WireGuard quickstart



21 minutes ago, ljm42 said:

A client making a "remote tunneled access" or "remote access to LAN" connection should be able to access computers on the LAN, although if you read through recent comments some people are having trouble with that. 

 

Once that is working, I'm pretty sure a computer on the LAN would be able to ping the remote client via its tunnel IP address.

Yes I can ping peer to lan computer but not lan computer to peer... And Ip on lan computer of peer is the ip of wireguard server and not its ip.

Edited by jbg77
Link to comment
32 minutes ago, jbg77 said:

Yes I can ping peer to lan computer but not lan computer to peer... And Ip on lan computer of peer is the ip of wireguard server and not its ip.

Have you set up the static route on your router so that LAN computers will know how to reach the tunnel? On the Unraid WireGuard setup page, switch to advanced mode and read the remarks.

 

What happens if you ping the Tunnel IP of the client? First try it from the Unraid server, then from the other computer on the lan.

Link to comment
1 hour ago, RevelRob said:

This is great!

Is it possible to create a client who has remote tunnel access to the internet but no LAN access?

ie. Same public IP?

So I kind of figured it out. Under "Local tunnel firewall" I entered my lan subnet and "Deny".

The only problem is that my UnRAID server is in that subnet and I still have access to it. Even if I put the UnRAID IP in there, it still allows it through. Obviously because that's the tunnel address. I assume there's a way to do this that I'm just not seeing.

Any help would be greatly appreciated.

(I'm trying to provide my family with a remote PiHole but don't want them to have access to my UnRAID IP).

Thanks!

Link to comment
On 8/30/2020 at 12:03 PM, Angryman said:

Hi All,

 

I would like to set up wireguard to bypass CGNat - I see the install is as a plugin and wanted to know if I can pass my traffic through my second NIC on my raid server to my docker & VM images?

 

my thinking is along the following lines

 

Primary Raid Nic will be used as per normal all local lan & internal traffic

 

NIC 2 on the raid server will tunnel to a wireguard server / VPS - how do I direct that traffic to let'sencrypt port 80/443 rather than the unraid port 80/443? Do I do this with the Sub Domain?

 

thanks in advance

Mark

 

On 8/30/2020 at 12:03 PM, Angryman said:

I now have this working 

 

 

Link to comment
18 hours ago, ljm42 said:

Have you set up the static route on your router so that LAN computers will know how to reach the tunnel? On the Unraid WireGuard setup page, switch to advanced mode and read the remarks.

 

What happens if you ping the Tunnel IP of the client? First try it from the Unraid server, then from the other computer on the lan.

Yes I can ping from unraid server, but not from lan computer, so I have to add a route to my router? I think it's not possible with mine..

Link to comment

Hi, I need some help.

I got this to work and I can access my Unraid dashboard on my phone while connected through Wireguard (while on 4G not WiFi). But somehow I cannot access my container webUIs of the ones that I routed through a privoxyvpn container.

While I am on my home network on my phone I can access those.

I thought Wireguard would make it so Unraid would think that my phone is on the home network. Is my assumption wrong?

Link to comment

I have been looking at different nas solutions and I'm considering unraid. Security is a very important issue for me, which is what brought me to this thread. However the router I'm running is a little different than most (Gryphon mesh from gryphonconnect.com) and it comes with its own app for my phone that can VPN tunnel back into my network (Homebound). So I'm wondering can I skip using wireguard and just use the app that comes with my router to do this? Or will it be a difficult convoluted mess? I really like the options and freedom that Unraid can provide compared to the other solutions out there but I also don't want to spend years trying to set this up versus something like a Synology unit. I have plenty of extra hardware though and I would rather set it up as a server than have it go to waste.

 

I also run AdGuard pro on my phone which I believe runs a pseudo VPN locally on the phone (I had to create my own trusted certificate for it) so I'm curious if that will cause any issues as well? I also am not sure if unraid can provide a solution like surveillance station where I can watch my network cameras and store the footage on the nas itself?

 

Please help me decide as I really need to figure out a solution for secure nas without going crazy in the process lol 

 

Thanks!

