ljm42

WireGuard quickstart


3 hours ago, ljm42 said:

Go to Settings -> VPN Manager and switch from basic to advanced mode and look at the settings for your server, you'll see a "local tunnel network pool". It will be something like 10.253.0.0/24.  All devices in this tunnel get their own unique tunnel address, from 10.253.0.1 to 10.253.0.253. Unraid manages this for you automatically, except for the bug that has been reported when using "remote tunneled access". Until that is fixed, you can pick any IP from 10.253.0.1 to 10.253.0.253, as long as it isn't already assigned to another client on this page.

So it's the client IP inside the VPN network.

4 minutes ago, nuhll said:

So it's the client IP inside the VPN network.

Yes, to be more precise: the IP address of the tunnel endpoint at the client (peer) side.

Edited by bonienl


I've read about the security problems with it, and as far as I understand this is just a problem for big companies. I mean we can add 2, 3, 4 peers by hand, no problem.

Should I be able to ping the "local tunnel address" from my normal network?

I don't understand why it's not working. I changed allowed IPs to 0.0.0.0, which should mean everything, right?

The handshake seems to work. Data sent: 960 B, Data received: 1.25 KB, Last handshake: 57 seconds ago.

But I can't browse the internet (or local network) via mobile if I enable the VPN.

See picture for more. What I've changed on the client (mobile) was adding a DNS server (my own local DNS server), in this case 192.168.86.5.

(attached: wire.png)

Edited by nuhll


If your DNS server is a different machine than your Unraid server, it needs a route back to your mobile over the VPN tunnel.

In other words, your mobile gets to your local DNS server over the VPN tunnel, but the DNS server doesn't know the way back.

 

18 minutes ago, bonienl said:

If your DNS server is a different machine than your Unraid server, it needs a route back to your mobile over the VPN tunnel.

In other words, your mobile gets to your local DNS server over the VPN tunnel, but the DNS server doesn't know the way back.

 

Would make sense, but Pi-hole doesn't show any DNS queries (from mobile) and the internet is also not working (I also tried 8.8.8.8, btw).

It's not another machine, but it's another IP. It's a Pi-hole Docker on Unraid.

Also, reaching Unraid (192.168.86.2) in my case should not involve DNS and should work right away, but doesn't... :D OR?

I must say I have a crazy network, so it might be causing issues, but I don't really know where to look because I have no experience with VPNs.

Basically I have 3 routers (multiple, triple NAT); I don't know if that makes a difference. Why? Because I bundle 4 internet lines (2x LTE + 2x DSL).

The DNS is only pointing to one router of course, and all routers (between WAN and Unraid) redirect the port to the correct destination (that's not my first port redirect, never had problems with that).

The 10.* range is also not used in my network.

Edited by nuhll

nuhll said:

Would make sense, but Pi-hole doesn't show any DNS queries (from mobile) and the internet is also not working (I also tried 8.8.8.8, btw).

It's not another machine, but it's another IP. It's a Pi-hole Docker on Unraid.

Also, reaching Unraid (192.168.86.2) in my case should not involve DNS and should work right away, but doesn't... OR?

I must say I have a crazy network, so it might be causing issues, but I don't really know where to look because I have no experience with VPNs.

Basically I have 3 routers (multiple, triple NAT); I don't know if that makes a difference. Why? Because I bundle 4 internet lines (2x LTE + 2x DSL).

The DNS is only pointing to one router of course, and all routers (between WAN and Unraid) redirect the port to the correct destination (that's not my first port redirect, never had problems with that).

The 10.* range is also not used in my network.



Macvlan is blocked and won't work. I'm switching my AdGuard to Pi when it comes in.




Now we just need WireGuard to update and get working on Fedora; I cannot get device wg0 added to my Fedora 30 workstation laptop.

On 10/11/2019 at 9:15 PM, ljm42 said:

  • If you can connect from some locations but not others, keep in mind that the "broken" remote locations may have a firewall that blocks UDP traffic. Hopefully WireGuard will support TCP in the future, but currently there is no workaround for this.

FWIW, you can use something like sslh coupled with something like udptunnel to handle WireGuard's UDP packets over TCP on the SSL port (443), which is generally not blocked anywhere. This would be pretty manual to set up since the Unraid implementation of WireGuard doesn't "just have this", but there are Dockers for BOTH of these things...


I was having problems getting this all to work, but I figured it out after about an hour.

I was able to connect to the VPN but was not able to connect to anything on my network or get an internet connection on my phone.

It turned out to be a DNS issue, and adding the address of my home router as the DNS server to the WireGuard app on my phone fixed all of my problems.

Overall, easier to set up than OpenVPN but still took a while to troubleshoot.

I will probably keep OpenVPN as a backup to WireGuard.


Just finished setting up and testing WireGuard. Very easy, and all is working great. Can access the unRaid GUI, unRaid shares, and all servers on the LAN from a remote laptop in a different state.

Great performance.

Very impressed so far.

Thanks to the entire team.

Next step to try is iPad client access.


Slight issue here. I was successfully able to set up WireGuard using the Remote Access to Server option and connect via my phone. However, this has broken local access to Unraid's GUI for me. I am still able to connect to Dockers such as Plex, Sonarr, etc. while on the local network, just not the web GUI.


It seemed so easy at the start. But I'm lost. Like suggested, I'm using "remote tunneled access"; I want to access my LAN(s) and the internet.

My phone can connect (handshake) with Unraid.

Finally I can access the Unraid IP (I've entered the Unraid IP in allowed IPs) and see the Unraid interface.

BUT I can't access the internet (I've tried setting DNS to 8.8.8.8 or blank) [I think I can't access Unraid when I set a DNS server???]

So I've changed allowed IPs to 0.0.0.0/0 (which should mean access to all IPv4 addresses).

Then nothing works (no Unraid IP, no internet).

Any help?

I have different subnets, does this have anything to do with it? (But any of the subnets would be allowed by 0.0.0.0/0, so I don't see the problem.)

I would really like A LOG FILE, somewhere....

Edit:

SO I've got it working. I'm not quite sure what the problem was. But I disabled "private DNS" in Android settings. I've removed the DNS server in the WireGuard client's config (just blank). LAN and WAN are working.

Terrible speed, but I'll test that later (around 2.5 Mbits).

AllowedIPs I've set just to the peer tunnel address; it seems like I understood that wrong in the first place, it's not what the client is allowed to talk to, it's which IPs are allowed to connect to the VPN (?).

NOW the question is, how to use my own Pi-hole DNS server when connected to the VPN (that's the whole point for me for VPNing in). I guess my phone can reach the DNS server 192.168.86.5 perfectly fine, but someone mentioned my dns

Edit2: I don't know why, but it keeps stopping working...?! No LAN/WAN.

Can anyone post documentation on how to achieve the following: VPN into Unraid, reach LAN and internet?

Edited by nuhll

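The "local tunnel network pool" ljm42 describes earlier in the thread and the AllowedIPs confusion in the post just above come down to one rule: on the server, a peer's AllowedIPs is the source address that peer may use (its tunnel address, which is what the Unraid GUI sets), while in the client's own config AllowedIPs is the set of destinations wg-quick routes into the tunnel. This added example (not code from the forum posts or the Unraid plugin) parses constructed client configs and reports which destinations would enter the tunnel; the key and endpoint values are placeholders, and the pool and LAN ranges are the ones quoted in the thread.

```python
import ipaddress

# Server-side "local tunnel network pool" from the thread; each peer gets one host address in it.
TUNNEL_POOL = ipaddress.ip_network("10.253.0.0/24")

# Constructed client configs in wg-quick format; keys and endpoint are placeholders, not real values.
_BASE = """[Interface]
Address = 10.253.0.2/32
PrivateKey = <client-private-key-placeholder>

[Peer]
PublicKey = <server-public-key-placeholder>
Endpoint = <your-public-hostname>:51820
AllowedIPs = {allowed}
"""
LAN_ONLY_CONF = _BASE.format(allowed="10.253.0.1/32, 192.168.86.0/24")  # LAN access only
FULL_TUNNEL_CONF = _BASE.format(allowed="0.0.0.0/0")                    # LAN + internet via tunnel
PEER_ONLY_CONF = _BASE.format(allowed="10.253.0.2/32")                  # the misreading: own address only


def parse_wg_conf(text):
    """Minimal parser for the INI-like wg-quick format: list of (section, {key: value})."""
    sections = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and surrounding whitespace
        if line.startswith("[") and line.endswith("]"):
            sections.append((line[1:-1], {}))
        elif "=" in line and sections:
            key, value = (part.strip() for part in line.split("=", 1))
            sections[-1][1][key] = value
    return sections


def routed_via_tunnel(conf, destination):
    """Client side: wg-quick adds a route per AllowedIPs prefix, so only covered destinations enter the tunnel."""
    dest = ipaddress.ip_address(destination)
    for name, keys in conf:
        if name != "Peer":
            continue
        for cidr in keys.get("AllowedIPs", "").split(","):
            if cidr.strip() and dest in ipaddress.ip_network(cidr.strip(), strict=False):
                return True
    return False


def tunnel_address_ok(conf):
    """The client's own Address must be a usable host inside the server's pool (not .0 or .255)."""
    for name, keys in conf:
        if name == "Interface" and "Address" in keys:
            ip = ipaddress.ip_interface(keys["Address"]).ip
            return ip in TUNNEL_POOL and ip not in (TUNNEL_POOL.network_address, TUNNEL_POOL.broadcast_address)
    return False
```

With PEER_ONLY_CONF the phone can reach nothing but itself, which matches the "nothing works" symptom; LAN_ONLY_CONF reaches the Pi-hole at 192.168.86.5 but sends 8.8.8.8 out the mobile network, and only FULL_TUNNEL_CONF carries both.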

I've been trying to set this up to work like OpenVPN does for me, creating a direct tunnel to my server and being able to access everything as if I was sitting at the server. This includes access to my LAN and home internet. This appears to be what the remote tunneled access should do, but the most that I can get out of it is access to my LAN. Internet access does not come through. I did read about the DNS discussion earlier in this thread, but I don't plan on making any DNS changes to my phone or other computers.

So my question is, is it possible to set up WireGuard to function as an OpenVPN replacement, with the same functionality and simplicity, only requiring enabling the VPN connection on my phone to work through my server? Thanks.

Edit: I also had an issue with my script using lftp, which could not access my remote server when WireGuard was active for this configuration. I haven't really looked into it yet.

Edited by blu3wh0


Maybe it's a bug, or not working well on all phones, but what you ask should be done by "remote tunneled access".


Hahaha, I found out one of the biggest issues....

I always run my mobile in energy saver mode... which prevents apps like WireGuard from running correctly...

YOU NEED to enable UNLIMITED DATA USAGE and DEACTIVATE any ENERGY saving features for WireGuard (!!!) (or don't use energy saver mode).

So there's that mystery cleared... next question is, how to get my local DNS running. Tutorials on the internet say you can use your local DNS server (which doesn't seem to work for me); if I set the DNS to 192.168.86.5 nothing works (no local DNS, no local IP, no internet).

I GOT IT WORKING 100%

I needed to enter my router's IP as DNS (which itself gets the DNS from my local DNS server; I guess it was blocking other DNS servers?).

That's my setup which seems to work for now with my own DNS server:

(four screenshots of the working configuration were attached)

Only problem left is, how to block YouTube ads on mobile... on desktop I don't get any ads because of Pi-hole, but on mobile, even with Pi-hole as DNS server, I still get ads.. anyone any idea?

Edited by nuhll

2 hours ago, nuhll said:

YOU NEED to enable UNLIMITED DATA USAGE and DEACTIVATE any ENERGY saving features for WireGuard (!!!) (or don't use energy saver mode).

Thanks for this call out, I've added it to the Troubleshooting section.

I think you might be right about needing to specify a DNS server when in "Remote tunneled access" mode. I'll do some more testing.

Screwed up my web GUI with no way to get it back here.. great plugin

Did you not make a backup of the flash before updating or installing the plugin?


Screwed up my web GUI with no way to get it back here.. great plugin
Elaborate

19 minutes ago, earhog said:

Screwed up my web GUI with no way to get it back here.. great plugin

This plugin adds new pages to the GUI and certainly doesn't screw up the GUI. There MUST be something else in your system going on.

 

You can manually remove the plugin: delete the file "dynamix.wireguard.plg" in the folder /config/plugins on your USB stick and restart your server.

 

11 minutes ago, bonienl said:

This plugin adds new pages to the GUI and certainly doesn't screw up the GUI. There MUST be something else in your system going on.

 

You can manually remove the plugin: delete the file "dynamix.wireguard.plg" in the folder /config/plugins on your USB stick and restart your server.

 

It messed up when I set up the tunnel, killed local access somehow. The web GUI doesn't show when I connect an HDMI/DP cable. All I can do is SSH and pull up Dockers. Deleting the plugin does nothing; must have done something to a system file.

Edited by earhog


Local access should not be affected, no clue what you did.

 

You can delete the files wg0.cfg and wg0.conf in folder /boot/config/wireguard using your ssh session. A "reboot" is required to restore.


I just followed the quick start guide, I've deleted all WireGuard files. No dice.

I ended up disabling SSL and I can now access my web GUI.. Something about my default Unraid SSL setup it did not play nice with, but now I can no longer re-enable SSL.

Edited by earhog


Let me first say that setting this up was a breeze, you guys did a great job. One thing I noticed though is that when WireGuard is running, even if no clients are connected, it breaks network bridging to my VM. My Windows VM internet traffic gets sent over a VPN that is configured on my router; this determination is made based on the IP address of the VM itself. When WireGuard is in an active state the VM internet traffic is basically bypassing my router-based config and sending traffic out my regular internet connection. When I do an IP check I'm getting the public IP address of my internet connection, not the one supplied by the router VPN connection. I'm not entirely sure how this is happening; the only thing I can think is that there is a configuration bug with the network bridge in Unraid that the VM is using.

47 minutes ago, earhog said:

I just followed the quick start guide, I've deleted all WireGuard files. No dice.

I ended up disabling SSL and I can now access my web GUI.. Something about my default Unraid SSL setup it did not play nice with.

 

With SSL enabled, it requires DNS to work properly. If the DNS server is not reachable when the tunnel is active, it makes the GUI not reachable.

 
