WireGuard quickstart


Recommended Posts

On 3/24/2020 at 12:36 AM, bonienl said:

The firewall function on the WG tunnel can only deny/permit access to devices other than Unraid itself.

 

That makes complete sense. Not sure why I didn't realize that would be the case.

 

Although I think with some extra IPTables rules you can probably block it from accessing the actual Unraid UI instance and just let it access the WG interface.

 

Essentially no WG interface -> Unraid internal communications, no?

Link to comment

Hello, this might be really stupid question. But i can't to setup Server to Server access. Do i need to run wireguard client docker on one unraid and second just wireguard server with peer added as server to server?

 

What i tried was both unraids with this plugin with both unraids created server to server peers and both peers configs share same details.

Link to comment
5 minutes ago, Korshakov said:

Hello, this might be really stupid question. But i can't to setup Server to Server access. Do i need to run wireguard client docker on one unraid and second just wireguard server with peer added as server to server?

 

What i tried was both unraids with this plugin with both unraids created server to server peers and both peers configs share same details.

 Sorry, don't mind me. I didnt see this BIG icon on the top right corner called import tunnel. *FACEPAL*

Link to comment

I have configure wireguard like this, I pretend to acces my whole LAN from the Peer.

192.168.1.0/24 Is my LAN

imagen.thumb.png.64d98adae9213f5a2bb5122b4db84556.png

In Sophos XG I have configure a FW rule to accept incoming connections from WAN to my public IP in UDP 51820

imagen.thumb.png.335ea6012b7346ad1ba14a1e1e33f6ad.png

 

Then a NAT rule to redirect the incoming connections to that port to UNRAID where wireguard is

imagen.thumb.png.1841a6824b54f36a5c8ec5937d8ddd39.png

 

So I connecto to wireguard server, and I can reach Unraid Server from my phone but that is all, I can not ping my phone ip 192.168.1.231 from any device in my network, windows pc, etc, or I can't reach with my phone to any other IP.

 

Regarding Local server uses NAT, if I enable it does it mean that I won't be able to access to any docker with custom IP from my phone?

 

I would appreciate some help or recommendations to setting up wireguard. I guess it would be cleaner to create the server in another network, disable "local server uses NAT" and then configure the static routing in the firewall.

Link to comment
8 hours ago, L0rdRaiden said:

192.168.1.0/24 Is my LAN

Then you have misconfigured the "Local tunnel address" in your WireGuard config. You should start over, and leave the local tunnel address at the default.  The tunnel is not part of your LAN and cannot share the same IP range.

Link to comment
On 3/26/2020 at 11:23 AM, dweb said:

I want to replace my Raspi Wireguard Cient with my Unraid Machine.

To me it looks like Unraid can only be a server, but is it also possible to make it a client?

The short answer is yes.  The longer answer is that from a WireGuard perspective there isn't really a difference between a server and a client, everything is a "peer". We tend to use the server/client terminology here because we are comfortable with it.

Link to comment
On 3/12/2020 at 9:10 AM, sittingmongoose said:

I have wireguard working well.  I can connect to my unraid network, and access things like my router on that network.  I set it up for Remote Access to LAN.  HOWEVER, I cant access other computers on that network?  Like in windows, if I try to see network devices, I cant see my unraid server on there.  But I can see my local NAS and other devices.  AND when I am physically on my Unraid network, I can see the Unraid server in network devices.

 

Any help would be greatly appreciated.  

 

It is unlikely that the any kind of network auto-discovery will work across the tunnel. Try connecting to the remote devices via IP address instead.

Link to comment
On 3/12/2020 at 4:28 AM, phrozen087 said:

Small followup to my last post. It seems that with the Remote Access to LAN setting I am not actually able to access anything on the LAN. I checked that bridging is enabled and I can ping the server on both 10.253.0.1 and 192.168.85.111, but I can't seem to ping any other devices on the network. I downgraded back to 6.8.2 hoping that might help, but it doesn't seem like it changed anything.

When you say you "can't seem to ping any other devices on the network", do you mean other physical devices or do you mean VMs running on Unraid?

 

I have no trouble accessing my router or a raspberry pi on the network. But I am not able to access VMs running on Unraid. Haven't figured out why yet.

Link to comment
On 3/10/2020 at 8:39 PM, Ustrombase said:

Got this installed it was super easy! However, I can't reach my unRAID box. I think that it is becuase I have https cert and it resolves to <servername>.local, and when I am on my phone connected to wireguard the DNS can't resolve / find what the address should be? Just me saying smart things trying to sound smart lol.

