Jump to content
ljm42

WireGuard quickstart

542 posts in this topic Last Reply

Recommended Posts

13 hours ago, unRaide said:

Hi, got this setup in a matter of minutes following the guide posted and connecting to my server works great!!

 

Problem is that i cant access anything else on the web from the peer (iphone 11 pro on ios 13.)

 

I tried both "Remote tunneled access" and "Remote access to Lan" access types with the same issue on both.

 

Any ideas?

 

Thx

 

Did you define the DNS? I had a similar issue that was resolved after I defined the DNS.

Share this post


Link to post

For all those having problems and everything seems to be well configured. I figured out a dumb solution, I was hitting my head with the table (figuratively speaking) at the moment I got it working.

 

Disable data saving on your android phone or iphone.

Invite me a coffee

 

I've been 2 hours trying different ports, different settings, removing tunnels, creating them again, reinstalling wireguard. All was fine... it was the damn phone. I hate this feeling.

Share this post


Link to post
On 12/20/2019 at 4:47 PM, trurl said:

Possibly your work network won't allow it.

According to our IT person it should allow the VPN to connect.  I even tested it by taking my tablet in and doing a USB-C to Ethernet Connection and it should our domain and allowed my tablet to access my Server UnRaid UI. He thinks it may be something with the a certificate.

Share this post


Link to post
On 1/7/2020 at 2:36 AM, Ruato said:

 

Did you define the DNS? I had a similar issue that was resolved after I defined the DNS.

Hi Ruato, thanks for replying. Updating the “Peer DNS Server” setting worked!
 

However, I’m currently using pihole on 192.168.1.2 but setting the dns to that didn’t seem to work. I had to use a public dns like quad9. Does anyone know if it’s possible to route peer traffic through pihole?

Share this post


Link to post

I apologize if this has already been covered but im having issues accessing unraids web gui while connected through wireguard but am able to access various dockers and other devices on my network.  Even the controlIR app works.  Im so lost im not even sure how to further describe this issue.  Any help would be greatly appreciated. 

Share this post


Link to post
4 minutes ago, ArtVandelay said:

im having issues accessing unraids web gui while connected through wireguard

Are you trying to access by IP address or by server name? 

Share this post


Link to post
26 minutes ago, trurl said:

Are you trying to access by IP address or by server name? 

ive tried both and it quickly redirects to a long address ie:  3838438r834839r576289f8f7s39g0s8acbfdb.unraid.net (which it usually does on my local network) but i immediately get a ERR_NAME_NOT_RESOLVED error. 

 

Just to clarify.  I can still access the web gui on my local network while a wireguard device is connected.  Just not on the wireguard connected device itself.

Edited by ArtVandelay

Share this post


Link to post

I'm having a bit of networking trouble with this.  

 

I'm running in remote tunneled access from a phone and a PC.  They are outside of my LAN.  I can ping and connect to all LAN devices, including the unraid GUI.

I have NAT off on the wireguard setup.  I've also tried it with NAT on, it doesn't work.

I have the static route set as instructed in the GUI.

I use Unifi network gear.

 

I am running the @SpaceInvaderOne Shinobi CCTV docker, which works great while on the LAN.  My unraid machine has two NICs.  eth0 is for traffic other than the CCTV, eth1 is on a separate network VLAN and is in bridge mode, br1.  ShinobiCCTV on that VLAN is accessible from my main network.  Firewall rules keep the cameras from reaching the internet, and the cameras can't start communications outside of their network.  That whole IP range is isolated.

 

When on the wireguard connection, I have the DNS server set to my network gateway and the internet addresses are accessible.  

 

ShinobiCCTV has its own IP address 1 lower than my unraid server, I'm using the standard port 8080.  Looking in my network admin software I can see unique mac addresses for shinobiCCTV docker and Unraid on that VLAN.

 

I SSH into my gateway and the output of "show ip route" is

"S>* 10.253.0.0/24 [1/0] via 10.69.1.20, eth1"

which seems correct, yes?

 

****

As a second point.... dividing my network was based on the concept of security paranoia with IP cameras and other IOT devices.  If there is a better way to do this please let me know.

 

image.thumb.png.73c79d8674cf9b0eceb2bb28c937f2d9.png

 

I'm not sure what to do here.  I've searched a lot, but I don't know the next step to fix this.  Thank you.

