WireGuard quickstart


Recommended Posts

Does anyone know how to successfully setup the "server to server" connection? Is it just a matter of the remote server being able to hit my server and vice versa? My buddy and I share servers and I'd like to decom the VM that I have been using just to VPN into his network to access his storage. This is what I've done so far (waiting for him to return to his house to complete the config)

 

- Created new peer named "Just The Two Of Us" (how corny?)

- Selected "Server to server access"

- Added the remote server's DDNS and port in "Peer endpoint"

 

Link to comment
8 hours ago, bonienl said:

Switch to "advanced view" and set "Local server uses NAT" = "Yes".

(If this setting is "No" you will need to add a static route on your router to point back to the WG tunnel)

hmmm it was configure to yes.... odd.

 

I am manually configuring DNS to see if that makes a difference (though it shouldn't) and will report back.

 

Thanks!

 

Edit:  I am a knob... I configured the DNS client-side, but did not make the edits to already configured peers.  FIXED

 

Edited by J.Nerdy
Double Derp
Link to comment
42 minutes ago, gadgethome said:

My ip range is 192. and my VM firewall in 172. When I connect I can access everything on 192 but how do I add the 172 range so my firewall is active as well?

 

Thanks

What do you mean with "so my firewall is active"?

Switch to advanced view and make sure "Local server uses NAT" = Yes

Anything in a different network as 192.x.y.z needs two-way routing (but this is out of scope for Unraid)

Link to comment

I got this set up on my main server and connected from my phone in no time! Very happy. I've added access for my laptop (I'll have to test this next time I leave my house) and will be adding in other family members soon, as well. My next step is to use this to connect to my off-site Backup server. I've used the ZeroTier docker, but frankly, I'd rather use this as everything will reside in my own server and it will be baked into the base OS sooner or later. 

 

I've created a "Backup" peer on my main server and set it up as "Server to Server" access. I clicked the eye and downloaded the config file. On the Backup server, I installed WG and added a peer by importing the config file from my main server. 

 

I can't test at the moment since the two boxes are sitting side by side while the initial backup completes. Was this the right process? Is there anything else that I'd need to do once Backup is back off-site?

 

I remain impressed, overwhelmed and extremely pleased with the incredible support and features being built into unRAID, added via Dockers and plugins and the incredible support that I get here. Thanks!

Link to comment
4 hours ago, FreeMan said:

Is there anything else that I'd need to do once Backup is back off-site?

Make sure the local endpoint and peer endpoint are correctly set. This maybe a URL name which can be resolved or the public IP address of the server.

If there are any routers/firewalls at either side, they need to do port forwarding to make outside access possible.

Link to comment

Interesting thing.  I got it working last night from the phone without issue. Easy as pie.

 

But, This morning I added a few more clients and none can connect including my phone that worked fine last night.  The clients say connected but that isn't reflected on the server and traffic is not passing.   Firewall ports and DDNS are good.

 

Any thoughts?

Link to comment
On 12/14/2019 at 12:22 PM, bonienl said:

Use "wg" instead


root@vesta:/# wg
interface: wg0
  public key: +vmlfqmRg6XxRCo86Ynqzsobd4kN0HXZsq2bN13akCI=
  private key: (hidden)
  listening port: 51821

 

That worked, got an expected response.

 

However, it remains that I cannot connect to wireguard on Unraid. If I move the NAT from my router to point at a Wireguard instance running on a VM (the VM isn't running on Unraid) that works. As soon as I move it to my Unraid server, it does not.

 

I think there's something funky going on with having 2 physical NICs.

Link to comment
7 hours ago, daddygrant said:

Interesting thing.  I got it working last night from the phone without issue. Easy as pie.

 

But, This morning I added a few more clients and none can connect including my phone that worked fine last night.  The clients say connected but that isn't reflected on the server and traffic is not passing.   Firewall ports and DDNS are good.

 

Any thoughts?

 I found the problem.  Oddly enough,  the local endpoint information went blank. I re-entered the information and now I'm rocking with LAN access client profile.  The client profile for server only access is still not showing traffic.

Link to comment
On 12/14/2019 at 6:51 AM, bonienl said:

Yes, this works (I tested this using a bonded interface with 4 members)

I did get it to work - kind of.

 

I could access anything on my primary subnet (192.168.1.x) which is the same subnet my unraid server is on. But I couldn't ever connect to anything from any of my other subnets. Didn't see the traffic at my router at all - so I'm not sure the bridge is routing traffic from other subnets (?) up to the router.

 

I tried turning NAT on/off, no difference.

 

Works fine w/OpenVPN, so back I went. I will say that wireguard was fast and connected quickly for those nodes on my primary LAN. Very cool - just wish I could get to my other subnets. Untangle is going to add wireguard support, too, so I may just have to wait for that, as theirs will support multiple subnets/routing.

Edited by JasonJoel
Link to comment
On 12/15/2019 at 2:19 AM, bonienl said:

Make sure the local endpoint and peer endpoint are correctly set. This maybe a URL name which can be resolved or the public IP address of the server.

If there are any routers/firewalls at either side, they need to do port forwarding to make outside access possible.

Which side initiates the connection request? i.e. for my phone, the phone initiates the connection and I have to have the port forwarded at home. Can I force the Backup machine to initiate the connection so the same port forward at home will cover all VPN connections, or is it somewhat of a lottery which server starts the server-to-server connection, thus ports have to be forwarded at both ends? I'm pretty certain I can get to the router at the other end to do the forward, but I'd prefer not to if I can avoid it. 

 

On the main server there's a 10.253.x.x IP address in the "peer tunnel address" and the same IP address is in the "Peer allowed IPs" entry. On the peer setup on Backup, which will be the "remote" box, I have the peer endpoint set to my DynDNS URL. There's a "peer tunnel address" which I have not configured, but the prompt text says it's mandatory. Do I put the "Peer allowed IPs" from the main server into the "peer tunnel address" on Backup?

