WireGuard quickstart


ljm42


2 hours ago, tknx said:

So I am not getting a handshake and I just get a little bit of data transfer. Wireguard and UniFi settings here - would love to know what is wrong. My dynamic DNS works fine for other purposes.


Is this your first attempt at a connection? You are jumping all the way into the deep end :)

Take it a step at a time and get a basic connection going before you start messing with a local DNS server. You need to isolate what is a WireGuard connection problem from a routing problem.

Speaking of routing, there is a typo in your static route. It should be 10.253.0.0/24, not 10.0.253.0/24.

I don't use IPv6. It may help to disable IPv6 initially just to rule out issues.

@ljm42 Thanks for the tips - I did have it working before but had to set everything up again.

So I turned off IPv6 and fixed that typo, and now I don't even get those bits. I noticed that it is randomizing the listen port on my phone every time I connect - is that supposed to happen? Or should that be 51820?
7 minutes ago, tknx said:

@ljm42 Thanks for the tips - I did have it working before but had to set everything up again.

So I turned off IPv6 and fixed that typo, and now I don't even get those bits. I noticed that it is randomizing the listen port on my phone every time I connect - is that supposed to happen? Or should that be 51820?

The listen port on the phone doesn't matter.

I'd suggest dropping the DNS and changing to "Remote access to LAN", and seeing if you can get that working. Basically, make it as simple as possible until you get a connection working, then start adding things in.

Be sure to read the general troubleshooting tips in the first two posts as well.
18 hours ago, tknx said:

I am not getting a handshake

I am experiencing exactly the same problem. It worked for a while; some time ago I changed something (unRAID update? Can't remember) and it never worked again. I have deleted it and set it up from scratch, removed the plug-in, reinstalled and configured it, removed it again and deleted the files from flash, and set it up from scratch following the guide and Spaceinvader One's video. It never handshakes, and I can never see the server when connecting from my phone's cellular connection. Set up as "Remote access to server".

One other odd thing is if I change the connection type to "Remote access to LAN" then it recommends the wrong IP range when setting up my peer, but sees the right range in the port forwarding comment. Highlighted in red, port forward to x.x.10.x, static router

Any ideas what I can try next? Desired end state is to be able to access the locally running containers and ports, as well as dedicated IPs for local VMs and other machines on the LAN.

Thanks.

This is just feedback for the guys.

I totally love the WG VPN. Best part is that it runs independently of the status of the array. Before that, I had VPN dockers, which required the array to be started. I just had a power outage and thus my Unraid rebooted and required me to manually start the array. And I could do that thanks to WG.

The only issue I have is with the Windows client, which required rebooting and manual edits of the config to get it working. And the log is useless; it says everything started, but it never got to handshake. Hopefully this will get resolved quickly by the WG devs.

@ljm42 and others: A bit of a bug report here:

So recently I lost all network connectivity outside of the Unraid web portal and some internal addressing on my Unraid server. I couldn't ping other websites from the server (either by name or IP address), etc. Often it would manage to get something slowly using IPv6, but couldn't get IPv4 to work.

Finally noticed that it was pinging from 10.253.0.1. Somehow WireGuard's network had taken over the server's network stack and was screwing everything up. Deactivating it seemed to fix all my networking issues.

Logs in this thread:

Hi,

I have WireGuard remote tunneled access up and running and it works beautifully. However, how can I configure the WireGuard client so that it would not use the tunnel for local addresses (192.168.1.0/24)? I thought that it would have been discussed already but I didn't find it. So, is there a way to exclude the local packets from being sent to the tunnel? The client is a Windows 10 computer.

Any help very much appreciated, thank you!

>>>

Found a solution (kind of) with more googling. Seems that it is a WireGuard Windows client issue.

https://williamjshipman.wordpress.com/2019/12/31/wireguard-vpn-on-windows/
9 hours ago, ptr78 said:

Hi,

I have WireGuard remote tunneled access up and running and it works beautifully. However, how can I configure the WireGuard client so that it would not use the tunnel for local addresses (192.168.1.0/24)? I thought that it would have been discussed already but I didn't find it. So, is there a way to exclude the local packets from being sent to the tunnel? The client is a Windows 10 computer.

Any help very much appreciated, thank you!

>>>

Found a solution (kind of) with more googling. Seems that it is a WireGuard Windows client issue.

https://williamjshipman.wordpress.com/2019/12/31/wireguard-vpn-on-windows/

I'd suggest taking a closer look at the options described in the first post of this thread.

The only option that would route all of the client's traffic through the tunnel is the "remote tunneled access" option. If you choose one of the other options, such as "remote access to LAN", then it uses split-tunneling and only traffic destined for Unraid's network would go through the tunnel.

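As an added illustration of the split-tunnel versus full-tunnel point above (example code written for this thread, not part of the Unraid plugin or the WireGuard client): a small Python check that parses a client config's AllowedIPs and reports whether a given host, or the whole local LAN, would be sent into the tunnel. Both configs, their keys, endpoint and addresses are constructed placeholders; the tunnel subnet 10.253.0.0/24 is the default mentioned in the thread.

```python
import ipaddress
from typing import List, Union

Net = Union[ipaddress.IPv4Network, ipaddress.IPv6Network]

# Constructed "remote tunneled access" style client config (hypothetical values).
# Keys, endpoint and addresses are placeholders; only AllowedIPs decides routing.
FULL_TUNNEL = """[Interface]
PrivateKey = <client-private-key>
Address = 10.253.0.2/32
DNS = 10.253.0.1

[Peer]
PublicKey = <server-public-key>
Endpoint = vpn.example.com:51820
AllowedIPs = 0.0.0.0/0, ::/0
"""

# Constructed "remote access to LAN" style config: only the tunnel subnet and
# the server's LAN (192.168.10.0/24 assumed here) are routed into the tunnel.
SPLIT_TUNNEL = FULL_TUNNEL.replace(
    "AllowedIPs = 0.0.0.0/0, ::/0",
    "AllowedIPs = 10.253.0.0/24, 192.168.10.0/24",
)


def allowed_ips(conf: str) -> List[Net]:
    """Collect every network listed under AllowedIPs in any [Peer] section."""
    nets: List[Net] = []
    for line in conf.splitlines():
        key, _, value = line.partition("=")
        if key.strip() == "AllowedIPs":
            nets += [ipaddress.ip_network(n.strip()) for n in value.split(",") if n.strip()]
    return nets


def routed_via_tunnel(conf: str, host: str) -> bool:
    """True if WireGuard's cryptokey routing would send traffic for `host` into
    the tunnel, i.e. the address falls inside some AllowedIPs entry."""
    addr = ipaddress.ip_address(host)
    return any(addr.version == n.version and addr in n for n in allowed_ips(conf))


def lan_bypasses_tunnel(conf: str, lan_cidr: str) -> bool:
    """True if no address of the local LAN is claimed by AllowedIPs, so local
    traffic keeps leaving via the physical interface (a real split tunnel)."""
    lan = ipaddress.ip_network(lan_cidr, strict=False)
    return not any(lan.version == n.version and lan.overlaps(n) for n in allowed_ips(conf))


if __name__ == "__main__":
    for name, conf in (("full", FULL_TUNNEL), ("split", SPLIT_TUNNEL)):
        print(name, "tunnels 192.168.1.20:", routed_via_tunnel(conf, "192.168.1.20"),
              "| 192.168.1.0/24 bypasses tunnel:", lan_bypasses_tunnel(conf, "192.168.1.0/24"))
```

Running it on a real client config (any AllowedIPs line is picked up) shows at a glance whether the "local addresses go down the tunnel" symptom is simply a 0.0.0.0/0 entry rather than a client bug.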
16 hours ago, Jeffarese said:

Is there any way to route only specific docker containers through WireGuard while keeping the rest of the traffic normal?

It is possible in theory but we haven't figured it out yet. This is the thread you are looking for:
On 5/6/2020 at 8:04 AM, klogg said:

One other odd thing is if I change the connection type to "Remote access to LAN" then it recommends the wrong IP range when setting up my peer, but sees the right range in the port forwarding comment. Highlighted in red, port forward to x.x.10.x, static router

Perhaps you inadvertently changed your network settings? Post a screenshot of what you see on Settings -> Network

On 5/19/2020 at 11:31 PM, ljm42 said:

Perhaps you inadvertently changed your network settings? Post a screenshot of what you see on Settings -> Network

@ljm42, thanks for replying. Just this morning I had a chance to dig back in and figure it out. I don't know why it broke, but this is how I fixed it (for posterity, in case others have a similar problem).

1) I found this post referencing how to delete wg0 from the network config.

Quote

ifconfig still showed my br0 and wg0 configs. [Typing this in the terminal removed the unwanted old interface.]

ip link delete wg0

2) This following post from yourself identified the right config files to purge. I did this.

Quote

The files are in /boot/config/wireguard/ . If you delete those files and reboot then you can start fresh.

3) Reboot.

4) Follow the guide on the unRAID blog.

5) Add a DNS entry, because any non-local URLs failed to load.

Boom, back in business! Appreciate the reply, and all your efforts throughout this thread; it got me where I was going.

/klogg

Ok I was absolutely ripping my hair out the last few days. I had a WireGuard tunnel set up that was working last week, and it stopped unexpectedly. We had a power outage Sunday night and I've been haphazardly banging away at this whenever I get some time ever since. The UPS worked and Unraid shut down gracefully. The rest of the network stayed up on the UPS and was still running when the power came back on, so my pfSense router/firewall never rebooted.

With WireGuard tunneled to the Unraid server I was able to access local network resources if I connected to them by IP address, but anything accessed with a domain name was broken. My DNS requests to the local DNS Resolver were being refused and I couldn't figure out why, because there was NOTHING about refused requests in the router logs and everything on the local LAN was still working, including remote access through OpenVPN to the router directly. If I set the Peer DNS to something on the greater internet I could tunnel access internet things by domain, but local stuff was still broken. I've been absolutely pulling my hair out ever since and I FINALLY figured it out. It doesn't make sense to me why it was working before then broke when nothing in any relevant configuration should have changed (last update/restart for pfSense was several weeks ago. It's been rebooted since then because things were borked, but an update/restart shouldn't have been the cause). Here's my solution if anyone else stumbles on this with the Googler :: in pfSense -> Services -> DNS Resolver -> Access Lists create a new ALLOW access list for your WireGuard Peer Endpoint IP block (192.168.8.0/24 for me, yours likely still the default 10.253.0.0/24). I previously had no access lists defined and everything was working. I don't get it, but I'm just happy to finally be able to access LAN resources by name again and use my local DNS server when tunneled in.

Just sharing some knowledge if anyone else is ever being driven crazy by this.

I seem to have accidentally added some extra tunnels in the WireGuard config and do not have a way to delete them that I can see.

WG0 is deletable as shown below but is not the issue:

There is no delete button for the other two tunnels that were created accidentally that I want to remove:

I have looked in network settings and WG1 and WG2 are not there to delete either.

Another strange issue I am having is when I disconnect the WireGuard VPN, the Unraid interface doesn't seem to get the memo:

In the picture above I test connected for about 20 seconds. After disconnect, it just keeps adding connected time. What made me notice this issue was that I had not logged into my Unraid server for about 4 days (small vacation), and there were 4 days of WireGuard uptime when I hadn't been connected but for a few minutes and then shut it off. Any advice would be appreciated on these 2 small issues. Thanks in advance!
On 5/28/2020 at 1:20 PM, danktankk said:

I seem to have accidentally added some extra tunnels in the wireguard config and do not have a way to delete them that I can see.

Have you tried deleting the wgX.conf file from the /config/wireguard folder on the flash drive?

On 5/28/2020 at 12:20 PM, danktankk said:

There is no delete button for the other two tunnels that were created accidentally that I want to remove:

Move the slider from "basic" to "advanced", that will enable the "delete tunnel" button.

5 minutes ago, ljm42 said:

Move the slider from "basic" to "advanced", that will enable the "delete tunnel" button.

This does not happen in my case as shown by the pictures submitted above in my original post.  The delete option is indeed there for WG0, but not for the other two that i would like to remove.  Thank you for the reply.

1 minute ago, danktankk said:

This does not happen in my case as shown by the pictures submitted above in my original post.  The delete option is indeed there for WG0, but not for the other two that i would like to remove.  Thank you for the reply.

Your screenshot shows each of those tunnels are still in "basic" mode.
