WireGuard quickstart


ljm42


On 7/10/2021 at 12:54 AM, dannydev said:

Hey guys, I know this was referenced recently but is there a way to route only certain containers/VMs through the "VPN tunneled access" feature? When using my current config generated from pia-wg, it attempts to route all data going out of the server to the VPN.

 

This thread has the latest info on connecting to commercial providers:  

There has been no change in regards to individual dockers, so what you see on the first post there is still correct.

Link to comment
On 7/13/2021 at 2:36 PM, ezzys said:

Hi all,  I have set up wireguard and I can access internet and local lan from my android phone when out and about. However when I tried to use the wireguard config with ubuntu I can only access the internet, not the lan. This means that I cannot access my unraid server (the main purpose of running wireguard).

 

I have pretty much used all the standard / default settings and I am tunnelling all traffic, with 0.0.0.0/0 in my config file.

 

Does anyone have any suggestions?

 

So your phone and Ubuntu clients are configured identically in the Unraid webgui, but they behave differently? It would have to be something about the Ubuntu client or the network it is on that is causing the issue. For instance, if the Ubuntu client and the Unraid server are both on the same subnet then things will not work correctly. Or if the Ubuntu client has a firewall perhaps it is blocking access to certain subnets.  I would start by troubleshooting the Ubuntu client since you know the configuration works correctly on the phone.

 

Link to comment
On 7/1/2021 at 2:22 PM, ljm42 said:

 

"Gone" as in not started? Do you have the tunnel set to autostart?

 

Or "Gone" as in nothing is there and you have to recreate it? The files are stored in the config/wireguard folder on your flash drive. If those files go missing then I'd suspect an issue with your flash drive. We may be able to confirm issues with the flash drive if you upload your diagnostics zip file ( from Tools -> Diagnostics )

I'm sorry, I mean the connection never gets through again. All settings are there, auto-start on, but once the server is rebooted, the tunnel stops working

 

Am I the only one with this sort of problem? :(

Link to comment
  • 5 weeks later...

I used to have a Wireguard tunnel set up and running, but I was unable to get remote working by using my domain name (only my server IP would work remotely). I was able to use this to access the WebGUI remotely.

 

I recently switched from using Google domain, to using Cloudflare for DNS management. I have been able to get everything set up to where I can now access docker containers like Jellyfin remotely (using Nginx Proxy Manager).

 

I have read that you should not use NPM to access your WebGUI remotely. So I am trying to set up a Wireguard tunnel again.

 

I can not seem to get it to work properly. 

 

Right now I am able to connect to the Tunnel/Peer I set up on my phone. If I try to go to mydomain.com, it directs me to the NPM 'Congratulations' landing page. I want it to work where going to mydomain.com sends me to my Unraid WebGUI. If I try to access my WebGUI by going to 192.xxx.x.xxx it just times out and doesn't take me anywhere.

 

Where am I messing up? I'm not sure if I'm missing something on my router (Unifi), Cloudflare, NPM, or unraid GUI. 

 

Any help would be much appreciated. 

 

**edit**

 

All of the above was on my Phone, not connected to my LAN. When I connect to my LAN, I am able to access my WebGUI by going to 192.xxx.x.xxx, and if I go to mydomain.com I still get the NPM 'Congratulations' landing page.

 

**edit #2**

 

I was not able to get anything to work at all when selecting 'remote tunnel access'. When I switched to 'Remote access to LAN' that is when I started to be able to access the internet, and the NPM 'Congratulations' landing page. 

Edited by hive_minded
Link to comment

 

On 8/15/2021 at 11:52 AM, hive_minded said:

I want it to work where going to mydomain.com sends me to my Unraid WebGUI

 

WireGuard VPN does not change the url to your webgui. It is intended to give your remote device access to your network as though it were connected directly to the network.

 

On 8/15/2021 at 11:52 AM, hive_minded said:

I was not able to get anything to work at all when selecting 'remote tunnel access'. When I switched to 'Remote access to LAN' that is when I started to be able to access the internet, and the NPM 'Congratulations' landing page. 

 

If VPN works on "Remote access to LAN" but not "Remote tunneled access", there is likely a DNS issue. Switch from basic view to advanced and set the "Peer DNS server", either to the DNS server on Unraid's LAN (if there is one) or a global DNS server like 8.8.8.8

 

Don't forget that every time you make a change to the WireGuard config settings, you need to download the new config file to your phone

Link to comment

So, I had this working fine and for some reason it recently stopped.  I can't get it to show a connection or handshake.  I've tried to reconfigure and even deleted the tunnel and started from scratch.  I have upnp enabled on my router but the server is showing it's not set.  I also have the port forwarded to the server. I've switched to my wan ip instead of ddns that was working.  I've read through the troubleshooting tips at the start of this thread but am not sure where to look next.  Any recommendations on what info I can provide to help get this resolved? Client is on an Android phone, wifi is off in order to use cell network.

 

[screenshots: upnp, forward, settings]

Link to comment
1 hour ago, Waltm said:

I can't get it to show a connection or handshake. 

 

Everything looks good. Once you start the WireGuard client on the phone, are you doing anything to trigger a data transfer? There won't be a handshake until you send data. 

Link to comment
12 hours ago, ljm42 said:

 

Everything looks good. Once you start the WireGuard client on the phone, are you doing anything to trigger a data transfer? There won't be a handshake until you send data. 

 

 

Yeah, I try to reach the unRaid server in the phone's web browser using its IP address, and splashtop to access other machines on the network. They are the only things I really use it for and both stopped working.

 

Oddly enough, after 3 days of trying everything I can think of, it just started working on its own this morning. I'm happy that it's working but it really bugs me when problems 'resolve' themselves without me knowing what caused them or why they suddenly work again. I'll try switching it back to ddns when I get home tonight but don't think I'll have an issue with that now either.

 

Thanks for chiming in with advice, I really appreciate the help.

 

It still shows upnp forwarding not set, but can I ignore that if it seems to be working again, or is it something I should be concerned with?

Link to comment

Hey,

 

Quick question, I set up Wireguard VPN for a few members of my family, mainly to access Overseer and Nextcloud.

 

I used "remote access to server" as tunneling for all clients.

In settings, they can connect to the server using IP address 10.253.0.1

 

But, they also can access with the local address of the server (for my case 192.168.1.10), is that expected behavior?

Thanks !

Link to comment
On 8/20/2021 at 4:42 AM, Waltm said:

 

 

Yeah, I try to reach the unRaid server in the phone's web browser using its IP address, and splashtop to access other machines on the network. They are the only things I really use it for and both stopped working.

 

Oddly enough, after 3 days of trying everything I can think of, it just started working on its own this morning. I'm happy that it's working but it really bugs me when problems 'resolve' themselves without me knowing what caused them or why they suddenly work again. I'll try switching it back to ddns when I get home tonight but don't think I'll have an issue with that now either.

 

Thanks for chiming in with advice, I really appreciate the help.

 

That is confusing, but I am glad it is working

 

On 8/20/2021 at 4:42 AM, Waltm said:

It still shows upnp forwarding not set, but can I ignore that if it seems to be working again, or is it something I should be concerned with?

 

Since you have manually setup a port forward, just change "Local gateway uses UPnP" to No.

 

Link to comment
7 minutes ago, Alex.b said:

Hey,

 

Quick question, I set up Wireguard VPN for a few members of my family, mainly to access Overseer and Nextcloud.

 

I used "remote access to server" as tunneling for all clients.

In settings, they can connect to the server using IP address 10.253.0.1

 

But, they also can access with the local address of the server (for my case 192.168.1.10), is that expected behavior?

Thanks !

 

If you click the little "eye" icon next to the peer and look at the AllowedIPs you'll see the IPs the client is able to connect to. It looks like it includes both the tunnel IP and the server's LAN IP. TBH I only expected to see the tunnel IP there, but I guess it doesn't hurt.

Link to comment
1 minute ago, ljm42 said:

 

If you click the little "eye" icon next to the peer and look at the AllowedIPs you'll see the IPs the client is able to connect to. It looks like it includes both the tunnel IP and the server's LAN IP. TBH I only expected to see the tunnel IP there, but I guess it doesn't hurt.

Oh yes, you're right: AllowedIPs=10.253.0.1/32, 192.168.1.10/32

But it doesn't appear there:

 

[screenshot]

 

I tested the plugin a few months ago, I'm pretty sure it wasn't possible to access with the server's LAN IP. I don't need to worry? Isn't that going to create a security issue or something? I want to compartmentalize as much as possible. (Sorry I'm a little anxious to open the server! 😂)

Link to comment
4 minutes ago, Alex.b said:

Oh yes, you're right: AllowedIPs=10.253.0.1/32, 192.168.1.10/32

But it doesn't appear there:

 

[screenshot]

 

I tested the plugin a few months ago, I'm pretty sure it wasn't possible to access with the server's LAN IP. I don't need to worry? Isn't that going to create a security issue or something? I want to compartmentalize as much as possible. (Sorry I'm a little anxious to open the server! 😂)

 

WireGuard has two sets of "Allowed IPs", one that goes in the server config and one that goes in the client config.

 

The webgui allows you to edit the one that goes on the server. You can click the "eye" icon next to the tunnel name to confirm that.

 

The webgui modifies the one that goes in the client file depending on what you choose for "peer type of access". If you want to modify it further after installing on the client you can, but it is usually not necessary.

 

I can't think of a reason why having both IPs there would be a riskier than just having the tunnel IP. They both provide access to the server.

 

 

Link to comment
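The two AllowedIPs lists explained in the reply above behave differently: on the client, AllowedIPs decides which destinations are sent into the tunnel; on the server, the peer's AllowedIPs is also the source-address filter WireGuard applies to every decrypted packet from that peer (cryptokey routing). The following script is an added example, not code from the Unraid WireGuard plugin. It models both checks with Python's `ipaddress` module. The mapping from "peer type of access" to client-side AllowedIPs is an assumption built from the values quoted in this thread (10.253.0.1/32 plus the server's LAN IP for "Remote access to server", 0.0.0.0/0 for "Remote tunneled access"); "Remote access to LAN" is assumed to add the tunnel and LAN subnets. The addresses are constructed from the thread (tunnel 10.253.0.0/24, server LAN IP 192.168.1.10).

```python
"""Model of WireGuard cryptokey routing for the AllowedIPs values discussed above.

Added example; not the Unraid plugin's code. The peer-type -> client AllowedIPs
mapping is an assumption modelled on the values quoted in the thread.
"""
import ipaddress
from typing import List

# Constructed sample values taken from the thread (assumed layout).
TUNNEL_NET = "10.253.0.0/24"
SERVER_TUNNEL_IP = "10.253.0.1"
SERVER_LAN_IP = "192.168.1.10"
LAN_NET = "192.168.1.0/24"


def parse_allowed_ips(value: str) -> List[ipaddress.IPv4Network]:
    """Parse the comma-separated AllowedIPs string found in a WireGuard config."""
    return [
        ipaddress.ip_network(part.strip(), strict=False)
        for part in value.split(",")
        if part.strip()
    ]


def client_allowed_ips(peer_type: str) -> str:
    """Client-side AllowedIPs for each peer type (assumed mapping, see module docstring)."""
    if peer_type == "Remote access to server":
        # The thread shows both the tunnel IP and the server's LAN IP here.
        return f"{SERVER_TUNNEL_IP}/32, {SERVER_LAN_IP}/32"
    if peer_type == "Remote access to LAN":
        # Assumption: the whole tunnel subnet and the whole LAN subnet.
        return f"{TUNNEL_NET}, {LAN_NET}"
    if peer_type == "Remote tunneled access":
        # Quoted in the thread: all traffic goes through the tunnel.
        return "0.0.0.0/0"
    raise ValueError(f"unknown peer type: {peer_type}")


def routes_into_tunnel(client_allowed: str, dst: str) -> bool:
    """Client side: a destination enters the tunnel only if it matches AllowedIPs.

    Anything else takes the normal route. This is why a peer set up as
    'Remote access to server' can reach 192.168.1.10 but no other LAN host.
    """
    addr = ipaddress.ip_address(dst)
    return any(addr in net for net in parse_allowed_ips(client_allowed))


def server_accepts_packet(server_allowed: str, src: str) -> bool:
    """Server side: a decrypted packet from a peer is accepted only if its source
    address lies inside that peer's AllowedIPs; otherwise WireGuard drops it.

    This anti-spoofing check is what makes the server-side list the one to audit.
    """
    addr = ipaddress.ip_address(src)
    return any(addr in net for net in parse_allowed_ips(server_allowed))


def lan_exposure(client_allowed: str, lan_net: str = LAN_NET) -> int:
    """Count LAN addresses the client would route into the tunnel.

    Gives a quick measure of how much of the LAN a peer type exposes to a client.
    """
    lan = ipaddress.ip_network(lan_net)
    covered = set()
    for net in parse_allowed_ips(client_allowed):
        if not net.overlaps(lan):
            continue
        # CIDR blocks either nest or are disjoint, so the overlap is one of them.
        part = net if net.subnet_of(lan) else lan
        covered.update(part)
    return len(covered)


if __name__ == "__main__":
    for peer_type in ("Remote access to server", "Remote access to LAN", "Remote tunneled access"):
        allowed = client_allowed_ips(peer_type)
        print(f"{peer_type}: AllowedIPs={allowed}")
        print(f"  reaches 192.168.1.10: {routes_into_tunnel(allowed, SERVER_LAN_IP)}")
        print(f"  reaches 192.168.1.20: {routes_into_tunnel(allowed, '192.168.1.20')}")
        print(f"  LAN addresses exposed: {lan_exposure(allowed)}")
    # Server-side filter for a peer whose tunnel address is 10.253.0.2
    print("server accepts src 10.253.0.2:", server_accepts_packet("10.253.0.2/32", "10.253.0.2"))
    print("server accepts src 192.168.1.50:", server_accepts_packet("10.253.0.2/32", "192.168.1.50"))
```

Running it shows the point made in the reply: with "Remote access to server" the client routes exactly one LAN address (the server's) into the tunnel, so the extra /32 does not widen what the peer can reach, while the server-side AllowedIPs still drops any packet whose source is not the peer's own tunnel address.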

Okay, thanks for the clarification!

 

Last question: with the WebUI password and no access at all to Shares, have I done what was necessary to "secure access" and prevent them from doing stupid things or uploading malware or something like this?

Link to comment
27 minutes ago, Alex.b said:

Okay, thanks for the clarification!

 

Last question: with the WebUI password and no access at all to Shares, have I done what was necessary to "secure access" and prevent them from doing stupid things or uploading malware or something like this?

 

Please see this from the first post:
 

Quote

 

Understand that giving someone VPN access to your LAN is just like giving them physical access to your LAN, except they have it 24x7 when you aren't around to supervise.  Only give access to people and devices that you trust, and make certain that the configuration details (particularly the private keys) are not passed around insecurely. Regardless of the "connection type" you choose, assume that anyone who gets access to this configuration information will be able to get full access to your network. 

 

 

Link to comment

do people generally use remote tunneled access or remote access to LAN if they want an always-on connection from their iOS device to access their server / apps / pihole adblocking etc.?

 

and also - does anyone know what kind of battery life impact having an always-on wireguard VPN (with either access to lan or remote tunneled access option) would have on a typical iPhone 11 / 12 etc.?

Edited by Linguafoeda
Link to comment

Hey,

I have configured it according to the instructions. Disabled NAT and added a static route. I can connect to wireguard and access unraid (10.10.10.254) and router (10.10.10.253). However, other devices in the LAN cannot be accessed (including AP, unraid VM, custom IP docker).

Thanks! [screenshots]

Link to comment

I cannot access shares on unraid from my windows laptop. I have "remote access to LAN" and indeed my laptop can ping my unraid server and my router, so I do indeed have connection to devices on my LAN. I can also access my dockers' webGUIs. The wireguard connection is working in every way *except* I cannot access my shares.

Even if I type the network address into file explorer \\x.x.x.x\share it cannot access the share.

I tried setting tunnels both with specified NAT port forwarding and going UPnP alternatively.  No dice.  Before OpenVPN was deprecated I was using it as a docker image and was able to get remote access to my shares no problem... so I dunno what's going on here?

[SOLVED]
Had to stop the array and add the wireguard network pool to Settings > Network Services > SMB > hosts allow = 10.253.0.0/24. After I did that I could manually enter \\serverip\share in File Explorer and then map the drive. Big success!

Edited by clay_statue
Solved!
Link to comment
11 hours ago, clay_statue said:

I cannot access shares on unraid from my windows laptop. I have "remote access to LAN" and indeed my laptop can ping my unraid server and my router, so I do indeed have connection to devices on my LAN. I can also access my dockers' webGUIs. The wireguard connection is working in every way *except* I cannot access my shares.

Even if I type the network address into file explorer \\x.x.x.x\share it cannot access the share.

I tried setting tunnels both with specified NAT port forwarding and going UPnP alternatively.  No dice.  Before OpenVPN was deprecated I was using it as a docker image and was able to get remote access to my shares no problem... so I dunno what's going on here?

[SOLVED]
Had to stop the array and add the wireguard network pool to Settings > Network Services > SMB > hosts allow = 10.253.0.0/24. After I did that I could manually enter \\serverip\share in File Explorer and then map the drive. Big success!

 

Very interesting. I haven't heard of anyone having to do this before, what version of Unraid is it?

 

I don't see this setting anywhere, is it something you did under SMB Extras? Would you please post a screenshot so I can see how it all fits together?

Link to comment

I am having an issue where my android phone is working fine, but my windows laptop is not.

 

Both are configured identically, see picture. My android phone does everything. I can access my shares and web GUIs.

 

My laptop can access shares but cannot access ANY webGUIs (unraid, dockers, gateway) OR use RDP. My laptop can successfully ping my gateway/local DNS server, as well as the computer I am trying to RDP with. Unraid server can ping my laptop. The local computer I am trying to RDP onto cannot ping my laptop, however.

 

Phone and laptop are on identical wifi as of testing and I have already tried opening the firewalls. My laptop can only successfully ping using IP address, not hostname, but NSLOOKUP shows correct entries coming from my local DNS/Gateway.

 

Any thoughts? 

 

https://imgur.com/a/Tky0Bcp

Edited by Bulletoverload
Link to comment

I'm trying to get access to a docker that has a custom IP. I've tried to do everything listed in the complex setups section, but just can't get it to work.

 

Currently I can access Unraid server over the wg connection. I can access dockers that use the server ip. I can access other lan devices. But cannot access dockers with custom ip.

 

I have set Use NAT to No and I have Host access to custom networks enabled. I'm using DD-WRT on my router and have set a static route as follows. Is it set correctly?

 

Edit: I have Peer type set to 'Remote access to LAN'.

 

[screenshot: routing]

Edited by lsaranto
Link to comment
2 hours ago, lsaranto said:

I'm trying to get access to a docker that has a custom IP. I've tried to do everything listed in the complex setups section, but just can't get it to work.

 

Currently I can access Unraid server over the wg connection. I can access dockers that use the server ip. I can access other lan devices. But cannot access dockers with custom ip.

 

I have set Use NAT to No and I have Host access to custom networks enabled. I'm using DD-WRT on my router and have set a static route as follows. Is it set correctly?

[screenshot: routing]

 

It looks like you have set the Gateway to the IP of your router? Per the OP that should be the IP of your Unraid system.

 

 

Link to comment