Does anyone have any thoughts on this? locally i can use the ip and it automatically switches to https using the hostname.local, this is why i am thinking that this is what is happening, i am on VPN as I have tested connecting to my home assistant instance and it works.

Yeah sounds like you've pegged the issue. Using SSL without proper DNS is a bit of a hack, and it won't work unless you can find a way to make your phone resolve the <servername>.local name that you have setup.

 

Your best bet would be to use Unraid's built-in LetsEncrypt client to provide https, as this gives you a DDNS name that will resolve from your phone.

Link to comment
On 2/28/2020 at 11:03 PM, Ryonez said:

Is it only possible to have one active tunnel at a time?

Unraid supports multiple tunnels being active at the same time.

 

 

On 2/28/2020 at 11:03 PM, Ryonez said:

I've been trying to set up a second one to create a game network. I have another one, an admin network that has docker access that's working fine. But this second one I can get the client and server to handshake. Any idea what the issue might be?

The second tunnel is completely separate, so you have to setup another port forward, make sure there are no IP conflicts, make sure you actually start the tunnel(!) basically all of the same troubleshooting steps mentioned in the first two posts.

 

Link to comment
19 hours ago, ljm42 said:

Then you have misconfigured the "Local tunnel address" in your WireGuard config. You should start over, and leave the local tunnel address at the default.  The tunnel is not part of your LAN and cannot share the same IP range.

I have set the tunnel address as default, but once connected I can only see unraid server.

Do I need to create a rule in the firewall to provide connectivity beween my LAN and 10.253.0.0?

Shouldn't I see my LAN once connected without adding any additional rule? is there any step by step example of someone with a Remote access to LAN connection?

Link to comment
1 hour ago, L0rdRaiden said:

is there any step by step example of someone with a Remote access to LAN connection?

That is exactly the scenario that this quickstart guide walks through :)

 

1 hour ago, L0rdRaiden said:

Do I need to create a rule in the firewall to provide connectivity beween my LAN and 10.253.0.0?

Depending on your network, you may need to add a static route to handle that. See the "Complex Networks" section of the guide. To make this easier, the WireGuard plugin now includes "remarks" that tell you what IP range to setup the static route for. You may need to switch to advanced mode to see it.

 

1 hour ago, L0rdRaiden said:

once connected I can only see unraid server.

How are you trying to connect to the other devices? You won't be able to connect by name, only by IP address.

Link to comment
1 hour ago, ljm42 said:

That is exactly the scenario that this quickstart guide walks through :)

 

Depending on your network, you may need to add a static route to handle that. See the "Complex Networks" section of the guide. To make this easier, the WireGuard plugin now includes "remarks" that tell you what IP range to setup the static route for. You may need to switch to advanced mode to see it.

 

How are you trying to connect to the other devices? You won't be able to connect by name, only by IP address.

 

I guess I must be doing something wrong in my firewall

I have added a route

imagen.thumb.png.d40960a2ea0f3f165010d5c2faa34abc.png

 

I have enabled the host access to custom networks

imagen.thumb.png.5bbcd2323e2c4dcc0f646767d64b1fc4.png

 

Still, from phone I only see the unraid machine, I can't see any other web service I have in the dockers using their IP's

 

imagen.thumb.png.e2874c85ed052d51bcf4da853c55c331.png

Edited by L0rdRaiden
Link to comment
5 minutes ago, L0rdRaiden said:

Still, from phone I only see the unraid machine, I can't see any other web service I have in the dockers using their IP's

Can you access any other devices on your network? Ones that are not in any way hosted on your Unraid server? I'm guessing you should be able to.

 

As I mentioned in my reply to phrozen087 yesterday, I have no trouble accessing my router or a raspberry pi through the tunnel. But I am not able to access VMs running on Unraid. Haven't figured out why yet.

 

I am able to access Unraid Dockers, but my setup is simpler and I don't have any Dockers on their own IP. Because of this, I have "Local server uses NAT" set to Yes.

Link to comment
11 hours ago, ljm42 said:

Can you access any other devices on your network? Ones that are not in any way hosted on your Unraid server? I'm guessing you should be able to.

 

As I mentioned in my reply to phrozen087 yesterday, I have no trouble accessing my router or a raspberry pi through the tunnel. But I am not able to access VMs running on Unraid. Haven't figured out why yet.

 

I am able to access Unraid Dockers, but my setup is simpler and I don't have any Dockers on their own IP. Because of this, I have "Local server uses NAT" set to Yes.

No, I have scanned the entire 192.168.1.0/24 (ping) and I only see unraid server while I had several devices connected in the same network that has nothing to do with unraid dockers and VMs

Do I have to create a firewall rule to provice visibility beween 192.168.1.0/24 and 10.253.0.0/24?

