ljm42

WireGuard quickstart

On 4/1/2020 at 12:19 AM, ljm42 said:

From the first post:

 

There is no provision for this. A hacker can spoof an IP address pretty easily whereas private keys are theoretically impossible to hack or guess.

I understand that this will not replace certificates, but I want to have this level of control as an additional layer of not peace of mind.

 

This will NOT be on at all times, but only during times that I want to LAN game with someone further away.

 

If a hacker fakes the IP AND has the credentials whilst I am gaming with a friend then good on them, they deserve it....

 

Also I'm thinking of someone taking advantage of the open port and attacking the WG software behind it.

 

 

Regardless of that. Think of my use case as allowing someone access to your guest WiFi, trusting them that much and that you let them use your computer, but you don't want them poking around in your network. Not even by bad intentions, but stumbling upon something.

 

Is my desire to have a remote computer-to-computer ad-hoc connection that illegitimate?

 

I have read the first post, hence my question if there is a way to do it. Because it wasn't answered in the first post. The way I understood it there is a way to expose a container to the outside world through this, but then it's one port only if I understand this correctly.

 

Maybe I'm looking at the wrong approach, in that case I'd be glad to receive any further help. My idea is basically really just to have a self-hosted Hamachi-style ad-hoc connection for games. Low-latency, high reliability, free and open-source. Maybe a different software is the key?

 

I understand obscurity isn't a replacement for security or a means for it. It does help with peace of mind though in addition to traditionally secure mechanisms.

 

I feel the more I explain the more we will get lost in the details though...

 

Again, any pointers at how to approach my goal are super appreciated.

4 hours ago, Glassed Silver said:

Again, any pointers at how to approach my goal are super appreciated.

Your router should be able to restrict what external IP addresses are able to access the port forward.

 

In terms of controlling access to your network, turn on help for the "Local tunnel firewall". I just remembered that feature, haven't ever used it.

 

4 hours ago, Glassed Silver said:

Is my desire to have a remote computer-to-computer ad-hoc connection that illegitimate?

Hmm... if this is your use-case, you might consider installing WireGuard on those two computers and not involving Unraid at all.

On 4/2/2020 at 7:09 AM, adrie said:

I followed the quickstart and first made a connection to my Android phone outside my network with 'Remote tunneled access'. The connection was OK and I have internet, but the problem was that I cannot reach my Unraid server web UI through my dynamic DNS '####.ddns.me'.

What IP address does your ###.ddns.me resolve to? It needs to resolve to the internal IP address of your server.

 

On 4/2/2020 at 7:09 AM, adrie said:

then i tried it on my desktop PC in my network

That won't work. Both sides of the connection need to be on different networks with different IP addresses. 

 

 

Based on everything you said I can't tell if you successfully made a connection or not.

5 hours ago, ljm42 said:

What IP address does your ###.ddns.me resolve to? It needs to resolve to the internal IP address of your server.

I have an account at no-ip.com where I made a hostname and it resolves to my IP at home. I have a Draytek router from my provider; there I port forwarded 51820 to my server's IP address (also in my router I made the dynamic DNS setup).

5 hours ago, ljm42 said:

 

That won't work. Both sides of the connection need to be on different networks with different IP addresses. 

Sorry, very stupid of me 😅

5 hours ago, ljm42 said:

 

 

Based on everything you said I can't tell if you successfully made a connection or not.

On my phone outside the network I have a connection with 'remote tunneled access'; I have internet but I can't reach my server.

On my server I see the activity and the handshake.


Is there currently a way to do an Unraid server to Unraid server connection via the VPN Manager plugin? I would like to sync my server via a VPN to another location.

I managed to get a VPN connection via a Windows VM and the Unraid server, but I can't figure out how to connect to a VPN via the VPN Manager plugin.

12 hours ago, adrie said:

On my phone outside the network I have a connection with 'remote tunneled access'; I have internet but I can't reach my server.

On my server I see the activity and the handshake.

OK that sounds like the tunnel is up.

 

How exactly are you trying to reach your server? Earlier you mentioned this:

Quote

the problem was that I cannot reach my Unraid server web UI through my dynamic DNS '####.ddns.me'

which would be a problem. The DDNS you use for WireGuard is NOT the url you want to use to reach the webgui.

 

Try this:

   http://<internal server ip>

(note: http not https) If you have SSL setup, that will redirect to the SSL host. If you are using Unraid's Let's Encrypt SSL that will work fine, if you are doing something else then you have to deal with making that DNS name work through the tunnel. 

3 hours ago, slize said:

Is there currently a way to do an Unraid server to Unraid server connection via the VPN Manager plugin? I would like to sync my server via a VPN to another location.

I managed to get a VPN connection via a Windows VM and the Unraid server, but I can't figure out how to connect to a VPN via the VPN Manager plugin.

Yes. Rough instructions: setup WireGuard on one server using the "Server to Server access" option, then download the config file and on the other server choose "Import Tunnel"

 

For extra credit you can go all the way and connect the LANs on both side:

https://forums.unraid.net/topic/88906-lan-to-lan-wireguard/

 

9 hours ago, ljm42 said:

Try this:

   http://<internal server ip>

(note: http not https) If you have SSL setup, that will redirect to the SSL host. If you are using Unraid's Let's Encrypt SSL that will work fine, if you are doing something else then you have to deal with making that DNS name work through the tunnel. 

OK yes, sorry, also stupid of me 😅, it works now.

 

On my phone everything works, I can reach the web UI and my shares.

I have connected my laptop through a hotspot of my phone (4G) to test the laptop outside my network. I have internet, I can reach Unraid 😀, only my shares I cannot see or access. Maybe something with the firewall on the laptop?

Posted (edited)
9 hours ago, adrie said:

 

 

On my phone everything works, I can reach the web UI and my shares.

I have connected my laptop through a hotspot of my phone (4G) to test the laptop outside my network. I have internet, I can reach Unraid 😀, only my shares I cannot see or access. Maybe something with the firewall on the laptop?

Great! glad it is working

 

How are you accessing the shares? There will not be name resolution through the tunnel for something like \\tower, you need to use \\<internal server ip>

Edited by ljm42

On 4/5/2020 at 12:04 AM, ljm42 said:

Yes. Rough instructions: setup WireGuard on one server using the "Server to Server access" option, then download the config file and on the other server choose "Import Tunnel"

 

For extra credit you can go all the way and connect the LANs on both side:

https://forums.unraid.net/topic/88906-lan-to-lan-wireguard/

 

Thank you very much for the fast reply! It's working perfectly now.

15 hours ago, ljm42 said:

Great! glad it is working

 

How are you accessing the shares? There will not be name resolution through the tunnel for something like \\tower, you need to use \\<internal server ip>

Thank you very much, everything is working 100% now 😀


Hello

I've installed WireGuard as "VPN tunneled access". The problem is that I can't make any of my torrent clients seed, even though I made a port forward.

Anyone who has done this with success?

 

regards

Posted (edited)

Hi folks,

 

First off, great plugin.  I was able to set this up with minimal headaches.

 

However, I have one issue that I'm hoping to get some help with.

 

My Unraid server has two NICs.  Both in bridge mode:

 

eth0: 192.168.88.0/24

eth1: 192.168.104.0/24

 

I run all of my containers off eth1.

 

For Wireguard, everything works and I'm able to resolve and route to containers, my local router (192.168.88.1) and to containers on the bridge network.

 

However, I'm unable to access any of my devices on the LAN (such as Pihole on 192.168.88.2) from my client.

 

I have my client set up with "Remote Tunnel Access" since I want everything to route through my local net.

 

I'm thinking there is an issue with having both NICs in bridge mode.  When I run a traceroute on my client, it works for everything but the LAN devices, and hangs after hopping to 10.253.0.1.

 

I've attached a screenshot of my route table in Unraid and the traceroute from my client device (Android)

 

Capture.PNG

Screenshot_20200411-092226.png

 

Edit:  I figured this out.  For Allowed IPs on the client side, you should include 0.0.0.0/0, ::0/0 (for IPV6) to make sure Android works and routes all traffic through the tunnel.

Edited by genius384


How does one set this up along with the pihole docker and leverage it while on mobile and away from home?

 

I can connect through Wireguard to my home connection without issue; I block ads while on my home network without issue. 

Posted (edited)
On 3/29/2020 at 6:59 PM, ljm42 said:

Yeah sounds like you've pegged the issue. Using SSL without proper DNS is a bit of a hack, and it won't work unless you can find a way to make your phone resolve the <servername>.local name that you have setup.

 

Your best bet would be to use Unraid's built-in LetsEncrypt client to provide https, as this gives you a DDNS name that will resolve from your phone.

How do I accomplish this? I can't find this built-in LetsEncrypt client.

 

EDIT: OK, I got it working. I did the provisioning and had to disable DNS rebinding for unraid.net and got this all working. I can't use the <hostname>.local anymore but now it redirects my IP automatically. Thank you!

Edited by Ustrombase

2 hours ago, Ustrombase said:

How do I accomplish this? I can't find this built-in LetsEncrypt client.

 

EDIT: OK, I got it working. I did the provisioning and had to disable DNS rebinding for unraid.net and got this all working. I can't use the <hostname>.local anymore but now it redirects my IP automatically. Thank you!

perfect!

On 4/11/2020 at 6:23 AM, genius384 said:

Edit:  I figured this out.  For Allowed IPs on the client side, you should include 0.0.0.0/0, ::0/0 (for IPV6) to make sure Android works and routes all traffic through the tunnel.

This should have happened when you set the client to "Remote Tunnel Access". Would you please re-download the client config file and see what value it has there?


Hello, I am having trouble setting up WireGuard. I have followed the guide in the blog but I cannot connect to it. Furthermore, doing a port scan on the Unraid server shows that the port corresponding to WireGuard is closed. If I run "wg show" in the terminal it shows that WireGuard is listening. I don't know what more to do to troubleshoot it.

 

I have attached images for wireguard settings, network settings, port scan and the terminal output.

 

I hope someone can help me, thanks!

wg.PNG

network settings.PNG

terminal.PNG

port.png

5 hours ago, jorge16 said:

Hello, I am having trouble setting up WireGuard. I have followed the guide in the blog but I cannot connect to it. Furthermore, doing a port scan on the Unraid server shows that the port corresponding to WireGuard is closed. If I run "wg show" in the terminal it shows that WireGuard is listening. I don't know what more to do to troubleshoot it.

The blog post is very high level. Read the first two posts here for more detail. But to answer your specific questions:

 

As mentioned in the "Troubleshooting WireGuard" section, WireGuard fails silently and cannot be detected by a port scanner.

 

If you are trying to connect to it from your own network, that won't work. You need to connect from a remote network that has a different IP range than the network Unraid is on.

 

If it isn't working remotely, then there is likely an issue with the port forward through your router.

 

In general WireGuard connections are very tough to troubleshoot, they either work or they don't.  Read the whole troubleshooting section for more ideas.
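Since a port scanner tells you nothing about a WireGuard listener, the signal worth checking on the server is the per-peer "latest handshake" that `wg show` reports. The script below is an added example, not part of the Dynamix plugin; it parses the tab-separated output of `wg show <iface> dump` (a constructed sample with placeholder keys is embedded) and classifies each peer as up, stale, or never connected, which maps onto the troubleshooting steps above (a peer that has never handshaken points at the port forward or the client being on the same network).

```python
"""Classify WireGuard peers from `wg show <iface> dump` output (added example)."""
from dataclasses import dataclass
from typing import Dict, List

# Constructed sample of `wg show wg0 dump` output; keys are placeholders.
# First line: interface private key, public key, listen port, fwmark.
# Each further line: peer public key, preshared key, endpoint, allowed IPs,
# latest handshake (Unix time, 0 = never), rx bytes, tx bytes, keepalive.
SAMPLE_DUMP = (
    "PRIVKEY_PLACEHOLDER=\tSERVER_PUBKEY_PLACEHOLDER=\t51820\toff\n"
    "PEER1_PUBKEY_PLACEHOLDER=\t(none)\t203.0.113.10:41641\t10.253.0.2/32"
    "\t1700000000\t12345\t67890\t25\n"
    "PEER2_PUBKEY_PLACEHOLDER=\t(none)\t(none)\t10.253.0.3/32\t0\t0\t0\toff\n"
)

# WireGuard rekeys roughly every two minutes, so a handshake older than
# three minutes means the peer has stopped exchanging traffic.
STALE_AFTER_SECONDS = 180

HINTS = {
    "up": "tunnel is up; if LAN hosts are unreachable look at routing/DNS, not the port",
    "stale": "peer was up earlier but stopped handshaking; check the client side",
    "never-connected": "no handshake ever completed; check the router port forward "
                       "and that the client is on a different network than Unraid",
}


@dataclass
class PeerState:
    pubkey: str
    endpoint: str
    latest_handshake: int
    rx_bytes: int
    tx_bytes: int

    def status(self, now: int) -> str:
        if self.latest_handshake == 0:
            return "never-connected"
        if now - self.latest_handshake > STALE_AFTER_SECONDS:
            return "stale"
        return "up"


def parse_dump(text: str) -> List[PeerState]:
    """Parse the peer lines of `wg show <iface> dump`; line one is the interface."""
    peers: List[PeerState] = []
    for line in text.strip().splitlines()[1:]:
        fields = line.split("\t")
        if len(fields) < 8:
            continue  # malformed line: skip rather than crash
        peers.append(PeerState(fields[0], fields[2], int(fields[4]),
                               int(fields[5]), int(fields[6])))
    return peers


def tunnel_report(text: str, now: int) -> Dict[str, str]:
    """Map each peer public key to 'up', 'stale' or 'never-connected'."""
    return {p.pubkey: p.status(now) for p in parse_dump(text)}


if __name__ == "__main__":
    for key, state in tunnel_report(SAMPLE_DUMP, 1700000060).items():
        print(f"{key[:12]}... {state}: {HINTS[state]}")
```

On a live server, feed it the output of `wg show wg0 dump` and the current Unix time instead of the constructed sample.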

On 10/12/2019 at 1:15 PM, ljm42 said:

Complex Networks (updated Feb 20, 2020)

 

The instructions above should work out of the box for simple networks. With "Use NAT" defaulted to Yes, all network traffic on Unraid uses Unraid's IP, and that works fine if you have a simple setup.

However, if you have Dockers with custom IPs or VMs with strict networking requirements, things may not work right (I know, kind of vague, but feel free to read the two WireGuard threads for examples)

 

To resolve:

  • In the WireGuard config, set "Use NAT" to No
  • In your router, add a static route that lets your network access the WireGuard "Local tunnel network pool" through the IP address of your Unraid system. For instance, for the default pool of 10.253.0.0/24 you should add this static route:
    • Network: 10.253.0.0/24 (aka 10.253.0.0 with subnet 255.255.255.0)
    • Gateway: <IP address of your Unraid system>
  • On the Docker settings page, set "Host access to custom networks" to "Enabled". see this:
    https://forums.unraid.net/topic/84229-dynamix-wireguard-vpn/page/8/?tab=comments#comment-808801

 

On 10/12/2019 at 1:15 PM, ljm42 said:

About DNS

 

The 2019.10.20 release of the Dynamix Wireguard plugin includes a "Peer DNS Server" option (thanks @bonienl!)

 

If you are having trouble with DNS resolution on the WireGuard client, return to the VPN Manager page in Unraid and switch from Basic to Advanced mode, add the IP address of your desired DNS server into the "Peer DNS Server" field, then install the updated config file on the client. You may want to use the IP address of the router on the LAN you are connecting to, or you could use a globally available IP like 8.8.8.8

 

This is required for "Remote tunneled access" mode, if the client's original DNS server is no longer accessible after all traffic is routed through the tunnel.

 

If you are using any of the split tunneling modes, adding a DNS server may provide name resolution on the remote network, although you will lose name resolution on the client's local network in the process. The simplest solution is to add a hosts file on the client that provides name resolution for both networks.

Thanks for posting these excellent pieces of information @ljm42 and thanks for the plugin @bonienl

 

I had previously tried to set up WireGuard to replace my OpenVPN setup (running in a separate Ubuntu VM) and I had issues with both the local DNS not resolving and also not being able to access containers that had their own IPs. I think I might have even asked on a different post earlier in the week if anything had been done in this space.

 

Doh.

 

I had missed that the post had been updated. I noticed it this morning and it took me all of 10 mins afterwards to follow the guide and get Wireguard working with my custom IPs on my dockers and local DNS name resolution. I have now retired the Ubuntu VM and have a fully functional Wireguard VPN. Excellent.
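Two points from this thread are easy to get wrong in a client config for "Remote tunneled access": genius384's note that Android needs both 0.0.0.0/0 and ::0/0 in AllowedIPs to route everything through the tunnel, and the "About DNS" section's point that a "Peer DNS Server" is required in that mode because the client's original resolver becomes unreachable. The checker below is an added example, not code from the Dynamix plugin; it parses a WireGuard client .conf (a constructed sample with placeholder keys and a placeholder endpoint is embedded) and reports those problems.

```python
"""Sanity-check a WireGuard client .conf meant for remote tunneled access (added example)."""
import ipaddress
from typing import Dict, List, Tuple

# Constructed client config; keys and endpoint are placeholders, not real values.
REMOTE_TUNNELED_CONF = """\
[Interface]
PrivateKey = CLIENT_PRIVATE_KEY_PLACEHOLDER=
Address = 10.253.0.2/32
DNS = 192.168.1.1

[Peer]
PublicKey = SERVER_PUBLIC_KEY_PLACEHOLDER=
Endpoint = myhost.ddns.example:51820
AllowedIPs = 0.0.0.0/0, ::0/0
PersistentKeepalive = 25
"""

V4_DEFAULT = ipaddress.ip_network("0.0.0.0/0")
V6_DEFAULT = ipaddress.ip_network("::/0")


def parse_wg_conf(text: str) -> List[Tuple[str, Dict[str, str]]]:
    """Minimal INI reader that keeps repeated [Peer] sections (configparser would merge them)."""
    sections: List[Tuple[str, Dict[str, str]]] = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and whitespace
        if not line:
            continue
        if line.startswith("[") and line.endswith("]"):
            sections.append((line[1:-1], {}))
        elif "=" in line and sections:
            key, value = line.split("=", 1)  # base64 keys end in '=', so split once
            sections[-1][1][key.strip()] = value.strip()
    return sections


def check_remote_tunneled(text: str) -> List[str]:
    """Return problems that would leave traffic or DNS lookups outside the tunnel."""
    conf = parse_wg_conf(text)
    iface = next((kv for name, kv in conf if name == "Interface"), {})
    peers = [kv for name, kv in conf if name == "Peer"]
    allowed = set()
    for kv in peers:
        for cidr in kv.get("AllowedIPs", "").split(","):
            if cidr.strip():
                allowed.add(ipaddress.ip_network(cidr.strip(), strict=False))
    problems = []
    if not peers or any("Endpoint" not in kv for kv in peers):
        problems.append("Peer has no Endpoint: the client cannot reach the server")
    if V4_DEFAULT not in allowed:
        problems.append("AllowedIPs lacks 0.0.0.0/0: only listed networks use the tunnel")
    if V6_DEFAULT not in allowed:
        problems.append("AllowedIPs lacks ::/0: Android may not route all traffic")
    if V4_DEFAULT in allowed and not iface.get("DNS"):
        problems.append("DNS not set: original resolver is unreachable once all traffic is tunneled")
    return problems


if __name__ == "__main__":
    print(check_remote_tunneled(REMOTE_TUNNELED_CONF) or "config looks fine")
```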


Is it possible to set up "LAN hub & spoke access" but without the server access?

So that the clients only can communicate over the server acting as a router, but they don't have access to any server-related stuff like web-ui?

Posted (edited)

I repost my question in the correct thread:

 

Edited by ryperx

On 12/14/2019 at 10:57 AM, bonienl said:

Switch to "advanced view" and set "Local server uses NAT" = "Yes".

(If this setting is "No" you will need to add a static route on your router to point back to the WG tunnel)

Thanks for this!
I had everything working except remote access to internet via VPN and this was the piece I was missing.  

On 4/24/2020 at 2:12 PM, Greyberry said:

Is it possible to set up "LAN hub & spoke access" but without the server access?

So that the clients only can communicate over the server acting as a router, but they don't have access to any server-related stuff like web-ui?

I would just have the clients connect to each other directly, no need for Unraid in the middle

Posted (edited)

Hi,

 

I tried to set up WireGuard for the first time yesterday. I went for a 'next, next, finish' setup and only changed 'type of access' to 'Remote Tunneled Access' as mentioned in the blog post about WireGuard.
I did a port forward in my Ubiquiti USG.
Both my phone and Win10 client could connect, but ONLY to the server itself; I could not access the Internet or any other things on my LAN.
I deleted my peers and created new ones with the type of access 'Remote access to LAN'.
Now I could ONLY access things on my LAN, not the Unraid server itself or the Internet.

 

I figured that something had to be wrong, so I uninstalled the plugin and then installed it again.
I created the tunnel and the peers, but this time NONE of my peers can connect to Unraid. It doesn't matter what connection type I use; when activating the client, Unraid says that no clients are connected.
Checking my router, I get a lot of hits on the port forward rule.

 

I have a 'basic' network setup; I do have 4 NICs to spread out some load of VMs and Dockers, but I don't use VLANs.

Eth0 is in bridge mode.

USG DHCP is set on 192.168.1.0/24 and Unraid WireGuard is on the default, I believe 10.253.0.0.

 

So I need some help to set this up.

When a peer connects home, I want to be able to connect to everything on the LAN, use my AdGuard (like a Pi-hole but with a nicer GUI) as DNS, and be able to connect to the Internet.

What should I do?

Edited by lusitopp
spell checking
