenVPN using PIA to connect to their Australian server.

While connected to WireGuard on my phone I'm able to access all my other containers, and I'm even able to access the vpn-australia container, but I cannot access the tvheadend container.

Has anyone had a similar situation they've come up with a solution for?

Any help would be great. Thanks!

Edited by Trozmagon

Hopefully someone can help me out here.

I have been trying to minimize all my writes to my cache drive. I have uninstalled WireGuard completely, but there seems to be an 'appdata/wireguard' folder that copies everything from appdata (both mnt/cache and mnt/user) into it (every hour or so, it looks like). This is killing my write endurance on my drive, and I can't find where to stop Unraid from doing this.

I am sure that I am doing something completely stupid and there is an easy fix, but after some hours of troubleshooting I'd rather ask here for a change:

So, I am trying to set up a site-to-site VPN with Unraid. And for some reason it works only from and to the servers but not beyond; it could be a routing issue, could be a firewall, but I don't get what exactly is blocking what.

To make it quick:

Network 1: 192.168.0.0/24, Network 2: 192.168.1.0/24

Unraid 1: 192.168.0.2, Unraid 2: 192.168.1.2

So what works is:

Connecting from one Unraid server to the other Unraid server and vice versa

Connecting and pinging from the Unraid 2 server to any client on network 1

Connecting and pinging from the Unraid 1 server to any client on network 2

Connecting and pinging from any client on network 1 to Unraid 2

Pinging the tunnel address of Unraid 1 from any client on network 2

Pinging the tunnel address of Unraid 2 from any client on network 1

What doesn't work:

Pinging from any client other than Unraid 2 on network 2 to anything on network 1

Pinging from any client on network 1 to any client on network 2 other than Unraid 2

So I hope it is understandable. Basically I cannot get to network 1 from network 2 beyond Unraid 2, as if the server is blocking it somehow.

I have set up routing and the rest exactly like in the tutorial. Any ideas?
On 6/9/2022 at 3:36 PM, shchui said:

Have you pressed the "apply" button at the bottom of the VPN manager screen?

So I actually figured it out but forgot to update all these months later. It turns out that somehow, when I removed WireGuard, there were still remnants of the files from my old configuration there. When I used Krusader to remove the WireGuard configuration files, I was able to create a new one and the eye came back for me to use. Not sure if this will help others or if this is a one-off for me.
On 7/17/2022 at 7:30 PM, Wheels35 said:

Hopefully someone can help me out here.

I have been trying to minimize all my writes to my cache drive. I have uninstalled WireGuard completely, but there seems to be an 'appdata/wireguard' folder that copies everything from appdata (both mnt/cache and mnt/user) into it (every hour or so, it looks like). This is killing my write endurance on my drive, and I can't find where to stop Unraid from doing this.

The built-in WireGuard implementation does not store anything in appdata. Maybe you have a WireGuard docker? I'd recommend asking in that docker's support thread. If you can't find that, ask in General Support. Be sure to upload your diagnostics (from Tools -> Diagnostics).
17 hours ago, ljm42 said:

This is one of the more complex things to do and it sounds like you got pretty far, nice!

In the OP there is a link to this post, have you seen it?

https://forums.unraid.net/topic/88906-lan-to-lan-wireguard/

Yeah, I have followed pretty much this guide.

At the moment I have an IPsec site-to-site VPN running between these sites, but I am hoping for better performance when using WireGuard (IPsec maxes out at about 35 Mbit/s on this particular hardware).

Of course I have shut down the IPsec VPN before setting up the WireGuard VPN to avoid problems between them. It was quite the ride, as I was using jump hosts on either site to have access to the configurations. As I said, I am not sure if the issue lies with Unraid or with the routers themselves. If it helps, here are the configs (redacted a bit)...

Config on unraid 1:

[Interface]
#Site2Site
PrivateKey=redacted
Address=10.253.0.1
ListenPort=51821
PostUp=logger -t wireguard 'Tunnel WireGuard-wg0 started'
PostUp=iptables -t nat -A POSTROUTING -s 10.253.0.0/24 -o br0 -j MASQUERADE
PostDown=logger -t wireguard 'Tunnel WireGuard-wg0 stopped'
PostDown=iptables -t nat -D POSTROUTING -s 10.253.0.0/24 -o br0 -j MASQUERADE
PostUp=ip -4 route flush table 200
PostUp=ip -4 route add default via 10.253.0.1 table 200
PostUp=ip -4 route add 192.168.0.0/24 via 192.168.0.1 table 200
PostDown=ip -4 route flush table 200
PostDown=ip -4 route add unreachable default table 200
PostDown=ip -4 route add 192.168.0.0/24 via 192.168.0.1 table 200

[Peer]
#Unraid2
PublicKey=redacted
PresharedKey=redacted
Endpoint=redacted.tld:51822
AllowedIPs=10.253.0.0/24, 192.168.1.0/24

Config on unraid 2:

[Interface]
#Site2Site
PrivateKey=redacted
Address=10.253.0.2
ListenPort=51822
PostUp=logger -t wireguard 'Tunnel WireGuard-wg0 started'
PostUp=iptables -t nat -A POSTROUTING -s 10.253.0.0/24 -o br0 -j MASQUERADE
PostDown=logger -t wireguard 'Tunnel WireGuard-wg0 stopped'
PostDown=iptables -t nat -D POSTROUTING -s 10.253.0.0/24 -o br0 -j MASQUERADE
PostUp=ip -4 route flush table 200
PostUp=ip -4 route add default via 10.253.0.2 table 200
PostUp=ip -4 route add 192.168.1.0/24 via 192.168.1.1 table 200
PostDown=ip -4 route flush table 200
PostDown=ip -4 route add unreachable default table 200
PostDown=ip -4 route add 192.168.1.0/24 via 192.168.1.1 table 200

[Peer]
#Unraid 1
PublicKey=redacted
PresharedKey=redacted
Endpoint=redacted.tld:51821
AllowedIPs=10.253.0.0/24, 192.168.0.0/24

Thanks for any input!
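When two configs like the ones above are compared by eye it is easy to miss a mismatched port or an AllowedIPs entry that routes a site's own LAN into the tunnel. The script below is an added example, not code from this thread or from Unraid: it parses both WireGuard .conf files (Unraid's `Key=Value` style, `#` comments, repeated PostUp/PostDown lines) and cross-checks the settings a LAN-to-LAN link depends on: each side's AllowedIPs must cover the other side's tunnel address and LAN, must not overlap its own LAN, and the port each side dials must be the port the other side listens on. The sample configs are shortened copies of the two posted above (keys already redacted there); the LAN subnets are passed in separately because a .conf does not state them. The checks cover only the WireGuard half of a site-to-site setup; the static routes on each LAN's gateway for the remote LAN and the tunnel subnet live on the routers and are outside these files.

```python
"""Added example (not from the thread or from Unraid): parse two WireGuard
configs and cross-check the settings a LAN-to-LAN tunnel depends on."""
import ipaddress

# Shortened copies of the two configs posted in the thread (secrets redacted).
SITE1_CONF = """\
[Interface]
#Site2Site
PrivateKey=redacted
Address=10.253.0.1
ListenPort=51821
PostUp=ip -4 route flush table 200
PostUp=ip -4 route add default via 10.253.0.1 table 200

[Peer]
#Unraid2
PublicKey=redacted
PresharedKey=redacted
Endpoint=redacted.tld:51822
AllowedIPs=10.253.0.0/24, 192.168.1.0/24
"""

SITE2_CONF = """\
[Interface]
#Site2Site
PrivateKey=redacted
Address=10.253.0.2
ListenPort=51822

[Peer]
#Unraid 1
PublicKey=redacted
PresharedKey=redacted
Endpoint=redacted.tld:51821
AllowedIPs=10.253.0.0/24, 192.168.0.0/24
"""


def parse_wg_conf(text):
    """Return {"Interface": {key: [values]}, "Peers": [{key: [values]}, ...]}.
    Values are lists because PostUp/PostDown (and AllowedIPs) may repeat."""
    conf = {"Interface": {}, "Peers": []}
    section = None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments like #Site2Site
        if not line:
            continue
        if line.startswith("[") and line.endswith("]"):
            name = line[1:-1].strip()
            if name == "Interface":
                section = conf["Interface"]
            elif name == "Peer":
                section = {}
                conf["Peers"].append(section)
            else:
                raise ValueError(f"unknown section {name!r}")
            continue
        if section is None or "=" not in line:
            raise ValueError(f"malformed line {raw!r}")
        key, value = (part.strip() for part in line.split("=", 1))
        section.setdefault(key, []).append(value)
    return conf


def _allowed_networks(peer):
    """AllowedIPs may be one comma-separated line or several lines."""
    nets = []
    for value in peer.get("AllowedIPs", []):
        nets += [ipaddress.ip_network(p.strip(), strict=False)
                 for p in value.split(",") if p.strip()]
    return nets


def check_site_to_site(conf_a, conf_b, lan_a, lan_b, name_a="unraid 1", name_b="unraid 2"):
    """Cross-check both ends; returns a list of findings (empty when consistent)."""
    sites = ((parse_wg_conf(conf_a), name_a, ipaddress.ip_network(lan_a)),
             (parse_wg_conf(conf_b), name_b, ipaddress.ip_network(lan_b)))
    findings = []
    for (this, this_name, this_lan), (other, other_name, other_lan) in (sites, sites[::-1]):
        if len(other["Peers"]) != 1:
            findings.append(f"{other_name}: expected exactly one [Peer] for a site-to-site link")
            continue
        peer = other["Peers"][0]
        allowed = _allowed_networks(peer)
        this_addr = ipaddress.ip_interface(this["Interface"]["Address"][0]).ip
        # The remote end must route our tunnel address and our LAN into the tunnel...
        if not any(this_addr in n for n in allowed):
            findings.append(f"{other_name}: AllowedIPs misses {this_name}'s tunnel address {this_addr}")
        if not any(this_lan.subnet_of(n) for n in allowed):
            findings.append(f"{other_name}: AllowedIPs misses {this_name}'s LAN {this_lan}")
        # ...but must not send its own LAN into the tunnel, which would blackhole it.
        if any(n.overlaps(other_lan) for n in allowed):
            findings.append(f"{other_name}: AllowedIPs overlaps its own LAN {other_lan}")
        # The port each side dials must be the port the other side listens on.
        endpoint = peer.get("Endpoint", [""])[0]
        listen = this["Interface"].get("ListenPort", [""])[0]
        if endpoint and listen and endpoint.rsplit(":", 1)[-1] != listen:
            findings.append(f"{other_name}: Endpoint port {endpoint.rsplit(':', 1)[-1]} "
                            f"!= {this_name} ListenPort {listen}")
    return findings


if __name__ == "__main__":
    result = check_site_to_site(SITE1_CONF, SITE2_CONF, "192.168.0.0/24", "192.168.1.0/24")
    print("\n".join(result or ["configs are consistent"]))
```

On the two configs as posted the checker reports nothing, which is consistent with the symptoms in the post: both servers reach each other and the far LAN, so the tunnel itself is fine and the remaining suspects are outside the .conf files.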

Hi,

Is there a script that I can use to start WireGuard? I'm having an issue where a VPN tunnel will become inactive for an unknown reason. As this is only a backup server for offsite storage, I want to run a script once or twice a day to make sure that the tunnel is enabled so that the data transfer will work correctly. I am using a 600-second keepalive time, and that has helped 2 other sites that I have, but this site is my main site for backups. Any help would be much appreciated.
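A tunnel watchdog of the kind asked about above, added here as an example and not code from this thread or from Unraid. `wg show <iface> latest-handshakes` prints one line per peer, the peer's public key, a tab, and the Unix time of its last handshake (0 when there has never been one); with a keepalive configured, a healthy peer re-handshakes regularly, so a last handshake older than a few multiples of the keepalive interval means the tunnel is dead even though the interface still exists. The script parses that output, decides whether every peer is stale, and only then restarts the interface. The sample output is constructed (the keys are fake), and the restart command `wg-quick down/up` is an assumption: substitute whatever brings the tunnel up on your system. It is meant to be run from cron or the User Scripts plugin.

```python
"""Added example (not from the thread or from Unraid): restart a WireGuard
tunnel when no peer has handshaked recently.

Assumptions: the interface is wg0, `wg show wg0 latest-handshakes` is
available, and `wg-quick down/up wg0` is the right way to restart it."""
import subprocess
import time

# Constructed sample output of `wg show wg0 latest-handshakes` (fake keys).
SAMPLE_OUTPUT = (
    "PEERKEY1111111111111111111111111111111111111=\t1660000000\n"
    "PEERKEY2222222222222222222222222222222222222=\t0\n"
)


def parse_handshakes(output):
    """Map peer public key -> Unix time of its last handshake (0 = never)."""
    result = {}
    for line in output.splitlines():
        if not line.strip():
            continue
        key, ts = line.split("\t")
        result[key] = int(ts)
    return result


def stale_peers(handshakes, now, max_age):
    """Peers whose last handshake is older than max_age seconds, or absent."""
    return sorted(k for k, ts in handshakes.items() if ts == 0 or now - ts > max_age)


def tunnel_needs_restart(output, now=None, max_age=1800):
    """True when every peer is stale. One live peer means the interface works
    and a restart would only interrupt it. No peers at all: nothing to do."""
    now = time.time() if now is None else now
    handshakes = parse_handshakes(output)
    return bool(handshakes) and len(stale_peers(handshakes, now, max_age)) == len(handshakes)


def watchdog(iface="wg0", max_age=1800, dry_run=True):
    """Check the tunnel and restart it if needed; returns True if a restart was due.
    max_age of 1800 s is three times the 600 s keepalive used in the post above."""
    try:
        out = subprocess.run(["wg", "show", iface, "latest-handshakes"],
                             capture_output=True, text=True, check=True).stdout
    except subprocess.CalledProcessError:
        out = None  # interface missing entirely: treat as down
    if out is not None and not tunnel_needs_restart(out, max_age=max_age):
        return False
    for cmd in (["wg-quick", "down", iface], ["wg-quick", "up", iface]):
        if dry_run:
            print("would run:", " ".join(cmd))
        else:
            subprocess.run(cmd, check=True)  # assumption: wg-quick manages wg0
    return True


if __name__ == "__main__":
    now = 1660001000  # constructed "current" time for the sample output
    print("stale:", stale_peers(parse_handshakes(SAMPLE_OUTPUT), now, 600))
    print("restart needed:", tunnel_needs_restart(SAMPLE_OUTPUT, now=now, max_age=600))
```

Running the file prints the decision for the constructed sample; `watchdog(dry_run=False)` is the call to schedule, and it needs the privileges to run `wg` and restart the interface.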

I followed this guide and got the basic connection working, but I am having issues with accessing dockers and VMs with custom IPs.
My "Use NAT" is set to "No"
"Host access to custom networks" is enabled
I have a static route set up in my router
"Enable bridging" is set to "Yes" in my network settings

I have 2 peers, a "Remote tunneled access" and a "Remote access to LAN". Both can connect and handshake with no problems. I can access the Unraid webUI, but neither allows me to access anything outside of the Unraid server's IP. I can access my dockers that are on br0, but nothing that uses a custom IP, nor any of my VMs or other devices on my server's LAN.

Any ideas would be welcome; I have been pulling my hair out for a few days trying to figure this out. I can post images or anything to give more context if needed.