Link to comment
On 3/5/2020 at 2:14 AM, Ryonez said:

Pi-hole is fine to use as the DNS server for wireguard, though there's some tweaks you need to do if you're hosting pi-hole on the same unRaid server as wireguard.

Is there any way you can elaborate? 

 

I have a pihole container that works fine locally, but connecting to my server via Wireguard VPN allows ads. I'd appreciate nudge in the right direction to fix this. 

Link to comment

Forgive me that I am not reading 17 pages, but maybe someone knows how to do this:

 

I would love to setup a connection from one client to a specific machine in my network, but in a way that all ports are accessible.

 

My goal is to setup a Hamachi-like connection where two machines can play LAN-only multiplayer games together. So that means an unknown number of ports will need to pass through to ONE machine only. I do NOT want to give access to my entire network and most importantly not to my server and thereby all of its containers accessible on the same IP, etc...

 

Any ideas or am I going to end up using another solution?

 

Also would love to know if there is a way to whitelist connections, so whilst I know that keys should always be treated with confidentiality it'd be nice to know that unexpected IPs won't even make it to the authentication process.

My setup would be monitored and not remote. I'd always be able to manually whitelist a new IP I expect to connect.

Link to comment
2 hours ago, Glassed Silver said:

Forgive me that I am not reading 17 pages, but maybe someone knows how to do this:

 

I would love to setup a connection from one client to a specific machine in my network, but in a way that all ports are accessible.

 

My goal is to setup a Hamachi-like connection where two machines can play LAN-only multiplayer games together. So that means an unknown number of ports will need to pass through to ONE machine only. I do NOT want to give access to my entire network and most importantly not to my server and thereby all of its containers accessible on the same IP, etc...

From the first post:

Quote

Understand that giving someone VPN access to your LAN is just like giving them physical access to your LAN, except they have it 24x7 when you aren't around to supervise.  Only give access to people and devices that you trust, and make certain that the configuration details (particularly the private keys) are not passed around insecurely. Regardless of the "connection type" you choose, assume that anyone who gets access to this configuration information will be able to get full access to your network. 

 

2 hours ago, Glassed Silver said:

Also would love to know if there is a way to whitelist connections, so whilst I know that keys should always be treated with confidentiality it'd be nice to know that unexpected IPs won't even make it to the authentication process.

There is no provision for this. A hacker can spoof an IP address pretty easily whereas private keys are theoretically impossible to hack or guess.

Link to comment
12 hours ago, L0rdRaiden said:

No, I have scanned the entire 192.168.1.0/24 (ping) and I only see unraid server while I had several devices connected in the same network that has nothing to do with unraid dockers and VMs

Did you re-download the latest client config after making any changes via the Unraid interface?

 

What are the "Allowed IPs" shown on your client?

Link to comment

hello sorry for the bad english, i'm trying 😅

 

I followed the quickstart en first made a connection to my android phone outside my network with 'Remote tunneled access' the connection was ok and i have internet , but the problem was that a connot reach my unraid server  webui trough my danamic dns '####.ddns.me' (ERR_CONNECTION_TIMED_OUT)

 

then i tried it on my desktop PC in my network, also with 'Remote tunneled acces' nothing worked no internet at all, then i used the 'Peer DNS server' option with the adress 8.8.8.8. Then i have internet but i also  cannot reach my unraid server webui trough my danamic dns '####.ddns.me'

Also i cannot reach my SHARES, only internet is working

 

Then i tried 'Remote access to server' and 'Remote access to Lan' 

Both phone and computer (Without 8.8.8.8) has internet but no acces to Shares and the unraid server webui

 

and the strange thing is when i want to go to my router it sais 'internet is blokked'

 

i don't know what i am doing wrong, maby someone can help me?

Link to comment
On 4/1/2020 at 12:25 AM, ljm42 said:

Did you re-download the latest client config after making any changes via the Unraid interface?

 

What are the "Allowed IPs" shown on your client?

yes,

and allowed IP's are 10.253.0.1/32   10.10.10.0/24   192.168.1.0/24

I have added 10.253.0.0/24 just in case and it doesn't work either.

Edited by L0rdRaiden
Link to comment

Join the conversation

You can post now and register later. If you have an account, sign in now to post with your account.
Note: Your post will require moderator approval before it will be visible.

Guest
Reply to this topic...

×   Pasted as rich text.   Restore formatting

  Only 75 emoji are allowed.

×   Your link has been automatically embedded.   Display as a link instead

×   Your previous content has been restored.   Clear editor

×   You cannot paste images directly. Upload or insert images from URL.