Link to comment
On 9/3/2020 at 6:00 AM, bobohazel said:

Hi, I need some help.

I got this to work and I can access my Unraid dashboard on my phone while connected through Wireguard (while on 4G not WiFi). But somehow I cannot access my container webUIs of the ones that I routed through a privoxyvpn container.

While I am on my home network on my phone I can access those.

I thought Wireguard would make it so Unraid would think that my phone is on the home network. Is my assumption wrong?

Two potential issues come to mind:
1) Have you set up dockers with their own IP addresses? If so you need to follow the "complex networks" portion of the first post.
2) Does any of what you are trying to do require DNS resolution from the remote network? That doesn't work through the tunnel by default, either access things using IP address or see the "About DNS" portion of the first post.

Link to comment

I'm having trouble accessing the WebUI through Wireguard on Windows 10.

 

However, I can SSH into the server from the same Windows machine.  I can also access the WebUI from an Android phone using the same tunnel/peer configuration on the same remote network (WiFi, not cell connection).

 

I tried disabling the Windows firewall entirely, just in case that was interfering, but I still couldn't access the WebUI.

 

Any thoughts?

Link to comment
7 hours ago, fritzdis said:

I'm having trouble accessing the WebUI through Wireguard on Windows 10.

 

However, I can SSH into the server from the same Windows machine.  I can also access the WebUI from an Android phone using the same tunnel/peer configuration on the same remote network (WiFi, not cell connection).

 

I tried disabling the Windows firewall entirely, just in case that was interfering, but I still couldn't access the WebUI.

 

Any thoughts?

Try accessing it by IP address instead of by name. If it redirects to something like "tower.local", that isn't going to resolve over the wireguard tunnel by default. See the "About DNS" portion of the first post.

Link to comment
2 hours ago, J05u said:

Basically I managed to set up Wireguard only as Remote tunneled access, any other options just not pinging.

But anyway, with this option I can access only my server and dockers.

Any chance to manage to access entire home network ?

"Remote access to lan" and "Remote tunneled access" should both allow that yes. It is likely a DNS resolution issue, see the "About DNS" portion of the first post.  You could also try accessing the remote devices by IP instead of name.

 

If you can't access the devices by IP address then you will need to add a static route in your router.  See the "complex networks" portion of the first post. 

Link to comment
4 hours ago, ljm42 said:

Try accessing it by IP address instead of by name. If it redirects to something like "tower.local", that isn't going to resolve over the wireguard tunnel by default. See the "About DNS" portion of the first post.

Unfortunately, I was already using IP addresses.  Tried 10.253.0.1 and 192.168.1.xxx with no luck on Windows (for the WebUI).

 

For further testing, I tried accessing the built-in FTP server from Windows and Android.  On Windows, I could browse some directories and download very small files, but large directory listings timed out, and downloads of most files did not work.  On Android, everything seemed to work OK, including large file downloads.

 

I've now installed BlueStacks on Windows to emulate Android with Wireguard installed.  Through BlueStacks, I am able to access the WebUI, Dockers, and download files (speed not great).  It's not ideal, but it's better than using my phone.

 

It certainly seems like it's the Windows client or Windows itself doing something weird.  I'm thinking playing around with MTU settings might have some impact.  I can't do that right now, however, because when I make config changes on Chrome remotely, the interface stays inactive.

Edited by fritzdis
Link to comment
34 minutes ago, Marcjwebb said:

ok am a little lost. I configured everything following this plan step by step, however even after I have set up my port forwarding, it still says configure port forwarding.

Those remarks always show up.  The plugin has no idea if you actually configured the port forwarding on your router so it just keeps reminding you to do so.

 

WireGuard is working on my server with all clients (phones and laptops) able to connect successfully, but I still see the port forwarding and peer networking LAN remarks on the WireGuard VPN settings page.

Link to comment

I'm super new to all of this so please excuse if I don't use proper terminology and my lack of understanding.

 

Currently I have Wireguard set up like the top left image in this picture, where I use the app to create a connection allowing me to remote in to my Unraid server. However, I would like to set up Wireguard in a different way, but have no idea how to go about it and am hoping you guys may can tell me what it will take.....

