WireGuard quickstart


ljm42


1 minute ago, ljm42 said:

 

It looks like you have set the Gateway to the IP of your router? Per the OP that should be the IP of your Unraid system.


Yes, I should have been more clear. My Unraid is 192.168.0.1. My router is 192.168.0.254. Call me weird, but I don't like the router taking the first address.

Link to comment

I think my docker settings were somewhat corrupted. I think even though 'Host access to custom networks' showed enabled it actually wasn't. Possibly for containers created after a certain Unraid update. I stopped and started docker service a couple of times and toggled Host access setting back and forth in-between. Now I got access to docker containers with custom ips, too.

Link to comment

Now I have an issue with the Local tunnel firewall option, which doesn't seem to have any effect. I've entered the IP of the docker I want to access and changed the rule to Allow. However when testing I can still access any IP on the LAN. I also tried rule Deny, but that didn't have any effect either.

 

Have I misunderstood the purpose of that setting?

Link to comment
3 minutes ago, lsaranto said:

Now I have an issue with the Local tunnel firewall option, which doesn't seem to have any effect. I've entered the IP of the docker I want to access and changed the rule to Allow. However when testing I can still access any IP on the LAN. I also tried rule Deny, but that didn't have any effect either.

 

Have I misunderstood the purpose of that setting?

 

I have actually never used that feature. Thinking out loud... I wonder if it can't block access to resources that are on this server? See if it works to block access to something else on your network.

Link to comment
On 9/11/2021 at 8:25 PM, Bulletoverload said:

I am having an issue where my android phone is working fine, but my windows laptop is not.

 

Both are configured identically, see picture. My android phone does everything. I can access my shares and web GUIs.

 

My laptop can access shares but cannot access ANY webGUIs (unraid, dockers, gateway) OR use RDP. My laptop can successfully ping my gateway/local DNS server, as well as the computer I am trying to RDP with. Unraid server can ping my laptop. The local computer I am trying to RDP onto cannot ping my laptop, however.

 

Phone and laptop are on identical wifi as of testing and I have already tried opening the firewalls. My laptop can only successfully ping using IP address, not hostname, but NSLOOKUP shows correct entries coming from my local DNS/Gateway.

 

Any thoughts? 

 

https://imgur.com/a/Tky0Bcp

Anything @ljm42?

Edit: Nevermind! I just got the WireGuard update and it's working now. Weird.

Edited by Bulletoverload
Link to comment

Hi guys, 

 

So I managed to set up WireGuard in UNRAID and everything runs fine so far. However, I noticed that I'm unable to access some of my Docker applications that are running behind an NGINX Reverse Proxy. Does anyone have an idea what might lead to them being inaccessible?

 

Wireguard client is connected using 'Remote tunnelled access'

NAT is disabled in the Wireguard settings

I am running a static route to my UNRAID Server in my Unifi Controller

Wireguard's port is forwarded in Unifi's port forwarding settings

 

Happy to provide more information, if needed.

 

Link to comment

I've set up WireGuard for a complex network but I'm unable to access my shinobicctv docker that is on a VLAN. The VLAN has a subnet of 10.5.20.0/24. I'm able to ping and tracert all IP addresses on the VLAN through WireGuard but can't access them via webgui. I can access the router at 10.5.20.1 though. Any ideas?

Link to comment
  • 2 weeks later...

I've been trying for way too long to get a split tunnel VPN working... I've searched this post repeatedly but still am a bit confused.

 

My goal: I want to use my home DNS (dual piholes), have access to local IPs, with all external network data skipping the tunnel (limited upload at site).

 

I have a fully working remote tunneled access setup, wg0. This works perfectly on numerous clients.

 

[Interface]
#wg0
PrivateKey=deleted=
Address=10.253.0.1
ListenPort=51820
PostUp=logger -t wireguard 'Tunnel WireGuard-wg0 started'
PostDown=logger -t wireguard 'Tunnel WireGuard-wg0 stopped'

[Peer]
#01
PublicKey=deleted=
PresharedKey=deleted=
AllowedIPs=10.253.0.2

=====================================

[Interface]
#01
PrivateKey=deleted=
Address=10.253.0.2/32
DNS=192.168.1.112,192.168.1.111

[Peer]
#rehoboam
PresharedKey=deleted=
PublicKey=deleted=
Endpoint=deleted.com:51820
AllowedIPs=0.0.0.0/0

 

I have been trying (unsuccessfully) to get a split tunnel up. Here's my current not working config for wg1.

 

[Interface]
#wg1
PrivateKey=deleted=
Address=10.253.1.1
ListenPort=51821
PostUp=logger -t wireguard 'Tunnel WireGuard-wg1 started'
PostDown=logger -t wireguard 'Tunnel WireGuard-wg1 stopped'

[Peer]
#01 
PublicKey=deleted=
PresharedKey=deleted=
AllowedIPs=10.253.1.2,192.168.0.0/21

======================================

[Interface]
#01 
PrivateKey=deleted=
Address=10.253.1.2/32
DNS=192.168.1.112,192.168.1.111

[Peer]
#rehoboamsplit
PresharedKey=deleted=
PublicKey=deleted=
Endpoint=deleted.com:51821
AllowedIPs=10.253.1.1/32, 192.168.1.0/24

 

I have repeated all configuration changes for the new tunnel including adding static routes and port forwarding.

 

Static routes


 

Port forwarding overview


 

Detail of the new wg1 address, matches 51820


 

Resulting WAN in firewall


Any tips what I'm doing wrong?

Link to comment
  • 3 weeks later...

I cannot add a peer or modify an existing Wireguard peer.  Every time I try, the message below appears:
 

I wanted to change a particular peer from Access to Server to Access to LAN but it's a no go due to this message about the peer name.  I cannot make any changes to peers at all.

 

I am running 6.10 RC1 on this server.  Could it be related to that version in particular?


 

UPDATE:  It looks like I was able to change it on another computer (Chrome instead of Firefox).  I did not get this popup message and it let me make the change after correcting the error in another peer name.  Apparently, allowed characters in peer names have changed since I first set up the peers.  A peer I was not trying to change in any way contained an invalid character (an apostrophe) and was triggering the warning even though it had nothing to do with my attempt to add a new peer or change an existing peer.

Edited by Hoopster
Link to comment

Thanks for the brilliant guide - I followed it some time ago and it has been working fine. However I noticed some behaviour today that made me question if I knew just what I thought it was doing, or indeed how private data in the tunnel is.

 

Was at a mate's place whose ISP has some very strict content filters done at the ISP level, not at his home network level. I have WireGuard configured on my phone to connect back to my unRaid server in "Remote Tunneled Access" mode. Connecting to his WiFi and then turning WireGuard on I could access addresses on my home LAN - WireGuard was connected correctly. I then searched for a few terms that would trigger his ISP's content filter, and I was redirected to the "access denied" page from his ISP. I thought this wasn't possible? Surely my search should have been directed through the tunnel and out my home ISP? How is his ISP capturing the data in the tunnel between my phone and my server? We both use different ISPs, so it was very obvious that it was his ISP filtering/restricting my VPN traffic, not mine.

 

Things I tried:

  • Connect to my home lan via data/WireGuard - no restrictions.
  • Connect to my home lan via mate's Wifi/WireGuard - content restrictions.
  • Check "My IP" while connected via mate's WiFi/WireGuard - showed my home static address.

Interestingly, I turned on the bundled VPN in the latest Opera mobile browser while connected to mate's WiFi - "My IP" showed an address in Sweden, and the same searches that would trigger the content filter while connected to my VPN would now work without restriction.

 

This experience has shaken my faith in using WireGuard on insecure networks, say coffee shops etc, as it seems as if a "man in the middle" is able to read the supposedly-encrypted traffic between my device and my server. I'd really appreciate if someone was able to cast some light on just what is going on here.

 

Thanks.

 

Link to comment

I am just getting started with Unraid but from what I can tell from @Curious_George's scenario, it seems to me that he might be sending DNS queries to the locally connected LAN rather than sending the DNS queries back to his home network to be resolved by his home DNS server/ISP. I believe there is a setting for this in the WireGuard settings but I can't remember where it is now.

Edited by Arius
Link to comment
On 10/25/2021 at 1:05 AM, Curious_George said:

Was at a mate's place whose ISP has some very strict content filters done at the ISP level, not at his home network level. I have WireGuard configured on my phone to connect back to my unRaid server in "Remote Tunneled Access" mode. Connecting to his WiFi and then turning WireGuard on I could access addresses on my home LAN - WireGuard was connected correctly. I then searched for a few terms that would trigger his ISP's content filter, and I was redirected to the "access denied" page from his ISP. I thought this wasn't possible? Surely my search should have been directed through the tunnel and out my home ISP? How is his ISP capturing the data in the tunnel between my phone and my server? We both use different ISPs, so it was very obvious that it was his ISP filtering/restricting my VPN traffic, not mine.

 

It sounds like your client is using the local LAN's DNS server. This shouldn't really be possible if you are in "Remote Tunneled Access" mode. 

 

Note that every time you make a change to the VPN settings, you need to download the new settings to the client. If I had to guess, I'd say you first set this up using one of the other modes, then changed the server to "Remote Tunneled Access" and forgot to forward the change to the client.

 

I'd suggest that you delete the client config, then confirm the server is set to Remote Tunneled Access and has the Peer DNS server set to whatever DNS you use on your LAN. Then download the config to the client again.

Link to comment
10 hours ago, Konstellis said:

I would like to make my SMB shares remotely accessible to a guest (read-only) via wireguard.

The shares are set to "Secure" and a guest account is present.

 

How can I create a WG tunnel/peer which is exclusively tied to the guest account?

 

WireGuard creates a VPN tunnel, it doesn't care what you do with it. There is no concept of exclusively tying it to an SMB guest account.

 

Link to comment
On 10/3/2021 at 7:16 PM, bigmak said:

I've been trying for way too long to get a split tunnel VPN working... I've searched this post repeatedly but still am a bit confused.

 

My goal: I want to use my home DNS (dual piholes), have access to local IPs, with all external network data skipping the tunnel (limited upload at site).

 

I have a fully working remote tunneled access setup, wg0. This works perfectly on numerous clients.

 

I have been trying (unsuccessfully) to get a split tunnel up. Here's my current not working config for wg1.

 

It is the peer/client that controls whether to use split tunneling or not. Because of this, you just need wg0.

 

* On wg0, you have already created a peer that uses "remote tunneled access". I assume you set the "Peer DNS Server" to your pihole.

* For split tunneling, on wg0 create another peer with "remote access to LAN". You will want to set the "Peer DNS Server" to your pihole here as well. 

* Download both peer configs to your client and switch between them as needed.

 

Link to comment
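As an added illustration of the two points made above (the client's AllowedIPs decides full vs. split tunnel, and DNS must be reachable through the tunnel or queries go out over the local network, as in the content-filter report earlier in the thread), here is a small config checker. It is example code written for this thread, not part of the Unraid plugin; the sample configs are constructed after the wg0/wg1 client configs posted above, with placeholder keys and a hypothetical endpoint.

```python
import ipaddress

def parse_wg_config(text):
    """Parse wg-quick style text into {'Interface': [...], 'Peer': [...]}."""
    sections = {"Interface": [], "Peer": []}
    current = None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments such as '#wg1'
        if not line:
            continue
        if line.startswith("[") and line.endswith("]"):
            current = {}
            sections.setdefault(line[1:-1], []).append(current)
        elif current is not None and "=" in line:
            key, value = line.split("=", 1)  # base64 keys end in '=', so split once
            current[key.strip()] = value.strip()
    return sections

def audit_client_config(text):
    """Classify the tunnel mode and list DNS servers that AllowedIPs does not route."""
    cfg = parse_wg_config(text)
    allowed = [ipaddress.ip_network(c.strip(), strict=False)
               for peer in cfg["Peer"]
               for c in peer.get("AllowedIPs", "").split(",") if c.strip()]
    # 0.0.0.0/0 (prefix length 0) sends every destination through the tunnel
    full_tunnel = any(net.prefixlen == 0 for net in allowed)
    dns = [ipaddress.ip_address(d.strip())
           for iface in cfg["Interface"]
           for d in iface.get("DNS", "").split(",") if d.strip()]
    # a DNS server outside AllowedIPs is queried over the local network, not the tunnel
    unrouted = [str(d) for d in dns if not any(d in net for net in allowed)]
    return {"mode": "remote tunneled access" if full_tunnel else "split tunnel (LAN access)",
            "unrouted_dns": unrouted}

# Constructed samples modelled on the wg0/wg1 client configs above; keys are placeholders.
FULL_TUNNEL = """[Interface]
Address=10.253.0.2/32
DNS=192.168.1.112,192.168.1.111
PrivateKey=PLACEHOLDER=
[Peer]
PublicKey=PLACEHOLDER=
Endpoint=vpn.example.invalid:51820
AllowedIPs=0.0.0.0/0
"""
SPLIT_OK = FULL_TUNNEL.replace("AllowedIPs=0.0.0.0/0", "AllowedIPs=10.253.1.1/32, 192.168.1.0/24")
SPLIT_DNS_LEAK = FULL_TUNNEL.replace("AllowedIPs=0.0.0.0/0", "AllowedIPs=10.253.1.1/32")

if __name__ == "__main__":
    for name, text in [("wg0", FULL_TUNNEL), ("wg1", SPLIT_OK), ("wg1-bad", SPLIT_DNS_LEAK)]:
        print(name, audit_client_config(text))
```

The third sample shows the failure mode: a split-tunnel peer whose DNS servers sit on a LAN subnet that is not in AllowedIPs, so name lookups never enter the tunnel.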
3 hours ago, Konstellis said:

 

Thank you for your reply!

So there is no way to make an SMB share remotely accessible with read-only permissions?

First make the share read only for a given user, then provide the user with a Wireguard config.

 

i.e. when you make the share read only for a given user, it is read only regardless of whether you are directly connected on the LAN or connected via Wireguard

Link to comment

I have followed the tutorials, guides and videos multiple times but I am unable to figure out the following; I cannot access my other 'lan' devices, be it another PC with an SMB share or my Synology NAS via Share or WebGUI. I have access to my server and docker containers hosted on the Unraid Server however.

 

I have set up the following on Unraid/Wireguard;

 

Use NAT = No
Use UPnP = Yes
Host access to custom networks = enabled
Local Network Pool = 10.253.0.0/24
Peer DNS = 1.1.1.1

Tried both Remote tunneled access and Remote Access to LAN

In my Router (TP-LINK) I have set the following;
Static Routing: dest-net 10.253.0.0 255.255.255.0 10.75.75.7 Enabled (Advanced Routing > Static Routing List)
Port Forwarding: 51820 > 51820 on 10.75.75.7 (I know this should not be needed with UPnP, just to be sure)

I have also tried;
- With "Use NAT" = Yes and "Host access to custom networks" = disabled (static route optional)
- With "Use NAT" = No and "Host access to custom networks" = disabled and static route 

Is there something I am totally overlooking, as at this point I have no clue anymore. I tried different configs and double-checked stuff, assuming that "VMs and other systems on LAN - accessible!" also includes my other PCs and the Synology NAS?

Edited by Ocgineer
Link to comment
3 hours ago, Ocgineer said:

Is there something I am totally overlooking as at this point I have no clue anymore.

 

TBH I can't see any issues with your config; it seems like it should give you access to your whole network. Unfortunately, I don't have any suggestions.

Link to comment

After following the quickstart guide I can't get wireguard to create a handshake. I have set up my port forward and tried multiple connection methods, I want to use tunneled access but have been unsuccessful with any. I'm using duckdns. Is there a way I can verify if traffic is traversing through my unifi network at all?

Edited by wolfNZ
Link to comment
