WireGuard quickstart


ljm42


31 minutes ago, Pixel5 said:

I have solved this problem now with help from some people on the Unraid subreddit.

The problem was that Allowed IPs needed to contain 0.0.0.0/0 in order to route all traffic through the VPN.

 

Click the little "eye" icon on the right side of the peer; this will show you the config file the system set up for this peer. If the peer is set to "Remote tunneled access" then you should see: AllowedIPs=0.0.0.0/0

 

If the config file on the client had a different setting, then you forgot to update the client after changing the "peer type of access" here.

34 minutes ago, PsYcRo said:

That's what I have already done, but after the import, where can I connect to it? The GUI seems very chaotic at first for a new user like me. I have WireGuard installed on a different RPi, but that was straightforward. In my example I have wg0 imported now, but where can I connect to it:

 

 

Change the "basic" slider to "advanced" to see more of the settings from your config file. Change "inactive" to "active" to start the tunnel.

59 minutes ago, ljm42 said:

 

Change the "basic" slider to "advanced" to see more of the settings from your config file. Change "inactive" to "active" to start the tunnel.

I already tried it with the slider active but no response...

Here is the requested screenshot:

 

8 hours ago, PsYcRo said:

I already tried it with the slider active but no response...

Here is the requested screenshot:

 


Looks like it defaulted to "VPN tunneled access". I don't think that is what you want, probably "Remote Access to Server". You can turn on the help to see the difference. I'd recommend clicking the little "eye" icons on the right side of the screen to see what the configs look like. You may need to make further tweaks until the configs look like what the RPi is expecting.

 

Also, click the "key" icons and confirm that the local tunnel has both a public and private key, and that the peer has at least a public key. You don't need to include those in any screenshots though. The same keys will be visible if you click the "eye" icons.

 

Also there is a peer endpoint but not a local endpoint, that means your server has to make an outgoing request to start the tunnel. If you want either end to be able to start the tunnel, add a local endpoint here and a peer endpoint on the other end (edit: you'll also need a port forward on this end)

 

How do you plan to test this? Note that the WireGuard connection is only on the server, it is not shared with your LAN. Will you be transferring files from the command line or through a docker?

(FYI, LAN to LAN is possible as well, although a bit more complicated: https://forums.unraid.net/topic/88906-lan-to-lan-wireguard/ ) 

 

19 hours ago, Fuggin said:

Actually a problem... I inadvertently made 2 tunnels. How do I delete wg1? I tried the command on the console but it wouldn't work.

 

Change the slider from Basic to Advanced, then a Delete Tunnel button will appear.


Anyone using Untangle or OPNsense for the firewall? Based on my evaluation of these two software packages, there is no "bypass firewall rule..." checkbox like pfSense has to allow for asymmetric routing. How can I achieve the same function as the bypass by using additional policy/NAT/routing rules?

17 hours ago, timmyx said:

Well, I can't get WireGuard to work consistently.

Every time I reboot or shut down, it's gone.

 

"Gone" as in not started? Do you have the tunnel set to autostart?

 

Or "Gone" as in nothing is there and you have to recreate it? The files are stored in the config/wireguard folder on your flash drive. If those files go missing then I'd suspect an issue with your flash drive. We may be able to confirm issues with the flash drive if you upload your diagnostics zip file ( from Tools -> Diagnostics )


I'm having a strange problem and I cannot figure out what's wrong.

I edited a peer recently, and from that point forward I cannot activate the tunnel.

 

I did try to save it, remove it and re-import it, but whenever I add the LAN network (x.x.x.x/24) to "Peer allowed IPs", the tunnel won't activate.

 

Tunnel:

Local tunnel network pool: 10.245.0.0/24
Local tunnel address: 10.245.0.1
Endpoint: [redacted, static ip]:51820
Local server uses NAT: No (I tried with Yes, nothing changes)

First Peer:

Peer name: something
Peer type of access: Remote access to LAN
Peer tunnel address: 10.245.0.2
Peer allowed IPs: 10.245.0.2

 

Whenever I put (192.168.10.0/24 is the LAN)

Peer allowed IPs: 10.245.0.2, 192.168.10.0/24

 

The tunnel won't stay on: if I press the button it moves, but if I F5 the page or go to another page and come back, it is OFF.

Syslog just says that the tunnel turned on and off.

Is there a more useful log for WireGuard? There is nothing in /var/log.

 

On this machine I already have a server-to-server tunnel that works flawlessly.

Open a terminal session from your browser (>_ button) and type

 

wg-quick up wg0

 

Assuming wg0 is the tunnel you want to activate, check the responses for errors.

 

 

6 minutes ago, bonienl said:

Open a terminal session from your browser (>_ button) and type

 


wg-quick up wg0

 

Assuming wg0 is the tunnel you want to activate, check the responses for errors.

 

 

 

Here's the output:

[#] ip link add wg0 type wireguard
[#] wg setconf wg0 /dev/fd/63
[#] ip -4 address add 10.245.0.1 dev wg0
[#] ip link set mtu 1420 up dev wg0
[#] ip -4 route add 10.245.0.2/32 dev wg0
[#] ip -4 route add 192.168.10.0/24 dev wg0
RTNETLINK answers: File exists
[#] ip link delete dev wg0

 

I guess the error is "File exists". What does that mean?

If you want the peer to access your LAN, change the type of access to "Remote access for LAN" and the LAN subnet will be added to the peer configuration (don't forget to update the peer configuration).

 

The setting "Peer allowed IPs" tells what the Unraid server is allowed to access on the peer, and since 192.168.10.0/24 is your local subnet it cannot exist on the peer as well.

 

This is from the help in the GUI

 

This field is automatically filled in with the tunnel address of the peer. This allows the server to reach the peer over the tunnel.
When the peer is another server or router with additional networks, then their subnets can be added here to make these networks reachable over the tunnel.

 

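The two AllowedIPs pitfalls in this thread (a "Remote tunneled access" peer whose config must contain 0.0.0.0/0, and a LAN subnet that cannot be listed as a peer allowed IP on the very server whose LAN it is, which is what makes wg-quick stop with "RTNETLINK answers: File exists") can be checked mechanically before bringing a tunnel up. The following Python script is an added example and is not code from this thread or from the Unraid WireGuard plugin; the sample config, the function names and the local-subnet lists are constructed for illustration:

```python
"""Added example, not from the Unraid forum thread or the Unraid WireGuard plugin.

Checks a WireGuard config for two AllowedIPs mistakes:
  1. a peer meant as a full tunnel whose AllowedIPs lacks 0.0.0.0/0; and
  2. an AllowedIPs entry that duplicates (or sits inside) a subnet the host
     already routes, the cause of "RTNETLINK answers: File exists" from wg-quick.
"""
import ipaddress
import re

# Constructed sample in the same shape as the client configs posted in this thread.
SAMPLE_CONF = """\
[Interface]
PrivateKey = REDACTED
Address = 10.249.0.2/32

[Peer]
PublicKey = REDACTED
PresharedKey = REDACTED
AllowedIPs = 10.249.0.1/32, 192.168.10.0/24
Endpoint = REDACTED:51820
"""


def parse_wg_conf(text):
    """Parse an INI-style WireGuard config into a list of (section, {key: [values]}).

    Values are kept as lists because a [Peer] may repeat AllowedIPs on several lines.
    """
    sections = []
    current = None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and surrounding whitespace
        if not line:
            continue
        header = re.fullmatch(r"\[(\w+)\]", line)
        if header:
            current = (header.group(1), {})
            sections.append(current)
            continue
        if current is None or "=" not in line:
            raise ValueError(f"unexpected line outside a section: {raw!r}")
        key, value = (part.strip() for part in line.split("=", 1))
        current[1].setdefault(key, []).append(value)
    return sections


def allowed_ips(sections):
    """Collect every AllowedIPs network from all [Peer] sections."""
    nets = []
    for name, keys in sections:
        if name != "Peer":
            continue
        for value in keys.get("AllowedIPs", []):
            for item in value.split(","):
                if item.strip():
                    nets.append(ipaddress.ip_network(item.strip(), strict=False))
    return nets


def routes_all_ipv4(nets):
    """True when a peer carries the IPv4 default route (0.0.0.0/0), i.e. a full tunnel."""
    return any(net.version == 4 and net.prefixlen == 0 for net in nets)


def route_conflicts(nets, local_subnets):
    """Return (allowed_net, local_net, reason) for entries that collide with local routes.

    wg-quick adds one kernel route per AllowedIPs entry. An entry identical to a
    subnet the host already routes fails outright ("File exists"); a more specific
    entry is accepted but then diverts part of the LAN into the tunnel.
    """
    local = [ipaddress.ip_network(s, strict=False) for s in local_subnets]
    found = []
    for net in nets:
        for lan in local:
            if net.version != lan.version:
                continue
            if net == lan:
                found.append((net, lan, "exists"))
            elif net.subnet_of(lan):
                found.append((net, lan, "shadows"))
    return found


def check_config(text, full_tunnel_expected, local_subnets):
    """Run both checks; returns human-readable problems (empty list when clean)."""
    nets = allowed_ips(parse_wg_conf(text))
    problems = []
    if full_tunnel_expected and not routes_all_ipv4(nets):
        problems.append("AllowedIPs lacks 0.0.0.0/0, so only the listed networks use the tunnel")
    for net, lan, reason in route_conflicts(nets, local_subnets):
        if reason == "exists":
            problems.append(f"{net} is already routed locally ({lan}): wg-quick will fail with 'File exists'")
        else:
            problems.append(f"{net} lies inside local subnet {lan}: that LAN traffic would enter the tunnel")
    return problems


if __name__ == "__main__":
    # Road-warrior client on some other LAN: only the missing default route is reported.
    for line in check_config(SAMPLE_CONF, True, ["192.168.1.0/24"]):
        print("-", line)
    # The same AllowedIPs entered on the server whose own LAN is 192.168.10.0/24.
    for line in check_config(SAMPLE_CONF, False, ["192.168.10.0/24"]):
        print("-", line)
```

Run it against the config shown by the "eye" icon, passing the subnets the host itself routes (its LAN, any Docker custom networks); an empty list means the routes wg-quick will add do not collide with what is already in the kernel table.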
16 minutes ago, bonienl said:

If you want the peer to access your LAN, change the type of access to "Remote access for LAN" and the LAN subnet will be added to the peer configuration (don't forget to update the peer configuration).

 

The setting "Peer allowed IPs" tells what the Unraid server is allowed to access on the peer, and since 192.168.10.0/24 is your local subnet it cannot exist on the peer as well.

 

This is from the help in the GUI

 

This field is automatically filled in with the tunnel address of the peer. This allows the server to reach the peer over the tunnel.
When the peer is another server or router with additional networks, then their subnets can be added here to make these networks reachable over the tunnel.

 

 

Well, it was already on Remote access to LAN.

I can connect, but I can access only the Unraid server and nothing on the LAN.

 

 


Edited by exico
added screenshot

Are you sure the peer has the correct configuration? It needs to include your LAN subnet.

 

You need to set Local server uses NAT = Yes

This allows other devices on your LAN to communicate over the tunnel to the remote peer.

If you are trying to access docker containers on their custom network address, you will need to do additional steps, which are explained in the Wireguard guide.

 


Yeah, my config includes the Allowed IPs:

 

[Interface]
PrivateKey = REDACTED
Address = 10.249.0.2/32

[Peer]
PublicKey = REDACTED
PresharedKey = REDACTED
AllowedIPs = 10.249.0.1/32, 192.168.10.0/24
Endpoint = REDACTED:51820

 

NAT is on Yes, as per the screenshot.

What I'm trying to access is anything. I tried the server IPMI, the web interface of the switch, the pfSense interface on the router. Nothing comes up; just Unraid works and shows up.

Everything worked fine before...

The wireguard configuration of wg0 is alright.

You said that you have configured multiple tunnels.

Have you tried testing with only one tunnel active at the time?

 


I did not, just tried and nothing changed.

 

Just a hypothesis: can the setting "Host access to custom networks" set to enabled in the Docker settings be a problem?

I will have to wait to stop the Docker containers to test this at the moment, because there is a task running.

It should not, but please test.

 

Host access is a hack to circumvent the network protection of docker itself. Normally host access is not required and should be disabled.

 


Hey guys, I know this was referenced recently but is there a way to route only certain containers/VMs through the "VPN tunneled access" feature? When using my current config generated from pia-wg, it attempts to route all data going out of the server to the VPN.


Hi all, I have set up WireGuard and I can access the internet and the local LAN from my Android phone when out and about. However, when I tried to use the WireGuard config with Ubuntu I can only access the internet, not the LAN. This means that I cannot access my Unraid server (the main purpose of running WireGuard).

 

I have pretty much used all the standard / default settings and I am tunnelling all traffic, with 0.0.0.0/0 in my config file.

 

Does anyone have any suggestions?