 

I want to have all of my internet traffic from all devices going through a VPN like the bottom left picture. I also want to be able to remote in but see ALL of my network instead of just the server....like the top right image.

 

My server motherboard (Asus x99 Deluxe II) has two lan ports, so can I just change the cabling around to get my router behind the server? Currently it goes from cable modem to wifi router (which has lan ports) and the router feeds everything including wired to the server. Can I just go from cable modem to the server then out the other lan to the wifi router? That should effectively put everything behind the server correct? Would that be necessary? Really my server is the most important piece in the network and moving it in front of the router seems like it removes a layer of protection (but maybe not). Also I'm not sure how it would work with issuing IP addresses and such since the router has been doing all that kind of work and the server would be in front of it. Anyway, then I thought I would get a VPN that provides secure internet to ALL of the entire network, not just my server.

 

I just don't understand all this well enough to know if this would work, if it's needed to change the cabling around, what kind of issues I may run into, how difficult it will be to set up and manage.....I can't have anything that is flaky and having issues because I go out of town a lot and no one else will understand any of it. Once set up it just needs to fade in the background and work.

 

 

 

wireguard-help.png.453a3c3e8373a35d11debf9ba1bf7e7a.png

Edited by SPOautos
Link to comment
4 hours ago, SPOautos said:

I want to have all of my internet traffic from all devices going through a VPN like the bottom left picture. I also want to be able to remote in but see ALL of my network instead of just the server....like the top right image.

If you want your entire network to route through a commercial VPN you should look at upgrading your router to support that.

 

If you would like to route your Unraid traffic through a VPN provider see this post:
 

 

If you would like to have remote access to your LAN while you are out of the house then follow the first few posts in this thread.

 

Note that some people are having difficulty getting access to their entire LAN, although it works for most. I'd recommend reading the last few pages of this thread.

Link to comment
1 hour ago, ljm42 said:

If you want your entire network to route through a commercial VPN you should look at upgrading your router to support that.

 

If you would like to route your Unraid traffic through a VPN provider see this post:
 

 

If you would like to have remote access to your LAN while you are out of the house then follow the first few posts in this thread.

 

Note that some people are having difficulty getting access to their entire LAN, although it works for most. I'd recommend reading the last few pages of this thread.

I am just looking to be able to access the NAS when I am not home, but also don't want it to stop all my web browsing to have this benefit

 

Link to comment
38 minutes ago, Marcjwebb said:

I am not using and don't plan to use an external VPN service. I just want a secure way for my unraid to be accessible remotely.

just seems odd that I can only do that if I sacrifice all other web related things

Keep working on it. There is no need for a VPN service. I can access my whole network with WireGuard through Unraid.

Link to comment
8 hours ago, ljm42 said:

If you want your entire network to route through a commercial VPN you should look at upgrading your router to support that.

 

If you would like to route your Unraid traffic through a VPN provider see this post:
 

 

If you would like to have remote access to your LAN while you are out of the house then follow the first few posts in this thread.

 

Note that some people are having difficulty getting access to their entire LAN, although it works for most. I'd recommend reading the last few pages of this thread.

 

Thanks for this info....I don't know much about routers and networking. Since reading your post I've looked closer at what all my router can do and it has router capabilities. It appears that I can set it up to remote into it and also tie it to a VPN for internet access. Would a VPN service like Mullvad be good since it offers OpenVPN as well as Wireguard? That would make it compatible with some of the containers/apps that need to go out into the internet such as Sonarr and SAB correct?

 

In terms of VPN access to the network it almost seems like I can just set it up on the router and don't even need a 3rd party service.....would that be correct? It looks like it lets me generate a certificate and then the router has a link to the OpenVPN website where I can go download the client app to the remote computer, put in the certificate info, and it reads like it will connect up. Does that sound correct?

 

I suppose maybe I should start a new thread as my questions to you are getting too far off topic from the thread now that I've discovered all of this isn't relative to the wireguard in Unraid

Link to comment
