WireGuard quickstart


ljm42


2 hours ago, charlescc1000 said:

I'm having issues with getting the handshake to successfully occur.

I have WG set up on my Unraid server using the public IP. (I will use DDNS later, but I'm trying to reduce variables to solve this problem.)

I am running an EdgeRouter and set up a port forward to my Unraid server. I've ensured bridging is enabled on eth0.

I have configured a peer as "Remote Access to LAN" and tested this config using the QR code method on my iPhone. I can't get my iPhone to handshake with Unraid. I have "Local server uses NAT" set to Yes for now. Will set up the static route later once I can get the basic stuff working.

Here is a screenshot of my configuration:

I read through this whole thread and saw some people had the same issue as me and tried the different solutions that worked for them, but none worked for me. Any thoughts on what I can do to identify the issue? Thanks!

(screenshot: wg-config-screenshot.png)

At a guess I would say check that your port forwarding is correct, as I have exactly the same settings as your screenshot and it works fine.



I had the same issue using the QR code on Android. I downloaded the config instead and imported it directly in the app. That solved it for me. Now it is working as expected.

As a side note, I had to change the filename of the conf file. Otherwise the app told me it can't import it.

The QR code shown is just a non-functional example, for reference.

Sent from my MI 8 using Tapatalk

I'm still getting weirdness connecting to my dockers. From certain external IPs they can't connect at all to any of my docker services unless I disable the VPN connection. Other external IPs are working fine, so I am not sure how this would get messed up?
10 minutes ago, RAINMAN said:

I'm still getting weirdness connecting to my dockers. From certain external IPs they can't connect at all to any of my docker services unless I disable the VPN connection. Other external IPs are working fine, so I am not sure how this would get messed up?

Do you know what IP subnet the dockers and problem sites are on? I have encountered routing issues where the remote subnet and the LAN end are on the same subnet. Not sure if this is an inherent problem or I just do not know how to set up things correctly, but just in case I have moved my home LAN off the 192.168.0.x and 192.168.1.x ranges, as these are commonly used elsewhere.
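The config import and filename problem darkreeper ran into, and itimpi's point about the two ends sharing a subnet, can both be checked before a config ever reaches the phone. The linter below is an added example, not code from Unraid, from the WireGuard project or from any poster in this thread. It parses a wg-quick style config, checks the tunnel name against the interface-name rule the WireGuard apps enforce on import (1 to 15 characters from letters, digits and `_=+.-`, which is why a long downloaded filename gets refused), verifies that keys decode to 32 bytes and that the Endpoint carries a port, flags a full-tunnel `0.0.0.0/0` peer, and warns when a peer's AllowedIPs overlaps the subnet the client itself is sitting on. The sample config, its placeholder keys, the 10.9.0.2 address and the 203.0.113.10 endpoint are constructed for the example.

```python
import base64
import ipaddress
import re

# Interface names: 1-15 characters (Linux IFNAMSIZ - 1) from letters, digits and "_=+.-".
# The WireGuard apps apply the same rule to a config's filename on import.
TUNNEL_NAME_RE = re.compile(r"^[a-zA-Z0-9_=+.-]{1,15}$")


def parse_wg_conf(text):
    """Parse a wg-quick config into {"Interface": {...}, "Peer": [{...}, ...]} (configparser
    cannot keep several [Peer] sections apart, hence the hand-rolled loop)."""
    interface, peers, current = {}, [], None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()
            if section == "interface":
                current = interface
            elif section == "peer":
                current = {}
                peers.append(current)
            else:
                raise ValueError(f"unknown section [{section}]")
            continue
        if current is None or "=" not in line:
            raise ValueError(f"unexpected line: {raw!r}")
        key, value = (part.strip() for part in line.split("=", 1))
        current[key.lower()] = value
    return {"Interface": interface, "Peer": peers}


def _is_wg_key(b64):
    """WireGuard keys are 32 bytes, i.e. exactly 44 base64 characters."""
    try:
        return len(base64.b64decode(b64, validate=True)) == 32
    except (ValueError, TypeError):
        return False


def lint_wg_conf(tunnel_name, text, local_lan=None):
    """Findings for a client-side config; [] means nothing obvious is wrong.
    local_lan is the subnet the client itself sits on, if known."""
    findings = []
    if not TUNNEL_NAME_RE.match(tunnel_name):
        findings.append(f"tunnel name {tunnel_name!r} is not a valid interface name "
                        "(1-15 chars of letters, digits, _=+.-)")
    conf = parse_wg_conf(text)
    if not _is_wg_key(conf["Interface"].get("privatekey", "")):
        findings.append("Interface: PrivateKey is not a base64-encoded 32-byte key")
    lan = ipaddress.ip_network(local_lan, strict=False) if local_lan else None
    for n, peer in enumerate(conf["Peer"], 1):
        if not _is_wg_key(peer.get("publickey", "")):
            findings.append(f"Peer {n}: PublicKey is not a base64-encoded 32-byte key")
        endpoint = peer.get("endpoint", "")
        host, _, port = endpoint.rpartition(":")
        if not host or not port.isdigit() or not 1 <= int(port) <= 65535:
            findings.append(f"Peer {n}: missing or malformed Endpoint {endpoint!r}")
        allowed = []
        for cidr in filter(None, (c.strip() for c in peer.get("allowedips", "").split(","))):
            try:
                allowed.append(ipaddress.ip_network(cidr, strict=False))
            except ValueError:
                findings.append(f"Peer {n}: bad AllowedIPs entry {cidr!r}")
        if any(net.prefixlen == 0 for net in allowed):
            findings.append(f"Peer {n}: AllowedIPs covers everything, all traffic goes through the tunnel")
        elif lan is not None:
            for net in allowed:
                if net.version == lan.version and net.overlaps(lan):
                    findings.append(f"Peer {n}: AllowedIPs {net} overlaps the local LAN {lan}; "
                                    "the two ends need different subnets")
    return findings


# Constructed sample for a phone peer in "Remote access to LAN" mode: the keys are
# placeholder byte patterns, not real key material, and 203.0.113.10 is a documentation
# address standing in for the server's public IP.
KEY_A = base64.b64encode(bytes(range(32))).decode()
KEY_B = base64.b64encode(bytes(range(32, 64))).decode()
SAMPLE_CONF = f"""\
[Interface]
PrivateKey = {KEY_A}
Address = 10.9.0.2/32
DNS = 192.168.254.3

[Peer]
PublicKey = {KEY_B}
Endpoint = 203.0.113.10:51820
AllowedIPs = 10.9.0.0/24, 192.168.254.0/24
PersistentKeepalive = 25
"""

if __name__ == "__main__":
    for name in ("wg-config-exported-from-unraid", "wg0"):
        print(name, "->", lint_wg_conf(name, SAMPLE_CONF) or "clean")
    # Same config imported on a phone whose Wi-Fi also happens to be 192.168.254.0/24.
    print(lint_wg_conf("wg0", SAMPLE_CONF, local_lan="192.168.254.0/24"))
```

Run as-is, the long name is rejected and `wg0` passes clean; the third call shows the overlap warning itimpi describes, which is the case where a phone on a remote Wi-Fi that also uses 192.168.254.0/24 ends up with two routes for the same prefix and never reaches the Unraid LAN.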
11 minutes ago, itimpi said:

Do you know what IP subnet the dockers and problem sites are on? I have encountered routing issues where the remote subnet and the LAN end are on the same subnet. Not sure if this is an inherent problem or I just do not know how to set up things correctly, but just in case I have moved my home LAN off the 192.168.0.x and 192.168.1.x ranges, as these are commonly used elsewhere.

The WireGuard subnet is 10.9.0.x
Local LAN is 192.168.254.x
Remote IP example that doesn't work is 69.17.172.210
Remote IP example that does work is 140.238.153.159
Docker subnet 172.17.0.1?
2 hours ago, jonathanm said:

What LAN addresses are you assigned on those remote WANs?

Those IPs are not connecting to WireGuard. They are only connecting to the nginx docker via my external IP. One is a 192.168.0.x network; the other I don't know, since it's not mine, but I doubt their internal network address would be relevant when they connect via my external public IP. The only reference to WireGuard in this is that when it's enabled they can't hit my dockers, and when it's disabled they can hit them fine. It's like a routing issue where the reply to the request is going out over the VPN instead of directly back, if that makes sense.
3 hours ago, darkreeper said:

That is the case for all VPN variants

Sent from my MI 8 using Tapatalk

Unraid is the peer, as I mentioned before.

The remote VPN server has:
ens3: 10.0.0.5
lo: 127.0.0.1
tun0: 10.8.0.1
wg0: 10.9.0.1

Local Unraid uses:
br0: 192.168.254.3
docker0: 172.17.0.1
eth0: some IPv6 address?
lo: 127.0.0.1
bunch of vethxxxx: IPv6
wg0: 10.9.0.6

No overlaps except the wg interfaces on both, which is proper.

Note, I am not using WireGuard to connect from outside in. I am using it to route Unraid traffic out over the VPN.
Just to be sure: you want to connect your Unraid server to a VPN server somewhere in the world?

Sent from my MI 8 using Tapatalk
1 hour ago, darkreeper said:

And is this some kind of VPN provider, not a private person?

Sent from my MI 8 using Tapatalk

It is a private VPN. I have 4 different VPS servers that I use for VPN. All have the same issue if I use a different one. Then again, they are all set up more or less the same, but no other clients connecting to them have issues.
If you connect your PC to your VPS via VPN it works, but with Unraid (same network) it doesn't?

Sent from my MI 8 using Tapatalk
1 minute ago, darkreeper said:

If you connect your PC to your VPS via VPN it works, but with Unraid (same network) it doesn't?

Sent from my MI 8 using Tapatalk

Yes. My desktop is always connected and my phone is also mostly connected.
7 minutes ago, bonienl said:

All remote peers need a correct setting for "AllowedIPs" to reach the Unraid server and/or containers over the tunnel.

There are no remote peers accessing Unraid or dockers via VPN.

Remote peers are accessing dockers directly via external IP/port.

Then it looks like you have a routing issue.

When Unraid is configured for VPN access, it will have a default route 0.0.0.0/0 pointing to the WG tunnel.

Any containers with a host or bridge network will then not be remotely accessible via your external IP/port.
7 minutes ago, RAINMAN said:

So basically if I have a VPN on Unraid I can't use any dockers from outside my network? Any way to correct the routing?

A VPN connection in essence means your system is only reachable over its VPN connection. Any other path is considered 'route leaking' and usually not what you want (security breach).

9 minutes ago, RAINMAN said:

But then why do some remote IPs still work but others not?

You mean certain containers are still reachable?

This is expected when these containers run on a custom (macvlan) network.
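bonienl's explanation above (the 0.0.0.0/0 route into the tunnel, and the macvlan exception) can be reproduced with a small routing-table model. The code below is an added example, not code from Unraid, WireGuard or any poster in this thread. It does a longest-prefix lookup over constructed tables built from the addresses RAINMAN listed, and approximates what wg-quick actually does for a 0.0.0.0/0 peer: not a plain default route in the main table, but a policy rule that consults the main table with its default route suppressed and sends whatever is left to a separate table whose only entry is `default dev wg0`. The remote client address 203.0.113.7, the device names and the macvlan container's table are assumptions made for the example.

```python
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Route:
    prefix: str  # destination prefix, e.g. "192.168.254.0/24"
    dev: str     # egress interface


def lookup(table, dst):
    """Plain longest-prefix match over one table; returns the egress device or None."""
    dst = ipaddress.ip_address(dst)
    best_net, best_dev = None, None
    for route in table:
        net = ipaddress.ip_network(route.prefix)
        if dst in net and (best_net is None or net.prefixlen > best_net.prefixlen):
            best_net, best_dev = net, route.dev
    return best_dev


def wg_quick_lookup(main_table, dst, tunnel="wg0"):
    """Approximates the policy routing wg-quick installs for a peer with AllowedIPs =
    0.0.0.0/0: packets not marked by WireGuard itself consult the main table with its
    default route suppressed (ip rule ... table main suppress_prefixlength 0), and
    whatever is left falls through to a table whose only entry is 'default dev wg0'.
    The tunnel's own encrypted UDP packets carry the fwmark and skip this, which is
    why the tunnel does not route itself into itself."""
    specific = [r for r in main_table if ipaddress.ip_network(r.prefix).prefixlen > 0]
    return lookup(specific, dst) or tunnel


# Constructed main table for the Unraid host, using the addresses RAINMAN posted.
UNRAID_MAIN = [
    Route("0.0.0.0/0", "br0"),            # default via the LAN router
    Route("192.168.254.0/24", "br0"),     # LAN
    Route("10.9.0.0/24", "wg0"),          # WireGuard transfer network
    Route("172.17.0.0/16", "docker0"),    # bridge-networked containers
]

# A container on a custom macvlan network has its own network stack and its own
# routes; the host's policy rules never apply to it. (Assumed table for the example.)
MACVLAN_CONTAINER = [
    Route("0.0.0.0/0", "eth0"),           # via the LAN router directly
    Route("192.168.254.0/24", "eth0"),
]


def reply_reaches_client(client_ip, ingress, table, host_vpn_policy):
    """A TCP connection from client_ip that arrived on `ingress` only completes if the
    SYN-ACK leaves on the same interface. host_vpn_policy says whether this table is
    subject to the wg-quick rules (True for the host, False for a macvlan container)."""
    egress = wg_quick_lookup(table, client_ip) if host_vpn_policy else lookup(table, client_ip)
    return egress == ingress


if __name__ == "__main__":
    client = "203.0.113.7"   # assumed internet client hitting the nginx container
    print("host, VPN down       :", reply_reaches_client(client, "br0", UNRAID_MAIN, False))
    print("host, VPN up         :", reply_reaches_client(client, "br0", UNRAID_MAIN, True))
    print("macvlan, host VPN up :", reply_reaches_client(client, "eth0", MACVLAN_CONTAINER, False))
    print("LAN client, VPN up   :", reply_reaches_client("192.168.254.20", "br0", UNRAID_MAIN, True))
```

With the VPN up, the host's reply to an internet client is steered into wg0 while the SYN arrived on br0, so the handshake never completes; a LAN client still works because 192.168.254.0/24 is a specific route that survives the suppression, and a macvlan container, which has its own table, answers straight over the LAN. On the real box, `ip rule show` and `ip route show table all` display the rules and the extra table this model stands in for.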

Hi, got this set up in a matter of minutes following the guide posted, and connecting to my server works great!!

Problem is that I can't access anything else on the web from the peer (iPhone 11 Pro on iOS 13).

I tried both "Remote tunneled access" and "Remote access to LAN" access types, with the same issue on both.

Any ideas?

Thx
