ljm42

WireGuard quickstart


1 hour ago, david279 said:

I saw something like this too. I run Pi-hole in a VM, and when the NAT setting in WireGuard is set to Yes, all the clients in Pi-hole have the name of the unRAID server. Pi-hole runs in an Ubuntu VM on my unRAID server. Once I set NAT to No, all the correct client names returned to normal. Now I run WireGuard with NAT set to No and enabled a static route on my router for WireGuard to my unRAID server, and all is good now.

Excellent, I presume you have set up a manual port forwarding rule on your router.

 

Btw. This solution is also applicable to docker containers running on custom IP addresses (e.g. pi-hole in a container with its own address)

2 minutes ago, bonienl said:

Excellent, I presume you have set up a manual port forwarding rule on your router.

 

Btw. This solution is also applicable to docker containers running on custom IP addresses (e.g. pi-hole in a container with its own address)

While we are looking at this... can we add the ability to use both IPv4 and IPv6 addresses for WireGuard at the same time? The GUI right now is either IPv4 or IPv6. I know I could just add the address line to wg0.conf for IPv6 from the command line, but it would be convenient if I could do it in the GUI. I ran a WireGuard server in a VM for a while, so I'm used to playing with that config file.

3 minutes ago, david279 said:

Can we add the ability to use both IPv4 and IPv6 addresses for WireGuard at the same time

You can add a second tunnel, one for IPv4 and another for IPv6


Ok, I'm confused, I tried searching for the answer, but I can't seem to find it...

Why not just use duckdns/openvpn?? What's so great about wireguard?

1 minute ago, takkkkkkk said:

What's so great about wireguard?

A lot ....


From www.wireguard.com

 

WireGuard® is an extremely simple yet fast and modern VPN that utilizes state-of-the-art cryptography. It aims to be faster, simpler, leaner, and more useful than IPsec, while avoiding the massive headache. It intends to be considerably more performant than OpenVPN.

 

You can search online for comparisons between WireGuard and other VPN solutions.

4 hours ago, bonienl said:

Need more info.

I have multiple VMs all reachable when WireGuard is active

It's not that they aren't reachable. I have my router set up to send all the internet traffic from a VM running on Unraid over an OpenVPN connection instead of my ISP. When WireGuard was running it sent all traffic from my VM over my ISP connection, bypassing the VPN set up on the router. When I turned WireGuard off, the traffic once again got routed over the OpenVPN connection on the router.

 

4 hours ago, david279 said:

I saw something like this too. I run Pi-hole in a VM, and when the NAT setting in WireGuard is set to Yes, all the clients in Pi-hole have the name of the unRAID server. Pi-hole runs in an Ubuntu VM on my unRAID server. Once I set NAT to No, all the correct client names returned to normal. Now I run WireGuard with NAT set to No and enabled a static route on my router for WireGuard to my unRAID server, and all is good now.

Setting NAT in Wireguard to "no" and adding a static route to my router keeps my VM traffic with the VPN connection on the router. This has solved my issue completely, THANK YOU @david279!


Hi All

 

I don't seem to see the option to change the "local tunnel network pool" anymore in Advanced view.

Also tried to delete the plugin and install it again, but the last update made it vanish from my plugin list, maybe by design?

Should I delete the config folder on the flash drive to get back to "start"?

 

UPDATE: Deleted the folder, rebooted the server, did the configuration again - found that Local tunnel was in the Peer name (Sorry)

 

I am now connected but no handshake?

Added the port and also the static route, and I see some activity so what could I be missing?

 


 

Edited by casperse


Is there an option with the "Remote tunneled access" to restrict the access to the Unraid LAN? That is, I would like to make a setup with only IP tunneling/forwarding without an access to the LAN. Is this possible?

 


What is the advantage or disadvantage of "Remote access to LAN" vs "Remote tunneled access"?

1 hour ago, Gragorg said:

What is the advantage or disadvantage of "Remote access to LAN" vs "Remote tunneled access"?

Depends on what you are trying to do. See the description and diagram in the first post of this thread.

8 hours ago, ptr78 said:

Is there an option with the "Remote tunneled access" to restrict the access to the Unraid LAN? That is, I would like to make a setup with only IP tunneling/forwarding without an access to the LAN. Is this possible?

No, as mentioned in the first post, you really need to trust the people that you give this VPN access to. Regardless of which access type you choose, assume the user could get full access to your LAN.

 

If you really want to do it, you could potentially put WireGuard on a Raspberry Pi on its own VLAN. But that is well beyond the scope of what we are trying to do with this plugin.

16 hours ago, casperse said:

I am now connected but no handshake?

Added the port and also the static route, and I see some activity so what could I be missing?

Activity with no handshake is odd, I don't think I have seen that before.

 

Not sure what you mean by "static route"? Are you trying to get around issues with VMs or dockers? I'd remove that until you get the basics down first.

 

I'd recommend you start with the scenario in the guide, "remote access to LAN". If you can get that working, that will prove all the basics are good. If you have issues with that, go through the troubleshooting section with a fine-tooth comb. Once you have the basics working you can move on to the other options.

Edited by ljm42

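The "activity but no handshake" state ljm42 describes above is visible on the server side in `wg show wg0 dump`: non-zero transfer counters with a latest-handshake of 0. The following is an added example, not part of the Unraid plugin or the guide; it parses that dump format (as documented for wireguard-tools) and labels each peer. The keys, endpoints and counters in the sample are constructed placeholders.

```python
"""Classify WireGuard peers from `wg show wg0 dump` output (added example)."""
import time

# Constructed sample of `wg show wg0 dump` with placeholder keys (tab separated).
# Line 1 (interface): private-key, public-key, listen-port, fwmark. Peer lines:
# public-key, preshared-key, endpoint, allowed-ips, latest-handshake (unix
# seconds, 0 = never), rx-bytes, tx-bytes, persistent-keepalive.
SAMPLE_DUMP = (
    "PRIVKEY_PLACEHOLDER\tSERVER_PUBKEY\t51820\toff\n"
    "PEER_A_PUBKEY\t(none)\t203.0.113.10:41234\t10.253.0.2/32\t1700000000\t8192\t16384\t25\n"
    "PEER_B_PUBKEY\t(none)\t198.51.100.7:51820\t10.253.0.3/32\t0\t0\t2960\toff\n"
    "PEER_C_PUBKEY\t(none)\t(none)\t10.253.0.4/32\t0\t0\t0\toff\n"
)
# WireGuard rekeys roughly every 2 minutes; 3 minutes without a handshake means
# the link is down even if the tunnel still shows as active.
STALE_AFTER = 180

def parse_dump(text):
    """Return a list of peer dicts from `wg show <iface> dump` text."""
    lines = [ln for ln in text.splitlines() if ln.strip()]
    peers = []
    for line in lines[1:]:  # lines[0] describes the interface itself
        f = line.split("\t")
        peers.append({
            "public_key": f[0],
            "endpoint": None if f[2] == "(none)" else f[2],
            "allowed_ips": f[3].split(","),
            "latest_handshake": int(f[4]),
            "rx": int(f[5]),
            "tx": int(f[6]),
        })
    return peers

def classify(peer, now):
    """Map one peer to a troubleshooting state."""
    if peer["latest_handshake"] == 0:
        if peer["rx"] or peer["tx"]:
            # Packets flow but no handshake ever completed: check keys,
            # endpoint and port forwarding before touching routes.
            return "no-handshake-with-traffic"
        return "never-connected"
    return "healthy" if now - peer["latest_handshake"] <= STALE_AFTER else "stale"

def report(text, now=None):
    """Return {peer public key: state} for every peer in the dump."""
    now = time.time() if now is None else now
    return {p["public_key"]: classify(p, now) for p in parse_dump(text)}
```

On a live server, feed it `subprocess.run(["wg", "show", "wg0", "dump"], capture_output=True, text=True).stdout` instead of the sample.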
9 minutes ago, ljm42 said:

No, as mentioned in the first post, you really need to trust the people that you give this VPN access to. Regardless of which access type you choose, assume the user could get full access to your LAN.

 

Yes, totally understandable. Thank you for the fast reply!

 

17 hours ago, casperse said:

Hi All

 

I don't seem to see the option to change the "local tunnel network pool" anymore in Advanced view.

Also tried to delete the plugin and install it again, but the last update made it vanish from my plugin list, maybe by design?

Should I delete the config folder on the flash drive to get back to "start"?

 

UPDATE: Deleted the folder, rebooted the server, did the configuration again - found that Local tunnel was in the Peer name (Sorry)

 

I am now connected but no handshake?

Added the port and also the static route, and I see some activity so what could I be missing?

 


 

Any suggestions? I have read through the post and I can't see anything wrong...

I am only testing with the phone app. Also tried to change tunnel to LAN but I still get no handshake? (Logfile on device says no handshake)

Regards

Casperse

 

Unifi settings:

[screenshot: Unifi settings]

Port forwarding:

[screenshot: port forwarding rule]

Edited by casperse


OK, so I just tried my other IP on my Unraid server (I have a backup) and then it just worked? (Bridge is enabled!)

How can this be? What sets the priority of my IPs for the Unraid server?

 

Have I configured the network wrong?

Primary IP (Should be) 192.168.0.6


 

Is it a bug? Running 6.8-rc3

 

Secondary IP: 192.168.0.13 <---- WireGuard connects to this one?

Edited by casperse


Try testing with "Local gateway uses NAT = NO"

This prevents adding additional iptables rules to the server.

 

1 hour ago, bonienl said:

Try testing with "Local gateway uses NAT = NO"

This prevents adding additional iptables rules to the server.

 

SORRY, spoke too fast. Update: No, that didn't work either, the handshake was cached @bonienl

Changed the static route to my primary IP and also the forwarding, changed NAT to NO and then no access.

Edited by casperse


OK, I added a peer with remote access to LAN. The tunnel can be activated (with a mobile data connection), but I cannot connect to the server by IP. I disconnected the tunnel, and now I cannot even connect to the server from the laptop on the same LAN; even ping cannot reach it. Now I have totally lost connection to the server (web or SSH).


Wow, I've been using this and it's simply amazing. Huge thank you for integrating this into Unraid.

On 10/23/2019 at 1:32 AM, trott said:

OK, I added a peer with remote access to LAN. The tunnel can be activated (with a mobile data connection), but I cannot connect to the server by IP. I disconnected the tunnel, and now I cannot even connect to the server from the laptop on the same LAN; even ping cannot reach it. Now I have totally lost connection to the server (web or SSH).

Not sure what happened, but hopefully you saw this in the Troubleshooting section of the guide:

If you can't reach the Unraid webgui for some reason and you need to prevent a WireGuard tunnel from automatically starting, delete this file from your flash drive and reboot:
  /boot/config/wireguard/autostart

 


I have amended the guide, there is now a section for "Complex Networks" that talks about setting "Use NAT" to "No" and adding a static route in your router. This is needed if you have Dockers with custom IPs or certain VM setups.

 

These changes should allow everything on the network to work normally. However, as several people have seen, your WireGuard clients may not be able to access those Dockers or VMs. This still needs to be figured out. If you find a solution, please comment :) 

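To make the "Use NAT" choice in the Complex Networks section concrete, here is an added example (not code from the plugin or the guide) that models what a VM or custom-IP Docker container on the LAN sees from a WireGuard client under each setting, and sanity-checks the subnets involved. The tunnel pool, LAN and server address are constructed sample values; the Unraid host itself is not affected either way because it terminates the tunnel.

```python
"""Model "Use NAT" Yes/No for WireGuard clients reaching LAN hosts (added example)."""
import ipaddress

# Constructed sample addressing: a tunnel pool and a typical home LAN.
TUNNEL = "10.253.0.0/24"
LAN = "192.168.0.0/24"
SERVER_LAN_IP = "192.168.0.6"  # assumed Unraid host address

def check_subnets(lan=LAN, tunnel=TUNNEL, server_ip=SERVER_LAN_IP):
    """Return a list of configuration problems (empty when the addressing is sane)."""
    lan, tunnel = ipaddress.ip_network(lan), ipaddress.ip_network(tunnel)
    problems = []
    if lan.overlaps(tunnel):
        problems.append("tunnel pool overlaps the LAN; choose a different tunnel subnet")
    if ipaddress.ip_address(server_ip) not in lan:
        problems.append("server LAN IP is not inside the LAN subnet")
    return problems

def source_seen_by_lan_host(client_tunnel_ip, use_nat, router_has_static_route,
                            tunnel=TUNNEL, server_ip=SERVER_LAN_IP):
    """Return (source address a VM or custom-IP container sees, reply_reaches_client).

    use_nat=True : the server masquerades tunnel traffic behind its own LAN IP, so
                   every client shows up as the Unraid server (the Pi-hole symptom).
    use_nat=False: the packet keeps its tunnel source; the LAN host sends its reply
                   to the router, which needs a static route back via the server.
    """
    client = ipaddress.ip_address(client_tunnel_ip)
    if client not in ipaddress.ip_network(tunnel):
        raise ValueError(f"{client} is not in the tunnel pool {tunnel}")
    if use_nat:
        return server_ip, True
    return str(client), router_has_static_route

def router_static_route(tunnel=TUNNEL, server_ip=SERVER_LAN_IP):
    """The static route to add on the router when Use NAT = No."""
    return f"{tunnel} via {server_ip}"
```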