 

Here's the Backup server side of the config:

1858345292_2019-12-1616_49_11-Backup_VPNmanager-Brave.thumb.png.2a0ac8dba49690cc4526287c09d5f63c.png

And here's the main side:

530629306_2019-12-1616_49_52-NAS_VPNmanager-Brave.png.ae78b705269935ba42855bf42a670f93.png

 

With this setup, it appears that they are talking to each other via the VPN, as shown on the VPN section of the Dashboard:

1017359230_2019-12-1616_53_20-NAS_Dashboard-Brave.png.cbe883ba953d2422ca5264bc1360cac8.png

Link to comment
On 12/7/2019 at 4:56 PM, SavellM said:

With wireguard, if I set it up on my local network let's say 10.0.0.x and get my backup unRAID box all setup then move it to my parents place on a different IP range will wireguard just work? As in do the normal port forward to new IP but I'll still be able to just connect?

 

I also gotta look into server to server wireguard as I'm planning to put in a backup off-site. What would be the best to sync to the backup? rsync?

I'm using rsync as detailed here:

 

Working very well for me running it by hand. I need to get a nice little script set up and schedule it cron.

Link to comment
9 hours ago, bonienl said:

If it works with openVPN, it should work with WireGuard too ...

It looks like the issue was indeed on the Allowed IPs on the peer side when I set it up via the QR code. I guess by default it only adds the subnet the Unraid server is on, and its 10.253.0.1 tunnel address (which makes sense).

 

Thanks for the pointer on Allowed Peer IPs!!! I didn't think to check that on the Android/peer side...

 

Edited by JasonJoel
Link to comment
On 12/14/2019 at 7:21 PM, BootyWarrior said:

Does anyone know how to successfully setup the "server to server" connection? Is it just a matter of the remote server being able to hit my server and vice versa? My buddy and I share servers and I'd like to decom the VM that I have been using just to VPN into his network to access his storage. This is what I've done so far (waiting for him to return to his house to complete the config)

 

- Created new peer named "Just The Two Of Us" (how corny?)

- Selected "Server to server access"

- Added the remote server's DDNS and port in "Peer endpoint"

 

Did you figure it out? I also have 2 unraid servers I would like to connect to each other.

Link to comment
11 hours ago, FreeMan said:

Which side initiates the connection request? i.e. for my phone, the phone initiates the connection and I have to have the port forwarded at home. Can I force the Backup machine to initiate the connection so the same port forward at home will cover all VPN connections, or is it somewhat of a lottery which server starts the server-to-server connection, thus ports have to be forwarded at both ends? I'm pretty certain I can get to the router at the other end to do the forward, but I'd prefer not to if I can avoid it

You can add your backup router as a second peer to the existing tunnel, next to your phone.

Like your phone set the backup router as "remote access to server (or LAN)". This allows the backup server to initiate the connection. For example a scheduled script can make contact and initiate the connection.

 

A server to server connection is intended to let both sides intiatie the connection setup, it doesn't matter which side does it. This is convenient if you want either side to be active in setting up the communication.

Link to comment
3 hours ago, bonienl said:

A server to server connection is intended to let both sides intiatie the connection setup, it doesn't matter which side does it. This is convenient if you want either side to be active in setting up the communication.

This makes sense and explains why it wasn't going to work the way I expected...

 

3 hours ago, bonienl said:

Like your phone set the backup router as "remote access to server (or LAN)". This allows the backup server to initiate the connection. For example a scheduled script can make contact and initiate the connection.

Perfect, I'll do this! Can I edit the existing connection parameters to change that and have it Just Work™ or will I have to send a new connection config file from Main to Backup? (Or, if necessary, manually edit both ends to indicate "remote access to 'x'")?

 

4 hours ago, bonienl said:

You can add your backup router as a second peer to the existing tunnel, next to your phone.

Not 100% sure I understand this: 

* Is the implication that there is but one tunnel into the system for all "Remote access to LAN" connections and that they all share it, or does each device get its own tunnel and I'm trying to read too much into your statement?

* Also, by "router" I presume you meant "server" and that's just a typo, or do I really need to do something with the router at the far end?

Link to comment
3 hours ago, FreeMan said:

* Is the implication that there is but one tunnel into the system for all "Remote access to LAN" connections and that they all share it, or does each device get its own tunnel and I'm trying to read too much into your statement?

Different peers can share the same tunnel, there is no need to create a new tunnel for each peer, unless you want to create a tunnel with other characteristics, e.g. a tunnel running over a different interface.

 

3 hours ago, FreeMan said:

* Also, by "router" I presume you meant "server" and that's just a typo,

Yes, a typo.

Link to comment
2 hours ago, bonienl said:

Different peers can share the same tunnel, there is no need to create a new tunnel for each peer, unless you want to create a tunnel with other characteristics, e.g. a tunnel running over a different interface.

Hmm... will have to look at that and scratch my head to see if/how/when I can understand that one. I was under the impression that each device connecting via VPN created its own tunnel to the host, I didn't realize that tunnels could be shared. Obviously, this young (that's my story and I'm sticking with it!) padawan has much to learn.

Link to comment

Join the conversation

You can post now and register later. If you have an account, sign in now to post with your account.
Note: Your post will require moderator approval before it will be visible.

Guest
Reply to this topic...

×   Pasted as rich text.   Restore formatting

  Only 75 emoji are allowed.

×   Your link has been automatically embedded.   Display as a link instead

×   Your previous content has been restored.   Clear editor

×   You cannot paste images directly. Upload or insert images from URL.