Share this post


Link to post

I am struggling with this. I am trying to get a tunnel so all of my traffic goes through Wireguard. I am connecting okay and can access my unRaid server and other servers on the main LAN just fine. I can't access any internet sites though. It feels like a DNS issue but I think I have it all setup as I should.

 

uNRAID IP: 192.168.44.10

Router/DNS : 192.168.44.254

 

Wireguard config:-

 

811704180_Screenshot2020-01-13at14_05_04.thumb.png.c0c2cc17015057190d12ba7d25ad445c.png

 

Router static route:-

1308094446_Screenshot2020-01-13at14_05_35.thumb.png.60a5788a2440813fc80aab55e36aa2c7.png

 

 

Share this post


Link to post

Thanks for this guide, it's working well for me.  I can access my containers on my separate VLAN (192.168.5.0/24) when connected via WireGuard.  My unRAID server is 192.168.1.50.

 

In my client configuration I get:

 

AllowedIPs=10.253.0.1/32, 192.168.1.0/24

 

For everything to work on the client I need to explicitly add 192.168.5.0/24 to the list (e.g when setting up my phone, I had to do this on the phone itself).

 

What is a valid config entry in unRAID to have other subnets populate?  I tried adding 192.168.5.0 and 192.168.5.0/24 to the 'Peer allowed IPs' setting but that seems to make no difference.

Share this post


Link to post
6 hours ago, planetwilson said:

It feels like a DNS issue but I think I have it all setup as I should

Can you ping the DNS IP address 192.168.44.254 ?

Otherwise try DNS 8.8.8.8

Share this post


Link to post
1 hour ago, PsyVision said:

What is a valid config entry in unRAID to have other subnets populate?

There is NO such entry. The allowed IPs for the peer are automatically generated based on the interfaces/networks present on the server.

 

Three possible approaches:

1. Configure an IP address + subnet on the VLAN interface for the server. This will add an entry to the peer config

2. Use "Remote tunneled access". This sets a default route (=all subnets) on the peer

3. Manually add the entry at the peer side. What you are doing right now

Share this post


Link to post
51 minutes ago, bonienl said:

There is NO such entry. The allowed IPs for the peer are automatically generated based on the interfaces/networks present on the server.

 

Three possible approaches:

1. Configure an IP address + subnet on the VLAN interface for the server. This will add an entry to the peer config

2. Use "Remote tunneled access". This sets a default route (=all subnets) on the peer

3. Manually add the entry at the peer side. What you are doing right now

Thanks @bonienl!

Share this post


Link to post
9 hours ago, bonienl said:

Can you ping the DNS IP address 192.168.44.254 ?

Otherwise try DNS 8.8.8.8

 

I can ping the unraid box and I can ping the router/DNS address. I have tried setting 8.8.8.8 on the client and that doesn't work either.

Share this post


Link to post

Is the remote peer a Windows machine?

Could be a firewall issue, try to disable temporary and see if that makes a difference.

Share this post


Link to post
18 minutes ago, bonienl said:

Is the remote peer a Windows machine?

Could be a firewall issue, try to disable temporary and see if that makes a difference.

 

No I am experiencing the same issue on a Mac and on an iPhone as well. Are there any route settings I need to set within unRaid as well or just on my router?

Share this post


Link to post

If all is pingable then routing-wise everything is in place.

I suspect something on a higher level is blocking the communication, hence my firewall hint.

Share this post


Link to post

After two days of trying the unraid implementation of wireguard, here is my summary of what works and what doesn't work:

 

1. Simple connection (if you dont have any vlan or vlan interfaces on unraid) between unraid sever and windows client works in "Lan mode" and "Tunnel mode"

 

2. Even when routed properly on router, if your docker is on a separate subnet (ie vlan), you will still be blocked, however, VM on a different vlan can be reached

 

3. Windows client currently only supports one connection/interface at a time, there is a workaround to add more interface but is not elegant.

 

Not being able to reach docker on a different subnet was the deal breaker for me, so I stopped using unraid for wireguard.

When wireguard is installed on a VM it works perfectly, you can reach everything including docker on a vlan.

