WireGuard quickstart


ljm42


4 hours ago, bonienl said:

To give access to a specific IP address on the client side, you need to set the "Peer allowed IPs" accordingly. I.e. enter the address(es) which may be reached

 

Actually I'm trying to allow a peer to connect to a specific VM on my server, or a specific docker on my server, and no access to the rest of my network. Is that possible?


32 minutes ago, INTEL said:

Actually I'm trying to allow a peer to connect to a specific VM on my server, or a specific docker on my server, and no access to the rest of my network. Is that possible?

At the client side access is controlled by the "Peer allowed IPs", but of course a client can change these. Wireguard does not have a mechanism to restrict incoming access at the server side.

 

A possible solution is to use iptables (firewall), but this requires manual work and won't be stored permanently. Besides, iptables is not the most user-friendly firewall configuration out there.

 

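The iptables approach mentioned above, as an added example (not code from the Unraid WireGuard plugin): forward rules that let one tunnel peer reach one LAN host and nothing else. The interface name wg0, the peer tunnel address 10.253.0.2 and the target 192.168.1.50 are assumed placeholder values; the rules cover forwarded traffic (VMs, containers on their own network) and, as the post notes, are not persistent across reboots.

```shell
#!/bin/sh
# Added example, not part of the Unraid WireGuard plugin.
# Restrict a single WireGuard peer to one LAN host with iptables FORWARD rules.
# Assumed (hypothetical) values: tunnel interface wg0, peer 10.253.0.2,
# target VM/container 192.168.1.50. These rules are lost on reboot.
# Note: traffic aimed at services on the Unraid host itself goes through the
# INPUT chain, not FORWARD, so it is not covered by these rules.

WG_IF="${WG_IF:-wg0}"
DRY_RUN="${DRY_RUN:-1}"   # 1 = only print the commands; 0 = apply them (needs root)

# run_rule: print or execute one iptables command, depending on DRY_RUN
run_rule() {
    if [ "$DRY_RUN" = "1" ]; then
        printf 'iptables %s\n' "$*"
    else
        iptables "$@"
    fi
}

# restrict_peer PEER_IP TARGET_IP: allow forwarding from PEER_IP to TARGET_IP
# and the matching replies, then drop everything else this peer sends via wg0.
# Rules are inserted at the top of FORWARD so they take precedence over
# any broader ACCEPT rules already present.
restrict_peer() {
    peer="$1"; target="$2"
    # 1. the one permitted destination
    run_rule -I FORWARD 1 -i "$WG_IF" -s "$peer" -d "$target" -j ACCEPT
    # 2. return traffic belonging to connections the peer opened
    run_rule -I FORWARD 2 -o "$WG_IF" -d "$peer" -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    # 3. everything else from this peer through the tunnel is dropped
    run_rule -I FORWARD 3 -i "$WG_IF" -s "$peer" -j DROP
}

# count_rules PEER_IP TARGET_IP: number of rules restrict_peer would emit (self-check)
count_rules() {
    ( DRY_RUN=1; restrict_peer "$1" "$2" ) | wc -l | tr -d ' '
}

restrict_peer 10.253.0.2 192.168.1.50
```

Run with DRY_RUN=0 as root to apply; to keep the rules across reboots they must be re-applied from a startup hook, which the plugin does not do.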
3 minutes ago, bonienl said:

At the client side access is controlled by the "Peer allowed IPs", but of course a client can change these. Wireguard does not have a mechanism to restrict incoming access at the server side.

 

A possible solution is to use iptables (firewall), but this requires manual work and won't be stored permanently. Besides, iptables is not the most user-friendly firewall configuration out there.

 

Thanks, I figured it wouldn't work like that.

9 hours ago, bonienl said:

When the WAN IP address changes, your router needs to take care of it. WireGuard will follow automatically.

My router will take care of it, but I have it on a UPS, much like Unraid, so there will be no shutdown or reboot. So I assume, based on what you said, and if I understand correctly, WireGuard will monitor and automagically update should the WAN IP change, without the need for a reboot, restart etc., which is awesome sauce.

On 11/30/2019 at 1:58 PM, SupremeArmchair said:

I'm also having problems with the wireguard plugin. I followed the instructions under quickstart, and forwarded my router on port 51820 and set up my peer as my phone. However, I am unable to connect on my phone to wireguard. Even on the same WiFi as my server, my phone will still not be able to connect to wireguard. It seems unable to make a handshake with the server. Wireguard is on, peer is setup with a QR code and remote to LAN. Has anyone had an issue like this?

Using an iOS phone I am having the same problem. Port forwarding seems to be working, as my Windows client is working. It's just the phone that has problems.


Not having any luck getting this to work at all.

 

I have 2 NICs. Bridging is enabled on both. I have VLANs enabled on eth1.

 

Anyway, long story short, it seems that Wireguard isn't listening on my server. Here's the output of lsof -i -P -n | grep UDP

 

rpcbind    2020    rpc    6u  IPv4    14656      0t0  UDP *:111
rpcbind    2020    rpc    8u  IPv6    14658      0t0  UDP *:111
rpc.statd  2025    rpc    5u  IPv4    13692      0t0  UDP 127.0.0.1:929
rpc.statd  2025    rpc    8u  IPv4    13695      0t0  UDP *:58404
rpc.statd  2025    rpc   10u  IPv6    13699      0t0  UDP *:44546
ntpd       2055    ntp   16u  IPv4    11914      0t0  UDP 127.0.0.1:123
ntpd       2055    ntp   17u  IPv6  9942089      0t0  UDP [fe80::8423:1eff:feb5:9a7b]:123
ntpd       2055    ntp   18u  IPv6    11918      0t0  UDP [::1]:123
ntpd       2055    ntp   19u  IPv4  9937148      0t0  UDP 10.100.0.133:123
avahi-dae  4448  avahi   14u  IPv4    21288      0t0  UDP *:5353
avahi-dae  4448  avahi   15u  IPv6    21289      0t0  UDP *:5353
avahi-dae  4448  avahi   16u  IPv4    21290      0t0  UDP *:46303
avahi-dae  4448  avahi   17u  IPv6    21291      0t0  UDP *:49977
dhcpcd    24541   root    0u  IPv4  9938170      0t0  UDP 10.100.0.133:68
dnsmasq   25171 nobody    3u  IPv4  9944874      0t0  UDP *:67
dnsmasq   25171 nobody    5u  IPv4  9944877      0t0  UDP 192.168.122.1:53
nmbd      25531   root   17u  IPv4  9942622      0t0  UDP *:137
nmbd      25531   root   18u  IPv4  9942623      0t0  UDP *:138
nmbd      25531   root   19u  IPv4  9942639      0t0  UDP 10.100.0.133:137
nmbd      25531   root   20u  IPv4  9942640      0t0  UDP 10.100.0.255:137
nmbd      25531   root   21u  IPv4  9942641      0t0  UDP 10.100.0.133:138
nmbd      25531   root   22u  IPv4  9942642      0t0  UDP 10.100.0.255:138
nmbd      25531   root   23u  IPv4  9942643      0t0  UDP 192.168.122.1:137
nmbd      25531   root   24u  IPv4  9942644      0t0  UDP 192.168.122.255:137
nmbd      25531   root   25u  IPv4  9942645      0t0  UDP 192.168.122.1:138
nmbd      25531   root   26u  IPv4  9942646      0t0  UDP 192.168.122.255:138
nmbd      25531   root   28u  IPv4  9968888      0t0  UDP 172.17.0.1:137
nmbd      25531   root   29u  IPv4  9968889      0t0  UDP 172.17.255.255:137
nmbd      25531   root   30u  IPv4  9968890      0t0  UDP 172.17.0.1:138
nmbd      25531   root   31u  IPv4  9968891      0t0  UDP 172.17.255.255:138
wsdd      25538   root    3u  IPv6  9939632      0t0  UDP *:3702

It seems UDP 51820 isn't listening at all.


Ran into a strange issue and fixed today, not sure if anyone has reported this but couldn't find anything in a rudimentary search.

 

If you uninstall WG after having set up a connection, your wg0 interfaces remain and cannot be deleted manually via Network Settings / the Unraid routing table GUI. You instead have to reinstall WG and then remove the config to correct it.

 

I think these routes should be removed once the plugin is uninstalled.

Edited by sirkuz

So what is the verdict - can you use WireGuard if your Eth0/Eth1 is in a bond, or not (for Remote to LAN type connections)? I would rather not disable the bond, as I regularly go over a single 1Gb connection of bandwidth when doing backups on multiple nodes.

 

Thoughts?

 

My network connections today:

Eth0/Eth1 - bonded, bridging = false.

Eth2 - VM/Docker LAN connections, bridging=true

Eth3 - VM/Docker IoT connections, bridging=true

Edited by JasonJoel

Excellent guide and it worked flawlessly, thank you.

 

My knowledge base is thin, so sorry if this question is naive:  when active on a client (iPhone) is all traffic routed through wireguard to home LAN, thus encrypted and serving as VPN for safe browsing on unsecured wifi?

 

Or is it just a point-to-point tunnel that allows for encrypted access to addresses on the server's LAN?

 

Thanks!

 

1 hour ago, J.Nerdy said:

My knowledge base is thin, so sorry if this question is naive:  when active on a client (iPhone) is all traffic routed through wireguard to home LAN, thus encrypted and serving as VPN for safe browsing on unsecured wifi?

 

Or is it just a point-to-point tunnel that allows for encrypted access to addresses on the server's LAN?

It depends on which "Peer type of access" you choose. "Remote tunneled access" pushes everything through the VPN tunnel; the others do split tunneling (where only the traffic destined for Unraid's network uses the VPN tunnel).

8 hours ago, Danny08 said:

and.. how?

It is unclear to me what you try to achieve.

If there is another server setting up a WG tunnel, then it might be as simple as setting routing for the Unraid server to the "external" WG tunnel, but this has nothing to do with the WG implementation on Unraid.

8 hours ago, Danny08 said:

and.. how?

I tried it like on every other server and it doesn't do anything, and I can't find logs.

That is way beyond this guide and will require you to read up on Wireguard. The plugin takes care of all the details for you *if* it is managing the tunnel. If you are connecting to another tunnel that is not managed by Unraid, you will need to deal with setting up the private/public keys, assigning the IP address, determining the endpoint urls, etc.  All of this is Wireguard specific, nothing to do with the fact that the client is Unraid.

 

Once you have created a config file for the Unraid client that will connect to your other system, choose the "Import config" option in the plugin. I honestly haven't done that in a while so I don't recall the exact steps after that. But it should get you close.

 

There is really only one caveat that I can think of - Unraid will ignore any dns server setting that is in the config file, probably best to just leave that out.  Everything else is standard wireguard.

 

Note that everything mentioned in the second post still applies - troubleshooting is very difficult because wireguard fails silently. There are no helpful logs to look at. It works or it doesn't.

On 12/12/2019 at 5:35 PM, Psybernoid said:

It seems UDP 51820 isn't listening at all.

Use "wg" instead

root@vesta:/# wg
interface: wg0
  public key: +vmlfqmRg6XxRCo86Ynqzsobd4kN0HXZsq2bN13akCI=
  private key: (hidden)
  listening port: 51821

 

On 12/12/2019 at 8:54 PM, JasonJoel said:

So what is the verdict - can you use WireGuard if your Eth0/Eth1 is in a bond, or not (for Remote to LAN type connections)? I would rather not disable the bond, as I regularly go over a single 1Gb connection of bandwidth when doing backups on multiple nodes.

 

Thoughts?

 

My network connections today:

Eth0/Eth1 - bonded, bridging = false.

Eth2 - VM/Docker LAN connections, bridging=true

Eth3 - VM/Docker IoT connections, bridging=true

Yes, this works (I tested this using a bonded interface with 4 members)


I know that I'm missing something simple: when using remote tunneled access, I can hit my server and LAN without an issue, but the client cannot browse to addresses outside the LAN (internet). I thought maybe it was DNS resolution, but entering IP addresses for sites still times out. (I assume the server is routing all traffic when using tunneled access and sending it back to the client.)

 

Is there a configuration besides setting remote tunneled access that I will need to change?
