WireGuard quickstart



Hi, 

 

After a little playing around, WireGuard is now running great on my unRaid server and I can remotely connect. 

 

My one issue, however, is that in the WireGuard settings on Unraid I need to enter my home IP address in the "local endpoint" field. If I enter my custom domain name, which is set up and running great with all my other dockers, it won't connect / initiate a handshake. 

 

I have DDCLIENT running which updates my IP to Cloudflare, but no joy unfortunately. My router's port is forwarded correctly and I've ensured that my PiHole Docker is entered into WireGuard's "Peer DNS Server" field. 

 

Any suggestions would be greatly appreciated. 

 

 

20200806_200406.jpg

20200806_200309.jpg

 

 

***Edit***

If it helps, here are two screenshots of my Cloudflare DNS record page along with my router's port-forwarding page:

 

20200807_114706.jpg

20200807_114818.jpg

Edited by LoneTraveler
On 8/6/2020 at 12:11 PM, LoneTraveler said:

If it helps, here are two screenshots of my Cloudflare DNS record page

This is the issue. You need to change the Cloudflare Proxy status from "Proxied" to "DNS Only"

 

The WireGuard client can't connect through the Cloudflare Proxy, it needs to connect directly to your router's IP

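An added check that puts ljm42's diagnosis into code (this is not from the thread or from Unraid): WireGuard speaks UDP straight to the router, so the endpoint hostname must resolve to the home WAN address, never to a Cloudflare proxy address. The hostname, the WAN address 203.0.113.7 and the fake resolver are constructed sample values; the Cloudflare ranges are a subset of the ranges Cloudflare publishes at https://www.cloudflare.com/ips-v4 and should be refreshed from that list.

```python
"""Classify what a WireGuard endpoint hostname resolves to.

Added example, not part of the thread. A "proxied" verdict means the record
is still orange-clouded in Cloudflare (or the old answer is still cached);
a "mismatch" means the DDNS client has not updated the record yet.
"""
import ipaddress
import socket

# Illustrative subset of Cloudflare's published IPv4 proxy ranges at the time of
# writing. Pull the live list from https://www.cloudflare.com/ips-v4 in real use.
CLOUDFLARE_V4 = [
    ipaddress.ip_network(n)
    for n in (
        "104.16.0.0/13",
        "104.24.0.0/14",
        "172.64.0.0/13",
        "162.158.0.0/15",
        "173.245.48.0/20",
        "141.101.64.0/18",
        "108.162.192.0/18",
        "198.41.128.0/17",
    )
]


def classify_endpoint(resolved_ip, expected_wan_ip=None):
    """Return 'proxied', 'mismatch' or 'direct' for one resolved address.

    proxied  - the answer is a Cloudflare edge address; UDP 51820 will never
               reach the router, so no handshake is possible.
    mismatch - not Cloudflare, but not the WAN address the DDNS client reported.
    direct   - the answer is the home WAN address (or no expectation was given).
    """
    addr = ipaddress.ip_address(resolved_ip)
    if any(addr in net for net in CLOUDFLARE_V4):
        return "proxied"
    if expected_wan_ip is not None and addr != ipaddress.ip_address(expected_wan_ip):
        return "mismatch"
    return "direct"


def resolve_a(hostname):
    """Resolve IPv4 answers through the system resolver (needs network access)."""
    infos = socket.getaddrinfo(hostname, None, socket.AF_INET)
    return sorted({info[4][0] for info in infos})


def check_endpoint(hostname, expected_wan_ip=None, resolver=resolve_a):
    """Map every resolved address of hostname to its verdict."""
    return {ip: classify_endpoint(ip, expected_wan_ip) for ip in resolver(hostname)}


if __name__ == "__main__":
    # Constructed sample: the record is still proxied, so the answer is a
    # Cloudflare address instead of the (constructed) WAN address 203.0.113.7.
    def fake_resolver(_hostname):
        return ["104.16.10.20"]

    print(check_endpoint("vpn.example.test", "203.0.113.7", resolver=fake_resolver))
```

Run it against your real hostname with the default resolver once the record is switched to "DNS Only"; if it still reports "proxied", the previous answer is most likely cached and you are waiting for the record's TTL to expire, which is the delay LoneTraveler later describes.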
5 hours ago, ljm42 said:

This is the issue. You need to change the Cloudflare Proxy status from "Proxied" to "DNS Only"

 

The WireGuard client can't connect through the Cloudflare Proxy, it needs to connect directly to your router's IP

Hello, 

 

Many thanks for replying. 

 

I have amended the proxy status to DNS Only, as per your advice, for the A-record which points to my IP; however, it still does not connect. I feel as though I'm so close but it's just a simple entry amendment that's needed to get me over the line. 

 

I've attached three screenshots below of all my Cloudflare entries. Any clarification would be greatly appreciated. 

 

For reference, all of the CNAME entries point to apps via reverse proxy:

nextcloud.mydomain.uk

The A-record entry is formatted as:

mydomain.uk

20200808_100912.jpg

20200808_101030.jpg

20200808_101158.jpg

Edited by LoneTraveler

Hello, 

 

Further to my last, I have tried disabling proxy for all entries; however, still no luck I'm afraid. When I enable WireGuard, no handshake takes place. 

 

I think I must be missing another entry within Cloudflare. 

 

***Edit***

I've managed to get it working. For anyone else having similar issues, it turns out I needed a dedicated subdomain, i.e., wireguard.mydomain.uk

 

As soon as I set that, and pointed the WireGuard configuration to wireguard.mydomain.uk:51820 everything clicked into place. 

 

***2nd edit***

It looks like my impatience is the cause. @ljm42 was spot on, it was just the proxy that I needed to disable. I did this for just the A-record, however it turns out I wasn't giving it a chance to take effect. Also, I can scrap the WireGuard subdomain. 

Edited by LoneTraveler

 

On 8/7/2020 at 8:48 PM, ljm42 said:

This is the issue. You need to change the Cloudflare Proxy status from "Proxied" to "DNS Only"

 

The WireGuard client can't connect through the Cloudflare Proxy, it needs to connect directly to your router's IP

OMG, thank you!!! This is exactly the same thing that was happening to me and the reason I was about to post!

 

 

19 hours ago, LoneTraveler said:

I've managed to get it working. For anyone else having similar issues, it turns out I needed a dedicated subdomain, i.e., wireguard.mydomain.uk 

 

First off, thank you for having the same unraid setup as me (custom domain, using cloudflare, same issue with wireguard). Secondly, I took your suggestion and went with it.

 

I didn’t like having my domain root (domain.com) not being protected by Cloudflare’s proxy. So I created a subdomain (vpn.domain.com) for this purpose. So my A record is still protected by Cloudflare, but now my subdomain’s CNAME record isn’t. I know in the end it still points to the same place, but I still feel better having it set up this way.

 

 

 

One last question though... 

From what I read, the Peer DNS Server should point to the router OR to another DNS server.

 

My network uses the 192.168.8.0/24, but WG uses the 10.253.0.0/24. So my server usually has 192.168.8.10, but gets assigned 10.253.0.1 through WG. So when it comes time to fill in the Peer DNS Server, would I put in the router’s IP as 192.168.8.1? Because when I do that, it doesn’t work — I can connect to the VPN, I can access the router at 192.168.8.1, but I cannot access the unraid server at 192.168.8.10 OR at 10.253.0.1. Oh, it DOES show that it’s trying to connect to my unraid server via the xxxxxxxxxxxxxxxxxxxxxxxx.unraid.net domain. So in the end I’m forced to put in 1.1.1.1 to get it all to work correctly.

 

I would prefer to just put in my router’s IP so that if I ever change the DNS server, I just change it in one place (my router) as opposed to my router AND the WG settings.

Edited by HoLyCoW
12 hours ago, HoLyCoW said:

So when it comes time to fill in the Peer DNS Server, would I put in the router’s IP as 192.168.8.1? Because when I do that, it doesn’t work — I can connect to the VPN, I can access the router at 192.168.8.1, but I cannot access the unraid server at 192.168.8.10 OR at 10.253.0.1.

I'm guessing that is not actually true. You can probably still access those IP addresses, it is just that from there you are being redirected to xxxx.unraid.net and since DNS isn't working that redirect is what fails.

 

Have you set up the recommended static route? On the WireGuard config page, switch to advanced view and make sure you have added the recommended static route to your router. Without that, the router won't know how to send traffic back to your WireGuard client.

3 hours ago, ljm42 said:

I'm guessing that is not actually true. You can probably still access those IP addresses, it is just that from there you are being redirected to xxxx.unraid.net and since DNS isn't working that redirect is what fails.

 

So are you saying that it SHOULD be 192.168.8.1? The IP of my original network?

 

3 hours ago, ljm42 said:

Have you set up the recommended static route? On the WireGuard config page, switch to advanced view and make sure you have added the recommended static route to your router. Without that, the router won't know how to send traffic back to your WireGuard client.

 

Yes, I already set up the static route.

Edited by HoLyCoW
3 hours ago, HoLyCoW said:

So are you saying that it SHOULD be 192.168.8.1? The IP of my original network?

In theory you should be able to put the IP address of your router in the DNS field. But something is preventing your client from communicating with the router. 

 

I personally do not put anything in the DNS field. Since my Unraid uses Let's Encrypt with xxxx.unraid.net I don't need a local DNS to resolve it. It sounds like yours is set up the same way so I would just leave it be :) 


Hi, I have a question regarding the "remote access to server" option.

 

On a Windows client connected to my LAN I can see the files from the server under Network in File Explorer AND connect to the web GUI of the server using its local IP or name.

 

However, when connected via WireGuard VPN with "remote access to server" I CANNOT find the files under Network but I CAN connect to the web GUI by typing the IP provided by WireGuard (10.253.0.1).

 

How do I access the files? I suspect it has to do with how the Samba share is set up, but I don't know how it works.

 

I should mention that I can see the files from an Android phone using an app called network browser.

 

Any solution and maybe explanation of what is going on?

 

 

Edited by nabr
On 8/11/2020 at 9:54 AM, nabr said:

Hi, I have a question regarding the "remote access to server" option.

 

On a Windows client connected to my LAN I can see the files from the server under Network in File Explorer AND connect to the web GUI of the server using its local IP or name.

 

However, when connected via WireGuard VPN with "remote access to server" I CANNOT find the files under Network but I CAN connect to the web GUI by typing the IP provided by WireGuard (10.253.0.1).

 

How do I access the files? I suspect it has to do with how the Samba share is set up, but I don't know how it works.

 

I should mention that I can see the files from an Android phone using an app called network browser.

 

Any solution and maybe explanation of what is going on?

It connects, but then tries to redirect to another url that isn't accessible through the tunnel.

 

For instance, if you have Unraid's Lets Encrypt SSL certificate, any time you connect it will redirect to:
  https://xxxxx.unraid.net
DDNS for that url will point to your LAN ip, something like 192.168.x.x, which isn't accessible when you choose "Remote access to server"

 

Because of this, you won't be able to access the webgui using "Remote access to server". Try "Remote access to LAN"

3 hours ago, ljm42 said:

It connects, but then tries to redirect to another url that isn't accessible through the tunnel.

 

For instance, if you have Unraid's Lets Encrypt SSL certificate, any time you connect it will redirect to:
  https://xxxxx.unraid.net
DDNS for that url will point to your LAN ip, something like 192.168.x.x, which isn't accessible when you choose "Remote access to server"

 

Because of this, you won't be able to access the webgui using "Remote access to server". Try "Remote access to LAN"

Hi,

 

Thanks for the comment. This might be accurate if I had letsencrypt and was trying to access using that url.

 

I actually just found out that the remote machine did not have "allow unauth guest access" enabled in Windows, and enabling that solved the issue. That is why it could access the webUI but not the network drive.

 

Using "remote access to server" does give access to both the webUI and shares. They are under the VPN-provided IP, i.e. 10.253.0.1 in this case.


Is it normal that (on the client) the public IP doesn't change when connected to my home network? I have set the peer access mode to "Remote access to LAN". From the client I can reach local services such as the Unraid web interface, but if I check my internet IP it is still the one from my mobile network provider. Confused.

 

And isn't it kind of dangerous putting a VPN Server on Unraid OS or is it encapsulated? At the moment I'm running a SoftEther VPN on Linux (Raspberry Pi) to which I connect via OpenVPN.

Edited by glockmane
5 hours ago, glockmane said:

Is it normal that (on the client) the public IP doesn't change when connected to my home network? I have set the peer access mode to "Remote access to LAN". From the client I can reach local services such as the Unraid web interface, but if I check my internet IP it is still the one from my mobile network provider. Confused.

 

And isn't it kind of dangerous putting a VPN Server on Unraid OS or is it encapsulated? At the moment I'm running a SoftEther VPN on Linux (Raspberry Pi) to which I connect via OpenVPN.

"Remote access to LAN" uses split tunneling, so only the traffic destined for the LAN goes through the tunnel. If you want all traffic to go through the tunnel, use the "Remote tunneled access" option.

 

Any time you open any port to any system there is some risk, but there isn't really any reason to think that WireGuard on Unraid is riskier than WireGuard on some other platform. WireGuard itself compares quite favorably to other solutions, but that is probably something you would want to research yourself. Also, if you are happy with your current solution there is nothing that says you have to switch.

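An added model (not code from the thread or from Unraid) of what the three access modes in this thread mean on the client side, using the addresses the thread gives (192.168.8.0/24 LAN, 10.253.0.0/24 tunnel, server at 192.168.8.10 / 10.253.0.1). It ties together ljm42's points above: why "Remote access to LAN" does not change the public IP (split tunneling), why the router at 192.168.8.1 can only serve as Peer DNS if the LAN is routed into the tunnel, why the xxxx.unraid.net redirect fails under "Remote access to server", and what the recommended static route on the router looks like. The AllowedIPs assigned to each mode are this example's assumption about the client config; the exact lines Unraid generates may differ.

```python
"""Which destinations an Unraid WireGuard client sends into the tunnel.

Added example, not from the thread or from Unraid. WireGuard's cryptokey
routing only sends a packet to the peer if its destination matches one of
the peer's AllowedIPs, so those prefixes decide everything below.
"""
import ipaddress

LAN = ipaddress.ip_network("192.168.8.0/24")      # HoLyCoW's LAN (from the thread)
TUNNEL = ipaddress.ip_network("10.253.0.0/24")    # WireGuard subnet (from the thread)
SERVER_LAN_IP = "192.168.8.10"
SERVER_TUNNEL_IP = "10.253.0.1"
ROUTER_IP = "192.168.8.1"

# Assumed client-side AllowedIPs per Unraid access mode (assumption, not
# copied from an Unraid-generated config).
ALLOWED_IPS = {
    "Remote access to server": [ipaddress.ip_network(f"{SERVER_TUNNEL_IP}/32")],
    "Remote access to LAN": [TUNNEL, LAN],
    "Remote tunneled access": [ipaddress.ip_network("0.0.0.0/0")],
}


def tunneled(dst, mode):
    """True if the client sends traffic for dst through the WireGuard tunnel."""
    addr = ipaddress.ip_address(dst)
    return any(addr in net for net in ALLOWED_IPS[mode])


def allowed_ips_line(mode):
    """The [Peer] AllowedIPs line the client config carries for this mode."""
    return "AllowedIPs = " + ", ".join(str(n) for n in ALLOWED_IPS[mode])


def public_ip_changes(mode):
    """A 'what is my IP' site shows the home address only if the default route
    is tunneled. 198.51.100.1 is a documentation address standing in for any
    host on the internet."""
    return tunneled("198.51.100.1", mode)


def peer_dns_usable(dns_ip, mode):
    """A Peer DNS server is only useful if the client can reach it via the tunnel."""
    return tunneled(dns_ip, mode)


def webgui_redirect_reachable(mode, fqdn_resolves_to=SERVER_LAN_IP):
    """Unraid's Let's Encrypt setup redirects the browser to https://xxxx.unraid.net,
    whose DDNS record points at the LAN IP; that only works if the LAN IP is tunneled."""
    return tunneled(fqdn_resolves_to, mode)


def router_static_route(server_lan_ip=SERVER_LAN_IP, tunnel=TUNNEL):
    """The static route the Unraid WireGuard page recommends adding to the router:
    replies from LAN hosts to tunnel addresses must be handed to the Unraid box."""
    return f"{tunnel} via {server_lan_ip}"


if __name__ == "__main__":
    for mode in ALLOWED_IPS:
        print(f"{mode}: {allowed_ips_line(mode)}")
        print("  public IP changes:", public_ip_changes(mode))
        print("  router usable as Peer DNS:", peer_dns_usable(ROUTER_IP, mode))
        print("  xxxx.unraid.net redirect reachable:", webgui_redirect_reachable(mode))
    print("router static route:", router_static_route())
```

The model also explains the earlier Samba question: under "Remote access to server" only 10.253.0.1 is routed, so the shares are reachable at that address and nowhere else, and the static route is what lets 192.168.8.x hosts answer a client sitting on 10.253.0.x at all.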

@ljm42

 

Interestingly it behaves the same with "Remote tunneled access", tried every option there, even rebooted server!

 

Regarding security, what if there is a vulnerability in the WireGuard server? Then, in my understanding, an attacker could get direct access to the Unraid server, while this could not happen if WireGuard runs on another machine. Is this somewhat correct? I could use a TP-Link router with OpenWRT for this, if this is considered the safer choice.

11 minutes ago, glockmane said:

Interestingly it behaves the same with "Remote tunneled access", tried every option there, even rebooted server!

Did you re-download the config to the client after switching it to "remote tunneled access"? You'll also need to disconnect/reconnect the client.

15 minutes ago, glockmane said:

Regarding security, what if there is a vulnerability in the WireGuard server? Then, in my understanding, an attacker could get direct access to the Unraid server, while this could not happen if WireGuard runs on another machine. Is this somewhat correct? I could use a TP-Link router with OpenWRT for this, if this is considered the safer choice.

Every open port is a risk. A Google search for "WireGuard vs OpenVPN" might help make the choice of which VPN software to use. Most comparisons will point out that while WireGuard is new, it only has 4000 lines of code to review, as compared to OpenVPN which has hundreds of thousands of lines of code. 

 

In terms of where to host the VPN server... if there is a vuln in VPN and the bad guys get down to the underlying OS, control of your router vs control of Unraid - it would be bad either way.


@ljm42

 

Please excuse my severe ignorance about this... I've just started an Unraid trial and don't know anything about this stuff, but I'm trying to get it set up.

 

I THINK I have everything configured correctly. In unraid it shows a handshake with 8MB data transfer (no idea what data since I've not logged into the VPN yet) and I can ping the tunnel address.

 

I have it set up in the WireGuard app by scanning the QR code and it's toggled on. 

 

IGNORANT QUESTION... on my phone, what do I type in the browser? Should I just be able to type in http://Tower like I can locally on my laptop?

Edited by SPOautos

Hi All,

 

I would like to set up WireGuard to bypass CGNAT. I see the install is as a plugin and wanted to know if I can pass my traffic through my second NIC on my Raid server to my Docker & VM images? 

 

My thinking is along the following lines:

 

Primary Raid NIC will be used as per normal for all local LAN & internal traffic.

 

NIC 2 on the Raid server will tunnel to a WireGuard server / VPS. How do I direct that traffic to the Let's Encrypt port 80/443 rather than the Unraid port 80/443? Do I do this with the subdomain?

 

thanks in advance

 

Mark

 

 


When it's all working properly, if I used DuckDNS shouldn't I be able to just pull up the browser on my phone, type in the DuckDNS URL and have it pull up Unraid? If so, it's not working... any ideas?

 

Okay, I see now that if I go to my mobile browser and type in the IP address in the upper right corner of Unraid it pulls up. However, it doesn't even bring me to the login screen, it just opens right up to the Main tab... is there a way for it to open to the login screen to have an extra layer of protection? Also, how can I set it up to have a custom URL instead of typing in the IP address? I'd like to purchase a URL for this purpose. Can anyone give me some advice on that?

Edited by SPOautos
12 hours ago, SPOautos said:

on my phone, what do I type in the browser? Should I just be able to type in http://Tower like I can locally on my laptop?

 

To get "tower" or "tower.local" to resolve you would need to put your router's IP address in the "Peer DNS server" field and re-download the config to the client.

 

Try navigating to the server's IP address instead, although if that normally redirects to tower.local then it would have the same DNS resolution problem.

 

The best way to configure this is to set up Unraid's built-in Let's Encrypt support under Settings -> Management Access (then turn on help). This will give the box a Fully Qualified Domain Name which can be used on the tunnel without needing to do anything special with DNS.

5 hours ago, SPOautos said:

Okay, I see now that if I go to my mobile browser and type in the IP address in the upper right corner of Unraid it pulls up. However, it doesn't even bring me to the login screen, it just opens right up to the Main tab... is there a way for it to open to the login screen to have an extra layer of protection? Also, how can I set it up to have a custom URL instead of typing in the IP address? I'd like to purchase a URL for this purpose. Can anyone give me some advice on that?

The best way to configure this is to set up Unraid's built-in Let's Encrypt support under Settings -> Management Access (then turn on help). This will give the box a Fully Qualified Domain Name which can be used on the tunnel without needing to do anything special with DNS.

5 hours ago, jbg77 said:

Do you know if it’s possible to access a client with remote tunneled access from a LAN computer? I try to ping it but I have no response...

A client making a "remote tunneled access" or "remote access to LAN" connection should be able to access computers on the LAN, although if you read through recent comments some people are having trouble with that. 

 

Once that is working, I'm pretty sure a computer on the LAN would be able to ping the remote client via its tunnel IP address.

