WireGuard quickstart


ljm42


I spoke to LJM42 about this a bit in my other thread but I figured I'd post in the proper thread for help as it still isn't working correctly...

 

I have server to server setup for doing backup and sync activities between two remote unraid servers. My problem lies in that for some strange reason I can only ever start the tunnel from one side of the connection despite my setup being identical (from what I can tell).

 

I've already tried completely deleting the tunnel on both ends and re-creating them.

 

VOID and NODE are both WG1 on their respective servers and have all the properly defined endpoints (see screenshots below).

 

[screenshots: VOID2NODE, NODE2VOID]

 

VOID sits behind a PFSENSE box with a 2 port UDP range (51820-51821) forwarded for my two tunnels. I can always start the tunnel (WG1) from VOID.

 

NODE sits behind a Zyxel USG110 with the same 2 port UDP range forwarded. I can never start the tunnel (WG1) from NODE.

Once I send a ping from VOID to NODE, then and only then can NODE start talking to VOID.

 

In pfsense when I am attempting to ping from NODE to VOID I am seeing blocked connections in the firewall originating from NODE's endpoint IP/port and coming to VOID but NOT on my forwarded ports so they are getting denied.

 

I assume this is why I can't start the tunnel from the other side but why is it not respecting the set port? Do I just not understand how the ping function works? 

[screenshot: failed_pings]

 

Edited by weirdcrap

Oh bummer, I thought we got that working.

 

3 hours ago, weirdcrap said:

Do I just not understand how the ping function works? 

The ping function on NODE just calls "ping 10.253.1.2". Traffic to that IP triggers WireGuard on NODE to try and open a tunnel to VOID. Once the tunnel is open then the ping command travels over it.

 

So pfsense isn't blocking the ping, it is blocking the incoming WireGuard request from NODE. The fact that you can see the traffic being blocked means DDNS is correct at least. I would say there is an issue with the port forward on pfsense.

1 hour ago, ljm42 said:

Oh bummer, I thought we got that working.

 

The ping function on NODE just calls "ping 10.253.1.2". Traffic to that IP triggers WireGuard on NODE to try and open a tunnel to VOID. Once the tunnel is open then the ping command travels over it.

 

So pfsense isn't blocking the ping, it is blocking the incoming WireGuard request from NODE. The fact that you can see the traffic being blocked means DDNS is correct at least. I would say there is an issue with the port forward on pfsense.

Yeah I thought so as well, I guess i didn't wait long enough for the tunnel to close.

 

I don't get why WireGuard isn't using the ports I defined in the interface to communicate with the endpoints? My port forwards are for 51820 and 51821, but for whatever reason it's trying to hit random ports like 49997, 26608, 10757, etc.

 

It feels like I'm missing something really obvious that I've blatantly misconfigured, but I can't figure out what it is.

 

Source is on the left, which is me on NODE trying to ping VOID.

 

Destination is on the right which appears to be NODE trying random ports that the firewall is blocking because those aren't my forwarded ports.

 

[two screenshots]

Edited by weirdcrap
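WireGuard writes no log of a failed handshake, so the closest thing to one is `wg show wg1 dump`: one tab-separated line for the interface and one per peer with the last-seen endpoint, the time of the latest handshake and the byte counters. The script below, an added example for this thread and not part of the Unraid plugin, parses that output and flags the conditions behind the symptoms above: no handshake at all, a handshake older than the protocol's 180-second session limit, traffic sent with nothing coming back, and a peer endpoint whose port no longer matches the forwarded one. That last check matters because the kernel replaces a peer's endpoint with the source address and port of the most recent authenticated packet from it; if VOID's router rewrites source ports on outbound traffic (pfSense does this by default unless Static Port is set on the outbound NAT rule), NODE learns a random port the moment VOID initiates, and its own later initiations go to that port, which nothing forwards. The dump text, keys and the 203.0.113.10 address are constructed placeholders; the script assumes both sides listen on the same UDP port, as in this thread.

```python
"""Diagnose a WireGuard interface from `wg show <iface> dump` output.

Added example for this thread; it is not part of the Unraid WireGuard plugin.
The dump text below is constructed to resemble NODE's wg1 with VOID as a peer;
keys are placeholders and 203.0.113.10 is a documentation address.
"""
import sys
import time

# Timers from the WireGuard protocol, in seconds: a session is rekeyed after
# 120 s and discarded after 180 s, so an older handshake means no live session.
REKEY_AFTER_TIME = 120
REJECT_AFTER_TIME = 180

SAMPLE_NOW = 1_700_000_000  # fixed clock so the constructed sample is deterministic
SAMPLE_DUMP = "\n".join([
    # interface line: private key, public key, listen port, fwmark
    "\t".join(["NODE_PRIVATE_KEY_PLACEHOLDER=", "NODE_PUBLIC_KEY_PLACEHOLDER=",
               "51820", "off"]),
    # peer VOID: last handshake 10 minutes ago, endpoint port has drifted to 49997
    "\t".join(["VOID_PUBLIC_KEY_PLACEHOLDER=", "(none)", "203.0.113.10:49997",
               "10.253.1.2/32", str(SAMPLE_NOW - 600), "4096", "2048", "off"]),
    # peer phone: never handshaked, so the kernel has no endpoint for it yet
    "\t".join(["PHONE_PUBLIC_KEY_PLACEHOLDER=", "(none)", "(none)",
               "10.253.1.3/32", "0", "0", "0", "off"]),
])


def parse_dump(text):
    """Parse the tab-separated `wg show <iface> dump` format into (interface, peers)."""
    lines = [ln for ln in text.strip().splitlines() if ln.strip()]
    _priv, pub, listen_port, fwmark = lines[0].split("\t")
    iface = {"public_key": pub, "listen_port": int(listen_port), "fwmark": fwmark}
    peers = []
    for ln in lines[1:]:
        pub, psk, endpoint, allowed, hs, rx, tx, keepalive = ln.split("\t")
        peers.append({
            "public_key": pub,
            "preshared": psk != "(none)",
            "endpoint": None if endpoint == "(none)" else endpoint,
            "allowed_ips": allowed.split(","),
            "latest_handshake": int(hs),  # unix time; 0 means never
            "rx": int(rx),
            "tx": int(tx),
            "keepalive": None if keepalive == "off" else int(keepalive),
        })
    return iface, peers


def endpoint_port(endpoint):
    """Split 'host:port' or '[v6addr]:port' on the last colon."""
    host, _, port = endpoint.rpartition(":")
    return host, int(port)


def diagnose(iface, peers, forwarded_port, now=None):
    """Return finding tuples describing why a tunnel may not be coming up.

    forwarded_port is the UDP port forwarded on both routers (assumed equal on
    both sides). The kernel overwrites a peer's endpoint with the source of the
    last authenticated packet, so a drifted port means that peer's router
    rewrote its source port on the way out.
    """
    now = time.time() if now is None else now
    findings = []
    if iface["listen_port"] != forwarded_port:
        findings.append(("listen_port_mismatch", iface["listen_port"]))
    for p in peers:
        key = p["public_key"]
        if p["latest_handshake"] == 0:
            findings.append(("no_handshake", key))
        else:
            age = int(now - p["latest_handshake"])
            if age > REJECT_AFTER_TIME:
                findings.append(("stale_handshake", key, age))
        if p["endpoint"] is not None:
            _host, port = endpoint_port(p["endpoint"])
            if port != forwarded_port:
                findings.append(("endpoint_port_drift", key, port))
        if p["tx"] > 0 and p["rx"] == 0:
            findings.append(("send_only", key))   # we transmit, nothing comes back
        if p["keepalive"] is None:
            findings.append(("no_keepalive", key))  # NAT mapping can expire between handshakes
    return findings


def main(argv):
    """Usage: wg show wg1 dump | python wgdiag.py 51820   (no stdin: runs the sample)"""
    port = int(argv[1]) if len(argv) > 1 else 51820
    if sys.stdin.isatty():
        text, now = SAMPLE_DUMP, SAMPLE_NOW
    else:
        text, now = sys.stdin.read(), None
    iface, peers = parse_dump(text)
    for finding in diagnose(iface, peers, port, now):
        print(*finding)


if __name__ == "__main__":
    main(sys.argv)
```

Run it on each side right after a failed ping attempt and again after the tunnel has been brought up from the other side; an `endpoint_port_drift` that appears only after the remote side initiated is the roaming case described in the lead-in. The `no_keepalive` finding is informational: with NAT on both ends a PersistentKeepalive keeps the router's UDP mapping alive between handshakes.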
On 9/12/2020 at 9:25 AM, deusxanime said:

I noticed a possible bug/issue with WireGuard on unRAID. I have a docker container that runs on a custom network and I needed it to talk to a container on bridge so I went into docker settings and enabled "Host access to custom networks". After doing so (and all the required stop/start/reboot), the containers could talk on the network and I thought all was well.

 

Later that week I tried to use my WG VPN tunnel access (LAN access and tunnel through server to my home internet WAN) on my laptop and phone, which I'd used previously and worked great then, since I was on an untrusted Wifi network. After connecting, I was able to access LAN resources on the unRAID server, but could not get the WG client systems to go out to the internet when I had WG turned on on them. I thought back to what had changed and all I could think of was the setting above. So today, since I had to restart unRAID to add a disk, I disabled that setting to test it out and after restarting I tried WG tunnel access and lo and behold it is working again! I can get to LAN resources as well as out to the WAN/internet while connected to WG on the clients.

 

So it seems like something with enabling the "Host access to custom networks" setting breaks WG's ability to allow VPN clients to tunnel through it and use the WAN while connected.

 

Unfortunately I'm also experiencing this issue. Is there any possible fix for this? 


I am still perplexed by why WireGuard is not using the port specified in its config to hit my home server:

[screenshot]

 

Why the random ports instead of the defined port that I have a forward for?

[screenshots]

Edited by weirdcrap
words are hard

Just to clarify - this pfsense screen is on VOID's network right?

 

And where you blacked out the source and destination IPs - the "Source" column is NODE's public WAN IP and the "Destination" column is VOID's public WAN IP?

 

10 hours ago, weirdcrap said:

Why the random ports instead of the defined port that I have a forward for?

 

If my assumptions above are correct then I'm afraid I'm stumped.

6 hours ago, ljm42 said:

Just to clarify - this pfsense screen is on VOID's network right?

 

And where you blacked out the source and destination IPs - the "Source" column is NODE's public WAN IP and the "Destination" column is VOID's public WAN IP?

 

 

If my assumptions above are correct then I'm afraid I'm stumped.

You are correct on all counts. I have no clue what to make of it, I've recreated the tunnel and peer numerous times...


Could this be some sort of weird networking or router tech?  My only thoughts would be to turn on allowed connection logging and comparing the "good" connections to the "bad" connections.

On 2/1/2021 at 9:34 AM, ljm42 said:

 

WireGuard is designed to fail silently, so an open port detector will not be able to tell that the port is open.

 

Based on what you have written I would just say to be sure you forwarded a UDP port, not a TCP port. Other than that all I can suggest is to re-read the first two posts for ideas and think about all of the places that the data needs to pass through (see my reply to timmyx a few posts back)

I have tried to set it up numerous times.  I have tried UPnP and manually setting the firewall ports.  I have ensured that it is UDP and not TCP.  I am really at a loss here.


Hi all,

 

thanks for this great plugin. I have WireGuard set up with the peer being "remote access to server". This works well, but I need some help with my configuration.

 

What I want to do:

I want to connect all my devices to the NAS using the same IP address, regardless of whether I'm on my local network or not and regardless of whether WireGuard is on (when on local network).

 

Current problem:

My unRAID is on 192.169.1.116 (local network). The standard "local tunnel address" was somewhere in the 10.xx.xx.xx range. This created the following problem: I have my NAS connected via samba under 192.169.1.116 (local address). Once I leave the house and I turn on WireGuard, that address cannot be used anymore and I need to add another server using the 10.xx.xx.xx address instead of the 192.169.1.116. That's of course not what I want.

 

So I changed the "local tunnel address" to 192.168.1.116 (and the tunnel to 192.168.1.1/24) which allows me to connect via WireGuard using the "local IP" BUT once I'm back on my local network and WireGuard is still activated, I cannot access the NAS. This makes sense, but I don't know what the solution could be.

 

Question:

Can anyone help me with my setup? I want to connect to the NAS using the same IP, regardless of whether I'm on my local network or not (and for when I'm at home, regardless of whether WireGuard is running).

 

Help is much appreciated, thanks so much!

 

All the best,

Benedikt

Edited by benediktleb
6 hours ago, benediktleb said:

So I changed the "local tunnel address" to 192.168.1.116

You'll need to revert that. Think of this as a tunnel *between* the local and remote networks. It is a unique network of its own, not part of either the local or remote.

 

6 hours ago, benediktleb said:

I have WireGuard set up with the peer being "remote access to server".

If you want to use the LAN's network address, switch to "remote access to LAN"

38 minutes ago, ljm42 said:

You'll need to revert that. Think of this as a tunnel *between* the local and remote networks. It is a unique network of its own, not part of either the local or remote.

 

If you want to use the LAN's network address, switch to "remote access to LAN"

Works like a charm. Could have thought of that myself, too, what a simple answer. Thanks so much!

On 2/1/2021 at 2:23 PM, ljm42 said:

That screenshot shows that WireGuard is active, so it did start up after the reboot.

 

Unfortunately, WireGuard fails silently so there are few clues as to where the problem lies.

 

The second post in this thread gives some specific things to look for but it may help to think about all the places the connection must pass through:

  • The client itself (WireGuard config, network config, DNS, local firewall, power savings mode)
  • The client's local LAN and router config (unless this is a mobile device on a data connection)
  • The client's Internet connection/ISP
  • The Internet between the client and server
  • The server's Internet connection/ISP
  • The server's local LAN and router config
  • The server itself (WireGuard config, network config)

Since this was working before, consider whether anything changed at any of those places.

If nothing clicks, try setting up a new WireGuard config

So thanks for your reply

 

I did some further testing and it seems something is broken when there's a reset: router (IP changes, although I set duckdns for wireguard) or server

 

autostart:on is set on unraid

 

remote connections/handshakes work flawlessly upon first setup (delete tunnel, set up a new one -- done this dozen times lol)

 

when there's a reset tho, everything goes south :(

 

I might need to revert to vpn since I cant trust my unraid with WG at this point -- and I can't know why!!!! :( 

On 3/4/2021 at 1:41 PM, ljm42 said:

 

Do you use the "local tunnel firewall"? There is a fix in Unraid 6.9.0 that should resolve a problem with the local tunnel firewall on reboot, see: https://forums.unraid.net/topic/84229-dynamix-wireguard-vpn/page/18/?tab=comments#comment-944303  

 

Hey! Thanks for the response.

 

Mine is set like this (I think it's default - not exactly sure I changed anything here)

[screenshot: local tunnel firewall setting]

 

I haven't updated to 6.9, should it work if I add the script to /boot/config/go?

Fingers crossed!

 


So I just set up WireGuard and used Remote Tunneled Access instead of Remote Access to LAN as my Peer Type of Access. I added the DNS.WATCH DNS Server to the Peer DNS Server option and I'm able to browse the internet, but I'm not able to access my Unraid server.

 

Am I right to assume that Remote Tunneled Access does NOT allow you to access your Unraid server? Does that mean I should create another Peer that has Remote Access to LAN to access Unraid?

Edited by N¿¿B
Added some more information.

Hi, so tbh I am really lost about Wireguard. I've spent a day (more actually) on that trying different methods:

  • remote access to server
  • remote access to LAN
  • remote tunnelled access

I did setup my port forwarding correctly on port 51820 (internal and external) to my server (192.168.1.7) as UDP.

In Unraid my network interface (eth0 and eth1) have bridging enabled
I've tried with and without my dynDNS (duckdns) as a local endpoint
I also noticed that the local tunnel network pool is using /24 for subnet where my Wireguard client (my phone) was using /32. So I've tried /32 server & client side and also /24 server & client side.

I've tried with and without preshared key
I've tried with and without peer DNS server. And for the different DNS servers address used: 1.1.1.1 / 8.8.8.8 / 192.168.1.254 (my router)

 

As on client side, I did make sure that I was able to access my Unraid web interface and different services around (different ports) from my local network connected via WiFi.

As soon as I turn off WiFi and enable WireGuard I am not able to get a handshake, nor can I access anything.

I've tried both my local network and the local tunnel network on my phone; none of them worked.

 

Here is more or less what I've used in my Wireguard settings

[screenshot: WireGuard settings]

 

I did disable battery saving abilities on my phone, background data & unrestricted data usage.

 

Would someone be able to help me?

Thanks in advance

On 3/11/2021 at 1:21 AM, N¿¿B said:

So I just set up WireGuard and used Remote Tunneled Access instead of Remote Access to LAN as my Peer Type of Access. I added the DNS.WATCH DNS Server to the Peer DNS Server option and I'm able to browse the internet, but I'm not able to access my Unraid server.

 

Am I right to assume that Remote Tunneled Access does NOT allow you to access your Unraid server? Does that mean I should create another Peer that has Remote Access to LAN to access Unraid?

 

With Remote Tunneled Access you should be able to reach your Unraid server.  If that isn't working, go ahead and try Remote Access to LAN

1 hour ago, Wanty said:

I also noticed that the local tunnel network pool is using /24 for subnet where my Wireguard client (my phone) was using /32. So I've tried /32 server & client side and also /24 server & client side.

 

/32 is for a single ip address, /24 is for a network with 255.255.255.0 subnet mask. The plugin should give correct values here.

 

 

The things you have tried look great.

 

It is possible your ISP is blocking the UDP port you are trying to use, perhaps try a different one?

 

I would also try a different client. Somewhere in this thread I remember one person who couldn't get their phone to work but a laptop connected fine.

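Two points from earlier in the thread are worth turning into a check: the tunnel is its own network, so its address must not be taken from the LAN range (the 192.168.1.116 mistake above), and on the server side each remote-access peer gets a /32 in AllowedIPs while the interface itself carries the /24. The script below is an added example for this thread, not part of the Unraid plugin. It parses wg-quick style config text with a small hand-written parser (configparser cannot hold repeated [Peer] sections), reports a tunnel address that overlaps the LAN, peers whose AllowedIPs fall outside the tunnel network or claim more than one tunnel IP, and peers whose AllowedIPs overlap (the kernel moves an allowed IP to the peer configured last, so the earlier peer silently loses its route). It also classifies a client config into the plugin's three access types from its AllowedIPs alone. The config texts, the 192.168.1.0/24 LAN and all keys are constructed placeholders.

```python
"""Sanity-check WireGuard configs against the LAN they sit beside.

Added example for this thread; it is not part of the Unraid WireGuard plugin.
The config texts and the 192.168.1.0/24 LAN are constructed; keys are placeholders.
"""
import ipaddress

LAN = "192.168.1.0/24"

SAMPLE_SERVER_CONF = """
[Interface]
PrivateKey = SERVER_PRIVATE_KEY_PLACEHOLDER=
Address = 10.253.0.1/24
ListenPort = 51820

[Peer]
# phone: a host route, which is what a remote-access peer should have
PublicKey = PHONE_PUBLIC_KEY_PLACEHOLDER=
AllowedIPs = 10.253.0.2/32

[Peer]
# laptop: mistakenly handed the whole tunnel network
PublicKey = LAPTOP_PUBLIC_KEY_PLACEHOLDER=
AllowedIPs = 10.253.0.0/24
"""

# The mistake from earlier in the thread: tunnel address taken from the LAN range.
LAN_ADDRESS_CONF = SAMPLE_SERVER_CONF.replace("10.253.0.1/24", "192.168.1.116/24")

SAMPLE_CLIENT_CONF = """
[Interface]
PrivateKey = PHONE_PRIVATE_KEY_PLACEHOLDER=
Address = 10.253.0.2/32

[Peer]
PublicKey = SERVER_PUBLIC_KEY_PLACEHOLDER=
Endpoint = vpn.example.invalid:51820
AllowedIPs = 10.253.0.0/24, 192.168.1.0/24
"""


def parse_wg_conf(text):
    """Minimal [Interface]/[Peer] parser; configparser cannot hold repeated [Peer] sections."""
    interface, peers, current = {}, [], {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        if line == "[Interface]":
            current = interface
        elif line == "[Peer]":
            current = {}
            peers.append(current)
        else:
            key, _, value = line.partition("=")  # keys end in '=', so split on the first only
            current[key.strip()] = value.strip()
    return interface, peers


def nets(csv):
    """'10.0.0.1/24, 192.168.1.0/24' -> [IPv4Network('10.0.0.0/24'), ...]"""
    return [ipaddress.ip_network(x.strip(), strict=False) for x in csv.split(",") if x.strip()]


def _inside(n, container):
    return n.version == container.version and n.subnet_of(container)


def check_server_conf(text, lan_cidr):
    """Findings for a server-side config: tunnel vs LAN overlap, peer AllowedIPs shape."""
    lan = ipaddress.ip_network(lan_cidr)
    interface, peers = parse_wg_conf(text)
    tunnel = nets(interface.get("Address", ""))
    findings = [("tunnel_overlaps_lan", str(t)) for t in tunnel
                if t.version == lan.version and t.overlaps(lan)]
    seen = []
    for i, p in enumerate(peers):
        for n in nets(p.get("AllowedIPs", "")):
            if not any(_inside(n, t) for t in tunnel):
                findings.append(("peer_outside_tunnel", i, str(n)))
            elif n.prefixlen != n.max_prefixlen:
                findings.append(("peer_allowedips_not_host", i, str(n)))  # one peer claims many tunnel IPs
            for j, m in seen:
                if n.version == m.version and n.overlaps(m):
                    findings.append(("peer_allowedips_overlap", i, j, str(n)))  # last one wins the route
            seen.append((i, n))
    return findings


def client_access_type(text, lan_cidr):
    """Map a client's AllowedIPs to the plugin's three peer access types."""
    lan = ipaddress.ip_network(lan_cidr)
    _, peers = parse_wg_conf(text)
    allowed = [n for p in peers for n in nets(p.get("AllowedIPs", ""))]
    if any(n.prefixlen == 0 for n in allowed):
        return "remote tunneled access"       # default route: all traffic via the server
    if any(_inside(lan, n) for n in allowed):
        return "remote access to LAN"         # LAN reachable through the tunnel
    return "remote access to server"          # only the tunnel network itself


if __name__ == "__main__":
    for name, conf in [("good", SAMPLE_SERVER_CONF), ("lan-address", LAN_ADDRESS_CONF)]:
        print(name, check_server_conf(conf, LAN))
    print("client:", client_access_type(SAMPLE_CLIENT_CONF, LAN))
```

The checks are structural only: a config that passes can still fail on a port forward, DNS or an ISP block, which is the separate list of hops given earlier in the thread.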
On 3/7/2021 at 8:38 AM, timmyx said:

Hey! Thanks for the response.

 

Mine is set like this (I think it's default - not exactly sure I changed anything here)

[screenshot: local tunnel firewall setting]

 

I haven't updated to 6.9, should it work if I add the script to /boot/config/go?

Fingers crossed!

 

 

Hmm, that particular fix is for people using the local tunnel firewall. You can try running the commands directly; if it helps then add it to your go script (I wouldn't want you to complicate your go script unnecessarily, it will make life difficult for you in the future).

On 3/13/2021 at 6:58 PM, ljm42 said:

 

/32 is for a single ip address, /24 is for a network with 255.255.255.0 subnet mask. The plugin should give correct values here.

 

 

The things you have tried look great.

 

It is possible your ISP is blocking the UDP port you are trying to use, perhaps try a different one?

 

I would also try a different client. Somewhere in this thread I remember one person who couldn't get their phone to work but a laptop connected fine.

So I've tried on different ports and with other clients (on my tablet, my desktop and another phone) and none of them worked.

In the logs from my desktop it says "Handshake did not complete after 5 seconds, retrying..."

4 minutes ago, danktankk said:

Will do. I heard that pfSense 2.5, I think, was having an issue with WireGuard. I'll update mine as well. Thank you.

 

Yeah the pfSense-sponsored WireGuard implementation for FreeBSD had some issues. Does not affect Unraid.
