Stubbs, posted January 19

Can more documentation be provided for importing Wireguard configurations? There is an option for this at the top right of the VPN Manager, but I'm not sure how to get it working for Docker Containers.

I imported my commercial VPN's .conf file, the Unraid VPN manager automatically marked it as "VPN tunneled access for docker" which is what I want. Then I tried changing one of my container's network type to "Custom - wg2" (my imported .conf) but the webUI is inaccessible. Are there any further steps I should be taking?

Doublemyst, posted January 23

On 10/20/2022 at 8:38 PM, ljm42 said:
> Don't feel bad, this is pretty advanced stuff. But I won't be able to give step by step. In general, I would say to setup two tunnels on each server, one for your phone/laptop/whatever and one for server to server communication. That will simplify things for you. Over here I have a guide on setting up LAN to LAN between two servers: https://forums.unraid.net/topic/88906-lan-to-lan-wireguard/ might be more than you are looking for but it should help.

Hi @ljm42

Thanks for your help so far. At the moment, I have managed to get it working. What I did was set everything up on the second server and remove everything on the first. It didn't work at first, but after a few days, when I tried again, it just worked. Now I can start Wireguard on my server (tunneled access) and connect to it. I can access all Dockers and VMs over the local IP, or with the ControlC application.

But the problem is, when I activate Wireguard on my phone, I don't have internet access on my phone. Do you have any idea what the reason might be? I was thinking that maybe the DNS server isn't working correctly? On my home network I am using 192.168.1.50 on my router for DNS (local Adguard Home server).

Here is the setup of my unraid wireguard:

Thanks!

Edit: Weird behaviour, but on my phone, browsing websites with WireGuard started doesn't work, but when I started WireGuard while being connected to an MS Teams call, it did reconnect - which means the internet is there, but surfing (probably DNS issue?) doesn't work. On my laptop, everything worked fine ... Must be a problem with my phone .. maybe the private DNS setting inside my phone.

Edited January 23 by Doublemyst

ljm42 (author), posted January 23

On 1/18/2023 at 8:31 PM, Stubbs said:
> Can more documentation be provided for importing Wireguard configurations? There is an option for this at the top right of the VPN Manager, but I'm not sure how to get it working for Docker Containers. I imported my commercial VPN's .conf file, the Unraid VPN manager automatically marked it as "VPN tunneled access for docker" which is what I want. Then I tried changing one of my container's network type to "Custom - wg2" (my imported .conf) but the webUI is inaccessible. Are there any further steps I should be taking?

In the first post of this thread you will find a link to this guide on connecting to a commercial provider: https://forums.unraid.net/topic/84316-wireguard-vpn-tunneled-access-to-a-commercial-vpn-provider/

RKCloud, posted January 23

Hi, I am a newbie here but I followed all the steps perfectly... but I am not able to make WireGuard work. I was able to open port 51820 in my router, configured VPN manager, and tried to connect from my iPhone. I could even see the handshake is successful but I am not able to access local shares or the Unraid server through my iPhone. Can anyone tell me what else I need to do and where I am making a mistake?

rousseau, posted February 6

On 10/11/2019 at 10:15 PM, ljm42 said:
> There are some configurations you'll want to avoid, here is how a few key settings interact:
>
> With "Use NAT" = Yes and "Host access to custom networks" = disabled (static route optional)
>   server and dockers on bridge/host - accessible!
>   VMs and other systems on LAN - accessible!
>   dockers with custom IP - NOT accessible
>   (this is the "simple network" setup assumed by the guide above)
>
> With "Use NAT" = Yes and "Host access to custom networks" = enabled (static route optional)
>   server and dockers on bridge/host - accessible!
>   VMs and other systems on LAN - NOT accessible
>   dockers with custom IP - NOT accessible
>   (avoid this config)
>
> With "Use NAT" = No and no static route
>   server and dockers on bridge/host - accessible!
>   VMs and other systems on LAN - NOT accessible
>   dockers with custom IP - NOT accessible
>   (avoid this, if "Use NAT" = No, you really need to add a static route in your router)
>
> With "Use NAT" = No and "Host access to custom networks" = disabled and static route
>   server and dockers on bridge/host - accessible!
>   VMs and other systems on LAN - accessible!
>   dockers with custom IP - NOT accessible
>   (You've come this far, just set "Host access to custom networks" to enabled you're set)
>
> With "Use NAT" = No and "Host access to custom networks" = enabled and static route
>   server and dockers on bridge/host - accessible!
>   VMs and other systems on LAN - accessible!
>   dockers with custom IP - accessible!
>   (woohoo! the recommended setup for complex networks)

Hi, I am trying to setup the last option in the list above for 'Complex Networks':

"With "Use NAT" = No and "Host access to custom networks" = enabled and static route
--server and dockers on bridge/host - accessible!
--VMs and other systems on LAN - accessible!
--dockers with custom IP - accessible!
(woohoo! the recommended setup for complex networks)"

I have tried the following settings:
-WireGuard 'Local server uses NAT' = No
-Docker 'Host access to custom networks' = Enabled
-static route on my router 10.253.0.0/24 to IP_of_Unraid_machine

With the above, when I connect my mobile device (on cellular network) to WireGuard, I get access to other machines on my LAN, and to Unraid Docker containers with custom IPs. But I don't have access to the WAN. A traceroute on my mobile device stops at my router and doesn't make it out to the WAN, even if I try to access a website by URI (i.e., 172.217.1.14 for google.com).

I then tried the following settings (which corresponds to the second entry in the list from 'Complex Networks'):
-WireGuard 'Local server uses NAT' = Yes (only change compared to above)
-Docker 'Host access to custom networks' = Enabled
-static route on my router 10.253.0.0/24 to IP_of_Unraid_machine

With the above, when I connect my mobile device (on cellular network) to WireGuard, I get access to other machines on my LAN, and to Unraid Docker containers with custom IPs, and now I also get access to the WAN.

I am left scratching my head why my setup works with the opposite 'Local server uses NAT' setting compared to the quickstart guide? The guide says I should leave the 'Local server uses NAT' set to 'No', but when I do that I lose access to the WAN. When I leave 'Local server uses NAT' set to 'Yes', then I get access to everything LAN, Docker containers with custom IPs, and the WAN, but the quickstart guide specifically indicates these settings should not work this way.

Am I missing something obvious here? Will having 'Local server uses NAT' set to 'Yes' create problems down the road for me? Very confused, thank you for any insight you can provide!

Caennanu, posted March 7

Good day all,

I've been using wireguard for a while, and always had the issue that I cannot access the internet while connected to the VPN. Previously this was a non-issue, as I didn't actually need it, it recently however has become an issue. Now, I'm guessing since I used the quickstart guide, I should post here.

So let me start with explaining the layout of my network. Starting from the ISP going in.

From the ISP side, I have a WAN box (Ubiquiti EdgeRouter-12).
- I use this to connect my optical connection directly to my network. This ER also serves as my firewall / DHCP server.
- It runs the DHCP for 4 Vlan's (something with not wanting CCTV and IoT mixed in a network)

The ER has a static route to my ICX 6450-48P, which serves as my router.
- Primary reason for this is because the routing capacity of the ER is lacking
- Secondary reason, I need PoE ports more than the ER can supply, and I already had the ER
- Third reason, the ICX has no WAN ability

From the ICX, I connect to another ICX via a single 10gb fiber connection, which has the unraid box behind it. The 2nd ICX is in switch mode.

Firewall ruling disables access between the different subnets, and the CCTV cameras have 1 hour of access to the internet a week for only time synchronisation.

On unraid I run dockers for pihole and lancache, which effectively are my internal DNS servers. This should be a nice to know, but not a requirement as I don't need these for DNS purposes when using Wireguard.

Troubleshooting steps:
- Changed connection types, which didn't yield any results (logical, but worth a shot)
- Changed DNS from local to 8.8.8.8, no notable results
- Added allowed ip's equal to the subnets of my Vlan's with the /24 notation, no notable results.

When doing a tracert to a (both DNS and IP), I get a result only from my unraid box, everything after that times out. So my understanding is that the internet requests do not leave the unraid server. Which leads me to believe I'm missing a link between the server and the router. Am I assuming correctly? (NAT issue?)

--- Solved ---

After adding the static route not only to the ICX router but also to the ER (WAN), it works. So maybe one could adjust the write up, that the static routing needs to be in other places as well when there is a split configuration?

Edited March 7 by Caennanu

Evan Butson, posted March 8

I followed the instructions (which are really well written) and yet couldn't connect. Long story short, I discovered that here in Australia, not sure about other countries, a lot of our ISPs have enabled a thing called CGNAT, which basically kills most remote access type applications. You have to contact your ISP and request to Opt Out of CGNAT; they will ask for a valid reason (because they don't just want everyone opting out), which I did, and half an hour later, bammo, everything worked.

So if you have all your setup and port forwarding looking right and it's still not working, check your ISP if CGNAT is optioned, and if so, try opting out.

schreibman, posted May 12

is there a way to log wireguard stats, specifically peer info? this info on a given frequency:

    peer: xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
      preshared key: (hidden)
      endpoint: 172.58.111.98:47136
      allowed ips: 10.253.0.2/32
      latest handshake: 1 minute, 45 seconds ago
      transfer: 851.32 KiB received, 8.84 MiB sent

*and by chance is exposing the wg interface, like wg0 to the GUI dashboard network INTERFACE widget?*

edit: Dhoope it's already there! scroll down! VPN

Edited May 12 by schreibman: ooops it already there!

srepper, posted May 21

Hey Squad,

I can't activate my vpn server, does someone know why? (from external, port 58120 is closed)

Port 58120 is forwarding from external to internal via fritzbox.

UPnP is activated but Unraid thinks it is not. So in the config it is disabled.

Static rules:

Wireguard config:

ljm42 (author), posted May 22

15 hours ago, srepper said:
> UPnP is activated but Unraid thinks it is not.

I think you might have missed this from the first post:

> If UPnP is enabled on your router and you want to use it in Unraid, go to Settings -> Management Access and confirm "Use UPnP" is set to Yes

Also, you are getting a warning that your local endpoint doesn't resolve to Unraid's WAN IP. I'd really recommend investigating that, the port forward doesn't matter if the local endpoint doesn't point to your router.

srepper, posted May 22

1 hour ago, ljm42 said:
> I think you might have missed this from the first post:

Thanks for the response. I forgot to upload my setting.

Digaumspider, posted June 9

Is there any way at all to check the Unraid built-in Wireguard for the logs to see if someone I haven't authorized has been accessing my network via wireguard?

In short, my FW has passed multiple connections from outside that didn't come from me, and now I want to check my wireguard and make sure these were just attempts and wireguard shut them down or if they passed for some reason.

Thanks.

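
Added example, not part of any post in this thread: the request above for periodic peer stats and this question about unauthorized access can both be approached by parsing `wg show all dump`, which lists every configured peer with its last handshake time. The allowlist file, its path, the placeholder keys and the timestamps are assumptions constructed for the example; the dump also carries the private and preshared keys, so the script never prints those fields.

```shell
#!/bin/bash
# Added example, not from the thread: audit WireGuard peers from `wg show all dump`.
# Per wg(8), `dump` is tab-separated. With `all`, each line starts with the
# interface name. Interface lines have 5 fields; peer lines have 9:
#   1 interface  2 public-key  3 preshared-key  4 endpoint  5 allowed-ips
#   6 latest-handshake (unix time, 0 = never)  7 rx bytes  8 tx bytes  9 keepalive
# Field 3 (and the private key on interface lines) is secret and is never printed.

# audit_peers NOW ALLOWLIST < dump
#   NOW       current unix time (date +%s)
#   ALLOWLIST file with one expected peer public key per line (assumed to be
#             maintained by the admin; it is not something Unraid creates)
# Prints one line per peer; returns 1 if any peer key is missing from ALLOWLIST.
audit_peers() {
  awk -F'\t' -v now="$1" -v allow="$2" '
    BEGIN {
      bad = 0
      while ((getline key < allow) > 0)
        if (key != "") known[key] = 1
    }
    NF == 9 {
      if ($6 == 0) { age = "never" } else { age = (now - $6) "s" }
      if ($2 in known) { status = "known" } else { status = "UNKNOWN"; bad = 1 }
      printf "%s peer=%s status=%s endpoint=%s allowed=%s handshake_age=%s rx=%s tx=%s\n",
             $1, $2, status, $4, $5, age, $7, $8
    }
    END { exit bad }
  '
}

# Constructed sample in dump format (keys are placeholders, not real keys).
# The first peer reuses the endpoint and allowed IP quoted in schreibman's post.
sample_dump() {
  printf 'wg0\tPRIVKEY_PLACEHOLDER\tSERVER_PUBKEY_PLACEHOLDER\t51820\toff\n'
  printf 'wg0\tPHONE_PUBKEY_PLACEHOLDER\tPSK_PLACEHOLDER\t172.58.111.98:47136\t10.253.0.2/32\t1686300000\t871752\t9269248\toff\n'
  printf 'wg0\tLAPTOP_PUBKEY_PLACEHOLDER\t(none)\t(none)\t10.253.0.3/32\t0\t0\t0\toff\n'
  printf 'wg0\tUNLISTED_PUBKEY_PLACEHOLDER\t(none)\t203.0.113.7:51820\t10.253.0.9/32\t1686299000\t1024\t2048\toff\n'
}

# Demo on the constructed sample. On the server, feed real data instead
# (the allowlist path is a placeholder):
#   wg show all dump | audit_peers "$(date +%s)" /path/to/allowlist
demo_allow=$(mktemp)
printf '%s\n' PHONE_PUBKEY_PLACEHOLDER LAPTOP_PUBKEY_PLACEHOLDER > "$demo_allow"
sample_dump | audit_peers 1686300105 "$demo_allow" || echo "ALERT: peer not in allowlist"
rm -f "$demo_allow"
```

Appending the output to a file on a schedule gives a history of handshake times and endpoints per peer.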
Lecso, posted June 9

Hey. I have set up the VPN in Settings>VPN Manager. It works on my android phone but not on my other Windows laptop. Has anybody encountered this problem? When I connect to the VPN from my phone and ping it from Unraid it replies, but the windows laptop does not.

Caennanu, posted June 10

On 6/9/2023 at 6:40 PM, Lecso said:
> Hey. I have set up the VPN in Settings>VPN Manager. It works on my android phone but not on my other Windows laptop. Has anybody encountered this problem? When I connect to the VPN from my phone and ping it from Unraid it replies, but the windows laptop does not.

My best guess is that your windows is on the same if not similar subnet, and the phone is not.

Lecso, posted June 10

3 hours ago, Caennanu said:
> My best guess is that your windows is on the same if not similar subnet, and the phone is not.

My laptop was on a wifi hotspot created on my phone. On the phone that works. I also have a problem with an ipad. Remote access to server and remote access to LAN has internet, I can reach the Unraid login page and my router's login page, but nothing else on my local network. I tested this on the hotspot shared from my phone too.

Caennanu, posted June 11

18 hours ago, Lecso said:
> My laptop was on a wifi hotspot created on my phone. On the phone that works. I also have a problem with an ipad. Remote access to server and remote access to LAN has internet, I can reach the Unraid login page and my router's login page, but nothing else on my local network. I tested this on the hotspot shared from my phone too.

All right. Can you connect to the unraid server via its DNS address, or only via its ip address? If the latter, it's likely something in your DNS settings.

Lecso, posted June 11

1 hour ago, Caennanu said:
> All right. Can you connect to the unraid server via its DNS address, or only via its ip address? If the latter, it's likely something in your DNS settings.

I will try to explain it better! I tried two android phones with mobile data, their settings are Remote Connect to LAN. Both worked as they should, I reached everything like I was on my home network. I could reach my 3D printer, Unraid, my router, everything on their usual address.

However, the Ipad, connected to one of these android phone's hotspot could only reach my router on its default 192.168.1.1 address and my Unraid server login page via this address (in Remote connect to LAN mode too):

(but not on the 192.168.1.121, Unraid's address on my home network)

Edited June 11 by Lecso

Caennanu, posted June 17

On 6/11/2023 at 6:07 PM, Lecso said:
> I will try to explain it better! I tried two android phones with mobile data, their settings are Remote Connect to LAN. Both worked as they should, I reached everything like I was on my home network. I could reach my 3D printer, Unraid, my router, everything on their usual address. However, the Ipad, connected to one of these android phone's hotspot could only reach my router on its default 192.168.1.1 address and my Unraid server login page via this address (in Remote connect to LAN mode too): (but not on the 192.168.1.121, Unraid's address on my home network)

Alright, I do not know exactly what a hotspot does... (I know its function, but not its technical details). It sounds like the android phone creates a virtual network. Kind of like a WAN port. Creating a different subnet for the ipad.

Can you check if the ipad gets an ip in the same range as your local network, and if it is the same, if that ip address is reserved from your own dhcp?

Edited June 17 by Caennanu

Caennanu, posted June 19

Well, whaddaya know... Updated to 6.12 stable. And had the same issue. I had to reboot my router, as my static route wouldn't take hold. This allowed me to access LAN, but nothing outside of it. Maybe that is the issue on your end too?

dole, posted June 20

Hi, I am new to Unraid (6.12) and trying to get WireGuard running. I have followed the instructions on the first page (no complex network) and I can connect my phone via WireGuard app with the peer profile. After connecting I have no access to internet or my unraid server. There is no handshake and no data received or sent.

I have read partially through this thread but I have no clue where to start (VPN beginner). I have tried several peer types. Sometimes I get internet but never have access to my network or a successful handshake. Where can I start with troubleshooting?

Thank you guys

dole, posted June 22

Ok, I did some further investigations and found out that I have an IPv6 address and that IPv4 is only available via DS Lite / CGNAT, so I cannot use the IPv4 protocol.

However, I tried to change the settings in the VPN manager to "IPv6 only" but I cannot get the connection to be active after adding a peer. It will always reset after a few seconds and is inactive again. What can cause this behavior?

With the "IPv4 + IPv6" setting I can set the connection to active but I still don't have internet access or access to any device in the network (from my phone with ipv6 address).

FayeInMay, posted June 23

I'm using:

With "Use NAT" = Yes and "Host access to custom networks" = enabled (static route optional) -> NO static rule was set
  server and dockers on bridge/host - accessible!
  VMs and other systems on LAN - NOT accessible
  dockers with custom IP - NOT accessible
  (avoid this config)

But my actual result with UnRaid 6.12.1 is:

With "Use NAT" = Yes and "Host access to custom networks" = enabled (static route optional) -> NO static rule was set
  server and dockers on bridge/host - accessible!
  VMs and other systems on LAN - NOT accessible
  dockers with custom IP (on br0) - accessible!
  (avoid this config)

Does anyone know why exactly that could be?

FayeInMay, posted June 23

My last question / post was answered with this.

cobhc, posted July 2

Hi all, I'm using Unraid's built-in WireGuard to obfuscate my received/sent traffic on a few different dockers. The problem, however, is that I am now also using my Router to provide access to the network remotely (also through WireGuard) and cannot access the WebUI of those dockers, which are using the above tunnel (wg0) as their network.

Is this something I can configure in the tunnel on Unraid, or am I out of luck doing it this way?

chris111486, posted July 2

A few months ago I replaced my router. I then also proceeded to update Unraid OS to its current version at that time. I tried to use WireGuard after all this and it wasn't working. I then got busy with home and work and wasn't able to get back around to troubleshooting the issue. Now I have been able to get back to trying to troubleshoot the issue and this is where I stand.

Long story short, I went back to a clean slate. Remade my domain on DDNS, deleted the original tunnel created when I had WireGuard working. Followed steps on page 1 and it's not a complex network, and to no avail, still unable to connect to server from external means.

When I go to do my port forwarding on the router it doesn't seem like it works. And even the tunnel screen shows that it still doesn't see port forwarding connected via the server. I also tried UPnP connection and nothing worked while trying to connect that way either.

After each change made on the router I did perform a reboot since I wasn't sure if it would need a reboot for the change to take, because I know that was 1 of my issues the first time I tried setting it up in the beginning a few years back.

I go into the logs on both the Unraid server and router and don't see the IP of the server. I also did a trace route to see if my ISP is using CGNAT. And am not 100% sure if that may be my issue. I have attached photos to see if maybe anybody else sees something I missed. And I understand the photo of the tunnel setup screen says forward port but that is already set in my router's port forwarding.

Any ideas are greatly appreciated.
