WireGuard quickstart


ljm42


I'm super new to all of this, so please excuse me if I don't use proper terminology, and my lack of understanding.

 

Currently I have WireGuard set up like the top-left image in this picture, where I use the app to create a connection allowing me to remote into my Unraid server. However, I would like to set up WireGuard in a different way, but have no idea how to go about it and am hoping you guys may be able to tell me what it will take.....

 

I want to have all of my internet traffic from all devices going through a VPN like the bottom left picture. I also want to be able to remote in but see ALL of my network instead of just the server....like the top right image.

 

My server motherboard (Asus X99 Deluxe II) has two LAN ports, so can I just change the cabling around to get my router behind the server? Currently it goes from cable modem to wifi router (which has LAN ports) and the router feeds everything, including wired to the server. Can I just go from cable modem to the server, then out the other LAN port to the wifi router? That should effectively put everything behind the server, correct? Would that be necessary? Really my server is the most important piece in the network and moving it in front of the router seems like it removes a layer of protection (but maybe not). Also I'm not sure how it would work with issuing IP addresses and such, since the router has been doing all that kind of work and the server would be in front of it. Anyway, then I thought I would get a VPN that provides secure internet to ALL of the entire network, not just my server.

 

I just don't understand all this well enough to know if this would work, if it's needed to change the cabling around, what kind of issues I may run into, how difficult it will be to set up and manage..... I can't have anything that is flaky and having issues, because I go out of town a lot and no one else will understand any of it. Once set up it just needs to fade into the background and work.

 

 

 

[attachment: wireguard-help.png]

Edited by SPOautos
Link to comment
4 hours ago, SPOautos said:

I want to have all of my internet traffic from all devices going through a VPN like the bottom left picture. I also want to be able to remote in but see ALL of my network instead of just the server....like the top right image.

If you want your entire network to route through a commercial VPN you should look at upgrading your router to support that.

 

If you would like to route your Unraid traffic through a VPN provider see this post:
 

 

If you would like to have remote access to your LAN while you are out of the house then follow the first few posts in this thread.

 

Note that some people are having difficulty getting access to their entire LAN, although it works for most. I'd recommend reading the last few pages of this thread.

Link to comment
1 hour ago, ljm42 said:

If you want your entire network to route through a commercial VPN you should look at upgrading your router to support that.

 

If you would like to route your Unraid traffic through a VPN provider see this post:
 

 

If you would like to have remote access to your LAN while you are out of the house then follow the first few posts in this thread.

 

Note that some people are having difficulty getting access to their entire LAN, although it works for most. I'd recommend reading the last few pages of this thread.

I am just looking to be able to access the NAS when I am not home, but also don't want it to stop all my web browsing to have this benefit.

 

Link to comment
38 minutes ago, Marcjwebb said:

I am not using and don't plan to use an external VPN service. I just want a secure way for my Unraid to be accessible remotely.

It just seems odd that I can only do that if I sacrifice all other web-related things.

Keep working on it. There is no need for a VPN service. I can access my whole network with WireGuard through Unraid.

Link to comment
8 hours ago, ljm42 said:

If you want your entire network to route through a commercial VPN you should look at upgrading your router to support that.

 

If you would like to route your Unraid traffic through a VPN provider see this post:
 

 

If you would like to have remote access to your LAN while you are out of the house then follow the first few posts in this thread.

 

Note that some people are having difficulty getting access to their entire LAN, although it works for most. I'd recommend reading the last few pages of this thread.

 

Thanks for this info.... I don't know much about routers and networking. Since reading your post I've looked closer at what all my router can do, and it has router capabilities. It appears that I can set it up to remote into it and also tie it to a VPN for internet access. Would a VPN service like Mullvad be good since it offers OpenVPN as well as WireGuard? That would make it compatible with some of the containers/apps that need to go out onto the internet, such as Sonarr and SAB, correct?

 

In terms of VPN access to the network it almost seems like I can just set it up on the router and don't even need a 3rd-party service..... would that be correct? It looks like it lets me generate a certificate, and then the router has a link to the OpenVPN website where I can go download the client app to the remote computer, put in the certificate info, and it reads like it will connect up. Does that sound correct?

 

I suppose maybe I should start a new thread, as my questions to you are getting too far off topic from the thread now that I've discovered all of this isn't relevant to the WireGuard in Unraid.

Link to comment
2 hours ago, SPOautos said:

In terms of VPN access to the network it almost seems like I can just set it up on the router and don't even need a 3rd-party service..... would that be correct?

Correct, VPN access to your house does not require a 3rd party service. You can set it up either on your router or on Unraid.

 

2 hours ago, SPOautos said:

Would a VPN service like Mullvad be good since it offers OpenVPN as well as WireGuard? That would make it compatible with some of the containers/apps that need to go out onto the internet, such as Sonarr and SAB, correct?

I'm not really sure, you'd want to investigate in the threads for those containers.

 

These are two very different things, I'd recommend working on one at a time.

Link to comment

I noticed a possible bug/issue with WireGuard on unRAID. I have a docker container that runs on a custom network and I needed it to talk to a container on bridge so I went into docker settings and enabled "Host access to custom networks". After doing so (and all the required stop/start/reboot), the containers could talk on the network and I thought all was well.

 

Later that week I tried to use my WG VPN tunnel access (LAN access and tunnel through server to my home internet WAN) on my laptop and phone, which I'd used previously and worked great then, since I was on an untrusted Wifi network. After connecting, I was able to access LAN resources on the unRAID server, but could not get the WG client systems to go out to the internet when I had WG turned on on them. I thought back to what had changed and all I could think of was the setting above. So today, since I had to restart unRAID to add a disk, I disabled that setting to test it out and after restarting I tried WG tunnel access and lo and behold it is working again! I can get to LAN resources as well as out to the WAN/internet while connected to WG on the clients.

 

So it seems like something with enabling the "Host access to custom networks" setting breaks WG's ability to allow VPN clients to tunnel through it and use the WAN while connected.

Link to comment

OK, I have been reading posts for 2 hours now and don't see where or what I messed up.

 

I have DDNS set up with a new URL just for WireGuard. I use Pi-hole and did input my Pi-hole LAN IP in the config. I have tested on my phone (cell network) and my laptop (on cell hotspot, cell network).

 

Both seem to connect fine, but nothing loads (neither public sites nor LAN sites). I notice in the client log (both on Windows/laptop and the Android app) that it's sending the handshake attempt multiple times. I see on the Unraid dashboard that there is no handshake. I can post screenshots as needed and would love to use this instead of OpenVPN.

 

Any help or guidance is greatly appreciated. 

[attachment: Screenshot 2020-09-13 181732.jpg]

Link to comment

Hello All,

 

So I recently made the move over from OpenVPN to WireGuard. I've got it set up so when I'm off the LAN I can securely tunnel into my UnRAID server. I can access the likes of SabNZB, Radarr and Sonarr; however, when I access my UnRAID server once VPN'd in I get "cannot open the page because the server cannot be found" when using Safari on my mobile. I also get an error when trying to access the Plex server: "Plex is Not reachable".

 

I'm struggling to understand what this could be. I have Pi-hole running on a Pi on my LAN. I've updated the "Peer DNS Server" in WireGuard settings but am still having no luck..

Link to comment

I was using Unraid with WireGuard just fine, until I moved the Unraid into site A where no public IP is available (behind ISP NAT). Asking the ISP to fix it is not gonna be a solution.

 

I have another site B with a dynamic IP available. I am planning to buy a Raspberry Pi and install PiVPN (WireGuard) on it for site B. The problem is, I am not sure how to configure it properly in order to handshake a tunnel between the 2 sites. My ultimate goal is to access my Unraid in site A by this route: Internet -> DDNS of site B -> site B's router (normal home router) -> B's WireGuard (Raspberry Pi) -> tunnel -> site A WireGuard (on Unraid) -> Unraid application/rest of the network. From my understanding, the handshake should be started from site A. So site A should have a WG client connecting to WG B in order to establish a tunnel, and let packets from site A route into the tunnel.

 

May anyone please point me in the right direction on how to config a tunnel on the Unraid? It would be great to have a detailed explanation on how to set up both the Unraid and the Raspberry Pi.

 

The use of a Raspberry Pi is not a must (I haven't bought it yet). It is just the cheapest solution I can think of. Anyone can propose alternatives, thanks!

Edited by PzrrL
Link to comment
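The topology PzrrL describes is a hub-and-spoke tunnel in which the hub is the one node with a reachable address: site A (behind ISP NAT) and any roaming device both call in to site B, and site B forwards between them. As an added example, not code from this thread, the Unraid WireGuard plugin or PiVPN, the Python below renders the three wg-quick configs with placeholder keys. The DDNS name `relay-b.example.net`, the tunnel range 10.253.0.0/24, the site A LAN 192.168.1.0/24 and the LAN interface name `eth0` are assumptions. Site A is the peer that can never be reached first, so it is the one that needs PersistentKeepalive, and the hub's entry for it carries no Endpoint because the hub cannot initiate to it.

```python
"""Render wg-quick configs for a relay (hub-and-spoke) topology:
relay_b has the public address, site_a sits behind ISP NAT and fronts a LAN,
and a laptop roams. Added example; keys are placeholders, not real keys.
Generate real ones on each node with: wg genkey | tee privatekey | wg pubkey
"""
from typing import Dict, List

TUNNEL = "10.253.0.0/24"                       # assumed tunnel range
SITE_A_LAN = "192.168.1.0/24"                  # assumed LAN behind site A
RELAY_ENDPOINT = "relay-b.example.net:51820"   # hypothetical DDNS name of site B
LAN_IFACE = "eth0"                             # assumed; Unraid usually uses br0

# PersistentKeepalive must be shorter than the NAT/firewall UDP mapping timeout;
# 25 s is the interval the WireGuard quickstart recommends.
KEEPALIVE = 25

# needs_keepalive: True for a spoke the hub must be able to reach at any time
# (site_a, so the laptop's packets can be forwarded to it). The laptop only
# ever initiates, so it can leave the feature off and save battery.
NODES: Dict[str, dict] = {
    "relay_b": {"addr": "10.253.0.1", "lan": None,       "needs_keepalive": False},
    "site_a":  {"addr": "10.253.0.2", "lan": SITE_A_LAN, "needs_keepalive": True},
    "laptop":  {"addr": "10.253.0.3", "lan": None,       "needs_keepalive": False},
}


def render_relay() -> str:
    """Hub config: listens publicly, forwards between spokes, initiates to nobody."""
    lines: List[str] = [
        "[Interface]",
        f"Address = {NODES['relay_b']['addr']}/24",
        "ListenPort = 51820",
        "PrivateKey = <RELAY_B_PRIVATE_KEY>",
        # spokes reach each other only through the hub, so the hub must forward
        "PostUp = sysctl -w net.ipv4.ip_forward=1",
    ]
    for name, node in NODES.items():
        if name == "relay_b":
            continue
        # the spoke's own /32 plus any LAN it fronts; traffic for that LAN is
        # encrypted to this spoke and replies from that LAN are accepted from it
        allowed = [f"{node['addr']}/32"] + ([node["lan"]] if node["lan"] else [])
        # deliberately no Endpoint line: a NATed spoke is reachable only after
        # it has called in, and WireGuard learns the address from that packet
        lines += ["", f"# {name}", "[Peer]",
                  f"PublicKey = <{name.upper()}_PUBLIC_KEY>",
                  f"AllowedIPs = {', '.join(allowed)}"]
    return "\n".join(lines) + "\n"


def render_spoke(name: str) -> str:
    """Spoke config: one peer (the hub) that carries the whole tunnel range."""
    node = NODES[name]
    lines: List[str] = [
        "[Interface]",
        f"Address = {node['addr']}/24",
        f"PrivateKey = <{name.upper()}_PRIVATE_KEY>",
    ]
    if node["lan"]:
        # this spoke fronts a LAN: forward tunnel traffic into it and masquerade,
        # so LAN hosts answer this box instead of needing a route to the tunnel
        lines += [
            "PostUp = sysctl -w net.ipv4.ip_forward=1",
            f"PostUp = iptables -t nat -A POSTROUTING -s {TUNNEL} -o {LAN_IFACE} -j MASQUERADE",
            f"PostDown = iptables -t nat -D POSTROUTING -s {TUNNEL} -o {LAN_IFACE} -j MASQUERADE",
        ]
    # everything this spoke should reach goes to the hub: the tunnel range
    # (so other spokes are reachable) plus the LANs behind the other spokes
    allowed = [TUNNEL] + [n["lan"] for k, n in NODES.items() if n["lan"] and k != name]
    lines += ["", "[Peer]", "PublicKey = <RELAY_B_PUBLIC_KEY>",
              f"Endpoint = {RELAY_ENDPOINT}",
              f"AllowedIPs = {', '.join(allowed)}"]
    if node["needs_keepalive"]:
        # the NATed side must keep its mapping open or the hub's packets are lost
        lines.append(f"PersistentKeepalive = {KEEPALIVE}")
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    print("# relay_b\n" + render_relay())
    for spoke in ("site_a", "laptop"):
        print(f"# {spoke}\n" + render_spoke(spoke))
```

Paste the site A config into the Unraid tunnel (the plugin's fields map one-to-one onto these keys) and the relay config into `/etc/wireguard/wg0.conf` on the Pi, then `wg-quick up wg0`. If the laptop's own Wi-Fi happens to use 192.168.1.0/24 as well, its route to site A collides with the local network; renumber one side.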

I am having a problem and hopefully someone can help me. I managed to get WireGuard to work just fine. But due to a really bad power outage and my UPS losing power, thus my server losing power, it doesn't work anymore. I have tried everything that I can think of. Since I was just starting everything, I haven't done much to my server. With that being said, I even went so far as to format the bootable thumb drive and try again. But nothing that I do works anymore.

 

List of things that I have done (trying to do it in order):

 

Different configuration on server and peers.

Uninstalling/reinstalling the plugin and the programs on the peers.

Checked DDNS settings to make sure they were still pointing to my IP Address.

Checked my router settings to make sure that there was still port forwarding enabled.

Temporarily created a container with the same port settings in the port forwarding settings to see if I can access it through the web. I could.

Instead of using the domain name I used just the IP address.

Formatting the unRAID thumb drive and clearing everything.

Trying different configurations again.

 

None of these things have worked. Am I missing anything?

Link to comment
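Both troubleshooting posts above (the client retrying its handshake while the Unraid dashboard shows none, and the post-outage checklist) come down to reading the peer state on the server. The Python below is an added example, not code from this thread or from the WireGuard project: it parses the tab-separated output of `wg show <iface> dump` and says, per peer, whether a handshake ever completed, whether the session has gone stale, and what to check next. The sample dump and the timestamp are constructed, and the key fields are placeholders; on a real box run `wg show wg0 dump` on the Unraid console and pass that text to `triage()` instead.

```python
"""Triage WireGuard peers from the output of `wg show <iface> dump`.

Added example (not from the Unraid thread or the WireGuard project). It relies
on the tab-separated format printed by wg(8):
  first line : private-key  public-key  listen-port  fwmark
  peer lines : public-key  preshared-key  endpoint  allowed-ips
               latest-handshake  transfer-rx  transfer-tx  persistent-keepalive
latest-handshake is Unix seconds, 0 if the peer has never handshaked;
persistent-keepalive is an interval in seconds or the word "off".
"""
from dataclasses import dataclass
from typing import List

# WireGuard discards a session whose last handshake is older than 180 s
# (REJECT_AFTER_TIME), so anything past that is a dead session, not a slow one.
STALE_AFTER_SECONDS = 180

# Constructed sample dump; the key fields are placeholders, not real keys.
NOW = 1_600_000_030  # constructed "current time" matching the sample below
SAMPLE_DUMP = "\n".join([
    "\t".join(["(hidden)", "HUB_PUBKEY=", "51820", "off"]),
    # peer_a: healthy, handshake 30 s ago, traffic in both directions
    "\t".join(["PEER_A_PUBKEY=", "(none)", "203.0.113.7:41641", "10.253.0.2/32",
               "1600000000", "184520", "96320", "off"]),
    # peer_b: we keep sending initiations (tx > 0) but nothing ever came back
    "\t".join(["PEER_B_PUBKEY=", "(none)", "198.51.100.20:51820", "10.253.0.3/32",
               "0", "0", "1480", "off"]),
    # peer_c: used to work, went quiet 10030 s ago, no keepalive configured
    "\t".join(["PEER_C_PUBKEY=", "(none)", "192.0.2.99:60001", "10.253.0.4/32",
               "1599990000", "50000", "50000", "off"]),
])


@dataclass
class PeerStatus:
    public_key: str
    endpoint: str
    handshake_age: int   # seconds since the last handshake, -1 if never
    keepalive: int       # PersistentKeepalive interval, 0 if off
    verdict: str         # "ok", "never" or "stale"
    advice: str


def triage(dump: str, now: int) -> List[PeerStatus]:
    """Classify every peer in a `wg show <iface> dump` as ok / never / stale."""
    lines = [ln for ln in dump.splitlines() if ln.strip()]
    result: List[PeerStatus] = []
    for line in lines[1:]:                      # line 0 describes the interface
        fields = line.split("\t")
        if len(fields) != 8:
            raise ValueError(f"unexpected peer line: {line!r}")
        pubkey, _psk, endpoint, _allowed, hs, rx, tx, ka = fields
        last = int(hs)
        keepalive = 0 if ka == "off" else int(ka)
        if last == 0:
            age = -1
            verdict = "never"
            if int(tx) > 0 and int(rx) == 0:
                # counters only cover packets WireGuard accepted, so this pattern
                # means our initiations leave and nothing valid comes back
                advice = ("initiations sent, no reply: check that the DDNS name "
                          "resolves to the current public IP, that the UDP port "
                          f"behind {endpoint} is forwarded to this host, and that "
                          "both sides hold each other's correct public key")
            else:
                advice = "no handshake attempted yet; is the peer enabled?"
        else:
            age = now - last
            if age > STALE_AFTER_SECONDS:
                verdict = "stale"
                advice = (f"session expired {age} s ago; if this peer sits behind "
                          "NAT, set PersistentKeepalive = 25 so the mapping survives")
                if keepalive:
                    advice = "keepalive is on but the peer still went silent: " + advice
            else:
                verdict = "ok"
                advice = f"handshake {age} s ago"
        result.append(PeerStatus(pubkey, endpoint, age, keepalive, verdict, advice))
    return result


if __name__ == "__main__":
    for p in triage(SAMPLE_DUMP, NOW):
        print(f"{p.public_key:16} {p.verdict:6} {p.advice}")
```

A peer stuck at "never" with the server's `ListenPort` confirmed open (the container test in the checklist above proves TCP forwarding, not UDP) is almost always a DDNS record still pointing at the pre-outage address or a key pasted from a regenerated config.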

I found some replies here with users using cloudflare domains - and they are unproxied. Is this less secure than other methods? I guess the only thing happening is exposing your public IP via a sub domain. Are there other methods to get wireguard to work with a cloudflare proxy or otherwise? Apologies for my ignorance, I'm not super well versed in the world of networking.

Link to comment

I've found a neat problem. I have Wireguard up and running, super stable for weeks now. Logging onto the Unraid web interface allows me to add, remove, and modify peers as expected. However... If I do this while logged in remotely (via the Wireguard VPN), the "Active/Inactive" toggle gets switched off and doesn't auto-start again. Luckily I had a VNC server running on another computer from a previous project, so I connected to that over SSH and was able to flip the toggle switch from inside my LAN.

 

Tried recreating it several times, and the problem persists. Happens when I hit the "Apply" button in the web interface. From another computer on the same LAN/Subnet/etc as my Unraid server, it stays active. From a remote computer connected to the VPN, Wireguard inactivates.

 

More info: Not running any reverse proxies, Wireguard's "Autostart" toggle switch is on (and persists), remote clients connect with "Remote Tunnelled Access"

 

Anybody else seen this behaviour? Any ideas?

Link to comment

Anybody have a solve for the following issue:

  • Domain name abc.com hosted in Cloudflare and dynamic dns updated automatically by the Cloudflare docker (Cloudflare Proxy = Enabled)
  • CNAME wg points to abc.com (Cloudflare Proxy = Enabled)
  • Anything coming in via abc.com goes through NGINX Proxy Manager docker and goes to the relevant application there (relevant for other domains)

Wireguard doesn't seem to work if I add Cloudflare Proxy = Enabled to the wg CNAME, however if I don't then it exposes the ip of the domain name (abc.com) which I'd rather keep proxied.

 

All my other services use a CNAME pointing to abc.com and proxied that works fine. But no luck with Wireguard.

Link to comment
6 hours ago, Mattyfaz said:

Anybody have a solve for the following issue:

  • Domain name abc.com hosted in Cloudflare and dynamic dns updated automatically by the Cloudflare docker (Cloudflare Proxy = Enabled)
  • CNAME wg points to abc.com (Cloudflare Proxy = Enabled)
  • Anything coming in via abc.com goes through NGINX Proxy Manager docker and goes to the relevant application there (relevant for other domains)

Wireguard doesn't seem to work if I add Cloudflare Proxy = Enabled to the wg CNAME, however if I don't then it exposes the ip of the domain name (abc.com) which I'd rather keep proxied.

 

All my other services use a CNAME pointing to abc.com and proxied that works fine. But no luck with Wireguard.

  

On 10/2/2020 at 3:44 AM, mishmash- said:

I found some replies here with users using cloudflare domains - and they are unproxied. Is this less secure than other methods? I guess the only thing happening is exposing your public IP via a sub domain. Are there other methods to get wireguard to work with a cloudflare proxy or otherwise? Apologies for my ignorance, I'm not super well versed in the world of networking.

 

The Cloudflare proxy is designed for http traffic, it does not know how to proxy other traffic such as WireGuard. You have to disable the Cloudflare proxy for WireGuard to function.

Link to comment
On 9/12/2020 at 2:25 AM, deusxanime said:

I noticed a possible bug/issue with WireGuard on unRAID. I have a docker container that runs on a custom network and I needed it to talk to a container on bridge so I went into docker settings and enabled "Host access to custom networks". After doing so (and all the required stop/start/reboot), the containers could talk on the network and I thought all was well.

 

Later that week I tried to use my WG VPN tunnel access (LAN access and tunnel through server to my home internet WAN) on my laptop and phone, which I'd used previously and worked great then, since I was on an untrusted Wifi network. After connecting, I was able to access LAN resources on the unRAID server, but could not get the WG client systems to go out to the internet when I had WG turned on on them. I thought back to what had changed and all I could think of was the setting above. So today, since I had to restart unRAID to add a disk, I disabled that setting to test it out and after restarting I tried WG tunnel access and lo and behold it is working again! I can get to LAN resources as well as out to the WAN/internet while connected to WG on the clients.

 

So it seems like something with enabling the "Host access to custom networks" setting breaks WG's ability to allow VPN clients to tunnel through it and use the WAN while connected.

 

I am having this exact same issue. Prior to enabling "Host access to custom networks" WireGuard worked perfectly for over a year. Since I have made this change it no longer works.

Link to comment
On 12/19/2019 at 5:57 PM, nuhll said:

Has anyone found a solution to make WireGuard automatically reconnect?

 

I don't understand why it doesn't do it on its own. Every night somewhere there is a disconnect (and yes, I've set keepalive to 600s).

 

Every morning I need to deactivate it on my mobile and then activate it again...?!

"when a peer is behind NAT or a firewall, it might wish to be able to receive incoming packets even when it is not sending any packets. Because NAT and stateful firewalls keep track of "connections", if a peer behind NAT or a firewall wishes to receive incoming packets, he must keep the NAT/firewall mapping valid, by periodically sending keepalive packets. This is called persistent keepalives. When this option is enabled, a keepalive packet is sent to the server endpoint once every interval seconds. A sensible interval that works with a wide variety of firewalls is 25 seconds. Setting it to 0 turns the feature off, which is the default, since most users will not need this, and it makes WireGuard slightly more chatty. This feature may be specified by adding the PersistentKeepalive = field to a peer in the configuration file, or setting persistent-keepalive at the command line. If you don't need this feature, don't enable it. But if you're behind NAT or a firewall and you want to receive incoming connections long after network traffic has gone silent, this option will keep the "connection" open in the eyes of NAT."

 

Source: https://www.wireguard.com/quickstart/

 

This is exactly my situation, my peer does not have a public IP due to ISP restriction. How do I configure persistent-keepalive in my Unraid WireGuard peer setting?

Link to comment
On 10/19/2020 at 2:29 PM, chalk said:

 

I am having this exact same issue. Prior to enabling "Host access to custom networks" WireGuard worked perfectly for over a year. Since I have made this change it no longer works.

How can we raise a bug report for this issue?

Link to comment

Any idea why "Remote access to LAN" doesn't handshake with my device, but if I keep everything the same and change the peer type of access to "Remote tunneled access" it seems to work perfectly? I understand the difference between the two options, but I'm confused as to why one of them works but the other doesn't if I've configured everything correctly. From reading the thread it seems like "Remote access to LAN" is the simpler way to set everything up as well.

Link to comment

Hey @ljm42 I think the peer configs for "Server hub and spoke access" and "LAN hub and spoke access" might be incorrect:

- "Server hub and spoke access" is currently set up exactly like "Remote access to server"; it doesn't really allow peers on the same tunnel to talk to each other

- "LAN hub and spoke access" does allow you to connect to other peers on the same tunnel (which is correct), but it doesn't allow peers to access your entire LAN (only the Unraid server itself)

 

With my limited knowledge in networking, I think this might be because of how the "AllowedIPs" was set in the peer config file

- "Server hub and spoke access" gives you something like "AllowedIPs=10.253.0.1/32" which I think should be "AllowedIPs=10.253.0.0/24"

- "LAN hub and spoke access" gives you "AllowedIPs=10.253.0.0/24, 192.168.1.100/32" which I think should be "AllowedIPs=10.253.0.0/24, 192.168.1.0/24"

 

I'm using Unraid 6.8.3, this was the result of my testing for those 2 types (on things that I could access and things that I couldn't), but my understanding about networking and wireguard might be totally wrong

Link to comment
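What malkaviancz is describing is WireGuard's cryptokey routing. On a spoke, the hub's AllowedIPs decides which destinations get encrypted to the hub at all (wg-quick also installs matching kernel routes), so `10.253.0.1/32` reaches only the hub's own tunnel address and `192.168.1.100/32` reaches only the Unraid box, never the rest of the LAN. On the hub, the same field filters inbound packets: after decryption a packet is accepted only if its source lies inside the sending peer's AllowedIPs, which is why the hub-side entries are correctly /32 per spoke. The Python below is an added example, not code from this thread or from the WireGuard project; it models that table with the exact AllowedIPs strings quoted in the post and shows what each variant can and cannot reach. The peer names are constructed.

```python
"""Model WireGuard's cryptokey routing table (the AllowedIPs field).

Added example, not from the Unraid thread or the WireGuard project. The table
is used in both directions: outbound, the destination address selects the peer
(longest prefix wins, no match means the packet is dropped); inbound, a
decrypted packet is accepted only if its source maps back to the peer it came
from. The AllowedIPs strings below are the ones quoted in the post above.
"""
import ipaddress
from typing import Dict, List, Optional, Tuple

Table = List[Tuple[ipaddress.IPv4Network, str]]


def build_table(peers: Dict[str, List[str]]) -> Table:
    """Flatten {peer: [cidr, ...]} into a longest-prefix-first lookup table."""
    table: Table = [(ipaddress.ip_network(cidr, strict=False), peer)
                    for peer, cidrs in peers.items() for cidr in cidrs]
    return sorted(table, key=lambda entry: entry[0].prefixlen, reverse=True)


def route_out(table: Table, dst: str) -> Optional[str]:
    """Peer a packet to `dst` is encrypted for; None means it is dropped."""
    addr = ipaddress.ip_address(dst)
    return next((peer for net, peer in table if addr in net), None)


def accept_in(table: Table, src: str, from_peer: str) -> bool:
    """Inbound check: the decrypted source must belong to the sending peer."""
    return route_out(table, src) == from_peer


def reachable(table: Table, destinations: List[str]) -> Dict[str, bool]:
    """Per destination, whether a spoke with this table sends it into the tunnel."""
    return {d: route_out(table, d) is not None for d in destinations}


# --- spoke side: the single [Peer] entry (the Unraid hub) a client receives ---
SERVER_HUB_AS_SHIPPED = build_table({"unraid": ["10.253.0.1/32"]})
SERVER_HUB_PROPOSED   = build_table({"unraid": ["10.253.0.0/24"]})
LAN_HUB_AS_SHIPPED    = build_table({"unraid": ["10.253.0.0/24", "192.168.1.100/32"]})
LAN_HUB_PROPOSED      = build_table({"unraid": ["10.253.0.0/24", "192.168.1.0/24"]})

# --- hub side: one /32 per spoke, which is the correct shape for the hub ---
HUB_PEERS = build_table({
    "laptop": ["10.253.0.2/32"],
    "phone":  ["10.253.0.3/32"],
})


if __name__ == "__main__":
    targets = ["10.253.0.1", "10.253.0.3", "192.168.1.100", "192.168.1.50"]
    for label, table in [("server hub, shipped ", SERVER_HUB_AS_SHIPPED),
                         ("server hub, proposed", SERVER_HUB_PROPOSED),
                         ("LAN hub, shipped    ", LAN_HUB_AS_SHIPPED),
                         ("LAN hub, proposed   ", LAN_HUB_PROPOSED)]:
        print(label, reachable(table, targets))
    # hub side: a packet from the laptop must carry the laptop's tunnel address
    print("laptop->hub with own address :", accept_in(HUB_PEERS, "10.253.0.2", "laptop"))
    print("laptop->hub spoofing the phone:", accept_in(HUB_PEERS, "10.253.0.3", "laptop"))
```

Widening the spoke's AllowedIPs is only half of it: with 10.253.0.0/24 the laptop now hands packets for 10.253.0.3 to the hub, but the hub only relays them to the phone if the kernel is forwarding (`net.ipv4.ip_forward=1`) and the phone's own AllowedIPs lets it answer.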
On 11/8/2020 at 5:04 PM, malkaviancz said:

Hey @ljm42 I think the peer configs for "Server hub and spoke access" and "LAN hub and spoke access" might be incorrect:

- "Server hub and spoke access" is currently set up exactly like "Remote access to server"; it doesn't really allow peers on the same tunnel to talk to each other

- "LAN hub and spoke access" does allow you to connect to other peers on the same tunnel (which is correct), but it doesn't allow peers to access your entire LAN (only the Unraid server itself)

 

With my limited knowledge in networking, I think this might be because of how the "AllowedIPs" was set in the peer config file

- "Server hub and spoke access" gives you something like "AllowedIPs=10.253.0.1/32" which I think should be "AllowedIPs=10.253.0.0/24"

- "LAN hub and spoke access" gives you "AllowedIPs=10.253.0.0/24, 192.168.1.100/32" which I think should be "AllowedIPs=10.253.0.0/24, 192.168.1.0/24"

 

I'm using Unraid 6.8.3, this was the result of my testing for those 2 types (on things that I could access and things that I couldn't), but my understanding about networking and wireguard might be totally wrong

Just fighting the same problem; even though I have tried to fix the AllowedIPs myself, it still does not work. Perhaps there needs to be additional configuration done to Unraid, such as enabling IP forwarding... Also IP forwarding seems a bit broken in my Unraid 6.8.3.
I had to do a quick fix:
 

sysctl -w net.ipv4.ip_forward=1

but this is not persistent

Edited by Maor
Link to comment
On 11/12/2020 at 10:26 PM, Maor said:

Just fighting the same problem; even though I have tried to fix the AllowedIPs myself, it still does not work. Perhaps there needs to be additional configuration done to Unraid, such as enabling IP forwarding... Also IP forwarding seems a bit broken in my Unraid 6.8.3.
I had to do a quick fix:
 


sysctl -w net.ipv4.ip_forward=1

but this is not persistent

What you need is to keep the connection alive for any peer behind a NAT or firewall for them to be able to communicate with each other.

Try setting the "Persistent keepalive" field of peer to 25 seconds (something < 2 mins), this is almost mandatory for a server hub or lan hub setup in my opinion.

You can read more about it here

Do let me know if it works at all ;)

Link to comment
