WireGuard quickstart


ljm42


I am trying to configure WireGuard on my unRAID server (v6.8.3) for "remote tunneled access". When I connect to my tunnel using the WireGuard Android app (v1.0.20200927) from my OnePlus 7 Pro (OxygenOS 10.0.9), I can access the unRAID web GUI (and docker containers) by IP only (no name resolution) but I cannot access any other devices on my network.

 

Tunnel settings:
    Local tunnel network pool: 10.253.0.0/24
    Local tunnel address: 10.253.0.1
    Local endpoint: vpn.mydomain.com:51820
    Local server uses NAT: Yes

 

Peer settings:
    Peer type of access: Remote tunneled access
    Peer tunnel address: 10.253.0.2
    Peer allowed IPs: 10.253.0.2
    Peer DNS server: 192.168.1.1

 

I forwarded port 51820/UDP to 192.168.1.5 (my unRAID server IP) on my pfSense router (IP: 192.168.1.1), which also acts as my DNS server.

 

I have my domain hosted with Cloudflare and have configured the vpn.mydomain.com subdomain to point to my public IP address with proxy disabled.

 

I would like to be able to access all my network devices through this WireGuard tunnel. What am I doing wrong?

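WireGuard has no routing table of its own: each [Peer]'s AllowedIPs is both the source filter for what that peer may send and the list of destinations that get sent to it ("cryptokey routing"). That is why the server-side "Peer allowed IPs: 10.253.0.2" above is correct, and why the client's AllowedIPs is what distinguishes the plugin's three access types. The Python below is an added example, not code from the thread or from the Unraid plugin; it parses both ends of a tunnel (configs constructed from the addresses in the post, with placeholder keys) and flags the mismatches that make a tunnel handshake fine but pass no traffic, including a LAN DNS server that is not itself inside AllowedIPs.

```python
import ipaddress

# Constructed from the addresses in the post above; the key strings are placeholders,
# not real WireGuard keys.  Server side, as the Unraid plugin would write it:
SERVER_CONF = """
[Interface]
Address = 10.253.0.1/24
ListenPort = 51820
PrivateKey = <server-private-key>

[Peer]
# OnePlus 7 Pro, "Remote tunneled access"
PublicKey = <phone-public-key>
AllowedIPs = 10.253.0.2/32
"""

# Client side, as the phone imports it from the QR code:
CLIENT_CONF = """
[Interface]
Address = 10.253.0.2/32
PrivateKey = <phone-private-key>
DNS = 192.168.1.1

[Peer]
PublicKey = <server-public-key>
Endpoint = vpn.mydomain.com:51820
AllowedIPs = 0.0.0.0/0
"""

LAN = ipaddress.ip_network("192.168.1.0/24")   # the pfSense LAN from the post


def parse_conf(text):
    """Minimal wg-quick style INI parser: one [Interface], any number of [Peer]s."""
    conf = {"Interface": {}, "Peer": []}
    section = None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()       # drop comments and blank lines
        if not line:
            continue
        if line.startswith("[") and line.endswith("]"):
            name = line[1:-1]
            if name == "Peer":
                section = {}
                conf["Peer"].append(section)
            else:
                section = conf.setdefault(name, {})
            continue
        key, _, value = line.partition("=")
        section[key.strip()] = value.strip()
    return conf


def cidrs(value):
    """'10.253.0.0/24, 192.168.1.0/24' -> list of ip_network objects."""
    return [ipaddress.ip_network(c.strip(), strict=False)
            for c in value.split(",") if c.strip()]


def covers(nets, target):
    """True if some network in nets contains the network (or /32 host) target."""
    return any(n.version == target.version and target.subnet_of(n) for n in nets)


def check_tunnel(server_text, client_text, lan=LAN):
    """Return (access type the client's AllowedIPs actually grant, list of findings).
    An empty findings list means the two ends agree."""
    srv, cli = parse_conf(server_text), parse_conf(client_text)
    findings = []
    srv_ip = ipaddress.ip_interface(srv["Interface"]["Address"]).ip
    cli_ip = ipaddress.ip_interface(cli["Interface"]["Address"]).ip
    cli_allowed = cidrs(cli["Peer"][0]["AllowedIPs"])
    peer_allowed = [cidrs(p["AllowedIPs"]) for p in srv["Peer"]]

    # Server: the client's tunnel address must sit inside some peer's AllowedIPs, or the
    # server completes the handshake and then silently drops every packet the client sends.
    if not any(covers(nets, ipaddress.ip_network(cli_ip)) for nets in peer_allowed):
        findings.append(f"server: no [Peer] AllowedIPs covers client address {cli_ip}")

    # Server: AllowedIPs is a routing table keyed by public key, so a prefix may belong
    # to one peer only; a second peer claiming it takes it over and the first goes dark.
    owner = {}
    for peer, nets in zip(srv["Peer"], peer_allowed):
        for n in nets:
            if n in owner:
                findings.append(f"server: {n} is assigned to two peers")
            owner[n] = peer["PublicKey"]

    # Client: the server's own tunnel address has to be routed into the tunnel.
    if not covers(cli_allowed, ipaddress.ip_network(srv_ip)):
        findings.append(f"client: AllowedIPs does not include server address {srv_ip}")

    # Client: what the AllowedIPs amount to, in the plugin's terms.
    if any(n.prefixlen == 0 for n in cli_allowed):
        mode = "Remote tunneled access"          # 0.0.0.0/0: everything via the tunnel
    elif covers(cli_allowed, lan):
        mode = "Remote access to LAN"            # tunnel subnet plus the LAN behind it
    else:
        mode = "Remote access to server"         # the server's tunnel address only

    # Client: a LAN resolver is only reachable if it is itself inside AllowedIPs.
    for d in cli["Interface"].get("DNS", "").split(","):
        d = d.strip()
        if d and not covers(cli_allowed, ipaddress.ip_network(d)):
            findings.append(f"client: DNS {d} is outside AllowedIPs, names will not resolve over the tunnel")
    return mode, findings


if __name__ == "__main__":
    mode, findings = check_tunnel(SERVER_CONF, CLIENT_CONF)
    print(mode, findings or "no findings")
```

For the configuration in the post the checker reports "Remote tunneled access" with no findings; switching the client to AllowedIPs = 10.253.0.1/32 ("Remote access to server") makes it point out that the pfSense resolver at 192.168.1.1 is then unreachable, which is the "by IP only" symptom described above.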
20 hours ago, r0zzy5 said:

I am trying to configure WireGuard on my unRAID server (v6.8.3) for "remote tunneled access". When I connect to my tunnel using the WireGuard Android app (v1.0.20200927) from my OnePlus 7 Pro (OxygenOS 10.0.9), I can access the unRAID web GUI (and docker containers) by IP only (no name resolution) but I cannot access any other devices on my network.

Turns out I had "host access to custom networks" enabled in my docker settings. I don't think I actually need this, so I disabled it and now everything seems to be working correctly. I can access all my machines over WireGuard and the local DNS resolution from pfSense is also working over WireGuard.

16 hours ago, r0zzy5 said:

Turns out I had "host access to custom networks" enabled in my docker settings. I don't think I actually need this, so I disabled it and now everything seems to be working correctly. I can access all my machines over WireGuard and the local DNS resolution from pfSense is also working over WireGuard.

Glad you were able to figure it out. Myself and some others have run into similar problems with that setting enabled. Has anyone acknowledged it even yet?

7 hours ago, Turnspit said:

Using "Server to Server access", is it also possible to reach the WireGuard client from the network behind the WireGuard server, having set up a corresponding static route in the router of the LAN?

See this guide for setting up LAN to LAN access:

 

 


Hi ljm, thanks for your response! 🙂

The thing is that I don't want to connect the whole two LANs with one another.

Basically the Home Unraid server just needs to reach my Remote Unraid server for daily backups, but I also want my Home LAN to reach the "Remote Unraid" server for config and monitoring and stuff, without the Remote LAN having access to my home LAN.

 

At the moment I'm using two Windows 10 servers connected via OpenVPN for this task, and this works exactly as I wish. No need to open any ports at the remote location, and no access of any device at the remote location to my LAN. Sadly, the OpenVPN clients on Unraid are a huge pain and none of them connect correctly, which is why I thought WireGuard might be my solution here.

 

From what I can see, the closest config for my needs would be "Remote access to LAN", where my Remote Unraid server would be able to see my Home Unraid server as well as my Home LAN. Would just setting up a static route in my home router to the Wireguard network be the solution, or does Wireguard block the routing from other networks into the VPN network in this configuration?

Edited by Turnspit
  • 3 weeks later...

Hello everyone, I've been trying to set up WireGuard for two days now and I'm still struggling with the "Complex Networks" part.

When I use NAT option enabled and "Remote access to LAN", everything works as expected. I can reach physical devices on the local network without any issues (and can't reach docker containers on br0).

When I set NAT option to 'No' and define static routing on my router, things do not go that well:

 

With this routing I can access the server and the router through the VPN, but any other physical device is not accessible. When this entry is disabled I can access only the server.


And as for now I have the "Host access to custom networks" option disabled.

Am I missing something? Maybe I do not understand something and it should work that way :D 


I successfully set this up but I have a couple questions:

 

1) Is there a way to access file shares from an android phone? 

 

2) How do I view the shares on unRAID from Windows when connected over WireGuard? I can navigate to different containers, the unRAID WebUI, etc. from my Windows laptop using the IP addresses, but no network devices show up in the "Network" window. So how do I view the shares on unRAID from Windows when connected over WireGuard?

 

 

Edited by adminmat
8 hours ago, adminmat said:

How do I view the shares on unRAID from Windows when connected over WireGuard?

You should be able to use the unRAID server IP and share name directly. E.g. you can type \\<unRAID IP>\<Share name> in Windows Explorer.

Or map a network drive for easier access.

10 hours ago, MoWer said:

You should be able to use the unRAID server IP and share name directly. E.g. you can type \\<unRAID IP>\<Share name> in Windows Explorer.

Or map a network drive for easier access.

Yep, this helped me. Thanks.

I'm now able to connect to the shares remotely and move files. I can ping everything on the network remotely except strangely for one Windows 10 PC. It's set up to allow for Echo Request - ICMPv4-In. So I can't figure out why. I can ping that PC from other devices on the same Local network. Just not through Wireguard and my phone's hotspot. 

  • 2 weeks later...

Hi, I have been routing some of my dockers via a custom WireGuard network.

I got the idea from nickb.dev and Reddit.

 

The way I have it starting up is via the go file.

I did install resolvconf from slackware.pkgs.org. You can also just use the --dns= flag on the docker containers.

# Create the WireGuard interface and load keys/peers from the config
ip link add dev vpnac-us19 type wireguard
wg setconf vpnac-us19 /etc/wireguard/vpnac-us19.conf
# Tunnel address of this host (no prefix given, so the kernel treats it as /32)
ip address add 10.11.2.55 dev vpnac-us19
ip link set up dev vpnac-us19
# Push the VPN provider's resolver into /etc/resolv.conf (needs the resolvconf package)
printf 'nameserver %s\n' 10.11.0.1 | resolvconf -a tun.vpnac-us19 -m 0 -x
# Loose reverse-path filtering, so the strict check does not drop tunnel packets
# whose return route lives in table 200 rather than in main
sysctl -w net.ipv4.conf.all.rp_filter=2
# Policy routing: traffic sourced from the Docker network is looked up in table 200 ...
ip rule add from 172.18.0.0/16 table 200
# ... whose preferred default route points into the tunnel
ip route add default via 10.11.2.55 metric 2 table 200
# Consult the main table first for everything except its default route, so the
# containers still reach the LAN and each other directly
ip rule add table main suppress_prefixlength 0
# Kill switch: when the tunnel goes down its metric-2 route vanishes with it and
# this blackhole becomes table 200's only default
ip route add blackhole default metric 3 table 200
# WireGuard's overhead on a 1500-byte uplink leaves 1420 bytes for the inner packet
ip link set mtu 1420 up dev vpnac-us19

Everything seems to work I can access the web ui of the containers.

If I manually bring down the link with

ip link del dev vpnac-us19

the containers get null-routed via:

ip route add blackhole default metric 3 table 200

 

I have been playing with a script from Reddit. If I run it manually it works. However, it does not seem to insert the DNS into the /etc/resolv.conf file. If I run the command manually it works.

printf 'nameserver %s\n' 10.11.0.1 | resolvconf -a tun.vpnac-us19 -m 0 -x 

I tried getting the script to run via the go file and User Scripts, but for some reason it would not work.

 

Here is the script I have been using.

#!/bin/bash
# Script to create a split tunnel WireGuard interface that will only tunnel a specific
# Docker network through WireGuard. All other traffic will not be vpn'ed. The script will
# create a boot configuration so the interface comes back online after reboots.
# It also creates the routes so that WebGUIs are still accessible from the LAN and the
# vpn'ed containers can still reach other docker containers.
# Usage wireguard <up|down|status>

## Set variables
# Name of the docker network to route through wireguard
# This network will be created if it does not exist using 10.30.0.0/16
DOCKER_NET_NAME="vpn-docker"
# Name of wireguard interface to create
DEV_NAME="vpnac-us19"
# Resolver to push into /etc/resolv.conf while the tunnel is up (the VPN provider's DNS)
VPN_DNS="10.11.0.1"
##########################################################################################
# Nothing to edit below this line

tecreset=$(tput sgr0)
COL="12G"

set_ok () { echo -e  -n "\\033[0G[ \E[0;32m  OK  $tecreset ] "; }
set_failed () { echo -e  -n "\\033[0G[ \E[0;31mFAILED$tecreset ] "; }
# Print the command at column $COL, then run it silently. Callers pass the command
# unquoted on purpose so that it is word-split into "$@".
echo_and_run () { echo -n -e "\\033[$COL$*" ; "$@" > /dev/null 2>&1; }

# Run $1 only if the pre-check executed immediately before the call failed.
# $? on entry is the exit status of that CHECK=`...` command substitution, which is
# why every caller assigns CHECK right before calling this.
while_check () {
RETVAL=$?
if [ $RETVAL -ne 0 ]; then
        set_failed; echo_and_run $1
        RETVAL=$?
        echo
        if [ $RETVAL -ne 0 ]; then
                set_failed; echo -e "\\033[$COL$CMD"
                return 1
        fi
fi
set_ok; echo -e "\\033[$COL$CMD"
}

# Run $1 unconditionally and report its real exit status. The script carries on so
# that the remaining (idempotent) steps are still applied.
if_check () {
CMD=$1
echo_and_run $1
RETVAL=$?
if [ $RETVAL -ne 0 ]; then
        set_failed; echo
        return 1
fi
set_ok; echo
}

# Compare the public IP seen from inside the Docker network with the host's own.
# With the tunnel down the container must not be able to reach the Internet at all.
vpn_check () {
VPNIP=`docker run --rm --net=$DOCKER_NET_NAME appropriate/curl -sS --max-time 10 https://api.ipify.org 2>&1`
IP=`curl -sS --max-time 10 https://api.ipify.org 2>/dev/null`
if [[ -z $VPNIP || $VPNIP == *"Could not resolve host"* || $VPNIP == *"curl:"* ]]; then
	set_ok; echo "Not Connected to Endpoint: Blackhole active"
elif [[ $VPNIP == "$IP" ]]; then
	set_failed; echo "Not Connected to Endpoint: Blackhole NOT active!"
else
	set_ok; echo "Connected: containers exit via $VPNIP (endpoint $ENDPOINT_IP)"
fi
}

# Subnet of the Docker network; empty until the network exists, so read it on demand
docker_net () {
docker network inspect $DOCKER_NET_NAME 2>/dev/null | grep Subnet | awk '{print $2}' | sed 's/[",]//g'
}

# check module is installed (lsmod only lists loadable modules)
if ! lsmod | grep -qw wireguard; then
        set_failed; echo -e "WireGuard Module Not Installed."
        exit 1
fi
set_ok; echo -e "\\033[$COL WireGuard Module Installed"

# check for conf file
if [ ! -f "/etc/wireguard/$DEV_NAME.conf" ]; then
	set_failed; echo -e "\\033[$COL/etc/wireguard/$DEV_NAME.conf"
	exit 1
fi
set_ok; echo -e "\\033[$COL/etc/wireguard/$DEV_NAME.conf"

# Get IP addresses needed from the conf file (the Address line may be commented out,
# since wg setconf does not accept wg-quick keys such as Address or DNS)
INTERFACE_IP=`grep Address /etc/wireguard/$DEV_NAME.conf | awk '{print $3}' | cut -d/ -f1`
ENDPOINT_IP=`grep Endpoint /etc/wireguard/$DEV_NAME.conf | awk '{print $3}' | cut -d: -f1`

up (){
# add wireguard interface
CMD="ip link add $DEV_NAME type wireguard"
if_check "$CMD"

# set wireguard conf (keys, peers, endpoint)
CMD="wg setconf $DEV_NAME /etc/wireguard/$DEV_NAME.conf"
if_check "$CMD"

# assign ip to wireguard interface
CMD="ip addr add $INTERFACE_IP dev $DEV_NAME"
if_check "$CMD"

# set sysctl: loose reverse-path filtering, otherwise the strict check can drop tunnel
# packets whose return route lives in table 200
CMD="sysctl -w net.ipv4.conf.all.rp_filter=2"
CHECK=`sysctl -n net.ipv4.conf.all.rp_filter | grep -qx 2`
while_check "$CMD"

# set mtu for wireguard interface and bring it up
CMD="ip link set mtu 1420 up dev $DEV_NAME"
if_check "$CMD"

# create docker network (only the first time)
CMD="docker network create $DOCKER_NET_NAME --subnet 10.30.0.0/16 -o com.docker.network.driver.mtu=1420"
CHECK=`docker network inspect $DOCKER_NET_NAME > /dev/null 2>&1`
while_check "$CMD"
DOCKER_NET=$(docker_net)

# add table 200: traffic sourced from the docker network is routed by table 200
CMD="ip rule add from $DOCKER_NET table 200"
CHECK=`ip rule show | grep -w "lookup 200"`
while_check "$CMD"

# add blackhole: the kill switch that takes over when the tunnel route disappears
CMD="ip route add blackhole default metric 3 table 200"
CHECK=`ip route show table 200 | grep -w "blackhole"`
while_check "$CMD"

# add default route for table 200 into the tunnel (metric 2 beats the blackhole's 3)
CMD="ip route add default via $INTERFACE_IP metric 2 table 200"
CHECK=`ip route show table 200 | grep -w $INTERFACE_IP`
while_check "$CMD"

# add local lan route: consult main first for everything except its default route, so
# containers still reach the LAN and other containers directly
CMD="ip rule add table main suppress_prefixlength 0"
CHECK=`ip rule show | grep -w "suppress_prefixlength"`
while_check "$CMD"

# add dns: a pipeline cannot be passed through echo_and_run, so run it directly
CMD="printf 'nameserver %s\n' $VPN_DNS | resolvconf -a tun.$DEV_NAME -m 0 -x"
if printf 'nameserver %s\n' "$VPN_DNS" | resolvconf -a "tun.$DEV_NAME" -m 0 -x > /dev/null 2>&1; then
        set_ok; echo -e "\\033[$COL$CMD"
else
        set_failed; echo -e "\\033[$COL$CMD"
fi

# check vpn ip
vpn_check
}

down (){
# del wireguard interface: every route through it vanishes, leaving the blackhole
CMD="ip link del $DEV_NAME"
if_check "$CMD"

# drop the tunnel resolver from /etc/resolv.conf again
resolvconf -d "tun.$DEV_NAME" > /dev/null 2>&1

# check table 200 and blackhole are still there so the containers stay null-routed
DOCKER_NET=$(docker_net)
CMD="ip rule add from $DOCKER_NET table 200"
CHECK=`ip rule show | grep -w "lookup 200"`
while_check "$CMD"

CMD="ip route add blackhole default metric 3 table 200"
CHECK=`ip route show table 200 | grep -w "blackhole"`
while_check "$CMD"

# check to make sure blackhole is active
vpn_check
}

status(){
# tunnel state (wg show prints the latest handshake and transfer counters)
wg show $DEV_NAME 2>/dev/null || echo "$DEV_NAME is down"

# check blackhole
CMD="ip route add blackhole default metric 3 table 200"
CHECK=`ip route show table 200 | grep -w "blackhole"`
while_check "$CMD"

# check to make sure blackhole is active
vpn_check
}


command="$1"
shift

case "$command" in
    up) up "$@" ;;
    down) down "$@" ;;
    status) status "$@" ;;
    *) echo "Usage: $0 up|down|status" >&2; exit 1 ;;
esac

Does anyone know a better way to have it run?

 

 

 

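The `ip rule` / `ip route` commands in the go file above implement the kill switch with ordinary Linux policy routing, and the interplay between `suppress_prefixlength 0`, the two default routes in table 200 and what the kernel does when the link is deleted is easy to get wrong. The following Python is an added example, not the poster's code and not the nickb.dev or Reddit script: it models just enough of the Linux FIB (rules in priority order, longest-prefix match with metric tie-break, routes disappearing with their device) to replay those commands and show where a packet goes with the tunnel up and down. The interface names br0 and br-vpn, the LAN 192.168.1.0/24 with gateway 192.168.1.1 and the Docker subnet 172.18.0.0/16 sitting on br-vpn are assumptions.

```python
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass
class Route:
    prefix: ipaddress.IPv4Network
    dev: Optional[str] = None      # None for a blackhole, which has no device
    via: Optional[str] = None
    metric: int = 0
    blackhole: bool = False


@dataclass
class Rule:
    table: str                                   # "main" or "200"
    src: Optional[ipaddress.IPv4Network] = None  # the `from` selector; None means all
    suppress_prefixlength: Optional[int] = None


class Fib:
    """Just enough of the Linux FIB to replay `ip rule` / `ip route` commands."""

    def __init__(self):
        self.tables: Dict[str, List[Route]] = {"main": []}
        self.rules: List[Rule] = []   # evaluation order, lowest priority number first

    def route_add(self, table, prefix, dev=None, via=None, metric=0, blackhole=False):
        self.tables.setdefault(table, []).append(
            Route(ipaddress.ip_network(prefix), dev, via, metric, blackhole))

    def rule_add(self, table, src=None, suppress_prefixlength=None):
        # `ip rule add` without `priority` gets one less than the lowest priority already
        # present after the local rule, so the rule added last is evaluated first:
        # model that by prepending.
        self.rules.insert(0, Rule(table, ipaddress.ip_network(src) if src else None,
                                  suppress_prefixlength))

    def link_del(self, dev):
        # Deleting a device deletes every route through it, in every table.  The
        # blackhole has no device, so it survives and becomes table 200's only default.
        for routes in self.tables.values():
            routes[:] = [r for r in routes if r.dev != dev]

    def _lookup_table(self, table, dst):
        hits = [r for r in self.tables.get(table, []) if dst in r.prefix]
        if not hits:
            return None
        return min(hits, key=lambda r: (-r.prefix.prefixlen, r.metric))  # LPM, then metric

    def lookup(self, src, dst):
        """Return how a packet from src to dst leaves the host."""
        s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
        for rule in self.rules + [Rule("main")]:   # the built-in 32766 'lookup main'
            if rule.src is not None and s not in rule.src:
                continue
            route = self._lookup_table(rule.table, d)
            if route is None:
                continue
            if (rule.suppress_prefixlength is not None
                    and route.prefix.prefixlen <= rule.suppress_prefixlength):
                continue   # suppressed: behave as if this table had no answer
            if route.blackhole:
                return "blackhole"
            return f"dev {route.dev}" + (f" via {route.via}" if route.via else "")
        return "unreachable"


def build_fib(wg_up=True):
    """Replay the go file.  br0, br-vpn and the 192.168.1.1 gateway are assumed."""
    fib = Fib()
    # what the kernel puts in main when the interfaces come up
    fib.route_add("main", "0.0.0.0/0", dev="br0", via="192.168.1.1")
    fib.route_add("main", "192.168.1.0/24", dev="br0")
    fib.route_add("main", "172.18.0.0/16", dev="br-vpn")        # the Docker network
    fib.route_add("main", "10.11.2.55/32", dev="vpnac-us19")    # ip address add 10.11.2.55 dev vpnac-us19
    fib.rule_add("200", src="172.18.0.0/16")                     # ip rule add from 172.18.0.0/16 table 200
    fib.route_add("200", "0.0.0.0/0", dev="vpnac-us19", via="10.11.2.55", metric=2)  # ip route add default via 10.11.2.55 metric 2 table 200
    fib.rule_add("main", suppress_prefixlength=0)                # ip rule add table main suppress_prefixlength 0
    fib.route_add("200", "0.0.0.0/0", metric=3, blackhole=True)  # ip route add blackhole default metric 3 table 200
    if not wg_up:
        fib.link_del("vpnac-us19")                               # ip link del dev vpnac-us19
    return fib


if __name__ == "__main__":
    for state, fib in (("tunnel up", build_fib(True)), ("tunnel down", build_fib(False))):
        print(state)
        for src, dst in (("172.18.0.5", "1.1.1.1"), ("172.18.0.5", "192.168.1.50"),
                         ("172.18.0.5", "172.18.0.9"), ("192.168.1.5", "1.1.1.1")):
            print(f"  {src:>12} -> {dst:<14} {fib.lookup(src, dst)}")
```

With the tunnel up, a container reaches the Internet through vpnac-us19 but the LAN and other containers directly, and the host itself is untouched; with `ip link del` the metric-2 route goes with the device and the same container gets the blackhole. Since the rule priorities come from the order the commands run, give the rules explicit `priority` values if the script is ever reordered.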

I'm trying to set up WireGuard on my unRAID server, with the most basic access to get things debugged, and I am stuck. I am using a "Remote Access to Server" peer definition (screenshot of unRAID GUI settings attached). I am using my Android phone as the peer connection (with wifi disabled), and used the QR capture method to create the tunnel configuration on the phone. When I attempt to connect to the local numeric IP of the unRAID server GUI on the phone, the browser is unable to connect. I have double and triple checked that the router is port forwarding to the correct local IP of the unRAID server, using UDP, and the port (51820) in the settings. Don't know what else to try, thanks in advance for any advice.


19 minutes ago, wmcneil said:

I'm trying to set up WireGuard on my unRAID server, with the most basic access to get things debugged, and I am stuck. I am using a "Remote Access to Server" peer definition (screenshot of unRAID GUI settings attached). I am using my Android phone as the peer connection (with wifi disabled), and used the QR capture method to create the tunnel configuration on the phone. When I attempt to connect to the local numeric IP of the unRAID server GUI on the phone, the browser is unable to connect. I have double and triple checked that the router is port forwarding to the correct local IP of the unRAID server, using UDP, and the port (51820) in the settings. Don't know what else to try, thanks in advance for any advice.

When I set mine up I forwarded a port in my router to the WireGuard port. I set "Local server uses NAT:" to No and followed this troubleshooting tip:

 

In the WireGuard config, set "Use NAT" to No

In your router, add a static route that lets your network access the WireGuard "Local tunnel network pool" through the IP address of your Unraid system. For instance, for the default pool of 10.253.0.0/24 you should add this static route:

Network: 10.253.0.0/24 (aka 10.253.0.0 with subnet 255.255.255.0)

Gateway: <IP address of your Unraid system>

On the Docker settings page, set "Host access to custom networks" to "Enabled". See this:
https://forums.unraid.net/topic/84229-dynamix-wireguard-vpn/page/8/?tab=comments#comment-808801

 

This is the only way I could get it to work. Maybe it was my router specifically causing the issue. 

 

I'm also using Remote Access to LAN, which works as you are hoping.

 

And if you make any changes to configurations on the server or WireGuard settings, then you have to delete the peer from your client (Android phone) and set it up again in the client by scanning the QR code again.

21 hours ago, adminmat said:

When I set mine up I forwarded a port in my router to the WireGuard port. I set "Local server uses NAT:" to No and followed this troubleshooting tip:

Thank you for the info. I tried disabling NAT, adding a static route as you suggest, and creating a new peer for my phone using the QR code method. Neither "Remote access to server" nor "Remote access to LAN" is working, and all I am trying to do is bring up the unRAID GUI using the local IP address of the unRAID server. I am out of things to try. I am going to have to give OpenVPN a try. Thanks again for posting the method that is working for you.

4 hours ago, wmcneil said:

Thank you for the info. I tried disabling NAT, adding a static route as you suggest, and creating a new peer for my phone using the QR code method.  Neither "Remote access to server" nor "remote access to LAN" is working, and all I am trying to do is bring up the unRAID GUI using the local IP address of the unRAID server.  I am out of things to try. I am going to have to give openVPN a try.  Thanks again for posting the method that is working for you. 

Maybe try a different phone? Or another remote client?

  • 3 weeks later...

I had WG working flawlessly until I had to do a server reboot and apparently it's now broken, no idea why

 

I can't get a handshake anymore, but I haven't changed anything on the router/tower, I have my IP updated thru duckdns

 

any clues? 😟

On 1/29/2021 at 8:51 PM, timmyx said:

I had WG working flawlessly until I had to do a server reboot and apparently it's now broken, no idea why

When you reboot, WireGuard gets switched to Inactive.

1 hour ago, timmyx said:

Thanks, but I thought the autostart:on option would make it automatic?

 

image.png.f15d1db7d3d48fcc6f5252cf4238f19c.png

That screenshot shows that WireGuard is active, so it did start up after the reboot.

 

Unfortunately, WireGuard fails silently so there are few clues as to where the problem lies.

 

The second post in this thread gives some specific things to look for but it may help to think about all the places the connection must pass through:

  • The client itself (WireGuard config, network config, DNS, local firewall, power savings mode)
  • The client's local LAN and router config (unless this is a mobile device on a data connection)
  • The client's Internet connection/ISP
  • The Internet between the client and server
  • The server's Internet connection/ISP
  • The server's local LAN and router config
  • The server itself (WireGuard config, network config)

Since this was working before, consider whether anything changed at any of those places.

If nothing clicks, try setting up a new WireGuard config.

On 1/11/2021 at 5:35 AM, wmcneil said:

all I am trying to do is bring up the unRAID GUI using the local IP address of the unRAID server.

What happens when you try accessing the webgui via IP address on the normal LAN? Does it redirect to another URL that requires name resolution? If so, the same thing will happen over WireGuard, so that final DNS url needs to resolve over the WireGuard connection too.

On 1/30/2021 at 11:08 PM, xupal said:

I am having trouble getting a handshake. When I go to https://www.canyouseeme.org/ and forward 80 to 8080 on my router, I can see port 8080 is open. When I forward 51820 to 51820 it does not seem to open. Is this my router or my ISP preventing me from doing this?

 

WireGuard is designed to fail silently, so an open port detector will not be able to tell that the port is open.

 

Based on what you have written I would just say to be sure you forwarded a UDP port, not a TCP port. Other than that all I can suggest is to re-read the first two posts for ideas and think about all of the places that the data needs to pass through (see my reply to timmyx a few posts back)

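Both of the last two answers turn on the same fact: WireGuard never replies to anything that is not a valid handshake, so a port scanner sees nothing and the kernel logs nothing. The evidence that does exist is the per-peer state `wg show <interface> dump` prints on the server (and the "Latest handshake" line in the Android app on the client): a peer that has never handshaked, one whose last handshake is stale although keepalives are on, and one that is merely idle look alike in a browser but not in that output. The Python below is an added example, not from the thread or the Unraid plugin; it parses the dump format (a constructed sample with placeholder keys and a fixed clock is embedded) and turns each peer into a diagnosis along the lines of the checklist above.

```python
import time
from dataclasses import dataclass

# WireGuard discards a session older than 180 s (REJECT_AFTER_TIME), so a tunnel that is
# carrying traffic always shows a handshake younger than this.
HANDSHAKE_FRESH_SECS = 180

NOW = 1612000000   # fixed "current time" so the constructed sample below is deterministic

# Constructed `wg show wg0 dump` output (tab separated).  Line 1 is the interface:
# private key, public key, listen port, fwmark.  Every further line is one peer:
# public key, preshared key, endpoint, allowed IPs, latest handshake (unix time),
# rx bytes, tx bytes, persistent keepalive.  Keys are placeholders.
SAMPLE_DUMP = "\n".join([
    "\t".join(["<server-private-key>", "<server-public-key>", "51820", "off"]),
    # healthy phone: handshake 42 s ago, bytes flowing both ways
    "\t".join(["<phone-key>", "(none)", "203.0.113.7:41641", "10.253.0.2/32",
               str(NOW - 42), "814372", "1208991", "off"]),
    # laptop that never completed a handshake; the server has not accepted a packet from it
    "\t".join(["<laptop-key>", "(none)", "(none)", "10.253.0.3/32", "0", "0", "0", "off"]),
    # site-to-site peer with keepalive 25 s whose last handshake is 20 min old
    "\t".join(["<remote-site-key>", "(none)", "198.51.100.9:51820", "10.253.0.4/32",
               str(NOW - 1200), "96020", "88412", "25"]),
    # tablet without keepalive that simply has not sent anything for 15 min
    "\t".join(["<tablet-key>", "(none)", "203.0.113.44:7831", "10.253.0.5/32",
               str(NOW - 900), "51200", "40960", "off"]),
])


@dataclass
class PeerStatus:
    pubkey: str
    status: str    # "ok", "never", "stale" or "idle"
    detail: str


def parse_dump(text):
    """Parse `wg show <iface> dump` into the listen port and a list of peer dicts."""
    lines = [l for l in text.splitlines() if l.strip()]
    iface = lines[0].split("\t")
    peers = []
    for line in lines[1:]:
        f = line.split("\t")
        peers.append({"pubkey": f[0], "endpoint": f[2], "allowed_ips": f[3],
                      "latest_handshake": int(f[4]), "rx": int(f[5]), "tx": int(f[6]),
                      "keepalive": f[7]})
    return {"listen_port": int(iface[2]), "peers": peers}


def assess(dump_text, now=None):
    """Classify every peer by handshake age: the clues WireGuard does give you."""
    now = int(time.time()) if now is None else now
    report = []
    for p in parse_dump(dump_text)["peers"]:
        if p["latest_handshake"] == 0:
            if p["endpoint"] == "(none)":
                detail = ("no packet from this peer has ever been accepted: check the UDP port "
                          "forward, the endpoint name/IP and that the client has this server's public key")
            else:
                detail = ("an endpoint is configured but no handshake ever completed: check the "
                          "public keys on both sides and that the UDP port is reachable")
            report.append(PeerStatus(p["pubkey"], "never", detail))
            continue
        age = now - p["latest_handshake"]
        if age <= HANDSHAKE_FRESH_SECS:
            report.append(PeerStatus(p["pubkey"], "ok",
                                     f"handshake {age}s ago, rx={p['rx']} tx={p['tx']}"))
        elif p["keepalive"] != "off":
            # keepalives would have forced a re-handshake if the path still worked
            report.append(PeerStatus(p["pubkey"], "stale",
                                     f"last handshake {age}s ago although keepalive is {p['keepalive']}s: "
                                     "peer is down or the path to it broke"))
        else:
            # WireGuard is silent when idle: no data, no handshake, and that is not an error
            report.append(PeerStatus(p["pubkey"], "idle",
                                     f"last handshake {age}s ago and no keepalive: send a ping "
                                     "through the tunnel and look again"))
    return report


if __name__ == "__main__":
    for s in assess(SAMPLE_DUMP, NOW):
        print(f"{s.status:5} {s.pubkey:20} {s.detail}")
```

Run it against real output with `wg show <interface> dump | python3 wgcheck.py` after replacing the sample with `sys.stdin.read()`; the interesting case for the two posts above is "never" with endpoint `(none)`, which means the server has not accepted a single packet from that client, so the problem is in front of the server (UDP forward, DNS name, wrong key), not in its routing.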
