WireGuard quickstart


Good evening,

I have a problem: remote tunneled access doesn't work for me. I can connect to the VPN with my phone, but once it is connected it no longer has internet access, although I can ping my phone from the WireGuard interface.

If anyone has an idea,

thanks, Anthony


1 hour ago, vmlinuz said:

thanks, Anthony

Anyone wishing to reply go to this thread

 

Running UnRAID 6.10.RC2 utilizing the built-in wireguard VPN. I can connect a phone and laptop just fine. I can ping the unRAID server and get to the internet all through the tunnel. What I can't do is get to other things on my local network that are on the same VLAN as the unRAID server. I have the tunnel set for "Remote tunnel access". Seems I am missing a route somewhere, but can't figure it out. Routing table shown below. unRAID is 10.5.254.80/24 and vpn clients are 10.5.253.2 and .3

 

Thoughts on this one?

image.thumb.png.800ea133a7d69cf8943778e211c2ea74.png

astro-server-diagnostics-20220211-1000.zip

  • Author
On 2/5/2022 at 10:53 PM, J05u said:

I am having no issues to connect to my server via wireguard, but i can't connect to dockers on my network

 

46 minutes ago, mgadbois said:

Seems I am missing a route somewhere, but can't figure it out.

 

Sounds like you need to add a static route to your *router* so that devices on your network can communicate with the WireGuard network pool. See the "Complex Networks" portion of the first post in this thread.

 

If you continue to have issues, read the section below that that explains how "Use NAT", "host access to custom networks", and having a static route all interact. Certain combinations do not work well together.

Added static route in my Router and all works now.

 

Thanks

I was on vacation for a week, when I got back my flash drive had some issues so I restored from a week old backup.
Anyways everything is fine except my WireGuard isn't working. It won't stay Active. I click slider, it shows Active, I change tabs and go back and it's Inactive. I uninstalled the Plugin, reinstalled and same thing, my old Peers still there too.


Any ideas? How do I completely erase WireGuard so when I install it, it's brand new? Logs show nothing.

I'm trying to use the "server hub & spoke access" type of access so that some of my peers should be able to talk to each other. My peers can connect and they can ping the server, but they can't ping each other and the server can't ping them either. Did I miss something?

  • Author
On 2/14/2022 at 9:59 PM, nxtiak said:

How do I completely erase WireGuard so when I install it, it's brand new?

 

Go to Settings -> VPN Manager. For each tunnel, change the slide from Basic to Advanced, then choose the Delete Tunnel option.

  • Author
18 hours ago, MylesM said:

I'm trying to use the "server hub & spoke access" type of access so that some of my peers should be able to talk to each other. My peers can connect and they can ping the server, but they can't ping each other and the server can't ping them either. Did I miss something?

 

You'll want to ping the tunnel IPs, not the lan/wan IPs.

 

The tunnel has its own network range:

image.png

 

The server usually has a .1 address in that pool:
image.png

 

And then each peer has a unique address in that pool:

image.png
 

7 minutes ago, ljm42 said:

 

Go to Settings -> VPN Manager. For each tunnel, change the slide from Basic to Advanced, then choose the Delete Tunnel option.

  

Thanks I figured this out last night, but then when I tried to set it up again, nothing would save. Type a name, generated key, etc.. clicking save would do nothing. Think my USB is bad or ?

  • Author
2 minutes ago, nxtiak said:

Thanks I figured this out last night, but then when I tried to set it up again, nothing would save. Type a name, generated key, etc.. clicking save would do nothing. Think my USB is bad or ?

 

When you hit save, does the cursor move to a new field so you can fix a value?  i.e. maybe you are using an invalid character in the name.  If not, try switching the slider from basic to advanced and see if it moves to a field now.

4 hours ago, ljm42 said:

 

When you hit save, does the cursor move to a new field so you can fix a value?  i.e. maybe you are using an invalid character in the name.  If not, try switching the slider from basic to advanced and see if it moves to a field now.

 

When I type anything in the Local Name (anything like 1234 or myserver) and click Apply, the cursor goes to Local Public Key to enter a value, I click generate keypair, then I click apply and the page refreshes and nothing is saved. I go to advance and type something in all the fields and same thing happens.

  • Author
3 hours ago, nxtiak said:

 

When I type anything in the Local Name (anything like 1234 or myserver) and click Apply, the cursor goes to Local Public Key to enter a value, I click generate keypair, then I click apply and the page refreshes and nothing is saved. I go to advance and type something in all the fields and same thing happens.

 

Can you try a different browser?

1 hour ago, ljm42 said:

 

Can you try a different browser?

 

I just tried with Firefox and same thing happens. Screen refreshes when I click Apply.

Can you open a terminal window and show the output of (assuming you want to activate tunnel 0)

wg-quick up wg0

 

8 hours ago, bonienl said:

Can you open a terminal window and show the output of (assuming you want to activate tunnel 0)

wg-quick up wg0

 

 

root@Server:~# wg-quick up wg0
wg-quick: `/etc/wireguard/wg0.conf' does not exist
root@Server:~#
 

The conf file should reside on your usb drive.

Have you tried to do a file system repair of the usb drive?
Take the drive out (after shutting down) and run a repair on a windows machine.

 

5 hours ago, bonienl said:

The conf file should reside on your usb drive.

Have you tried to do a file system repair of the usb drive?
Take the drive out (after shutting down) and run a repair on a windows machine.

 


So I did that last week and it found errors. So today I decide it's probably time to swap out the USB drive. Just did it and I'm able to save configuration but can't activate wg-quick up wg0 now gives an error:

root@Server:~# wg-quick up wg0
[#] ip link add wg0 type wireguard
Error: Unknown device type.
Unable to access interface: Protocol not supported
[#] ip link delete dev wg0
Cannot find device "wg0"
root@Server:~#
 

I have wireguard up and running and I am able to connect to my unraid server from anywhere. It works awesome.

 

I am working out of the country currently and I am still able to connect to my local network but I was under the impression that I could use the wireguard vpn to get around geo-blockers and visit websites and video services as if I was in my home country (USA). But when I try and hit for instance a local Florida news website www.WESH.com I get stopped saying:

 

Quote

Sorry, this content is not available in your region.

 

My type of access is "Remote Tunneled Access"

 

TIA

Hi,

 

the setup "Remote access to LAN" works fine and the client is connected and can ping the IPs in the remote LAN.

But in the config I said "Local tunnel firewall" Allow and only set 10.0.0.11 as allowed.

Nevertheless, I am able to ping 10.0.0.10 (Unraid Server itself) - no other hosts.

 

Is that by design and cannot be removed?

Attached the generated iptables config:

 

# Generated by iptables-save v1.8.5 on Fri Mar  4 21:31:04 2022
*mangle
:PREROUTING ACCEPT [585916432:1133041336885]
:INPUT ACCEPT [40469455:499819706678]
:FORWARD ACCEPT [546394462:633615039025]
:OUTPUT ACCEPT [32114760:4849559837]
:POSTROUTING ACCEPT [578543223:638470079442]
:LIBVIRT_PRT - [0:0]
-A POSTROUTING -j LIBVIRT_PRT
COMMIT
# Completed on Fri Mar  4 21:31:04 2022
# Generated by iptables-save v1.8.5 on Fri Mar  4 21:31:04 2022
*nat
:PREROUTING ACCEPT [98:29053]
:INPUT ACCEPT [67:21594]
:OUTPUT ACCEPT [32:2057]
:POSTROUTING ACCEPT [60:9200]
:DOCKER - [0:0]
:LIBVIRT_PRT - [0:0]
-A PREROUTING -m addrtype --dst-type LOCAL -j DOCKER
-A OUTPUT ! -d 127.0.0.0/8 -m addrtype --dst-type LOCAL -j DOCKER
-A POSTROUTING -s 172.17.0.0/16 ! -o docker0 -j MASQUERADE
-A POSTROUTING -j LIBVIRT_PRT
-A POSTROUTING -s 172.17.0.2/32 -d 172.17.0.2/32 -p tcp -m tcp --dport 3875 -j MASQUERADE
-A POSTROUTING -s 172.17.0.4/32 -d 172.17.0.4/32 -p tcp -m tcp --dport 8181 -j MASQUERADE
-A POSTROUTING -s 172.17.0.4/32 -d 172.17.0.4/32 -p tcp -m tcp --dport 8080 -j MASQUERADE
-A POSTROUTING -s 172.17.0.4/32 -d 172.17.0.4/32 -p tcp -m tcp --dport 4443 -j MASQUERADE
-A POSTROUTING -s 10.253.0.0/24 -o br0 -j MASQUERADE
-A DOCKER -i docker0 -j RETURN
-A DOCKER ! -i docker0 -p tcp -m tcp --dport 3875 -j DNAT --to-destination 172.17.0.2:3875
-A DOCKER ! -i docker0 -p tcp -m tcp --dport 7818 -j DNAT --to-destination 172.17.0.4:8181
-A DOCKER ! -i docker0 -p tcp -m tcp --dport 1880 -j DNAT --to-destination 172.17.0.4:8080
-A DOCKER ! -i docker0 -p tcp -m tcp --dport 18443 -j DNAT --to-destination 172.17.0.4:4443
COMMIT
# Completed on Fri Mar  4 21:31:04 2022
# Generated by iptables-save v1.8.5 on Fri Mar  4 21:31:04 2022
*filter
:INPUT ACCEPT [2045:465504]
:FORWARD ACCEPT [188:71769]
:OUTPUT ACCEPT [1269:1510752]
:DOCKER - [0:0]
:DOCKER-ISOLATION-STAGE-1 - [0:0]
:DOCKER-ISOLATION-STAGE-2 - [0:0]
:DOCKER-USER - [0:0]
:LIBVIRT_FWI - [0:0]
:LIBVIRT_FWO - [0:0]
:LIBVIRT_FWX - [0:0]
:LIBVIRT_INP - [0:0]
:LIBVIRT_OUT - [0:0]
:WIREGUARD - [0:0]
:WIREGUARD_DROP_WG0 - [0:0]
-A INPUT -j LIBVIRT_INP
-A FORWARD -j DOCKER-USER
-A FORWARD -j DOCKER-ISOLATION-STAGE-1
-A FORWARD -o docker0 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -o docker0 -j DOCKER
-A FORWARD -i docker0 ! -o docker0 -j ACCEPT
-A FORWARD -i docker0 -o docker0 -j ACCEPT
-A FORWARD -j LIBVIRT_FWX
-A FORWARD -j LIBVIRT_FWI
-A FORWARD -j LIBVIRT_FWO
-A FORWARD -j WIREGUARD
-A OUTPUT -j LIBVIRT_OUT
-A DOCKER -d 172.17.0.2/32 ! -i docker0 -o docker0 -p tcp -m tcp --dport 3875 -j ACCEPT
-A DOCKER -d 172.17.0.4/32 ! -i docker0 -o docker0 -p tcp -m tcp --dport 8181 -j ACCEPT
-A DOCKER -d 172.17.0.4/32 ! -i docker0 -o docker0 -p tcp -m tcp --dport 8080 -j ACCEPT
-A DOCKER -d 172.17.0.4/32 ! -i docker0 -o docker0 -p tcp -m tcp --dport 4443 -j ACCEPT
-A DOCKER-ISOLATION-STAGE-1 -i docker0 ! -o docker0 -j DOCKER-ISOLATION-STAGE-2
-A DOCKER-ISOLATION-STAGE-1 -j RETURN
-A DOCKER-ISOLATION-STAGE-2 -o docker0 -j DROP
-A DOCKER-ISOLATION-STAGE-2 -j RETURN
-A DOCKER-USER -j RETURN
-A WIREGUARD -o br0 -j WIREGUARD_DROP_WG0
-A WIREGUARD_DROP_WG0 -s 10.253.0.0/24 -d 10.0.0.11/32 -j ACCEPT
-A WIREGUARD_DROP_WG0 -s 10.253.0.0/24 -j DROP
-A WIREGUARD_DROP_WG0 -j RETURN
COMMIT
# Completed on Fri Mar  4 21:31:04 2022

 

Edited by Thomas K

The WireGuard tunnel terminates on Unraid itself, you can not exclude Unraid as a destination.

IPtables is used for accessing or blocking other devices in your LAN.

 

-A WIREGUARD -o br0 -j WIREGUARD_DROP_WG0
-A WIREGUARD_DROP_WG0 -s 10.253.0.0/24 -d 10.0.0.11/32 -j ACCEPT
-A WIREGUARD_DROP_WG0 -s 10.253.0.0/24 -j DROP
-A WIREGUARD_DROP_WG0 -j RETURN

 

Why are the iptables rules created on br0 and not wg0?

A tcpdump shows, that the traffic from the peer to the wireguard host is not crossing br0 - only wg0, so the rule does not match.

Traffic from the peer to other local lan destinations cross br0 and so the rule matches.

Edited by Thomas K

Worked it out, you have to filter the INPUT chain of the wg0 device incoming. My example if someone else needs it:

 

iptables -N WIREGUARD_INPUT
iptables -N WIREGUARD_DROP_WG0_INPUT
iptables -A INPUT -j WIREGUARD_INPUT

iptables -A WIREGUARD_INPUT -i wg0 -j WIREGUARD_DROP_WG0_INPUT
iptables -A WIREGUARD_DROP_WG0_INPUT -s 10.253.0.0/24 -d 10.0.0.11/32 -j ACCEPT
iptables -A WIREGUARD_DROP_WG0_INPUT -s 10.253.0.0/24 -j DROP
iptables -A WIREGUARD_DROP_WG0_INPUT -j RETURN

That would be great for a future update. Streamlined version building on existing WIREGUARD_DROP_WG0

iptables -N WIREGUARD_INPUT
iptables -A INPUT -j WIREGUARD_INPUT
iptables -A WIREGUARD_INPUT -i wg0 -j WIREGUARD_DROP_WG0
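
Why the generated rules never see traffic to Unraid itself, and what the INPUT hook changes, shown as an added example (not code from the thread or from Unraid): a small Python model of filter-table traversal using the rules posted above. The peer address 10.253.0.2 is constructed, and 10.253.0.1 is assumed to be the server's tunnel address.

```python
import ipaddress as ip

ANY = None
# Rule = (in_if, out_if, src, dst, target), transcribed from the thread's dump.
# Docker/libvirt chains are omitted: none of their rules match wg0 -> br0 traffic.
FILTER = {
    "INPUT": [],
    "FORWARD": [(ANY, ANY, ANY, ANY, "WIREGUARD")],
    "WIREGUARD": [(ANY, "br0", ANY, ANY, "WIREGUARD_DROP_WG0")],
    "WIREGUARD_DROP_WG0": [
        (ANY, ANY, "10.253.0.0/24", "10.0.0.11/32", "ACCEPT"),
        (ANY, ANY, "10.253.0.0/24", ANY, "DROP"),
        (ANY, ANY, ANY, ANY, "RETURN"),
    ],
}
# The streamlined INPUT hook from the last post, layered on the same table.
FIXED = {**FILTER,
         "INPUT": [(ANY, ANY, ANY, ANY, "WIREGUARD_INPUT")],
         "WIREGUARD_INPUT": [("wg0", ANY, ANY, ANY, "WIREGUARD_DROP_WG0")]}

def matches(rule, pkt):
    in_if, out_if, src, dst, _ = rule
    return ((in_if is ANY or in_if == pkt["in"])
            and (out_if is ANY or out_if == pkt["out"])
            and (src is ANY or ip.ip_address(pkt["src"]) in ip.ip_network(src))
            and (dst is ANY or ip.ip_address(pkt["dst"]) in ip.ip_network(dst)))

def run_chain(table, chain, pkt):
    """Return ACCEPT/DROP, or None when the chain falls through or RETURNs."""
    for rule in table[chain]:
        if not matches(rule, pkt):
            continue
        target = rule[4]
        if target in ("ACCEPT", "DROP"):
            return target
        if target == "RETURN":
            return None
        result = run_chain(table, target, pkt)
        if result:
            return result
    return None

def verdict(table, src, dst, local=("10.0.0.10", "10.253.0.1")):
    """Decrypted packet from a peer: local destinations hit INPUT, others FORWARD."""
    hook = "INPUT" if dst in local else "FORWARD"
    pkt = {"in": "wg0", "out": None if hook == "INPUT" else "br0", "src": src, "dst": dst}
    return hook, run_chain(table, hook, pkt) or "ACCEPT"  # chain policy is ACCEPT

if __name__ == "__main__":
    for dst in ("10.0.0.11", "10.0.0.12", "10.0.0.10", "10.253.0.1"):
        print(dst, verdict(FILTER, "10.253.0.2", dst), verdict(FIXED, "10.253.0.2", dst))
```

With the INPUT hook in place the server's own tunnel address is dropped as well, and because the rules carry no conntrack match, replies from peers to connections that Unraid itself opens across the tunnel are dropped too. The encrypted WireGuard UDP packets arrive on the physical interface rather than wg0, so the tunnel itself is not affected by these rules.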
