WireGuard quickstart

ljm42

10 minutes ago, ljm42 said:

Your screenshot shows each of those tunnels are still in "basic" mode.

You are absolutely correct.  I did not realize that advanced mode for each tunnel needed to be turned on.  My oversight completely.  Thank you very much for pointing out my error.  This effectively solved the issue.  

Edited by danktankk

Do you have any insights as to why UNRAID is hanging when I close a tunnel in the second half of my issue with WireGuard? I hope it is as easy as the first solution.

[screenshot]

This is still open days later after closing the connection.

Edited by danktankk
1 minute ago, danktankk said:

Do you have any insights as to why UNRAID is hanging when I close a tunnel in the second half of my issue with wireguard?  I hope it is as easy as the first solution.

Hmm... I don't see anything about Unraid hanging in your other post?

8 minutes ago, ljm42 said:

Hmm... I don't see anything about Unraid hanging in your other post?

Another strange issue I am having is when I disconnect WireGuard VPN, the Unraid interface doesn't seem to get the memo:

[image didn't copy over, but it's in my original post]

In the picture above I test connected for about 20 seconds. After disconnect, it just keeps adding connected time. What made me notice this issue was that I had not logged into my Unraid server for about 4 days (small vacation), and there was 4 days of WireGuard uptime when I hadn't been connected but for a few minutes and then shut it off. Any advice would be appreciated on these 2 small issues. Thanks in advance!

This is from the original post I made a few posts up.

Edited by danktankk
13 minutes ago, danktankk said:

Another strange issue I am having is when I disconnect WireGuard VPN, the Unraid interface doesn't seem to get the memo:

In the picture above I test connected for about 20 seconds. After disconnect, it just keeps adding connected time. What made me notice this issue was that I had not logged into my Unraid server for about 4 days (small vacation), and there was 4 days of WireGuard uptime when I hadn't been connected but for a few minutes and then shut it off. Any advice would be appreciated on these 2 small issues. Thanks in advance!

21 minutes ago, danktankk said:

Do you have any insights as to why UNRAID is hanging when I close a tunnel in the second half of my issue with wireguard?  I hope it is as easy as the first solution.

OK, typically when people say "hang" they mean their system doesn't respond when they try to access it. That doesn't sound like the issue here.

If you refresh the page what happens? Does the uptime continue to increase?

SSH to the server and type "wg show". What does it say the uptime is?

P.S. It is late here, I will try to respond again in the morning.

Edited by ljm42
1 hour ago, danktankk said:

After disconnect, it just keeps adding connected time

As long as you keep the WG tunnel in active state on the Unraid server, it is not really disconnected.

This is also the reason why the time is incremented, because it will tell exactly when the last exchange has occurred.

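A way to see what "wg show" is really reporting, added here as an example that is not from the thread or from Unraid: it parses the machine-readable `wg show <iface> dump` output (a constructed sample is embedded, with placeholder keys) and flags each peer by the age of its last handshake, which is the timestamp the UI's "connected time" is counting from. The 180 s threshold and the wg0 interface name are my assumptions.

```shell
# Constructed sample of `wg show wg0 dump` (tab-separated). Line 1 is the
# interface; each further line is a peer: pubkey, preshared-key, endpoint,
# allowed-ips, latest-handshake (unix time, 0 = never), rx, tx, keepalive.
SAMPLE_DUMP=$(printf '%s\t%s\t%s\t%s\n' \
    'PRIVATE_KEY_PLACEHOLDER=' 'SERVER_PUBKEY_PLACEHOLDER=' 51820 off
  printf '%s\t%s\t%s\t%s\t%s\t%s\t%s\t%s\n' \
    'PHONE_PUBKEY_PLACEHOLDER=' '(none)' '203.0.113.10:41641' '10.253.0.2/32' 1593100000 123456 654321 off
  printf '%s\t%s\t%s\t%s\t%s\t%s\t%s\t%s\n' \
    'LAPTOP_PUBKEY_PLACEHOLDER=' '(none)' '198.51.100.7:51820' '10.253.0.3/32' 1592754400 9876 5432 off
  printf '%s\t%s\t%s\t%s\t%s\t%s\t%s\t%s\n' \
    'BACKUP_PUBKEY_PLACEHOLDER=' '(none)' '(none)' '10.253.0.4/32' 0 0 0 off)

# Print "<allowed-ips> <seconds since last handshake> <ACTIVE|STALE>" per peer.
# Threshold is my assumption: WireGuard rejects a session that has not
# re-handshaked within 180 s, so an older handshake means the peer is idle or
# gone even though the Unraid UI still shows the tunnel itself as active.
wg_peer_status() {
  dump=$1
  now=$2
  printf '%s\n' "$dump" | awk -F'\t' -v now="$now" -v limit=180 '
    NR == 1 { next }                           # skip the interface line
    $5 == 0 { print $4 " never STALE"; next }  # peer has never handshaked
    {
      age = now - $5
      print $4 " " age " " (age <= limit ? "ACTIVE" : "STALE")
    }'
}

# On a live host (wg0 is an assumption):
#   wg_peer_status "$(wg show wg0 dump)" "$(date +%s)"
```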

I can't get UPnP working.

UPnP set to on in router.

Set to Yes in "Management Access" and "VPN Manager".

In VPN Manager on the Local Endpoint line I get "UPnP: tunnel is inactive".

I even tried installing Merlin on my ASUS RT AC 68U router but still same result.

Any solution to this?

[screenshot: ASUS router, "UPnP: tunnel is inactive" marked in red]
7 hours ago, Alexander said:

In VPN Manager on Local Endpoint line i get "UPnP: tunnel is inactive"

It doesn't look like you've started the tunnel, try changing the "inactive" slider to "active".

If you haven't had a chance to read it, the first post of this thread contains step-by-step instructions.

I've tried setting this up for a couple of hours now and I can't for the life of me get it to work, so help would be greatly appreciated.
I'm running a UDM router, the ports are open but since I didn't get that to work I enabled UPnP. DNS is working.
Setup tested with a P30 Pro, WireGuard Android app, added connection with the use of a QR code. Running on a 4G connection.
This is what the setup in unRAID looks like:

[screenshot: unRAID VPN Manager settings]

Edited by Davegtl
18 hours ago, Davegtl said:

I've tried setting this up for a couple of hours now and I can't for the life of me get it to work

Troubleshooting WireGuard is tough because it either works or it doesn't, and when it fails it fails quietly so there aren't any hints as to what the problem is.

I don't see anything obviously wrong, best I can do is recommend that you go through the troubleshooting steps in the second post.

Hey there,

I'm using WireGuard as an always-on VPN on my phone now since a couple of months. Worked like a charm!

I used the quick-start manual for setting it up.

At least, without any changes I'm getting into trouble as I cannot reach any devices on my local network.

I can access the internet through this connection, but not my local devices such as pihole etc.

For the client side, "Peer type of access: Remote tunneled access" is the right one, or?

[screenshot]

I am really struggling with this one and must have read through this entire thread 3 times now.

Here is what I have so far:

  • Local server uses NAT: No
  • Local endpoint: my external IP : 51820
  • Peer type of access: Remote tunneled access
  • All local tunnel/peer settings are defaults
  • My docker config is set to allow host access to custom networks
  • The docker IPv4 custom network I have uses the same subnet
  • I forwarded port 51820 to my unraid server internal IP
  • I added a static route in my router:
    • Destination IP: 10.253.0.0
    • IP Subnet Mask: 255.255.255.0
    • Gateway IP: unraid internal ip address
    • Metric: 2 (No idea what this is for and Netgear's help is not helpful - supposedly this is supposed to be the number of routers on the network?)

Now, when I try to ping 10.253.0.1 with the command line it works:

PING 10.253.0.1 (10.253.0.1): 56 data bytes
64 bytes from 10.253.0.1: icmp_seq=0 ttl=64 time=1.303 ms
64 bytes from 10.253.0.1: icmp_seq=1 ttl=64 time=2.949 ms
64 bytes from 10.253.0.1: icmp_seq=2 ttl=64 time=2.096 ms
64 bytes from 10.253.0.1: icmp_seq=3 ttl=64 time=2.886 ms
64 bytes from 10.253.0.1: icmp_seq=4 ttl=64 time=3.213 ms
64 bytes from 10.253.0.1: icmp_seq=5 ttl=64 time=2.095 ms

When I try to ping 10.253.0.2 I get "Destination Host Unreachable" errors but I can also see that the errors show that the Redirect Host is going to my unraid server IP.

I tried connecting with both my iPhone and the macOS WireGuard app and both show the 5 second timeout handshake error.

Anyone have any suggestions? I feel like I have to be missing something obvious.

EDIT: I completely forgot about my piece of hot garbage AT&T Pace gateway for my fiber connection. Since AT&T's firmware update broke DMZ+ mode a year ago (still not fixed) I had most ports opened to my Netgear router... but the range ended at 50999 since AT&T has a few service ports reserved above that. I changed my WireGuard port to something in range of what I forwarded and it worked without a hitch.

However, how do I access both my LAN and the internet at the same time on the VPN? Do I need to select a different "peer type of access"?

EDIT2:

- Remote tunneled access = LAN access + no interwebs on device I'm using to VPN in

- Remote access to LAN = LAN access + interwebs

Edited by johnsanc
On 6/8/2020 at 7:24 PM, johnsanc said:

I completely forgot about my piece of hot garbage AT&T Pace gateway for my fiber connection.

Glad you got it working, that is not something I would have thought of :)

On 6/8/2020 at 7:24 PM, johnsanc said:

- Remote tunneled access = LAN access + no interwebs on device I'm using to VPN in

- Remote access to LAN = LAN access + interwebs

"Remote tunneled access" pushes all of your client's traffic through the tunnel, including DNS requests. I'd guess you are having DNS resolution issues, see the "About DNS" section of the first post.

"Remote access to LAN" uses split tunneling, where only traffic destined for Unraid and its LAN go through the tunnel. All other traffic uses the client's default network stack.
On 6/7/2020 at 1:49 AM, Toobie said:

I cannot reach any devices on my local network.

I can access the internet though this connection, but not my local devices as pihole etc.

Are you trying to access the LAN devices by name or IP? You haven't specified a Peer DNS server, so you will need to access the devices by IP address. See the "About DNS" section of the first post.


I tried adding my router IP and 8.8.8.8 to the Peer DNS Server and it did not allow me to access anything aside from my LAN when using "Remote Tunneled Access". Any idea what the issue could be?

EDIT:

Apparently if I use NAT then I can access the internet using Remote Tunneled Access. Is there a way to make that work without the NAT setting set to "Yes"?

Edited by johnsanc
On 6/10/2020 at 7:39 PM, johnsanc said:

I tried adding my router IP and 8.8.8.8 to the Peer DNS Server and it did not allow me to access anything aside from my LAN when using "Remote Tunneled Access". Any idea what the issue could be?

EDIT:

Apparently if I use NAT then I can access the internet using Remote Tunneled Access. Is there a way to make that work without the NAT setting set to "Yes"?

Sorry, I can't think of anything. The static route you added on the router should have allowed the tunnel to work with NAT disabled.
On 6/11/2020 at 2:20 AM, ljm42 said:

Are you trying to access the LAN devices by name or IP? You haven't specified a Peer DNS server, so you will need to access the devices by IP address. See the "About DNS" section of the first post.

I'm using IP all the time, my internal DNS server is a pihole server.
5 hours ago, Toobie said:

I'm using IP all the time, my internal DNS server is a pihole server.

Change the slider from Basic to Advanced, then on the "Local server uses NAT" line there is a comment telling you what static route needs to be set up in your router. There are more details in the "Complex Networks" portion of the first post of this thread. This can help whether you have "Use NAT" set to yes or no, particularly if the "devices" you are trying to reach are hosted on Unraid.
  • 2 weeks later...

Is WireGuard supposed to just stop the tunnel and leave it stopped when adding a new peer or making any changes at all, really?

I set up WireGuard remote access to LAN for my phone and PC, no problem, super easy as advertised.

I'm connected over WireGuard managing Unraid and I go to add a peer, hit apply and the Unraid webui stops working because the tunnel has been stopped:

Jun 25 09:41:05 Node wireguard: Tunnel WireGuard-wg0 stopped

Jun 25 09:43:20 Node webGUI: Successful login user root from xxx.xxx.xxx.xxx

Jun 25 09:43:24 Node wireguard: Tunnel WireGuard-wg0 started

Thankfully I have other remote access methods to this server so I was able to go in and restart the tunnel, but I don't see how this could be by design... shouldn't it be able to gracefully roll the connection?

I'll make a new thread if this is unexpected behavior where troubleshooting can be done.

EDIT: just got kicked again just trying to change the connection type for a peer that isn't even in use currently. It just stopped the tunnel and left it off...

EDIT2: it sounds like depending on how peers are added, active session interruption could be avoided: https://manpages.debian.org/unstable/wireguard-tools/wg.8.en.html#COMMANDS:~:text=syncconf

EDIT3: I am just so utterly lost on how to make my main server talk to my backup server directly over WireGuard. I currently have SSH and rsync running a monthly backup of my data, I would like to stop leaving SSH open to the net but I can't get server to server or remote access to server to work to save my life.

I followed your "rough instructions" of setup server to server on one and import on the other, but now I have a second tunnel I don't really want. Do I have to have a second tunnel for this to work? Can I not just add the server as a peer to my existing tunnel with my phone and home PC?

I got server to server working, still not sure if a second port forward and tunnel was required or not, but at least the Chinese will stop spamming my logs with SSH brute force attempts (key based auth only, so it is more aesthetic than a real security concern).

Edited by weirdcrap
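As an added example of the syncconf approach weirdcrap links (not the thread's own code, nor Unraid's): the reload first strips the wg-quick-only keys the way `wg-quick strip` does, implemented in awk here so it can be checked against a constructed config offline, and then applies the result with `wg syncconf`, which leaves unchanged peers' sessions alone instead of tearing the interface down. The config path is an assumption.

```shell
# Constructed wg-quick style config (placeholder keys, not real material).
SAMPLE_CONF='[Interface]
PrivateKey = PRIVATE_KEY_PLACEHOLDER=
Address = 10.253.0.1/24
ListenPort = 51820
PostUp = echo "tunnel up"

[Peer]
PublicKey = PHONE_PUBKEY_PLACEHOLDER=
AllowedIPs = 10.253.0.2/32'

# Drop the keys that only wg-quick understands; `wg syncconf` rejects a file
# that still contains them ("Line unrecognized"). Same effect as
# `wg-quick strip <iface>`, written out so the filtering is visible.
strip_wgquick_keys() {
  awk '
    { key = tolower($0); sub(/^[ \t]+/, "", key) }
    key ~ /^(address|dns|mtu|table|preup|postup|predown|postdown|saveconfig)[ \t]*=/ { next }
    { print }'
}

# Push /etc/wireguard/<iface>.conf (path is an assumption) into the running
# interface. Unlike `wg-quick down && wg-quick up`, peers whose entries did not
# change keep their current session, so a management connection over the
# tunnel survives the edit.
wg_reload_in_place() {
  iface=$1
  tmp=$(mktemp) || return 1
  strip_wgquick_keys < "/etc/wireguard/$iface.conf" > "$tmp" &&
    wg syncconf "$iface" "$tmp"
  rc=$?
  rm -f "$tmp"
  return "$rc"
}
```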
On 6/25/2020 at 7:56 AM, weirdcrap said:

I'm connected over wireguard managing unraid and I go to add a peer, hit apply and the unraid webui stops working because the tunnel has been stopped:

I'm looking into this. To clarify, what browser on what device are you using when you do this?

From my testing, it appears to be a browser issue. When I press the Apply button using Chrome on Android, the tunnel stops but does not start back up. If I use Chrome on Windows it works fine. In either case, it does not matter whether I am connected via WireGuard or direct via wifi.

Can you confirm that you see the same?
On 6/28/2020 at 5:54 PM, ljm42 said:

I'm looking into this. To clarify, what browser on what device are you using when you do this?

From my testing, it appears to be a browser issue. When I press the Apply button using Chrome on Android, the tunnel stops but does not start back up. If I use Chrome on Windows it works fine. In either case, it does not matter whether I am connected via WireGuard or direct via wifi.

Can you confirm that you see the same?

For me it is somewhat different.

It is 100% reproducible with Chrome (currently version 83.0.4103.116 (64-bit)) on Windows 10 v1909, the tunnel goes down and stays down.

I just tried with Chrome on my Android (Pixel 3A XL w/ Android 10) over LTE and it also brought down the tunnel and did not restart it.

The first set of stop/start is me on Windows 10 adding a test peer then logging in locally and re-enabling the tunnel.

The second set was me logging in via my Android and removing said peer, which also brought down the tunnel.

[screenshot: syslog showing the two tunnel stop/start sets]

Connected directly to the web interface via the LAN (not a VPN) I can make changes to the tunnel settings in Chrome on Windows 10 and the tunnel rolls without issue. The tunnel only stops and stays down when I'm managing WireGuard over a WireGuard connection.

EDIT: Also happens in latest Firefox on Windows.

EDIT2: I tried to manage WireGuard over WireGuard again, this time using RDP from a Windows machine to another Windows machine that I then use to access the Unraid webui. Management over the RDP connection tunneled through WireGuard successfully brought the tunnel down and back up.

So my problem seems to be any direct attempt to manage the WireGuard server over a WireGuard connection results in the tunnel going down and staying down. If I connect to another machine on the LAN over WireGuard and use that machine to manage the WireGuard server then it seems to go down and come back up gracefully.

Edited by weirdcrap: did more testing
On 10/12/2019 at 4:15 AM, ljm42 said:
  • In your router, add a static route that lets your network access the WireGuard "Local tunnel network pool" through the IP address of your Unraid system. For instance, for the default pool of 10.253.0.0/24 you should add this static route:
    • Network: 10.253.0.0/24 (aka 10.253.0.0 with subnet 255.255.255.0)
    • Gateway: <IP address of your Unraid system>

My operator's router does not allow adding IP routes, so I can't do this config to get access to all my equipment.

If I add the static route in my docker containers it works, but it's not persistent across updates or reboots.

Is there a way to add a route as a parameter in docker? I didn't find it. Or is there another solution I could apply?
