Dynamix WireGuard VPN


bonienl


On 4/14/2020 at 4:25 PM, SpuddyUK said:

Any ideas why the dashboard widget is showing an active tunnel when I disconnect many minutes beforehand? Android client. I even dropped my device into airplane mode to be sure it wasn't still connected somehow. Is there a way to get it more accurate or poll connection status quicker?

 

Thanks in advance, everything else is working perfectly!

 

image.png.5c69c40c4ef1b6e96f2be5d6cdef0b89.png

Did you get any answer to this? I have same issue. If it is an issue that is.

 

TIA!

Link to comment
On 4/14/2020 at 1:25 PM, SpuddyUK said:

Any ideas why the dashboard widget is showing an active tunnel when I disconnect many minutes beforehand? Android client. I even dropped my device into airplane mode to be sure it wasn't still connected somehow. Is there a way to get it more accurate or poll connection status quicker?

 

Thanks in advance, everything else is working perfectly!

 

image.png.5c69c40c4ef1b6e96f2be5d6cdef0b89.png

  

3 hours ago, Shomil Saini said:

Did you get any answer to this? I have same issue. If it is an issue that is.

 

TIA!

 

"Active" simply means the tunnel is enabled on the Unraid side, has nothing to do with whether someone is currently connected to it.
 

The "handshake" column shows that "Peer 1" last connected to tunnel WG0 7 minutes and 23 seconds ago.

 

If you no longer want the tunnel to be available for connections, go to Settings -> VPN Manager and change the "Active" slider for tunnel WG0 to "Inactive". If you want to "forget" the fact that "Peer 1" connected 7 minutes and 23 seconds ago but still keep the tunnel up, change the slider from Active to Inactive and then back to Active. That will clear the connection list.

 

 

Link to comment
On 6/21/2020 at 1:30 PM, ljm42 said:

  

 

"Active" simply means the tunnel is enabled on the Unraid side, has nothing to do with whether someone is currently connected to it.
 

The "handshake" column shows that "Peer 1" last connected to tunnel WG0 7 minutes and 23 seconds ago.

 

If you no longer want the tunnel to be available for connections, go to Settings -> VPN Manager and change the "Active" slider for tunnel WG0 to "Inactive". If you want to "forget" the fact that "Peer 1" connected 7 minutes and 23 seconds ago but still keep the tunnel up, change the slider from Active to Inactive and then back to Active. That will clear the connection list.

 

 

Thanks @ljm42, I completely understand your explanation. I think it is a wonderful add-on to have the widget on the Dashboard.

 

To me, however, the more relevant question is "Which device is currently connected and since how long?"

And a second follow-up to that is "If a device is disconnected, then when was it last connected?" - this is partly, vaguely answered by the current "Last Handshake Time" on the Dashboard, which is essentially the last connection initiation time.

 

If the Dashboard can be modified by me or developers to see this, then it will be more relevant, as I have provided access to friends & family as well.

 

Cheers! and Be Safe.

Link to comment
20 hours ago, Shomil Saini said:

Thanks @ljm42, I completely understand your explanation. I think it is a wonderful add-on to have the widget on the Dashboard.

 

To me, however, the more relevant question is "Which device is currently connected and since how long?"

And a second follow-up to that is "If a device is disconnected, then when was it last connected?" - this is partly, vaguely answered by the current "Last Handshake Time" on the Dashboard, which is essentially the last connection initiation time.

 

If the Dashboard can be modified by me or developers to see this, then it will be more relevant, as I have provided access to friends & family as well.

 

Cheers! and Be Safe.

The dashboard is simply formatting the output of the "wg show" command provided by WireGuard. wg does not provide a counter of "how long" a device was connected, probably because it is designed to let connections seamlessly drop and reconnect. It does show the amount of data that was transferred though. I guess WireGuard feels the length of time somebody was connected is less important than the amount of data they transferred.

Link to comment
1 hour ago, ljm42 said:

I guess WireGuard feels the length of time somebody was connected is less important

WireGuard is a stateless protocol, it doesn't maintain a connected or disconnected state, and hence can't keep time.

The "best" it can do is to show how long ago the last exchange took place (handshake).

 

Link to comment
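What "wg show" can and cannot say about a peer, as an added example that is not part of the original posts or the plugin's code: it reads the tab-separated output of `wg show <interface> dump` and labels each peer by the age of its latest handshake. The function names, the 180-second threshold and the sample data are assumptions made for this example.

```shell
#!/bin/sh
# Added example: classify WireGuard peers by the age of their latest handshake.
# Input format of `wg show <interface> dump` (tab-separated):
#   line 1 (interface): private-key, public-key, listen-port, fwmark
#   peer lines:         public-key, preshared-key, endpoint, allowed-ips,
#                       latest-handshake (epoch seconds, 0 = never),
#                       transfer-rx, transfer-tx, persistent-keepalive

# peer_status NOW [MAX_AGE] < dump
# Prints: <key prefix> <recent|stale|never> <age in seconds or -> <rx> <tx>
# "recent" is not "connected": WireGuard keeps no such state. MAX_AGE defaults
# to 180 s, a heuristic assumed here because a peer that is exchanging traffic
# performs a new handshake about every two minutes.
peer_status() {
    awk -F '\t' -v now="$1" -v max="${2:-180}" '
        NF != 8 { next }                 # skip the 4-field interface line
        {
            key = substr($1, 1, 8)       # short label taken from the public key
            if ($5 == 0) {
                print key, "never", "-", $6, $7
            } else {
                age = now - $5
                print key, (age <= max ? "recent" : "stale"), age, $6, $7
            }
        }'
}

# Constructed sample dump: every key, address and counter is a placeholder.
sample_dump() {
    printf '%s\t%s\t%s\t%s\n' \
        'PRIVATE_KEY_PLACEHOLDER' 'PUBLIC_KEY_PLACEHOLDER' '51820' 'off'
    printf '%s\t%s\t%s\t%s\t%s\t%s\t%s\t%s\n' \
        'peer1CONSTRUCTEDKEY=' '(none)' '203.0.113.7:40123' '10.253.0.2/32' \
        '1593000000' '52340' '918200' 'off'
    printf '%s\t%s\t%s\t%s\t%s\t%s\t%s\t%s\n' \
        'peer2CONSTRUCTEDKEY=' '(none)' '198.51.100.9:51000' '10.253.0.3/32' \
        '1593000400' '1024' '2048' '25'
    printf '%s\t%s\t%s\t%s\t%s\t%s\t%s\t%s\n' \
        'peer3CONSTRUCTEDKEY=' '(none)' '(none)' '10.253.0.4/32' \
        '0' '0' '0' 'off'
}

# "Now" is fixed so that peer 1 shows the 7 min 23 s (443 s) from the thread.
# Live use: wg show wg0 dump | peer_status "$(date +%s)"
sample_dump | peer_status 1593000443
```

On a live server the real dump needs root and carries the interface private key and any preshared keys, so pipe it straight into the parser rather than saving or logging it.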
2 hours ago, ljm42 said:

The dashboard is simply formatting the output of the "wg show" command provided by WireGuard. wg does not provide a counter of "how long" a device was connected, probably because it is designed to let connections seamlessly drop and reconnect. It does show the amount of data that was transferred though. I guess WireGuard feels the length of time somebody was connected is less important than the amount of data they transferred.

 

1 hour ago, bonienl said:

WireGuard is a stateless protocol, it doesn't maintain a connected or disconnected state, and hence can't keep time.

The "best" it can do is to show how long ago the last exchange took place (handshake).

 

Thanks for explaining guys. It makes much more sense to me now. I can understand the limitations of WireGuard.

 

Cheers! 🍻

Link to comment
  • 2 weeks later...

Hey :)

 

I've been playing with the plugin and came across limiting the peer devices' access to my local networks.

It's nice to have a "Local tunnel firewall" option to give access to just specific IP addresses.

But is there a simple way via the plugin to limit that access even more ?

e.g.

Local tunnel network pool devices can only connect to local ip with port x

Link to comment
1 hour ago, Alex.b said:

Hello, I misclicked and added a second tunnel. How can I delete it? Thank you 😃

There should be a "Delete Tunnel" Button in the lower right corner, after you have enabled advanced view..? :)

Link to comment
  • 2 weeks later...

Hi all,

 

I have to say I like this tool so far. It seems easy to set up.

 

I have one question though, and it may be WireGuard itself... When setting up a Server to Server link you need to specify a Peer Endpoint; however, the one I am trying to use is on home broadband and therefore dynamic. I would like to use an FQDN (i.e. DuckDNS); however, it will not accept anything but a proper IP.

 

Do you know if this is a limitation, a bug or even if there is a work around ?

 

Thanks

 

Terran

Link to comment

There is no problem using a dynamic dns entry for a client to server link so I am not sure why there should be a limitation on the server to server link.  I must admit I have not tried it myself though.   Perhaps there is some confusion between the address seen externally to your home LAN and the one seen internally after the WireGuard link has been established?

Link to comment

I have the problem that I can't activate a VPN tunnel if I add an IP under "Local tunnel firewall:" (Allow/Deny doesn't make a difference).

If I leave this field clear, the tunnel starts as normal. I attached a screenshot (the "IP" is obviously faked).

Is this a known problem?

urWG1.PNG

Link to comment
On 7/18/2020 at 9:40 AM, alael said:

1) When setting the peer to VPN Tunnelled access, the UI bugs out in 2 ways.

One bug resides in the fact that the peer endpoint becomes mandatory.

Another bug is that if that operation mode is selected you cannot generate any config by clicking on the little "eye" icon. (How is one supposed to use it then?)

VPN Tunneled mode is for connecting to a commercial VPN provider. A peer endpoint (the commercial provider) is required. And there is need to generate a config, that is done by the commercial provider.

 

See this post for more details about using VPN Tunneled mode:

 

On 7/18/2020 at 9:40 AM, alael said:

2) Sometimes when saving settings, you set a certain endpoint for the tunnel with its port, you click apply, the page reloads and the field is empty again for no specific reason. This sometimes happens even with peer settings: you set something, click apply, and then those settings disappear.

I'm guessing you are trying to do something that is invalid for VPN Tunneled mode.

 

Maybe you need to choose a different access type for what you are trying to do? You can turn on help in the Unraid gui, or perhaps this post will point you in the right direction:

 

 

Link to comment
23 hours ago, PvD said:

I have the problem that I can't activate a VPN tunnel if I add an IP under "Local tunnel firewall:" (Allow/Deny doesn't make a difference).

If I leave this field clear, the tunnel starts as normal. I attached a screenshot (the "IP" is obviously faked).

Is this a known problem?

I don't normally use the firewall feature, but I just tested it with "Rule: Deny" and "192.168.10.188/32" and it did what it was supposed to do. I tried with "192.168.10.188" (no "/32") and it worked correctly too.

 

Since you are saying the tunnel won't start, there may be a clue in your syslog. To make it easy to find, first remove the problematic setting and start the tunnel, just to prove that it works. Then add the firewall IP back and restart the tunnel showing it fails.  Then go to Tools -> Diagnostics and download the zip file, then upload the zip file to your next post.

Link to comment
23 hours ago, ljm42 said:

I don't normally use the firewall feature, but I just tested it with "Rule: Deny" and "192.168.10.188/32" and it did what it was supposed to do. I tried with "192.168.10.188" (no "/32") and it worked correctly too.

 

Since you are saying the tunnel won't start, there may be a clue in your syslog. To make it easy to find, first remove the problematic setting and start the tunnel, just to prove that it works. Then add the firewall IP back and restart the tunnel showing it fails.  Then go to Tools -> Diagnostics and download the zip file, then upload the zip file to your next post.

Thank you for your help. Attached is the Diagnostics Zip.

pvd-unraid-diagnostics-20200729-2214.zip

Link to comment
1 hour ago, PvD said:

Thank you for your help. Attached is the Diagnostics Zip.

According to the syslog, the tunnel was started, then stopped, then started again:

Jul 29 22:14:10 PvD-Unraid wireguard: Tunnel WireGuard-wg1 started
### [PREVIOUS LINE REPEATED 1 TIMES] ###
Jul 29 22:14:28 PvD-Unraid wireguard: Tunnel WireGuard-wg1 stopped
Jul 29 22:14:29 PvD-Unraid wireguard: Tunnel WireGuard-wg1 started

 

So it looks like it is working correctly? Can you restate the problem? What went wrong with the final time it was started at 22:14:29?

Link to comment

I tried following the tutorial on the blog (https://unraid.net/blog/wireguard-on-unraid).

 

I am able to connect to my VPN, however, I lose my internet connection and cannot connect to the server or any other computer on the lan.

 

Also, I tend to access my unraid dashboard by going to domain.local, but when I'm connected via VPN, how should I connect to my dashboard? Should domain.local still work? Or do I have to connect to it via IP? Am I supposed to use my internal IP address? or the new IP address range that is being assigned via VPN? (I tried both, but nothing is working -- which is why I'm posting about this in the first place).

 

Attached is an image of my settings (domain name replaced). And I have the port forwarded in my router.

 

Can someone help me figure out what's going on? This is my first time trying to use WireGuard. I usually use a commercial VPN solution without issues.

image.png

Link to comment
21 hours ago, ljm42 said:

According to the syslog, the tunnel was started, then stopped, then started again:


Jul 29 22:14:10 PvD-Unraid wireguard: Tunnel WireGuard-wg1 started
### [PREVIOUS LINE REPEATED 1 TIMES] ###
Jul 29 22:14:28 PvD-Unraid wireguard: Tunnel WireGuard-wg1 stopped
Jul 29 22:14:29 PvD-Unraid wireguard: Tunnel WireGuard-wg1 started

 

So it looks like it is working correctly? Can you restate the problem? What went wrong with the final time it was started at 22:14:29?

I made a short video which hopefully shows my problem. The syslog shows the start of the tunnel, but the Dashboard shows "Inactive" as the state and the switch won't accept the new state. Is there a way to start a tunnel with the help of a console command, or is there another log file with more information?
 

 

Link to comment

The video is super helpful, thanks.

 

Are you sure you are trying to block the right IP address?  Your diagnostics show that Unraid has an IP of "192.168.0.10", why are you trying to block "192.168.10.188"? Perhaps you mean to block "192.168.0.188"?

Link to comment
17 hours ago, HoLyCoW said:

I tried following the tutorial on the blog (https://unraid.net/blog/wireguard-on-unraid).

Please follow the quick start guide in the first two posts of this thread:

It contains a lot more information than the blog post.

 

17 hours ago, HoLyCoW said:

Also, I tend to access my unraid dashboard by going to domain.local, but when I'm connected via VPN, how should I connect to my dashboard? Should domain.local still work? Or do I have to connect to it via IP? Am I supposed to use my internal IP address? or the new IP address range that is being assigned via VPN? (I tried both, but nothing is working -- which is why I'm posting about this in the first place).

Try connecting using Unraid's normal IP address. If the browser fails while connecting to that IP address, then your connection isn't working yet, see the troubleshooting section of the guide.

 

If it fails after trying to redirect to "domain.local" then the problem is DNS. Getting "domain.local" to work from a remote (non-local) network is tough. You may have luck specifying your router's IP in the "peer dns" setting, but the better solution is to use a real domain name that any DNS server can resolve. i.e. use Unraid's built-in certificate so you get an xxxxxxx.unraid.net hostname that resolves to your internal IP address.

Link to comment

Yes, I block the right IP. I want to block 192.168.0.114 (I tried other IP addresses too, no difference).
I think the 192.168.10.188 is the IP from your post earlier, if I am not completely wrong(?).

192.168.0.1 is my Router
192.168.0.10 Unraid Server
192.168.0.114 IP to block

Link to comment