 

Edit: turns out it was vlan/docker setting issue, see below

Edited by hdlineage

Share this post


Link to post
27 minutes ago, hdlineage said:

2. Even when routed properly on router, if your docker is on a separate subnet (ie vlan), you will still be blocked, however, VM on a different vlan can be reached

I have no such issues.  I have several docker containers on a VLAN (.3.x subnet with unRAID server and host/bridge containers on a .1.x subnet).  All docker container WebUIs on the VLAN are aaccessible via Wireguard.  The problem initially preventing access to them via WireGuard turned out to be a misconfiguration in the VLAN in unRAID.

Share this post


Link to post
1 hour ago, Hoopster said:

I have no such issues.  I have several docker containers on a VLAN (.3.x subnet with unRAID server and host/bridge containers on a .1.x subnet).  All docker container WebUIs on the VLAN are aaccessible via Wireguard.  The problem initially preventing access to them via WireGuard turned out to be a misconfiguration in the VLAN in unRAID.

Can you share your setup including how you configured the unraid VLAN?

 

My unraid has two interfaces:

br0 with subnet 192.168.1.0/24      (unraid host ip: 192.168.1.10)   gateway(router) 192.168.1.1

br0.100 (vlan) with subnet 192.168.100.0/24 (unraid host ip: 192.168.100.10) gateway(router) 192.168.100.1

 

My VM and docker uses br0.100 with subnet 192.168.100.0/24

 

I configured wireguard to use the subnet 192.168.150.0/24

 

My router is configured with static route to all the subnets listed above.

 

Whenever I'm connected via unraid wireguard I can access everything except docker (I can connect to VM on the same subnet)

When routing Wireguard traffic back to unraid I could only use 192.168.100.10 but not 192.168.1.10 (this is weird since I could access unraid GUI through both IP which means the two interfaces were working normally, maybe wireguard pick one interface to listen on?)

 

With this setup I could not access docker on the 192.168.100.0/24, but was able to access VM on the same subnet.

However, when i connect to wireguard installed on the VM, there is no problem at all.

Edited by hdlineage

Share this post


Link to post
5 minutes ago, hdlineage said:

Can you share your setup including how you configured the unraid VLAN?

I did a write-up of my unRAID and router configuration to get this working as I initially had the same problem (no access to docker containers on the VLAN).  Additionally, I wanted WireGuard connected clients to go through Pihole just as they do on my LAN.

 

The write-up can be found here.

Share this post


Link to post
36 minutes ago, Hoopster said:

I did a write-up of my unRAID and router configuration to get this working as I initially had the same problem (no access to docker containers on the VLAN).  Additionally, I wanted WireGuard connected clients to go through Pihole just as they do on my LAN.

 

The write-up can be found here.

Thanks for your help.

We have very similar config except I have the unraid on the vlan as well.

Turns out it was the two interfaces that's causing trouble.

Somehow if unraid has an interface that is on the same subnet/vlan as docker, you can't access docker no matter what.

 

For me it doesn't really matter where unraid is, but I do wonder if there is a way to for unraid to be on the same subnet as docker.

Share this post


Link to post
1 hour ago, hdlineage said:

but I do wonder if there is a way to for unraid to be on the same subnet as docker.

In version 6.8.1 a new setting is introduced "Host access to custom networks" which allows Unraid to communicate with docker containers on the same (macvlan) network.

 

Unfortunately 6.8.1 is missing a update which causes the new setting not to function yet, this will be corrected in 6.8.2.

 

Share this post


Link to post
On 1/16/2020 at 2:26 AM, bonienl said:

In version 6.8.1 a new setting is introduced "Host access to custom networks" which allows Unraid to communicate with docker containers on the same (macvlan) network.

 

Unfortunately 6.8.1 is missing a update which causes the new setting not to function yet, this will be corrected in 6.8.2.

 

 

This may be the solution to my problem?  If so - is there a CLI implementation or a work around?  I am unable to access my CCTV streams remotely due to this.  Thank you.

Share this post


Link to post

Join the conversation

You can post now and register later. If you have an account, sign in now to post with your account.
Note: Your post will require moderator approval before it will be visible.

Guest
Reply to this topic...

×   Pasted as rich text.   Restore formatting

  Only 75 emoji are allowed.

×   Your link has been automatically embedded.   Display as a link instead

×   Your previous content has been restored.   Clear editor

×   You cannot paste images directly. Upload or insert images from URL.