INTEL Posted December 11, 2019
4 hours ago, bonienl said:
To give access to a specific IP address on the client side, you need to set the "Peer allowed IPs" accordingly. I.e. enter the address(es) which may be reached
Actually I'm trying to allow a peer to connect to a specific VM on my server, or a specific docker on my server, and no access to the rest of my network. Is that possible?
bonienl Posted December 11, 2019
32 minutes ago, INTEL said:
Actually I'm trying to allow a peer to connect to a specific VM on my server, or a specific docker on my server, and no access to the rest of my network. Is that possible?
At the client side access is controlled by the "Peer allowed IPs", but of course a client can change these. Wireguard does not have a mechanism to restrict incoming access at the server side. A possible solution is to use iptables (firewall), but this requires manual work and won't be stored permanently. Besides, iptables is not the most user-friendly firewall configuration out there.
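The server-side iptables approach bonienl mentions, worked through as an added example (this is not code from the thread or from the Unraid plugin). The tunnel interface name `wg0`, the peer's tunnel address `10.253.0.2` and the VM address `192.168.1.50` are constructed placeholders. The script only prints the iptables commands so they can be reviewed first; setting `WG_APPLY=1` pipes them into `sh`. The rules live in a dedicated chain hooked into FORWARD, so traffic from that one peer is allowed only to the chosen destination and everything else it tries to reach is logged and dropped; new connections from the peer to the Unraid host itself are dropped on INPUT as well. As noted in the post, nothing here persists across a reboot unless it is re-applied at boot.

```shell
#!/bin/sh
# Added example, not part of the original thread or the Unraid WireGuard plugin.
# Restricts one WireGuard peer (by its tunnel IPv4 address) to a single
# destination host, using iptables on the server. All addresses and the
# interface name are constructed placeholders.

# wg_peer_rules WG_IF PEER_IP DEST_IP [TCP_PORT]
# Prints the iptables commands; nothing is applied by this function itself.
wg_peer_rules() {
  wg_if=$1; peer=$2; dest=$3; port=${4:-}
  # One chain per peer keeps its rules together and easy to flush later.
  # IPv4 only: dots become underscores to form a legal chain name.
  chain="WG_PEER_$(printf '%s' "$peer" | tr '.' '_')"

  echo "iptables -N $chain"
  # Send every forwarded packet that came in on the tunnel from this peer
  # into its own chain. Position 1 puts it ahead of Docker's own jumps.
  echo "iptables -I FORWARD 1 -i $wg_if -s $peer -j $chain"
  # Packets belonging to flows that were already allowed (stateful match).
  echo "iptables -A $chain -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT"
  # The one destination this peer may open connections to.
  if [ -n "$port" ]; then
    echo "iptables -A $chain -d $dest -p tcp --dport $port -j ACCEPT"
  else
    echo "iptables -A $chain -d $dest -j ACCEPT"
  fi
  # Anything else from this peer: log it (visible in the syslog) and drop it.
  echo "iptables -A $chain -j LOG --log-prefix \"wg-peer-drop: \" --log-level 4"
  echo "iptables -A $chain -j DROP"
  # The peer should not reach the Unraid host itself either. This only
  # affects packets inside the tunnel; the WireGuard handshake arrives on
  # the physical interface and is unaffected.
  echo "iptables -I INPUT 1 -i $wg_if -s $peer -m conntrack --ctstate NEW -j DROP"
}

# wg_peer_rules_remove WG_IF PEER_IP
# Prints the commands that undo wg_peer_rules for the same peer.
wg_peer_rules_remove() {
  wg_if=$1; peer=$2
  chain="WG_PEER_$(printf '%s' "$peer" | tr '.' '_')"
  echo "iptables -D INPUT -i $wg_if -s $peer -m conntrack --ctstate NEW -j DROP"
  echo "iptables -D FORWARD -i $wg_if -s $peer -j $chain"
  echo "iptables -F $chain"
  echo "iptables -X $chain"
}

# Usage (as root):  WG_APPLY=1 ./wg-peer-restrict.sh wg0 10.253.0.2 192.168.1.50 [443]
# Without WG_APPLY=1 the commands are only printed for review.
if [ "$#" -ge 3 ]; then
  if [ "${WG_APPLY:-0}" = 1 ]; then
    wg_peer_rules "$@" | sh
  else
    wg_peer_rules "$@"
  fi
fi
```

Run it once without `WG_APPLY` to read the generated rules, then with it to apply them; `wg_peer_rules_remove wg0 10.253.0.2 | sh` takes them out again. Because Unraid does not keep iptables state across reboots, the apply command has to be repeated at boot (for example from the go file) for the restriction to stay in force.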
INTEL Posted December 11, 2019
3 minutes ago, bonienl said:
At the client side access is controlled by the "Peer allowed IPs", but of course a client can change these. Wireguard does not have a mechanism to restrict incoming access at the server side. A possible solution is to use iptables (firewall), but this requires manual work and won't be stored permanently. Besides, iptables is not the most user-friendly firewall configuration out there.
Thanks, I figured it won't work like that.
Viper359 Posted December 11, 2019
9 hours ago, bonienl said:
When the WAN IP address changes, your router needs to take care of it. WireGuard will follow automatically.
My router will take care of it, but I have it on a UPS, much like Unraid, so there will be no shutdown or reboot. So I assume, based on what you said, and if I understand correctly, WireGuard will monitor and automagically update should the WAN IP change, without the need for a reboot, restart etc., which is awesome sauce.
Faspina Posted December 12, 2019
On 11/30/2019 at 1:58 PM, SupremeArmchair said:
I'm also having problems with the wireguard plugin. I followed the instructions under quickstart, and forwarded my router on port 51820 and set up my peer as my phone. However, I am unable to connect on my phone to wireguard. Even on the same WiFi as my server, my phone will still not be able to connect to wireguard. It seems unable to make a handshake with the server. Wireguard is on, peer is set up with a QR code and remote to LAN. Has anyone had an issue like this?
Using an iOS phone I am having the same problem. Port forwarding seems to be working as my Windows client is working. It's just the phone that has problems.
Psybernoid Posted December 12, 2019
Not having any luck getting this to work at all. I have 2 NICs. Bridging is enabled on both. I have VLANs enabled on eth1. Anyway, long story short, it seems that Wireguard isn't listening on my server. Here's the output of lsof -i -P -n | grep UDP
rpcbind 2020 rpc 6u IPv4 14656 0t0 UDP *:111
rpcbind 2020 rpc 8u IPv6 14658 0t0 UDP *:111
rpc.statd 2025 rpc 5u IPv4 13692 0t0 UDP 127.0.0.1:929
rpc.statd 2025 rpc 8u IPv4 13695 0t0 UDP *:58404
rpc.statd 2025 rpc 10u IPv6 13699 0t0 UDP *:44546
ntpd 2055 ntp 16u IPv4 11914 0t0 UDP 127.0.0.1:123
ntpd 2055 ntp 17u IPv6 9942089 0t0 UDP [fe80::8423:1eff:feb5:9a7b]:123
ntpd 2055 ntp 18u IPv6 11918 0t0 UDP [::1]:123
ntpd 2055 ntp 19u IPv4 9937148 0t0 UDP 10.100.0.133:123
avahi-dae 4448 avahi 14u IPv4 21288 0t0 UDP *:5353
avahi-dae 4448 avahi 15u IPv6 21289 0t0 UDP *:5353
avahi-dae 4448 avahi 16u IPv4 21290 0t0 UDP *:46303
avahi-dae 4448 avahi 17u IPv6 21291 0t0 UDP *:49977
dhcpcd 24541 root 0u IPv4 9938170 0t0 UDP 10.100.0.133:68
dnsmasq 25171 nobody 3u IPv4 9944874 0t0 UDP *:67
dnsmasq 25171 nobody 5u IPv4 9944877 0t0 UDP 192.168.122.1:53
nmbd 25531 root 17u IPv4 9942622 0t0 UDP *:137
nmbd 25531 root 18u IPv4 9942623 0t0 UDP *:138
nmbd 25531 root 19u IPv4 9942639 0t0 UDP 10.100.0.133:137
nmbd 25531 root 20u IPv4 9942640 0t0 UDP 10.100.0.255:137
nmbd 25531 root 21u IPv4 9942641 0t0 UDP 10.100.0.133:138
nmbd 25531 root 22u IPv4 9942642 0t0 UDP 10.100.0.255:138
nmbd 25531 root 23u IPv4 9942643 0t0 UDP 192.168.122.1:137
nmbd 25531 root 24u IPv4 9942644 0t0 UDP 192.168.122.255:137
nmbd 25531 root 25u IPv4 9942645 0t0 UDP 192.168.122.1:138
nmbd 25531 root 26u IPv4 9942646 0t0 UDP 192.168.122.255:138
nmbd 25531 root 28u IPv4 9968888 0t0 UDP 172.17.0.1:137
nmbd 25531 root 29u IPv4 9968889 0t0 UDP 172.17.255.255:137
nmbd 25531 root 30u IPv4 9968890 0t0 UDP 172.17.0.1:138
nmbd 25531 root 31u IPv4 9968891 0t0 UDP 172.17.255.255:138
wsdd 25538 root 3u IPv6 9939632 0t0 UDP *:3702
It seems UDP 51820 isn't listening at all.
sirkuz Posted December 12, 2019
Ran into a strange issue and fixed it today, not sure if anyone has reported this but couldn't find anything in a rudimentary search. If you uninstall WG after having set up a connection, your wg0 interfaces remain and they are unable to be deleted manually via network settings/Unraid routing table GUI. You instead have to reinstall WG and then remove the config to correct it. I think these routes should be removed once the plugin is uninstalled.
trurl Posted December 12, 2019
1 minute ago, sirkuz said:
Ran into a strange issue and fixed it today, not sure if anyone has reported this but couldn't find anything in a rudimentary search.
Did you hit Submit too soon?
sirkuz Posted December 12, 2019
3 minutes ago, trurl said:
Did you hit Submit too soon?
Si! Dang ctrl+enter reflex.
trurl Posted December 12, 2019
8 minutes ago, sirkuz said:
I think these routes should be removed once the plugin is uninstalled.
The plan is for this to become built in instead of a plugin.
JasonJoel Posted December 12, 2019
So what is the verdict - can you use WireGuard if your Eth0/Eth1 is in a bond, or not (for Remote to LAN type connections)? I would rather not disable the bond, as I regularly go over a single 1Gb connection of bandwidth when doing backups on multiple nodes. Thoughts?
My network connections today:
Eth0/Eth1 - bonded, bridging = false.
Eth2 - VM/Docker LAN connections, bridging = true
Eth3 - VM/Docker IoT connections, bridging = true
mattekure Posted December 13, 2019
Thank you very much for this, and especially for the excellent setup instructions. Everything went super easy and smooth (once I realized I accidentally forwarded port 51280 instead of 51820).
Danny08 Posted December 13, 2019
Hi, can I also use this to connect my Unraid server to my already existing wireguard network (on another, non-Unraid server)? I tried it a little bit but it didn't do anything.
J.Nerdy Posted December 13, 2019
Excellent guide and it worked flawlessly, thank you. My knowledge base is thin, so sorry if this question is naive: when active on a client (iPhone), is all traffic routed through wireguard to the home LAN, thus encrypted and serving as a VPN for safe browsing on unsecured wifi? Or is it just a point to point tunnel that allows for encrypted access to addresses on the server's LAN? Thanks!
ljm42 (Author) Posted December 13, 2019
1 hour ago, J.Nerdy said:
My knowledge base is thin, so sorry if this question is naive: when active on a client (iPhone), is all traffic routed through wireguard to the home LAN, thus encrypted and serving as a VPN for safe browsing on unsecured wifi? Or is it just a point to point tunnel that allows for encrypted access to addresses on the server's LAN?
It depends on which "Peer type of access" you choose. "Remote tunneled access" pushes everything through the VPN tunnel, the others do split tunneling (where only the traffic destined for Unraid's network uses the VPN tunnel).
ljm42 (Author) Posted December 13, 2019
6 hours ago, Danny08 said:
can I also use this to connect my Unraid server to my already existing wireguard network? (on another, non-Unraid server)
yes
Danny08 Posted December 13, 2019
3 hours ago, ljm42 said:
yes
And... how? I tried it like on every other server and it doesn't do anything and I can't find logs.
bonienl Posted December 13, 2019
8 hours ago, Danny08 said:
And... how?
It is unclear to me what you are trying to achieve. If there is another server setting up a WG tunnel, then it might be as simple as setting routing for the Unraid server to the "external" WG tunnel, but this has nothing to do with the WG implementation on Unraid.
ljm42 (Author) Posted December 13, 2019
8 hours ago, Danny08 said:
And... how? I tried it like on every other server and it doesn't do anything and I can't find logs.
That is way beyond this guide and will require you to read up on Wireguard. The plugin takes care of all the details for you *if* it is managing the tunnel. If you are connecting to another tunnel that is not managed by Unraid, you will need to deal with setting up the private/public keys, assigning the IP address, determining the endpoint URLs, etc. All of this is Wireguard specific, nothing to do with the fact that the client is Unraid.
Once you have created a config file for the Unraid client that will connect to your other system, choose the "Import config" option in the plugin. I honestly haven't done that in a while so I don't recall the exact steps after that. But it should get you close.
There is really only one caveat that I can think of - Unraid will ignore any DNS server setting that is in the config file, probably best to just leave that out. Everything else is standard wireguard.
Note that everything mentioned in the second post still applies - troubleshooting is very difficult because wireguard fails silently. There are no helpful logs to look at. It works or it doesn't.
NLS Posted December 14, 2019
Fantastic easy VPN. I haven't seen such an easy VPN since LANCOM hardware "drag n' drop" VPN.
bonienl Posted December 14, 2019
On 12/12/2019 at 5:35 PM, Psybernoid said:
It seems UDP 51820 isn't listening at all.
Use "wg" instead
root@vesta:/# wg
interface: wg0
  public key: +vmlfqmRg6XxRCo86Ynqzsobd4kN0HXZsq2bN13akCI=
  private key: (hidden)
  listening port: 51821
bonienl Posted December 14, 2019
On 12/12/2019 at 8:54 PM, JasonJoel said:
So what is the verdict - can you use WireGuard if your Eth0/Eth1 is in a bond, or not (for Remote to LAN type connections)? I would rather not disable the bond, as I regularly go over a single 1Gb connection of bandwidth when doing backups on multiple nodes. Thoughts?
My network connections today:
Eth0/Eth1 - bonded, bridging = false.
Eth2 - VM/Docker LAN connections, bridging = true
Eth3 - VM/Docker IoT connections, bridging = true
Yes, this works (I tested this using a bonded interface with 4 members).
J.Nerdy Posted December 14, 2019
I know that I'm missing something simple: when using remote tunneled access, I can hit my server and LAN without an issue, but the client can not browse to addresses outside the LAN (internet). I thought maybe it was DNS resolution, but entering IP addresses for sites still times out. (I assume the server is routing all traffic when using tunneled access and sending it back to the client.) Is there a configuration besides setting remote tunneled access that I will need to change?
bonienl Posted December 14, 2019
Switch to "advanced view" and set "Local server uses NAT" = "Yes". (If this setting is "No" you will need to add a static route on your router to point back to the WG tunnel.)
gadgethome Posted December 14, 2019
My IP range is 192. and my VM firewall is in 172. When I connect I can access everything on 192, but how do I add the 172 range so my firewall is active as well? Thanks