WireGuard quickstart



6 hours ago, ljm42 said:

Just to clarify - this pfsense screen is on VOID's network right?

 

And where you blacked out the source and destination IPs - the "Source" column is NODE's public WAN IP and the "Destination" column is VOID's public WAN IP?

 

 

If my assumptions above are correct then I'm afraid I'm stumped

You are correct on all counts. I have no clue what to make of it, I've recreated the tunnel and peer numerous times...


Could this be some sort of weird networking or router tech?  My only thought would be to turn on allowed connection logging and compare the "good" connections to the "bad" connections.

Link to comment
On 2/1/2021 at 9:34 AM, ljm42 said:

 

WireGuard is designed to fail silently, so an open port detector will not be able to tell that the port is open.

 

Based on what you have written I would just say to be sure you forwarded a UDP port, not a TCP port. Other than that all I can suggest is to re-read the first two posts for ideas and think about all of the places that the data needs to pass through (see my reply to timmyx a few posts back)

I have tried to set it up numerous times.  I have tried UPnP and manually setting the firewall ports.  I have ensured that it is UDP and not TCP.  I am really at a loss here.

Link to comment
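The "fails silently" point quoted above, shown on localhost as an added example (not part of the original posts or of WireGuard itself): a UDP service that answers only authenticated datagrams looks the same to a port checker as a filtered port. `SECRET` is a constructed stand-in for WireGuard's key-based authentication, and the function names are hypothetical.

```python
import socket
import threading

SECRET = b"constructed-demo-token"  # stand-in for real cryptographic authentication

def start_silent_service():
    """Bind a UDP port that replies only to datagrams equal to SECRET."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    srv.bind(("127.0.0.1", 0))  # port 0: let the OS pick a free port

    def loop():
        while True:
            try:
                data, peer = srv.recvfrom(256)
            except OSError:  # socket was closed: stop serving
                return
            if data == SECRET:
                srv.sendto(b"ok", peer)
            # anything else is dropped without any reply

    threading.Thread(target=loop, daemon=True).start()
    return srv, srv.getsockname()[1]

def probe_udp(port, payload=b"probe", timeout=0.5, host="127.0.0.1"):
    """Send one datagram and classify the result the way a port checker would."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.connect((host, port))  # a connected UDP socket surfaces ICMP errors
        try:
            s.send(payload)
            s.recv(64)
            return "replied"
        except ConnectionRefusedError:
            return "closed"  # ICMP port unreachable came back
        except socket.timeout:
            return "no-reply"  # open-but-silent and filtered look identical

if __name__ == "__main__":
    srv, port = start_silent_service()
    print("unauthenticated probe:", probe_udp(port))
    print("authenticated peer:   ", probe_udp(port, payload=SECRET))
    srv.close()
```

A "no-reply" result therefore says nothing about whether the port forward works; only a completed handshake from a correctly configured peer does.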
  • 3 weeks later...

Hi all,

 

thanks for this great plugin. I have WireGuard set up with the peer being "remote access to server". This works well, but I need some help with my configuration.

 

What I want to do:

I want to connect all my devices to the NAS using the same IP address, regardless of whether I'm on my local network or not and regardless of whether WireGuard is on (when on local network).

 

Current problem:

My unRAID is on 192.169.1.116 (local network). The standard "local tunnel address" was somewhere in the 10.xx.xx.xx range. This created the following problem: I have my NAS connected via samba under 192.169.1.116 (local address). Once I leave the house and I turn on WireGuard, that address cannot be used anymore and I need to add another server using the 10.xx.xx.xx address instead of the 192.169.1.116. That's of course not what I want.

 

So I changed the "local tunnel address" to 192.168.1.116 (and the tunnel to 192.168.1.1/24) which allows me to connect via WireGuard using the "local IP" BUT once I'm back on my local network and WireGuard is still activated, I cannot access the NAS. This makes sense, but I don't know what the solution could be.

 

Question:

Can anyone help me with my setup? I want to connect to the NAS using the same IP, regardless of whether I'm on my local network or not (and for when I'm at home, regardless of whether WireGuard is running).

 

Help is much appreciated, thanks so much!

 

All the best,

Benedikt

Edited by benediktleb
Link to comment
6 hours ago, benediktleb said:

So I changed the "local tunnel address" to 192.168.1.116

You'll need to revert that. Think of this as a tunnel *between* the local and remote networks. It is a unique network of its own, not part of either the local or remote.

 

6 hours ago, benediktleb said:

I have WireGuard set up with the peer being "remote access to server".

If you want to use the LAN's network address, switch to "remote access to LAN"

  • Like 1
Link to comment
38 minutes ago, ljm42 said:

You'll need to revert that. Think of this as a tunnel *between* the local and remote networks. It is a unique network of its own, not part of either the local or remote.

 

If you want to use the LAN's network address, switch to "remote access to LAN"

Works like a charm. Could have thought of that myself, too, what a simple answer. Thanks so much!

  • Like 1
Link to comment
On 2/1/2021 at 2:23 PM, ljm42 said:

That screenshot shows that WireGuard is active, so it did start up after the reboot.

 

Unfortunately, WireGuard fails silently so there are few clues as to where the problem lies.

 

The second post in this thread gives some specific things to look for but it may help to think about all the places the connection must pass through:

  • The client itself (WireGuard config, network config, DNS, local firewall, power savings mode)
  • The client's local LAN and router config (unless this is a mobile device on a data connection)
  • The client's Internet connection/ISP
  • The Internet between the client and server
  • The server's Internet connection/ISP
  • The server's local LAN and router config
  • The server itself (WireGuard config, network config)

Since this was working before, consider whether anything changed at any of those places.

If nothing clicks, try setting up a new WireGuard config

So thanks for your reply

 

I did some further testing and it seems something is broken when there's a reset: router (IP changes, although I set duckdns for wireguard) or server

 

autostart:on is set on unraid

 

remote connections/handshakes work flawlessly upon first setup (delete tunnel, set up a new one -- done this dozen times lol)

 

when there's a reset tho, everything goes south :(

 

I might need to revert to vpn since I can't trust my unraid with WG at this point -- and I can't know why!!!! :( 

Link to comment
On 3/4/2021 at 1:41 PM, ljm42 said:

 

Do you use the "local tunnel firewall"? There is a fix in Unraid 6.9.0 that should resolve a problem with the local tunnel firewall on reboot, see: https://forums.unraid.net/topic/84229-dynamix-wireguard-vpn/page/18/?tab=comments#comment-944303  

 

Hey! Thanks for the response.

 

Mine is set like this (I think it's default - not exactly sure I changed anything here)

[screenshot]

 

I haven't updated to 6.9, should it work if I add the script in the /boot/config/go ?

Fingers crossed!

 

Link to comment

So I just set up WireGuard and used Remote Tunneled Access instead of Remote Access to LAN as my Peer Type of Access. I added the DNS.WATCH DNS Server to the Peer DNS Server option and I'm able to browse the internet, but I'm not able to access my Unraid server.

 

Am I right to assume that Remote Tunneled Access does NOT allow you to access your Unraid server? Does that mean I should create another Peer that has Remote Access to LAN to access Unraid?

Edited by N¿¿B
Added some more information.
Link to comment

Hi, so tbh I am really lost about Wireguard. I've spent a day (more actually) on that trying different methods:

  • remote access to server
  • remote access to LAN
  • remote tunnelled access

I did set up my port forwarding correctly on port 51820 (internal and external) to my server (192.168.1.7) as UDP.

In Unraid my network interface (eth0 and eth1) have bridging enabled
I've tried with and without my dynDNS (duckdns) as a local endpoint
I also noticed that the local tunnel network pool is using /24 for subnet where my Wireguard client (my phone) was using /32. So I've tried /32 server & client side and also /24 server & client side.

I've tried with and without preshared key
I've tried with and without peer DNS server. And for the different DNS servers address used: 1.1.1.1 / 8.8.8.8 / 192.168.1.254 (my router)

 

As on client side, I did make sure that I was able to access my Unraid web interface and different services around (different ports) from my local network connected via WiFi.

As soon as I turn off WiFi and enable Wireguard I am not able to have a handshake nor can I access anything.

I've tried my local network local tunnel network on my phone none of them worked.

 

Here is more or less what I've used in my Wireguard settings

[screenshot]

 

I did disable battery saving abilities on my phone, background data & unrestricted data usage.

 

Would someone be able to help me?

Thanks in advance

Link to comment
On 3/11/2021 at 1:21 AM, N¿¿B said:

So I just set up WireGuard and used Remote Tunneled Access instead of Remote Access to LAN as my Peer Type of Access. I added the DNS.WATCH DNS Server to the Peer DNS Server option and I'm able to browse the internet, but I'm not able to access my Unraid server.

 

Am I right to assume that Remote Tunneled Access does NOT allow you to access your Unraid server? Does that mean I should create another Peer that has Remote Access to LAN to access Unraid?

 

With Remote Tunneled Access you should be able to reach your Unraid server.  If that isn't working, go ahead and try Remote Access to LAN

Link to comment
1 hour ago, Wanty said:

I also noticed that the local tunnel network pool is using /24 for subnet where my Wireguard client (my phone) was using /32. So I've tried /32 server & client side and also /24 server & client side.

 

/32 is for a single ip address, /24 is for a network with 255.255.255.0 subnet mask. The plugin should give correct values here.

 

 

The things you have tried look great.

 

It is possible your ISP is blocking the UDP port you are trying to use, perhaps try a different one?

 

I would also try a different client. Somewhere in this thread I remember one person who couldn't get their phone to work but a laptop connected fine.

Link to comment
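The addressing rules from ljm42's replies above (the tunnel is its own network, separate from the LAN; /32 is one host, /24 a whole network) expressed as a check. This is an added example, not part of the original posts or the plugin. The 10.253.0.0/24 pool, the peer names, and the assumption that "remote access to LAN" places the LAN subnet in the client's AllowedIPs are constructed for illustration.

```python
import ipaddress

def plan_problems(lan_cidr, tunnel_cidr, peers):
    """Return a list of problems in a WireGuard address plan.

    peers maps a (hypothetical) peer name to its tunnel address, e.g. "10.253.0.2/32".
    """
    lan = ipaddress.ip_network(lan_cidr, strict=False)
    tunnel = ipaddress.ip_network(tunnel_cidr, strict=False)
    problems = []
    # The tunnel is a network of its own; it must not share addresses with the LAN.
    if tunnel.overlaps(lan):
        problems.append(f"tunnel {tunnel} overlaps LAN {lan}")
    seen = {}
    for name, addr in peers.items():
        iface = ipaddress.ip_interface(addr)
        # A peer is a single host, so its entry should be a /32 (IPv4).
        if iface.network.prefixlen != iface.ip.max_prefixlen:
            problems.append(f"{name}: {addr} is not a single-host address")
        if iface.ip not in tunnel:
            problems.append(f"{name}: {iface.ip} is outside tunnel {tunnel}")
        if iface.ip in seen:
            problems.append(f"{name}: {iface.ip} already used by {seen[iface.ip]}")
        seen.setdefault(iface.ip, name)
    return problems

def routed_via_tunnel(dest, allowed_ips):
    """True if a client with these AllowedIPs sends traffic for dest into the tunnel."""
    ip = ipaddress.ip_address(dest)
    return any(ip in ipaddress.ip_network(n, strict=False) for n in allowed_ips)

# Constructed sample values; only the 192.168.1.x addresses appear in the thread.
LAN = "192.168.1.0/24"
NAS = "192.168.1.116"
TUNNEL = "10.253.0.0/24"

if __name__ == "__main__":
    # Tunnel placed inside the LAN range, as in the question above: flagged.
    print(plan_problems(LAN, "192.168.1.1/24", {"phone": "192.168.1.2/32"}))
    # Separate tunnel pool with a /32 peer: no problems.
    print(plan_problems(LAN, TUNNEL, {"phone": "10.253.0.2/32"}))
    # The NAS's LAN address is reachable only when the LAN is in AllowedIPs.
    print(routed_via_tunnel(NAS, [TUNNEL]), routed_via_tunnel(NAS, [TUNNEL, LAN]))
```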
On 3/7/2021 at 8:38 AM, timmyx said:

Hey! Thanks for the response.

 

Mine is set like this (I think it's default - not exactly sure I changed anything here)

[screenshot]

 

I haven't updated to 6.9, should it work if I add the script in the /boot/config/go ?

Fingers crossed!

 

 

Hmm that particular fix is for people using the local tunnel firewall. You can try running the commands directly, if it helps then add it to your go script (I wouldn't want you to complicate your go script unnecessarily, it will make life difficult for you in the future)

Link to comment
On 3/13/2021 at 6:58 PM, ljm42 said:

 

/32 is for a single ip address, /24 is for a network with 255.255.255.0 subnet mask. The plugin should give correct values here.

 

 

The things you have tried look great.

 

It is possible your ISP is blocking the UDP port you are trying to use, perhaps try a different one?

 

I would also try a different client. Somewhere in this thread I remember one person who couldn't get their phone to work but a laptop connected fine.

So I've tried on different ports and with other clients (on my tablet, my desktop and another phone) and none of them worked.

In the logs from my desktop it says "Handshake did not complete after 5 seconds, retrying..."

Link to comment
4 minutes ago, danktankk said:

Will do.  I heard that PFsense 2.5 I think? was having an issue with wireguard.  I'll update mine as well.  Thank you.

 

Yeah the pfSense-sponsored WireGuard implementation for FreeBSD had some issues. Does not affect Unraid.

  • Like 1
Link to comment

I've tried searching but can't find anything relevant. Has anyone gotten Wireguard to work on unraid using untangle as a router? Yes, I know untangle has it as an app, but I'm not interested in paying 250 a year for the functionality. If I use pfsense, wireguard works as expected with almost no modifications. Using it with untangle only gives me server access even when remote tunneled access is selected. And if I create a rule to bypass all apps for the Wireguard subnet, still no joy.... I feel like I'm missing one setting somewhere but don't know what it is.

---

 

edit

 

putting my laptop in the subnet that Wireguard uses allows access to all devices on the lan across subnets but no internet access, even when changing DNS from local to something like 1.1.1.1

Edited by 1812
Link to comment
  • 2 weeks later...

Hello,

 

I would like to access a custom virsh network from my wireguard vpn. Does someone know how to do it, please?

 

Network wg1 (network of wireguard vpn ) : 192.168.51.0/27

 

Network virbr0-lab : 192.168.50.0/27

 

I would like them to communicate together to access in RDP a vm present in the virbr0-lab network from a pc connected in VPN to the wg1 network

 

Cordially.

Edited by JamesAdams
Link to comment
6 minutes ago, remati said:

I think there is something wrong with my Wireguard plugin. Adding a 2nd Tunnel WG1 shows the fields all weird with underscores and any changes I make I cannot click the Apply button. Has anyone experienced this before?

 

 

Screenshot 2021-04-11 132811.jpg

What Unraid version?

Link to comment
