WireGuard quickstart



What do you mean by 

 

16 minutes ago, evocraigst said:

my unraid server crashes

 

18 minutes ago, evocraigst said:

trouble shooting steps

If the GUI is completely unresponsive etc, then under Settings - Syslog server, enable mirror syslog to flash and after the crash post the resulting file stored on the flash drive (logs folder)

1 minute ago, Squid said:

What do you mean by 

 

 

If the GUI is completely unresponsive etc, then under Settings - Syslog server, enable mirror syslog to flash and after the crash post the resulting file stored on the flash drive (logs folder)

GUI goes offline, all dockers and VMs turn off and I have to hard reboot the system. I deleted my 2 VPN peer profiles and it runs, and added 1 back; seems ok for now though, but just in case there's a big bug.

zues-diagnostics-20191113-1401.zip

24 minutes ago, bonienl said:

Highly unlikely your system crashes, and the diagnostics seem to confirm that.

 

1. What exactly did you configure as WireGuard settings?

2. There is something going on with Docker and its virtual interface is going up and down. You can try to test with the Docker service stopped

Well, all my dockers turn off and VMs turn off and the web GUI is non-responding. Could be a network issue then, and the server's in another room. The WireGuard server I can turn on, but having 2 peers (clients) set up is when it fails. Can duplicate IPs cause this on peers? I deleted both and added one back and it's still online 2 hours later though.

On 11/13/2019 at 9:23 AM, Can0nfan said:

under the wg0 tunnel Local endpoint: is your public facing IPv4 address 

 

under the peer (your phone) make sure peer end point is the static internal IP of your unraid server

 

Hi Can0nfan,

 

The endpoint is set to my subdomain.domain.tld. I don't have a static public IP, so I use ddclient to update my domain to my current IP when it changes. And I have tried setting it to my current IP to rule out any issue there. My phone talks to the server but won't complete the handshake, as you can see there is data being sent and received on the server. I also tried my work Android phone as well and it's doing the same thing. It's like the server is actively blocking the connection when it's seeing it from the external source, as it will connect just fine if my phone is on the same network.

 

This is the first service that I've had an issue getting it to connect externally. My openvpn-as docker is still working just fine at the moment. I'm going to update to rc6 and see if that helps any.

 

Also a side note: With the VPN enabled on my phone I can still access the internet even though my VPN connection is turned on. On my OpenVPN, if I lose my VPN connection I lose connection to everything until my VPN reconnects (as a VPN should be). I'm not sure why WireGuard is letting data flow through my cell connection and not trying to go through the VPN (even with the handshake not being established).

 

Edit: RC6 didn't resolve the issue.

1 hour ago, Trites said:

My phone talks to the server but won't complete the handshake, as you can see there is data being sent and received on the server. I also tried my work Android phone as well and it's doing the same thing. It's like the server is actively blocking the connection when it's seeing it from the external source, as it will connect just fine if my phone is on the same network.

Wireguard is very difficult to troubleshoot because it fails silently - there are no error messages or logs.  But based on what you've said, it sounds like your port forward isn't working correctly.

 

1 hour ago, Trites said:

Also a side note: With the VPN enabled on my phone I can still access the internet even though my VPN connection turned on. On my OpenVPN if I lose my VPN connection I lose connection to everything until my VPN reconnects (As a VPN should be). I'm not sure why wireguard is letting data flow though my cell connection and not trying to go though the VPN (even with the handshake not being established).

By default the guide gets you setup with one of the "split tunneling" options, where only traffic destined for your server (or LAN) goes through the tunnel. If you want all your traffic to go through the tunnel you need to choose the "Remote tunneled access" option instead. I'd suggest getting "Remote access to LAN" working first though.

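WireGuard does not log failed handshakes, but the server does keep per-peer state that `wg show <iface> dump` prints (one tab-separated line per peer with the latest-handshake time and byte counters). As an added example, not from the Unraid plugin or this thread, the Python below classifies each peer from that output; the dump text, timestamp and keys are constructed placeholders, and the 180 s stale threshold is an assumption.

```python
"""Classify WireGuard peers from the output of `wg show <iface> dump`.
Added example, not from the Unraid plugin or this thread; the dump text,
timestamp and keys below are constructed placeholders."""
from dataclasses import dataclass
from typing import Dict, List, Optional

STALE_AFTER = 180  # WireGuard rekeys ~every 120 s; two misses = stale (assumption)


@dataclass
class PeerState:
    public_key: str
    endpoint: str
    handshake_age: Optional[int]  # seconds since last handshake, None = never
    rx_bytes: int
    tx_bytes: int

    @property
    def status(self) -> str:
        # rx/tx can be non-zero although no handshake ever completed (e.g. a
        # broken port forward drops the replies), so counters alone prove nothing.
        if self.handshake_age is None:
            return "never handshaked"
        return "stale" if self.handshake_age > STALE_AFTER else "up"


def parse_dump(dump: str, now: int) -> List[PeerState]:
    """Line 1 describes the interface; each later line is one peer:
    pubkey, psk, endpoint, allowed-ips, latest-handshake, rx, tx, keepalive."""
    peers = []
    for line in dump.strip().splitlines()[1:]:
        pub, _psk, endpoint, _allowed, hs, rx, tx, _ka = line.split("\t")
        age = None if int(hs) == 0 else now - int(hs)
        peers.append(PeerState(pub, endpoint, age, int(rx), int(tx)))
    return peers


def report(dump: str, now: int) -> Dict[str, str]:
    """Map each peer's public key to 'up', 'stale' or 'never handshaked'."""
    return {p.public_key: p.status for p in parse_dump(dump, now)}


SAMPLE_NOW = 1_573_700_000  # constructed "current" epoch time
SAMPLE_DUMP = "\n".join([
    "\t".join(["PRIVKEY_PLACEHOLDER", "PUBKEY_SERVER", "51820", "off"]),
    # Phone: bytes were counted, but latest-handshake is 0 -> never completed.
    "\t".join(["PUBKEY_PHONE", "(none)", "203.0.113.7:41641", "10.253.0.2/32",
               "0", "4520", "3180", "0"]),
    # Laptop: handshake 45 s ago -> tunnel is up.
    "\t".join(["PUBKEY_LAPTOP", "(none)", "198.51.100.9:51820", "10.253.0.3/32",
               str(SAMPLE_NOW - 45), "99000", "120000", "25"]),
])
```

A peer that shows traffic but reads "never handshaked" is the pattern described in the posts above: packets reach one side, but the reply path (typically the port forward) is broken.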
26 minutes ago, ljm42 said:

Wireguard is very difficult to troubleshoot because it fails silently - there are no error messages or logs.  But based on what you've said, it sounds like your port forward isn't working correctly.

I thought it was a port forward issue as well. So I tried configuring wireguard to use UDP port 1194 (The port my openvpn uses) and I get the same results. Connect but no handshake.

 

Edit: I think I'm going to set up my Dev Server and test, just to verify it's not a config issue on my Prod server.

 

On 10/12/2019 at 5:15 AM, ljm42 said:
  • Remote access to server: Use your phone or computer to remotely access your Unraid server, including:
    • Unraid administration via the webgui
    • Access dockers, VMs, and network shares as though you were physically connected to the network
  • Remote access to LAN: Builds on "Remote access to server", allowing you to access your entire LAN as well.
  • Remote tunneled access: Securely access the Internet from untrusted networks by routing all of your traffic through the VPN and out Unraid's Internet connection

...

 

Understand that giving someone VPN access to your LAN is just like giving them physical access to your LAN, except they have it 24x7 when you aren't around to supervise.  Only give access to people and devices that you trust, and make certain that the configuration details (particularly the private keys) are not passed around insecurely. Regardless of the "connection type" you choose, assume that anyone who gets access to this configuration information will be able to get full access to your network. 

 

I plan on installing wireguard for

- Remote tunneled access

- Remote access to server

 

I guess the remote tunneled access provides the same access to the LAN as remote access to LAN, right? So, what kind of access exactly does this give out? That is, what does this "Regardless of the "connection type" you choose, assume that anyone who gets access to this configuration information will be able to get full access to your network." mean in practice? Is the other party able to access the shares and server storage without any further authentication, or do they still need to know the share and server passwords to achieve that?


When you look at the picture included in the built-in help, you will see that "Remote tunneled access" gives you access to the server, the LAN and the Internet.

 

WireGuard provides unrestricted access. This means that once a tunnel is set up and access is allowed to server and/or LAN, the remote user has the same access rights as a local user. Be careful with sharing WireGuard configuration information (especially the keys) if you don't want unsolicited users to access your systems.

1 hour ago, bonienl said:

WireGuard provides unrestricted access. This means that once a tunnel is set up and access is allowed to server and/or LAN, the remote user has the same access rights as a local user. Be careful with sharing WireGuard configuration information (especially the keys) if you don't want unsolicited users to access your systems.

By "same access rights as a local user" you refer to a local user in the unraid server? So, the remote computer/user will have, for example, access to all the shares from inside the unraid server?

 

The reason I am asking is that the remote computer could get infected by, for example, a ransomware virus. What kind of access and risk would this have for the unraid server?

8 minutes ago, Ruato said:

By "same access rights as a local user" you refer to a local user in the unraid server?

No, "local user" as in another computer on your LAN accessing the Unraid server.

 

10 minutes ago, Ruato said:

What kind of access and risk would this have for the unraid server?

Similar risks as a local computer accessing your server.


I'm also having problems with the wireguard plugin. I followed the instructions under quickstart, and forwarded my router on port 51820 and set up my peer as my phone. However, I am unable to connect on my phone to wireguard. Even on the same WiFi as my server, my phone will still not be able to connect to wireguard. It seems unable to make a handshake with the server. Wireguard is on, peer is setup with a QR code and remote to LAN. Has anyone had an issue like this?

On 11/13/2019 at 9:22 AM, evocraigst said:

GUI goes offline, all dockers and VMs turn off and I have to hard reboot the system. I deleted my 2 VPN peer profiles and it runs, and added 1 back; seems ok for now though, but just in case there's a big bug.

zues-diagnostics-20191113-1401.zip

The fact you have allocated 50G to your docker image makes me suspect you have had issues with your docker applications filling the docker image, so perhaps your problem has nothing to do with wireguard at all.

 

I always recommend 20G for docker image and it is extremely unlikely to need even that much. If your docker image is growing beyond 20G then you have one or more of your applications writing to a path that is not mapped. Making docker image larger will not fix that problem, it will just make it take longer to fill and corrupt.

 

Also your system share is not on cache and not cache-prefer as it should be. Normally your docker image is in the system share, but I see you have yours at /mnt/user/docker.img. That is not in any user share and it isn't clear which disk that would be on. I had mine at /mnt/cache/docker.img for a long time and eventually put it in the system share just to get more in line with the standard way of doing things. I'm not entirely sure how a file at the top level of the user shares, and so not actually part of any user share, would be handled.

 

So maybe you should clean up your docker setup and then see if you still have problems.


With wireguard, if I set it up on my local network let's say 10.0.0.x and get my backup unRAID box all setup then move it to my parents place on a different IP range will wireguard just work? As in do the normal port forward to new IP but I'll still be able to just connect?

 

I also gotta look into server to server wireguard as I'm planning to put in a backup off-site. What would be the best to sync to the backup? rsync?


So, I have this fully up and running. The speed is insane. I am easily getting speed tests of 100Mbps on my Gbit connection, and I don't have the greatest cell reception when testing.

 

My question is, if my IP changes on my WAN, does Wireguard automagically see this and make the update, or do I have to manually stop wireguard and start it again?


Random question.  I would like to have two different Wireguard connections that I can connect to. One that has PIA (I know I'm going to change soon.) always on.  So when I connect to Wireguard instance I also get my PIA address out of the network. The other one is just direct to my network with all traffic coming out of my home IP.  They both would have full access to my home network.  Is that something that would be possible?

On 11/16/2019 at 5:55 PM, Trites said:

I thought it was a port forward issue as well. So I tried configuring wireguard to use UDP port 1194 (The port my openvpn uses) and I get the same results. Connect but no handshake.

 

Edit: I think I'm going to set up my Dev Server and test, just to verify it's not a config issue on my Prod server.

 

So I never got a chance to get my Development server up and running, but today I installed RC9 and decided to try this again. It's now working. I've changed nothing network-wise since last time; the only change was RC9. Not sure what fixed it, but it's working.


Is it possible to configure a client so it has access only to a specific IP address on the network? Or to a specific docker container?

I have some docker containers and VMs in unraid that have different IP addresses. Can I somehow route a client to have access only to specified docker containers or VMs?

On 12/8/2019 at 9:28 PM, GreenEyedMonster said:

Random question.  I would like to have two different Wireguard connections that I can connect to. One that has PIA (I know I'm going to change soon.) always on.  So when I connect to Wireguard instance I also get my PIA address out of the network. The other one is just direct to my network with all traffic coming out of my home IP.  They both would have full access to my home network.  Is that something that would be possible?

Possible but not at the same time.

VPN tunneled access must be used exclusively.

20 hours ago, INTEL said:

Is it possible to configure a client so it has access only to a specific IP address on the network? Or to a specific docker container?

I have some docker containers and VMs in unraid that have different IP addresses. Can I somehow route a client to have access only to specified docker containers or VMs?

To give access to a specific IP address on the client side, you need to set the "Peer allowed IPs" accordingly, i.e. enter the address(es) which may be reached.

 

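ljm42's split-tunneling answer and bonienl's "Peer allowed IPs" answer are both consequences of how WireGuard uses the AllowedIPs list. As an added example (not the Unraid plugin's code; all addresses and the peer names are constructed), the Python below models that behaviour for the three quickstart connection types and for a peer restricted to two specific hosts:

```python
"""Model WireGuard cryptokey routing (the "Peer allowed IPs" field).
Added example, not the Unraid plugin's code; all addresses are constructed.
AllowedIPs does two jobs: on the sending side it is the route table (which
destinations enter the tunnel); on the receiving side it is a source-address
ACL (a decrypted packet whose source is outside the peer's AllowedIPs is
dropped). A peer edits its own config, so a client-side restriction is a
convenience, not enforcement; enforce on the server with firewall rules."""
import ipaddress
from typing import Dict, List, Optional


def parse_allowed(spec: str) -> List:
    """Turn 'a/len, b/len' as typed into the GUI field into network objects."""
    return [ipaddress.ip_network(s.strip()) for s in spec.split(",")]


def tunnel_peer(dst: str, peers: Dict[str, List]) -> Optional[str]:
    """Sending side: longest-prefix match of dst over every peer's AllowedIPs.
    None means the packet is not tunnelled at all (split tunnel)."""
    addr = ipaddress.ip_address(dst)
    best, best_len = None, -1
    for name, nets in peers.items():
        for net in nets:
            if addr in net and net.prefixlen > best_len:
                best, best_len = name, net.prefixlen
    return best


def accept_from_peer(src: str, allowed: List) -> bool:
    """Receiving side: accept a decrypted packet only if its source address
    lies in the sending peer's AllowedIPs."""
    return any(ipaddress.ip_address(src) in net for net in allowed)


# The quickstart's connection types as the client's AllowedIPs (constructed).
REMOTE_ACCESS_TO_SERVER = parse_allowed("10.253.0.1/32")
REMOTE_ACCESS_TO_LAN = parse_allowed("10.253.0.1/32, 192.168.1.0/24")
REMOTE_TUNNELED_ACCESS = parse_allowed("0.0.0.0/0")
# Only two containers/VMs reachable: list host routes instead of the subnet.
SPECIFIC_HOSTS_ONLY = parse_allowed("192.168.1.50/32, 192.168.1.51/32")
```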
On 12/8/2019 at 6:14 PM, Viper359 said:

My question is, if my IP changes on my WAN, does Wireguard automagically see this and make the update, or do I have to manually stop wireguard and start it again?

When the WAN IP address changes, your router needs to take care of it. WireGuard will follow automatically.

