WireGuard quickstart


ljm42


19 hours ago, ljm42 said:

Not sure what happened, but hopefully you saw this in the Troubleshooting section of the guide:

 

Thanks, I think I might try later. What will this plugin modify on the system when the tunnel is active? Like iptables ...

Edited by trott
On 10/16/2019 at 3:40 PM, nuhll said:

I GOT IT WORKING 100%

This is not entirely true.

With your router acting as DNS forwarder, it will cache DNS entries and make them available to your clients BEFORE Pi-hole gets a chance to block.

In other words, you will still see many advertisements.

 

The only true way to block unwanted content is by setting the pi-hole DNS server as the FIRST choice to clients.

 

Edited by bonienl
26 minutes ago, bonienl said:

This is not entirely true.

With your router acting as DNS forwarder, it will cache DNS entries and make them available to your clients BEFORE Pi-hole gets a chance to block.

In other words, you will still see many advertisements.

 

The only true way to block unwanted content is by setting the pi-hole DNS server as the FIRST choice to clients.

 

Sorry, that's false.

 

What should it cache when it NEVER gets an IP for that domain??? ;) ;) ;) Also, I see it working just fine. The only reason the DNS blocking works without a correct route to the docker containers is that it first goes to the router instead of directly to the docker. I can't reach dockers either. I think there needs to be a route added to Unraid to allow access from 10.* to br0, but I can't translate the network settings inside Unraid.

 

I think the route is missing inside Unraid because all other devices can access everything else on the network fine without adding any route anywhere.

Edited by nuhll

Having the same issue, but not quite sure where to go from here.  I use Pi-hole through Docker on br0 with its own IP address (10.0.1.7).  Adding a static route to the Unraid IP (10.0.1.5) allowed me to access external domains using Remote Tunneled Access, but only with an external DNS server set in the WireGuard profile.  I can access all other LAN IPs on the network except for the Pi-hole IP.  If I use my router IP (10.0.1.1) for DNS, it still works, but I get DNS leaks (I'm assuming it's because the primary DNS IP for Pi-hole that's set is failing, so it's falling back to the external secondary).

 

** Edit: Read up on the other WireGuard thread and tried using a VLAN for Pi-hole to fix the issue.  Looks like everything is working on a remote client (using iOS to test) and I can access all Docker IPs remotely.  In case this helps anyone else, thought I'd post screenshots.

 

Unraid network settings for VLAN: [screenshot]

 

Unraid Docker settings after setting that up: [screenshot]

 

Unraid Pi-hole settings (I also set the "ServerIP" variable to the same and left the "INTERFACE" variable as eth0): [screenshot]

 

Unifi static route: [screenshot]

 

Unifi VLAN settings: [screenshot]

 

WireGuard client settings: [screenshot]

 

I'm no expert on this stuff, but from what I got from the other thread and setup here, it seems to be working and the IP shows as the Unraid/home network when accessing external domains when Wireguard is turned on.

Edited by sswany
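Added example (shell), not code from the Unraid WireGuard plugin or from any poster in this thread: a "remote tunneled access" client config that follows bonienl's rule, Pi-hole as the only resolver, plus a check that flags the fallback-resolver setup sswany suspects behind the DNS leak. Addresses follow the thread's examples (Pi-hole 10.0.1.7, tunnel subnet 10.253.0.0/24); the endpoint host and both keys are placeholders.

```sh
#!/bin/sh
# Added example, not code from the Unraid WireGuard plugin or from this thread.
# Builds a "remote tunneled access" client config whose ONLY resolver is Pi-hole,
# then checks a config for a second resolver that could answer before Pi-hole
# does (the fallback sswany suspects behind the DNS leak).
#
# Assumed addresses, taken from the thread's examples: Pi-hole 10.0.1.7,
# tunnel subnet 10.253.0.0/24. The endpoint host and both keys are placeholders.

# make_client_conf CLIENT_TUNNEL_IP DNS_IP ENDPOINT SERVER_PUBKEY CLIENT_PRIVKEY
# Prints a wg-quick style client config on stdout.
make_client_conf() {
  cat <<EOF
[Interface]
PrivateKey = $5
Address = $1/32
# One resolver only. Together with AllowedIPs = 0.0.0.0/0 every DNS query
# travels through the tunnel, so nothing can answer before Pi-hole sees it.
DNS = $2

[Peer]
PublicKey = $4
Endpoint = $3
# 0.0.0.0/0 is "remote tunneled access": all traffic, DNS included, via the tunnel.
AllowedIPs = 0.0.0.0/0
PersistentKeepalive = 25
EOF
}

# dns_only CONF_FILE EXPECTED_IP
# Succeeds only if the DNS line names exactly EXPECTED_IP. A list such as
# "10.0.1.7, 1.1.1.1" fails: when Pi-hole does not answer, the client quietly
# falls back to the second resolver and the blocking is gone.
dns_only() {
  dns_line=$(grep -E '^[[:space:]]*DNS[[:space:]]*=' "$1" | head -n 1)
  [ -n "$dns_line" ] || return 1
  addrs=$(printf '%s' "$dns_line" | sed 's/^[^=]*=//; s/[[:space:]]//g')
  [ "$addrs" = "$2" ]
}

# Demo: write a config and check it.   sh client.sh demo
if [ "${1:-}" = "demo" ]; then
  make_client_conf 10.253.0.2 10.0.1.7 vpn.example.com:51820 SERVERPUBKEY CLIENTPRIVKEY > /tmp/phone.conf
  dns_only /tmp/phone.conf 10.0.1.7 && echo "phone.conf: Pi-hole is the only resolver"
fi
```

Run dns_only against the profile that is actually on the phone: a profile with a public secondary resolver passes casual testing (ads are blocked while Pi-hole answers) and leaks the moment Pi-hole is unreachable from the tunnel, which is exactly the symptom reported above.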

I played around with this today and got it going. Pretty cool! Faster than the built-in VPN in Sophos too!

 

Leaving the following info as I use sophos UTM 9 and it might help anyone else using this firewall and this service:

 

 

Set up NAT forwarding for the port forward to your server as demonstrated here, and automatically create a firewall rule:  

  

 

Set up WireGuard per the instructions at the top of this thread. For basic server and LAN access, you are done.

 

 

 

If you want VPN access to the internet from a peer/client: use the VPN address/pool provided by the WireGuard setup for clients, starting at xxx.xx.xx.0, and add a masquerading rule to allow that pool to access External (WAN). 

 

 

 

That's it. A note though, the plugin still complains about this:

 

 Remark: configure your router with port forwarding of port 51820/UDP to 86.75.30.9

 

But everything still works. Don't know if it's a bug or if it's Sophos being Sophos.

 

Either way, thanks for the great feature!

 

Edited by 1812
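Added example, not from 1812's post and not Sophos configuration: the same port forward and masquerade expressed as iptables on a Linux router, plus the return route for the tunnel subnet that sswany and nuhll mention having to add. Every name in it is an assumption for illustration: WAN interface eth0, Unraid server 10.0.1.5, tunnel pool 10.253.0.0/24 (the 10.253 subnet nuhll refers to), UDP port 51820. The script prints the commands by default and only applies them when run with "apply" as root.

```sh
#!/bin/sh
# Added example, not from 1812's post or from Sophos: the same port forward and
# masquerade as iptables on a Linux router, plus the return route for the tunnel
# subnet that sswany and nuhll had to add. All names below are assumptions for
# illustration: WAN interface eth0, Unraid server 10.0.1.5, tunnel pool
# 10.253.0.0/24, UDP port 51820. Override them via the environment,
# e.g. WAN_IF=ppp0 sh wg-gateway.sh
WAN_IF=${WAN_IF:-eth0}
SERVER_IP=${SERVER_IP:-10.0.1.5}
WG_POOL=${WG_POOL:-10.253.0.0/24}
WG_PORT=${WG_PORT:-51820}

# Step 1: port forward. UDP/$WG_PORT arriving on the WAN interface is rewritten
# to the server (DNAT) and FORWARD must then accept it; this is the "NAT rule +
# automatically created firewall rule" pair from the Sophos GUI.
port_forward_rules() {
  cat <<EOF
iptables -t nat -A PREROUTING -i $WAN_IF -p udp --dport $WG_PORT -j DNAT --to-destination $SERVER_IP:$WG_PORT
iptables -A FORWARD -i $WAN_IF -p udp -d $SERVER_IP --dport $WG_PORT -j ACCEPT
EOF
}

# Step 2: masquerade. Lets the tunnel pool reach the internet through the WAN
# address. Only "remote tunneled access" needs it; LAN-only access does not.
masquerade_rules() {
  cat <<EOF
iptables -A FORWARD -s $WG_POOL -o $WAN_IF -j ACCEPT
iptables -A FORWARD -d $WG_POOL -i $WAN_IF -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
iptables -t nat -A POSTROUTING -s $WG_POOL -o $WAN_IF -j MASQUERADE
EOF
}

# Return route: the router must know that the tunnel subnet lives behind the
# Unraid box, otherwise replies to a 10.253.x client follow the default route
# out of the WAN instead of going back into the tunnel.
return_route() {
  echo "ip route add $WG_POOL via $SERVER_IP"
}

# Default is to print the commands; "apply" runs them (root).
case "${1:-print}" in
  apply) { port_forward_rules; masquerade_rules; return_route; } | sh -e ;;
  print) port_forward_rules; masquerade_rules; return_route ;;
esac
```

The "Remark: configure your router with port forwarding ..." message discussed below is exactly the first rule here; the plugin cannot see the router's NAT table, so it keeps reminding you regardless of whether the rule exists.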
45 minutes ago, bonienl said:

The remark is given as a reminder to the user, because the server can't really check if the proper forwarding rule is actually set on your router. 

 

Perhaps instead of "Remark" the text should say "Reminder", because I thought I was doing it wrong and forwarding wasn't working because it kept showing up... partly due to the explanation in the first post about auto UDP... (and maybe I didn't read all the explanation very closely and it is clear?)

2 minutes ago, nuhll said:

What about removing it IF the first connection happened AND the address didn't change.

Sorry, I don't understand what you try to say.

 

When UPnP is enabled on Unraid (see management settings) and UPnP is enabled on the router, then port forwarding is done automatically. The result is displayed in the GUI.

 

When the router has UPnP disabled or does not support it, or Unraid has the UPnP setting disabled, then manual port forwarding is required on the router. In this case Unraid cannot check the actual status and gives the remark message.

 

46 minutes ago, bonienl said:

Sorry, I don't understand what you try to say.

 

When UPnP is enabled on Unraid (see management settings) and UPnP is enabled on the router, then port forwarding is done automatically. The result is displayed in the GUI.

 

When the router has UPnP disabled or does not support it, or Unraid has the UPnP setting disabled, then manual port forwarding is required on the router. In this case Unraid cannot check the actual status and gives the remark message.

 

.........

 

Remove the message to port forward

IF 

first successful connection

AND

address didn't change

 

just a suggestion... 

 

I also would like a tutorial on how to get the connection to br0 fixed without VLANs (my routers/switches don't support that).

 

I wonder if you can't just add a custom rule to Unraid's network setup which redirects all wg0 traffic to the router? And then router -> Unraid -> br0?

Edited by nuhll
1 hour ago, bonienl said:

BR0 is a directly connected interface and it is not possible to overrule routing to point to the gateway, which always has a higher metric.

aha.

 

How does the traffic from my network reach br0 then?

 

router -> unraid -> br0?

 

If the 10.253 subnet reaches Unraid not locally (to avoid "br0 can't reach host"), but over the router, wouldn't that work?

 

Anyway, can you tell me the easiest way to get that working?

Edited by nuhll
On 10/22/2019 at 7:09 AM, ljm42 said:

Activity with no handshake is odd, I don't think I have seen that before.

 

Not sure what you mean by "static route"? Are you trying to get around issues with VMs or dockers? I'd remove that until you get the basics down first.

 

I'd recommend you start with the scenario in the guide, "remote access to LAN". If you can get that working, that will prove all the basics are good. If you have issues with that, go through the troubleshooting section with a fine-tooth comb. Once you have the basics working you can move on to the other options.

I managed to get everything working; it's really fast and I LOVE IT!

BUT it only works if I connect to my "fault-tolerance (active-backup)" IP, not the "main IP"?

I have tried so many things, but this is the only one working. Any idea why? And how can I change the priority for WireGuard?

 


 

Network setup: [screenshot]

eth4: [screenshot]

WireGuard: [screenshot]

 

Any suggestions?


So trying out the RC branch for the first time and installed RC5.  Went to set up WireGuard with the Dynamix plugin.  Ran into a show stopper up front.  I use a DDNS with a .network FQDN.  When I entered my .network domain in the local endpoint input box it generates an error that my .network domain is not a true FQDN.  I assume someone just hard-coded the vanilla .com / .net / .org in the error checking for that field.  Can we get that fixed?

59 minutes ago, gdeyoung said:

I assume someone just hard coded the vanilla .com / .net / .org in the error checking for that field.

Nothing hardcoded. Verification is done using regular expressions, and the current implementation accepts top-level domain names between 2 and 6 characters.

Your ".network" is 7 characters. I'll make an update to allow longer names.

 

Ps. Update is available

Edited by bonienl
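Added example illustrating the class of check bonienl describes; these patterns are not the plugin's own regular expression. The first models a pattern that allows 2 to 6 characters for the top-level label and therefore rejects gdeyoung's .network name; the second allows up to 63, the DNS label limit, while still keeping the top-level label alphabetic so a bare IPv4 address is not accepted as a host name.

```sh
#!/bin/sh
# Added example; these patterns illustrate the class of check bonienl describes
# and are NOT the plugin's own regular expression.
#
# is_fqdn_old NAME  models a pattern that allows 2..6 characters for the
#                   top-level label, which is why ".network" (7) was rejected
# is_fqdn NAME      allows up to 63, the DNS label limit, and keeps the TLD
#                   alphabetic so a bare IPv4 address is still not a host name
LABEL='[A-Za-z0-9]([A-Za-z0-9-]{0,61}[A-Za-z0-9])?'   # 1..63 chars, no edge hyphen

is_fqdn_old() {
  printf '%s\n' "$1" | grep -Eq "^($LABEL\.)+[A-Za-z]{2,6}\$"
}

is_fqdn() {
  [ "${#1}" -le 253 ] || return 1                  # total name length limit
  printf '%s\n' "$1" | grep -Eq "^($LABEL\.)+[A-Za-z]{2,63}\$"
}

# Demo:  sh fqdn.sh my.ddns.network
if [ -n "${1:-}" ]; then
  if is_fqdn "$1"; then echo "$1: valid FQDN"; else echo "$1: not a valid FQDN"; fi
fi
```

A length bound on the top-level label is not a security check, it is a format guess; the limit that actually matters is 63 characters per label, and anything tighter will keep breaking as new top-level domains appear.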

I found that if you do something strange in the setup and hit apply, you will lose access to the server... you will not be able to ping it or load the interface.

 

To fix it without rebooting, after having deleted the autostart from /etc/wireguard, just get to the command line locally and type

 

ifconfig wg0 down

 

The server immediately becomes available, and then you can go back to WireGuard, turn it off, correct the setting and enable it again.

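Added example, not the plugin's own mechanism: a dead man's switch for the lock-out described in the post above. It runs an "up" command, waits for a confirmation file to appear, and runs a "down" command (for instance the ifconfig wg0 down from the post) if nobody confirms within the time limit, so a bad apply undoes itself without a trip to the console. The command strings, the file path and the timeout are parameters; the wg-quick and ifconfig commands in the comments are illustrative.

```sh
#!/bin/sh
# Added example, not the plugin's mechanism: a dead man's switch for the
# lock-out described above. UP_CMD is run; if CONFIRM_FILE has not appeared
# within TIMEOUT seconds, DOWN_CMD is run to roll the change back, so a bad
# apply undoes itself without a console visit.
#
# Illustrative use on the server (root), confirming from a session that came
# in through the new tunnel or from the LAN:
#   guarded_apply 'wg-quick up wg0' 'ifconfig wg0 down' /tmp/wg-confirmed 120 &
#   ... test access ...
#   touch /tmp/wg-confirmed
# The command strings are examples; the guard itself does not care what they are.

# guarded_apply UP_CMD DOWN_CMD CONFIRM_FILE TIMEOUT_SECONDS
#   0: confirmed in time, change kept
#   1: not confirmed, DOWN_CMD was run
#   2: UP_CMD itself failed, nothing to roll back
guarded_apply() {
  up_cmd=$1; down_cmd=$2; confirm=$3; limit=$4
  rm -f "$confirm"                       # a stale confirmation must not count
  sh -c "$up_cmd" || return 2
  i=0
  while [ "$i" -lt "$limit" ]; do
    if [ -e "$confirm" ]; then
      rm -f "$confirm"
      return 0
    fi
    sleep 1
    i=$((i + 1))
  done
  sh -c "$down_cmd" || true              # roll back; report failure either way
  return 1
}
```

Keep the timeout short enough that a mistake costs minutes, not a drive to the machine, and confirm only from a connection that proves the change works (the new tunnel, or the LAN path you were afraid of losing).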

I tried setting this up. I've been using the openvpn-as docker with no issues, but with WireGuard I cannot get the handshake to initialize.

 

On my iPhone the log indicates:

...
2019-11-08 14:53:52.110832: [NET] peer(q4nv…iXkg) - Handshake did not complete after 5 seconds, retrying (try 19)
2019-11-08 14:53:52.111139: [NET] peer(q4nv…iXkg) - Sending handshake initiation
2019-11-08 14:53:57.174070: [NET] peer(q4nv…iXkg) - Handshake did not complete after 5 seconds, retrying (try 20)
2019-11-08 14:53:57.174466: [NET] peer(q4nv…iXkg) - Sending handshake initiation
2019-11-08 14:54:02.217420: [NET] peer(q4nv…iXkg) - Handshake did not complete after 20 attempts, giving up

At first I thought it was a port forwarding issue; I tried enabling UPnP and letting WireGuard do its thing, but that didn't help. It appears that my client is hitting the service, as the data sent/received goes up, but no handshake. [screenshot]

 

Any ideas what would be causing this? Are there any logs available within unRAID I can look at?

 

Thanks.

 

2 hours ago, bonienl said:

Try to set the MTU size to 1400 and see if that makes a difference.

Just tried it, no luck. I changed it both on unRAID and my iPhone Client.

 

The odd thing is, I can get it working on a Win 10 Client on my network. 

 

I've been testing with my iPhone with wifi turned off. Would my Cell service be blocking something? (I'm on Bell in Canada)

 

Update: I can get it working on my iPhone while connecting to the same network as my server (Internally). Looking like my network is to blame. I'm using Google WiFi if anyone is curious.

Edited by Trites
Updated Information
On 11/8/2019 at 12:52 PM, Trites said:

Just tried it, no luck. I changed it both on unRAID and my iPhone Client.

 

The odd thing is, I can get it working on a Win 10 Client on my network. 

 

I've been testing with my iPhone with wifi turned off. Would my Cell service be blocking something? (I'm on Bell in Canada)

 

Update: I can get it working on my iPhone while connecting to the same network as my server (Internally). Looking like my network is to blame. I'm using Google WiFi if anyone is curious.

Did you set up your port forwarding? I'm on Telus (Canada) and have no issues once I set up port forwarding.

On 11/8/2019 at 12:10 PM, Trites said:

I tried setting this up. I've been using the openvpn-as docker with no issues, but with WireGuard I cannot get the handshake to initialize.

 

On my iPhone the log indicates:


...
2019-11-08 14:53:52.110832: [NET] peer(q4nv…iXkg) - Handshake did not complete after 5 seconds, retrying (try 19)
2019-11-08 14:53:52.111139: [NET] peer(q4nv…iXkg) - Sending handshake initiation
2019-11-08 14:53:57.174070: [NET] peer(q4nv…iXkg) - Handshake did not complete after 5 seconds, retrying (try 20)
2019-11-08 14:53:57.174466: [NET] peer(q4nv…iXkg) - Sending handshake initiation
2019-11-08 14:54:02.217420: [NET] peer(q4nv…iXkg) - Handshake did not complete after 20 attempts, giving up

At first I thought it was a port forwarding issue; I tried enabling UPnP and letting WireGuard do its thing, but that didn't help. It appears that my client is hitting the service, as the data sent/received goes up, but no handshake. [screenshot]

 

Any ideas what would be causing this? Are there any logs available within unRAID I can look at?

 

Thanks.

 

Under the wg0 tunnel, "Local endpoint" is your public-facing IPv4 address.

 

Under the peer (your phone), make sure the peer endpoint is the static internal IP of your Unraid server.

 
