WireGuard quickstart


ljm42


10 minutes ago, RuggedRaider said:

Another question. Is the peer setup designed for the client type specifically or the type of connection? Can I set up a peer connection for "remote access to LAN" and then download that profile config file and install it on WireGuard via my work laptop?

 

You should create a new peer config for each device. That will allow all of the devices to connect at the same time, and in the event that one device is lost or stolen, you only have to delete that one config from the server and the rest of the devices will continue to work.

Link to post

I have upgraded to Unraid 6.9.2 and am now having problems with adding WireGuard peers. I have 15 WireGuard peers running now, but when I try to add another peer it does not give me a blank entry to fill in; the cursor just jumps to one of the existing entries that are already running. I thought at first it was maybe the browser, so I tried Firefox, Google Chrome and Microsoft Edge, but all act the same.

When I add a new tunnel such as WG1 I can start adding more peers. Is there a limit on how many peers per tunnel?

 

Thanks

Link to post
On 5/12/2021 at 6:02 AM, Gdtech said:

I have upgraded to Unraid 6.9.2 and am now having problems with adding WireGuard peers. I have 15 WireGuard peers running now, but when I try to add another peer it does not give me a blank entry to fill in; the cursor just jumps to one of the existing entries that are already running. I thought at first it was maybe the browser, so I tried Firefox, Google Chrome and Microsoft Edge, but all act the same.

When I add a new tunnel such as WG1 I can start adding more peers. Is there a limit on how many peers per tunnel?

 

Thanks

 

Please ensure you are on the latest version of the plugin (currently 2021.05.10a). No point in troubleshooting older versions :)

 

As a test, I just created a tunnel with 20 peers no problem. I wouldn't expect there to be a limit, pretty sure it just increments a counter.

 

I'd guess it is putting the cursor in a field that has a problem. If that doesn't seem to be the case, try switching from basic to advanced mode, perhaps the field with the problem is not visible in basic mode.

 

Still not working? We'll need to see a screenshot. You'll want to blank out any sensitive parts (keys, public IP addresses, endpoints).

Link to post

Good afternoon,

 

 Currently searching for an option to my issue and hope wireguard might be the solution.

 

My only internet option currently is Starlink and due to CGNat I will not be able to access my plex server remotely.

 

Can this be used to allow external access to my plex server again?

 

Cheers,

 

Chris

Link to post

I followed your guide and got it up and running. My question is regarding the relationship of a tunnel to a peer and how this should be configured rather than what can be done. 

 

With one tunnel, should I only have one peer? or should I set multiple peers for one tunnel assuming the subnet access level should be the same for all peers?

 

I am intending to use this for two use cases. 

    1- remote server management from 2 or 3 devices. my guess is one tunnel, 2-3 peers with the needed subnet configured. 

    2- privatizing mobile device traffic back to the server internet connection. this would be likely a lesser subnet range to strictly hairpin traffic back out to the web from the server internet connection (mobile device->server->web). I'm also guessing this would be a second tunnel for these peers?

 

Any guidance or clarity around this concept is greatly appreciated. 

Link to post

A single tunnel can support multiple connections (peers). Each peer will have the same access rights, e.g. "Remote connection to LAN".

 

If you want different peers to have different access rights, you could set up multiple tunnels, each with a different connection type and let peers connect to one or the other.

 

Link to post

So I got wireguard set up and can access all of my containers via the web ui except binhex-sabnzdb vpn container.  Tried searching for container access topics here but didn't find any comments with this particular issue.  I have sab set up in bridge mode. 

 

Wireguard is set up with remote tunneled access and tried remote access to server peer set up with the same results.

 

Would appreciate any thoughts on why this is occurring only for sab and if there is something I can change to make it accessible.

Link to post
So I got wireguard set up and can access all of my containers via the web ui except binhex-sabnzdb vpn container. 


I think you need to add the wireguard tunnel IP range to the Lan Network variable in the Sab VPN docker. Just add it after your normal home LAN range, separated by a comma.

Edit: if you’re using the defaults for wireguard, the IP range to add to Sab is 10.253.0.0/24
Link to post
Posted (edited)
On 5/25/2021 at 2:33 PM, Jorgen said:

 


I think you need to add the wireguard tunnel IP range to the Lan Network variable in the Sab VPN docker. Just add it after your normal home LAN range, separated by a comma.

Edit: if you’re using the defaults for wireguard, the IP range to add to Sab is 10.253.0.0/24

 

Do you have any links I can read to get sab vpn setup with wireguard?  I am struggling mightily following different guides that have been made for other dockers but not for specifically getting wireguard (through mullvad) working with sab vpn.  I used the guide from Dad_Rage I found, but I can't access the web ui.

 

Edit - got to web ui, but now I'm getting a  [Errno 99] Address not available - Check for internet or DNS problems

Edited by NitrizzleStizzle
Link to post
Do you have any links I can read to get sab vpn setup with wireguard?  I am struggling mightily following different guides that have been made for other dockers but not for specifically getting wireguard (through mullvad) working with sab vpn.  I used the guide from Dad_Rage I found, but I can't access the web ui.
 
Edit - got to web ui, but now I'm getting a  [Errno 99] Address not available - Check for internet or DNS problems

Are you talking about the same situation as Twinkie above, where you need to access Sab vpn while your client is connected via wireguard from outside your home network?
Or are you talking about setting up Sab vpn to use wireguard to connect to mullvad?
If it’s the latter, you’ll need to post the question in the support thread for the Sab vpn docker you’re using.


Link to post
On 3/13/2021 at 5:48 PM, Wanty said:

Hi, so tbh I am really lost about Wireguard. I've spent a day (more actually) on that trying different methods:

  • remote access to server
  • remote access to LAN
  • remote tunnelled access

I did setup my port forwarding correctly on port 51820 (internal and external) to my server (192.168.1.7) as UDP.

In Unraid my network interface (eth0 and eth1) have bridging enabled
I've tried with and without my dynDNS (duckdns) as a local endpoint
I also noticed that the local tunnel network pool is using /24 for subnet where my Wireguard client (my phone) was using /32. So I've tried /32 server & client side and also /24 server & client side.

I've tried with and without preshared key
I've tried with and without peer DNS server. And for the different DNS servers address used: 1.1.1.1 / 8.8.8.8 / 192.168.1.254 (my router)

 

As on client side, I did make sure that I was able to access my Unraid web interface and different services around (different ports) from my local network connected via WiFi.

As soon as I turn off WiFi and enable Wireguard I am not able to have a handshake nor I can access anything.

I've tried my local network local tunnel network on my phone none of them worked.

 

Here is more or less what I've used in my Wireguard settings

image.png

 

I did disable battery saving abilities on my phone, background data & unrestricted data usage.

 

Someone would be able to help me ?

Thanks in advance

I have the same problem as you, did you manage to solve it?

 

I just started my 5th unraid server, and that is 5th time setting wireguard, and 1st time I cannot configure.

I have port forwarded (51820 UDP), wireguard is on 192.168.1.253, router is on 192.168.1.254.

Just a basic config - remote access to lan not working.

It's a fresh Unraid install, basically nothing on it, only the WireGuard plugin.

Link to post

I have wireguard setup with "Remote access to server" so my laptop can access my unraid server.

 

I'm trying to understand how to access a VM that's running on unraid, but has its own IP.

 

For example, my unraid server has IP of 192.168.1.2 and my VM has IP of 192.168.1.100.

For my wireguard tunnel and client setup, my unraid server then is accessible via 10.253.0.1. 

 

How do I access the VM? Do I need to have it also connect as its own WireGuard client? I'm confused because when I read the first post it talks about VMs being accessible, but I'm not sure how that works exactly, because how can my laptop (when I'm away from my LAN and connected via WireGuard) be able to access the VM without an addressable IP?

Link to post

hey all, hope everyone is well.

so after following this guide to a T, it says connected but nothing loads, even with set to remote tunnelled access, with 8.8.8.8 set I get nothing. 

 

also when I connect to the client on my phone, it won't even load the Unraid dashboard.

 

what have I missed

Link to post
On 6/2/2021 at 9:38 PM, tmchow said:

I have wireguard setup with "Remote access to server" so my laptop can access my unraid server.

 

I'm trying to understand how to access a VM that's running on unraid, but has its own IP.

 

For example, my unraid server has IP of 192.168.1.2 and my VM has IP of 192.168.1.100.

 

"Remote access to server" will give you access to the server's main tunnel IP. If you want to access IPs on the Unraid server's network you want "Remote access to LAN". Be sure to update the client config after making this change.

 

If you run into trouble, see the "Complex networks" section of the first post as there are certain settings that conflict with each other.

Link to post
7 minutes ago, ljm42 said:

"Remote access to server" will give you access to the server's main IP. If you want to access other IPs on the network you want "Remote access to LAN". Be sure to update the client config after making this change.

 

If you run into trouble, see the "Complex networks" section of the first post as there are certain settings that conflict with each other.

 

In my example where my setup is this:

  • unraid server has IP of 192.168.1.2
  • VM has IP of 192.168.1.100
  • When connected via wireguard my unraid server is 10.253.0.1

If I make the change to "Remote access to LAN", what is the IP of the VM? Is it just addressed with 192.168.1.100 still and counts on no network conflict?

Link to post
41 minutes ago, tmchow said:

If I make the change to "Remote access to LAN", what is the IP of the VM? Is it just addressed with 192.168.1.100 still and counts on no network conflict?

 

The VM will be accessed via its usual IP of 192.168.1.100. 

 

In terms of avoiding conflicts, when you choose "Remote access to LAN" the webgui will give you a warning that the peer's network cannot use the same network range as Unraid's network:

image.png

Link to post

I can no longer get Wireguard to work. I previously had it running for months without any issues and loved the convenience of it.

I recently transitioned to Cloudflare DDNS from DuckDNS whilst setting up NGINX Proxy Manager for the first time.

I deleted the Wireguard folder from the /boot/config folder in an attempt to reinstall the plugin from scratch, but now I cannot create a tunnel, let alone a new peer.
When I click apply, nothing is saved and it prompts me to create the tunnel again.

I have also noticed it constantly tells me "UPnP: forwarding not set" despite the fact I have had the port forwarding set up for months and never made any adjustments on the router.

please help!

Link to post
I can no longer get Wireguard to work. I previously had it running for months without any issues and loved the convenience of it.
I recently transitioned to Cloudflare DDNS from DuckDNS whilst setting up NGINX Proxy Manager for the first time.
I deleted the Wireguard folder from the /boot/config folder in an attempt to reinstall the plugin from scratch, but now I cannot create a tunnel, let alone a new peer.
When I click apply, nothing is saved and it prompts me to create the tunnel again.
I have also noticed it constantly tells me "UPnP: forwarding not set" despite the fact I have had the port forwarding set up for months and never made any adjustments on the router.
please help!

I'd recommend rebooting so it can recreate the necessary folder on the flash drive as it comes back up.

Also, be sure to read the note in the second post of this thread about disabling the Cloudflare DNS proxy. It doesn't work with WireGuard traffic, only HTTP traffic.


Link to post

I'm having some issues getting all my traffic routed through my unraid server.

 

I can connect both from my laptop and my phone via VPN to the unraid server without any issues when it's set to remote tunneled access, but it seems like not all my traffic is routed through the server, as my IP address on my phone and my laptop does not change at all.

 

This was very annoying in the last two weeks as I wanted to use my VPN to make Netflix think I'm still in my home country, but it never worked.

 

Does anyone have any idea what's going on here?

Link to post

Hello,

 

sorry if this was already asked, but can I use the vpn manager to import a tunnel and to connect to a different wg-server over this plugin or is this not possible and the plugin is only working as a server?

 

Purpose want to connect to a client where I run a wg-server at rpi and rsync files between two NAS.

Link to post
On 10/12/2019 at 4:15 AM, ljm42 said:

With "Use NAT" = No and "Host access to custom networks" = enabled and static route 

  • server and dockers on bridge/host - accessible!

  • VMs and other systems on LAN - accessible!

  • dockers with custom IP - accessible!

  • (woohoo! the recommended setup for complex networks)

Suddenly, I was having issues accessing my Dockers on custom VLANs. It was working fine last year and it stopped working around the start of this year, I don't know exactly when (Dockers on Bridge/Host and pfsense in a VM were still working fine).

 

I now found a solution:

"Host access to custom networks" = disabled

 

This fixed the issue for me completely. In the network tabs, all routes for "shim-br0.xx" disappeared. But it's working now, so I am happy :)

Link to post
4 hours ago, PsYcRo said:

Hello,

 

sorry if this was already asked, but can I use the vpn manager to import a tunnel and to connect to a different wg-server over this plugin or is this not possible and the plugin is only working as a server?

 

Purpose want to connect to a client where I run a wg-server at rpi and rsync files between two NAS.

 

Yep, there is an "Import Tunnel" button in the upper right corner

 

image.png

Link to post
On 6/13/2021 at 3:49 AM, Pixel5 said:

I'm having some issues getting all my traffic routed through my unraid server.

 

I can connect both from my laptop and my phone via VPN to the unraid server without any issues when it's set to remote tunneled access, but it seems like not all my traffic is routed through the server, as my IP address on my phone and my laptop does not change at all.

 

This was very annoying in the last two weeks as I wanted to use my VPN to make Netflix think I'm still in my home country, but it never worked.

 

Does anyone have any idea what's going on here?

 

With your phone on your home network along with Unraid (and WireGuard disabled) visit this page to find the external IP for that network:

  https://www.whatismyip.com/

 

Then leave your home and make a "Remote Tunneled Access" WireGuard connection to Unraid. Visit the website above and confirm you have the same external IP as your home network. If you don't, then perhaps you made a change to the WireGuard config on the server and forgot to update the client?

 

If the IP addresses are the same then in theory Netflix should think you are on your home network when you VPN there. If it doesn't, then perhaps they are using other signals to determine where you are located, such as GPS?

Link to post
11 hours ago, ljm42 said:

 

Yep, there is an "Import Tunnel" button in the upper right corner

 

image.png

That's what I have already done, but after the import where can I connect to it? The GUI seems very chaotic at first for a new user like me. I have WireGuard installed on different RPis, but that was straightforward. In my example I have wg0 now imported, but where can I now connect to it:

 

image.png

 

Link to post
11 hours ago, ljm42 said:

 

With your phone on your home network along with Unraid (and WireGuard disabled) visit this page to find the external IP for that network:

  https://www.whatismyip.com/

 

Then leave your home and make a "Remote Tunneled Access" WireGuard connection to Unraid. Visit the website above and confirm you have the same external IP as your home network. If you don't, then perhaps you made a change to the WireGuard config on the server and forgot to update the client?

 

If the IP addresses are the same then in theory Netflix should think you are on your home network when you VPN there. If it doesn't, then perhaps they are using other signals to determine where you are located, such as GPS?

 

I have solved this problem now with the help from some people on the unraid subreddit.

The problem was that Allowed IPs needed to contain 0.0.0.0/0 in order to route all traffic through the VPN.

Link to post
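The replies above about "Remote access to server" versus "Remote access to LAN", and about AllowedIPs needing 0.0.0.0/0 for tunneled access, all come down to which destinations the client's AllowedIPs cover. The following is an added example, not part of any post in this thread and not the plugin's code: the three configs are constructed from the addresses mentioned in the thread (they are assumptions, not exports from Unraid), and the function names are hypothetical.

```python
import ipaddress

# Constructed client configs; keys and endpoint are placeholders.
# Addresses follow the thread: tunnel IP 10.253.0.1, home LAN 192.168.1.0/24.
SERVER_ONLY = """
[Interface]
PrivateKey = <client-private-key>
Address = 10.253.0.2/32

[Peer]
PublicKey = <server-public-key>
Endpoint = example.invalid:51820
AllowedIPs = 10.253.0.1/32
"""
LAN_ACCESS = SERVER_ONLY.replace("AllowedIPs = 10.253.0.1/32",
                                 "AllowedIPs = 10.253.0.1/32, 192.168.1.0/24")
FULL_TUNNEL = SERVER_ONLY.replace("AllowedIPs = 10.253.0.1/32",
                                  "AllowedIPs = 0.0.0.0/0")


def allowed_networks(conf_text):
    """Collect AllowedIPs from every [Peer] section of a wg-quick style config."""
    nets, section = [], None
    for raw in conf_text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop comments and whitespace
        if not line:
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].lower()
            continue
        key, _, value = line.partition("=")
        if section == "peer" and key.strip().lower() == "allowedips":
            for item in value.split(","):
                if item.strip():
                    nets.append(ipaddress.ip_network(item.strip(), strict=False))
    return nets


def via_tunnel(conf_text, destination):
    """True if the client would send traffic for `destination` into the tunnel."""
    addr = ipaddress.ip_address(destination)
    return any(addr.version == net.version and addr in net
               for net in allowed_networks(conf_text))


def lan_conflicts(conf_text, client_local_net):
    """AllowedIPs ranges (default route excluded) that overlap the network the
    client is sitting on, i.e. the same-range conflict the webgui warns about."""
    local = ipaddress.ip_network(client_local_net, strict=False)
    return [str(net) for net in allowed_networks(conf_text)
            if net.prefixlen != 0 and net.version == local.version
            and net.overlaps(local)]
```

With these constructed configs, 192.168.1.100 is only reachable through the tunnel once the LAN range is in AllowedIPs, and 8.8.8.8 only goes through the tunnel when 0.0.0.0/0 is present.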
