ljm42

WireGuard quickstart


I'm super new to all of this, so please excuse me if I don't use proper terminology and my lack of understanding.

Currently I have WireGuard set up like the top left image in this picture, where I use the app to create a connection allowing me to remote in to my Unraid server. However, I would like to set up WireGuard in a different way, but have no idea how to go about it and am hoping you guys may be able to tell me what it will take.

I want to have all of my internet traffic from all devices going through a VPN like the bottom left picture. I also want to be able to remote in but see ALL of my network instead of just the server, like the top right image.

My server motherboard (Asus X99 Deluxe II) has two LAN ports, so can I just change the cabling around to get my router behind the server? Currently it goes from cable modem to wifi router (which has LAN ports) and the router feeds everything, including wired to the server. Can I just go from cable modem to the server, then out the other LAN port to the wifi router? That should effectively put everything behind the server, correct? Would that be necessary? Really my server is the most important piece in the network and moving it in front of the router seems like it removes a layer of protection (but maybe not). Also I'm not sure how it would work with issuing IP addresses and such, since the router has been doing all that kind of work and the server would be in front of it. Anyway, then I thought I would get a VPN that provides secure internet to ALL of the entire network, not just my server.

I just don't understand all this well enough to know if this would work, if it's necessary to change the cabling around, what kind of issues I may run into, or how difficult it will be to set up and manage. I can't have anything that is flaky and having issues, because I go out of town a lot and no one else will understand any of it. Once set up it just needs to fade into the background and work.

[attached image: wireguard-help.png]

Edited by SPOautos

4 hours ago, SPOautos said:

I want to have all of my internet traffic from all devices going through a VPN like the bottom left picture. I also want to be able to remote in but see ALL of my network instead of just the server....like the top right image.

If you want your entire network to route through a commercial VPN you should look at upgrading your router to support that.

 

If you would like to route your Unraid traffic through a VPN provider see this post:
 

 

If you would like to have remote access to your LAN while you are out of the house then follow the first few posts in this thread.

 

Note that some people are having difficulty getting access to their entire LAN, although it works for most. I'd recommend reading the last few pages of this thread.

1 hour ago, ljm42 said:

If you want your entire network to route through a commercial VPN you should look at upgrading your router to support that.

 

If you would like to route your Unraid traffic through a VPN provider see this post:
 

 

If you would like to have remote access to your LAN while you are out of the house then follow the first few posts in this thread.

 

Note that some people are having difficulty getting access to their entire LAN, although it works for most. I'd recommend reading the last few pages of this thread.

I am just looking to be able to access the NAS when I am not home, but also don't want it to stop all my web browsing to have this benefit.

 


I am not using and don't plan to use an external VPN service. I just want a secure way for my Unraid to be accessible remotely.

It just seems odd that I can only do that if I sacrifice all other web-related things.

38 minutes ago, Marcjwebb said:

I am not using and don't plan to use an external VPN service. I just want a secure way for my Unraid to be accessible remotely.

It just seems odd that I can only do that if I sacrifice all other web-related things.

Keep working on it. There is no need for a VPN service. I can access my whole network with WireGuard through Unraid.

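What a client can reach through the tunnel, and whether its ordinary web browsing is affected, is decided by the AllowedIPs line in the client's [Peer] section: only destinations inside those ranges are sent into the tunnel, everything else leaves the device as before. The Python below is an added example, not code from this thread or from Unraid, that builds that line for the three access patterns pictured in SPOautos's question (server only, whole LAN, everything) and then checks where a given destination would go. The tunnel network 10.253.0.0/24, the server's tunnel address 10.253.0.1 and the home LAN 192.168.1.0/24 are assumed values; which addresses Unraid actually assigns is not stated in the thread.

```python
"""Added example: how AllowedIPs selects what a WireGuard client tunnels.
All addresses below are assumed for illustration (not from the thread)."""
import ipaddress

TUNNEL_NET = ipaddress.ip_network("10.253.0.0/24")     # assumed WireGuard subnet
SERVER_TUNNEL_IP = ipaddress.ip_address("10.253.0.1")  # assumed server address in it
HOME_LAN = ipaddress.ip_network("192.168.1.0/24")      # assumed home LAN


def allowed_ips(mode):
    """AllowedIPs entries for a road-warrior client in each access pattern."""
    if mode == "server":      # only the Unraid box, via its tunnel address
        return [f"{SERVER_TUNNEL_IP}/32"]
    if mode == "lan":         # the tunnel subnet plus everything on the home LAN;
        return [str(TUNNEL_NET), str(HOME_LAN)]   # web browsing stays local
    if mode == "tunneled":    # full tunnel: all v4 and v6 traffic via the server
        return ["0.0.0.0/0", "::/0"]
    raise ValueError(f"unknown mode {mode!r}")


def goes_through_tunnel(mode, destination):
    """True if the client would send a packet for `destination` into the tunnel.
    Membership in any AllowedIPs range is exactly WireGuard's cryptokey rule."""
    dst = ipaddress.ip_address(destination)
    return any(dst in ipaddress.ip_network(net) for net in allowed_ips(mode))


def client_config(mode, client_tunnel_ip, server_pubkey, endpoint):
    """Render the client-side config for the chosen mode. Key material is a
    placeholder; endpoint is the server's DDNS name and UDP port."""
    return "\n".join([
        "[Interface]",
        f"Address = {client_tunnel_ip}/32",
        "PrivateKey = <client private key>",
        "",
        "[Peer]",
        f"PublicKey = {server_pubkey}",
        f"Endpoint = {endpoint}",
        f"AllowedIPs = {', '.join(allowed_ips(mode))}",
        "PersistentKeepalive = 25",   # keeps NAT state alive on mobile networks
    ])


if __name__ == "__main__":
    for mode in ("server", "lan", "tunneled"):
        print(mode, [(d, goes_through_tunnel(mode, d))
                     for d in ("10.253.0.1", "192.168.1.10", "8.8.8.8")])
```

In "lan" mode a remote phone reaches 192.168.1.10 through the tunnel while 8.8.8.8 still goes out over the phone's own connection, which is the split-tunnel behaviour Marcjwebb is asking for. For the "lan" and "tunneled" modes the server side must forward packets and NAT them onto its LAN or WAN; that part is configured on the server, not in the client's AllowedIPs.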
8 hours ago, ljm42 said:

If you want your entire network to route through a commercial VPN you should look at upgrading your router to support that.

 

If you would like to route your Unraid traffic through a VPN provider see this post:
 

 

If you would like to have remote access to your LAN while you are out of the house then follow the first few posts in this thread.

 

Note that some people are having difficulty getting access to their entire LAN, although it works for most. I'd recommend reading the last few pages of this thread.

 

Thanks for this info. I don't know much about routers and networking. Since reading your post I've looked closer at what all my router can do and it has router capabilities. It appears that I can set it up to remote into it and also tie it to a VPN for internet access. Would a VPN service like Mullvad be good since it offers OpenVPN as well as WireGuard? That would make it compatible with some of the containers/apps that need to go out onto the internet such as Sonarr and SAB, correct?

 

In terms of VPN access to the network it almost seems like I can just set it up on the router and don't even need a 3rd party service. Would that be correct? It looks like it lets me generate a certificate and then the router has a link to the OpenVPN website where I can go download the client app to the remote computer, put in the certificate info, and it reads like it will connect up. Does that sound correct?

 

I suppose maybe I should start a new thread, as my questions to you are getting too far off topic from the thread now that I've discovered all of this isn't relevant to the WireGuard in Unraid.

2 hours ago, SPOautos said:

In terms of VPN access to the network it almost seems like I can just set it up on the router and dont even need a 3rd party service.....would that be correct?

Correct, VPN access to your house does not require a 3rd party service. You can set it up either on your router or on Unraid.

 

2 hours ago, SPOautos said:

Would a VPN service like Mullvad be good since it offers Open VPN as well as Wireguard? That would make it compatible with some of the containers/apps that need to go out into the internet such as Sonarr and SAB correct?  

I'm not really sure; you'd want to investigate in the threads for those containers.

 

These are two very different things, I'd recommend working on one at a time.


I noticed a possible bug/issue with WireGuard on unRAID. I have a docker container that runs on a custom network and I needed it to talk to a container on bridge so I went into docker settings and enabled "Host access to custom networks". After doing so (and all the required stop/start/reboot), the containers could talk on the network and I thought all was well.

 

Later that week I tried to use my WG VPN tunnel access (LAN access and tunnel through server to my home internet WAN) on my laptop and phone, which I'd used previously and worked great then, since I was on an untrusted Wifi network. After connecting, I was able to access LAN resources on the unRAID server, but could not get the WG client systems to go out to the internet when I had WG turned on on them. I thought back to what had changed and all I could think of was the setting above. So today, since I had to restart unRAID to add a disk, I disabled that setting to test it out and after restarting I tried WG tunnel access and lo and behold it is working again! I can get to LAN resources as well as out to the WAN/internet while connected to WG on the clients.

 

So it seems like something with enabling the "Host access to custom networks" setting breaks WG's ability to allow VPN clients to tunnel through it and use the WAN while connected.


OK, I have been reading posts for 2 hours now and don't see where or what I messed up.

I have DDNS set up with a new URL just for WireGuard. I use Pi-hole and did input my Pi-hole LAN IP in the config. I have tested on my phone (cell network) and my laptop (on cell hotspot, cell network).

Both seem to connect fine, but nothing loads (public sites nor LAN sites). I notice in the client log (both on Windows/laptop and the Android app) that it's sending the handshake attempt multiple times. I see on the Unraid dashboard that there is no handshake. I can post screenshots as needed and would love to use this instead of OpenVPN.

Any help or guidance is greatly appreciated.

[attached image: Screenshot 2020-09-13 181732.jpg]

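"Handshake attempt repeated, no handshake on the server" means the server never produced a handshake response for that key: either its UDP port is not receiving the client's packets (port forward, DDNS pointing at a stale address, wrong port) or the packets arrive but do not authenticate against any configured peer (public keys swapped or mistyped). Both look identical on the server, which simply shows the peer with no handshake ever. The Python below is an added example, not Unraid's or WireGuard's own tooling, that reads the machine-readable output of `wg show wg0 dump` on the server (interface name wg0 and the sample dump are assumptions) and reports, per peer, whether a handshake has ever completed and what to check if not.

```python
"""Added example: classify peers from `wg show <iface> dump` output.
The SAMPLE_DUMP is constructed, not captured from a real server."""
import time

# Constructed sample: one interface line, then one tab-separated line per peer.
# Peer columns: public-key, preshared-key, endpoint, allowed-ips,
#   latest-handshake (unix time, 0 = never), rx bytes, tx bytes, keepalive.
SAMPLE_DUMP = (
    "<server-private-key>\t<server-public-key>\t51820\toff\n"
    "PEER_A_PUBKEY\t(none)\t198.51.100.7:41641\t10.253.0.2/32\t1700000000\t98304\t212992\toff\n"
    "PEER_B_PUBKEY\t(none)\t(none)\t10.253.0.3/32\t0\t0\t0\toff\n"
)


def parse_wg_dump(text):
    """Parse the dump format into the listen port and a list of peer dicts."""
    lines = [line for line in text.splitlines() if line.strip()]
    iface = lines[0].split("\t")
    peers = []
    for line in lines[1:]:
        f = line.split("\t")
        peers.append({
            "pubkey": f[0],
            "endpoint": f[2],
            "allowed_ips": f[3],
            "latest_handshake": int(f[4]),
            "rx": int(f[5]),
            "tx": int(f[6]),
        })
    return {"listen_port": int(iface[2]), "peers": peers}


def peer_status(peer, now, stale_after=180):
    """WireGuard re-handshakes every couple of minutes while traffic flows, so a
    handshake older than ~3 minutes means the peer is idle or gone; 0 means the
    server has never completed a handshake with this key."""
    if peer["latest_handshake"] == 0:
        return "never"
    return "fresh" if now - peer["latest_handshake"] <= stale_after else "stale"


def diagnose(dump_text, now=None):
    """Map each peer's public key to (status, hint)."""
    now = int(time.time()) if now is None else now
    parsed = parse_wg_dump(dump_text)
    report = {}
    for p in parsed["peers"]:
        status = peer_status(p, now)
        if status == "never":
            hint = (f"no handshake ever: confirm UDP/{parsed['listen_port']} is forwarded "
                    f"to this host, the DDNS name resolves to the current WAN IP, "
                    f"the client's [Peer] PublicKey is this server's key, and this "
                    f"entry's key {p['pubkey']} matches the client's own key pair")
        else:
            hint = f"last handshake {now - p['latest_handshake']}s ago from {p['endpoint']}"
        report[p["pubkey"]] = (status, hint)
    return report


if __name__ == "__main__":
    # On a real server: diagnose(subprocess.check_output(["wg", "show", "wg0", "dump"], text=True))
    for key, (status, hint) in diagnose(SAMPLE_DUMP, now=1700000100).items():
        print(key, status, hint)
```

Run it on the server while the client is retrying: a peer that stays at "never" with rx bytes at 0 has not been matched to a single incoming packet, so the fix is on the path in (router forward, DDNS, port) or in the key pairing, not in DNS or routing settings, which only matter after the handshake succeeds.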

Hello All,

 

So I recently made the move over from OpenVPN to WireGuard. I've got it set up so when I'm off LAN I can securely tunnel into my Unraid server. I can access the likes of SabNZB, Radarr and Sonarr; however, when I access my Unraid server once VPN'd in I get "cannot open the page because the server cannot be found" when using Safari on my mobile. I also get an error when trying to access the Plex server: "Plex is Not reachable".

I'm struggling to understand what this could be. I have Pi-hole running on a Pi on my LAN. I've updated the "Peer DNS Server" in WireGuard settings but am still having no luck.


I was using Unraid with WireGuard just fine, until I moved the Unraid into site A where no public IP is available (behind ISP NAT). Asking the ISP to fix it is not going to be a solution.

I have another site B with a dynamic IP available. I am planning to buy a Raspberry Pi and install PiVPN (WireGuard) on it for site B. The problem is, I am not sure how to configure it properly in order to handshake a tunnel between the 2 sites. My ultimate goal is to access my Unraid in site A by this route: Internet -> DDNS of site B -> Site B's router (normal home router) -> B's WireGuard (Raspberry Pi) -> Tunnel -> Site A WireGuard (on Unraid) -> Unraid application/rest of the network. From my understanding, the handshake should be started from site A. So site A should have a WG client connecting to WG B in order to establish a tunnel, and let packets from site A route into the tunnel.

May anyone please point me in the right direction on how to configure a tunnel on the Unraid? It would be great to have a detailed explanation of how to set it up on both Unraid and the Raspberry Pi.

The use of a Raspberry Pi is not a must (I haven't bought it yet). It is just the cheapest solution I can think of. Anyone can propose alternatives, thanks!

Edited by PzrrL

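When only one site can accept inbound traffic, the tunnel has to be initiated from the side behind carrier-grade NAT: that side's config carries the Endpoint of the reachable site and a PersistentKeepalive so the NAT binding stays open, while the reachable side's peer entry for it has no Endpoint at all and learns the source address from the first authenticated handshake. The Python below is an added example, not code from Unraid, PiVPN or this thread, that renders the three configs for the route described above (internet -> DDNS of site B -> Pi -> tunnel -> Unraid at site A) plus the peer entry for a phone that connects through site B to reach site A's LAN. Every address, name and port in it is assumed.

```python
"""Added example: site-to-site WireGuard where site A (Unraid) sits behind CGNAT
and site B (a Raspberry Pi behind a home router with DDNS) accepts inbound UDP.
All addresses, names and ports are assumed, not taken from the thread."""

SITE_A_LAN = "192.168.10.0/24"            # assumed: LAN behind the Unraid server
SITE_B_LAN = "192.168.20.0/24"            # assumed: LAN behind the Raspberry Pi
TUN_NET = "10.200.0.0/24"                 # assumed tunnel network
A_TUN, B_TUN, PHONE_TUN = "10.200.0.1", "10.200.0.2", "10.200.0.10"
B_ENDPOINT = "siteb.example.test:51820"   # assumed DDNS name + forwarded UDP port


def site_a_config(b_pubkey):
    """Unraid at site A: unreachable from outside, so it dials out and keeps the
    CGNAT mapping alive. AllowedIPs is what A sends into the tunnel: the whole
    tunnel subnet (B and any road-warrior parked on B) plus B's LAN."""
    return "\n".join([
        "[Interface]",
        f"Address = {A_TUN}/24",
        "PrivateKey = <site A private key>",
        "",
        "[Peer]",
        f"PublicKey = {b_pubkey}",
        f"Endpoint = {B_ENDPOINT}",
        f"AllowedIPs = {TUN_NET}, {SITE_B_LAN}",
        "PersistentKeepalive = 25",   # keeps the NAT binding open so B can reach A any time
    ])


def site_b_config(a_pubkey, phone_pubkey):
    """Pi at site B: listens on the forwarded port. The peer entry for A has no
    Endpoint because A's public address is whatever CGNAT assigns; B learns it
    from A's handshake. A's LAN is routed to A; the phone gets only its /32."""
    return "\n".join([
        "[Interface]",
        f"Address = {B_TUN}/24",
        "ListenPort = 51820",
        "PrivateKey = <site B private key>",
        "",
        "[Peer]",
        "# Unraid at site A (behind CGNAT, initiates the tunnel)",
        f"PublicKey = {a_pubkey}",
        f"AllowedIPs = {A_TUN}/32, {SITE_A_LAN}",
        "",
        "[Peer]",
        "# road-warrior phone",
        f"PublicKey = {phone_pubkey}",
        f"AllowedIPs = {PHONE_TUN}/32",
    ])


def phone_config(b_pubkey):
    """The phone only ever talks to B; it reaches A's LAN because B forwards
    between its two peers (net.ipv4.ip_forward=1 on the Pi)."""
    return "\n".join([
        "[Interface]",
        f"Address = {PHONE_TUN}/24",
        "PrivateKey = <phone private key>",
        "",
        "[Peer]",
        f"PublicKey = {b_pubkey}",
        f"Endpoint = {B_ENDPOINT}",
        f"AllowedIPs = {TUN_NET}, {SITE_A_LAN}, {SITE_B_LAN}",
        "PersistentKeepalive = 25",
    ])


def peer_sections(config):
    """Split a rendered config into its [Peer] blocks (handy for checking)."""
    return [part.strip() for part in config.split("[Peer]")[1:]]


if __name__ == "__main__":
    print(site_a_config("<B public key>"))
    print()
    print(site_b_config("<A public key>", "<phone public key>"))
```

Two things outside the WireGuard configs still have to be true: the Pi must forward packets (`net.ipv4.ip_forward=1`), and hosts on site A's LAN need a way to answer 10.200.0.x addresses, either a route for the tunnel network pointing at the Unraid box on site A's router or a masquerade rule on Unraid's WireGuard interface. Without one of those, the phone's packets arrive at site A but the replies go to the default gateway and are lost.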

I am having a problem and hopefully someone can help me. I managed to get WireGuard to work just fine. But due to a really bad power outage and my UPS losing power, thus my server losing power, it doesn't work anymore. I have tried everything that I can think of. Since I was just starting everything, I haven't done much to my server. With that being said, I even went so far as to format the bootable thumb drive and try again. But nothing that I do works anymore.

List of things that I have done (trying to do it in order):

  • Different configuration on server and peers.
  • Uninstalling/reinstalling the plugin and the programs on the peers.
  • Checked DDNS settings to make sure they were still pointing to my IP address.
  • Checked my router settings to make sure that port forwarding was still enabled.
  • Temporarily created a container with the same port settings in the port forwarding settings to see if I could access it through the web. I could.
  • Instead of using the domain name I used just the IP address.
  • Formatting the Unraid thumb drive and clearing everything.
  • Trying different configurations again.

None of these things have worked. Am I missing anything?


I found some replies here with users using cloudflare domains - and they are unproxied. Is this less secure than other methods? I guess the only thing happening is exposing your public IP via a sub domain. Are there other methods to get wireguard to work with a cloudflare proxy or otherwise? Apologies for my ignorance, I'm not super well versed in the world of networking.


I've found a neat problem. I have Wireguard up and running, super stable for weeks now. Logging onto the Unraid web interface allows me to add, remove, and modify peers as expected. However... If I do this while logged in remotely (via the Wireguard VPN), the "Active/Inactive" toggle gets switched off and doesn't auto-start again. Luckily I had a VNC server running on another computer from a previous project, so I connected to that over SSH and was able to flip the toggle switch from inside my LAN.

 

Tried recreating it several times, and the problem persists. Happens when I hit the "Apply" button in the web interface. From another computer on the same LAN/Subnet/etc as my Unraid server, it stays active. From a remote computer connected to the VPN, Wireguard inactivates.

 

More info: Not running any reverse proxies, Wireguard's "Autostart" toggle switch is on (and persists), remote clients connect with "Remote Tunnelled Access"

 

Anybody else seen this behaviour? Any ideas?


Anybody have a solve for the following issue:

  • Domain name abc.com hosted in Cloudflare and dynamic dns updated automatically by the Cloudflare docker (Cloudflare Proxy = Enabled)
  • CNAME wg points to abc.com (Cloudflare Proxy = Enabled)
  • Anything coming in via abc.com goes through NGINX Proxy Manager docker and goes to the relevant application there (relevant for other domains)

Wireguard doesn't seem to work if I add Cloudflare Proxy = Enabled to the wg CNAME, however if I don't then it exposes the ip of the domain name (abc.com) which I'd rather keep proxied.

 

All my other services use a CNAME pointing to abc.com and proxied that works fine. But no luck with Wireguard.

6 hours ago, Mattyfaz said:

Anybody have a solve for the following issue:

  • Domain name abc.com hosted in Cloudflare and dynamic dns updated automatically by the Cloudflare docker (Cloudflare Proxy = Enabled)
  • CNAME wg points to abc.com (Cloudflare Proxy = Enabled)
  • Anything coming in via abc.com goes through NGINX Proxy Manager docker and goes to the relevant application there (relevant for other domains)

Wireguard doesn't seem to work if I add Cloudflare Proxy = Enabled to the wg CNAME, however if I don't then it exposes the ip of the domain name (abc.com) which I'd rather keep proxied.

 

All my other services use a CNAME pointing to abc.com and proxied that works fine. But no luck with Wireguard.

  

On 10/2/2020 at 3:44 AM, mishmash- said:

I found some replies here with users using cloudflare domains - and they are unproxied. Is this less secure than other methods? I guess the only thing happening is exposing your public IP via a sub domain. Are there other methods to get wireguard to work with a cloudflare proxy or otherwise? Apologies for my ignorance, I'm not super well versed in the world of networking.

 

The Cloudflare proxy is designed for http traffic, it does not know how to proxy other traffic such as WireGuard. You have to disable the Cloudflare proxy for WireGuard to function.

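A proxied (orange-cloud) Cloudflare record resolves to a Cloudflare edge address, so a WireGuard client sends its UDP handshakes to Cloudflare, which terminates HTTP(S) only and never passes them on; the home server sees nothing, exactly as in the two reports above. (Cloudflare's separate Spectrum product can proxy other TCP/UDP services, but that is not the standard proxy toggle.) The Python below is an added example, not Cloudflare's or Unraid's code, that tells from a resolved address whether a WireGuard endpoint name is still behind the proxy. The address ranges are Cloudflare's published IPv4 list as known to the author at the time of writing (https://www.cloudflare.com/ips-v4) and should be re-checked; the hostname and the addresses used in the check are constructed.

```python
"""Added example: detect a WireGuard endpoint name that is still Cloudflare-proxied.
Ranges from https://www.cloudflare.com/ips-v4 as known at time of writing (assumption:
verify against the current list). Hostnames/addresses in the checks are constructed."""
import ipaddress
import socket

CLOUDFLARE_V4 = [ipaddress.ip_network(n) for n in (
    "173.245.48.0/20", "103.21.244.0/22", "103.22.200.0/22", "103.31.4.0/22",
    "141.101.64.0/18", "108.162.192.0/18", "190.93.240.0/20", "188.114.96.0/20",
    "197.234.240.0/22", "198.41.128.0/17", "162.158.0.0/15", "104.16.0.0/13",
    "104.24.0.0/14", "172.64.0.0/13", "131.0.72.0/22",
)]


def is_cloudflare_edge(ip):
    """True if `ip` falls inside one of Cloudflare's published edge ranges."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in CLOUDFLARE_V4)


def check_endpoint(endpoint, resolve=socket.gethostbyname):
    """`endpoint` is 'host:port' as written on a [Peer] Endpoint line.
    `resolve` is injectable so the check can run offline against constructed answers."""
    host, sep, port = endpoint.rpartition(":")
    if not sep:                       # bare hostname: assume WireGuard's usual port
        host, port = endpoint, "51820"
    ip = resolve(host)
    if is_cloudflare_edge(ip):
        advice = (f"{host} resolves to Cloudflare edge {ip}; UDP/{port} will never "
                  f"reach your router. Set this record to DNS only (grey cloud).")
        return {"host": host, "ip": ip, "proxied": True, "advice": advice}
    advice = f"{host} resolves directly to {ip}; WireGuard can reach UDP/{port} there."
    return {"host": host, "ip": ip, "proxied": False, "advice": advice}


if __name__ == "__main__":
    # Real check against live DNS for a name you own, e.g.:
    #   print(check_endpoint("wg.abc.com:51820")["advice"])
    print(check_endpoint("wg.example.test:51820", resolve=lambda h: "104.16.1.1")["advice"])
```

On the exposure question raised earlier in the thread: a DNS-only record for the WireGuard name does reveal the home IP to anyone who looks that name up, while the other, proxied names keep hiding it. The remaining surface is small, because WireGuard does not answer packets that fail authentication, so a scanner probing the exposed address sees no open UDP port there.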
On 9/12/2020 at 2:25 AM, deusxanime said:

I noticed a possible bug/issue with WireGuard on unRAID. I have a docker container that runs on a custom network and I needed it to talk to a container on bridge so I went into docker settings and enabled "Host access to custom networks". After doing so (and all the required stop/start/reboot), the containers could talk on the network and I thought all was well.

 

Later that week I tried to use my WG VPN tunnel access (LAN access and tunnel through server to my home internet WAN) on my laptop and phone, which I'd used previously and worked great then, since I was on an untrusted Wifi network. After connecting, I was able to access LAN resources on the unRAID server, but could not get the WG client systems to go out to the internet when I had WG turned on on them. I thought back to what had changed and all I could think of was the setting above. So today, since I had to restart unRAID to add a disk, I disabled that setting to test it out and after restarting I tried WG tunnel access and lo and behold it is working again! I can get to LAN resources as well as out to the WAN/internet while connected to WG on the clients.

 

So it seems like something with enabling the "Host access to custom networks" setting breaks WG's ability to allow VPN clients to tunnel through it and use the WAN while connected.

 

I am having this exact same issue. Prior to enabling "Host access to custom networks" WireGuard worked perfectly for over a year. Since I made this change it no longer works.


WireGuard is much faster than OpenVPN, I think. The problem I face now is how to set up a static gateway for those remote access users? I have no idea at all. Can anyone help?

