Dynamix WireGuard VPN


bonienl


20 minutes ago, xorinzor said:

Interesting, though you can kinda confirm it by checking the output of

netstat -atunl | grep 51820

udp        0      0 0.0.0.0:51820           0.0.0.0:*
udp6       0      0 :::51820                :::*

I'm also going to reboot my Unifi Gateway as it's doing a couple strange things.

42 minutes ago, xorinzor said:

the blurred local endpoint, just to make sure, isn't set to Unraids local IP, but your external IP. Correct? In which case, did your external IP perhaps change?

Good point.

This is either your external (public) IP address or a resolvable name. Make sure this is still correct, i.e. update it if your router has changed its external address.

Just now, bonienl said:

Good point.

This is either your external (public) IP address or a resolvable name. Make sure this is still correct, i.e. update it if your router has changed its external address.

This hasn't changed, and I can confirm it is working as I'm tunneled into my network through a VM right now. I just have the FQDN in there right now.


Can you connect from the local network to the server?

This would further narrow down whether it's related to the port forwarding or something else.

EDIT: Can you also put a screenshot of your routing table here? (viewable at /Settings/NetworkSettings)

Edited by xorinzor
5 minutes ago, musicking said:

Tried a different tunnel on a different port, removed the config and plugin completely and then reconfigured everything from scratch, still no go :(

Another route you may want to try.

Enable UPnP on your router and Unraid server. Remove the static port forwarding entries in your router.

With UPnP enabled Unraid should see (and report in the GUI) what the router is doing as port forwarding.


I will have to test shutting down eth1 and eth0 when I get home, don't want to via SSH in case I get disconnected.


I am having 0 port forwarding issues with my other rules, so it would be strange if UPNP fixed the issue. I might try it though, just for the reporting. I wasn't able to see any issues in the logs when I checked my port forwarding logs

6 minutes ago, musicking said:

I will have to test shutting down eth1 and eth0 when I get home, don't want to via SSH in case I get disconnected.


I am having 0 port forwarding issues with my other rules, so it would be strange if UPNP fixed the issue. I might try it though, just for the reporting. I wasn't able to see any issues in the logs when I checked my port forwarding logs

What output do you get on the command below?

sysctl -a | grep -e "ipv4.ip_" -e "wg0"

Don't be surprised, the output is quite a lot ;)

Edited by xorinzor
4 minutes ago, xorinzor said:

sysctl -a | grep -e "ipv4.ip_" -e "wg0"

net.ipv4.conf.wg0.accept_local = 0
net.ipv4.conf.wg0.accept_redirects = 1
net.ipv4.conf.wg0.accept_source_route = 1
net.ipv4.conf.wg0.arp_accept = 0
net.ipv4.conf.wg0.arp_announce = 0
net.ipv4.conf.wg0.arp_filter = 0
net.ipv4.conf.wg0.arp_ignore = 0
net.ipv4.conf.wg0.arp_notify = 0
net.ipv4.conf.wg0.bc_forwarding = 0
net.ipv4.conf.wg0.bootp_relay = 0
net.ipv4.conf.wg0.disable_policy = 0
net.ipv4.conf.wg0.disable_xfrm = 0
net.ipv4.conf.wg0.drop_gratuitous_arp = 0
net.ipv4.conf.wg0.drop_unicast_in_l2_multicast = 0
net.ipv4.conf.wg0.force_igmp_version = 0
net.ipv4.conf.wg0.forwarding = 1
net.ipv4.conf.wg0.igmpv2_unsolicited_report_interval = 10000
net.ipv4.conf.wg0.igmpv3_unsolicited_report_interval = 1000
net.ipv4.conf.wg0.ignore_routes_with_linkdown = 0
net.ipv4.conf.wg0.log_martians = 0
net.ipv4.conf.wg0.mc_forwarding = 0
net.ipv4.conf.wg0.medium_id = 0
net.ipv4.conf.wg0.promote_secondaries = 0
net.ipv4.conf.wg0.proxy_arp = 0
net.ipv4.conf.wg0.proxy_arp_pvlan = 0
net.ipv4.conf.wg0.route_localnet = 0
net.ipv4.conf.wg0.rp_filter = 0
net.ipv4.conf.wg0.secure_redirects = 1
net.ipv4.conf.wg0.send_redirects = 0
net.ipv4.conf.wg0.shared_media = 1
net.ipv4.conf.wg0.src_valid_mark = 0
net.ipv4.conf.wg0.tag = 0
net.ipv4.ip_default_ttl = 64
net.ipv4.ip_dynaddr = 0
net.ipv4.ip_early_demux = 1
net.ipv4.ip_forward = 1
net.ipv4.ip_forward_update_priority = 1
net.ipv4.ip_forward_use_pmtu = 0
net.ipv4.ip_local_port_range = 32768    60999
net.ipv4.ip_local_reserved_ports =
net.ipv4.ip_no_pmtu_disc = 0
net.ipv4.ip_nonlocal_bind = 0
net.ipv4.ip_unprivileged_port_start = 1024
net.ipv4.neigh.wg0.anycast_delay = 100
net.ipv4.neigh.wg0.app_solicit = 0
net.ipv4.neigh.wg0.base_reachable_time_ms = 30000
net.ipv4.neigh.wg0.delay_first_probe_time = 5
net.ipv4.neigh.wg0.gc_stale_time = 60
net.ipv4.neigh.wg0.locktime = 100
net.ipv4.neigh.wg0.mcast_resolicit = 0
net.ipv4.neigh.wg0.mcast_solicit = 3
net.ipv4.neigh.wg0.proxy_delay = 80
net.ipv4.neigh.wg0.proxy_qlen = 64
net.ipv4.neigh.wg0.retrans_time_ms = 1000
net.ipv4.neigh.wg0.ucast_solicit = 3
net.ipv4.neigh.wg0.unres_qlen = 101
net.ipv4.neigh.wg0.unres_qlen_bytes = 212992
net.ipv6.conf.wg0.accept_dad = -1
net.ipv6.conf.wg0.accept_ra = 1
net.ipv6.conf.wg0.accept_ra_defrtr = 1
net.ipv6.conf.wg0.accept_ra_from_local = 0
net.ipv6.conf.wg0.accept_ra_min_hop_limit = 1
net.ipv6.conf.wg0.accept_ra_mtu = 1
net.ipv6.conf.wg0.accept_ra_pinfo = 1
net.ipv6.conf.wg0.accept_redirects = 1
net.ipv6.conf.wg0.accept_source_route = 0
net.ipv6.conf.wg0.addr_gen_mode = 1
net.ipv6.conf.wg0.autoconf = 1
net.ipv6.conf.wg0.dad_transmits = 1
net.ipv6.conf.wg0.disable_ipv6 = 0
net.ipv6.conf.wg0.disable_policy = 0
net.ipv6.conf.wg0.drop_unicast_in_l2_multicast = 0
net.ipv6.conf.wg0.drop_unsolicited_na = 0
net.ipv6.conf.wg0.enhanced_dad = 1
net.ipv6.conf.wg0.force_mld_version = 0
net.ipv6.conf.wg0.force_tllao = 0
net.ipv6.conf.wg0.forwarding = 0
net.ipv6.conf.wg0.hop_limit = 64
net.ipv6.conf.wg0.ignore_routes_with_linkdown = 0
net.ipv6.conf.wg0.keep_addr_on_down = 0
net.ipv6.conf.wg0.max_addresses = 16
net.ipv6.conf.wg0.max_desync_factor = 600
net.ipv6.conf.wg0.mldv1_unsolicited_report_interval = 10000
net.ipv6.conf.wg0.mldv2_unsolicited_report_interval = 1000
net.ipv6.conf.wg0.mtu = 1420
net.ipv6.conf.wg0.ndisc_notify = 0
net.ipv6.conf.wg0.ndisc_tclass = 0
net.ipv6.conf.wg0.proxy_ndp = 0
net.ipv6.conf.wg0.regen_max_retry = 3
net.ipv6.conf.wg0.router_solicitation_delay = 1
net.ipv6.conf.wg0.router_solicitation_interval = 4
net.ipv6.conf.wg0.router_solicitation_max_interval = 3600
net.ipv6.conf.wg0.router_solicitations = -1
net.ipv6.conf.wg0.seg6_enabled = 0
net.ipv6.conf.wg0.suppress_frag_ndisc = 1
net.ipv6.conf.wg0.temp_prefered_lft = 86400
net.ipv6.conf.wg0.temp_valid_lft = 604800
net.ipv6.conf.wg0.use_oif_addrs_only = 0
net.ipv6.conf.wg0.use_tempaddr = -1
net.ipv6.neigh.wg0.anycast_delay = 100
net.ipv6.neigh.wg0.app_solicit = 0
net.ipv6.neigh.wg0.base_reachable_time_ms = 30000
net.ipv6.neigh.wg0.delay_first_probe_time = 5
net.ipv6.neigh.wg0.gc_stale_time = 60
net.ipv6.neigh.wg0.locktime = 0
net.ipv6.neigh.wg0.mcast_resolicit = 0
net.ipv6.neigh.wg0.mcast_solicit = 3
net.ipv6.neigh.wg0.proxy_delay = 80
net.ipv6.neigh.wg0.proxy_qlen = 64
net.ipv6.neigh.wg0.retrans_time_ms = 1000
net.ipv6.neigh.wg0.ucast_solicit = 3
net.ipv6.neigh.wg0.unres_qlen = 101
net.ipv6.neigh.wg0.unres_qlen_bytes = 212992


I don't think it's the router, I see the router logs passing the connection using the port forwarding rule...but then nothing.

Edit: What is strange is the WireGuard clients appear to connect just fine (no issue in the log). I'm not seeing anything connected via Unraid though (no handshake). I tried locally through a VM and it appears to work, but no updated handshake in Unraid.

More Edits: Son of a B*tch....handshake just updated in the Plugin page and it's working. I have no idea what the "fix" was. This will forever bug me now that I don't know why it started working.

Also, thank you everyone, you are all awesome for helping me.

Edited by musicking
More Info

Just built an unRAID server. It's been running fine for about a month. I have a tunnel set up and 5 clients/peers. WireGuard works great...until I reboot the server. It was autostarting just fine, but even with autostart ticked on, the tunnel no longer starts. I was on 6.8.2 when I noticed it not autostarting. I downgraded back to 6.8.1 and the issue still persists. I've toggled autostart and I can see that the autostart file in the config folder on the flash drive gets updated with wg0 and all the correct config files are there, but it just will not autostart anymore. I even created a second tunnel just to test with and it autostarts just fine. Do I just need to blow away wg0 and recreate it, or is there something else I can try?

Also I see an import tunnel button, but how do I export one? Do I just grab the wg0.conf file off the flash drive?

Thanks!


Autostart should work, it sounds like something got corrupted in your configuration file. Try

wg-quick up wg0

And post the result.


1 hour ago, cbf305 said:

Also I see an import tunnel button, but how do I export one?

Click on the "eye" icon of the tunnel and choose download (or read the QR code)


Here are the results:

root@unRAID:~# wg-quick up wg0
[#] ip link add wg0 type wireguard
[#] wg setconf wg0 /dev/fd/63
[#] ip -4 address add 10.100.100.1 dev wg0
[#] ip link set mtu 1420 up dev wg0
[#] ip -4 route add 10.100.100.7/32 dev wg0
[#] ip -4 route add 10.100.100.6/32 dev wg0
[#] ip -4 route add 10.100.100.5/32 dev wg0
[#] ip -4 route add 10.100.100.4/32 dev wg0
[#] ip -4 route add 10.100.100.3/32 dev wg0
[#] ip -4 route add 10.100.100.2/32 dev wg0
[#] ip -4 route add 10.37.2.0/24 dev wg0
[#] ip -4 route add 10.37.150.0/24 dev wg0
[#] logger -t wireguard 'Tunnel WireGuard-wg0 started'
[#] iptables -t nat -A POSTROUTING -s 10.100.100.0/24 -o br0 -j MASQUERADE

Thanks for the tip about the download button.  On my screen those two buttons are just off the bottom edge of the pop-up window, but I can see all the clients so I never had the need to scroll down 😛


FWIW, the wg0 appears to operate normally when it's up.  My laptop and phone can get in and get to my stuff whenever I am out of the house.


Yes.  With Autostart toggled off, the autostart file in:

/boot/config/wireguard/

is empty.  When I toggle on Autostart in the web UI, that same file now contains:

wg0 

In the file I also see that there is a trailing space and no CR.  I'm not sure if that is how it's supposed to be, but wanted to note it.  If I reboot with Autostart toggled on the tunnel does not activate until I go to the web UI and manually toggle Inactive to on.


When I manually brought up the tunnel with wg-quick and refreshed the web UI, the tunnel then displayed Active with the toggle on.

56 minutes ago, cbf305 said:

If I reboot with Autostart toggled on the tunnel does not activate until I go to the web UI and manually toggle Inactive to on.

I cannot reproduce your situation.

I created a tunnel WG0 with a remote peer, activated it and switched autostart on.

After a reboot the tunnel is active again, like it was before rebooting the system.

Since you don't get any error message when manually activating the tunnel, it should work too after a reboot, which my own testing confirms.

I don't know what is going wrong for you.

Can you post diagnostics after rebooting your system?

Edited by bonienl
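The checks the thread relies on, written up as a small script. This is an added example, not part of the Dynamix plugin or of any post above: it looks for a UDP listener on the WireGuard port in `netstat -atunl` output, normalises the plugin's autostart file (the trailing space and missing newline noted above are tolerated), and lists peers with no recent handshake from `wg show wg0 latest-handshakes`. The function names, the 180-second staleness threshold and the placeholder peer keys are my own assumptions.

```shell
#!/bin/sh
# Added example (not part of the Dynamix plugin or of any post in this thread).
# Three checks from the thread written as functions over captured text, so they
# can be run against saved output as well as live on the server.

# 1. Is there a UDP listener on the WireGuard port in `netstat -atunl` output?
#    Usage: port_listening <port> "<netstat output>"; returns 0 if found.
port_listening() {
    printf '%s\n' "$2" | grep -Eq "^udp6?[[:space:]].*[:.]$1[[:space:]]"
}

# 2. Normalise the contents of /boot/config/wireguard/autostart (written as
#    "wg0 " with a trailing space and no newline) to one tunnel name per line.
#    Usage: autostart_tunnels "<file contents>"
autostart_tunnels() {
    printf '%s' "$1" | awk '{ for (i = 1; i <= NF; i++) print $i }'
}

# 3. From `wg show wg0 latest-handshakes` output (public key, tab, epoch
#    seconds, 0 meaning never), print the keys of peers whose last handshake
#    is older than MAX_AGE seconds. WireGuard re-handshakes about every two
#    minutes while traffic flows, so a peer silent for 180 s is not currently
#    exchanging data with the server (assumed threshold, adjust as needed).
#    Usage: stale_peers <now_epoch> <max_age> "<latest-handshakes output>"
stale_peers() {
    printf '%s\n' "$3" | awk -v now="$1" -v max="$2" \
        'NF == 2 && ($2 == 0 || now - $2 > max) { print $1 }'
}

# Live run on the Unraid box; skipped where the tools are absent.
if command -v wg >/dev/null 2>&1 && command -v netstat >/dev/null 2>&1; then
    if port_listening 51820 "$(netstat -atunl)"; then
        echo "OK: UDP 51820 is listening"
    else
        echo "WARNING: nothing listening on UDP 51820"
    fi
    echo "autostart tunnels:"
    autostart_tunnels "$(cat /boot/config/wireguard/autostart 2>/dev/null)"
    stale_peers "$(date +%s)" 180 "$(wg show wg0 latest-handshakes)" \
        | sed 's/^/WARNING: no recent handshake from peer /'
fi
```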

I'm having issues with transfer speeds through the tunnel. I'm not sure if my problem fits in the scope of this topic. My apologies if it doesn't.

I've been using iperf to test the speeds through my tunnel and at best I'm only getting maybe 2 Mbits. Here is my setup and what I have done to troubleshoot. I'm just wondering if anyone has any other ideas.

I have a 500/50 internet connection using an older Motorola SB6141.

I was using a TP-Link Archer C2 AC750 but replaced it last night with a Netgear R6260 AC1600.

The router has two switches connected. Switch 1 is an unmanaged Cisco (don't recall the model). Switch 2 is a Ubiquiti EdgeMAX. Both are gigabit.

All devices capable of gigabit are running at gigabit. This includes all devices used for testing with iperf.

Also, all home network computers can get 250-300 Mbps through my internet connection (limits of the SB6141) and also achieve near 1 Gbps with iperf.

I also checked iperf on 2 PCs connected to both switches (switch 1 through router hub to switch 2).

I was actually hoping WireGuard in my Unraid server would have solved my slow tunnel speeds, but it hasn't.

Tunnels are only used to access my home LAN.

I first had an RPi running PiVPN. The RPi is in switch 2. I ran an iperf server on both the RPi and another Win7 PC in the same switch. Both resulted in slow speeds through the tunnel. I have an nginx reverse proxy set up on the RPi, and if I use it for an iperf test I can achieve 40-50 Mbits.

I thought maybe it was my RPi (RPi 3B+) running OpenVPN and not having enough horsepower, so I set up a test Ubuntu server and ran PiVPN on it. Still got the same slow tunnel speeds. So I tried an L2TP/IPsec VPN on both the RPi and Ubuntu servers. Still the same slow tunnel speeds.

At a loss and planning an Unraid server, I noticed WireGuard support and built my server last weekend. Got WireGuard set up and ran an iperf test. Same slow speeds. I ran iperf tests through WireGuard to iperf servers running on devices connected to both switches. All tested at about 2 Mbits.

My Unraid server shows a gigabit network connection and file transfers across my home network (traversing both switches) are achieving 40-50 Mbits or faster. The server can achieve 250-300 Mbps internet speeds.

As a last resort I replaced my old TP-Link router with a Netgear R6260 last night. Ran some iperf tests this morning and I'm still getting 2 Mbits. The only thing left I can think of is maybe my old SB6141. I have an Arris SB6183 that I'm getting ready to install, but I wanted to see if anyone had any other ideas or suggestions.

Again, my apologies if this isn't within the scope of this topic.

Edit. Just to add, I just tried using the OpenVPN built in to the Netgear router and I still only get 2 Mbits.

Edited by lviperz
add a test result
