WireGuard quickstart


Hi everyone. I have WireGuard all up and running and I have access to all of my internal resources. But is there a way that I can block my LAN completely from VPN users? I would like VPN users to only have access out to the internet so my child can log into the VPN to use Netflix while away at college and it will look like it is coming from my house. For security reasons, I would prefer that the VPN not be able to access anything internally, though. I have seen others ask a similar question, but I have not seen an answer. Thanks very much.

Link to comment
  • 2 weeks later...
On 7/2/2023 at 11:36 AM, chris111486 said:

A few months ago I replaced my router. I then also proceeded to update Unraid OS to its current version at that time. I tried to use WireGuard after all this and it wasn’t working. I then got busy with home and work and wasn’t able to get back around to troubleshooting the issue. Now I have been able to get back to trying to troubleshoot the issue and this is where I stand. Long story short, I went back to a clean slate. Remade my domain on DDNS, deleted the original tunnel created when I had WireGuard working. Followed the steps on page 1, and it’s not a complex network, and to no avail: still unable to connect to the server from external means. When I go to do my port forwarding on the router it doesn’t seem like it works. And even the tunnel screen shows that it still doesn’t see port forwarding connected via the server. I also tried a UPnP connection and nothing worked while trying to connect that way either. After each change made on the router I did perform a reboot since I wasn’t sure if it would need a reboot for the change to take, because I know that was 1 of my issues the first time I tried setting it up in the beginning a few years back. I go into the logs on both the Unraid server and the router and don’t see the IP of the server. I also did a traceroute to see if my ISP is using CGNAT. And am not 100% sure if that may be my issue. I have attached photos to see if maybe anybody else sees something I missed. And I understand the photo of the tunnel setup screen says forward port but that is already set in my router’s port forwarding. Any ideas are greatly appreciated.

Bump

Link to comment
  • 4 weeks later...
On 10/11/2019 at 8:04 PM, kaiguy said:

Thanks for the quick writeup! I was scratching my head for a good 10 minutes until I realized I had to toggle Inactive to Active. Not sure why my mind read that as clicking inactive would inactivate it.

Once I properly toggled that setting, my phone immediately connected. I can access my network devices by IP address, but didn't have any luck by local hostname. Not sure if it's a config issue on my router (pfSense) or just how it is with WireGuard. No issue with that though when connecting via OpenVPN on pfSense.

This is a great method to get secure access to your server/network without much fuss, and am looking forward to seeing how the implementation progresses! I think it will help a lot of unRAID users!

Yes! I spent an hour trying to figure out what was wrong and then another 10 minutes after I read this comment before I even considered looking at those toggles at the top. 

Link to comment
  • 4 weeks later...

Hello,

I love this thing! Thank you for making it easy to use for people like me ha :)

Just one question, maybe someone is in a similar situation.

I have WG set up on Unraid; below is the config.

My phone connects just fine and I can access the Unraid GUI (192.168.1.221), and ping hosts from my phone (192.168.4.3 when connected via WG).

I am also able to ping my phone from Unraid,

but when I'm trying to ping my phone from another computer on the network other than Unraid, it says host unreachable.

Is there a way to be able to ping my phone from other hosts on my local network?

Thank you for your help!

Link to comment
  • 1 month later...
On 12/20/2019 at 5:39 PM, relink said:

Sorry if this has been solved and I just didn't catch it.

Almost every one of my docker containers has a custom IP address. Has there been any solution to connecting to docker containers with a custom IP yet?

I disabled "Local server uses NAT:" and set up a static route in my router and it did absolutely nothing. I can access my Unraid's web UI just fine as well as other physical machines on my network. I just can't access most of my dockers.

Same issue here, did you find a solution? This is very frustrating.

Link to comment
  • 3 weeks later...

I recently got a hold of a VPS and set up WireGuard between my Unraid server + VPS via "Remote Tunneled access" of the built-in VPN Manager; however, if I choose any Docker container to use the wg0 interface, I can't go to its WebUI. Is there anything else to be configured? Do I have to set up a reverse proxy?

I tested this by having the Firefox docker container use wg0, but it never starts, for example. I can ping the WireGuard IPs from each location (Unraid <-> VPS) just fine... i.e. 10.10.92.0/32

Ultimately I'd like this setup to be used for Plex Remote Access as well as using wg0 for other docker containers.

Link to comment
  • 4 weeks later...

I have recently set this up following the guide and have it working for 'Access to Server' just to remotely manage the server/access dockers.

One thing I wanted to check: when I am connected to the VPN on a remote network from my phone, internet access still works via my phone. Is this expected behaviour, or should the tunnel be stopping all other access and only allowing access to the Unraid server?

Link to comment
  • 2 weeks later...

So I have my WireGuard set up as NAT = yes, host access to custom network = no, so I can't use my VPN peer client to access any docker containers on custom network br0. I need to set host access to custom network to yes, but then the WireGuard peer won't have access to LAN devices without static routes set on the router. My router doesn't have the setting for it, so what are my options to make this work? Would hosting WireGuard on another LAN device instead work?

Link to comment

Hello Community

I have been unsuccessful in getting WireGuard to work since my upgrade from 6.11.3->6.12.6, and I am in need of guidance.

1.  I have been using ZeroTier for remote access into my server and docker UI and access to my network.  Don't really want to give that up.

2.  My goal is to have system VPN tunneling access for updates (I am behind the Chinese firewall and cannot get at GitHub for plugins w/o VPN.  Dockers are OK).

3.  I also want to have select docker containers (Sonar, etc) running over VPN (not Plex as my experience is that the remote access for playback does not like a double NAT).

I have read through the guides, tried a number of different things, and the configuration below satisfies my goal of using ZeroTier (with complete access to server, dockers, file system) and Plex, but cannot get WireGuard working (no handshakes).

Note:  Need to reinstitute zt0 listening at any docker stop and start, even though it shows as “listening” in many cases.

(Host access to custom networks breaks ZeroTier, as does using anything other than a HOST network setting in the Docker.)

I have enabled UPnP both on the system and on my gateway router.

This is the VPN configuration:

Peer endpoint "ping" is working.

And clicking on the eyeball with the "advanced" settings highlighted, I get this information:

WireGuard Configuration

Local server configuration

[Interface]
# Device_Steady Snake
PrivateKey=xxxx=
Address=10.66.39.132
PostUp=logger -t wireguard 'Tunnel WireGuard-wg3 started';/usr/local/emhttp/webGui/scripts/update_services
PostDown=logger -t wireguard 'Tunnel WireGuard-wg3 stopped';/usr/local/emhttp/webGui/scripts/update_services
PostUp=ip -4 route flush table 203
PostUp=ip -4 route add default via 10.66.39.132 dev wg3 table 203
PostUp=ip -4 route add 192.168.11.0/24 via 192.168.11.1 dev br0 table 203
PostDown=ip -4 route flush table 203
PostDown=ip -4 route add unreachable default table 203
PostDown=ip -4 route add 192.168.11.0/24 via 192.168.11.1 dev br0 table 203

[Peer]
#Tokyo 202_1
PublicKey=yyyy=
Endpoint=146.70.201.2:51820
AllowedIPs=0.0.0.0/0

Any guidance appreciated.

Thank you in advance.

Edited by ShangHangin
Link to comment
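
What the PostUp/PostDown hooks in the configuration posted above do to routing table 203 can be traced by replaying them, as in this added example (not from the poster or from Unraid). The hook lines are copied from the post; the names `replay` and `fails_closed` are made up here, and the model assumes an `ip rule`, not shown in the post, sends selected traffic to table 203.

```python
# Hook lines copied from the post's [Interface] section (one logger hook kept).
POSTED_HOOKS = """\
PostUp=logger -t wireguard 'Tunnel WireGuard-wg3 started';/usr/local/emhttp/webGui/scripts/update_services
PostUp=ip -4 route flush table 203
PostUp=ip -4 route add default via 10.66.39.132 dev wg3 table 203
PostUp=ip -4 route add 192.168.11.0/24 via 192.168.11.1 dev br0 table 203
PostDown=ip -4 route flush table 203
PostDown=ip -4 route add unreachable default table 203
PostDown=ip -4 route add 192.168.11.0/24 via 192.168.11.1 dev br0 table 203
"""


def replay(conf_text, phase, table="203"):
    """Replay the `ip -4 route` hooks of one phase ('PostUp' or 'PostDown')
    and return the resulting table as {destination: device or 'unreachable'}."""
    routes = {}
    for line in conf_text.splitlines():
        key, _, commands = line.partition("=")
        if key.strip() != phase:
            continue
        for command in commands.split(";"):   # a hook may chain commands with ';'
            tok = command.split()
            if tok[:3] != ["ip", "-4", "route"] or tok[-2:] != ["table", table]:
                continue                      # not a route change for this table
            action, args = tok[3], tok[4:-2]
            if action == "flush":
                routes.clear()
            elif action == "add" and args[0] == "unreachable":
                routes[args[1]] = "unreachable"
            elif action == "add":
                routes[args[0]] = args[args.index("dev") + 1]
    return routes


def fails_closed(conf_text):
    """True if, with the tunnel down, table 203 rejects non-LAN traffic.
    Without an 'unreachable' default the lookup finds no match in table 203
    and falls through to the next rule (normally the main table), so the
    traffic would leave through the ordinary LAN gateway."""
    return replay(conf_text, "PostDown").get("default") == "unreachable"


if __name__ == "__main__":
    print("up:  ", replay(POSTED_HOOKS, "PostUp"))
    print("down:", replay(POSTED_HOOKS, "PostDown"))
    print("fails closed:", fails_closed(POSTED_HOOKS))
```
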
  • 2 weeks later...

Hi All,

I apologize in advance if this might have been mentioned before, but after doing several Google searches with varying search terms and finding some existing reports, none of the troubleshooting steps I came across resolved the issue I am experiencing.

Unraid Version: 6.12.6

Some background:

My WireGuard Client (Peer) was not working (connection would be established but I would have no network or internet access - configuration in WireGuard on Unraid is set to Remote Tunneled Access) and so in trying to troubleshoot, I tried deleting the Peer from the VPN Manager Settings in Unraid (among other things). Upon re-creating the Peer in Unraid, I am no longer able to download the Peer Configuration. The eye icon is greyed out.

In reading some of the other reports on this issue, there are some instances where WireGuard wasn't deleting the old Peer Configurations from the Flash Drive Config Folder and this was causing some issues. For my situation, the Peer Folder on the Flash Drive is empty even though the VPN Manager in Unraid shows I have a Peer set up.

I also tried deleting the Tunnel and Peer while monitoring the Config Folder and see the Tunnel configuration gets deleted (there is no Peer data to delete so that folder stays empty), and when I create a new Tunnel, I see those configuration files generated in the Config Folder as well.

I'm left scratching my head trying to figure out what's going on.

Any help is greatly appreciated!

Unraid Version: 6.12.6

UPDATE: Resolved

It appears the issue manifests if the Peer Name field is left empty. This seems like it is a bug since the default configuration settings indicate the Name Field is Optional.

Gonna leave this post in case anyone else encounters the issue too so they can try what worked for me to see if it helps them.

Edited by Mathew R.
Link to comment
  • 4 weeks later...

Hi All,

New to this, and looking to (finally) replace the OpenVPN docker I had running for quite a while, just in case...

I am looking at the guide, and I see on one hand it says:

"You must be running Unraid 6.8-6.9 with the Dynamix WireGuard plugin from Community Apps or Unraid 6.10+ (which has the plugin built in)."

But then when it starts with the instructions for the UnRAID side, it says:

"On Unraid 6.8, go to Settings -> VPN Manager"

What about on other versions??

Link to comment
  • 2 weeks later...

Hi guys!

I can't seem to get remote tunneled access to work.

I can connect from outside the network, so my router port forwarding works, but I can only reach LAN IPs.

I have 2 users configured. One is remote access to LAN, the other is remote tunneled access.

Both work the same way. I can reach only LAN IPs; nothing works for normal sites in the browser.

I have a few dockers running, no VMs.

I think I have 2 dockers which have different IP addresses than the Unraid machine. Not sure if this is a non-standard setup and breaks the default routing or something with WireGuard.

Thanks!

Link to comment
  • 3 weeks later...

I am using "LAN to LAN access" and am routing local networks and peer networks on the respective routers. Everything works between the networks. However, when I originate connections from Unraid itself to the remote side, it would always use the wg0 IP of the Unraid server and not the eth0 IP. This is causing me some headaches on the remote end. Can I somehow force Unraid to use the eth0 IP (or br0 in this case) and just use wg0 for tunnelled communication?

Link to comment
16 hours ago, Driverpatrol said:

Good morning everyone, I'm trying to configure WireGuard to connect externally but to no avail.
Can someone help me?
I put my configuration.
Thank you

Make sure that if you have a modem from your ISP that you enable bridge mode. I had an issue a while back where I replaced my router. And my WireGuard worked for all of about 2 weeks. Well, come to find out my ISP pushed out an update to their network which in turn reverted the modem back to default settings. So I needed to go back in to enable bridge mode and it worked like a charm.

Link to comment
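
The CGNAT question and the ISP-modem bridge-mode fix raised in the posts above both come down to comparing the WAN address shown on your own router with the address the outside world sees. The following is an added example, not code from any poster or from Unraid; the function names and all addresses are constructed for illustration, with documentation ranges standing in for public IPs.

```python
import ipaddress

# RFC 6598 shared address space, used by carriers for CGNAT.
CGNAT = ipaddress.ip_network("100.64.0.0/10")
# RFC 1918 private ranges: a WAN address here means another NAT sits upstream.
RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

def classify(addr):
    """Label an IPv4 address as 'cgnat', 'private' or 'public'."""
    ip = ipaddress.ip_address(addr)
    if ip in CGNAT:
        return "cgnat"
    if any(ip in net for net in RFC1918):
        return "private"
    return "public"

def diagnose(router_wan_ip, seen_public_ip, traceroute_hops=()):
    """Return (verdict, reason) for whether an inbound port forward can work.
    router_wan_ip: WAN address on the router's status page; seen_public_ip:
    address an outside service reports; traceroute_hops: hops outward (hint)."""
    kind = classify(router_wan_ip)
    if kind == "cgnat":
        return "cgnat", "router WAN is in 100.64.0.0/10, so the ISP NATs you"
    if kind == "private":
        return "double_nat", "router WAN is RFC 1918: ISP modem is routing, not bridging"
    if router_wan_ip != seen_public_ip:
        return "upstream_nat", "WAN address differs from the address seen outside"
    # Hops are weaker evidence: ISPs also number internal links from these
    # ranges without translating, so they only change the explanation.
    if any(classify(h) == "cgnat" for h in list(traceroute_hops)[1:]):
        return "direct", "WAN is public; the 100.64/10 hops are ISP-internal links"
    return "direct", "WAN is public and matches; check the forward and DDNS record"

# Constructed samples; 203.0.113.0/24 and 198.51.100.0/24 are documentation ranges.
SAMPLES = {
    "cgnat": ("100.72.14.9", "203.0.113.7", ["192.168.1.1", "100.72.0.1"]),
    "double_nat": ("192.168.0.2", "203.0.113.7", ["192.168.1.1", "192.168.0.1"]),
    "direct": ("203.0.113.7", "203.0.113.7", ["192.168.1.1", "198.51.100.1"]),
}

if __name__ == "__main__":
    for name, args in SAMPLES.items():
        print(name, "->", diagnose(*args))
```
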
