bonienl Posted April 12, 2021 (edited)
7 hours ago, remati said: It appears it is happening on both my unraid servers on Version: 6.8.3 Do you have anything installed to customize your GUI? WireGuard supports multi-language, which is not available in Unraid 6.8, though it should display all text correctly. Just made a quick test, this is a bug. Will correct it.
Edited April 12, 2021 by bonienl
bonienl Posted April 12, 2021
Correction available
jameson_uk Posted April 14, 2021
Is there any way to add additional authentication in WireGuard? I have been able to get everything set up but it seems a bit too easy to enable access on my Android phone. I can simply click the shortcut menu item to connect; using OpenVPN I have configured 2FA so someone cannot simply press a button to get full access to my LAN. It would be even better if I could use U2F from my Yubikey devices but I would take being able to add Google Authenticator as a first step.
ljm42 Posted April 14, 2021 Author
1 hour ago, jameson_uk said: Is there any way to add additional authentication in WireGuard? I have been able to get everything set up but it seems a bit too easy to enable access on my Android phone. I can simply click the shortcut menu item to connect; using OpenVPN I have configured 2FA so someone cannot simply press a button to get full access to my LAN. It would be even better if I could use U2F from my Yubikey devices but I would take being able to add Google Authenticator as a first step.
WireGuard does not currently support 2FA, and I don't see it on their todo list: https://www.wireguard.com/todo/
jameson_uk Posted April 15, 2021 (edited)
16 hours ago, ljm42 said: WireGuard does not currently support 2FA, and I don't see it on their todo list: https://www.wireguard.com/todo/
Is there any way of adding any form of authentication (beyond the shared keys)?
Edited April 15, 2021 by jameson_uk
bonienl Posted April 15, 2021
2 hours ago, jameson_uk said: Is there any way of adding any form of authentication (beyond the shared keys)?
That fully depends on the device where you are installing WireGuard. When I use my iPad Pro, it requires a fingerprint authentication first before installing the WireGuard tunnel.
ljm42 Posted April 15, 2021 Author
3 hours ago, jameson_uk said: Is there any way of adding any form of authentication (beyond the shared keys)?
You can/should set a lock screen on your client device, but there is no way to enforce that from Unraid's end. The WireGuard protocol does not currently have any options related to this or to requiring a pin/password/2FA before starting the tunnel. It is not something we can add ourselves; it would need to be added to the WireGuard protocol first.
jameson_uk Posted April 15, 2021
That fully depends on the device where you are installing WireGuard. When I use my iPad Pro, it requires a fingerprint authentication first before installing the WireGuard tunnel.
You can/should set a lock screen on your client device, but there is no way to enforce that from Unraid's end. The WireGuard protocol does not currently have any options related to this or to requiring a pin/password/2FA before starting the tunnel. It is not something we can add ourselves; it would need to be added to the WireGuard protocol first.
This is set up on an Android phone. The WireGuard app set up the connection by just scanning the QR, which is fine, but there is no control over opening the app and it added a shortcut to open the tunnel in the menu where you can turn on the torch (and is available without unlocking the phone).
Are there any other Android clients that only open with biometric authentication?
ljm42 Posted April 16, 2021 Author
3 hours ago, jameson_uk said: This is set up on an Android phone. The WireGuard app set up the connection by just scanning the QR, which is fine, but there is no control over opening the app and it added a shortcut to open the tunnel in the menu where you can turn on the torch (and is available without unlocking the phone). Are there any other Android clients that only open with biometric authentication?
On my Android (OnePlus 7 Pro), before unlocking the phone I can pull down from the top to access certain apps like the flashlight. VPN is in that list, but when I click it, I am immediately prompted to unlock the phone. It sounds like a security hole in your phone if it puts VPN in the same authentication-free category as the flashlight!
I believe there are other Android clients out there, but rather than recommend anything I haven't used I'll just suggest you try Google.
Also, nothing says you have to switch to WireGuard; if you are happy with OpenVPN you can continue to use it.
itsmepetey Posted April 26, 2021
I have tried a bit of skimming of this thread as well as searching, but is anyone able to answer a quick question regarding WireGuard functionality? Currently I have OpenVpn set up via a docker container. This works great until you need to spin down the array. Will setting up WireGuard, since it is a plugin and not a docker based solution, allow me to spin up and down the array while still maintaining VPN access?
bonienl Posted April 26, 2021
WireGuard access is available independent of the array running or not. This gives it a distinct advantage over docker or vm based solutions.
itsmepetey Posted April 26, 2021
57 minutes ago, bonienl said: WireGuard access is available independent of the array running or not.
Thanks for the info! Appreciate it.
Claudio C Posted May 3, 2021
Hi all, I'm using WireGuard as a VPN service. I'm using Peer type of access: Remote access to LAN. It works fine but I don't have access to the share folder (SMB). Could you help me?
ljm42 Posted May 3, 2021 Author
1 hour ago, Claudio C said: Hi all, I'm using WireGuard as a VPN service. I'm using Peer type of access: Remote access to LAN. It works fine but I don't have access to the share folder (SMB). Could you help me?
Best guess based on what you have written... make sure you are trying to access the server by IP address and not by shortname, i.e. make an SMB connection to \\ipaddress, not to \\tower
Claudio C Posted May 4, 2021
I tried also with IP but nothing. This is my configuration
RuggedRaider Posted May 4, 2021
Hi All, I'm new to unRAID and really am loving it. Currently I only have my media set up but am working through new functionality. I'm confused with WireGuard though. I've set up "remote access to LAN" and with my peer (Android phone) enabled I can access my unRAID from outside my network via the IP address. I can also access my PLEX, SONARR, etc. dockers so all that seems to work fine.
My first question is regarding the "LAN" part of the access. What does that entail? Previously I used my phone's VPN to remote desktop access my personal laptop when it was at the house. With "remote access to LAN" can I do that? What port would I use?
My second question is regarding the other VPN options, specifically the "Remote Tunneled Access". Do I create that as a 2nd Peer option and have both available on my phone or does one supersede the other?
Thanks!
ljm42 Posted May 4, 2021 Author
On 5/3/2021 at 7:43 AM, Claudio C said: Hi all, I'm using WireGuard as a VPN service. I'm using Peer type of access: Remote access to LAN. It works fine but I don't have access to the share folder (SMB). Could you help me?
14 hours ago, Claudio C said: I tried also with IP but nothing. This is my configuration
You have "Use NAT" = No; there should be a remark telling you to set up a static route in your router. Have you done that? There are more details in the "complex networks" portion of the first post. Until you work through that, nothing on the LAN (including accessing the server by its LAN IP) will work.
FYI, you can also access the server by its tunnel IP. So SMB to \\10.253.0.1 should work regardless of the "Use NAT" setting or whether you have a static route set up.
ljm42 Posted May 4, 2021 Author
Quote: Hi All, I'm new to unRAID and really am loving it.
Welcome!
1 hour ago, RuggedRaider said: I've set up "remote access to LAN" and with my peer (Android phone) enabled I can access my unRAID from outside my network via the IP address. I can also access my PLEX, SONARR, etc. dockers so all that seems to work fine.
Nice!
1 hour ago, RuggedRaider said: My first question is regarding the "LAN" part of the access. What does that entail? Previously I used my phone's VPN to remote desktop access my personal laptop when it was at the house. With "remote access to LAN" can I do that? What port would I use?
When you set up "remote access to LAN" you will be able to access other devices on your LAN through the tunnel. So from your phone you would first make a VPN connection to Unraid to get access to the LAN, then you would start the remote desktop software on the phone and connect to your personal laptop by IP.
1 hour ago, RuggedRaider said: My second question is regarding the other VPN options, specifically the "Remote Tunneled Access". Do I create that as a 2nd Peer option and have both available on my phone or does one supersede the other?
Yes, you can have two VPN profiles/peers defined on your phone. Use "Remote access to LAN" when you trust the network you are on and just want to route the remote LAN traffic over WireGuard. Use "Remote Tunneled Access" when you are someplace with "risky" wifi and you want all your traffic going over WireGuard.
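The difference between the two profile types described in the post above, as an added example that is not part of the original thread or of Unraid's own code. It assumes the profiles differ only in the peer's AllowedIPs and that the client derives its routes from that list, as wg-quick and the mobile apps do; the LAN subnet 192.168.1.0/24, the tunnel network 10.253.0.0/24, the endpoint, the key placeholders and the function names are all constructed for illustration.

```python
import configparser
import ipaddress

# Constructed client profile template; keys, endpoint and subnets are placeholders.
PROFILE = """
[Interface]
PrivateKey = <client-private-key>
Address = 10.253.0.2/32

[Peer]
PublicKey = <server-public-key>
Endpoint = vpn.example.net:51820
AllowedIPs = {allowed}
"""

# "Remote access to LAN": only the tunnel network and the home LAN are routed.
LAN_PROFILE = PROFILE.format(allowed="10.253.0.0/24, 192.168.1.0/24")
# "Remote tunneled access": a default route, so everything is routed.
TUNNELED_PROFILE = PROFILE.format(allowed="0.0.0.0/0")


def allowed_networks(profile_text):
    """Return the networks listed in the [Peer] AllowedIPs of a client profile."""
    cp = configparser.ConfigParser(delimiters=("=",), interpolation=None)
    cp.optionxform = str  # keep WireGuard's key capitalisation
    cp.read_string(profile_text)
    raw = cp["Peer"]["AllowedIPs"]
    return [ipaddress.ip_network(n.strip(), strict=False)
            for n in raw.split(",") if n.strip()]


def goes_through_tunnel(profile_text, destination):
    """True if traffic to `destination` would be sent into the tunnel."""
    addr = ipaddress.ip_address(destination)
    return any(addr.version == net.version and addr in net
               for net in allowed_networks(profile_text))


def is_full_tunnel(profile_text):
    """True if the profile sends all IPv4 traffic over the tunnel."""
    return any(net.version == 4 and net.prefixlen == 0
               for net in allowed_networks(profile_text))
```

With the LAN profile active on untrusted wifi, traffic to public addresses still leaves over the local network; only the tunneled profile covers it.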
RuggedRaider Posted May 4, 2021
1 hour ago, ljm42 said: When you set up "remote access to LAN" you will be able to access other devices on your LAN through the tunnel. So from your phone you would first make a VPN connection to Unraid to get access to the LAN, then you would start the remote desktop software on the phone and connect to your personal laptop by IP.
Okay, that helps. For some reason I thought the remote access to LAN would rid me of the need for Microsoft RDP. Makes sense now that I think about it.
Another question. Is the peer setup designed for the client type specifically or the type of connection? Can I set up a peer connection for "remote access to LAN" and then download that profile config file and install on WireGuard via my work laptop?
Thank you!
ljm42 Posted May 4, 2021 Author
10 minutes ago, RuggedRaider said: Another question. Is the peer setup designed for the client type specifically or the type of connection? Can I set up a peer connection for "remote access to LAN" and then download that profile config file and install on WireGuard via my work laptop?
You should create a new peer config for each device. That will allow all of the devices to connect at the same time, and in the event that one device is lost or stolen, you only have to delete that one config from the server and the rest of the devices will continue to work.
Gdtech Posted May 12, 2021
I have upgraded to Unraid 6.9.2 and am now having problems with adding WireGuard peers. I have 15 WireGuard peers running now, but when I try to add another peer it does not give me a blank entry to fill in; the cursor just jumps to one of the existing entries that are already running. I thought at first it was maybe the browser so I tried Firefox, Google Chrome, Microsoft Edge but all act the same. When I add a new tunnel such as WG1 I can start adding more peers. Is there a limit on how many peers per tunnel?
Thanks
ljm42 Posted May 13, 2021 Author
On 5/12/2021 at 6:02 AM, Gdtech said: I have upgraded to Unraid 6.9.2 and am now having problems with adding WireGuard peers. I have 15 WireGuard peers running now, but when I try to add another peer it does not give me a blank entry to fill in; the cursor just jumps to one of the existing entries that are already running. I thought at first it was maybe the browser so I tried Firefox, Google Chrome, Microsoft Edge but all act the same. When I add a new tunnel such as WG1 I can start adding more peers. Is there a limit on how many peers per tunnel? Thanks
Please ensure you are on the latest version of the plugin (currently 2021.05.10a). No point in troubleshooting older versions.
As a test, I just created a tunnel with 20 peers, no problem. I wouldn't expect there to be a limit, pretty sure it just increments a counter.
I'd guess it is putting the cursor in a field that has a problem. If that doesn't seem to be the case, try switching from basic to advanced mode; perhaps the field with the problem is not visible in basic mode.
Still not working? We'll need to see a screenshot. You'll want to blank out any sensitive parts (keys, public IP addresses, endpoints).
drkCrix Posted May 15, 2021
Good afternoon,
Currently searching for an option for my issue and hope WireGuard might be the solution. My only internet option currently is Starlink and due to CGNAT I will not be able to access my Plex server remotely. Can this be used to allow external access to my Plex server again?
Cheers, Chris
Aerodb Posted May 15, 2021
I followed your guide and got it up and running. My question is regarding the relationship of a tunnel to a peer and how this should be configured rather than what can be done. With one tunnel, should I only have one peer? Or should I set multiple peers for one tunnel, assuming the subnet access level should be the same for all peers? I am intending to use this for two use cases.
1- Remote server management from 2 or 3 devices. My guess is one tunnel, 2-3 peers with the needed subnet configured.
2- Privatizing mobile device traffic back to the server internet connection. This would likely be a lesser subnet range to strictly hairpin traffic back out to the web from the server internet connection (mobile device->server->web). I'm also guessing this would be a second tunnel for these peers?
Any guidance or clarity around this concept is greatly appreciated.
bonienl Posted May 16, 2021
A single tunnel can support multiple connections (peers). Each peer will have the same access rights, e.g. "Remote connection to LAN". If you want different peers to have different access rights, you could set up multiple tunnels, each with a different connection type, and let peers connect to one or the other.