WireGuard quickstart



7 hours ago, remati said:

It appears it is happening on both my unraid servers on Version: 6.8.3

Do you have anything installed to customize your GUI?

 

WireGuard supports multi-language, which is not available in Unraid 6.8, though it should display all text correctly.

 

Just made a quick test, this is a bug. Will correct it.

Edited by bonienl
Link to comment

Is there any way to add additional authentication in WireGuard?

I have been able to get everything set up but it seems a bit too easy to enable access on my Android phone.

I can simply click the shortcut menu item to connect; using OpenVPN I have configured 2FA so someone cannot simply press a button to get full access to my LAN.


It would be even better if I could use U2F from my Yubikey devices but I would take being able to add Google Authenticator as a first step

 

 

Link to comment
1 hour ago, jameson_uk said:

Is there any way to add additional authentication in WireGuard?

I have been able to get everything set up but it seems a bit too easy to enable access on my Android phone.

I can simply click the shortcut menu item to connect; using OpenVPN I have configured 2FA so someone cannot simply press a button to get full access to my LAN.


It would be even better if I could use U2F from my Yubikey devices but I would take being able to add Google Authenticator as a first step

 

WireGuard does not currently support 2FA, and I don't see it on their todo list: https://www.wireguard.com/todo/

Link to comment
2 hours ago, jameson_uk said:

Is there any way of adding any form of authentication (beyond the shared keys)?

 

That fully depends on the device where you are installing WireGuard.

When I use my iPad pro, it requires a fingerprint authentication first before installing the WireGuard tunnel.

 

Link to comment
3 hours ago, jameson_uk said:

Is there any way of adding any form of authentication (beyond the shared keys)?

You can/should set a lock screen on your client device, but there is no way to enforce that from Unraid's end. The WireGuard protocol does not currently have any options related to this or to requiring a pin/password/2FA before starting the tunnel. It is not something we can add ourselves, it would need to be added to the WireGuard protocol first.

Link to comment
 
That fully depends on the device where you are installing WireGuard.
When I use my iPad pro, it requires a fingerprint authentication first before installing the WireGuard tunnel.
 
You can/should set a lock screen on your client device, but there is no way to enforce that from Unraid's end. The WireGuard protocol does not currently have any options related to this or to requiring a pin/password/2FA before starting the tunnel. It is not something we can add ourselves, it would need to be added to the WireGuard protocol first.
This is set up on an Android phone. The WireGuard app set up the connection by just scanning the QR, which is fine, but there is no control over opening the app and it added a shortcut to open the tunnel in the menu where you can turn on the torch (and is available without unlocking the phone).

Are there any other Android clients that only open with biometric authentication?
Link to comment
3 hours ago, jameson_uk said:

This is set up on an Android phone. The WireGuard app set up the connection by just scanning the QR, which is fine, but there is no control over opening the app and it added a shortcut to open the tunnel in the menu where you can turn on the torch (and is available without unlocking the phone).

Are there any other Android clients that only open with biometric authentication?

 

On my Android (OnePlus 7 Pro), before unlocking the phone I can pull down from the top to access certain apps like the flashlight. VPN is in that list, but when I click it, I am immediately prompted to unlock the phone. It sounds like a security hole in your phone if it puts VPN in the same authentication-free category as the flashlight!

 

I believe there are other Android clients out there, but rather than recommend anything I haven't used I'll just suggest you try Google :)  Also, nothing says you have to switch to WireGuard, if you are happy with OpenVPN you can continue to use it.

Link to comment
  • 2 weeks later...

I have tried a bit of skimming of this thread as well as searching - but is anyone able to answer a quick question regarding wireguard functionality.

Currently I have OpenVpn setup via docker container. This works great until you need to spin down the array. Will setting up wireguard, since it is a plugin and not a docker based solution, allow me to spin up and down the array while still maintaining vpn access?

Link to comment
1 hour ago, Claudio C said:

Hi all,

 

I'm using wireguard as VPN service. I'm using Peer type of access: Remote access to LAN

It works fine but I don't have access to the share folder (SMB).

 

Could you help me ? 

 

Best guess based on what you have written... make sure you are trying to access the server by IP address and not by shortname.  i.e. make an SMB connection to \\ipaddress not to \\tower

 

Link to comment

Hi All, I'm new to unRAID and really am loving it.  Currently I only have my media setup but am working through new functionality.

 

I'm confused with WireGuard though.  I've setup "remote access to LAN" and with my peer (android phone) enabled I can access my unRAID from outside my network via the IP Address.  I can also access my PLEX, SONARR, etc dockers so all that seems to work fine. 

My first question is regarding the "LAN" part of the access.  What does that entail?  Previously I used my phone's VPN to remote desktop access my personal laptop when it was at the house. With "remote access to LAN" can I do that? What port would I use?

My second question is regarding the other VPN options, specifically the "Remote Tunneled Access". Do I create that as a 2nd Peer option and have both available on my phone or does one supersede the other?

Thanks!

Link to comment
On 5/3/2021 at 7:43 AM, Claudio C said:

Hi all,

 

I'm using wireguard as VPN service. I'm using Peer type of access: Remote access to LAN

It works fine but I don't have access to the share folder (SMB).

 

Could you help me ? 

 

14 hours ago, Claudio C said:

I tried also with IP but nothing.

 

This is my configuration

 


 

You have "Use NAT" = No, there should be a remark telling you to setup a static route in your router, have you done that?  There are more details in the "complex networks" portion of the first post.  Until you work through that nothing on the LAN (including accessing the server by its LAN IP) will work.

 

FYI, you can also access the server by its tunnel IP. So SMB to \\10.253.0.1 should work regardless of the "Use NAT" setting or whether you have a static route setup.

Link to comment
Quote

Hi All, I'm new to unRAID and really am loving it. 

Welcome!

 

1 hour ago, RuggedRaider said:

I've setup "remote access to LAN" and with my peer (android phone) enabled I can access my unRAID from outside my network via the IP Address.  I can also access my PLEX, SONARR, etc dockers so all that seems to work fine. 

nice!

 

1 hour ago, RuggedRaider said:

My first question is regarding the "LAN" part of the access.  What does that entail?  Previously I used my phone's VPN to remote desktop access my personal laptop when it was at the house. With "remote access to LAN" can I do that? What port would I use?

When you setup "remote access to LAN" you will be able to access other devices on your LAN through the tunnel. So from your phone you would first make a VPN connection to Unraid to get access to the LAN, then you would start the remote desktop software on the phone and connect to your personal laptop by IP.

 

 

1 hour ago, RuggedRaider said:

My second question is regarding the other VPN options, specifically the "Remote Tunneled Access". Do I create that as a 2nd Peer option and have both available on my phone or does one supersede the other?

Yes you can have two VPN profiles/peers defined on your phone. Use "Remote access to LAN" when you trust the network you are on and just want to route the remote LAN traffic over WireGuard.  Use "Remote Tunneled Access" when you are someplace with "risky" wifi and you want all your traffic going over WireGuard.

Link to comment
1 hour ago, ljm42 said:

When you setup "remote access to LAN" you will be able to access other devices on your LAN through the tunnel. So from your phone you would first make a VPN connection to Unraid to get access to the LAN, then you would start the remote desktop software on the phone and connect to your personal laptop by IP.

Okay, that helps. For some reason I thought the remote access to LAN would rid me of the need for microsoft RDP. Makes sense now that I think about it.

 

Another question. Is the peer setup designed for the client type specifically or the type of connection.  Can I setup a peer connection for "remote access to LAN" and then download that profile config file and install on WireGuard via my work laptop?

 

Thank you!

Link to comment
10 minutes ago, RuggedRaider said:

Another question. Is the peer setup designed for the client type specifically or the type of connection.  Can I setup a peer connection for "remote access to LAN" and then download that profile config file and install on WireGuard via my work laptop?

 

You should create a new peer config for each device. That will allow all of the devices to connect at the same time, and in the event that one device is lost or stolen, you only have to delete that one config from the server and the rest of the devices will continue to work.

Link to comment
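Added example (not from the thread and not Unraid's plugin code): why one peer per device keeps revocation isolated. It parses a constructed WireGuard server config with placeholder keys and removes only the lost device's `[Peer]` block; the function names, keys and addresses are assumptions made for the illustration.

```python
# Constructed sample server config; the keys are placeholders, not real keys.
SAMPLE_CONF = """\
[Interface]
PrivateKey = SERVER_PRIVATE_KEY_PLACEHOLDER
ListenPort = 51820

[Peer]
PublicKey = PHONE_PUBLIC_KEY_PLACEHOLDER
AllowedIPs = 10.253.0.2/32

[Peer]
PublicKey = LAPTOP_PUBLIC_KEY_PLACEHOLDER
AllowedIPs = 10.253.0.3/32

[Peer]
PublicKey = TABLET_PUBLIC_KEY_PLACEHOLDER
AllowedIPs = 10.253.0.4/32
"""

def parse_sections(text):
    """Split the config into [header, settings, raw_lines] sections.
    configparser cannot do this because [Peer] appears more than once."""
    sections = [["", {}, []]]  # index 0 holds anything before the first header
    for line in text.splitlines():
        s = line.strip()
        if s.startswith("[") and s.endswith("]"):
            sections.append([s, {}, []])
        sections[-1][2].append(line)
        if "=" in s and not s.startswith("#"):
            key, _, value = s.partition("=")  # first "=" only: base64 keys end in "="
            sections[-1][1][key.strip()] = value.strip()
    return sections

def peer_keys(text):
    """Public keys of every [Peer] in the config, in file order."""
    return [kv.get("PublicKey")
            for header, kv, _ in parse_sections(text) if header == "[Peer]"]

def revoke(text, public_key):
    """Return the config with only the matching [Peer] block removed."""
    kept = [raw for header, kv, raw in parse_sections(text)
            if raw and not (header == "[Peer]"
                            and kv.get("PublicKey") == public_key)]
    return "\n".join(line for raw in kept for line in raw) + "\n"

if __name__ == "__main__":
    # The laptop is lost: its key is dropped, phone and tablet stay valid.
    print(revoke(SAMPLE_CONF, "LAPTOP_PUBLIC_KEY_PLACEHOLDER"))
```

Had the phone's profile been copied to the laptop instead, both devices would share one key and revoking it would cut off both.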

I have upgraded to Unraid 6.9.2 and am now having problems with adding WireGuard peers. I have 15 WireGuard peers running now, but when I try to add another peer it does not give me a blank entry to fill in; the cursor just jumps to one of the existing entries that are already running. I thought at first it was maybe the browser so I tried Firefox, Google Chrome and Microsoft Edge, but all act the same.

When I add a new tunnel such as WG1 I can start adding more peers. Is there a limit on how many peers per tunnel?

 

Thanks

Link to comment
On 5/12/2021 at 6:02 AM, Gdtech said:

I have upgraded to Unraid 6.9.2 and am now having problems with adding WireGuard peers. I have 15 WireGuard peers running now, but when I try to add another peer it does not give me a blank entry to fill in; the cursor just jumps to one of the existing entries that are already running. I thought at first it was maybe the browser so I tried Firefox, Google Chrome and Microsoft Edge, but all act the same.

When I add a new tunnel such as WG1 I can start adding more peers. Is there a limit on how many peers per tunnel?

 

Thanks

 

Please ensure you are on the latest version of the plugin (currently 2021.05.10a). No point in troubleshooting older versions :)

 

As a test, I just created a tunnel with 20 peers no problem. I wouldn't expect there to be a limit, pretty sure it just increments a counter.

 

I'd guess it is putting the cursor in a field that has a problem. If that doesn't seem to be the case, try switching from basic to advanced mode, perhaps the field with the problem is not visible in basic mode.

 

Still not working? We'll need to see a screenshot. You'll want to blank out any sensitive parts (keys, public ip addresses, endpoints)

Link to comment

Good afternoon,

 

 Currently searching for an option to my issue and hope wireguard might be the solution.

 

My only internet option currently is Starlink and due to CGNat I will not be able to access my plex server remotely.

 

Can this be used to allow external access to my plex server again?

 

Cheers,

 

Chris

Link to comment

I followed your guide and got it up and running. My question is regarding the relationship of a tunnel to a peer and how this should be configured rather than what can be done. 

 

With one tunnel, should I only have one peer? or should I set multiple peers for one tunnel assuming the subnet access level should be the same for all peers?

 

I am intending to use this for two use cases. 

    1- remote server management from 2 or 3 devices. my guess is one tunnel, 2-3 peers with the needed subnet configured. 

    2- privatizing mobile device traffic back to the server internet connection. this would be likely a lesser subnet range to strictly hairpin traffic back out to the web from the server internet connection (mobile device->server->web). I'm also guessing this would be a second tunnel for these peers?

 

Any guidance or clarity around this concept is greatly appreciated. 

Link to comment

A single tunnel can support multiple connections (peers). Each peer will have the same access rights, e.g. "Remote connection to LAN".

 

If you want different peers to have different access rights, you could set up multiple tunnels, each with a different connection type and let peers connect to one or the other.

 

Link to comment
