WireGuard quickstart


ljm42

Has anyone found a solution to make WireGuard reconnect automatically?

I don't understand why it doesn't do it on its own. Every night there is a disconnect somewhere (and yes, I've set keepalive to 600s).

Every morning I need to deactivate it on my mobile and then activate it again...?!

Edited by nuhll
Link to post
4 hours ago, nuhll said:

Every morning I need to deactivate it on my mobile and then activate it again...?!

Some mobiles go into standby mode to save energy, usually sometime during the night. This may interrupt communications.

Does your mobile phone have specific settings to save battery?

 

Link to post
24 minutes ago, ice pube said:

I am struggling with this as well, would appreciate any help! 

Below an example configuration

It is mandatory to define a local endpoint (main server) and a peer endpoint (backup server). These endpoints can be a URL or a (public) IP address of the server.

 

When the main server is behind a NAT router then port forwarding must be set on the router.

The same is true for a NAT router used at the backup server (peer) side.

 

[image: example server-to-server configuration]

Link to post
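As an added example (my code, not the Unraid plugin's and not bonienl's configuration), here is the two-sided layout that post describes, rendered as a pair of wg0.conf files. Each side's [Peer] section names the other side's public endpoint and listen port, which is exactly the UDP port each NAT router has to forward, and a cross-check confirms that the two files describe each other. Hostnames, addresses, ports and the <...> key placeholders are assumptions; real keys come from `wg genkey` / `wg pubkey`.

```python
"""Render and cross-check a server-to-server WireGuard pair.

Added example, not the Unraid plugin's code nor bonienl's configuration.
Hostnames, addresses, ports and the <...> key placeholders are assumptions;
generate real keys with `wg genkey | tee private | wg pubkey > public`.
"""
import configparser
from dataclasses import dataclass
from ipaddress import ip_interface, ip_network
from typing import List


@dataclass(frozen=True)
class Site:
    name: str
    endpoint: str       # public hostname or IP the *other* site can reach
    listen_port: int    # UDP port; must be forwarded by this site's NAT router
    tunnel_ip: str      # this side's address on the wg interface
    lan: str            # LAN behind this site, routed to the other side
    private_key: str
    public_key: str


MAIN = Site("main", "main.example.com", 51820, "10.253.0.1/24", "192.168.1.0/24",
            "<MAIN_PRIVATE_KEY>", "<MAIN_PUBLIC_KEY>")
BACKUP = Site("backup", "203.0.113.10", 51821, "10.253.0.2/24", "192.168.2.0/24",
              "<BACKUP_PRIVATE_KEY>", "<BACKUP_PUBLIC_KEY>")


def peer_allowed_ips(remote: Site) -> List[str]:
    """Route the remote tunnel address and the remote LAN through this peer."""
    return [f"{ip_interface(remote.tunnel_ip).ip}/32", str(ip_network(remote.lan))]


def render_config(local: Site, remote: Site, keepalive: int = 25) -> str:
    """wg0.conf for `local` with `remote` as its only peer.

    Each side names the other's public endpoint, so both routers need a
    UDP forward (main: 51820, backup: 51821 in this example).
    """
    return "\n".join([
        "[Interface]",
        f"PrivateKey = {local.private_key}",
        f"Address = {local.tunnel_ip}",
        f"ListenPort = {local.listen_port}",
        "",
        f"# peer: {remote.name}",
        "[Peer]",
        f"PublicKey = {remote.public_key}",
        f"Endpoint = {remote.endpoint}:{remote.listen_port}",
        f"AllowedIPs = {', '.join(peer_allowed_ips(remote))}",
        f"PersistentKeepalive = {keepalive}",
        "",
    ])


def _load(text: str) -> configparser.ConfigParser:
    cp = configparser.ConfigParser(interpolation=None)
    cp.optionxform = str            # keep WireGuard's CamelCase keys
    cp.read_string(text)
    return cp


def check_pair(a: Site, b: Site, cfg_a: str, cfg_b: str) -> List[str]:
    """Confirm each file's [Peer] block describes the other site; return mismatches."""
    problems = []
    for local, remote, text in ((a, b, cfg_a), (b, a, cfg_b)):
        peer = _load(text)["Peer"]
        if peer["PublicKey"] != remote.public_key:
            problems.append(f"{local.name}: peer PublicKey is not {remote.name}'s")
        host, _, port = peer["Endpoint"].rpartition(":")
        if host != remote.endpoint or int(port) != remote.listen_port:
            problems.append(f"{local.name}: endpoint does not match {remote.name}'s ListenPort")
        allowed = {ip_network(x.strip()) for x in peer["AllowedIPs"].split(",")}
        if ip_network(f"{ip_interface(remote.tunnel_ip).ip}/32") not in allowed:
            problems.append(f"{local.name}: {remote.name}'s tunnel address missing from AllowedIPs")
        if ip_network(remote.lan) not in allowed:
            problems.append(f"{local.name}: {remote.name}'s LAN missing from AllowedIPs")
    return problems


if __name__ == "__main__":
    main_cfg, backup_cfg = render_config(MAIN, BACKUP), render_config(BACKUP, MAIN)
    print(main_cfg)
    print(backup_cfg)
    print("mismatches:", check_pair(MAIN, BACKUP, main_cfg, backup_cfg) or "none")
```

The check catches a peer pointed at the wrong ListenPort, a swapped key, or a missing AllowedIPs entry before either file is applied. Whether each router really forwards that UDP port is something the files cannot tell you; that still has to be verified on the router itself.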

I am having some strange things going on with my WireGuard setup. I have it set up to allow my cellphone to connect via the WireGuard VPN and that works fine; I can access the Unraid WebUI on my phone. Yet when I try to use one of my desktops at work, with similar settings, trying to access the Unraid WebUI ends up in timeouts, or it takes a long time, and then when I try to log in it times out. I had it working just fine with an OpenVPN Docker. It is one thing that is baffling me. When I get home I am going to try to use my tablet connected to my cellphone's hotspot to see if I have the same difficulty.

Edited by tcochran
Link to post
3 minutes ago, ijuarez said:

that happens quite often

Yeah, it sucks.  Don't know why my IT department just can't understand that while I'm at work I'm there just to get the paycheck and have far more important things to do than actually earn it 🤔

Link to post
On 12/19/2019 at 4:17 AM, bonienl said:

Maybe this drawing helps ...

Thanks. Been a bit hectic lately so I'm just now getting back to this. After looking at my main server and thinking about it for a minute, I realize it says "Tunnel wg0" and that all my connections are listed there, so I do get it now. In my head, each device gets its own privately encrypted connection and I thought that was the "tunnel" - I guess I applied the wrong term. It doesn't really matter if everything's working, so I'll live with my current level of knowledge. It's not important enough to me today to get any deeper.

 

I think I may have it working correctly now! This is what's showing on my main server:

[screenshot: NAS Dashboard on the main server]

 

And this is what I have on Backup:

[screenshot: VPN manager on the Backup server]

I added a second tunnel on the Backup server and imported the config file, enabled the tunnel and immediately had a connection on my main "HomeVPN" side. It does show my public IP address in the Local endpoint, not the DNS name - do I want to change that?

 

Also, I ended up adding the tunnel because when I first imported the config, it was "server to server" and that's not what I was after. I tried to delete the peer and import the new one, but it didn't seem to change the settings.

 

I added the new tunnel (actually, 2, obviously, though I'm not sure why), imported the config file and it seems to be working. I just took a look at the wg0 tunnel and it's got no settings in it at all. I may try deleting wg2 and importing the config file into wg0 to see if it'll work. It seems that it would be cleaner with just the one tunnel instead of one unused one and the 2nd functional one. Thoughts on that?

Link to post

Is there any reason to actively disconnect a laptop VPN connection back home to the server (for a remote-to-LAN connection)? I want to be able to have automatic backups running from a laptop to my server, and it seems that the easiest way would be to have the connection always active.

 

If not, is there a "simple" way to activate the connection, say from a Win10 PowerShell script so I could automatically connect, launch the backup, then disconnect?

 

Or is this appropriate for a whole new thread somewhere...

Link to post

Sorry if this has been solved and I just didn't catch it.

 

Almost every one of my docker containers has a custom IP address. Has there been any solution to connecting to docker containers with a custom IP yet?

 

I disabled "Local server uses NAT:" and set up a static route in my router and it did absolutely nothing. I can access my Unraid's web UI just fine as well as other physical machines on my network. I just can't access most of my dockers.

 

Link to post

Is it the current expected behaviour on the Unraid dashboard that the client tunnel remains long after the session has been disconnected?

From a user perspective, I would expect this to either show only active tunnels, or show all tunnels but with a status of disconnected (or similar) when that is the case.

 

Other than also being stuck in the custom docker IP access dilemma for one of my applications, this implementation is superb :)

Edited by tjb_altf4
Link to post

Hi all, 

 

Please sing out if this is the wrong thread and/or more info is needed to troubleshoot.

 

I am following along @ljm42 's writeup (thank you @ljm42).

I've come across what I think is an error in page validation logic when attempting to configure a tunnel via UNRAID->Settings->VPN Manager.

 

I have my own domain where the top level is  .management

When attempting to enter the domain name I get an error (looks like a javascript validation error - including it here in case someone else is searching for the same error message)

 

The error message (chrome) is:

"Please match the format requested."

"IP Adress or FQDN"

 

The error message (safari) is:

"Match the requested format."

 

From what I can tell, the page is expecting that the top level domain (TLD) will be 8 characters or less.

Some (not very scientific) examples / tests:

fred.management - ERROR

management.fred - Saves FINE

fred.fredfred - Saves FINE

fred.fredfredf - ERROR (note one additional character in the TLD)

 

I've tried clearing my browser cache in case I had some js validation file/library cached.

Not really sure who to address this to as I don't know who is the author of the Wireguard VPNManager page.

 

 

Link to post
1 hour ago, Ding Dong Del said:

I've come across what I think is an error in page validation logic when attempting to configure a tunnel via UNRAID->Settings->VPN Manager.

[...]

From what I can tell, the page is expecting that the top level domain (TLD) will be 8 characters or less.

Your report will get noticed here :)

 

FYI:  As long as you have installed it via Community Applications you can easily get to the support thread for any particular plugin by going to the Plugins tab and then clicking on the Support option listed for each plugin. Alternatively find WireGuard on the Apps tab and click the support icon shown for it there to get to the same point.

Link to post
38 minutes ago, itimpi said:

Your report will get noticed here :)

Sure, but better to report issues in the relevant topic.

 

Anyway, I made an update which validates FQDN input against all the top level domains (TLD) defined by IANA as of December 21, 2019.

 

Go to plugins and update the Dynamix Wireguard plugin.

 

Link to post
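An added example of the kind of validation the fix above describes (my code, not the Dynamix WireGuard plugin's): an endpoint field that accepts a literal IPv4 address or an FQDN whose labels follow the hostname rules and whose TLD appears in the IANA root zone list, so `.management` passes on its own merits rather than on its length. OLD_PATTERN is a reconstruction that reproduces the behaviour reported above (TLD capped at 8 letters), not the plugin's actual regex, which is not on the page; IANA_TLDS_SAMPLE is a constructed subset of the real list at https://data.iana.org/TLD/tlds-alpha-by-domain.txt.

```python
"""Validate an endpoint field as an IPv4 address or a real FQDN.

Added example, not the Dynamix WireGuard plugin's code. OLD_PATTERN is a
reconstruction that reproduces the reported behaviour (TLD limited to 8
letters); the plugin's actual pattern is not on the page. IANA_TLDS_SAMPLE is
a constructed subset of https://data.iana.org/TLD/tlds-alpha-by-domain.txt,
which is one upper-case TLD per line after a '#' header line.
"""
import ipaddress
import re

# Reconstructed shape of the rejecting pattern: labels, then a TLD of 2 to 8 letters.
OLD_PATTERN = re.compile(r"^([A-Za-z0-9-]+\.)+[A-Za-z]{2,8}$")

# Constructed subset of the IANA root zone file, same layout as the real one.
IANA_TLDS_SAMPLE = """\
# constructed sample; the real file carries a version/date header here
COM
NET
ORG
DE
NL
MANAGEMENT
XN--P1AI
"""

# RFC 1123 hostname label: 1-63 letters/digits/hyphens, not starting or ending with '-'
LABEL_RE = re.compile(r"^(?!-)[A-Za-z0-9-]{1,63}(?<!-)$")


def load_tlds(text: str) -> set:
    """Parse the IANA list into a lower-case set, skipping comments and blanks."""
    return {line.strip().lower() for line in text.splitlines()
            if line.strip() and not line.startswith("#")}


def is_fqdn(name: str, tlds: set) -> bool:
    name = name.rstrip(".")                       # tolerate a trailing root dot
    if not name or len(name) > 253:
        return False
    labels = name.split(".")
    if len(labels) < 2:                           # a bare TLD is not a host
        return False
    if not all(LABEL_RE.match(label) for label in labels):
        return False
    return labels[-1].lower() in tlds              # TLD must exist, whatever its length


def is_endpoint(value: str, tlds: set) -> bool:
    """True for a literal IPv4 address or a syntactically valid FQDN with a known TLD."""
    try:
        ipaddress.IPv4Address(value)
        return True
    except ValueError:
        return is_fqdn(value, tlds)


TLDS = load_tlds(IANA_TLDS_SAMPLE)

if __name__ == "__main__":
    for candidate in ["fred.management", "management.fred", "fred.fredfred",
                      "fred.fredfredf", "203.0.113.10", "vpn.example.xn--p1ai"]:
        print(f"{candidate:<22} old={bool(OLD_PATTERN.match(candidate))!s:<5} "
              f"new={is_endpoint(candidate, TLDS)}")
```

Note that the list-based check is stricter as well as more permissive: `management.fred`, which the length-capped pattern accepted, is rejected because `fred` is not a TLD. For production use, fetch the IANA file on a schedule rather than embedding it, since new TLDs are delegated regularly.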
1 hour ago, itimpi said:

Your report will get noticed here :)

[...]

Thanks for the heads up @itimpi :)

Link to post
45 minutes ago, bonienl said:

Anyway, I made an update which validates FQDN input against all the top level domains (TLD) defined by IANA as of December 21, 2019.

Awesome @bonienl, worked a treat, thank you!

And a general thank you for the great work you and community / limetech do - really awesome product!

Link to post

I've not been able to get WireGuard to work on my setup. I've followed all the troubleshooting steps in this thread, including port forwarding, making sure the tunnel is active in the UI, etc. I used the default port of 51820. I've tried setting the local endpoint using my WAN IP or my DuckDNS URL. I've also tried manually entering my router address as the peer DNS server.

 

Here's what I'm seeing :

 

- Wireguard app shows "connected" 

- Wireguard app log shows handshake not completing in 5 seconds and keeps re-trying without success

- Wireguard web UI / Unraid dashboard shows that handshake was never received

- Tried to ping my peer tunnel address via web UI and it fails

 

Not sure if these are a factor : 

 

- iOS 13.3.1

- T-Mobile 39.5.1

 

In the Wireguard app screenshot below, the listen port is not 51820 and this seems to change to a different number every time I start a new session. 

 

Can anyone help?

 

[screenshot: WireGuard iOS app, tunnel details]

Link to post
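Both nuhll's nightly disconnect earlier in the thread and the iOS report above, where the dashboard says a handshake was never received, are cases where the server's own view of each peer answers the question. The following added example (my code, not the plugin's) parses the tab-separated output of `wg show wg0 dump`, whose column layout is documented in wg(8), and sorts each peer into never-handshaked, stale or healthy. The dump embedded here is constructed sample data with placeholder keys. It relies on two facts: a live WireGuard session re-handshakes roughly every two minutes and is discarded after three, so a handshake older than that means no current session; and wg(8) suggests a PersistentKeepalive of 25 seconds for peers behind NAT, because consumer routers drop idle UDP mappings long before 600 seconds. The interface line also gives the server's ListenPort, which is the port the router forward must match; the port a client app shows is its own listen port, chosen at random unless configured, and is not expected to be 51820.

```python
"""Classify peers from `wg show wg0 dump` as never-handshaked, stale or ok.

Added example, not code from the Unraid WireGuard plugin. The sample dump is
constructed (placeholder keys); the column layout follows wg(8): first line is
private-key, public-key, listen-port, fwmark; each further line is
public-key, preshared-key, endpoint, allowed-ips, latest-handshake,
transfer-rx, transfer-tx, persistent-keepalive, all tab separated.
"""
import sys
import time
from dataclasses import dataclass
from typing import List, Optional, Tuple

REJECT_AFTER_TIME = 180  # seconds; WireGuard discards a session older than this
NAT_SAFE_KEEPALIVE = 25  # seconds; the interval wg(8) suggests for peers behind NAT

NOW = 1_577_000_000  # fixed "current time" so the constructed sample is reproducible
SAMPLE_DUMP = "\n".join([
    "\t".join(["<SERVER_PRIVATE_KEY>", "<SERVER_PUBLIC_KEY>", "51820", "off"]),
    # phone: handshake 25 s ago, keepalive 25 s -> healthy
    "\t".join(["<PHONE_PUBKEY>", "(none)", "198.51.100.7:40122", "10.253.0.2/32",
               str(NOW - 25), "120000", "88000", "25"]),
    # laptop: last handshake 4 h ago, keepalive 600 s -> stale
    "\t".join(["<LAPTOP_PUBKEY>", "(none)", "198.51.100.9:51234", "10.253.0.3/32",
               str(NOW - 4 * 3600), "500", "400", "600"]),
    # new peer: no handshake has ever completed
    "\t".join(["<NEW_PUBKEY>", "(none)", "(none)", "10.253.0.4/32", "0", "0", "0", "off"]),
])


@dataclass
class Peer:
    public_key: str
    endpoint: str
    allowed_ips: str
    latest_handshake: int      # unix time; 0 means never
    keepalive: Optional[int]   # None when "off"


@dataclass
class Verdict:
    public_key: str
    state: str                 # "never", "stale" or "ok"
    handshake_age: Optional[int]
    advice: str


def parse_dump(text: str) -> Tuple[int, List[Peer]]:
    """Return the server's ListenPort and one Peer per remaining line."""
    lines = text.strip("\n").splitlines()
    _priv, _pub, listen_port, _fwmark = lines[0].split("\t")
    peers = []
    for line in lines[1:]:
        pk, _psk, endpoint, allowed, hs, _rx, _tx, ka = line.split("\t")
        peers.append(Peer(pk, endpoint, allowed, int(hs), None if ka == "off" else int(ka)))
    return int(listen_port), peers


def classify(peer: Peer, now: int) -> Verdict:
    if peer.latest_handshake == 0:
        return Verdict(peer.public_key, "never", None,
                       "no handshake ever received: the peer's packets are not reaching this "
                       "interface (router forward to ListenPort, peer Endpoint, key pair)")
    age = now - peer.latest_handshake
    if age > REJECT_AFTER_TIME:
        advice = "no current session: if the peer is sending traffic, it is not arriving"
        if peer.keepalive is None or peer.keepalive > NAT_SAFE_KEEPALIVE:
            advice += (f"; keepalive {peer.keepalive or 'off'} exceeds {NAT_SAFE_KEEPALIVE}s "
                       "and will not hold a NAT mapping open")
        return Verdict(peer.public_key, "stale", age, advice)
    return Verdict(peer.public_key, "ok", age, "handshake current")


def report(text: str, now: Optional[int] = None) -> Tuple[int, List[Verdict]]:
    now = int(time.time()) if now is None else now
    listen_port, peers = parse_dump(text)
    return listen_port, [classify(p, now) for p in peers]


if __name__ == "__main__":
    # Pipe real output in (`wg show wg0 dump | python3 wg_status.py`), else use the sample.
    dump = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_DUMP
    port, verdicts = report(dump, NOW if dump is SAMPLE_DUMP else None)
    print(f"server ListenPort {port} (this is the UDP port the router must forward)")
    for v in verdicts:
        age = "never" if v.handshake_age is None else f"{v.handshake_age}s ago"
        print(f"{v.public_key[:12]:<14} {v.state:<6} handshake {age}: {v.advice}")
```

The persistent-keepalive column is the server's own keepalive toward each peer; a keepalive set only in the phone's config is not visible here, so when a peer shows as stale each morning, check the keepalive on whichever side sits behind NAT. A "never" verdict with a peer that reports "connected" in its app is the classic sign that the UDP port is not actually reaching the server: the client sends its handshake initiation and simply never gets a response.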
