WireGuard quickstart


On 10/11/2019 at 4:15 PM, ljm42 said:

If your "Peer type of connection" includes one of the LAN options but you can only access Unraid, go to Settings -> Network Settings and see whether "Enable bridging" is yes.  If bridging is disabled, you will not be able to access your LAN over WireGuard.

I am still having the issue where I can access the Unraid webui but I cannot access the share nor any other device on the network. I am using a MacBook Pro to connect to my VPN/server. Bridging is enabled on the server; however, this did not fix the issue. I have also updated the peer to make sure that the connection is set to "remote access to LAN".

Link to comment

My previous setup of pihole and wireguard with remote tunneled access worked flawlessly, and I was able to access my unraid server, dockers and the internet through the VPN. I have since updated to the latest unraid server version 6.11.3 and my pihole wireguard setup does not connect to the internet anymore. The current setup is with "Use NAT" = No and "Host access to custom networks" = enabled and static route setup as outlined in this guide. I am sort of stumped because I don't know what settings have changed.

I currently have access to my unraid server and its dockers but no access to the internet. Pihole fixed IP is 192.168.0.10 and unraid server IP is 192.168.0.201. Below are my wireguard, TP-Link Router and pihole docker settings.

Wireguard:

image.png.eb019946e35183536388b885ab453360.png

TP-Link Router:

image.png.c541a76bec346a317a035a3c57219aa5.png

Pihole:

image.png.88c235a5da48b982c180ea0bcc074d90.png

Link to comment
  • 2 weeks later...

Firstly, thank you for your contribution to the Unraid built-in WireGuard VPN.

I have a question about "Peer type of access" of the built-in WireGuard.

I found that the "Remote access to server" type does not actually limit the peer from accessing other LAN addresses. According to my test, even if I select "Remote access to server", the peer can still change the allowed IPs to access my LAN. Then I checked the wg config file and there seems to be no restriction strategy to limit the peer.

This is my config (auto generated by the Unraid Web UI):

PrivateKey=XXXX
Address=10.253.0.1
ListenPort=51820
PostUp=logger -t wireguard 'Tunnel WireGuard-wg0 started'
PostUp=iptables -t nat -A POSTROUTING -s 10.253.0.0/24 -o br0 -j MASQUERADE
PostDown=logger -t wireguard 'Tunnel WireGuard-wg0 stopped'
PostDown=iptables -t nat -D POSTROUTING -s 10.253.0.0/24 -o br0 -j MASQUERADE
PostUp=ip -4 route flush table 200
PostUp=ip -4 route add default via 10.253.0.1 dev wg0 table 200
PostUp=ip -4 route add 192.168.50.0/24 via 192.168.50.1 dev br0 table 200
PostDown=ip -4 route flush table 200
PostDown=ip -4 route add unreachable default table 200
PostDown=ip -4 route add 192.168.50.0/24 via 192.168.50.1 dev br0 table 200

I also checked the route table and iptables, and there seems to be no restriction strategy.

Is this a feature or a bug?

Though I do know how to restrict other peers from accessing my LAN by modifying iptables, I still hope that I can do this operation in the Web UI.

Unraid Version: 6.11.3 stable

Link to comment
7 hours ago, ArthurYZY said:

Firstly, thank you for your contribution to the Unraid built-in WireGuard VPN.

I have a question about "Peer type of access" of the built-in WireGuard.

I found that the "Remote access to server" type does not actually limit the peer from accessing other LAN addresses. According to my test, even if I select "Remote access to server", the peer can still change the allowed IPs to access my LAN. Then I checked the wg config file and there seems to be no restriction strategy to limit the peer.

"Remote access to server" is not enforced by the server. It is actually a WireGuard client setting where the client gets to choose whether to access the tunnel IP or the LAN IP.

You may want to turn on the help and check out the "Local tunnel firewall" option.

Link to comment
6 hours ago, ljm42 said:

"Remote access to server" is not enforced by the server. It is actually a WireGuard client setting where the client gets to choose whether to access the tunnel IP or the LAN IP.

You may want to turn on the help and check out the "Local tunnel firewall" option.

I got this. Thanks.

"Remote access to server" just seems to help generate a well-defined peer config for sharing. For security, it is still necessary to set the blacklist or whitelist in the UI.

Link to comment
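
An added example, not part of any post in this thread and not Unraid's own code: a small audit of the PostUp lines quoted above, showing that the generated config only masquerades tunnel traffic and carries no rule that blocks tunnel-to-LAN forwarding. The HARDENED sample and its FORWARD rule are constructed for illustration; the check reads only PostUp lines, not the live ruleset or anything the "Local tunnel firewall" option may add.

```python
import ipaddress
import shlex

# Constructed sample: a subset of the lines quoted in the post above.
GENERATED = """\
Address=10.253.0.1
PostUp=logger -t wireguard 'Tunnel WireGuard-wg0 started'
PostUp=iptables -t nat -A POSTROUTING -s 10.253.0.0/24 -o br0 -j MASQUERADE
PostUp=ip -4 route add default via 10.253.0.1 dev wg0 table 200
"""

# Constructed sample: same config plus a hand-written rule (hypothetical, not
# known to be emitted by the Unraid UI) that blocks tunnel -> LAN forwarding.
HARDENED = (GENERATED +
            "PostUp=iptables -I FORWARD -s 10.253.0.0/24 -d 192.168.50.0/24 -j DROP\n")

def iptables_rules(conf):
    """Yield argv lists for every iptables command run from a PostUp line."""
    for line in conf.splitlines():
        key, _, value = line.partition("=")
        if key.strip().lower() == "postup":
            argv = shlex.split(value)
            if argv and argv[0] == "iptables":
                yield argv

def opt(argv, flag, default=None):
    """Return the argument following `flag`, or `default` if absent."""
    return argv[argv.index(flag) + 1] if flag in argv[:-1] else default

def audit(conf, tunnel_net, lan_net):
    """Classify how the PostUp rules treat tunnel -> LAN traffic."""
    tunnel, lan = ipaddress.ip_network(tunnel_net), ipaddress.ip_network(lan_net)
    masquerade = blocked = False
    for argv in iptables_rules(conf):
        table = opt(argv, "-t", "filter")
        chain = opt(argv, "-A") or opt(argv, "-I")
        src = ipaddress.ip_network(opt(argv, "-s", "0.0.0.0/0"), strict=False)
        dst = ipaddress.ip_network(opt(argv, "-d", "0.0.0.0/0"), strict=False)
        target = opt(argv, "-j")
        if not tunnel.subnet_of(src):
            continue  # rule does not cover the whole tunnel subnet
        if table == "nat" and target == "MASQUERADE":
            masquerade = True
        if (table == "filter" and chain == "FORWARD"
                and target in ("DROP", "REJECT") and lan.subnet_of(dst)):
            blocked = True
    if blocked:
        return "restricted"
    return "open-via-nat" if masquerade else "no-rules"
```

The "open-via-nat" result for the generated config matches what the thread concludes: the peer's AllowedIPs choice is a client-side setting, so any LAN restriction has to come from server-side firewall rules.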

Hi, I'm using Wireguard with Remote tunneled access. I can reach everything in my network except all docker or VMs... even though they have a separate IP. Any ideas how to change this?

My Router: 192.168.1.1 (reachable via vpn)

Unraid: 192.168.1.200 (reachable via vpn)

e.g. Adguard Docker: 192.168.1.202 (NOT reachable via vpn)

Screenshot 2022-11-28 122959.jpg

Link to comment
12 hours ago, ymurawski said:

Hi, I'm using Wireguard with Remote tunneled access. I can reach everything in my network except all docker or VMs... even though they have a separate IP. Any ideas how to change this?

My Router: 192.168.1.1 (reachable via vpn)

Unraid: 192.168.1.200 (reachable via vpn)

e.g. Adguard Docker: 192.168.1.202 (NOT reachable via vpn)

Screenshot 2022-11-28 122959.jpg

Re-read the first two posts, in particular the section titled "Complex networks".

Link to comment
