MoWer, posted December 9, 2020:

Hello everyone, I've been trying to set up WireGuard for two days now and I'm still struggling with the "Complex Networks" part. When I have the NAT option enabled and "Remote access to LAN", everything works as expected. I can reach physical devices on the local network without any issues (and can't reach docker containers on br0). When I set the NAT option to 'No' and define static routing on my router, things do not go that well: with this routing I can access the server and router through the VPN, but any other physical device is not accessible. When this entry is disabled I can access only the server. And as for now I have the "Host access to custom networks" option disabled. Am I missing something? Maybe I do not understand something and it should work that way.
adminmat, posted December 11, 2020:

I successfully set this up but I have a couple of questions: 1) Is there a way to access file shares from an Android phone? 2) How do I view the shares on unRAID from Windows when connected over WireGuard? I can navigate to different containers, the unRAID WebUI, etc. from my Windows laptop using the IP addresses, but no network devices show up in the "Networks" window. So how do I view the shares on unRAID from Windows when connected over WireGuard?
MoWer, posted December 11, 2020:

8 hours ago, adminmat said:
> How do I view the shares on unRAID from Windows when connected over WireGuard?

You should be able to use the unRAID server IP and share name directly. E.g. you can type \\<unRAID IP>\<Share name> in Windows Explorer. Or map a network drive for easier access.
adminmat, posted December 11, 2020:

10 hours ago, MoWer said:
> You should be able to use the unRAID server IP and share name directly. E.g. you can type \\<unRAID IP>\<Share name> in Windows Explorer. Or map a network drive for easier access.

Yep, this helped me. Thanks. I'm now able to connect to the shares remotely and move files. I can ping everything on the network remotely except, strangely, one Windows 10 PC. It's set up to allow Echo Request - ICMPv4-In, so I can't figure out why. I can ping that PC from other devices on the same local network, just not through WireGuard and my phone's hotspot.
akamemmnon, posted December 14, 2020:

I use swag to route all the traffic to my dockers, but wanted to set up WireGuard using a subdomain. Is there a way to not have that route through swag? If I put my home IP address it works fine. Or can you use swag to point it to the right place?
Varean, posted December 22, 2020:

I'm trying to set up a new peer in Unraid, but after I name the peer and generate both keys I try to hit 'Apply' and nothing happens; if I leave the page and go back, the entry I created is gone. Anyone else see this kind of issue?
hdlineage, posted December 25, 2020:

Feature request: allow users to configure custom PostUp and PostDown scripts. I have some iptables rules I want to use, but they get overwritten every time I change the config through the GUI. It would be nice to have a field in the GUI where we can use them.
Selmak, posted January 7, 2021:

Hi, I have been routing some of my dockers via a custom WireGuard network. I got the idea from nickb.dev and Reddit. The way I have it starting up is via the go file. I did install resolvconf from slackware.pkgs.org. You can also just use the --dns= flag on the docker containers.

    ip link add dev vpnac-us19 type wireguard
    wg setconf vpnac-us19 /etc/wireguard/vpnac-us19.conf
    ip address add 10.11.2.55 dev vpnac-us19
    ip link set up dev vpnac-us19
    printf 'nameserver %s\n' 10.11.0.1 | resolvconf -a tun.vpnac-us19 -m 0 -x
    sysctl -w net.ipv4.conf.all.rp_filter=2
    ip rule add from 172.18.0.0/16 table 200
    ip route add default via 10.11.2.55 metric 2 table 200
    ip rule add table main suppress_prefixlength 0
    ip route add blackhole default metric 3 table 200
    ip link set mtu 1420 up dev vpnac-us19

Everything seems to work; I can access the web UI of the containers. If I manually bring down the link with

    ip link del dev vpnac-us19

the containers get null routed via

    ip route add blackhole default metric 3 table 200

I have been playing with a script from Reddit. If I run it manually it works, however it does not seem to insert the DNS into the /etc/resolv.conf file. If I run the command manually it works:

    printf 'nameserver %s\n' 10.11.0.1 | resolvconf -a tun.vpnac-us19 -m 0 -x

I tried getting the script to run via the go file and the userscripts, but for some reason it would not work. Here is the script I have been using.

    #!/bin/bash
    # Script to create a split tunnel wireguard interface that will only tunnel a specific
    # Docker network through wireguard. All other traffic will not be vpn'ed. The script will
    # create a boot configuration so the interface comes back online after reboots.
    # It also creates the routes so that WebGUIs are still accessible from the LAN and the
    # vpn'ed containers can still reach other docker containers.
    # Usage wireguard <up|down|status>

    ## Set variables
    # Name of the docker network to route through wireguard
    # This network will be created if it does not exist using 10.30.0.0/16
    DOCKER_NET_NAME="vpn-docker"
    # Name of wireguard interface to create
    DEV_NAME="vpnac-us19"

    ##########################################################################################
    # Nothing to edit below this line

    tecreset=$(tput sgr0)
    COL="12G"

    set_ok () { echo -e -n "\\033[0G[ \E[0;32m OK $tecreset ] "; }
    set_failed () { echo -e -n "\\033[0G[ \E[0;31mFAILED$tecreset ] "; }
    # Print the command at column $COL, then run it with its output discarded
    echo_and_run () { echo -n -e "\\033[$COL$*" ; "$@" > /dev/null 2>&1; }

    # Called right after a CHECK=`...` assignment, so $? on entry is the exit status of
    # that check command. If the check failed (item not present yet), run $1 once.
    while_check () {
        RETVAL=$?
        while [ $RETVAL -ne 0 ]; do
            set_failed; echo_and_run $1
            echo $2
            RETVAL=$?
        done
        set_ok; echo -e "\\033[$COL$CMD"
    }

    # Run $1 and stop the script if the command itself fails.
    # RETVAL must be read directly after echo_and_run; reading it after the CHECK=$2
    # assignment (as the Reddit version did) always gives 0 and masks every failure.
    if_check () {
        CMD=$1
        echo_and_run $1
        RETVAL=$?
        CHECK=$2
        if [ $RETVAL -ne 0 ]; then
            set_failed; echo
            exit 1
        fi
        set_ok; echo
    }

    # Compare the public IP seen from inside the docker network with the endpoint.
    # No -t/-i: curl needs no terminal, and a TTY is not available when run from the
    # go file at boot (and -t adds a trailing \r that breaks the comparison).
    vpn_check () {
        VPNIP=`docker run --rm --net=$DOCKER_NET_NAME appropriate/curl https://api.ipify.org`
        IP=`curl --silent https://api.ipify.org`
        if [[ $VPNIP == *"Could not resolve host"* ]]; then
            set_ok; echo "Not Connected to Endpoint: Blackhole active"
        elif [[ $VPNIP == $ENDPOINT_IP ]]; then
            set_ok; echo "Connected to $ENDPOINT_IP"
        elif [[ $VPNIP == $IP ]]; then
            set_failed; echo "Not Connected to Endpoint: Blackhole NOT active!"
        fi
    }

    # check module is installed
    MOD_CHECK=`lsmod | grep wire`
    RETVAL=$?
    if [ $RETVAL -ne 0 ]; then
        set_failed; echo -e "WireGuard Module Not Installed."
        exit 1
    fi
    set_ok; echo -e "\\033[$COL WireGuard Module Installed"

    # check for conf file
    if [ ! -f "/etc/wireguard/$DEV_NAME.conf" ]; then
        set_failed; echo -e "\\033[$COL/etc/wireguard/$DEV_NAME.conf"
        exit 1
    fi
    set_ok; echo -e "\\033[$COL/etc/wireguard/$DEV_NAME.conf"

    # Get IP addresses and subnets needed
    DOCKER_NET=`docker network inspect $DOCKER_NET_NAME | grep Subnet | awk '{print $2}' | sed 's/[",]//g'`
    INTERFACE_IP=`grep Address /etc/wireguard/$DEV_NAME.conf | awk '{print $3}' | cut -d/ -f1`
    ENDPOINT_IP=`grep Endpoint /etc/wireguard/$DEV_NAME.conf | awk '{print $3}' | cut -d: -f1`
    #FILE="/mnt/user/temppc/$DEV_NAME"

    up (){
        # add wireguard interface
        CMD="ip link add $DEV_NAME type wireguard"
        CHECK=`ip addr | grep $DEV_NAME`
        if_check "$CMD" "$CHECK"

        # set wireguard conf
        CMD="wg setconf $DEV_NAME /etc/wireguard/$DEV_NAME.conf"
        CHECK=`wg showconf $DEV_NAME 2>/dev/null`
        if_check "$CMD" "$CHECK"

        # assign ip to wireguard interface
        CMD="ip addr add $INTERFACE_IP dev $DEV_NAME"
        CHECK=`ip addr | grep $INTERFACE_IP`
        if_check "$CMD" "$CHECK"

        # set sysctl (loose reverse-path filtering so replies arriving via the tunnel
        # are accepted); the Reddit version only echoed this line without running it
        CMD="sysctl -w net.ipv4.conf.all.rp_filter=2"
        set_ok; echo_and_run $CMD; echo

        # set mtu for wireguard interface
        CMD="ip link set mtu 1420 up dev $DEV_NAME"
        set_ok; echo_and_run $CMD; echo

        # bring wireguard interface up
        CMD="ip link set up dev $DEV_NAME"
        CHECK=`ip addr | grep $DEV_NAME | grep UP`
        if_check "$CMD" "$CHECK"

        # create docker network
        CMD="docker network create $DOCKER_NET_NAME --subnet 10.30.0.0/16 -o com.docker.network.driver.mtu=1420"
        CHECK=`docker network inspect $DOCKER_NET_NAME > /dev/null 2>&1`
        while_check "$CMD" "$CHECK"
        # re-read the subnet now that the network exists (empty on a first run otherwise)
        DOCKER_NET=`docker network inspect $DOCKER_NET_NAME | grep Subnet | awk '{print $2}' | sed 's/[",]//g'`

        # add table 200
        CMD="ip rule add from $DOCKER_NET table 200"
        CHECK=`ip rule show | grep -w "lookup 200"`
        while_check "$CMD" "$CHECK"

        # add blackhole
        CMD="ip route add blackhole default metric 3 table 200"
        CHECK=`ip route show table 200 | grep -w "blackhole"`
        while_check "$CMD" "$CHECK"

        # add default route for table 200
        CMD="ip route add default via $INTERFACE_IP metric 2 table 200"
        CHECK=`ip route show table 200 | grep -w $INTERFACE_IP`
        while_check "$CMD" "$CHECK"

        # add local lan route
        CMD="ip rule add table main suppress_prefixlength 0"
        CHECK=`ip rule show | grep -w "suppress_prefixlength"`
        while_check "$CMD" "$CHECK"

        # add dns. The command contains a pipe, so it has to go through eval;
        # the Reddit version only echoed it, which is why resolv.conf never changed
        CMD="printf 'nameserver %s\n' 10.11.0.1 | resolvconf -a tun.$DEV_NAME -m 0 -x"
        set_ok; echo "$CMD"; eval "$CMD"

        # check vpn ip
        vpn_check
    }

    down (){
        # del wireguard interface
        CMD="ip link del $DEV_NAME"
        CHECK=`ip addr | grep $DEV_NAME`
        if_check "$CMD" "$CHECK"

        # check table 200
        CMD="ip rule add from $DOCKER_NET table 200"
        CHECK=`ip rule show | grep -w "lookup 200"`
        while_check "$CMD" "$CHECK"

        # check blackhole
        CMD="ip route add blackhole default metric 3 table 200"
        CHECK=`ip route show table 200 | grep -w "blackhole"`
        while_check "$CMD" "$CHECK"

        # check to make sure blackhole is active
        vpn_check
    }

    status(){
        # check blackhole
        CMD="ip route add blackhole default metric 3 table 200"
        CHECK=`ip route show table 200 | grep -w "blackhole"`
        while_check "$CMD" "$CHECK"

        # check to make sure blackhole is active
        vpn_check
    }

    command="$1"
    shift
    case "$command" in
        up) up "$@" ;;
        down) down "$@" ;;
        status) status "$@" ;;
        *) echo "Usage: $0 up|down|status" >&2; exit 1 ;;
    esac

Does anyone know a better way to have it run?
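The script above relies on a fail-closed layout: the container subnet is sent to table 200, the tunnel default route sits there at metric 2 with a blackhole default at metric 3 underneath it (so deleting the interface leaves only the blackhole), and the "lookup main suppress_prefixlength 0" rule keeps the container WebGUIs reachable from the LAN. Rather than asking an external IP service whether that is still true, the rule and route tables can be audited directly. The following is an added example and is not Selmak's script or the Reddit script it came from: it classifies the routing state from the text of `ip rule show` and `ip route show table 200`, using constructed sample output for the 10.30.0.0/16 network the script creates. The function names, the sample text and the `live` argument are this example's own.

```shell
#!/bin/bash
# Added example (not from the thread): audit the policy-routing kill switch built by
# the script above, from the text of `ip rule show` and `ip route show table 200`.

# route_state RULES TABLE200 SUBNET -> prints one of: tunnel | blackhole | leak
#   leak      : no rule sends SUBNET to table 200, or table 200 has no default route,
#               so lookups fall through to the main table and leave via the normal WAN
#   tunnel    : "default via <tunnel address> ... metric 2" is present and wins
#   blackhole : only "blackhole default" remains (tunnel interface is gone)
route_state() {
    rules=$1; table=$2; subnet=$3
    if ! printf '%s\n' "$rules" | awk -v s="$subnet" \
            '$2=="from" && $3==s && $4=="lookup" && $5=="200" {found=1} END {exit !found}'; then
        echo leak; return 0
    fi
    if printf '%s\n' "$table" | grep -qE '^default via [0-9.]+ dev [^ ]+ .*metric 2$'; then
        echo tunnel
    elif printf '%s\n' "$table" | grep -qE '^blackhole default( metric [0-9]+)?$'; then
        echo blackhole
    else
        echo leak
    fi
}

# lan_bypass_ok RULES SUBNET -> exit 0 when the "from all lookup main suppress_prefixlength 0"
# rule exists AND has a lower preference number than the table-200 rule, i.e. it is
# evaluated first. That ordering is what lets LAN-specific routes from the main table
# win while the tunnel default still applies to everything else.
lan_bypass_ok() {
    rules=$1; subnet=$2
    printf '%s\n' "$rules" | awk -v s="$subnet" '
        { pref=$1; sub(":", "", pref) }
        $2=="from" && $3=="all" && $5=="main" && $6=="suppress_prefixlength" { lan=pref+0; have_lan=1 }
        $2=="from" && $3==s && $5=="200" { vpn=pref+0; have_vpn=1 }
        END { exit !(have_lan && have_vpn && lan < vpn) }'
}

# Constructed samples of what the two commands print after the script has run.
# (real `ip rule` output separates fields with a tab; awk splits on either)
SAMPLE_RULES='0: from all lookup local
32764: from all lookup main suppress_prefixlength 0
32765: from 10.30.0.0/16 lookup 200
32766: from all lookup main
32767: from all lookup default'
SAMPLE_TABLE_UP='default via 10.11.2.55 dev vpnac-us19 metric 2
blackhole default metric 3'
SAMPLE_TABLE_DOWN='blackhole default metric 3'

if [ "${1:-}" = "live" ]; then
    # audit the running host instead of the samples (needs iproute2 and root)
    route_state "$(ip rule show)" "$(ip route show table 200)" 10.30.0.0/16
    lan_bypass_ok "$(ip rule show)" 10.30.0.0/16 && echo "LAN bypass rule ordered correctly"
else
    route_state "$SAMPLE_RULES" "$SAMPLE_TABLE_UP" 10.30.0.0/16      # tunnel
    route_state "$SAMPLE_RULES" "$SAMPLE_TABLE_DOWN" 10.30.0.0/16    # blackhole
    lan_bypass_ok "$SAMPLE_RULES" 10.30.0.0/16 && echo "LAN bypass rule ordered correctly"
fi
```

Run it with `live` on the host to audit the real tables; without arguments it runs against the constructed samples. `leak` is the state to alarm on: it means the container subnet is no longer pinned to table 200, or table 200 has no default route at all, so container traffic falls through to the main table and leaves through the normal WAN without the blackhole ever being consulted.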
wmcneil, posted January 10, 2021:

I'm trying to set up WireGuard on my unRAID server, with the most basic access to get things debugged, and I am stuck. I am using a "Remote Access to Server" peer definition (screenshot of unRAID GUI settings attached). I am using my Android phone as the peer connection (with wifi disabled), and used the QR capture method to create the tunnel configuration on the phone. When I attempt to connect to the local numeric IP of the unRAID server GUI on the phone, the browser is unable to connect. I have double and triple checked that the router is port forwarding to the correct local IP of the unRAID server, using UDP, and the port (51820) in the settings. Don't know what else to try; thanks in advance for any advice.
adminmat, posted January 10, 2021:

19 minutes ago, wmcneil said:
> I'm trying to set up WireGuard on my unRAID server, with the most basic access to get things debugged, and I am stuck. I am using a "Remote Access to Server" peer definition (screenshot of unRAID GUI settings attached). I am using my Android phone as the peer connection (with wifi disabled), and used the QR capture method to create the tunnel configuration on the phone. When I attempt to connect to the local numeric IP of the unRAID server GUI on the phone, the browser is unable to connect. I have double and triple checked that the router is port forwarding to the correct local IP of the unRAID server, using UDP, and the port (51820) in the settings. Don't know what else to try; thanks in advance for any advice.

When I set mine up I forwarded a port in my router to the WireGuard port. I set "Local server uses NAT:" to No and followed this troubleshooting tip:

    In the WireGuard config, set "Use NAT" to No.
    In your router, add a static route that lets your network access the WireGuard "Local tunnel network pool" through the IP address of your Unraid system. For instance, for the default pool of 10.253.0.0/24 you should add this static route:
        Network: 10.253.0.0/24 (aka 10.253.0.0 with subnet 255.255.255.0)
        Gateway: <IP address of your Unraid system>
    On the Docker settings page, set "Host access to custom networks" to "Enabled".
    See this: https://forums.unraid.net/topic/84229-dynamix-wireguard-vpn/page/8/?tab=comments#comment-808801

This is the only way I could get it to work. Maybe it was my router specifically causing the issue. I'm also using Remote Access to LAN, which works as you are hoping. And if you make any changes to configurations on the server or WireGuard settings then you have to delete the peer from your client (Android phone) and set it up again in the client by scanning the QR code again.
wmcneil, posted January 11, 2021:

21 hours ago, adminmat said:
> When I set mine up I forwarded a port in my router to the WireGuard port. I set "Local server uses NAT:" to No and followed this troubleshooting tip: (In the WireGuard config, set "Use NAT" to No. In your router, add a static route that lets your network access the WireGuard "Local tunnel network pool" through the IP address of your Unraid system. For instance, for the default pool of 10.253.0.0/24 you should add this static route: Network: 10.253.0.0/24 (aka 10.253.0.0 with subnet 255.255.255.0), Gateway: <IP address of your Unraid system>. On the Docker settings page, set "Host access to custom networks" to "Enabled". See this: https://forums.unraid.net/topic/84229-dynamix-wireguard-vpn/page/8/?tab=comments#comment-808801) This is the only way I could get it to work. Maybe it was my router specifically causing the issue. I'm also using Remote Access to LAN, which works as you are hoping. And if you make any changes to configurations on the server or WireGuard settings then you have to delete the peer from your client (Android phone) and set it up again in the client by scanning the QR code again.

Thank you for the info. I tried disabling NAT, adding a static route as you suggest, and creating a new peer for my phone using the QR code method. Neither "Remote access to server" nor "Remote access to LAN" is working, and all I am trying to do is bring up the unRAID GUI using the local IP address of the unRAID server. I am out of things to try. I am going to have to give OpenVPN a try. Thanks again for posting the method that is working for you.
adminmat, posted January 11, 2021:

4 hours ago, wmcneil said:
> Thank you for the info. I tried disabling NAT, adding a static route as you suggest, and creating a new peer for my phone using the QR code method. Neither "Remote access to server" nor "Remote access to LAN" is working, and all I am trying to do is bring up the unRAID GUI using the local IP address of the unRAID server. I am out of things to try. I am going to have to give OpenVPN a try. Thanks again for posting the method that is working for you.

Maybe try a different phone? Or another remote client?
timmyx, posted January 30, 2021:

I had WG working flawlessly until I had to do a server reboot, and apparently it's now broken. No idea why I can't get a handshake anymore, but I haven't changed anything on the router/tower. I have my IP updated through duckdns. Any clues? 😟
xupal, posted January 31, 2021:

I am having trouble getting a handshake. When I go to https://www.canyouseeme.org/ and forward 80 to 8080 on my router, I can see port 8080 is open. When I forward 51820 to 51820 it does not seem to open. Is this my router or my ISP preventing me from doing this?
adminmat, posted January 31, 2021:

On 1/29/2021 at 8:51 PM, timmyx said:
> I had WG working flawlessly until I had to do a server reboot, and apparently it's now broken. No idea why I can't get a handshake anymore, but I haven't changed anything on the router/tower. I have my IP updated through duckdns. Any clues? 😟

When you reboot, WireGuard gets switched to Inactive.
timmyx, posted February 1, 2021:

On 1/31/2021 at 6:23 AM, adminmat said:
> When you reboot, WireGuard gets switched to Inactive.

Thanks, but I thought the autostart:on option would make it automatic?
ljm42 (author), posted February 1, 2021:

1 hour ago, timmyx said:
> Thanks, but I thought the autostart:on option would make it automatic?

That screenshot shows that WireGuard is active, so it did start up after the reboot. Unfortunately, WireGuard fails silently, so there are few clues as to where the problem lies. The second post in this thread gives some specific things to look for, but it may help to think about all the places the connection must pass through:

- The client itself (WireGuard config, network config, DNS, local firewall, power saving mode)
- The client's local LAN and router config (unless this is a mobile device on a data connection)
- The client's Internet connection/ISP
- The Internet between the client and server
- The server's Internet connection/ISP
- The server's local LAN and router config
- The server itself (WireGuard config, network config)

Since this was working before, consider whether anything changed at any of those places. If nothing clicks, try setting up a new WireGuard config.
ljm42 (author), posted February 1, 2021:

On 1/11/2021 at 5:35 AM, wmcneil said:
> all I am trying to do is bring up the unRAID GUI using the local IP address of the unRAID server.

What happens when you try accessing the webgui via IP address on the normal LAN? Does it redirect to another URL that requires name resolution? If so, the same thing will happen over WireGuard, so that final DNS URL needs to resolve over the WireGuard connection too.
ljm42 (author), posted February 1, 2021:

On 1/30/2021 at 11:08 PM, xupal said:
> I am having trouble getting a handshake. When I go to https://www.canyouseeme.org/ and forward 80 to 8080 on my router, I can see port 8080 is open. When I forward 51820 to 51820 it does not seem to open. Is this my router or my ISP preventing me from doing this?

WireGuard is designed to fail silently, so an open port detector will not be able to tell that the port is open. Based on what you have written I would just say to be sure you forwarded a UDP port, not a TCP port. Other than that, all I can suggest is to re-read the first two posts for ideas and think about all of the places that the data needs to pass through (see my reply to timmyx a few posts back).
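Because the protocol fails silently, an external port scanner tells you nothing, but the server side does keep one piece of positive evidence: the timestamp of the last completed handshake for each peer. Reading it separates the failures discussed above (timmyx's "no handshake since reboot", xupal's port test) into "this peer has never completed a handshake" versus "it did, but has gone quiet". The following is an added example, not code from the Unraid plugin or from anyone in this thread: a checker that reads the output of `wg show <iface> latest-handshakes` (one line per peer with the peer's public key and a Unix timestamp, 0 when no handshake has ever happened) and flags peers with no handshake within a threshold. The sample lines, placeholder keys, function name and `live` argument are constructed for the example; the 180-second threshold is an assumption based on WireGuard rekeying an active session roughly every two minutes.

```shell
#!/bin/bash
# Added example (not from the thread): flag WireGuard peers with no recent handshake,
# from the output of `wg show <iface> latest-handshakes`.
#
# Usage: wg show wg0 latest-handshakes | check_handshakes 180
#   MAXAGE (arg 1): seconds since the last handshake above which a peer is "stale"
#   NOW    (arg 2, optional): reference epoch time, only used to make runs reproducible
# Exit status is 1 if any peer is stale or has never handshaked, else 0.
check_handshakes() {
    maxage=$1
    now=${2:-$(date +%s)}
    awk -v max="$maxage" -v now="$now" '
        NF < 2 { next }                                            # ignore blank lines
        $2 == 0        { printf "%s\tnever\n", $1; bad=1; next }   # 0 = no handshake ever
        now - $2 > max { printf "%s\tstale %ds\n", $1, now - $2; bad=1; next }
                       { printf "%s\tok %ds\n", $1, now - $2 }
        END { exit bad ? 1 : 0 }'
}

# Constructed sample of the command output (keys are placeholders, not real peer keys;
# real output separates the two fields with a tab, awk splits on either).
SAMPLE='PEER_A_PUBKEY_PLACEHOLDER= 1612137500
PEER_B_PUBKEY_PLACEHOLDER= 0
PEER_C_PUBKEY_PLACEHOLDER= 1612130000'
SAMPLE_NOW=1612137600

if [ "${1:-}" = "live" ]; then
    # check the running tunnel (interface name defaults to wg0; needs wg and root)
    wg show "${2:-wg0}" latest-handshakes | check_handshakes 180 \
        || echo "one or more peers have no recent handshake"
else
    printf '%s\n' "$SAMPLE" | check_handshakes 180 "$SAMPLE_NOW" \
        || echo "one or more peers have no recent handshake"
fi
```

On the samples, peer A handshaked 100 s ago (ok), peer B never did, and peer C last handshaked 7600 s ago (stale). A "never" for a peer that is actively trying to connect means its handshake initiation is not reaching the server at all, which points at the path ljm42 lists (client config, port forward, UDP vs TCP, DDNS); a "stale" peer did get through at some point, so whatever changed since is the place to look.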
weirdcrap, posted February 8, 2021:

I spoke to LJM42 about this a bit in my other thread, but I figured I'd post in the proper thread for help as it still isn't working correctly. I have a server-to-server setup for doing backup and sync activities between two remote Unraid servers. My problem lies in that, for some strange reason, I can only ever start the tunnel from one side of the connection despite my setup being identical (from what I can tell). I've already tried completely deleting the tunnel on both ends and re-creating them. VOID and NODE are both WG1 on their respective servers and have all the properly defined endpoints (see screenshots below). VOID sits behind a pfSense box with a 2-port UDP range (51820-51821) forwarded for my two tunnels. I can always start the tunnel (WG1) from VOID. NODE sits behind a Zyxel USG110 with the same 2-port UDP range forwarded. I can never start the tunnel (WG1) from NODE. Once I send a ping from VOID to NODE, then and only then can NODE start talking to VOID. In pfSense, when I am attempting to ping from NODE to VOID, I am seeing blocked connections in the firewall originating from NODE's endpoint IP/port and coming to VOID but NOT on my forwarded ports, so they are getting denied. I assume this is why I can't start the tunnel from the other side, but why is it not respecting the set port? Do I just not understand how the ping function works?
ljm42 (author), posted February 8, 2021:

Oh bummer, I thought we got that working.

3 hours ago, weirdcrap said:
> Do I just not understand how the ping function works?

The ping function on NODE just calls "ping 10.253.1.2". Traffic to that IP triggers WireGuard on NODE to try and open a tunnel to VOID. Once the tunnel is open, the ping command travels over it. So pfSense isn't blocking the ping; it is blocking the incoming WireGuard request from NODE. The fact that you can see the traffic being blocked means DDNS is correct at least. I would say there is an issue with the port forward on pfSense.
weirdcrap, posted February 8, 2021:

1 hour ago, ljm42 said:
> Oh bummer, I thought we got that working. The ping function on NODE just calls "ping 10.253.1.2". Traffic to that IP triggers WireGuard on NODE to try and open a tunnel to VOID. Once the tunnel is open, the ping command travels over it. So pfSense isn't blocking the ping; it is blocking the incoming WireGuard request from NODE. The fact that you can see the traffic being blocked means DDNS is correct at least. I would say there is an issue with the port forward on pfSense.

Yeah, I thought so as well; I guess I didn't wait long enough for the tunnel to close. I don't get why WireGuard isn't using the ports I defined in the interface to communicate with the endpoints. My port forwards are for 51820 and 51821, but for whatever reason it's trying to hit random ports like 49997, 26608, 10757, etc. It feels like I'm missing something really obvious that I've blatantly misconfigured, but I can't figure out what it is. Source is on the left, which is me on NODE trying to ping VOID. Destination is on the right, which appears to be NODE trying random ports that the firewall is blocking because those aren't my forwarded ports.
SiggiSpak, posted February 10, 2021:

On 9/12/2020 at 9:25 AM, deusxanime said:
> I noticed a possible bug/issue with WireGuard on unRAID. I have a docker container that runs on a custom network and I needed it to talk to a container on bridge, so I went into docker settings and enabled "Host access to custom networks". After doing so (and all the required stop/start/reboot), the containers could talk on the network and I thought all was well. Later that week I tried to use my WG VPN tunnel access (LAN access and tunnel through server to my home internet WAN) on my laptop and phone, which I'd used previously and worked great then, since I was on an untrusted Wifi network. After connecting, I was able to access LAN resources on the unRAID server, but could not get the WG client systems to go out to the internet when I had WG turned on on them. I thought back to what had changed and all I could think of was the setting above. So today, since I had to restart unRAID to add a disk, I disabled that setting to test it out and after restarting I tried WG tunnel access and lo and behold it is working again! I can get to LAN resources as well as out to the WAN/internet while connected to WG on the clients. So it seems like something with enabling the "Host access to custom networks" setting breaks WG's ability to allow VPN clients to tunnel through it and use the WAN while connected.

Unfortunately I'm also experiencing this issue. Is there any possible fix for this?
weirdcrap, posted February 11, 2021:

I am still perplexed by why WireGuard is not using the port specified in its config to hit my home server. Why the random ports instead of the defined port that I have a forward for?
ljm42 (author), posted February 12, 2021:

Just to clarify: this pfSense screen is on VOID's network, right? And where you blacked out the source and destination IPs, the "Source" column is NODE's public WAN IP and the "Destination" column is VOID's public WAN IP?

10 hours ago, weirdcrap said:
> Why the random ports instead of the defined port that I have a forward for?

If my assumptions above are correct then I'm afraid I'm stumped.