nuhll Posted October 13, 2019

3 hours ago, ljm42 said:
> Go to Settings -> VPN Manager and switch from basic to advanced mode and look at the settings for your server, you'll see a "local tunnel network pool". It will be something like 10.253.0.0/24. All devices in this tunnel get their own unique tunnel address, from 10.253.0.1 to 10.253.0.253. Unraid manages this for you automatically, except for the bug that has been reported when using "remote tunneled access". Until that is fixed, you can pick any IP from 10.253.0.1 to 10.253.0.253, as long as it isn't already assigned to another client on this page.

So it's the client IP inside the VPN network.

bonienl Posted October 13, 2019

4 minutes ago, nuhll said:
> So it's the client IP inside the VPN network.

Yes, to be more precise, the IP address of the tunnel endpoint at the client (peer) side.

nuhll Posted October 13, 2019

I've read about the security problems with it, and as far as I understand this is just a problem for big companies. I mean we can add 2, 3, 4 peers by hand np.

Should I be able to ping the "local tunnel address" from my normal network? I don't understand why it's not working. I changed allowed IPs to 0.0.0.0 which should mean everything, right? The handshake seems to work.

Data sent: 960 B
Data received: 1.25 KB
Last handshake: 57 seconds ago

But I can't browse the internet (or local network) via mobile if I enable the VPN. See picture for more.

What I've changed on the client (mobile) was adding a DNS server (my own local DNS server), in this case it's 192.168.86.5.

bonienl Posted October 13, 2019

If your DNS server is another machine than your Unraid server, it needs a route back to your mobile over the VPN tunnel. In other words, your mobile gets to your local DNS server over the VPN tunnel, but the DNS server doesn't know the way back.

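The missing return route described in the post above, as an added example that is not part of the original thread: it walks a reply from the DNS server hop by hop through constructed routing tables, before and after a static route for the tunnel pool is added. The router at 192.168.86.1, the host names and the phone's tunnel address 10.253.0.2 are assumptions for illustration.

```python
import ipaddress

# Constructed routing tables: (destination network, next hop).
# "lan" = delivered on the local segment, "wan" = leaves for the internet,
# "wg0" = handed to the WireGuard tunnel on the Unraid server.
TABLES = {
    "dns":    [("192.168.86.0/24", "lan"), ("0.0.0.0/0", "router")],
    "router": [("192.168.86.0/24", "lan"), ("0.0.0.0/0", "wan")],
    "unraid": [("192.168.86.0/24", "lan"), ("10.253.0.0/24", "wg0"),
               ("0.0.0.0/0", "router")],
}
PHONE = "10.253.0.2"  # constructed tunnel address of the mobile peer


def next_hop(routes, dst):
    """Longest-prefix match over one host's routes; None if nothing matches."""
    addr = ipaddress.ip_address(dst)
    hits = [(ipaddress.ip_network(net), via) for net, via in routes
            if addr in ipaddress.ip_network(net)]
    return max(hits, key=lambda h: h[0].prefixlen)[1] if hits else None


def trace(tables, start, dst, max_hops=8):
    """Follow a packet hop by hop and return the path it takes."""
    path, host = [start], start
    for _ in range(max_hops):
        via = next_hop(tables[host], dst)
        path.append(via if via else "drop")
        if via not in tables:  # lan / wan / wg0 / no route end the walk
            break
        host = via
    return path


def with_route(tables, host, network, via):
    """Return a copy of the tables with one static route added on `host`."""
    new = {h: list(r) for h, r in tables.items()}
    new[host].append((network, via))
    return new


if __name__ == "__main__":
    # Reply from the DNS server to the phone: default route sends it to the WAN.
    print(trace(TABLES, "dns", PHONE))
    # Static route for the tunnel pool on the router, pointing at Unraid.
    fixed = with_route(TABLES, "router", "10.253.0.0/24", "unraid")
    print(trace(fixed, "dns", PHONE))
```
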
nuhll Posted October 13, 2019

18 minutes ago, bonienl said:
> If your DNS server is another machine than your Unraid server, it needs a route back to your mobile over the VPN tunnel. In other words, your mobile gets to your local DNS server over the VPN tunnel, but the DNS server doesn't know the way back.

Would make sense, but pihole doesn't show any DNS queries (from mobile) and internet is also not working (I also tried 8.8.8.8 btw).

It's not another machine, but it's another IP. It's a pihole docker on Unraid.

Also, reaching Unraid (192.168.86.2) in my case should not involve DNS and should work right away, but doesn't... OR?

I must say I have a crazy network, so it might be causing issues, but I don't really know where to look because I have no experience with VPNs. Basically I have 3 routers (multiple, triple NAT), I don't know if that makes a difference. Why? Because I bundle 4 internet lines (2x LTE + 2x DSL).

The DNS is only pointing to one router ofc, and all routers (between WAN and Unraid) redirect the port to the correct destination (that's not my first port redirect, never had problems with that). The 10.* is also not used in my network.

H2O_King89 Posted October 13, 2019

> Would make sense, but pihole doesn't show any DNS queries (from mobile) and internet is also not working (I also tried 8.8.8.8 btw).
>
> It's not another machine, but it's another IP. It's a pihole docker on Unraid.
>
> Also, reaching Unraid (192.168.86.2) in my case should not involve DNS and should work right away, but doesn't... OR?
>
> I must say I have a crazy network, so it might be causing issues, but I don't really know where to look because I have no experience with VPNs. Basically I have 3 routers (multiple, triple NAT), I don't know if that makes a difference. Why? Because I bundle 4 internet lines (2x LTE + 2x DSL).
>
> The DNS is only pointing to one router ofc, and all routers (between WAN and Unraid) redirect the port to the correct destination (that's not my first port redirect, never had problems with that). The 10.* is also not used in my network.

Macvlan is blocked and won't work. I'm switching my adguard to pi when it comes in.

Can0n Posted October 13, 2019

Now we just need WireGuard to update and get working on Fedora; I cannot get device wg0 added to my Fedora 30 workstation laptop.

Xaero Posted October 13, 2019

On 10/11/2019 at 9:15 PM, ljm42 said:
> If you can connect from some locations but not others, keep in mind that the "broken" remote locations may have a firewall that blocks UDP traffic. Hopefully WireGuard will support TCP in the future, but currently there is no workaround for this.

FWIW, you can use something like sslh coupled with something like udptunnel to handle the UDP packets of WireGuard over TCP on the SSL port (443), which is generally not blocked anywhere. This would be pretty manual to set up since the Unraid implementation of WireGuard doesn't "just have this", but there are dockers for BOTH of these things...

bu2d Posted October 15, 2019

I was having problems getting this all to work but I figured it out after about an hour. I was able to connect to the VPN but was not able to connect to anything on my network or get an internet connection on my phone. It turned out to be a DNS issue, and adding the address of my home router as the DNS server in the WireGuard app on my phone fixed all of my problems. Overall, easier to set up than OpenVPN but it still took a while to troubleshoot. I will probably keep OpenVPN as a backup to WireGuard.

tomjrob Posted October 15, 2019

Just finished setting up and testing WireGuard. Very easy, and all is working great. Can access the Unraid GUI, Unraid shares, and all servers on the LAN from a remote laptop in a different state. Great performance. Very impressed so far. Thanks to the entire team. Next step to try is iPad client access.

earhog Posted October 16, 2019

Slight issue here. I was successfully able to set up WireGuard using the Remote Access to Server option and connect via my phone. However, this has broken local access to Unraid's GUI for me. I am still able to connect to dockers such as Plex, Sonarr, etc. while on the local network, just not the web GUI.

nuhll Posted October 16, 2019

It seemed so easy at the start. But I'm lost.

As suggested, I'm using "remote tunneled access".

- I want to access my LAN(s)
- and internet.

My phone can connect (handshake) with Unraid. Finally I can access the Unraid IP (I've entered the Unraid IP in allowed IPs) and see the Unraid interface. BUT I can't access the internet (I've tried setting DNS to 8.8.8.8 or blank) [I think I can't access Unraid when I set a DNS server???]

So I've changed allowed IPs to 0.0.0.0/0 (which should mean access to all IPv4 addresses). Then nothing works (no Unraid IP, no internet).

Any help? I have different subnets, does this have anything to do with it? (But any of the subnets would be allowed by 0.0.0.0/0, so I don't see the problem.)

I would really like A LOG FILE, somewhere....

Edit: So I've got it working. I'm not quite sure what the problem was. But I disabled "private DNS" in Android settings. I've removed the DNS server in the WireGuard client's config (just blank). LAN and WAN are working. Terrible speed, but I'll test that later (around 2.5 Mbit/s).

AllowedIPs I've set just to the peer tunnel address. It seems like I understood that wrong in the first place: it's not what the client is allowed to talk to, it's which IPs are allowed to connect to the VPN (?).

NOW the question is how to use my own pihole DNS server when connected to the VPN (that's the whole point of VPNing in for me). I guess my phone can reach the DNS server 192.168.86.5 perfectly fine, but someone mentioned my dns

Edit2: I don't know why. But it keeps stopping working...?! No LAN/WAN.

Can anyone post documentation on how to achieve the following: VPN into Unraid, reach LAN and internet?

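How WireGuard applies AllowedIPs in each direction, as an added example that is not part of the original thread: outbound, the destination address selects the peer by longest matching prefix; inbound, a decrypted packet is kept only if its inner source address lies inside the sending peer's AllowedIPs. The peer names, the server tunnel address 10.253.0.1 and the phone address 10.253.0.2 are constructed for illustration.

```python
import ipaddress


def _nets(allowed):
    """Parse a comma-separated AllowedIPs value into network objects."""
    return [ipaddress.ip_network(a.strip()) for a in allowed.split(",")]


def select_peer(peers, dst):
    """Outbound: pick the peer whose AllowedIPs holds the longest prefix
    containing dst. None means the packet does not enter the tunnel."""
    addr = ipaddress.ip_address(dst)
    hits = [(net.prefixlen, name) for name, allowed in peers.items()
            for net in _nets(allowed) if addr in net]
    return max(hits)[1] if hits else None


def accept_inbound(peers, peer, src):
    """Inbound: a packet decrypted from `peer` is kept only if its inner
    source address falls inside that peer's AllowedIPs."""
    addr = ipaddress.ip_address(src)
    return any(addr in net for net in _nets(peers[peer]))


# Constructed configs: peer name -> AllowedIPs string.
SERVER = {"phone": "10.253.0.2/32"}                    # Unraid side
PHONE_TUNNEL_ONLY = {"unraid": "10.253.0.1/32"}        # only the tunnel endpoint
PHONE_SPLIT = {"unraid": "10.253.0.0/24, 192.168.86.0/24"}  # tunnel + LAN
PHONE_FULL = {"unraid": "0.0.0.0/0"}                   # all IPv4 via the tunnel


def summarize(phone_peers, destinations):
    """Map each destination to the peer it would be sent to (or None)."""
    return {d: select_peer(phone_peers, d) for d in destinations}


if __name__ == "__main__":
    targets = ["10.253.0.1", "192.168.86.5", "8.8.8.8"]
    for label, cfg in [("tunnel only", PHONE_TUNNEL_ONLY),
                       ("split", PHONE_SPLIT), ("full", PHONE_FULL)]:
        print(label, summarize(cfg, targets))
    # Server keeps traffic sourced from the phone's tunnel address only.
    print(accept_inbound(SERVER, "phone", "10.253.0.2"))
    print(accept_inbound(SERVER, "phone", "192.168.86.50"))
```
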
blu3wh0 Posted October 16, 2019

I've been trying to set this up to work like OpenVPN does for me, creating a direct tunnel to my server and being able to access everything as if I was sitting at the server. This includes access to my LAN and home internet. This appears to be what the remote tunneled access should do, but the most that I can get out of it is access to my LAN. Internet access does not come through. I did read about the DNS discussion earlier in this thread, but I don't plan on making any DNS changes to my phone or other computers.

So my question is, is it possible to set up WireGuard to function as an OpenVPN replacement, with the same functionality and simplicity, only requiring enabling the VPN connection on my phone to work through my server? Thanks.

Edit: I also had an issue with my script using lftp, which could not access my remote server when WireGuard was active for this configuration. I haven't really looked into it yet.

nuhll Posted October 16, 2019

Maybe it's a bug, or not working well on all phones, but what you ask is what "remote tunneled access" should do.

nuhll Posted October 16, 2019

Hahha, I found out one of the biggest issues.... I always run my mobile in energy saver mode... which prevents apps like WireGuard from running correctly...

YOU NEED to enable UNLIMITED DATA USAGE and DEACTIVATE any ENERGY saving features for WireGuard (!!!) (or don't use energy saver mode).

So there's that mystery cleared... Next question is how to get my local DNS running. Tutorials on the internet say you can use your local DNS server (which doesn't seem to work for me). If I set the DNS to 192.168.86.5 nothing works (local DNS not, local IP not, internet not).

I GOT IT WORKING 100%. I needed to enter my router's IP as DNS (which itself gets the DNS from my local DNS server - I guess it was blocking other DNS servers?)

That's my setup which seems to work for now with my own DNS server:

Only problem left is how to block YouTube ads on mobile... On desktop I don't get any ads because of pihole, but on mobile, even with pihole as DNS server, I still get ads.. Anyone any idea?

ljm42 (Author) Posted October 16, 2019

2 hours ago, nuhll said:
> YOU NEED to enable UNLIMITED DATA USAGE and DEACTIVATE any ENERGY saving features for WireGuard (!!!) (or don't use energy saver mode).

Thanks for this callout, I've added it to the Troubleshooting section.

I think you might be right about needing to specify a DNS server when in "Remote tunneled access" mode. I'll do some more testing.

earhog Posted October 16, 2019

Screwed up my webgui with no way to get it back here.. great plugin

H2O_King89 Posted October 16, 2019

> Screwed up my webgui with no way to get it back here.. great plugin

Did you not make a backup of the flash before updating or installing the plugin?

Squid Posted October 16, 2019

> Screwed up my webgui with no way to get it back here.. great plugin

Elaborate

bonienl Posted October 16, 2019

19 minutes ago, earhog said:
> Screwed up my webgui with no way to get it back here.. great plugin

This plugin adds new pages to the GUI and certainly doesn't screw up the GUI. There MUST be something else in your system going on.

You can manually remove the plugin: delete the file "dynamix.wireguard.plg" in the folder /config/plugins on your USB stick and restart your server.

earhog Posted October 16, 2019

11 minutes ago, bonienl said:
> This plugin adds new pages to the GUI and certainly doesn't screw up the GUI. There MUST be something else in your system going on.
>
> You can manually remove the plugin: delete the file "dynamix.wireguard.plg" in the folder /config/plugins on your USB stick and restart your server.

It messed up when I set up the tunnel, killed local access somehow. Webgui doesn't show when I connect an HDMI/DP cable. All I can do is ssh and pull up dockers. Deleting the plugin does nothing, must have done something to a system file.

bonienl Posted October 16, 2019

Local access should not be affected, no clue what you did.

You can delete the files wg0.cfg and wg0.conf in folder /boot/config/wireguard using your ssh session. A "reboot" is required to restore.

earhog Posted October 16, 2019

I just followed the quick start guide, I've deleted all WireGuard files. No dice.

I ended up disabling SSL and I can now access my webgui.. Something about my default Unraid SSL setup it did not play nice with, but now I can no longer re-enable SSL.

climber455 Posted October 16, 2019

Let me first say that setting this up was a breeze, you guys did a great job. One thing I noticed though is that when WireGuard is running, even if no clients are connected, it breaks network bridging to my VM.

My Windows VM internet traffic gets sent over a VPN that is configured on my router; this determination is made based on the IP address of the VM itself. When WireGuard is in an active state, the VM internet traffic is basically bypassing my router-based config and sending traffic out my regular internet connection. When I do an IP check I'm getting the public IP address of my internet connection, not the one supplied by the router VPN connection.

I'm not entirely sure how this is happening; the only thing I can think of is that there is a configuration bug with the network bridge in Unraid that the VM is using.

bonienl Posted October 16, 2019

47 minutes ago, earhog said:
> I just followed the quick start guide, I've deleted all wireguard files. No dice. I ended up disabling SSL and I can now access my webgui.. Something about my default unraid SSL set up it did not play nice with.

With SSL enabled, it requires DNS to work properly. If the DNS server is not reachable when the tunnel is active, it makes the GUI not reachable.