WireGuard quickstart


ljm42

Recommended Posts

4 minutes ago, SpaceInvaderOne said:


 

.................but............lol   shouldn't you have asked that before setting it up ! 😉

 

Its probably 101% securer then RDP.. :D

 

But iw as too early, i can connect, but the internet traffic still goes over mobile, also i cant reach local adresses, ive read the whole post, i checked all things mentioned, will try later agian and report back.

 

Does WireGuard give an error on android if it cant connect? Bc it seems to work (that little key is in the "taskbar")

Edited by nuhll
  • Like 1
Link to comment
5 minutes ago, nuhll said:

But iw as too early, i can connect, but the internet traffic still goes over mobile, also i cant reach local adresses, ive read the whole post, i checked all things mentioned, will try later agian and report back.

Set the peer type to remote tunneled access rather than remote access to server. (but you must add the peer tunnel address)

  • Thanks 1
Link to comment
37 minutes ago, SpaceInvaderOne said:

Set the peer type to remote tunneled access rather than remote access to server. (but you must add the peer tunnel address)

Sorry what exactly is peer tunnel address? Is it unraid? Is it a free client ip for the mobile? 

 

edit: ive set it now to 10.253.0.10 - but i dont know what im doing :D

Edited by nuhll
  • Like 1
Link to comment
1 minute ago, RockDawg said:

I can get it working using my WAN IP without any problem but I can't seem to get it to work with my DDNS url.

R u sure your dns points to the correct IP? :D (and unraid also see the correct ip, try ping your dns via unraid terminal)

Edited by nuhll
  • Like 1
Link to comment

Turns out the problem was that I use CloudFlare for DDNS and they have proxy turned on by default.  The IP address that was showing in ping was their proxy for my my IP.  I disabled the proxy on that particular CNAME and WireGuard works fine now with my DDNS url.

 

Thanks for the ping suggestion nuhll!  

Edited by RockDawg
Link to comment

great work, I've been waiting for wireguard support for some time, as I am using a mobile router that has support for it baked in.

Three quick questions though:

  1. is it a good Idea to run the server natively on the host OS?
    I know that the support in the kernel is needed, but I'd rather have the work part moved to a Docker, for example
  2. adding to top 1, I'd also prefer to run the VPN traffic in a separate VLAN and let my router do its thing.
    How can I achive this on the host OS?
  3. somewhat into off-topic, but is there a wireguard server distro I can run separately and use the client side on unRAID only?

Thanks in Advance for your support!

 

geetz,

ford

Link to comment

well i was able to crash unraid 6.8 (not able to ping or access gui through my socks proxy at work)  i use the command line on another unraid server to try and ping the 6.8 one and it wont respond. here is what i did

I have Remote to Lan set up with two peers (iphone and a laptop with fedora 30 workstation) for allowed IP's it had the default for the tunnel 10.253.0.1 and my home LAN 10.0.0.0/24 I added my IoT VLAN subnet to the iPhone peer 10.0.107.0/24 and hit apply its crashed hard lol...im going to remotely power cycle it and hope it recovers if i can see diagnostics on the flash drive or can recreate it from home ill post diagnostics

I would also like to ask if there is a way to disable wireguard from auto starting up if my config is the problem and preventing my gui and IP from being pingable on my LAN

Edited by Can0nfan
asking for autostart assitance
Link to comment

yeah i think the auto start of wireguard with that config is breaking my unraid now, when i pop the power off via a smart plug and power it back up i get one ping then it dies any way to remove wireguard from the USB to reboot without it and set up wireguard from scratch?

Link to comment

i will try booting to safe mode when i get home to remove the wireguard plugin to reboot normally hopefully then ill re-install it.

 

@ljm42 is there anywhere in the USB boot drive the wireguard config file resides after its plugin is removed that i should remove so my system will start up normally?

Link to comment

ok a wee bit of a pain to fix....booted to safe mode and removed the plugin and its folder dynamix.wireguard and dynamix.wireguard.plg

 

and reboot and my server still wasnt pingable. i went to etc/ and saw a wireguard@ file that i removed. stil no fix.

 

ifconfig still showed my br0 and wg0 configs.  as soon as i typed "ip link delete wg0" i could ping the server again

 

so far everything is back up with new VPN setup and not pushing the IoT Vlan subnet to wireguard anymore

Link to comment

Hi, sorry was offline this afternoon and won't be on much tomorrow either.

 

4 hours ago, Can0nfan said:

is there anywhere in the USB boot drive the wireguard config file resides

Yes, the files are in /boot/config/wireguard/ . If you delete those files and reboot then you can start fresh. Sorry you had to go through all that.

 

6 hours ago, blackrabbit said:

I checked a wrong box when I was forwarding the port.. smh... all working. 

Glad you got it working!

 

So this is where the "undetectable to bad guys" part of wireguard is tough, it makes it super hard to troubleshoot. 

Link to comment
7 hours ago, Ford Prefect said:
  1. is it a good Idea to run the server natively on the host OS?
    I know that the support in the kernel is needed, but I'd rather have the work part moved to a Docker, for example
  2. adding to top 1, I'd also prefer to run the VPN traffic in a separate VLAN and let my router do its thing.
    How can I achive this on the host OS?
  3. somewhat into off-topic, but is there a wireguard server distro I can run separately and use the client side on unRAID only?

1. We wanted a solution that works *before* the array is started, that means not a docker or a VM.

2 & 3. I'd suggest running WireGuard on a raspberry pi. Then you can complicate your network as much as you want without affecting Unraid :) 

  • Like 1
Link to comment
7 hours ago, nuhll said:

Sorry what exactly is peer tunnel address?

Go to Settings -> VPN Manager and switch from basic to advanced mode and look at the settings for your server, you'll see a "local tunnel network pool". It will be something like 10.253.0.0/24.  All devices in this tunnel get their own unique tunnel address, from 10.253.0.1 to 10.253.0.253. Unraid manages this for you automatically, except for the bug that has been reported when using "remote tunneled access". Until that is fixed, you can pick any IP from 10.253.0.1 to 10.253.0.253, as long as it isn't already assigned to another client on this page.

Link to comment

Got this working perfectly on my android phone with remote tunneled access. One thing i noticed, by default wireguard doesn't use the routers dns. So if your using diversion on an asus router or a pihole then your dns settings will need to be added to the wireguard app. After that adblocking works perfectly.

 

Great work on this new feature :)

Edited by esoteradactyl
Link to comment

The WireGuard function has no knowledge at all about DNS settings of the peer(s). Consequently these are left out of the peer configuration, but can be manually added on the peer (phone, laptop, etc) once the configuration is loaded.

 

At the server side the DNS entries of the server itself are taken.

 

Link to comment
  • itimpi pinned this topic

Join the conversation

You can post now and register later. If you have an account, sign in now to post with your account.
Note: Your post will require moderator approval before it will be visible.

Guest
Reply to this topic...

×   Pasted as rich text.   Restore formatting

  Only 75 emoji are allowed.

×   Your link has been automatically embedded.   Display as a link instead

×   Your previous content has been restored.   Clear editor

×   You cannot paste images directly. Upload or insert images from URL.