WireGuard quickstart


ljm42


I've tried searching but can't find anything relevant. Has anyone gotten WireGuard to work on Unraid using Untangle as a router? Yes, I know Untangle has it as an app, but I'm not interested in paying 250 a year for the functionality. If I use pfSense, WireGuard works as expected with almost no modifications. Using it with Untangle only gives me server access even when remote tunneled access is selected. And if I create a rule to bypass all apps for the WireGuard subnet, still no joy.... I feel like I'm missing one setting somewhere but don't know what it is.

---

 

Edit:

Putting my laptop in the subnet that WireGuard uses allows access to all devices on the LAN across subnets but no internet access, even when changing DNS from local to something like 1.1.1.1.

Edited by 1812
  • 2 weeks later...

Hello,

I would like to access a custom virsh network from my WireGuard VPN. Does anyone know how to do it, please?

Network wg1 (network of the WireGuard VPN): 192.168.51.0/27

Network virbr0-lab: 192.168.50.0/27

I would like them to communicate with each other, so that a PC connected by VPN to the wg1 network can access over RDP a VM in the virbr0-lab network.

Cordially.

Edited by JamesAdams

I think there is something wrong with my Wireguard plugin. Adding a 2nd Tunnel WG1 shows the fields all weird with underscores and any changes I make I cannot click the Apply button. Has anyone experienced this before?

 

 

6 minutes ago, remati said:

I think there is something wrong with my Wireguard plugin. Adding a 2nd Tunnel WG1 shows the fields all weird with underscores and any changes I make I cannot click the Apply button. Has anyone experienced this before?

 

 


What Unraid version?

7 hours ago, remati said:

It appears it is happening on both my unraid servers on Version: 6.8.3

Do you have anything installed to customize your GUI?

 

WireGuard supports multi-language, which is not available in Unraid 6.8, though it should display all text correctly.

 

Just made a quick test, this is a bug. Will correct it.

Edited by bonienl

Is there any way to add additional authentication in WireGuard?

I have been able to get everything set up but it seems a bit too easy to enable access on my Android phone.

I can simply click the shortcut menu item to connect. Using OpenVPN I have configured 2FA so someone cannot simply press a button to get full access to my LAN.

It would be even better if I could use U2F from my Yubikey devices but I would take being able to add Google Authenticator as a first step.

 

 

1 hour ago, jameson_uk said:

Is there any way to add additional authentication in WireGuard?

I have been able to get everything set up but it seems a bit too easy to enable access on my Android phone.

I can simply click the shortcut menu item to connect. Using OpenVPN I have configured 2FA so someone cannot simply press a button to get full access to my LAN.

It would be even better if I could use U2F from my Yubikey devices but I would take being able to add Google Authenticator as a first step.

 

WireGuard does not currently support 2FA, and I don't see it on their todo list: https://www.wireguard.com/todo/

2 hours ago, jameson_uk said:

Is there any way of adding any form of authentication (beyond the shared keys)?

 

That fully depends on the device where you are installing WireGuard.

When I use my iPad pro, it requires a fingerprint authentication first before installing the WireGuard tunnel.

 

3 hours ago, jameson_uk said:

Is there any way of adding any form of authentication (beyond the shared keys)?

You can/should set a lock screen on your client device, but there is no way to enforce that from Unraid's end. The WireGuard protocol does not currently have any options related to this or to requiring a pin/password/2FA before starting the tunnel. It is not something we can add ourselves, it would need to be added to the WireGuard protocol first.

That fully depends on the device where you are installing WireGuard.
When I use my iPad pro, it requires a fingerprint authentication first before installing the WireGuard tunnel.
 
You can/should set a lock screen on your client device, but there is no way to enforce that from Unraid's end. The WireGuard protocol does not currently have any options related to this or to requiring a pin/password/2FA before starting the tunnel. It is not something we can add ourselves, it would need to be added to the WireGuard protocol first.
This is set up on an Android phone. The WireGuard app set up the connection by just scanning the QR, which is fine, but there is no control over opening the app and it added a shortcut to open the tunnel in the menu where you can turn on the torch (and is available without unlocking the phone).

Are there any other Android clients that only open with biometric authentication?
3 hours ago, jameson_uk said:

This is set up on an Android phone. The WireGuard app set up the connection by just scanning the QR, which is fine, but there is no control over opening the app and it added a shortcut to open the tunnel in the menu where you can turn on the torch (and is available without unlocking the phone).

Are there any other Android clients that only open with biometric authentication?

 

On my Android (OnePlus 7 Pro), before unlocking the phone I can pull down from the top to access certain apps like the flashlight. VPN is in that list, but when I click it, I am immediately prompted to unlock the phone. It sounds like a security hole in your phone if it puts VPN in the same authentication-free category as the flashlight!

 

I believe there are other Android clients out there, but rather than recommend anything I haven't used I'll just suggest you try Google :)  Also, nothing says you have to switch to WireGuard, if you are happy with OpenVPN you can continue to use it.

  • 2 weeks later...

I have tried a bit of skimming of this thread as well as searching - but is anyone able to answer a quick question regarding WireGuard functionality?

Currently I have OpenVPN set up via a Docker container. This works great until you need to spin down the array. Will setting up WireGuard, since it is a plugin and not a Docker-based solution, allow me to spin up and down the array while still maintaining VPN access?

1 hour ago, Claudio C said:

Hi all,

 

I'm using wireguard as VPN service. I'm using Peer type of access: Remote access to LAN

It works fine but I don't have access to the share folder (SMB).

 

Could you help me?

 

Best guess based on what you have written... make sure you are trying to access the server by IP address and not by shortname.  i.e. make an SMB connection to \\ipaddress not to \\tower

 


Hi All, I'm new to unRAID and really am loving it.  Currently I only have my media setup but am working through new functionality.

 

I'm confused with WireGuard though.  I've set up "remote access to LAN" and with my peer (Android phone) enabled I can access my unRAID from outside my network via the IP address.  I can also access my PLEX, SONARR, etc dockers so all that seems to work fine.

My first question is regarding the "LAN" part of the access.  What does that entail?  Previously I used my phone's VPN to remote desktop access my personal laptop when it was at the house. With "remote access to LAN" can I do that? What port would I use?

My second question is regarding the other VPN options, specifically the "Remote Tunneled Access". Do I create that as a 2nd Peer option and have both available on my phone or does one supersede the other?

Thanks!

On 5/3/2021 at 7:43 AM, Claudio C said:

Hi all,

 

I'm using wireguard as VPN service. I'm using Peer type of access: Remote access to LAN

It works fine but I don't have access to the share folder (SMB).

 

Could you help me?

 

14 hours ago, Claudio C said:

I tried also with IP but nothing.

 

This is my configuration

 


 

You have "Use NAT" = No, there should be a remark telling you to set up a static route in your router, have you done that?  There are more details in the "complex networks" portion of the first post.  Until you work through that nothing on the LAN (including accessing the server by its LAN IP) will work.

FYI, you can also access the server by its tunnel IP. So SMB to \\10.253.0.1 should work regardless of the "Use NAT" setting or whether you have a static route set up.

Quote

Hi All, I'm new to unRAID and really am loving it. 

Welcome!

 

1 hour ago, RuggedRaider said:

I've set up "remote access to LAN" and with my peer (Android phone) enabled I can access my unRAID from outside my network via the IP address.  I can also access my PLEX, SONARR, etc dockers so all that seems to work fine.

nice!

 

1 hour ago, RuggedRaider said:

My first question is regarding the "LAN" part of the access.  What does that entail?  Previously I used my phone's VPN to remote desktop access my personal laptop when it was at the house. With "remote access to LAN" can I do that? What port would I use?

When you set up "remote access to LAN" you will be able to access other devices on your LAN through the tunnel. So from your phone you would first make a VPN connection to Unraid to get access to the LAN, then you would start the remote desktop software on the phone and connect to your personal laptop by IP.

 

 

1 hour ago, RuggedRaider said:

My second question is regarding the other VPN options, specifically the "Remote Tunneled Access". Do I create that as a 2nd Peer option and have both available on my phone or does one supersede the other?

Yes, you can have two VPN profiles/peers defined on your phone. Use "Remote access to LAN" when you trust the network you are on and just want to route the remote LAN traffic over WireGuard. Use "Remote Tunneled Access" when you are someplace with "risky" wifi and you want all your traffic going over WireGuard.

  • Like 1
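
How the two profiles in the reply above differ on the client side, as an added example that is not part of the original posts or of the Unraid plugin's code: in a WireGuard client config the difference is the peer's `AllowedIPs` list, and this sketch parses two constructed profiles and reports which destinations would be handed to the tunnel. The LAN subnet 192.168.1.0/24, the client address, the endpoint name and the key placeholders are assumptions; 10.253.0.1 is the tunnel IP mentioned earlier in the thread.

```python
import ipaddress

# Constructed client profiles. Keys and endpoint are placeholders and the
# LAN subnet 192.168.1.0/24 is an assumption, not taken from the thread.
LAN_PROFILE = """\
[Interface]
PrivateKey = <client-private-key>
Address = 10.253.0.2/32

[Peer]
PublicKey = <server-public-key>
Endpoint = vpn.example.net:51820
AllowedIPs = 10.253.0.1/32, 192.168.1.0/24
"""

# Same peer, but with a default route: everything goes through the tunnel.
TUNNELED_PROFILE = LAN_PROFILE.replace(
    "AllowedIPs = 10.253.0.1/32, 192.168.1.0/24", "AllowedIPs = 0.0.0.0/0")


def allowed_networks(conf_text):
    """Collect every AllowedIPs entry from all [Peer] sections."""
    nets, section = [], None
    for raw in conf_text.splitlines():
        line = raw.split("#", 1)[0].strip()      # drop comments
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].lower()
        elif section == "peer" and "=" in line:
            key, _, value = line.partition("=")  # split on the first '=' only
            if key.strip().lower() == "allowedips":
                nets += [ipaddress.ip_network(v.strip(), strict=False)
                         for v in value.split(",") if v.strip()]
    return nets


def is_tunneled(conf_text, dest):
    """True if dest falls inside one of the profile's AllowedIPs networks."""
    addr = ipaddress.ip_address(dest)
    return any(addr in net for net in allowed_networks(conf_text))


def is_full_tunnel(conf_text):
    """True if a default route (prefix length 0) is among AllowedIPs."""
    return any(net.prefixlen == 0 for net in allowed_networks(conf_text))


if __name__ == "__main__":
    for name, conf in (("LAN", LAN_PROFILE), ("tunneled", TUNNELED_PROFILE)):
        for dest in ("10.253.0.1", "192.168.1.50", "1.1.1.1"):
            print(name, dest, "tunnel" if is_tunneled(conf, dest) else "direct")
```
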
1 hour ago, ljm42 said:

When you set up "remote access to LAN" you will be able to access other devices on your LAN through the tunnel. So from your phone you would first make a VPN connection to Unraid to get access to the LAN, then you would start the remote desktop software on the phone and connect to your personal laptop by IP.

Okay, that helps. For some reason I thought the remote access to LAN would rid me of the need for Microsoft RDP. Makes sense now that I think about it.

Another question. Is the peer setup designed for the client type specifically or the type of connection? Can I set up a peer connection for "remote access to LAN" and then download that profile config file and install on WireGuard via my work laptop?

 

Thank you!
