WireGuard quickstart



Everything was going great until it wasn't...

 

Hoping someone might have some insights – did a lot of Googling, but have hit a wall.

 

Issue: After many months of smooth sailing, I can no longer access the web when connected to WireGuard; I only have access to the LAN (Unraid Dashboard plus dockers, even those on their own IPs).

 

Desired behaviour: I want to route my mobile traffic through Unraid and my pi-hole when remote, like I had it going before, via Remote tunneled access.

  • Everything was working fine for months, then it suddenly stopped working
  • Changes to the server prior to the issue:
    • Upgraded from Unraid Plus to Pro
    • Added new parity drives and disks
    • Changed docker network type from macvlan to ipvlan (tried changing back, doesn't seem to be the cause)
  • Handshake and ping successful
  • Wireguard is on a different network pool, as required
  • Unraid v6.10.3

I've tried rebooting Unraid, switching back to macvlan, re-configuring Wireguard from scratch, using 8.8.8.8 as DNS instead of the router's DNS. None of that worked. Port forwarding on the router is correct; as mentioned, I'm able to connect to the VPN, but then just can't access anything external.

 

Here's my config, for what it's worth:

 

[screenshot of the WireGuard configuration, not reproduced]
 

Edited by Refrigerator
Added a detail I missed.

Hi all, completely new to Unraid and WireGuard.

 

I've followed the steps on the first page, and when I try to connect through my phone (not on Wi-Fi), I get an error message saying

 

'Error brining up tunnel: VPN service not authorised by the user'

 

I'm trying to figure out what's wrong and how to enable the service on Unraid, with no luck at all.


Hi guys,

 

I need some help too, because I can't figure out what to do even after some hours of research.

 

Problem: I have been using WireGuard for some months and everything works fine, since everyone who connects via WireGuard is supposed to have complete access to the server's LAN. But on my server there is one docker container which I allow some friends to access. For that purpose, I used an OpenVPN container, since I was able to restrict the VPN access to just one specific container (within the OpenVPN config, I was able to restrict certain users to certain IP mappings within the server's docker network). Now the OpenVPN docker is EOL for Unraid and, coincidentally, my OpenVPN setup broke. My problem: how can I set this up via WireGuard in Unraid?

 

I do not want those people to access my whole server/LAN/... but only one specific docker container (the IP is only "fixed" by the boot sequence of the docker containers, not by assigning a fixed IP to the container itself).

 

Hopefully, someone has some tips for me :)

 

 

Edited by HojojojoWololo
Added info
On 8/23/2022 at 2:24 AM, Refrigerator said:

Everything was going great until it wasn't...

 


Hi, I'm having the same problem! Everything was working great until it didn't... And personally I did not change anything. So if anyone has an idea to fix this, I'll be down. Thanks a lot


Hey all,

Quick question for the "Local endpoint" option in the VPN Manager. In the blue help box the first line reads:

  "This field is automatically filled in with the public management domain name www.<hash>.myunraid.net or the public address of the server."

What is the public management domain name exactly? Is it referring to the address setup for Remote Access via the My Servers plugin?

 

If so, does this mean I can use www.<hash>.myunraid.net instead of a Dynamic DNS service to maintain access to my VPN, even if my public IP address changes?

 

Right now the box is populated by default with external-ip.<hash> and I'm unclear what exactly I have to enter in this box.

 

Cheers.


Hi there

 

I am a newbie, and maybe I just didn't understand the answer when I was fast-scrolling through the pages in search of an answer. My issue is the following:

I have a main server, on which WireGuard is correctly installed and running. Here is the setup (I don't know what is private and what isn't, so I just hid all the stuff that might be private):

[screenshot of the main server's WireGuard settings, not reproduced]

 

Now I have installed a second server, which will be on 24/7, and wanted to make sure WireGuard is also running on it, so I can get in through either of the servers (as the main one will be in sleep mode most of the time).

I've tried to install it and here are the settings:

[screenshot of the second server's WireGuard settings, not reproduced]

 

The only differences between these two servers are the UDP ports and the IP addresses of the servers themselves, which have to be set up in the router. The IPv4 and IPv6 addresses in these settings are the same on both servers (they were added automatically, I didn't change anything).

 

On the new server, I can't press the "Activate" switch. In addition, when I changed stuff on the peer (interface), I got the following message:

[screenshot of the error message, not reproduced]

 

Does anyone know what I am doing wrong?

When I don't add the peer, I am able to activate the tunnel, but as soon as I add a peer for remote tunneled access, I get the error message about updating the peer and it changes to "inactive".

 

Thanks a lot in advance!

Cheers

 

 

 

6 hours ago, Doublemyst said:

Now I have installed a second server,

 

On the first system - do the initial setup and add a peer for the second system and download the files

On the second system - import the files you downloaded

 

Whenever you make a change on the first system that results in a "Peer update required" message, you'll need to replicate those changes on the second system.

21 minutes ago, ljm42 said:

 

On the first system - do the initial setup and add a peer for the second system and download the files

On the second system - import the files you downloaded

 

Whenever you make a change on the first system that results in a "Peer update required" message, you'll need to replicate those changes on the second system.

Hi, thanks for the reply. Sorry, I'm a bit slow and don't fully understand it.

I have two servers A (main - will be mostly in sleep mode) and B (small one with low power consumption). My server A is fully functioning at the moment and I have connection to it via my mobile phone.

On the server B I have issues, as I can't add a new peer. I have setup a new port forward for the server B in my router (new port - different to the server A).

 

My idea is to have both servers give the possibility to remotely connect to them (mostly to server B and wake up server A, but sometimes vice versa, when I need to reboot server A or do some maintenance on it for some reason).

 

So when I add another peer to server A, I'll need to update server B, understood. But what kind of connection should I select when setting up the peer?

[screenshot of the "Peer type of connection" options, not reproduced]

 

Thanks again for your help!

 

Edited by Doublemyst
23 minutes ago, Doublemyst said:

Hi, thanks for the reply. Sorry, I'm a bit slow and don't fully understand it.

 

Don't feel bad, this is pretty advanced stuff. But I won't be able to give step-by-step instructions.

 

In general, I would say to set up two tunnels on each server, one for your phone/laptop/whatever and one for server-to-server communication. That will simplify things for you.

 

Over here I have a guide on setting up LAN to LAN between two servers:

  https://forums.unraid.net/topic/88906-lan-to-lan-wireguard/

might be more than you are looking for but it should help.

 

On 10/18/2022 at 9:34 AM, Firejack said:

Hey all,

Quick question for the "Local endpoint" option in the VPN Manager. In the blue help box the first line reads:

What is the public management domain name exactly? Is it referring to the address setup for Remote Access via the My Servers plugin?

 


Hmm, the help text is old. For better privacy we don't offer the www host on the myunraid.net domain.

 

You can use the URL that Unraid pre-fills, or you can use a URL provided by another DDNS provider (one option: search Community Applications for "duckdns").

 

13 hours ago, ljm42 said:

 

Hmm, the help text is old. For better privacy we don't offer the www host on the myunraid.net domain.

Thanks for the reply.

 

After updating unRAID to 6.11.1, in the VPN Manager unRAID still sets Local endpoint to external-ip.<hash>. I'm not sure I made it clear, but unRAID replaces external-ip with my router's IP; however, it isn't replacing <hash> with anything, like I guess it should?

 

I'll give it another try tomorrow. Maybe try a DDNS provider as you suggest.

 

EDIT: Tried all kinds of *.<hash>.myunraid.net combinations using the hash from the Management Access settings page without success. Using an external DDNS provider worked first time. So I'll stick to that. Thanks.

Edited by Firejack
Update

Hello! New user here, so forgive me for my lack of knowledge. I'm setting up my first UnRaid server and trying to get Wireguard working. Things appear to go smoothly until I try to add a peer to the tunnel. After that, the slider switched to inactive and will no longer stay active if switched.

 

EDIT: It seems I may be having the same issue as Doublemyst above, but with only a single server. I am running the latest UnRaid version and am using the built-in WireGuard. I'm trying to set up remote tunneled access for a couple of phones and a laptop, but I can't get past adding the first peer without the tunnel switching to and staying inactive. Was there a solution found for Doublemyst?

Edited by Ben24
Clarity of the issue
On 10/22/2022 at 10:03 AM, Ben24 said:

Hello! New user here, so forgive me for my lack of knowledge.  I'm setting up my first UnRaid server and trying to get Wireguard working.  Things appear to go smoothly until I try to add a peer to the tunnel.  After that, the slider switched to inactive and will no longer stay active if switched.

 


If you have Unraid 6.11.1 see https://forums.unraid.net/topic/129257-6111-vpn-tunnel-failing/page/2/#comment-1182737

 

 


I set up WireGuard and added a peer (Remote access to LAN). I can successfully reach all of the devices that are on the same network as my Unraid server. However, I cannot access any of my devices on my other networks. There are no firewall rules preventing traffic between my networks, and I confirmed via the terminal that the Unraid server itself can ping all of my other network devices.

 

Wireguard Configuration:

[screenshot of the WireGuard configuration, not reproduced]

 

My Unraid server is on 10.0.40.2. When connected via WireGuard I can reach all devices that are on the same network (e.g. 10.0.40.112), but I cannot reach devices on any of my other networks (e.g. 10.0.50.2).

 

Have I configured something wrong? The Unraid machine itself has access to all of those devices. Why can't I access them when connecting to the server via Wireguard?

On 10/11/2019 at 4:15 PM, ljm42 said:

If your "Peer type of connection" includes one of the LAN options but you can only access Unraid, go to Settings -> Network Settings and see whether "Enable bridging" is yes.  If bridging is disabled, you will not be able to access your LAN over WireGuard.

I am still having the issue where I can access the Unraid web UI but I cannot access the share, nor any other device on the network. I am using a MacBook Pro to connect to my VPN/server. Bridging is enabled on the server; however, this did not fix the issue. I have also updated the peer to make sure that the connection is set to "Remote access to LAN".


My previous setup of Pi-hole and WireGuard with remote tunneled access worked flawlessly, and I was able to access my Unraid server, dockers and the internet through the VPN. I have since updated to the latest Unraid server version 6.11.3 and my Pi-hole WireGuard setup does not connect to the internet anymore. The current setup is with "Use NAT" = No and "Host access to custom networks" = enabled, and a static route set up as outlined in this guide. I am sort of stumped because I don't know what settings have changed.

 

I currently have access to my unraid server and its dockers but no access to the internet. Pihole fixed IP is 192.168.0.10 and unraid server ip is 192.168.0.201. Below are my wireguard, TP-Link Router and pihole docker settings.

 

Wireguard:

[screenshot of the WireGuard settings, not reproduced]

TP-Link Router:

[screenshot of the TP-Link router settings, not reproduced]

Pihole:

[screenshot of the Pi-hole docker settings, not reproduced]


Firstly, thank you for your contribution to the Unraid built-in Wireguard VPN.

 

I have a question about "Peer type of access" in the built-in WireGuard.

I found that the "Remote access to server" type does not actually limit the peer from accessing other LAN addresses. According to my test, even if I select "Remote access to server", the peer can still change its allowed IPs to access my LAN. Then I checked the wg config file and there seems to be no restriction strategy to limit the peer.

 

This is my config (auto-generated by the Unraid Web UI):

 

[Interface]
# (section header added here; the paste in the post started at PrivateKey)
PrivateKey=XXXX
# (private key redacted by the poster)
Address=10.253.0.1
ListenPort=51820
PostUp=logger -t wireguard 'Tunnel WireGuard-wg0 started'
# source-NAT traffic from the tunnel subnet as it leaves the LAN bridge br0
PostUp=iptables -t nat -A POSTROUTING -s 10.253.0.0/24 -o br0 -j MASQUERADE
PostDown=logger -t wireguard 'Tunnel WireGuard-wg0 stopped'
PostDown=iptables -t nat -D POSTROUTING -s 10.253.0.0/24 -o br0 -j MASQUERADE
# policy-routing table 200: default route through the tunnel, LAN still via br0
PostUp=ip -4 route flush table 200
PostUp=ip -4 route add default via 10.253.0.1 dev wg0 table 200
PostUp=ip -4 route add 192.168.50.0/24 via 192.168.50.1 dev br0 table 200
# on shutdown, table 200 gets an unreachable default instead of the tunnel route
PostDown=ip -4 route flush table 200
PostDown=ip -4 route add unreachable default table 200
PostDown=ip -4 route add 192.168.50.0/24 via 192.168.50.1 dev br0 table 200
# [Peer] sections (one per peer, with its PublicKey and AllowedIPs) are not in the post;
# nothing above filters what a peer may reach once its packets are inside the tunnel

 

 

I also checked the routing table and iptables, and there seems to be no restriction strategy.

Is this a feature or a bug?

Though I do know how to restrict other peers from accessing my LAN by modifying iptables, I still hope that I can do this operation in the Web UI.

 

Unraid Version: 6.11.3 stable

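The config above shows the three server-side pieces a "remote tunneled access" peer depends on to reach the internet (the earlier "LAN works but no internet" posts all sit on this path): IPv4 forwarding, the MASQUERADE rule on br0 when "Use NAT" is on, and the default route in routing table 200. The shell functions below are an added example, not Unraid code and not from any post in this thread; they check captured output of those three things offline, so the checks can be run against text copied from the server. The interface names wg0 and br0, the tunnel subnet 10.253.0.0/24 and the table number 200 are taken from the config above; the sample captures are constructed for the example.

```shell
#!/bin/sh
# Added example (not Unraid code, not from any post in this thread).
# Offline checks for what a "remote tunneled access" peer needs on the server
# to reach the internet. Each check takes captured text:
#   FWD        contents of /proc/sys/net/ipv4/ip_forward
#   NAT_RULES  output of: iptables -t nat -S POSTROUTING
#   ROUTES     output of: ip -4 route show table 200
# Assumptions: interfaces wg0/br0, tunnel subnet 10.253.0.0/24 and table 200
# as in the config above; the sample captures below are constructed.

# check_ip_forward FWD -> ok|fail
check_ip_forward() {
    [ "$(printf '%s' "$1" | tr -d '[:space:]')" = "1" ] && echo ok || echo fail
}

# check_masquerade NAT_RULES TUNNEL_CIDR LAN_IFACE -> ok|fail
# Looks for the MASQUERADE rule that the generated PostUp line installs.
check_masquerade() {
    printf '%s\n' "$1" | grep -qF -- "-s $2 -o $3 -j MASQUERADE" && echo ok || echo fail
}

# check_tunnel_route ROUTES TUNNEL_ADDR -> ok|fail
# Table 200 must send default traffic through the tunnel address on wg0.
check_tunnel_route() {
    printf '%s\n' "$1" | grep -q "^default via $2 dev wg0" && echo ok || echo fail
}

# run_checks FWD NAT_RULES ROUTES TUNNEL_CIDR TUNNEL_ADDR LAN_IFACE USE_NAT
# Prints one line per check and finally "failures=N".
# With USE_NAT=no the MASQUERADE check is skipped: the LAN router then needs
# a static route for TUNNEL_CIDR pointing at the server instead.
run_checks() {
    n=0
    r=$(check_ip_forward "$1"); echo "ip_forward: $r"
    [ "$r" = ok ] || n=$((n + 1))
    if [ "$7" = yes ]; then
        r=$(check_masquerade "$2" "$4" "$6"); echo "masquerade on $6: $r"
        [ "$r" = ok ] || n=$((n + 1))
    else
        echo "masquerade: skipped (Use NAT = No, static route on the router required)"
    fi
    r=$(check_tunnel_route "$3" "$5"); echo "table 200 default via tunnel: $r"
    [ "$r" = ok ] || n=$((n + 1))
    echo "failures=$n"
}

# failure_count <same arguments as run_checks> -> just the number, for scripting
failure_count() {
    run_checks "$@" | sed -n 's/^failures=//p'
}

# Constructed sample captures: what a healthy server with NAT on would show
SAMPLE_NAT='-P POSTROUTING ACCEPT
-A POSTROUTING -s 10.253.0.0/24 -o br0 -j MASQUERADE'
SAMPLE_ROUTES='default via 10.253.0.1 dev wg0
192.168.50.0/24 via 192.168.50.1 dev br0'

# Demo run against the constructed captures
run_checks 1 "$SAMPLE_NAT" "$SAMPLE_ROUTES" 10.253.0.0/24 10.253.0.1 br0 yes
```

On a live box the three inputs are `cat /proc/sys/net/ipv4/ip_forward`, `iptables -t nat -S POSTROUTING` and `ip -4 route show table 200`; a check that fails after an upgrade or a docker network change points at the layer to look at before reconfiguring the tunnel from scratch.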
7 hours ago, ArthurYZY said:

I found that the "Remote access to server" type does not actually limit the peer from accessing other LAN addresses. According to my test, even if I select "Remote access to server", the peer can still change its allowed IPs to access my LAN. Then I checked the wg config file and there seems to be no restriction strategy to limit the peer.

"Remote access to server" is not enforced by the server. It is actually a WireGuard client setting where the client gets to choose whether to access the tunnel IP or the LAN IP.

 

You may want to turn on the help and check out the "Local tunnel firewall" option

6 hours ago, ljm42 said:

 

"Remote access to server" is not enforced by the server. It is actually a WireGuard client setting where the client gets to choose whether to access the tunnel IP or the LAN IP.

 

You may want to turn on the help and check out the "Local tunnel firewall" option

I got this. Thanks. 

"Remote access to server" just seems to help generate a well-defined peer config for sharing. For security, it is still necessary to set the blacklist or whitelist in the UI.

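The exchange above makes the point that "Remote access to server" is a client-side choice and that enforcement has to happen on the server (the "Local tunnel firewall" option in the UI, or iptables by hand). The following shell function is an added example, not Unraid code, not the implementation of that UI option and not from any post in this thread; it prints the FORWARD-chain rules that make a peer really server-only or LAN-only. It relies on a property of WireGuard itself: a packet arriving on wg0 with source address X can only have come from the peer whose AllowedIPs contain X, so a rule keyed on that source is trustworthy. The interface name wg0 and the /32 per-peer tunnel addresses follow the config posted earlier in the thread; the peer addresses used are constructed.

```shell
#!/bin/sh
# Added example (not Unraid code, not the "Local tunnel firewall" option's
# implementation, not from any post in this thread). Generates the server-side
# rules that enforce a peer's access level regardless of what the peer puts in
# its own AllowedIPs. Assumptions: tunnel interface wg0, peers on /32 tunnel
# addresses as in the config above; peer addresses below are constructed.

# peer_rules PEER_IP MODE [LAN_CIDR] [ACTION] -> iptables commands, one per line
#   MODE:   server    the peer may talk to the Unraid host only (nothing forwarded)
#           lan       the peer may also reach LAN_CIDR, but not the internet
#           tunneled  no extra rule; forwarding plus MASQUERADE already allow all
#   ACTION: -I (insert, default) or -D (delete the same rules again)
peer_rules() {
    peer="$1"; mode="$2"; lan="$3"; action="${4:--I}"
    case "$mode" in
        server)
            echo "iptables $action FORWARD -i wg0 -s $peer/32 -j DROP"
            ;;
        lan)
            [ -n "$lan" ] || { echo "lan mode needs LAN_CIDR" >&2; return 1; }
            # DROP is printed first: with -I each command lands at position 1,
            # so the ACCEPT ends up above the DROP when run in printed order.
            echo "iptables $action FORWARD -i wg0 -s $peer/32 -j DROP"
            echo "iptables $action FORWARD -i wg0 -s $peer/32 -d $lan -j ACCEPT"
            ;;
        tunneled)
            ;;
        *)
            echo "unknown mode: $mode" >&2
            return 1
            ;;
    esac
}

# peer_rules_count PEER_IP MODE [LAN_CIDR] -> number of rules that would be added
peer_rules_count() {
    peer_rules "$@" | grep -c .
}

# Demo: rules for two constructed peers. Pipe the output into sh to apply them;
# run again with -D as the fourth argument to remove them.
peer_rules 10.253.0.2 server
peer_rules 10.253.0.3 lan 192.168.50.0/24
```

The DROP sits in FORWARD, so it takes effect before the POSTROUTING MASQUERADE rule from the generated config sees the packet; traffic to the host itself still goes through INPUT and is unaffected, which is exactly the "server only" behaviour the UI label suggests. Rules added this way do not survive a reboot unless they are put somewhere that runs at tunnel start (a PostUp line, for instance).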

Hi, I'm using WireGuard with Remote tunneled access. I can reach everything in my network except all dockers or VMs, even though they have a separate IP. Any ideas how to change this?

 

My Router: 192.168.1.1 (reachable via vpn)

Unraid: 192.168.1.200 (reachable via vpn)

 

e.g. AdGuard Docker: 192.168.1.202 (NOT reachable via vpn)

 

 

[screenshot of the WireGuard settings, not reproduced]

12 hours ago, ymurawski said:

Hi, I'm using WireGuard with Remote tunneled access. I can reach everything in my network except all dockers or VMs, even though they have a separate IP. Any ideas how to change this?

 

Re-read the first two posts, in particular the section titled "Complex networks"
