JWMutant Posted December 31, 2019

charlescc1000 said (2 hours earlier):
I'm having issues with getting the handshake to successfully occur. I have WG set up on my Unraid server using the public IP. (I will use DDNS later, but I'm trying to reduce variables to solve this problem.) I am running an EdgeRouter and set up a port forward to my Unraid server. I've ensured bridging is enabled on eth0. I have configured a peer as "Remote Access to LAN" and tested this config using the QR code method on my iPhone. I can't get my iPhone to handshake with Unraid. I have "Local server uses NAT" set to Yes for now. Will set up the static route later once I can get the basic stuff working. Here is a screenshot of my configuration: I read through this whole thread and saw some people had the same issue as me and tried the different solutions that worked for them, but none worked for me. Any thoughts on what I can do to identify the issue? Thanks!

At a guess I would say check that your port forwarding is correct, as I have exactly the same settings as your screenshot and it works fine.
bonienl Posted December 31, 2019

Another thing you can try is to set a smaller MTU size, like 1400 bytes.
darkreeper Posted December 31, 2019

charlescc1000 said: (quoting the handshake problem in the post above)

I had the same issue using the QR code on Android. I downloaded the config instead and imported it directly in the app. That solved it for me. Now it is working as expected. As a side note, I had to change the filename of the .conf file; otherwise the app told me it couldn't import it. The QR code shown is just an example without function, for reference.

Sent from my MI 8 using Tapatalk
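The posts above all come down to the same question: did the handshake ever complete, and if not, did anything arrive at all? The quickest way to answer it on the Unraid side is `wg show wg0 dump`, whose `latest-handshake` column is `0` for a peer that has never handshaken and whose `rx`/`tx` counters tell you which direction is dead. The script below is an added example written for this thread, not Unraid's or WireGuard's own code. It parses a constructed dump (placeholder keys, documentation-range addresses, spaces instead of the tabs the real command prints) and classifies each peer the way a practitioner would when deciding whether to look at the port forward, the remote endpoint, or nothing at all.

```python
"""Triage `wg show <iface> dump` output for peers whose handshake never completes.

Added example for this thread; it is not Unraid's or WireGuard's own code.
SAMPLE_DUMP is constructed in the column layout `wg show wg0 dump` prints
(the real command separates columns with tabs); the keys are placeholders,
not real WireGuard keys, and the addresses are documentation ranges.
"""
from dataclasses import dataclass

# WireGuard refuses to use a session whose last handshake is older than this
# (REJECT_AFTER_TIME in the protocol, 180 seconds).
REJECT_AFTER_TIME = 180

# Constructed sample. Line 1 describes the interface:
#   private-key  public-key  listen-port  fwmark
# Each further line is one peer:
#   public-key  preshared-key  endpoint  allowed-ips  latest-handshake  rx-bytes  tx-bytes  persistent-keepalive
# `0` in latest-handshake means "never"; `(none)` means no value; keepalive `off` means disabled.
SAMPLE_DUMP = """\
PRIVKEY_PLACEHOLDER= PUBKEY_SERVER_PLACEHOLDER= 51820 off
PUBKEY_PHONE_PLACEHOLDER= (none) (none) 10.253.0.2/32 0 0 0 off
PUBKEY_LAPTOP_PLACEHOLDER= (none) 198.51.100.9:51820 10.253.0.3/32 1577836700 94012 61320 25
PUBKEY_TABLET_PLACEHOLDER= (none) 203.0.113.7:41914 10.253.0.4/32 1577836000 5120 7744 off
PUBKEY_VPS_PLACEHOLDER= (none) 192.0.2.10:51820 0.0.0.0/0 0 0 1480 25
"""


@dataclass(frozen=True)
class Peer:
    public_key: str
    endpoint: str
    allowed_ips: str
    latest_handshake: int  # unix time; 0 = never
    rx_bytes: int
    tx_bytes: int


def parse_dump(text: str) -> list[Peer]:
    """Parse the peer lines of `wg show <iface> dump`; the first line is the interface."""
    peers = []
    lines = [line for line in text.splitlines() if line.strip()]
    for line in lines[1:]:
        f = line.split()
        if len(f) != 8:
            raise ValueError(f"unexpected peer line: {line!r}")
        peers.append(Peer(f[0], f[2], f[3], int(f[4]), int(f[5]), int(f[6])))
    return peers


def verdict(peer: Peer, now: int) -> str:
    """Classify one peer. `now` is a unix timestamp, passed in so results are reproducible."""
    if peer.latest_handshake == 0:
        if peer.tx_bytes == 0 and peer.rx_bytes == 0:
            # Nothing arrived and we never initiated: the remote side's initiation never
            # reached our listen port. Look at the port forward, endpoint or DDNS name.
            return "never: no packets either way (check port forward, endpoint, firewall)"
        if peer.rx_bytes == 0:
            # We sent initiations (tx > 0) and nothing came back from the endpoint.
            return "never: initiations sent, no reply (check remote endpoint/port)"
        return "never: handshake not completed"
    age = now - peer.latest_handshake
    if age > REJECT_AFTER_TIME:
        return f"stale: last handshake {age}s ago"
    return f"ok: last handshake {age}s ago"


def diagnose(text: str, now: int) -> dict[str, str]:
    """Map each peer's public key to a one-line verdict."""
    return {p.public_key: verdict(p, now) for p in parse_dump(text)}


if __name__ == "__main__":
    # 1577836800 is 2020-01-01 00:00:00 UTC, chosen to match the constructed timestamps.
    for key, status in diagnose(SAMPLE_DUMP, 1577836800).items():
        print(f"{key:<28} {status}")
```

On a real box, pipe `wg show wg0 dump` into `diagnose` with `int(time.time())`. The phone peer in the sample is charlescc1000's symptom seen from the server: zero bytes in both directions means the iPhone's initiation never reached port 51820, which points at the EdgeRouter port forward rather than at WireGuard. The VPS peer is the other shape of the same problem, where Unraid is the initiator and the remote never answers.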
GreenEyedMonster Posted January 2, 2020

Can you only have one connection to a peer at a time? Would I have to make a new peer for every device?
bonienl Posted January 2, 2020

One WireGuard tunnel can support multiple peers; you'll need to create a peer configuration for each device that you want to connect.
RAINMAN Posted January 3, 2020

I'm still getting weirdness connecting to my dockers. From certain external IPs they can't connect at all to any of my docker services unless I disable the VPN connection. Other external IPs are working fine, so I am not sure how this would get messed up?
itimpi Posted January 3, 2020

RAINMAN said (10 minutes earlier):
I'm still getting weirdness connecting to my dockers. From certain external IPs they can't connect at all to any of my docker services unless I disable the VPN connection. Other external IPs are working fine, so I am not sure how this would get messed up?

Do you know what IP subnet the dockers and problem sites are on? I have encountered routing issues where the remote subnet and the LAN end are on the same subnet. Not sure if this is an inherent problem or I just do not know how to set things up correctly, but just in case I have moved my home LAN off the 192.168.0.x and 192.168.1.x ranges, as these are commonly used elsewhere.
RAINMAN Posted January 3, 2020 (edited)

itimpi said (11 minutes earlier):
Do you know what IP subnet the dockers and problem sites are on? I have encountered routing issues where the remote subnet and the LAN end are on the same subnet. Not sure if this is an inherent problem or I just do not know how to set things up correctly, but just in case I have moved my home LAN off the 192.168.0.x and 192.168.1.x ranges, as these are commonly used elsewhere.

The WireGuard subnet is 10.9.0.x
Local LAN is 192.168.254.x
Remote IP example that doesn't work is 69.17.172.210
Remote IP example that does work is 140.238.153.159
Docker subnet 172.17.0.1?
JonathanM Posted January 4, 2020

RAINMAN said (on 1/3/2020 at 7:23 AM):
Remote IP example that doesn't work is 69.17.172.210
Remote IP example that does work is 140.238.153.159

What LAN addresses are you assigned on those remote WANs?
RAINMAN Posted January 4, 2020

jonathanm said (2 hours earlier):
What LAN addresses are you assigned on those remote WANs?

Those IPs are not connecting to WireGuard. They are only connecting to the nginx docker via my external IP. The one is a 192.168.0.x network; the other I don't know, since it's not mine, but I doubt their internal network address would be relevant when they connect via my external public IP. The only reference to WireGuard in this is that when it's enabled they can't hit my dockers, and when it's disabled they can hit them fine. It's like a routing issue where the reply to the request is going out over the VPN instead of directly back, if that makes sense.
bonienl Posted January 5, 2020

It definitely is important that local subnets are unique. A routing issue will occur when setting up a WireGuard tunnel and both peers use the same LAN subnet.
darkreeper Posted January 5, 2020

bonienl said:
It definitely is important that local subnets are unique. A routing issue will occur when setting up a WireGuard tunnel and both peers use the same LAN subnet.

That is the case for all VPN variants.

Sent from my MI 8 using Tapatalk
RAINMAN Posted January 5, 2020 (edited)

darkreeper said (3 hours earlier):
That is the case for all VPN variants.

Unraid is the peer, as I mentioned before. The remote VPN server has:
ens3: 10.0.0.5
lo: 127.0.0.1
tun0: 10.8.0.1
wg0: 10.9.0.1

Local Unraid uses:
br0: 192.168.254.3
docker0: 172.17.0.1
eth0: some IPv6 address?
lo: 127.0.0.1
bunch of vethxxxx: IPv6
wg0: 10.9.0.6

No overlaps except the wg interfaces on both, which is proper. Note, I am not using WireGuard to connect from outside in. I am using it to route Unraid traffic out over the VPN.
darkreeper Posted January 5, 2020

RAINMAN said: (quoting the interface list in the post above)

Just to be sure: you want to connect your Unraid server to a VPN server somewhere in the world?

Sent from my MI 8 using Tapatalk
RAINMAN Posted January 5, 2020

darkreeper said (20 minutes earlier):
Just to be sure: you want to connect your Unraid server to a VPN server somewhere in the world?

That's correct.
darkreeper Posted January 5, 2020

RAINMAN said:
That's correct.

And this is some kind of VPN provider and not a private person?

Sent from my MI 8 using Tapatalk
RAINMAN Posted January 5, 2020

darkreeper said (1 hour earlier):
And this is some kind of VPN provider and not a private person?

It is a private VPN. I have 4 different VPS servers that I use for VPN. All have the same issue if I use a different one. Then again, they are all set up more or less the same, but no other clients connecting to them have issues.
darkreeper Posted January 5, 2020

RAINMAN said:
It is a private VPN. I have 4 different VPS servers that I use for VPN. All have the same issue if I use a different one. Then again, they are all set up more or less the same, but no other clients connecting to them have issues.

If you connect your PC via VPN to your VPS it is working, and with Unraid (same network) it doesn't?

Sent from my MI 8 using Tapatalk
RAINMAN Posted January 5, 2020

darkreeper said (1 minute earlier):
If you connect your PC via VPN to your VPS it is working, and with Unraid (same network) it doesn't?

Yes. My desktop is always connected, and my phone also is mostly connected.
bonienl Posted January 5, 2020

All remote peers need a correct setting for "AllowedIPs" to reach the Unraid server and/or containers over the tunnel.
RAINMAN Posted January 5, 2020 (edited)

bonienl said (7 minutes earlier):
All remote peers need a correct setting for "AllowedIPs" to reach the Unraid server and/or containers over the tunnel.

There are no remote peers accessing Unraid or dockers via VPN. Remote peers are accessing dockers directly via external IP/port.
bonienl Posted January 5, 2020

Then it looks like you have a routing issue. When Unraid is configured for VPN access, it will have a default route 0.0.0.0/0 pointing to the WG tunnel. Any containers with a host or bridge network will then not be remotely accessible via your external IP/port.
RAINMAN Posted January 5, 2020

So basically if I have a VPN on Unraid I can't use any dockers from outside my network? Any way to correct the routing? But then why do some remote IPs still work but others not?
bonienl Posted January 5, 2020

RAINMAN said (7 minutes earlier):
So basically if I have a VPN on Unraid I can't use any dockers from outside my network? Any way to correct the routing?

A VPN connection in essence means your system is only reachable over its VPN connection. Any other path is considered 'route leaking' and usually not what you want (security breach).

RAINMAN said (9 minutes earlier):
But then why do some remote IPs still work but others not?

You mean certain containers are still reachable? This is expected when these containers run on a custom (macvlan) network.
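The exchange above between RAINMAN and bonienl, and itimpi's earlier warning about identical LAN subnets, are both consequences of one rule: the kernel picks a route for an outgoing packet by longest-prefix match on the destination address only, and WireGuard's AllowedIPs table works the same way. The script below is an added example written for this thread, not Unraid's or WireGuard's own code. It models Unraid's routing table from the addresses RAINMAN posted (192.168.254.0/24 LAN, 172.17.0.0/16 docker0, 10.9.0.0/24 tunnel) and shows why a reply to an internet client leaves via wg0 once the tunnel peer's 0.0.0.0/0 route is installed, and why two LANs on the same prefix cannot be told apart. The device names on the routes and the "default via the LAN gateway on br0" route are assumptions.

```python
"""Why a peer with AllowedIPs 0.0.0.0/0 makes Unraid answer internet clients through the tunnel.

Added example for this thread; not Unraid's or WireGuard's own code. The subnets are the
ones RAINMAN posted (192.168.254.0/24 LAN, 172.17.0.0/16 docker0, 10.9.0.0/24 tunnel);
the device names and the 'default via the LAN gateway on br0' route are assumptions.
"""
import ipaddress
from dataclasses import dataclass
from typing import Optional

IPv4Network = ipaddress.IPv4Network


@dataclass(frozen=True)
class Route:
    prefix: IPv4Network
    dev: str


def lookup(routes: list[Route], dst: str) -> Optional[Route]:
    """Longest-prefix match: the rule the kernel FIB applies when choosing an egress
    interface, and the rule WireGuard applies to AllowedIPs (cryptokey routing) when
    choosing which peer a packet belongs to."""
    addr = ipaddress.ip_address(dst)
    candidates = [r for r in routes if addr in r.prefix]
    return max(candidates, key=lambda r: r.prefix.prefixlen, default=None)


def routing_table(vpn_enabled: bool) -> list[Route]:
    """Unraid's main table as the thread describes it. With the VPN peer up, the default
    route points at wg0 (bonienl's description); without it, the default goes to the LAN
    gateway on br0 (assumed)."""
    routes = [
        Route(IPv4Network("192.168.254.0/24"), "br0"),   # LAN, from the thread
        Route(IPv4Network("172.17.0.0/16"), "docker0"),  # docker bridge, from the thread
        Route(IPv4Network("10.9.0.0/24"), "wg0"),        # tunnel transfer net, from the thread
    ]
    routes.append(Route(IPv4Network("0.0.0.0/0"), "wg0" if vpn_enabled else "br0"))
    return routes


def reply_egress(client_ip: str, vpn_enabled: bool) -> str:
    """Interface a host- or bridge-networked container's reply to `client_ip` leaves by.
    The request came in on br0 through the port forward, but the kernel routes the reply
    on its destination alone, so with the VPN up it goes out wg0 and the client never
    receives it. Containers on a custom macvlan network keep their own routing table and
    are unaffected, which is the mixed behaviour RAINMAN saw."""
    route = lookup(routing_table(vpn_enabled), client_ip)
    assert route is not None  # the default route guarantees a match
    return route.dev


def subnets_overlap(local_lan: str, remote_lan: str) -> bool:
    """itimpi's and bonienl's point: if both ends of a tunnel use the same LAN prefix, the
    route to the remote LAN and the route to the local LAN have equal length and
    longest-prefix match cannot separate them, so one side's hosts become unreachable."""
    return IPv4Network(local_lan).overlaps(IPv4Network(remote_lan))


if __name__ == "__main__":
    for vpn in (False, True):
        dev = reply_egress("69.17.172.210", vpn)
        print(f"vpn_enabled={vpn}: reply to 69.17.172.210 leaves via {dev}")
    print("same LAN prefix both ends:", subnets_overlap("192.168.1.0/24", "192.168.1.0/24"))
```

Compare the model with the live table using `ip route get 69.17.172.210` on the Unraid console with the tunnel up and down: the `dev` it prints is what `reply_egress` computes. The asymmetry is not a WireGuard bug but the point of a full-tunnel peer, which is why bonienl calls any other path route leaking; containers on a macvlan network escape it because they route from their own stack, not from Unraid's main table.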
unRaide Posted January 6, 2020

Hi, got this set up in a matter of minutes following the guide posted, and connecting to my server works great!! Problem is that I can't access anything else on the web from the peer (iPhone 11 Pro on iOS 13). I tried both "Remote tunneled access" and "Remote access to LAN" access types, with the same issue on both. Any ideas? Thx