MasterMark Posted January 20, 2020
Hi, I'm trying to set up WireGuard on UDP/53. From the logs I can see this:
wireguard: wg0: Could not create IPv4 socket
A link change request failed with some changes committed already. Interface wg0 may have been left with an inconsistent configuration, please check.
I checked what's listening on port 53 and dnsmasq seems to be listening on TCP/53 and has a record on UDP but is not listening, as far as I can see:
sudo lsof -i -P -n | grep :53
avahi-dae 9673 avahi 14u IPv4 29488 0t0 UDP *:5353
avahi-dae 9673 avahi 15u IPv6 29489 0t0 UDP *:5353
dnsmasq 26708 nobody 5u IPv4 76177 0t0 UDP 192.168.122.1:53
dnsmasq 26708 nobody 6u IPv4 76178 0t0 TCP 192.168.122.1:53 (LISTEN)
(192.168.122.0 is not my network; I do not know what this is for.) Does the dnsmasq port prevent WireGuard from binding? No Docker or VM is listening on UDP/53. Any idea? Thanks, Mark
Edited January 20, 2020 by MasterMark
Pico Posted January 20, 2020
Hi, first of all, awesome work on Unraid and implementing WireGuard within it! I am able to connect remotely (with LTE/4G or separate Wi-Fi) without issues. I can access my UnRaid server and some Docker containers (in `host` mode). I am however stuck on making `Remote access to LAN` or `Remote tunneled access` work. When I am connected with my phone (or a test PC connected on another Wi-Fi network) I can't access any of the LAN devices. With `Remote tunneled access` I can't reach any website. I updated the config on my phone every time I made changes on Unraid. I did a `ping -t 1 192.168.0.1` on my phone using ADB to see what's wrong and emulate the `traceroute` command. This is the IP of my router (home LAN), which I can normally ping from any device connected to the LAN. The UnRaid server is at 192.168.0.13. I configured the WireGuard server to use the range `10.42.0.0/24` for peers. I see that the ping returns `10.42.0.1`, which is the IP of the WireGuard server. It seems correct up to that point. Then I run `ping -t 2 192.168.0.1`. Here all packets are lost. I cannot go any further than the WireGuard server, which probably explains why `Remote access to LAN` or `Remote tunneled access` don't work. I have `Local server uses NAT` (WireGuard), `Enable bridging` and `Enable bonding` (Network settings) all set to `Yes`. Does someone know where this could come from?
planetwilson Posted January 20, 2020
On 1/14/2020 at 12:08 PM, bonienl said: If all is pingable then routing-wise everything is in place. I suspect something on a higher level is blocking the communication, hence my firewall hint.
Okay, I feel pretty stupid now. Checking the key values I can see I never managed to generate a preshared key. Once I did that it all started working. I tried with NAT off and it worked for a few seconds then stopped, even though I have a static route in place. With NAT on it just works, so I'll just stick with that as I have no dockers with custom IPs running anyway.
bonienl Posted January 21, 2020
12 hours ago, Pico said: Does someone know where this could come from?
Your phone must be in a different local network than 192.168.0.0/24, is that the case?
bonienl Posted January 21, 2020
18 hours ago, MasterMark said: I'm trying to set up WireGuard on UDP/53.
Why are you trying to use port 53? This conflicts with the DNS service.
Pico Posted January 21, 2020
6 hours ago, bonienl said: Your phone must be in a different local network than 192.168.0.0/24, is that the case?
When I did this test, the phone was connected to 4G/LTE (so a different network entirely) with the WireGuard VPN turned ON – I could access the UnRaid server using both IPs: 192.168.0.13 for LAN or via WireGuard's subnet at 10.42.0.1 (I believe the phone is at 10.42.0.7). All physical devices are on the 192.168.0.0/24 subnet since I have only one router (Ethernet/Wi-Fi) for the entire house. The UnRaid server is at 192.168.0.13 on this LAN (Ethernet / eth0). I am trying to remotely access devices on this subnet using the WireGuard VPN.
MasterMark Posted January 21, 2020
11 hours ago, bonienl said: Why are you trying to use port 53? This conflicts with the DNS service.
I'm trying to bypass firewalls. I am not hosting a DNS service on Unraid nor on my router (on the WAN side). It should not conflict with anything. How does WireGuard bind to a port? Can I set it to bind to a specific ip-address:port? Or can I somehow disable the dnsmasq service?
bonienl Posted January 21, 2020
You are saying your Unraid server is behind a firewall out of your control?
MasterMark Posted January 21, 2020
13 minutes ago, bonienl said: You are saying your Unraid server is behind a firewall out of your control?
No. I want to bypass the firewall on the client side. Like when you connect to a public Wi-Fi and their firewall only allows specific ports, like only 53/udp, 80/tcp and 443/tcp. It is a common strategy for VPNs to put the service on these ports to bypass these "fool" firewalls without DPI. I got the idea from aptalca: "I'm now using wireguard over 53 udp and openvpn over 80 tcp"
Edited January 21, 2020 by MasterMark
bonienl Posted January 21, 2020
You can do port translation on your router. The external port is 53 (to which your client is talking), the internal port is the "default" 51820 (used by WG).
MasterMark Posted January 21, 2020
24 minutes ago, bonienl said: You can do port translation on your router. The external port is 53 (to which your client is talking), the internal port is the "default" 51820 (used by WG).
Hmm, well this should work. Thanks, I am going to try this.
edit: Unless it breaks the QR code and file, because this will contain the original port.
Edited January 21, 2020 by MasterMark
bonienl Posted January 21, 2020
4 minutes ago, MasterMark said: because this will contain the original port
Yes, but you can change that in the client settings.
MasterMark Posted January 21, 2020
14 minutes ago, bonienl said: Yes, but you can change that in the client settings.
It is not working that way. The tunnel isn't establishing.
Pico Posted January 22, 2020
Hi, I decided to go with a fresh start to see what could be the issue. I disabled bonding in the network settings since I don't have a use for it, removed the Dynamix WireGuard plugin, removed the WireGuard config folder on the USB and set up everything from scratch. After configuring my phone, everything worked as expected (Tunneled and/or LAN)! 😀 I set up WireGuard as part of the RC of 6.8. That probably messed things up somewhere 🤔 With Unraid 6.8.1 and a fresh version of the Dynamix WireGuard plugin (2020.01.17a), it solved the issues I was having. Maybe that will help someone in the future.
isvein Posted January 23, 2020
Tried this and it worked on the first try. Easier to set up than OpenVPN. I guess only things you access on the LAN side are tunneled, not everything on the client? This will come in handy when I'm setting up a remote server someday.
edit: Found out how to pipe everything from the client through the tunnel.
Edited January 23, 2020 by isvein
Perforator Posted January 26, 2020
Does anyone know if there is a WireGuard client that runs on an oDroid-N2 running CoreELEC?
FreeMan Posted January 26, 2020
I had this set up and working just fine, then issues started. I have my main server set up with the port forwarded at my router. I can reach it from my phone, my kids can reach it from their laptops (in other states) - everything is good there. However, my backup server does seem to be able to reach it, but the GUI locks up on the backup server when I activate WG on it. There's a rather long saga of my attempts to resolve this in this thread: https://forums.unraid.net/topic/86607-webgui-not-responding/
Long story short, I rebuilt the USB stick on my backup server. I added plugins one by one, enabling and configuring as I went. When I got to WG, I installed the plugin, then imported the .conf file. As soon as I click the "Inactive/Active" slider to activate the tunnel, the WebGUI hangs and never comes back. I had full access to the shares, and could telnet in, but now I can't even do that. I have to go to the attached console and powerdown from there. When it reboots, it comes up with WG disabled and I have full access to the WebGUI. I can repeat this at will, though I don't really want to...
Here's a screenshot of the config on my main server showing how it's set up. And this is what it looks like on the Backup server.
The diagnostics dated 2020.01.26 are fresh from the backup server today: backup-diagnostics-20200126-1332.zip. The diagnostics dated 2020.01.22 are from the backup server via the command line after I had enabled WG and the WebGUI hung: backup-diagnostics-20200122-1850.zip. As I said, this had been working. I don't know what I've done differently now to make it not work, or if this was the initial cause of my WebGUI hangs a month ago.
UPDATE for clarity: My goal is to have the backup server off-site and have it connect to the main server. I don't want LAN-to-LAN access, and I don't want the main server initiating the connection to the backup server. I'm not 100% certain that I'll have access to the remote location's router to punch a hole through for WG to pass through, thus I want to initiate the connection from there. At the moment, the two servers are sitting side-by-side at my house, both on the same network (192.168.1.x).
Edited January 26, 2020 by FreeMan
NOLA_DireWolff Posted January 27, 2020
On 1/19/2020 at 9:17 AM, NOLA_DireWolff said: This may be the solution to my problem? If so - is there a CLI implementation or a workaround? I am unable to access my CCTV streams remotely due to this. Thank you.
*** SOLVED - 6.8.2 fixed this problem. My dockers are able to be reached over WG. No change to any of my settings was necessary other than the upgrade to 6.8.2. Thank you! ***
FreeMan Posted January 27, 2020
Unfortunately, the update to 6.8.2 (on both servers) doesn't appear to have resolved my issue.
pmcnano Posted January 28, 2020
On 1/16/2020 at 1:33 PM, kapetanios said: Hey guys! Any news on a tutorial on LAN to LAN setup?
Did you figure this out?
Xaero Posted January 28, 2020
Here's a neat trick. I wanted a shared folder unique to each of my WireGuard clients. You know - somewhere people can drop their own files, without it being publicly visible to everyone else with access to the server. Samba is pretty flexible, so I decided to take a whack at it. I created a new share, "Personal", and set export to no in the Shares tab. Then I added this entry to smb-extra.conf in the Samba settings tab:

[Personal Folder]
access based share enum = yes
allow hosts = 10.253.0.
root preexec = /bin/bash -c '[[ -d "/mnt/user/Personal/%I" ]] || mkdir -m 0777 "/mnt/user/Personal/%I" && chown nobody:users "/mnt/user/Personal/%I"'
browseable = yes
writable = yes
hide unreadable = yes
path = /mnt/user/Personal/%I

What does this do? Here's a line by line breakdown:
Name - how it shows up in the file explorer.
access based share enum - Only show this if the user has permission to view it.
allow hosts = 10.253.0. - allow any client with an IP matching 10.253.0.* to view this share.
root preexec - execute this code before showing the root of the folder. This can be expanded substantially. Currently it just makes a new folder for the IP of the client if one doesn't already exist. You could enforce quotas here by making a new image if one doesn't exist, and then mounting said image, or any other number of crazy things.
The rest is pretty standard aside from the path also using the variable "%I".
Also note that you can use this same trick outside of WireGuard and clients, with PXE boot clients to have individual write shares.
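The directory provisioning that Xaero's root preexec line performs, written out as an added example (not Xaero's code, and not anything shipped with Unraid or Samba). The share keys each client's folder on the address Samba substitutes for %I, and that address ends up as a path component. Inside a WireGuard tunnel the peer's source address is pinned by cryptokey routing, so %I is reliable there; the explicit check below is for the moment the same trick is reused for other clients, such as the PXE boot case mentioned in the post, where the address is whatever the client presents. The base directory, tunnel prefix and owner are parameters; the values in the usage comment mirror the post (/mnt/user/Personal, 10.253.0., nobody:users, mode 0777).

```shell
#!/bin/sh
# Added example (not Xaero's code or anything shipped with Unraid/Samba):
# the per-client directory provisioning that the post's "root preexec" line
# performs, as a shell function that validates the address Samba substitutes
# for %I before using it as a path component.

# validate_client_ip ADDR PREFIX
#   returns 0 when ADDR is a dotted-quad IPv4 address that starts with PREFIX
#   (PREFIX written exactly as in the post's "allow hosts" line, e.g. "10.253.0.")
validate_client_ip() {
    addr="$1"; prefix="$2"
    case "$addr" in
        ""|*[!0-9.]*) return 1 ;;   # digits and dots only: rejects IPv6, '/', '..', spaces
        "$prefix"*)   ;;            # must sit inside the tunnel prefix
        *)            return 1 ;;
    esac
    old_ifs=$IFS; IFS=.; set -- $addr; IFS=$old_ifs
    [ $# -eq 4 ] || return 1        # exactly four octets (rejects "10.253.0." and "10..253.0.5")
    for octet in "$@"; do
        [ -n "$octet" ] && [ "$octet" -le 255 ] 2>/dev/null || return 1
    done
    return 0
}

# provision_client_dir BASE ADDR PREFIX [OWNER]
#   creates BASE/ADDR (mode 0777, as the post does) if it does not exist yet,
#   optionally chowns it (OWNER as "user:group", needs root), and prints the path.
provision_client_dir() {
    base="$1"; addr="$2"; prefix="$3"; owner="$4"
    validate_client_ip "$addr" "$prefix" || return 1
    dir="$base/$addr"
    if [ ! -d "$dir" ]; then
        mkdir -m 0777 "$dir" || return 1
        [ -n "$owner" ] && chown "$owner" "$dir"
    fi
    printf '%s\n' "$dir"
}

# Equivalent of the post's preexec, to be run as root by smbd (hypothetical wrapper path):
#   root preexec = /usr/local/bin/provision_client_dir.sh /mnt/user/Personal "%I" 10.253.0. nobody:users
```

The validation adds nothing for WireGuard peers, since their addresses cannot be spoofed inside the tunnel, but it costs one `case` statement and means a malformed or out-of-range address never reaches `mkdir`. The 0777 mode is kept to match the post; with `hide unreadable` already in the share definition, a tighter mode plus the chown would still let each client see only its own folder.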
Ambivalent_Echo Posted January 31, 2020
I'm having a similar issue to Pico above, but deleting everything and starting fresh didn't help. I created a peer with "remote tunneled access" and set it up on my phone. When I use my mobile network I can connect to the VPN and access things on my local network without issue, but I can't access anything outside the network. I've tried playing with all the settings but I can't seem to connect to pages on the internet. Is anyone else having this issue that might have potential solutions?
bonienl Posted January 31, 2020
1 hour ago, Ambivalent_Echo said: Is anyone else having this issue that might have potential solutions?
Usually this is a DNS issue. Try to set a public DNS server on your phone, such as 1.1.1.1.
Ambivalent_Echo Posted January 31, 2020
1 hour ago, bonienl said: Usually this is a DNS issue. Try to set a public DNS server on your phone, such as 1.1.1.1.
Nailed it. I didn't realize the DNS server could be set within the WireGuard app on my phone. Now if I figure out some automations to turn the VPN on and off in iOS I'll be golden. Thank you for your help!
CoZ Posted February 1, 2020
I've been messing with this for a little bit, and I THINK I've got the hang of it. I'd just like a little hand-holding on one specific thing. I've got an iOS device from work and it's 'locked down' by the company. They monitor everything on this, inbound and outbound. The only VPN that I've been able to install is WireGuard. So I've successfully created a Remote Tunneled Access via the WireGuard / Unraid settings for the iOS device. That is what I need for the company to NOT see any data, correct? Will I still be able to access the unRaid GUI / Local LAN using that, or is this strictly for 'masking' data to and from the internet? Also, I'm running a PiHole docker container at 192.168.86.103. I put that in the DNS Servers on the iOS device and I have no connectivity. If I take it out and put a generic 8.8.8.8 I can browse the Internet, albeit with ads though. What am I doing wrong with that?