WireGuard quickstart

Hello everyone, I've been trying to set up WireGuard for two days now and I'm still struggling with the "Complex Networks" part.

With the NAT option enabled and "Remote access to LAN", everything works as expected. I can reach physical devices on the local network without any issues (and can't reach docker containers on br0).

When I set the NAT option to 'No' and define static routing on my router, things do not go that well:

With this routing I can access the server and router through the VPN, but any other physical device is not accessible. When this entry is disabled I can access only the server.

And as for now I have the "Host access to custom networks" option disabled.

Am I missing something? Maybe I do not understand something and it should work that way :D


I successfully set this up but I have a couple of questions:

1) Is there a way to access file shares from an Android phone?

2) How do I view the shares on unRAID from Windows when connected over WireGuard? I can navigate to different containers, the unRAID WebUI, etc. from my Windows laptop using the IP addresses, but no network devices show up in the "Networks" window. So how do I view the shares on unRAID from Windows when connected over WireGuard?

8 hours ago, adminmat said:

How do I view the shares on unRAID from Windows when connected over wireguard? 

You should be able to use the unRAID server IP and share name directly. E.g. you can type \\<unRAID IP>\<Share name> in Windows Explorer, or map a network drive for easier access.

10 hours ago, MoWer said:

You should be able to use the unRAID server IP and share name directly. E.g. you can type \\<unRAID IP>\<Share name> in Windows Explorer [...]

Yep, this helped me. Thanks.

I'm now able to connect to the shares remotely and move files. I can ping everything on the network remotely except, strangely, for one Windows 10 PC. It's set up to allow Echo Request - ICMPv4-In. So I can't figure out why. I can ping that PC from other devices on the same local network, just not through WireGuard and my phone's hotspot.

  • 2 weeks later...

Hi, I have been routing some of my dockers via a custom WireGuard network.

I got the idea from nickb.dev and Reddit.

The way I have it starting up is via the go file.

I did install resolvconf from slackware.pkgs.org. You can also just use the --dns= flag on the docker containers.

# create the WireGuard interface and load keys/peers from the provider config
ip link add dev vpnac-us19 type wireguard
wg setconf vpnac-us19 /etc/wireguard/vpnac-us19.conf
# tunnel-side address (a /32 is implied when no prefix is given), then bring the link up
ip address add 10.11.2.55 dev vpnac-us19
ip link set up dev vpnac-us19
# register the provider's resolver for this interface (metric 0 = listed first)
printf 'nameserver %s\n' 10.11.0.1 | resolvconf -a tun.vpnac-us19 -m 0 -x
# loose reverse-path filtering, otherwise replies for the docker subnet arriving on the tunnel are dropped
sysctl -w net.ipv4.conf.all.rp_filter=2
# packets sourced from the docker network consult table 200, whose default route points into the tunnel
ip rule add from 172.18.0.0/16 table 200
ip route add default via 10.11.2.55 metric 2 table 200
# ...but only after the main table has been tried for anything more specific than a default
# route, so the LAN and other docker bridges stay reachable. Added without a pref, this rule
# lands ahead of the table-200 rule, which is the order that makes it work.
ip rule add table main suppress_prefixlength 0
# kill switch: when the tunnel route (metric 2) vanishes with the interface, the blackhole (metric 3) takes over
ip route add blackhole default metric 3 table 200
ip link set mtu 1420 up dev vpnac-us19

Everything seems to work. I can access the web UI of the containers.

If I manually bring down the link with

ip link del dev vpnac-us19

the containers get null-routed via

ip route add blackhole default metric 3 table 200

I have been playing with a script from Reddit. If I run it manually it works, however it does not seem to insert the DNS into the /etc/resolv.conf file. If I run the command manually it works:

printf 'nameserver %s\n' 10.11.0.1 | resolvconf -a tun.vpnac-us19 -m 0 -x

I tried getting the script to run via the go file and the user scripts, but for some reason it would not work.

Here is the script I have been using.

#!/bin/bash
# Script to create a split-tunnel WireGuard interface that only tunnels a specific
# Docker network through WireGuard. All other traffic is not VPN'ed. The script
# creates the routes so that WebGUIs are still accessible from the LAN and the
# VPN'ed containers can still reach other docker containers. If the WireGuard
# interface disappears, a blackhole route in table 200 drops the containers'
# Internet traffic instead of letting it leak through the normal default route.
# To run it at boot, call it from the go file, e.g.: /boot/config/wireguard up
# Usage: wireguard <up|down|status>

## Set variables
# Name of the docker network to route through WireGuard
# This network will be created if it does not exist using DOCKER_NET_SUBNET
DOCKER_NET_NAME="vpn-docker"
DOCKER_NET_SUBNET="10.30.0.0/16"
# Name of the WireGuard interface to create (config: /etc/wireguard/$DEV_NAME.conf)
DEV_NAME="vpnac-us19"
# Resolver handed out by the VPN provider, registered with resolvconf while the tunnel is up
VPN_DNS="10.11.0.1"
# Policy-routing table and explicit rule priorities. The "suppress_prefixlength 0" rule
# must sort before the table-200 rule so LAN/docker routes in main win over the tunnel.
VPN_TABLE=200
PREF_MAIN_FIRST=100
PREF_VPN_TABLE=110
##########################################################################################
# Nothing to edit below this line

tecreset=$(tput sgr0)
COL="12G"

set_ok ()     { echo -e -n "\\033[0G[ \E[0;32m  OK  $tecreset ] "; }
set_failed () { echo -e -n "\\033[0G[ \E[0;31mFAILED$tecreset ] "; }
# Print a command at the status column, then run it quietly (eval so that pipes work)
echo_and_run () { echo -n -e "\\033[$COL$*"; eval "$*" > /dev/null 2>&1; }

# ensure_state "<check command>" "<fix command>"
# If the check already succeeds report OK, otherwise run the fix and re-check.
ensure_state () {
    local check="$1" fix="$2"
    if eval "$check" > /dev/null 2>&1; then
        set_ok; echo -e "\\033[$COL$fix (already applied)"
        return 0
    fi
    echo_and_run "$fix"
    if eval "$check" > /dev/null 2>&1; then
        set_ok; echo
        return 0
    fi
    set_failed; echo
    return 1
}

# must_succeed "<command>": run the command and abort the script if it fails
must_succeed () {
    if echo_and_run "$1"; then
        set_ok; echo
    else
        set_failed; echo
        exit 1
    fi
}

vpn_check () {
    # Ask a container on the VPN network for its public IP and compare it with the host's.
    # No -t: the script also runs without a terminal from the go file.
    VPNIP=$(docker run -i --rm --net="$DOCKER_NET_NAME" appropriate/curl --silent --show-error https://api.ipify.org 2>&1)
    IP=$(curl --silent https://api.ipify.org)
    if [[ "$VPNIP" == *"Could not resolve host"* ]]; then
        set_ok; echo "Not connected to endpoint: blackhole active"
    elif [[ "$VPNIP" == "$ENDPOINT_IP" ]]; then
        set_ok; echo "Connected to $ENDPOINT_IP"
    elif [[ "$VPNIP" == "$IP" ]]; then
        set_failed; echo "Not connected to endpoint: blackhole NOT active, containers are leaking via $IP!"
    else
        # e.g. Endpoint is a hostname rather than an IP, or the provider exits through another address
        echo "VPN network exits via $VPNIP (Endpoint in config: $ENDPOINT_IP)"
    fi
}

# check the WireGuard module is loaded
if ! lsmod | grep -q -w wireguard; then
    set_failed; echo "WireGuard module not loaded."
    exit 1
fi
set_ok; echo -e "\\033[$COL WireGuard module loaded"

# check for the conf file
CONF="/etc/wireguard/$DEV_NAME.conf"
if [ ! -f "$CONF" ]; then
    set_failed; echo -e "\\033[$COL$CONF missing"
    exit 1
fi
set_ok; echo -e "\\033[$COL$CONF"

# Get IP addresses and subnets needed
# "Address = 10.11.2.55/32" -> 10.11.2.55 ; "Endpoint = 1.2.3.4:51820" -> 1.2.3.4
INTERFACE_IP=$(grep -w Address "$CONF" | awk '{print $3}' | cut -d/ -f1)
ENDPOINT_IP=$(grep -w Endpoint "$CONF" | awk '{print $3}' | cut -d: -f1)
if [ -z "$INTERFACE_IP" ]; then
    set_failed; echo "No Address line in $CONF"
    exit 1
fi
# The docker network does not exist yet on the first run, so fall back to the configured subnet
DOCKER_NET=$(docker network inspect "$DOCKER_NET_NAME" 2>/dev/null | grep Subnet | awk '{print $2}' | sed 's/[",]//g')
DOCKER_NET="${DOCKER_NET:-$DOCKER_NET_SUBNET}"

up () {
    # add WireGuard interface
    ensure_state "ip link show $DEV_NAME" "ip link add $DEV_NAME type wireguard" || exit 1

    # load keys and peers. Address/DNS lines are wg-quick extensions that wg setconf
    # rejects, so strip them first (falls back to the raw file if wg-quick is absent)
    must_succeed "wg setconf $DEV_NAME <(wg-quick strip $CONF 2>/dev/null || cat $CONF)"

    # assign IP and MTU to the WireGuard interface and bring it up
    ensure_state "ip addr show dev $DEV_NAME | grep -w $INTERFACE_IP" "ip addr add $INTERFACE_IP dev $DEV_NAME" || exit 1
    must_succeed "ip link set mtu 1420 up dev $DEV_NAME"

    # loose reverse-path filtering, otherwise replies for the docker subnet arriving on the tunnel are dropped
    must_succeed "sysctl -w net.ipv4.conf.all.rp_filter=2"

    # create the docker network with an MTU that fits inside the tunnel
    ensure_state "docker network inspect $DOCKER_NET_NAME" \
        "docker network create $DOCKER_NET_NAME --subnet $DOCKER_NET_SUBNET -o com.docker.network.driver.mtu=1420" || exit 1

    # policy routing: main first for anything more specific than a default route (LAN, other
    # docker bridges), then table 200 for packets sourced from the VPN docker network
    ensure_state "ip rule show | grep -w suppress_prefixlength" \
        "ip rule add pref $PREF_MAIN_FIRST table main suppress_prefixlength 0" || exit 1
    ensure_state "ip rule show | grep -w 'lookup $VPN_TABLE'" \
        "ip rule add pref $PREF_VPN_TABLE from $DOCKER_NET table $VPN_TABLE" || exit 1

    # blackhole (metric 3) is the fallback that takes over when the tunnel route (metric 2) disappears
    ensure_state "ip route show table $VPN_TABLE | grep -w blackhole" \
        "ip route add blackhole default metric 3 table $VPN_TABLE" || exit 1
    ensure_state "ip route show table $VPN_TABLE | grep -w $INTERFACE_IP" \
        "ip route add default via $INTERFACE_IP metric 2 table $VPN_TABLE" || exit 1

    # DNS: register the provider's resolver for this interface
    must_succeed "printf 'nameserver %s\\n' $VPN_DNS | resolvconf -a tun.$DEV_NAME -m 0 -x"

    # check vpn ip
    vpn_check
}

down () {
    # delete the WireGuard interface; the kernel drops the table-200 default route with it,
    # leaving only the blackhole so the containers are null-routed instead of leaking
    ensure_state "! ip link show $DEV_NAME" "ip link del $DEV_NAME" || exit 1
    echo_and_run "resolvconf -d tun.$DEV_NAME"; echo

    # make sure the rule and the blackhole are still in place
    ensure_state "ip rule show | grep -w 'lookup $VPN_TABLE'" \
        "ip rule add pref $PREF_VPN_TABLE from $DOCKER_NET table $VPN_TABLE" || exit 1
    ensure_state "ip route show table $VPN_TABLE | grep -w blackhole" \
        "ip route add blackhole default metric 3 table $VPN_TABLE" || exit 1

    # check to make sure the blackhole is active
    vpn_check
}

status () {
    # check blackhole
    ensure_state "ip route show table $VPN_TABLE | grep -w blackhole" \
        "ip route add blackhole default metric 3 table $VPN_TABLE" || exit 1
    ip rule show | grep -w "$VPN_TABLE"
    ip route show table "$VPN_TABLE"
    wg show "$DEV_NAME" 2>/dev/null

    # check to make sure the blackhole is active
    vpn_check
}


command="$1"
shift

case "$command" in
    up) up "$@" ;;
    down) down "$@" ;;
    status) status "$@" ;;
    *) echo "Usage: $0 up|down|status" >&2; exit 1 ;;
esac

Does anyone know a better way to have it run?

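The rule and table layout in the post above (a from-rule into table 200, `suppress_prefixlength 0` on main, and a blackhole behind the tunnel default) is easier to reason about when the kernel's lookup order is written out. The following Python model is an added example, not code from the post, from nickb.dev or from Unraid: it replays the lookup order (rules by ascending preference, longest prefix within a table, lowest metric on ties, suppression of a result whose prefix is too short) against a constructed set of tables. The interface names (br0, br-vpn, wg0), the 192.168.1.0/24 LAN, the 10.30.0.0/16 docker subnet and the explicit rule preferences are assumptions for the example.

```python
"""Model of the kernel policy-routing lookup behind the split-tunnel docker setup.

Added example (not code from the post, nickb.dev or Unraid). Interface names, addresses
and routes are constructed: LAN 192.168.1.0/24 on br0, VPN docker network 10.30.0.0/16
on br-vpn, WireGuard interface wg0, policy table "200".
"""
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass
class Route:
    prefix: ipaddress.IPv4Network
    dev: Optional[str]            # None for a blackhole entry
    metric: int = 0
    blackhole: bool = False


@dataclass
class Rule:
    pref: int
    table: str
    src: Optional[ipaddress.IPv4Network] = None     # None means "from all"
    suppress_prefixlength: Optional[int] = None


class PolicyRouter:
    def __init__(self) -> None:
        self.tables: Dict[str, List[Route]] = {}
        self.rules: List[Rule] = []

    def add_route(self, table: str, prefix: str, dev: Optional[str] = None,
                  metric: int = 0, blackhole: bool = False) -> None:
        """ip route add <prefix> [dev DEV] [metric N] [blackhole] table <table>"""
        self.tables.setdefault(table, []).append(
            Route(ipaddress.ip_network(prefix), dev, metric, blackhole))

    def add_rule(self, pref: int, table: str, src: Optional[str] = None,
                 suppress_prefixlength: Optional[int] = None) -> None:
        """ip rule add pref <pref> [from <src>] table <table> [suppress_prefixlength N]"""
        self.rules.append(Rule(pref, table, ipaddress.ip_network(src) if src else None,
                               suppress_prefixlength))
        self.rules.sort(key=lambda r: r.pref)

    def del_dev(self, dev: str) -> None:
        """ip link del <dev>: the kernel also removes every route that pointed at the device"""
        for table in self.tables:
            self.tables[table] = [r for r in self.tables[table] if r.dev != dev]

    def lookup_table(self, table: str, dst: ipaddress.IPv4Address) -> Optional[Route]:
        hits = [r for r in self.tables.get(table, []) if dst in r.prefix]
        # longest prefix wins; among equal prefixes the lowest metric wins
        return min(hits, key=lambda r: (-r.prefix.prefixlen, r.metric)) if hits else None

    def route(self, src: str, dst: str) -> str:
        """Walk the rules in preference order, as the kernel does, and return the decision."""
        s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
        for rule in self.rules:
            if rule.src is not None and s not in rule.src:
                continue
            hit = self.lookup_table(rule.table, d)
            if hit is None:
                continue
            if (rule.suppress_prefixlength is not None
                    and hit.prefix.prefixlen <= rule.suppress_prefixlength):
                continue      # e.g. main's default route: suppressed, try the next rule
            return "blackhole" if hit.blackhole else f"{hit.prefix} dev {hit.dev}"
        return "unreachable"


def build_split_tunnel() -> PolicyRouter:
    """Tables and rules as left behind by the 'up' sequence (constructed values)."""
    r = PolicyRouter()
    r.add_route("local", "192.168.1.2/32", dev="lo")        # the host's own addresses
    r.add_route("local", "10.30.0.1/32", dev="lo")
    r.add_route("main", "192.168.1.0/24", dev="br0")        # LAN
    r.add_route("main", "10.30.0.0/16", dev="br-vpn")       # the VPN docker bridge itself
    r.add_route("main", "0.0.0.0/0", dev="br0")             # normal default via the LAN gateway
    r.add_route("200", "0.0.0.0/0", dev="wg0", metric=2)    # tunnel default
    r.add_route("200", "0.0.0.0/0", metric=3, blackhole=True)   # kill-switch fallback
    r.add_rule(0, "local")
    r.add_rule(100, "main", suppress_prefixlength=0)   # LAN/docker routes win, default does not
    r.add_rule(110, "200", src="10.30.0.0/16")         # only the VPN docker network uses table 200
    r.add_rule(32766, "main")
    return r


def kill_switch_demo() -> Dict[str, str]:
    """Route decisions for container and host traffic before and after `ip link del dev wg0`."""
    r = build_split_tunnel()
    out = {
        "container->lan": r.route("10.30.0.5", "192.168.1.10"),
        "container->host": r.route("10.30.0.5", "192.168.1.2"),
        "container->internet": r.route("10.30.0.5", "1.1.1.1"),
        "host->internet": r.route("192.168.1.2", "1.1.1.1"),
    }
    r.del_dev("wg0")
    out["container->internet after del"] = r.route("10.30.0.5", "1.1.1.1")
    out["host->internet after del"] = r.route("192.168.1.2", "1.1.1.1")
    return out
```

Running `kill_switch_demo()` shows the three properties the post relies on: a container reaching the LAN is answered by main (the /24 survives `suppress_prefixlength 0`, the default route does not), a container reaching the Internet is answered by the metric-2 tunnel route in table 200, and once wg0 is deleted only the metric-3 blackhole is left in table 200 while the host keeps its own default route. On a live host the equivalent check is `ip route get 1.1.1.1 from 10.30.0.5 iif br-vpn`, which should print `blackhole` after `ip link del`.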

I'm trying to set up WireGuard on my unRAID server, with the most basic access to get things debugged, and I am stuck. I am using a "Remote Access to Server" peer definition (screenshot of the unRAID GUI settings attached). I am using my Android phone as the peer connection (with wifi disabled), and used the QR capture method to create the tunnel configuration on the phone. When I attempt to connect to the local numeric IP of the unRAID server GUI on the phone, the browser is unable to connect. I have double and triple checked that the router is port forwarding to the correct local IP of the unRAID server, using UDP, and the port (51820) in the settings. Don't know what else to try, thanks in advance for any advice.

19 minutes ago, wmcneil said:

I'm trying to set up WireGuard on my unRAID server, with the most basic access to get things debugged, and I am stuck. [...]

When I set mine up I forwarded a port in my router to the wireguard port. I set "Local server uses NAT:" to No and followed this troubleshooting tip:

 

In the WireGuard config, set "Use NAT" to No

In your router, add a static route that lets your network access the WireGuard "Local tunnel network pool" through the IP address of your Unraid system. For instance, for the default pool of 10.253.0.0/24 you should add this static route:

Network: 10.253.0.0/24 (aka 10.253.0.0 with subnet 255.255.255.0)

Gateway: <IP address of your Unraid system>

On the Docker settings page, set "Host access to custom networks" to "Enabled". see this:
https://forums.unraid.net/topic/84229-dynamix-wireguard-vpn/page/8/?tab=comments#comment-808801

 

This is the only way I could get it to work. Maybe it was my router specifically causing the issue. 

 

I'm also using Remote Access to Lan which works as you are hoping. 

 

And if you make any changes to configurations on the server or wireguard settings then you have to delete the peer from your client (android phone) and set up again in the client by scanning the QR code again. 

21 hours ago, adminmat said:

When I set mine up I forwarded a port in my router to the wireguard port. I set "Local server uses NAT:" to No and followed this troubleshooting tip [...]

Thank you for the info. I tried disabling NAT, adding a static route as you suggest, and creating a new peer for my phone using the QR code method. Neither "Remote access to server" nor "remote access to LAN" is working, and all I am trying to do is bring up the unRAID GUI using the local IP address of the unRAID server. I am out of things to try. I am going to have to give OpenVPN a try. Thanks again for posting the method that is working for you.

4 hours ago, wmcneil said:

I tried disabling NAT, adding a static route as you suggest, and creating a new peer for my phone using the QR code method. Neither "Remote access to server" nor "remote access to LAN" is working [...]

 Maybe try a different phone? Or another remote client? 

  • 3 weeks later...
On 1/29/2021 at 8:51 PM, timmyx said:

I had WG working flawlessly until I had to do a server reboot and apparently it's now broken, no idea why

 

I can't get a handshake anymore, but I haven't changed anything on the router/tower, I have my IP updated through duckdns

 

any clues? 😟

When you reboot the Wireguard gets switched to Inactive. 

1 hour ago, timmyx said:

Thanks, but I thought the autostart:on option would make it automatic?

 


That screenshot shows that WireGuard is active, so it did start up after the reboot.

 

Unfortunately, WireGuard fails silently so there are few clues as to where the problem lies.

 

The second post in this thread gives some specific things to look for but it may help to think about all the places the connection must pass through:

  • The client itself (WireGuard config, network config, DNS, local firewall, power savings mode)
  • The client's local LAN and router config (unless this is a mobile device on a data connection)
  • The client's Internet connection/ISP
  • The Internet between the client and server
  • The server's Internet connection/ISP
  • The server's local LAN and router config
  • The server itself (WireGuard config, network config)

Since this was working before, consider whether anything changed at any of those places.

If nothing clicks, try setting up a new WireGuard config.

On 1/11/2021 at 5:35 AM, wmcneil said:

all I am trying to do is bring up the unRAID GUI using the local IP address of the unRAID server.

What happens when you try accessing the webgui via IP address on the normal LAN? Does it redirect to another URL that requires name resolution? If so, the same thing will happen over WireGuard, so that final DNS url needs to resolve over the WireGuard connection too.

On 1/30/2021 at 11:08 PM, xupal said:

I am having trouble getting a handshake.  when I go to https://www.canyouseeme.org/ and forward 80 to 8080 on my router, I can see port 8080 is open.  when I forward 51820 to 51820 it does not seem to open.  Is this my router or my ISP preventing me from doing this?

 

WireGuard is designed to fail silently, so an open port detector will not be able to tell that the port is open.

 

Based on what you have written I would just say to be sure you forwarded a UDP port, not a TCP port. Other than that all I can suggest is to re-read the first two posts for ideas and think about all of the places that the data needs to pass through (see my reply to timmyx a few posts back)

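Because a WireGuard server answers nothing it cannot authenticate (a scanner's probe, an initiation made with the wrong public key, a stray TCP packet), the only place to see where a handshake stalls is a capture on the listen port, e.g. `tcpdump -ni eth0 udp port 51820` on the server side. The classifier below is an added example, not code from the thread or from WireGuard's own tooling: it reads the one-byte message type and three reserved zero bytes that start every WireGuard datagram (1 = handshake initiation, 2 = handshake response, 3 = cookie reply, 4 = transport data), checks the fixed handshake sizes (148, 92 and 64 bytes; transport data is at least 32) and pulls out the sender/receiver indices, then turns a list of (direction, payload) pairs into a diagnosis. The captures it is run on are constructed for the example; a real one would come from a pcap parser.

```python
"""Classify UDP payloads from a capture on the WireGuard port and say where a handshake stalls.

Added example, not from the thread or from WireGuard's tooling. The sample captures below
are constructed: valid headers and indices with zero padding in place of the real
cryptographic fields, which this classifier never inspects.
"""
import struct
from typing import Dict, Iterable, List, Optional, Tuple

MSG_NAMES = {1: "handshake-initiation", 2: "handshake-response",
             3: "cookie-reply", 4: "transport-data"}
FIXED_SIZES = {1: 148, 2: 92, 3: 64}   # transport data is variable, 32-byte minimum
TRANSPORT_MIN = 32


def classify(payload: bytes) -> Optional[Dict[str, object]]:
    """Return the parsed header, or None if the datagram is not a well-formed WireGuard message."""
    if len(payload) < 4 or payload[1:4] != b"\x00\x00\x00":
        return None
    mtype = payload[0]
    if mtype not in MSG_NAMES:
        return None
    if mtype in FIXED_SIZES and len(payload) != FIXED_SIZES[mtype]:
        return None
    if mtype == 4 and len(payload) < TRANSPORT_MIN:
        return None
    info: Dict[str, object] = {"type": mtype, "name": MSG_NAMES[mtype]}
    # a 4-byte little-endian session index follows the header: the initiator's own index
    # in type 1, the responder's index followed by the initiator's in type 2, the
    # receiver's index in types 3 and 4
    if mtype == 1:
        info["sender"] = struct.unpack_from("<I", payload, 4)[0]
    elif mtype == 2:
        info["sender"], info["receiver"] = struct.unpack_from("<II", payload, 4)
    else:
        info["receiver"] = struct.unpack_from("<I", payload, 4)[0]
    return info


def summarise(packets: Iterable[Tuple[str, bytes]]) -> str:
    """packets: ("in", payload) for datagrams arriving at the server, ("out", payload) for replies."""
    inits_in = responses_out = data = 0
    for direction, payload in packets:
        info = classify(payload)
        if info is None:
            continue                   # scanner probes and garbage: WireGuard stays silent on these
        if info["type"] == 1 and direction == "in":
            inits_in += 1
        elif info["type"] == 2 and direction == "out":
            responses_out += 1
        elif info["type"] == 4:
            data += 1
    if inits_in == 0:
        return "no initiations reached the server: check the UDP port forward, DDNS and the client's Endpoint"
    if responses_out == 0:
        return "initiations arrived but were never answered: the public keys on the two sides do not match"
    if data == 0:
        return "handshake completed but no transport data flowed: check AllowedIPs and routing on the client"
    return "handshake completed and data flowing"


def make_packet(mtype: int, *indices: int, length: Optional[int] = None) -> bytes:
    """Build a syntactically valid header plus zero padding (constructed test data, no real crypto)."""
    body = b"".join(struct.pack("<I", i) for i in indices)
    total = length if length is not None else FIXED_SIZES.get(mtype, TRANSPORT_MIN)
    return bytes([mtype, 0, 0, 0]) + body + bytes(total - 4 - len(body))


def stalled_capture() -> List[Tuple[str, bytes]]:
    """Constructed capture: the phone keeps sending initiations, the server never answers."""
    return [("in", make_packet(1, 0x11111111)),
            ("in", make_packet(1, 0x11111112)),
            ("in", b"GET / HTTP/1.0\r\n")]          # a port-scanner probe, silently ignored


def healthy_capture() -> List[Tuple[str, bytes]]:
    """Constructed capture: initiation, response, then data in both directions."""
    return [("in", make_packet(1, 0x22222222)),
            ("out", make_packet(2, 0x33333333, 0x22222222)),
            ("in", make_packet(4, 0x33333333, length=64)),
            ("out", make_packet(4, 0x22222222, length=64))]
```

Feed it the payloads from a real capture and the first branch that fires is the layer to look at: no initiations means the packets never arrive (the forward, NAT or DDNS in ljm42's list of hops), initiations without responses means the server received them but could not authenticate them, and a completed handshake with no data points at AllowedIPs or client routing rather than at the tunnel.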

I spoke to LJM42 about this a bit in my other thread but I figured I'd post in the proper thread for help as it still isn't working correctly...

 

I have server to server setup for doing backup and sync activities between two remote unraid servers. My problem lies in that for some strange reason I can only ever start the tunnel from one side of the connection despite my setup being identical (from what I can tell).

 

I've already tried completely deleting the tunnel on both ends and re-creating them.

 

VOID and NODE are both WG1 on their respective servers and have all the properly defined endpoints (see screenshots below).

 


 

VOID sits behind a PFSENSE box with a 2 port UDP range (51820-51821) forwarded for my two tunnels. I can always start the tunnel (WG1) from VOID.

 

NODE sits behind a Zyxel USG110 with the same 2 port UDP range forwarded. I can never start the tunnel (WG1) from NODE.

Once I send a ping from VOID to NODE, then and only then can NODE start talking to VOID.

 

In pfsense when I am attempting to ping from NODE to VOID I am seeing blocked connections in the firewall originating from NODE's endpoint IP/port and coming to VOID, but NOT on my forwarded ports, so they are getting denied.

 

I assume this is why I can't start the tunnel from the other side but why is it not respecting the set port? Do I just not understand how the ping function works? 


 


Oh bummer, I thought we got that working.

 

3 hours ago, weirdcrap said:

Do I just not understand how the ping function works? 

The ping function on NODE just calls "ping 10.253.1.2". Traffic to that IP triggers WireGuard on NODE to try and open a tunnel to VOID. Once the tunnel is open then the ping command travels over it.

 

So pfsense isn't blocking the ping, it is blocking the incoming WireGuard request from NODE. The fact that you can see the traffic being blocked means DDNS is correct at least. I would say there is an issue with the port forward on pfsense.

1 hour ago, ljm42 said:

So pfsense isn't blocking the ping, it is blocking the incoming WireGuard request from NODE. [...] I would say there is an issue with the port forward on pfsense.

Yeah I thought so as well, I guess I didn't wait long enough for the tunnel to close.

 

I don't get why WireGuard isn't using the ports I defined in the interface to communicate with the endpoints. My port forwards are for 51820 and 51821, but for whatever reason it's trying to hit random ports like 49997, 26608, 10757, etc.

 

It feels like I'm missing something really obvious that I've blatantly misconfigured, but I can't figure out what it is.

 

Source is on the left, which is me on NODE trying to ping VOID.

 

Destination is on the right which appears to be NODE trying random ports that the firewall is blocking because those aren't my forwarded ports.

 


 


On 9/12/2020 at 9:25 AM, deusxanime said:

I noticed a possible bug/issue with WireGuard on unRAID. I have a docker container that runs on a custom network and I needed it to talk to a container on bridge so I went into docker settings and enabled "Host access to custom networks". After doing so (and all the required stop/start/reboot), the containers could talk on the network and I thought all was well.

 

Later that week I tried to use my WG VPN tunnel access (LAN access and tunnel through server to my home internet WAN) on my laptop and phone, which I'd used previously and worked great then, since I was on an untrusted Wifi network. After connecting, I was able to access LAN resources on the unRAID server, but could not get the WG client systems to go out to the internet when I had WG turned on on them. I thought back to what had changed and all I could think of was the setting above. So today, since I had to restart unRAID to add a disk, I disabled that setting to test it out and after restarting I tried WG tunnel access and lo and behold it is working again! I can get to LAN resources as well as out to the WAN/internet while connected to WG on the clients.

 

So it seems like something with enabling the "Host access to custom networks" setting breaks WG's ability to allow VPN clients to tunnel through it and use the WAN while connected.

 

Unfortunately I'm also experiencing this issue. Is there any possible fix for this? 


Just to clarify - this pfsense screen is on VOID's network, right?

 

And where you blacked out the source and destination IPs - the "Source" column is NODE's public WAN IP and the "Destination" column is VOID's public WAN IP?

 

10 hours ago, weirdcrap said:

Why the random ports instead of the defined port that I have a forward for?

 

If my assumptions above are correct then I'm afraid I'm stumped.

