ljm42

WireGuard quickstart


4 hours ago, bonienl said:

To give access to a specific IP address on the client side, you need to set the "Peer allowed IPs" accordingly. I.e. enter the address(es) which may be reached

 

Actually I'm trying to allow a peer to connect to a specific VM on my server, or a specific Docker container on my server, with no access to the rest of my network. Is that possible?

32 minutes ago, INTEL said:

Actually I'm trying to allow a peer to connect to a specific VM on my server, or a specific Docker container on my server, with no access to the rest of my network. Is that possible?

At the client side access is controlled by the "Peer allowed IPs", but of course a client can change these. Wireguard does not have a mechanism to restrict incoming access at the server side.

 

A possible solution is to use iptables (firewall), but this requires manual work and won't be stored permanently. Besides, iptables is not the most user-friendly firewall configuration out there.
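As an added example (not code from the plugin or from anyone in this thread), one way to enforce that restriction on the server side with iptables: the peer's tunnel address and the VM address below are constructed, and the tunnel interface is assumed to be wg0.

```shell
#!/bin/sh
# Added example, not part of the Unraid WireGuard plugin. Emits iptables rules
# that let one peer (identified by its tunnel address) reach exactly one host
# behind the server and nothing else. Assumption: the tunnel interface is wg0.
WG_IF="${WG_IF:-wg0}"

# Accept only dotted-quad IPv4 addresses (rejects hostnames, CIDR, empty input).
is_ipv4() {
    printf '%s\n' "$1" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}$'
}

# Print the rules for peer $1 -> target $2. Each rule is inserted at position 1
# in reverse order, so the final chain order is: ACCEPT to the target, then DROP
# everything else from this peer. Inserting at the top keeps the rules ahead of
# any ACCEPT rules Docker adds to FORWARD. INPUT covers services on the Unraid
# host itself (e.g. a port-mapped container), FORWARD covers bridged VMs.
wg_peer_rules() {
    peer_ip="$1"; target_ip="$2"
    is_ipv4 "$peer_ip" && is_ipv4 "$target_ip" || return 1
    for chain in FORWARD INPUT; do
        echo "iptables -I $chain 1 -i $WG_IF -s $peer_ip -j DROP"
        echo "iptables -I $chain 1 -i $WG_IF -s $peer_ip -d $target_ip -j ACCEPT"
    done
    # Replies from the target travelling back into the tunnel.
    echo "iptables -I FORWARD 1 -o $WG_IF -d $peer_ip -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT"
}

# Dry run by default: print the commands. Set APPLY=1 to execute them as root.
wg_apply_peer_rules() {
    rules=$(wg_peer_rules "$1" "$2") || { echo "invalid IPv4 address" >&2; return 1; }
    if [ "${APPLY:-0}" = "1" ]; then
        printf '%s\n' "$rules" | sh -e
    else
        printf '%s\n' "$rules"
    fi
}

# Constructed values: peer 10.253.0.2 may only reach the VM at 192.168.1.50.
wg_apply_peer_rules 10.253.0.2 192.168.1.50
```

As bonienl notes, these rules are not stored permanently, so they have to be re-applied after every reboot.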

 

3 minutes ago, bonienl said:

At the client side access is controlled by the "Peer allowed IPs", but of course a client can change these. Wireguard does not have a mechanism to restrict incoming access at the server side.

 

A possible solution is to use iptables (firewall), but this requires manual work and won't be stored permanently. Besides, iptables is not the most user-friendly firewall configuration out there.

 

Thanks, I figured it wouldn't work like that.

9 hours ago, bonienl said:

When the WAN IP address changes, your router needs to take care of it. WireGuard will follow automatically.

My router will take care of it, but I have it on a UPS, much like Unraid, so there will be no shutdown or reboot. So I assume, based on what you said, and if I understand correctly, WireGuard will monitor and automagically update should the WAN IP change, without the need for a reboot, restart etc., which is awesome sauce.

On 11/30/2019 at 1:58 PM, SupremeArmchair said:

I'm also having problems with the WireGuard plugin. I followed the instructions under quickstart, forwarded port 51820 on my router and set up my phone as my peer. However, I am unable to connect to WireGuard on my phone. Even on the same WiFi as my server, my phone will still not be able to connect to WireGuard. It seems unable to make a handshake with the server. WireGuard is on, the peer is set up with a QR code and "Remote to LAN". Has anyone had an issue like this?

Using an iOS phone I am having the same problem. Port forwarding seems to be working, as my Windows client is working. It's just the phone that has problems.


Not having any luck getting this to work at all.

 

I have 2 NICs. Bridging is enabled on both. I have VLANs enabled on eth1.

 

Anyway, long story short, it seems that Wireguard isn't listening on my server. Here's the output of lsof -i -P -n | grep UDP

 

rpcbind    2020    rpc    6u  IPv4    14656      0t0  UDP *:111
rpcbind    2020    rpc    8u  IPv6    14658      0t0  UDP *:111
rpc.statd  2025    rpc    5u  IPv4    13692      0t0  UDP 127.0.0.1:929
rpc.statd  2025    rpc    8u  IPv4    13695      0t0  UDP *:58404
rpc.statd  2025    rpc   10u  IPv6    13699      0t0  UDP *:44546
ntpd       2055    ntp   16u  IPv4    11914      0t0  UDP 127.0.0.1:123
ntpd       2055    ntp   17u  IPv6  9942089      0t0  UDP [fe80::8423:1eff:feb5:9a7b]:123
ntpd       2055    ntp   18u  IPv6    11918      0t0  UDP [::1]:123
ntpd       2055    ntp   19u  IPv4  9937148      0t0  UDP 10.100.0.133:123
avahi-dae  4448  avahi   14u  IPv4    21288      0t0  UDP *:5353
avahi-dae  4448  avahi   15u  IPv6    21289      0t0  UDP *:5353
avahi-dae  4448  avahi   16u  IPv4    21290      0t0  UDP *:46303
avahi-dae  4448  avahi   17u  IPv6    21291      0t0  UDP *:49977
dhcpcd    24541   root    0u  IPv4  9938170      0t0  UDP 10.100.0.133:68
dnsmasq   25171 nobody    3u  IPv4  9944874      0t0  UDP *:67
dnsmasq   25171 nobody    5u  IPv4  9944877      0t0  UDP 192.168.122.1:53
nmbd      25531   root   17u  IPv4  9942622      0t0  UDP *:137
nmbd      25531   root   18u  IPv4  9942623      0t0  UDP *:138
nmbd      25531   root   19u  IPv4  9942639      0t0  UDP 10.100.0.133:137
nmbd      25531   root   20u  IPv4  9942640      0t0  UDP 10.100.0.255:137
nmbd      25531   root   21u  IPv4  9942641      0t0  UDP 10.100.0.133:138
nmbd      25531   root   22u  IPv4  9942642      0t0  UDP 10.100.0.255:138
nmbd      25531   root   23u  IPv4  9942643      0t0  UDP 192.168.122.1:137
nmbd      25531   root   24u  IPv4  9942644      0t0  UDP 192.168.122.255:137
nmbd      25531   root   25u  IPv4  9942645      0t0  UDP 192.168.122.1:138
nmbd      25531   root   26u  IPv4  9942646      0t0  UDP 192.168.122.255:138
nmbd      25531   root   28u  IPv4  9968888      0t0  UDP 172.17.0.1:137
nmbd      25531   root   29u  IPv4  9968889      0t0  UDP 172.17.255.255:137
nmbd      25531   root   30u  IPv4  9968890      0t0  UDP 172.17.0.1:138
nmbd      25531   root   31u  IPv4  9968891      0t0  UDP 172.17.255.255:138
wsdd      25538   root    3u  IPv6  9939632      0t0  UDP *:3702

It seems UDP 51820 isn't listening at all.


Ran into a strange issue and fixed it today; not sure if anyone has reported this, but I couldn't find anything in a rudimentary search.

 

If you uninstall WG after having set up a connection, your wg0 interfaces remain and they cannot be deleted manually via the network settings/Unraid routing table GUI. You instead have to reinstall WG and then remove the config to correct it.

 

I think these routes should be removed once the plugin is uninstalled.

Edited by sirkuz

1 minute ago, sirkuz said:

Ran into a strange issue and fixed today, not sure if anyone has reported this but couldn't find anything in a rudimentary search.

Did you hit Submit too soon?

8 minutes ago, sirkuz said:

I think these routes should be removed once the plugin is uninstalled.

The plan is for this to become built in instead of a plugin.


So what is the verdict: can you use WireGuard if your Eth0/Eth1 is in a bond, or not (for "Remote to LAN" type connections)? I would rather not disable the bond, as I regularly go over a single 1Gb connection of bandwidth when doing backups on multiple nodes.

 

Thoughts?

 

My network connections today:

Eth0/Eth1 - bonded, bridging = false.

Eth2 - VM/Docker LAN connections, bridging=true

Eth3 - VM/Docker IoT connections, bridging=true

Edited by JasonJoel


Thank you very much for this, and especially for the excellent setup instructions.  Everything went super easy and smooth (once I realized I accidentally forwarded port 51280 instead of 51820).


Hi,

Can I also use this to connect my Unraid server to my already existing WireGuard network (on another, non-Unraid server)?

I tried it a little bit but it didn't do anything.


Excellent guide and it worked flawlessly, thank you.

 

My knowledge base is thin, so sorry if this question is naive: when active on a client (iPhone), is all traffic routed through WireGuard to the home LAN, thus encrypted and serving as a VPN for safe browsing on unsecured WiFi?

 

Or is it just a point-to-point tunnel that allows for encrypted access to addresses on the server's LAN?

 

Thanks!

 

1 hour ago, J.Nerdy said:

My knowledge base is thin, so sorry if this question is naive: when active on a client (iPhone), is all traffic routed through WireGuard to the home LAN, thus encrypted and serving as a VPN for safe browsing on unsecured WiFi?

 

Or is it just a point-to-point tunnel that allows for encrypted access to addresses on the server's LAN?

It depends on which "Peer type of access" you choose. "Remote tunneled access" pushes everything through the VPN tunnel; the others do split tunneling (where only the traffic destined for Unraid's network uses the VPN tunnel).

6 hours ago, Danny08 said:

Can I also use this to connect my Unraid server to my already existing WireGuard network (on another, non-Unraid server)?

yes

3 hours ago, ljm42 said:

yes

And... how?

I tried it like on every other server and it doesn't do anything, and I can't find logs.

8 hours ago, Danny08 said:

And... how?

It is unclear to me what you are trying to achieve.

If there is another server setting up a WG tunnel, then it might be as simple as setting routing for the Unraid server to the "external" WG tunnel, but this has nothing to do with the WG implementation on Unraid.

8 hours ago, Danny08 said:

And... how?

I tried it like on every other server and it doesn't do anything, and I can't find logs.

That is way beyond this guide and will require you to read up on WireGuard. The plugin takes care of all the details for you *if* it is managing the tunnel. If you are connecting to another tunnel that is not managed by Unraid, you will need to deal with setting up the private/public keys, assigning the IP address, determining the endpoint URLs, etc. All of this is WireGuard specific, nothing to do with the fact that the client is Unraid.

 

Once you have created a config file for the Unraid client that will connect to your other system, choose the "Import config" option in the plugin. I honestly haven't done that in a while so I don't recall the exact steps after that. But it should get you close.

 

There is really only one caveat that I can think of: Unraid will ignore any DNS server setting that is in the config file, so it is probably best to just leave that out. Everything else is standard WireGuard.

 

Note that everything mentioned in the second post still applies - troubleshooting is very difficult because wireguard fails silently. There are no helpful logs to look at. It works or it doesn't.


Fantastic, easy VPN.

I haven't seen such an easy VPN since LANCOM hardware "drag n' drop" VPN.

 

On 12/12/2019 at 5:35 PM, Psybernoid said:

It seems UDP 51820 isn't listening at all.

Use "wg" instead

root@vesta:/# wg
interface: wg0
  public key: +vmlfqmRg6XxRCo86Ynqzsobd4kN0HXZsq2bN13akCI=
  private key: (hidden)
  listening port: 51821
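Building on the `wg` output above and the earlier note that WireGuard fails silently, here is an added example (not from the plugin or anyone in this thread) that parses `wg show` output to confirm the listening port matches the port forwarded on the router and that each peer has completed a handshake. The sample output, key placeholders and addresses are constructed.

```shell
#!/bin/sh
# Added example, not from the Unraid plugin. Checks two things that break setups
# in this thread: the tunnel listens on a different port than the one forwarded
# on the router, and a peer never completes a handshake.
# Constructed sample of `wg show` output; on a live server use: wg show wg0
SAMPLE_WG_SHOW='interface: wg0
  public key: SERVERPUBKEYPLACEHOLDER=
  private key: (hidden)
  listening port: 51821

peer: PHONEPEERKEYPLACEHOLDER=
  endpoint: 203.0.113.10:41234
  allowed ips: 10.253.0.2/32
  latest handshake: 1 minute, 5 seconds ago
  transfer: 1.20 KiB received, 3.40 KiB sent

peer: LAPTOPPEERKEYPLACEHOLDER=
  allowed ips: 10.253.0.3/32'

# Port the tunnel is bound to (reads wg show output from stdin).
wg_listen_port() { awk -F': ' '/^  listening port:/ {print $2}'; }

# Succeeds only if the bound port equals the router-forwarded port $1.
wg_port_matches() {
    bound=$(wg_listen_port)
    [ -n "$bound" ] && [ "$bound" = "$1" ]
}

# Print "handshake" or "no-handshake" per peer, one per line. A peer that has
# never connected simply has no "latest handshake" line in its block.
wg_peer_handshakes() {
    awk '
        /^peer: / { if (inpeer) print (seen ? "handshake" : "no-handshake"); inpeer=1; seen=0 }
        /^  latest handshake:/ { seen=1 }
        END { if (inpeer) print (seen ? "handshake" : "no-handshake") }'
}

# Number of peers that have never completed a handshake.
wg_peers_without_handshake() { wg_peer_handshakes | awk '/^no-handshake$/ {n++} END {print n+0}'; }

# Demo with the constructed sample: router forwards 51820, tunnel is on 51821.
if printf '%s\n' "$SAMPLE_WG_SHOW" | wg_port_matches 51820; then
    echo "listening port matches forwarded port 51820"
else
    echo "listening port $(printf '%s\n' "$SAMPLE_WG_SHOW" | wg_listen_port) does not match forwarded port 51820"
fi
echo "peers without a handshake: $(printf '%s\n' "$SAMPLE_WG_SHOW" | wg_peers_without_handshake)"
```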

 

On 12/12/2019 at 8:54 PM, JasonJoel said:

So what is the verdict: can you use WireGuard if your Eth0/Eth1 is in a bond, or not (for "Remote to LAN" type connections)? I would rather not disable the bond, as I regularly go over a single 1Gb connection of bandwidth when doing backups on multiple nodes.

 

Thoughts?

 

My network connections today:

Eth0/Eth1 - bonded, bridging = false.

Eth2 - VM/Docker LAN connections, bridging=true

Eth3 - VM/Docker IoT connections, bridging=true

Yes, this works (I tested this using a bonded interface with 4 members)


I know that I'm missing something simple: when using remote tunneled access, I can hit my server and LAN without an issue, but the client cannot browse to addresses outside the LAN (internet). I thought maybe it was DNS resolution, but entering IP addresses for sites still times out. (I assume the server is routing all traffic when using tunneled access and sending it back to the client.)

 

Is there a configuration besides setting remote tunneled access that I will need to change?


Switch to "advanced view" and set "Local server uses NAT" = "Yes".

(If this setting is "No" you will need to add a static route on your router to point back to the WG tunnel)


My IP range is 192. and my VM firewall is in 172. When I connect I can access everything on 192., but how do I add the 172. range so my firewall is active as well?

 

Thanks

