WireGuard quickstart



2 hours ago, SPOautos said:

In terms of VPN access to the network it almost seems like I can just set it up on the router and don't even need a 3rd party service..... would that be correct?

Correct, VPN access to your house does not require a 3rd party service. You can set it up either on your router or on Unraid.

 

2 hours ago, SPOautos said:

Would a VPN service like Mullvad be good since it offers OpenVPN as well as WireGuard? That would make it compatible with some of the containers/apps that need to go out onto the internet, such as Sonarr and SAB, correct?

I'm not really sure; you'd want to investigate in the threads for those containers.

 

These are two very different things, I'd recommend working on one at a time.


I noticed a possible bug/issue with WireGuard on unRAID. I have a docker container that runs on a custom network and I needed it to talk to a container on bridge so I went into docker settings and enabled "Host access to custom networks". After doing so (and all the required stop/start/reboot), the containers could talk on the network and I thought all was well.

 

Later that week I tried to use my WG VPN tunnel access (LAN access and tunnel through server to my home internet WAN) on my laptop and phone, which I'd used previously and worked great then, since I was on an untrusted Wifi network. After connecting, I was able to access LAN resources on the unRAID server, but could not get the WG client systems to go out to the internet when I had WG turned on on them. I thought back to what had changed and all I could think of was the setting above. So today, since I had to restart unRAID to add a disk, I disabled that setting to test it out and after restarting I tried WG tunnel access and lo and behold it is working again! I can get to LAN resources as well as out to the WAN/internet while connected to WG on the clients.

 

So it seems like something with enabling the "Host access to custom networks" setting breaks WG's ability to allow VPN clients to tunnel through it and use the WAN while connected.


OK, I have been reading posts for 2 hours now and don't see where or what I messed up.

 

I have DDNS set up with a new URL just for WireGuard. I use Pi-hole and did input my Pi-hole LAN IP in the config. I have tested on my phone (cell network) and my laptop (on cell hotspot, cell network).

 

Both seem to connect fine, but nothing loads (neither public sites nor LAN sites). I notice in the client log (both on Windows/laptop and the Android app) that it's sending the handshake attempt multiple times. I see on the Unraid dashboard that there is no handshake. I can post screenshots as needed and would love to use this instead of OpenVPN.

 

Any help or guidance is greatly appreciated. 

Screenshot 2020-09-13 181732.jpg


Hello All,

 

So I recently made the move over from OpenVPN to WireGuard. I've got it set up so when I'm off LAN I can securely tunnel into my UnRAID server. I can access the likes of SabNZB, Radarr and Sonarr; however, when I access my UnRAID server once VPN'd in I get "cannot open the page because the server cannot be found" when using Safari on my mobile. I also get an error when trying to access the Plex server: "Plex is Not reachable".

 

I'm struggling to understand what this could be. I have Pi-hole running on a Pi on my LAN. I've updated the "Peer DNS Server" in the WireGuard settings but am still having no luck.


I was using Unraid with WireGuard just fine, until I moved the Unraid into site A, where no public IP is available (behind ISP NAT). Asking the ISP to fix it is not going to be a solution.

 

I have another site B with a dynamic IP available. I am planning to buy a Raspberry Pi and install PiVPN (WireGuard) on it for site B. The problem is, I am not sure how to configure it properly in order to handshake a tunnel between the 2 sites. My ultimate goal is to access my Unraid in site A by this route: Internet -> DDNS of site B -> Site B's router (normal home router) -> B's WireGuard (Raspberry Pi) -> Tunnel -> Site A WireGuard (on Unraid) -> Unraid application/rest of the network. From my understanding, the handshake should be started from site A. So site A should have a WG client connecting to WG B in order to establish a tunnel, and let packets from site A route into the tunnel.

 

May anyone please point me in the right direction on how to configure a tunnel on the Unraid? It would be great to have a detailed explanation on how to set it up on both the Unraid and the Raspberry Pi.

 

The use of a Raspberry Pi is not a must (I haven't bought it yet). It is just the cheapest solution I can think of. Anyone can propose alternatives, thanks!


I am having a problem and hopefully someone can help me. I managed to get WireGuard to work just fine. But due to a really bad power outage and my UPS losing power, thus my server losing power, it doesn't work anymore. I have tried everything that I can think of. Since I was just starting everything, I haven't done much to my server. With that being said, I even went so far as to format the bootable thumb drive and try again. But nothing that I do works any more.

 

List of things that I have done (trying to do it in order):

 

Different configuration on server and peers.

Uninstalling/reinstalling the plugin and the programs on the peers.

Checked DDNS settings to make sure they were still pointing to my IP Address.

Checked my router settings to make sure that there was still port forwarding enabled.

Temporarily created a container with the same port settings in the port forwarding settings to see if I can access it through the web. I could.

Instead of using the domain name I used just the IP address.

Formatting the unRAID thumb drive and clearing everything.

Trying different configurations again.

 

None of these things have worked. Am I missing anything?


I found some replies here with users using cloudflare domains - and they are unproxied. Is this less secure than other methods? I guess the only thing happening is exposing your public IP via a sub domain. Are there other methods to get wireguard to work with a cloudflare proxy or otherwise? Apologies for my ignorance, I'm not super well versed in the world of networking.


I've found a neat problem. I have Wireguard up and running, super stable for weeks now. Logging onto the Unraid web interface allows me to add, remove, and modify peers as expected. However... If I do this while logged in remotely (via the Wireguard VPN), the "Active/Inactive" toggle gets switched off and doesn't auto-start again. Luckily I had a VNC server running on another computer from a previous project, so I connected to that over SSH and was able to flip the toggle switch from inside my LAN.

 

Tried recreating it several times, and the problem persists. Happens when I hit the "Apply" button in the web interface. From another computer on the same LAN/Subnet/etc as my Unraid server, it stays active. From a remote computer connected to the VPN, Wireguard inactivates.

 

More info: Not running any reverse proxies, Wireguard's "Autostart" toggle switch is on (and persists), remote clients connect with "Remote Tunnelled Access"

 

Anybody else seen this behaviour? Any ideas?


Anybody have a solve for the following issue:

  • Domain name abc.com hosted in Cloudflare and dynamic dns updated automatically by the Cloudflare docker (Cloudflare Proxy = Enabled)
  • CNAME wg points to abc.com (Cloudflare Proxy = Enabled)
  • Anything coming in via abc.com goes through NGINX Proxy Manager docker and goes to the relevant application there (relevant for other domains)

Wireguard doesn't seem to work if I add Cloudflare Proxy = Enabled to the wg CNAME, however if I don't then it exposes the ip of the domain name (abc.com) which I'd rather keep proxied.

 

All my other services use a CNAME pointing to abc.com and proxied that works fine. But no luck with Wireguard.

6 hours ago, Mattyfaz said:

Wireguard doesn't seem to work if I add Cloudflare Proxy = Enabled to the wg CNAME, however if I don't then it exposes the ip of the domain name (abc.com) which I'd rather keep proxied.

On 10/2/2020 at 3:44 AM, mishmash- said:

Are there other methods to get wireguard to work with a cloudflare proxy or otherwise?


The Cloudflare proxy is designed for http traffic, it does not know how to proxy other traffic such as WireGuard. You have to disable the Cloudflare proxy for WireGuard to function.

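To make that check concrete, here is an added Python example (not code from this thread, from Unraid, or from Cloudflare) that resolves the WireGuard endpoint name and reports whether it lands on a Cloudflare edge address, which is what "Proxy = Enabled" does to a record. The range table is Cloudflare's published IPv4 list as I know it; re-fetch it from https://www.cloudflare.com/ips-v4 before relying on it. The hostnames vpn.example.com and wg.example.com and the address 203.0.113.10 are constructed placeholders.

```python
import ipaddress
import socket

# Cloudflare's published IPv4 edge ranges (https://www.cloudflare.com/ips-v4)
# as of this writing. A stale table gives false "direct" verdicts, so refresh
# it before trusting the result.
CLOUDFLARE_V4 = [ipaddress.ip_network(n) for n in (
    "173.245.48.0/20", "103.21.244.0/22", "103.22.200.0/22", "103.31.4.0/22",
    "141.101.64.0/18", "108.162.192.0/18", "190.93.240.0/20", "188.114.96.0/20",
    "197.234.240.0/22", "198.41.128.0/17", "162.158.0.0/15", "104.16.0.0/13",
    "104.24.0.0/14", "172.64.0.0/13", "131.0.72.0/22",
)]


def is_cloudflare_edge(ip):
    """True if ip belongs to Cloudflare's edge, i.e. the DNS record is proxied."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in CLOUDFLARE_V4)


def check_wireguard_endpoint(hostname, resolve=socket.gethostbyname):
    """Resolve the endpoint name and classify it.

    Returns (ip, verdict). `resolve` is injectable so the check can be run
    against a known address without DNS, as the demo below does.
    """
    ip = resolve(hostname)
    if is_cloudflare_edge(ip):
        return ip, ("proxied: the name resolves to a Cloudflare edge, which "
                    "proxies HTTP, not UDP; WireGuard packets are dropped "
                    "before they reach your router. Turn the orange cloud off.")
    return ip, "direct: the name resolves to a non-Cloudflare address"


if __name__ == "__main__":
    # Constructed examples: a documentation-range address and a Cloudflare one.
    print(check_wireguard_endpoint("vpn.example.com", resolve=lambda _: "203.0.113.10"))
    print(check_wireguard_endpoint("wg.example.com", resolve=lambda _: "104.16.1.1"))
```

Call `check_wireguard_endpoint("vpn.yourdomain.tld")` with no second argument to resolve through the system resolver. On the exposure worry: a grey-cloud A record reveals the same public IP that any DDNS name or port forward already does, and WireGuard does not answer packets that fail authentication, so the forwarded UDP port looks closed to a scanner.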
On 9/12/2020 at 2:25 AM, deusxanime said:

So it seems like something with enabling the "Host access to custom networks" setting breaks WG's ability to allow VPN clients to tunnel through it and use the WAN while connected.


I am having this exact same issue. Prior to enabling "Host access to custom networks" WireGuard worked perfectly for over a year. Since I made this change it no longer works.

On 12/19/2019 at 5:57 PM, nuhll said:

Anyone found a solution to make WireGuard reconnect automatically?

 

I don't understand why it doesn't do it on its own. Every night somewhere there is a disconnect (and yes, I've set keepalive to 600s).

 

Every morning I need to deactivate it on my mobile and then activate it again...?!

"when a peer is behind NAT or a firewall, it might wish to be able to receive incoming packets even when it is not sending any packets. Because NAT and stateful firewalls keep track of "connections", if a peer behind NAT or a firewall wishes to receive incoming packets, he must keep the NAT/firewall mapping valid, by periodically sending keepalive packets. This is called persistent keepalives. When this option is enabled, a keepalive packet is sent to the server endpoint once every interval seconds. A sensible interval that works with a wide variety of firewalls is 25 seconds. Setting it to 0 turns the feature off, which is the default, since most users will not need this, and it makes WireGuard slightly more chatty. This feature may be specified by adding the PersistentKeepalive = field to a peer in the configuration file, or setting persistent-keepalive at the command line. If you don't need this feature, don't enable it. But if you're behind NAT or a firewall and you want to receive incoming connections long after network traffic has gone silent, this option will keep the "connection" open in the eyes of NAT."

 

Source: https://www.wireguard.com/quickstart/

 

This is exactly my situation: my peer does not have a public IP due to ISP restrictions. How do I configure persistent-keepalive in my Unraid WireGuard peer settings?

On 10/19/2020 at 2:29 PM, chalk said:

I am having this exact same issue. Prior to enabling "Host access to custom networks" WireGuard worked perfectly for over a year. Since I made this change it no longer works.

How can we raise a bug report for this issue?


Any idea why "Remote access to LAN" doesn't handshake with my device, but if I keep everything the same and change the peer type of access to "Remote tunneled access" it seems to work perfectly? I understand the difference between the two options, but I'm confused as to why one of them works but the other doesn't if I've configured everything correctly. From reading the thread it seems like "Remote access to LAN" is the simpler way to set everything up as well.


Hey @ljm42 I think the peer configs for "Server hub and spoke access" and "LAN hub and spoke access" might be incorrect:

- "Server hub and spoke access" is currently set up exactly like "Remote access to server"; it doesn't really allow peers on the same tunnel to talk to each other

- "LAN hub and spoke access" does allow you to connect to other peers on the same tunnel (which is correct), but it doesn't allow peers to access your entire LAN (only the Unraid server itself)

 

With my limited knowledge in networking, I think this might be because of how the "AllowedIPs" was set in the peer config file

- "Server hub and spoke access" gives you something like "AllowedIPs=10.253.0.1/32" which I think should be "AllowedIPs=10.253.0.0/24"

- "LAN hub and spoke access" gives you "AllowedIPs=10.253.0.0/24, 192.168.1.100/32" which I think should be "AllowedIPs=10.253.0.0/24, 192.168.1.0/24"

 

I'm using Unraid 6.8.3, this was the result of my testing for those 2 types (on things that I could access and things that I couldn't), but my understanding about networking and wireguard might be totally wrong

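The post above and the persistent-keepalive question a few posts up both come down to what WireGuard does with AllowedIPs and with a peer that sits behind NAT. As an added illustration (not code from this thread or from Unraid), here is a small Python model of WireGuard's cryptokey routing: a parser for wg-quick style configs, the send-side peer selection and receive-side source filter that AllowedIPs actually implements, a trace of one packet from a spoke through the hub, and a check for a dialled-out peer that has no PersistentKeepalive. The hub address 10.253.0.1/24, the spoke addresses, the hub LAN 192.168.1.0/24, the endpoint vpn.example.com and every key string are constructed placeholders.

```python
import ipaddress


def parse_wg_conf(text):
    """Minimal wg-quick parser (configparser cannot take repeated [Peer] sections)."""
    conf, section = {"Interface": {}, "Peers": []}, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()          # drop comments and blank lines
        if not line:
            continue
        if line.startswith("[") and line.endswith("]"):
            if line == "[Interface]":
                section = conf["Interface"]
            else:                                     # every other section is a [Peer]
                section = {}
                conf["Peers"].append(section)
            continue
        key, _, value = line.partition("=")
        section[key.strip()] = value.strip()
    return conf


def allowed_nets(peer):
    return [ipaddress.ip_network(n.strip(), strict=False)
            for n in peer.get("AllowedIPs", "").split(",") if n.strip()]


def select_peer(conf, dst):
    """Send side: the peer whose AllowedIPs has the longest prefix covering dst.
    None means the packet never enters the tunnel (there is no fallback peer)."""
    addr, best, best_len = ipaddress.ip_address(dst), None, -1
    for peer in conf["Peers"]:
        for net in allowed_nets(peer):
            if addr in net and net.prefixlen > best_len:
                best, best_len = peer, net.prefixlen
    return best


def accepts_source(peer, src):
    """Receive side: a decrypted packet is kept only if its source address is in
    the sending peer's AllowedIPs; anything else is dropped silently."""
    return any(ipaddress.ip_address(src) in net for net in allowed_nets(peer))


def hub_path(client, hub, client_pubkey, hub_lan, dst):
    """Trace one packet from a spoke through the hub and say where it ends up."""
    if select_peer(client, dst) is None:
        return "dropped at client: dst not in its AllowedIPs"
    me = next(p for p in hub["Peers"] if p["PublicKey"] == client_pubkey)
    if not accepts_source(me, client["Interface"]["Address"].split("/")[0]):
        return "dropped at hub: client source not in the hub's AllowedIPs for it"
    if dst == hub["Interface"]["Address"].split("/")[0]:
        return "delivered to hub"
    if select_peer(hub, dst) is not None:
        return "forwarded to another spoke (hub needs net.ipv4.ip_forward=1)"
    if ipaddress.ip_address(dst) in ipaddress.ip_network(hub_lan):
        return "forwarded to hub LAN (hub needs ip_forward=1 plus NAT or a return route)"
    return "dropped at hub: no peer and not on the hub LAN"


def peers_missing_keepalive(conf):
    """Endpoints we dial out to without PersistentKeepalive. Behind NAT the port
    mapping expires once traffic stops and the far side can no longer reach us;
    WireGuard's quickstart suggests 25 seconds."""
    return [p["Endpoint"] for p in conf["Peers"]
            if "Endpoint" in p and int(p.get("PersistentKeepalive", 0)) == 0]


# Constructed hub (the Unraid side) with two spokes; keys are placeholder strings.
HUB = parse_wg_conf("""
[Interface]
Address = 10.253.0.1/24
PrivateKey = HUB_PRIVATE_KEY
[Peer]
PublicKey = SPOKE_A_PUBKEY
AllowedIPs = 10.253.0.2/32
[Peer]
PublicKey = SPOKE_B_PUBKEY
AllowedIPs = 10.253.0.3/32
""")


def spoke_a(allowed_ips, keepalive=25):
    """Spoke A's client config with the AllowedIPs line under test."""
    return parse_wg_conf(f"""
[Interface]
Address = 10.253.0.2/32
PrivateKey = SPOKE_A_PRIVATE_KEY
[Peer]
PublicKey = HUB_PUBKEY
Endpoint = vpn.example.com:51820
AllowedIPs = {allowed_ips}
PersistentKeepalive = {keepalive}
""")


if __name__ == "__main__":
    for allowed, dst in [("10.253.0.1/32", "10.253.0.3"), ("10.253.0.0/24", "10.253.0.3"),
                         ("10.253.0.0/24, 192.168.1.100/32", "192.168.1.50"),
                         ("10.253.0.0/24, 192.168.1.0/24", "192.168.1.50")]:
        print(f"{allowed:32} -> {dst:13}: "
              f"{hub_path(spoke_a(allowed), HUB, 'SPOKE_A_PUBKEY', '192.168.1.0/24', dst)}")
    print("missing keepalive:", peers_missing_keepalive(spoke_a("10.253.0.0/24", keepalive=0)))
```

Two points the trace makes visible. First, the widening belongs in the spoke's [Peer] entry, not the hub's: on the hub, each spoke's AllowedIPs stays at its /32, because there it is the source filter and the return route for that one peer. Second, once the packet is inside the hub it is ordinary routing: spoke-to-spoke or spoke-to-LAN traffic needs forwarding enabled on the hub, and the LAN case additionally needs either masquerading (what the "Local server uses NAT" option provides) or a static route on the LAN router back to the tunnel subnet.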
On 11/8/2020 at 5:04 PM, malkaviancz said:

- "Server hub and spoke access" gives you something like "AllowedIPs=10.253.0.1/32" which I think should be "AllowedIPs=10.253.0.0/24"

- "LAN hub and spoke access" gives you "AllowedIPs=10.253.0.0/24, 192.168.1.100/32" which I think should be "AllowedIPs=10.253.0.0/24, 192.168.1.0/24"


Just fighting the same problem; even though I have tried to fix the AllowedIPs myself, it still does not work. Perhaps there needs to be additional configuration done to Unraid, such as enabling IP forwarding... Also IP forwarding seems a bit broken in my Unraid 6.8.3; I had to do a quick fix:

sysctl -w net.ipv4.ip_forward=1

but this is not persistent.

On 11/12/2020 at 10:26 PM, Maor said:

Perhaps there needs to be additional configuration done to Unraid, such as enabling IP forwarding... Also IP forwarding seems a bit broken in my Unraid 6.8.3


What you need is to keep the connection alive for any peer behind a NAT or firewall for them to be able to communicate with each other.

Try setting the "Persistent keepalive" field of the peer to 25 seconds (something < 2 mins); this is almost mandatory for a server hub or LAN hub setup in my opinion.

You can read more about it here

Do let me know if it works at all;)


I am trying to configure Wireguard on my unRAID server (v6.8.3) for "remote tunneled access".  When I connect to my tunnel using the Wireguard Android app (v1.0.20200927) from my OnePlus 7 Pro (OxygenOS 10.0.9), I can access the unRAID web GUI (and docker containers) by IP only (no name resolution) but I cannot access any other devices on my network.

 

Tunnel settings:
    Local tunnel network pool: 10.253.0.0/24
    Local tunnel address: 10.253.0.1
    Local endpoint: vpn.mydomain.com:51820
    Local server uses NAT: Yes

 

Peer settings:
    Peer type of access: Remote tunneled access
    Peer tunnel address: 10.253.0.2
    Peer allowed IPs: 10.253.0.2
    Peer DNS server: 192.168.1.1

 

I forwarded port 51820/UDP to 192.168.1.5 (my unRAID server IP) on my pfSense router (IP: 192.168.1.1), which also acts as my DNS server.

 

I have my domain hosted with Cloudflare and have configured the vpn.mydomain.com subdomain to point to my public IP address with proxy disabled.

 

I would like to be able to access all my network devices through this Wireguard tunnel.  What am I doing wrong?

20 hours ago, r0zzy5 said:

I would like to be able to access all my network devices through this Wireguard tunnel. What am I doing wrong?


Turns out I had "host access to custom networks" enabled in my docker settings. I don't think I actually need this, so I disabled it and now everything seems to be working correctly. I can access all my machines over Wireguard and the local DNS resolution from pfSense is also working over Wireguard.

16 hours ago, r0zzy5 said:

Turns out I had "host access to custom networks" enabled in my docker settings. I don't think I actually need this, so I disabled it and now everything seems to be working correctly. I can access all my machines over Wireguard and the local DNS resolution from pfSense is also working over Wireguard.

Glad you were able to figure it out. Myself and some others have run into similar problems with that setting enabled. Has anyone acknowledged it even yet?

7 hours ago, Turnspit said:

Using "Server to Server access", is it also possible to reach the WireGuard client from the network behind the WireGuard server, having set up a corresponding static route in the router of the LAN?

See this guide for setting up LAN to LAN access:

 

 


Hi ljm, thanks for your response! 🙂

The thing is that I don't want to connect the whole two LANs with one another.

Basically the Home Unraid server just needs to reach my Remote Unraid server for daily backups, but I also want my Home LAN to reach the "Remote Unraid" server for config and monitoring and stuff, without the Remote LAN having access to my home LAN.

 

At the moment I'm using two Windows 10 servers connected via OpenVPN for this task, and this works exactly as I wish. No need to open any ports at the remote location, and no access of any device at the remote location to my LAN. Sadly, the OpenVPN clients on Unraid are a huge pain and none of them connect correctly, which is why I thought WireGuard might be my solution here.

 

From what I can see, the closest config for my needs would be "Remote access to LAN", where my Remote Unraid server would be able to see my Home Unraid server as well as my Home LAN. Would just setting up a static route in my home router to the Wireguard network be the solution, or does Wireguard block the routing from other networks into the VPN network in this configuration?

