WireGuard quickstart



14 minutes ago, adminmat said:

Anyone successfully set up a Raspberry Pi WireGuard Peer? I

You are trying to set up a Raspberry Pi as a client (peer) from which to access unRAID server via WireGuard? Perhaps this tutorial will help?

 

I have WireGuard running on a Raspberry Pi from which I generated client (peer) profiles to access my LAN remotely from a phone or laptop if unRAID/WireGuard are down.  I also have Pi-Hole running on the same Raspberry Pi.  I used this guide and yes, it starts with imaging a Micro SD card for installing WireGuard but I was able to install Pi-Hole after that.

 

 

Link to comment

The answer to this question may be buried somewhere in previous pages.  But I have spent some time trying to figure out why I can’t use WireGuard anymore just because I have changed out my router.  It was set up and working for the last couple years, and now that I have changed router I can’t seem to remotely connect to it anymore.  I have asked a few friends who I have created peers for to see if they can connect to it and same thing.  No connection.  I can’t even ping them once they have it set up and active on their device.  Could there be something so small I’m forgetting to do?

 

I’m still running Unraid 6.9.2 which I doubt is the reason it isn’t working.  After I set up port forwarding on new router I rebooted router to make sure changes took effect.  I put in my subdomain from Duck DNS instead of the endpoint IP to try and get it to connect.  I put my ISP IP as the local endpoint and nothing.  I did read something somewhere that if router has UPnP then Unraid would detect that, but mine is on and server didn’t detect it.

 

Any ideas would be greatly appreciated.  

 

Thanks

Link to comment
16 hours ago, chris111486 said:

The answer to this question may be buried somewhere in previous pages.  But I have spent some time trying to figure out why I can’t use WireGuard anymore just because I have changed out my router.  It was set up and working for the last couple years, and now that I have changed router I can’t seem to remotely connect to it anymore.  I have asked a few friends who I have created peers for to see if they can connect to it and same thing.  No connection.  I can’t even ping them once they have it set up and active on their device.  Could there be something so small I’m forgetting to do?

 

I’m still running Unraid 6.9.2 which I doubt is the reason it isn’t working.  After I set up port forwarding on new router I rebooted router to make sure changes took effect.  I put in my subdomain from Duck DNS instead of the endpoint IP to try and get it to connect.  I put my ISP IP as the local endpoint and nothing.  I did read something somewhere that if router has UPnP then Unraid would detect that, but mine is on and server didn’t detect it.

 

Swapping out your router should be fine, seems like there must be an issue with your port forward. It is difficult to troubleshoot WireGuard because it fails silently. All I can suggest is to read the first two posts in this thread carefully, particularly the part about forwarding a UDP port and not a TCP port.

 

If WireGuard on 6.9.2 was working previously you should be able to get it working again. But note that it is rather old code at this point, and no fixes are available for this version. I recommend you look into upgrading to the current version of Unraid.

Link to comment
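A way to make the silent failure described in the post above visible on the server side, as an added example that is not part of the original thread: it reads the output of `wg show <interface> dump` and lists peers that have never completed a handshake or whose last handshake is old, which is consistent with the forwarded UDP port not reaching the server. The interface name `wg0`, the 180-second threshold and the sample data are assumptions.

```shell
#!/bin/sh
# Added example: list WireGuard peers whose last handshake is missing or stale.
# Input is the tab-separated output of `wg show <interface> dump`:
#   line 1 (interface): private-key, public-key, listen-port, fwmark
#   other lines (peers): public-key, preshared-key, endpoint, allowed-ips,
#                        latest-handshake (epoch seconds, 0 = never),
#                        transfer-rx, transfer-tx, persistent-keepalive
# On a live host (wg0 is an assumed interface name):
#   wg show wg0 dump | stale_peers "$(date +%s)" 180

stale_peers() {
    now=$1        # current time, epoch seconds
    max_age=$2    # seconds since last handshake before a peer counts as stale
    awk -F '\t' -v now="$now" -v max="$max_age" '
        NR == 1 { next }                               # skip the interface line
        $5 == 0 { print $1 "\tnever\t" $3; next }      # no handshake ever seen
        (now - $5) > max { print $1 "\tstale(" (now - $5) "s)\t" $3 }
    '
}

# Constructed sample (placeholder keys, documentation addresses), not real output.
sample_dump() {
    printf 'PRIVKEY_PLACEHOLDER\tSERVERPUB_PLACEHOLDER\t51820\toff\n'
    printf 'PEER_A_PUB\t(none)\t203.0.113.7:49152\t10.253.0.2/32\t1700000000\t9216\t18432\toff\n'
    printf 'PEER_B_PUB\t(none)\t(none)\t10.253.0.3/32\t0\t0\t0\toff\n'
    printf 'PEER_C_PUB\t(none)\t198.51.100.9:51000\t10.253.0.4/32\t1699990000\t512\t1024\t25\n'
}

# Run the check over the constructed sample with a fixed "now".
report() { sample_dump | stale_peers 1700000060 180; }
```

A peer reported as `never` with endpoint `(none)` means no valid packet from that peer has reached the server, so the port forward and the peer's endpoint setting are the first things to recheck.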
48 minutes ago, ljm42 said:

 

Swapping out your router should be fine, seems like there must be an issue with your port forward. It is difficult to troubleshoot WireGuard because it fails silently. All I can suggest is to read the first two posts in this thread carefully, particularly the part about forwarding a UDP port and not a TCP port.

 

If WireGuard on 6.9.2 was working previously you should be able to get it working again. But note that it is rather old code at this point, and no fixes are available for this version. I recommend you look into upgrading to the current version of Unraid.

I will look into the updating process to go from the version I am at now to whatever the newest is. If it seems like too much of a task I may have to wait until after the holidays and then try. But I will check the first 2 posts again in the thread and make sure I didn’t miss anything.  You don’t think I would have to go back to nothing and re set up everything again do you? I mean with WireGuard.  Not server.  😂 😂 

Link to comment
On 12/13/2022 at 12:54 AM, Hoopster said:

You are trying to set up a Raspberry Pi as a client (peer) from which to access unRAID server via WireGuard? Perhaps this tutorial will help?

 

I have WireGuard running on a Raspberry Pi from which I generated client (peer) profiles to access my LAN remotely from a phone or laptop if unRAID/WireGuard are down.  I also have Pi-Hole running on the same Raspberry Pi.  I used this guide and yes, it starts with imaging a Micro SD card for installing WireGuard but I was able to install Pi-Hole after that.

 

 

 

Thanks for this reply. I haven't had a chance to dig into this again. So basically I have a Raspberry Pi server running Raspbian Lite at my parents' house. Main purpose is for remote backups. It's rack mounted with a 4TB HDD. I have it on its own VLAN on that network. I want to connect to it via Wireguard periodically and Rsync to it. Currently I'm using ZeroTier for this but want to switch to WG.

 

So my unraid server is running the WG server, the RasPi a few states away will be a WG Peer. I created the WG config file on unraid and SSH'd it to the Pi. Opened a port on the router. Opened a port on the Pi's firewall. But can't get it to connect. 

There was no straightforward way to install WG on that Pi since it's running Buster.

I'll dig into it more this weekend and follow up. 

 

I have a fancy little OLED screen for this little server running a python script. And I know I'm going to break it if I install a new OS  😂

 

Attaching a couple images of my little 3D printed mount...

Link to comment
15 minutes ago, adminmat said:

There was no straightforward way to install WG on that Pi since it's running Buster

I had to re-image the Raspberry Pi a few months ago because it was still on Debian Stretch which Pi-Hole no longer supported.  In order to update Pi-Hole, I had to reimage with Debian Bullseye (Buster would have also worked) and that is the same RPi where I also have WireGuard running.  However, as mentioned, that instance of WireGuard on the RPi is not a peer to the WG on unRAID.  It is a backup access point into my LAN if/when unRAID/WG are down so I can restart my unRAID server via IPMI.

Link to comment
  • 2 weeks later...

I followed this guide to achieve "Remote access to LAN" on 6.11.5.

My problem is that:

- I can access the Unraid GUI on 192.168.1.5

- I can access Plex on 192.168.1.5:32400
- I can NOT access my windows VM 192.168.1.10 running on Unraid using RDP
- I can NOT access any other device on my LAN (i.e. 192.168.1.1)

It looks like my WG connection terminates at 192.168.1.5 (Unraid) and can't access any other IP on the network - feels like a routing issue.

Ideas? :)

 

Link to comment

Is there a way to import a config file from another Wireguard server into unRAID? I am using a Raspberry Pi in another state. I want to connect it to my Wireguard unRAID server. How do I import the config into unRAID?

 

I would just set up the Raspberry Pi as a client but it seems there are no supported ways to do this at the moment. Thanks.  

Link to comment
On 12/30/2022 at 6:48 AM, cholzer said:

I followed this guide to achieve "Remote access to LAN" on 6.11.5.

My problem is that:

- I can access the Unraid GUI on 192.168.1.5

- I can access Plex on 192.168.1.5:32400
- I can NOT access my windows VM 192.168.1.10 running on Unraid using RDP
- I can NOT access any other device on my LAN (i.e. 192.168.1.1)

It looks like my WG connection terminates at 192.168.1.5 (Unraid) and can't access any other IP on the network - feels like a routing issue.

Ideas? :)

 

Please read the first two posts in this thread very carefully, particularly the part titled "Complex networks"

 

Link to comment
6 hours ago, ljm42 said:

 

Please read the first two posts in this thread very carefully, particularly the part titled "Complex networks"

 


Thank you for your reply, my error was that I misread this section.
 

Quote

 

With "Use NAT" = Yes and "Host access to custom networks" = enabled (static route optional)

server and dockers on bridge/host - accessible!

VMs and other systems on LAN - NOT accessible

dockers with custom IP - NOT accessible

(avoid this config)

 


After I added a static route on my router it worked.

I guess the aspect which confused me was that wg-easy on the rpi did not require this, but the networking on Unraid is certainly different.

QUESTION:
Why can't this route be added directly inside Unraid? :)
Like in the "Routing Table" section.

Link to comment
On 12/13/2022 at 12:54 AM, Hoopster said:

You are trying to set up a Raspberry Pi as a client (peer) from which to access unRAID server via WireGuard? Perhaps this tutorial will help?

 

I have WireGuard running on a Raspberry Pi from which I generated client (peer) profiles to access my LAN remotely from a phone or laptop if unRAID/WireGuard are down.  I also have Pi-Hole running on the same Raspberry Pi.  I used this guide and yes, it starts with imaging a Micro SD card for installing WireGuard but I was able to install Pi-Hole after that.

 

 

 

Hey @Hoopster just wanted to follow up on this. I installed WG using Wundertech's guide that you linked. Had it up and running as intended but on the first update (to the Pi OS) it pulled a bunch of unstable packages. (Most guides for Raspberry Pi OS were made prior to Wireguard being built into the new kernel release. Debian 11?) It took about 40 minutes to pull down all the packages and I noticed many stated "unstable."

 

Anyhow. Found this post on a RasPi forum that states you no longer need to install the additional supporting packages and you just install WG via sudo apt install wireguard. Add your config file and that's it. Done.

 

Now everything works as intended except I lose my local SSH connection when I connect the Wireguard tunnel back to my unRAID server. Still working on how to solve that.

 

Link to comment

How can I run a script when a certain peer connects / disconnects?

 

I want to add a route to its LAN, but can't use the option "LAN <---> LAN" because it has no certain endpoint.

 

I get the intention of an endpoint being mandatory in the GUI, but it should not be necessary as long as one peer can connect to another.
Link to comment
On 8/28/2022 at 5:36 PM, HojojojoWololo said:

Hi guys,

 

I need some help, too, cause I can't figure out what to do even after some hours of research.

 

Problem: I am using Wireguard for some months and everything works fine since everyone who connects via Wireguard is supposed to have complete access to the LAN of the server (wife and I). But on my server, there is one docker-container which I allowed some friends to have access to. For that purpose, I used an OpenVPN container since I was able to restrict the VPN access to just one specific container (within the OpenVPN config, I was able to restrict certain users to certain IP mappings within the server's docker network). Now the OpenVPN docker is EOL for Unraid and coincidentally, my OpenVPN setup broke. My problem: how can I achieve to set this up via Wireguard in Unraid?

 

I do not want those people to access my whole server/LAN/... but only one specific docker container (IP is only "fixed" by the boot sequence of the docker containers - not by assigning a fixed IP to the container itself).

 

Hopefully, someone has some tips for me :)

 

 

Up :)

Link to comment

I am trying to use Wireguard with a "complex" network where I have dockers running with a br0 network type.  Wireguard is working, I can access most of my LAN via VPN, but I cannot access these dockers, like Pi-Hole.

 

I have followed these directions:  "With "Use NAT" = No and "Host access to custom networks" = enabled and static route " - the last item being creating a static route on my Unifi USG router through the Unifi Controller software.  

 

Any advice on how to troubleshoot this problem?

Link to comment

  

On 8/28/2022 at 8:36 AM, HojojojoWololo said:

Hi guys,

 

I need some help, too, cause I can't figure out what to do even after some hours of research.

 

Problem: I am using Wireguard for some months and everything works fine since everyone who connects via Wireguard is supposed to have complete access to the LAN of the server. But on my server, there is one docker-container which I allow some friends to have access to. For that purpose, I used an OpenVPN container since I was able to restrict the VPN access to just one specific container (within the OpenVPN config, I was able to restrict certain users to certain IP mappings within the server's docker network). Now the OpenVPN docker is EOL for Unraid and coincidentally, my OpenVPN setup broke. My problem: how can I achieve to set this up via Wireguard in Unraid?

 

I do not want those people to access my whole server/LAN/... but only one specific docker container (IP is only "fixed" by the boot sequence of the docker containers - not by assigning a fixed IP to the container itself).

 

Hopefully, someone has some tips for me :)

 

On 1/8/2023 at 1:01 PM, HojojojoWololo said:

Up :)

 

Have you ruled out the Local Tunnel Firewall feature? You can click the "?" in the upper right corner of the page to turn on help and see how it works.

Link to comment
2 hours ago, wayner said:

I have followed these directions:  "With "Use NAT" = No and "Host access to custom networks" = enabled and static route " - the last item being creating a static route on my Unifi USG router through the Unifi Controller software.  

 

Any advice on how to troubleshoot this problem?

 

Seems like this would do the trick. I would probably start by double checking the static route and making sure there is nothing in the router that is firewalling the traffic. Also make sure you haven't inadvertently blocked anything with the Local Tunnel Firewall in the WireGuard config. 

Link to comment
On 1/6/2023 at 4:10 PM, Greyberry said:

How can I run a script when a certain peer connects / disconnects?

 

I want to add a route to its LAN, but can't use the option "LAN <---> LAN" because it has no certain endpoint.

 

I get the intention of an endpoint being mandatory in the GUI, but it should not be necessary as long as one peer can connect to another.

 

I would add static routes in your router rather than trying to script it on individual computers.

 

BTW we have a separate guide for setting up LAN to LAN WG here:

  https://forums.unraid.net/topic/88906-lan-to-lan-wireguard/

 

Link to comment
16 minutes ago, ljm42 said:

 

Seems like this would do the trick. I would probably start by double checking the static route and making sure there is nothing in the router that is firewalling the traffic. Also make sure you haven't inadvertently blocked anything with the Local Tunnel Firewall in the WireGuard config. 

Here is the Wireguard config.  Should that Local tunnel firewall setting be changed?

 

Here are my settings for Wireguard, my static route on my Unifi router and my docker config.

 


Link to comment
17 hours ago, wayner said:

I changed the hop distance from 2 to 1 but that does not help, I still cannot access my br0 dockers.

 

Is the peer file on your iphone current? It needs to be manually updated whenever you make a change to the wireguard config on the server.

Link to comment
