WireGuard quickstart

Hi,

I'm trying to set up WireGuard to UDP/53.

From the logs I can see this:

wireguard: wg0: Could not create IPv4 socket
A link change request failed with some changes committed already. Interface wg0 may have been left with an inconsistent configuration, please check.

I checked what's listening on port 53, and dnsmasq seems to be listening on TCP/53 and has a record on UDP but is not listening, as far as I can see:

sudo lsof -i -P -n | grep :53
avahi-dae  9673  avahi   14u  IPv4    29488      0t0  UDP *:5353
avahi-dae  9673  avahi   15u  IPv6    29489      0t0  UDP *:5353
dnsmasq   26708 nobody    5u  IPv4    76177      0t0  UDP 192.168.122.1:53
dnsmasq   26708 nobody    6u  IPv4    76178      0t0  TCP 192.168.122.1:53 (LISTEN)

(192.168.122.0 is not my network; I do not know what this is for.)

Is the dnsmasq port preventing WireGuard from binding?

No docker or VM listening on UDP/53.

Any idea?

Thanks,

Mark

Edited by MasterMark
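A small diagnostic for the bind failure described in this post, added here as an example rather than taken from the thread: it reads the column layout of `sudo lsof -i -P -n` and reports every socket already on a given protocol and port. WireGuard binds the wildcard address, so a socket tied to one specific address on that port (here dnsmasq on 192.168.122.1:53) is enough for its bind to fail with the "Could not create IPv4 socket" line from the log. The sample lines are constructed from the lsof output quoted above; the function names are this example's own.

```shell
#!/bin/sh
# Added example (not from the original post): report which process already owns a
# given protocol/port, using the column layout of `sudo lsof -i -P -n`.
# Sample input constructed from the lsof output quoted in the thread.
SAMPLE_LSOF='avahi-dae  9673  avahi   14u  IPv4    29488      0t0  UDP *:5353
avahi-dae  9673  avahi   15u  IPv6    29489      0t0  UDP *:5353
dnsmasq   26708 nobody    5u  IPv4    76177      0t0  UDP 192.168.122.1:53
dnsmasq   26708 nobody    6u  IPv4    76178      0t0  TCP 192.168.122.1:53 (LISTEN)'

# port_owners PROTO PORT
# Reads lsof lines on stdin and prints "command pid user address" for every
# socket on PROTO (UDP or TCP) whose local port is PORT. The address column is
# split on ":" and the last piece taken, so *:53, 10.0.0.1:53 and [::1]:53 all match.
port_owners() {
    awk -v proto="$1" -v port="$2" '
        $8 == proto {
            n = split($9, a, ":")
            if (a[n] == port) print $1, $2, $3, $9
        }'
}

# wg_port_free PROTO PORT
# Succeeds when nothing on stdin is bound to PROTO/PORT. A socket bound to a
# single address still counts: WireGuard binds the wildcard address, which
# conflicts with it and produces the "Could not create IPv4 socket" error.
wg_port_free() {
    [ -z "$(port_owners "$1" "$2")" ]
}

# Stand-alone demo on the constructed sample. On a live box run instead:
#   sudo lsof -i -P -n | port_owners UDP 53
if [ "${1:-}" = "--demo" ]; then
    printf '%s\n' "$SAMPLE_LSOF" | port_owners UDP 53
    printf '%s\n' "$SAMPLE_LSOF" | wg_port_free UDP 53 \
        || echo "UDP/53 is taken; choose another ListenPort or free the port first"
fi
```

Run it with `--demo` to see the conflicting dnsmasq socket; feeding it real lsof output before changing ListenPort tells you whether the new port is actually free.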

Hi, first of all, awesome work on Unraid and implementing WireGuard within it!

I am able to connect remotely (with LTE/4G or separate Wi-Fi) without issues. I can access my UnRaid server and some Docker containers (in `host` mode).

I am however stuck on making `Remote access to LAN` or `Remote tunneled access` work. When I am connected with my phone (or a test PC connected on another Wi-Fi network) I can't access any of the LAN devices. With `Remote tunneled access` I can't reach any website.

I updated the config on my phone every time I made changes on Unraid.

I did a `ping -t 1 192.168.0.1` on my phone using ADB to see what's wrong and emulate the `traceroute` command. This is the IP of my router (home LAN) that I can normally ping from any device connected to the LAN. The UnRaid server is at 192.168.0.13. I configured the WireGuard server to use the range `10.42.0.0/24` for peers. I see that the ping returns `10.42.0.1` which is the IP of the WireGuard server. It seems correct up to that point.

Then I ran `ping -t 2 192.168.0.1`. Here all packets are lost. I cannot go any further than the WireGuard server, which probably explains why `Remote access to LAN` and `Remote tunneled access` don't work.

I have `Local server uses NAT` (WireGuard), `Enable bridging` and `Enable bonding` (Network settings) all set to `Yes`.

Does someone know where this could come from?

On 1/14/2020 at 12:08 PM, bonienl said:

If all is pingable then routing-wise everything is in place.

I suspect something on a higher level is blocking the communication, hence my firewall hint.

Okay, I feel pretty stupid now. Checking the key values, I can see I never managed to generate a preshared key. Once I did that, it all started working.

I tried with NAT off and it worked for a few seconds, then stopped, even though I have a static route in place. With NAT on it just works, so I'll stick with that as I have no dockers with custom IPs running anyway.

6 hours ago, bonienl said:

Your phone must be in a different local network than 192.168.0.0/24, is that the case?

When I did this test, the phone was connected to 4G/LTE (so different network entirely) with the WireGuard VPN turned ON – I could access the UnRaid server using both IPs: 192.168.0.13 for LAN or via WireGuard's subnet at 10.42.0.1 (I believe phone is at 10.42.0.7).
All physical devices are on 192.168.0.0/24 subnet since I have only one router (Ethernet/Wi-Fi) for the entire house.
The UnRaid server is at 192.168.0.13 on this LAN (Ethernet / eth0). I am trying to remotely access devices on this subnet using the WireGuard VPN.

11 hours ago, bonienl said:

Why are you trying to use port 53?

This conflicts with the DNS service

I'm trying to bypass firewalls.

I am not hosting a DNS service on Unraid nor on my router (on the WAN side). It should not conflict with anything.

How does WireGuard bind to a port? Can I set it to bind to a specific ip-address:port?

Or can I somehow disable the dnsmasq service?

13 minutes ago, bonienl said:

You are saying your Unraid server is behind a firewall out of your control?

No.

I want to bypass the firewall on the client side. Like when you connect to a public Wi-Fi and their firewall only allows specific ports, e.g. only 53/udp, 80/tcp and 443/tcp.

It is a common strategy for VPNs to put the service on these ports to bypass these "fool" firewalls without DPI.

I got the idea from aptalca:

"I'm now using wireguard over 53 udp and openvpn over 80 tcp"

Edited by MasterMark
24 minutes ago, bonienl said:

You can do port translation on your router.

The external port is 53 (to which your client is talking), the internal port is "default" 51820 (used by WG).

Hmm, well this should work.

Thanks, I am going to try this.

edit: Unless it will break the QR code and file, because these will contain the original port. :(

Edited by MasterMark

Hi,

I decided to go with a fresh start to see what could be the issue. 

I disabled bonding in the network settings since I don't have a use for it, removed the Dynamix WireGuard plugin, removed the WireGuard config folder on the USB and set up everything from scratch.

After configuring my phone, everything worked as expected (Tunneled and/or LAN)! 😀
I set up WireGuard as part of the RC of 6.8. That probably messed things up somewhere 🤔
With Unraid 6.8.1 and a fresh version of the Dynamix WireGuard plugin (2020.01.17a), it solved the issues I was having. Maybe that will help someone in the future.


Tried this and it worked on the first try :) Easier to set up than OpenVPN.
I guess only things you access on the LAN side are tunneled, not everything on the client?

This will come in handy when I'm setting up a remote server someday :D

edit: Found out how to pipe everything from client through the tunnel :)

Edited by isvein

had this set up and working just fine, then issues started.

I have my main server set up with the port-forwarded at my router. I can reach it from my phone, my kids can reach it from their laptops (in other states) - everything is good there.

However, my backup server does seem to be able to reach it, but the GUI locks up on the backup server when I activate WG on it. There's a rather long saga of my attempts to resolve this at this thread: https://forums.unraid.net/topic/86607-webgui-not-responding/

Long story short, I rebuilt the USB stick on my backup server. I added plugins one by one, enabling and configuring as I went. When I got to WG, I installed the plugin, then imported the .conf file. As soon as I click the "Inactive/Active" slider to activate the tunnel, the WebGUI hangs and never comes back. I had full access to the shares and could telnet in, but now I can't even do that. I have to go to the attached console and power down from there. When it reboots, it comes up with WG disabled and I have full access to the WebGUI. I can repeat this at will, though I don't really want to...

Here's a screen shot of the config on my main server showing how it's set up

[screenshot: WireGuard config on the main server]

And this is what it looks like on the Backup server

[screenshot: WireGuard config on the backup server]

The diagnostics dated 2020.01.26 are fresh from the backup server today.

backup-diagnostics-20200126-1332.zip

The diagnostics dated 2020.01.22 are from the backup server via the command line after I had enabled WG and the WebGUI hung.

backup-diagnostics-20200122-1850.zip

As I said, this had been working. I don't know what I've done differently now to make it not work, or if this was the initial cause of my WebGUI hangs a month ago.

UPDATE for clarity: My goal is to have the backup server off-site and have it connect to the main server. I don't want LAN-to-LAN access, and I don't want the main server initiating the connection to the backup server. I'm not 100% certain that I'll have access to the remote location's router to punch a hole through for WG to pass through, thus, I want to initiate the connection from there. At the moment, the two servers are sitting side-by-side at my house, both on the same network (192.168.1.x).

Edited by FreeMan
On 1/19/2020 at 9:17 AM, NOLA_DireWolff said:

This may be the solution to my problem?  If so - is there a CLI implementation or a work around?  I am unable to access my CCTV streams remotely due to this.  Thank you.

*** SOLVED - 6.8.2 Fixed this problem.  My dockers are able to be reached over WG.  No change to any of my settings necessary other than upgrade to 6.8.2.  Thank you!  ***


Here's a neat trick
I wanted a shared folder unique to each of my Wireguard clients. You know - somewhere people can drop their own files, without it being publicly visible to everyone else with access to the server. Samba is pretty flexible, so I decided to take a whack at it. I created a new share, "Personal" and set export to no in the Shares tab. Then I added this entry to smb-extra.conf in the samba settings tab:


[Personal Folder]
access based share enum = yes
allow hosts = 10.253.0.
root preexec = /bin/bash -c '[[ -d "/mnt/user/Personal/%I" ]] || { mkdir -m 0777 "/mnt/user/Personal/%I" && chown nobody:users "/mnt/user/Personal/%I"; }'
browseable = yes
writable = yes
hide unreadable = yes
path = /mnt/user/Personal/%I
What does this do? Have a line by line breakdown:
Name - how it shows up in the file explorer.
access based share enum - Only show this if the user has permission to view it.
allow hosts = 10.253.0. - allow any client with an IP matching 10.253.0.* to view this share
root preexec - execute this code before showing the root of the folder. This can be expanded substantially. Currently it just makes a new folder for the IP of the client if one doesn't already exist. You could enforce quotas here by making a new image if one doesn't exist, and then mounting said image or any other number of crazy things.

The rest is pretty standard aside from the path also using the variable "%I"

Also note that you can use this same trick outside of wireguard and clients, with pxe boot clients to have individual write shares.
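The root preexec line above builds a filesystem path from the client address that Samba substitutes for %I. As an added example (not part of the original post or of the Dynamix plugin), the script below does the same job as a stand-alone shell function that can be called from root preexec: it checks that the client id really is a dotted-quad IPv4 address before using it as a path component, creates the per-client directory only when it is missing, and applies the owner only on creation. The function names, the optional OWNER argument and the temporary base directory used in the demo are this example's own assumptions; the 0777 mode is kept from the post.

```shell
#!/bin/sh
# Added example, not from the original post: hardened stand-in for the
# `root preexec` command of the per-client Samba share.
# Usage: ensure_client_dir BASE_DIR CLIENT_IP [OWNER:GROUP]

# valid_ipv4 ADDR -> succeeds only for a dotted quad with four octets of 0..255.
# Rejects anything that could act as a path component ("../etc", "", "10..1").
valid_ipv4() {
    case $1 in
        ''|*[!0-9.]*|.*|*.|*..*) return 1 ;;
    esac
    printf '%s\n' "$1" | awk -F. '
        NF != 4 { exit 1 }
        { for (i = 1; i <= NF; i++) if ($i > 255) exit 1 }'
}

# ensure_client_dir BASE_DIR CLIENT_IP [OWNER:GROUP]
# Creates BASE_DIR/CLIENT_IP once (mode 0777 as in the post), chowns it only
# at creation time when an owner is given, and prints the resulting path.
ensure_client_dir() {
    base=$1; ip=$2; owner=${3:-}
    if ! valid_ipv4 "$ip"; then
        echo "ensure_client_dir: refusing non-IPv4 client id '$ip'" >&2
        return 1
    fi
    dir="$base/$ip"
    if [ ! -d "$dir" ]; then
        mkdir -m 0777 "$dir" || return 1
        if [ -n "$owner" ]; then
            chown "$owner" "$dir" || return 1
        fi
    fi
    printf '%s\n' "$dir"
}

# Stand-alone demo in a temporary base directory (constructed, no real share touched):
if [ "${1:-}" = "--demo" ]; then
    demo_base=$(mktemp -d)
    ensure_client_dir "$demo_base" 10.253.0.7
    ensure_client_dir "$demo_base" '../escape' || echo "rejected as expected"
    rm -rf "$demo_base"
fi
```

Wired into smb-extra.conf, the entry would become `root preexec = /path/to/this.sh /mnt/user/Personal %I nobody:users`, which keeps the quoting out of the smb.conf line and gives you one place to add quota or image-mount logic later.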

I’m having a similar issue to Pico above, but deleting everything and starting fresh didn’t help.

I created a peer with “remote tunneled access” and set it up on my phone. When I use my mobile network I can connect to the VPN and access things on my local network without issue, but I can’t access anything outside the network. I’ve tried playing with all the settings but I can’t seem to connect to pages on the internet. Is anyone else having this issue that might have potential solutions?


I've been messing with this for a little bit, and I THINK I've got the hang of it. I'd just like a little hand-holding on one specific thing. I've got an iOS device from work and it's 'locked' down by the company. They monitor everything on this, inbound and outbound. The only VPN that I've been able to install is WireGuard. So I've successfully created a Remote Tunneled Access via the WireGuard / Unraid settings for the iOS device. That is what I need for the company to NOT see any data, correct? Will I still be able to access the unRaid GUI / local LAN using that, or is this strictly for 'masking' data to and from the internet?

Also, I'm running a PiHole docker container at 192.168.86.103. I put that in the DNS Servers on the iOS device and I have no connectivity. If I take it out and put a generic 8.8.8.8 I can browse the Internet, albeit with ads though. What am I doing wrong with that?
