tmchow Posted September 15, 2020
On 9/11/2020 at 10:34 AM, ljm42 said:
Reboot Unraid. If the problem persists, upload your diagnostics, maybe there will be a clue in the logs
Rebooted and having the same issue. Logs attached. @ljm42 any ideas?
Attachment: tower-diagnostics-20200914-2158.zip
Edited September 18, 2020 by tmchow

Dataone Posted October 15, 2020
Am I the only person having problems with this plugin resetting "PostUp" & "PostDown" rules within imported configuration files? If the tunnels aren't modified after importing, everything remains, but even updating IP or DNS entries results in any Post rules being cleared. If not, it would be great if there's an option to modify those rules within the GUI or at least an option to preserve any that are imported. In my opinion it's a pretty big issue as I require them to modify iptables entries. Cheers
Edited October 15, 2020 by Dataone

BKS Posted October 17, 2020
I installed this plugin via CA on my new unraid install. I set it up based on the blog post here. I created a peer with remote tunneled access and imported it into an Android client. I then enable the connection, but in the logs it shows handshake initiation timeouts and I'm unable to ping from unraid. The port is appropriately forwarded to the VPN endpoint from my router side of things. Not sure where to go from here for troubleshooting.

cA1pLPfENhOfT9pMGzu2 Posted October 18, 2020
Hello, I just finished setting up wireguard and am having one quirk: I have multiple docker containers that run on the host at different ports. One of them is tunneled through openVPN. When I turn the wireguard tunnel on, I can access unraid:port for the container (going through openvpn), but for some reason, all network traffic from the container through openvpn ceases. I have to turn wg off and down/up my container to get it to work again, but then I can't VPN into my network to use it. Has anyone run into this?
edit: figured it out: my peers were set to tunneled vpn, not remote to lan. Not sure why that took down my containers, but all good now.
Edited October 19, 2020 by cA1pLPfENhOfT9pMGzu2

Xaero Posted October 20, 2020
Is it possible to stop the Unraid WebUI from listening on Wireguard interfaces? For one, since I use SSL, clients that don't have access to the LAN can't see the dashboard anyway; for two, I'd like to be able to bind a dashboard docker to the HTTP port for clients that are connected via wireguard. Right now I believe the nginx server is bound to 0.0.0.0; I'd like to change that to the fixed IP, if possible.

Dataone Posted October 20, 2020
On 10/18/2020 at 3:56 AM, BKS said:
I installed this plugin via CA on my new unraid install. I set it up based on the blog post here. I create a peer with remote tunneled access and import it into a android client. I then enable the connection but on the logs it shows handshake initiation timeouts and I'm unable to ping from unraid. The port is appropriately forwarded to the VPN endpoint from my router side of things. Not sure where to go from here for troubleshooting.
Might be easier to determine what's wrong if you post a censored config file.

page3 Posted October 21, 2020
On 10/20/2020 at 2:55 AM, Dataone said:
Might be easier to determine what's wrong if you post a censored config file
Same problem, but iOS client. The handshake just keeps on retrying. I have a UniFi USG with the port forwarded as suggested in the blog. I do however have an upstream router (used as modem only) with its DMZ set to the UniFi USG. Any help appreciated.
Local server configuration:
[Interface]
#Unraid VPN
PrivateKey=***=
Address=10.253.0.1
ListenPort=51820
PostUp=logger -t wireguard 'Tunnel WireGuard-wg0 started'
PostUp=iptables -t nat -A POSTROUTING -s 10.253.0.0/24 -o br0 -j MASQUERADE
PostDown=logger -t wireguard 'Tunnel WireGuard-wg0 stopped'
PostDown=iptables -t nat -D POSTROUTING -s 10.253.0.0/24 -o br0 -j MASQUERADE
[Peer]
#Remote
PublicKey=****=
PresharedKey=****=
AllowedIPs=10.253.0.2
Remote peer configuration:
[Interface]
#Remote
PrivateKey=***=
Address=10.253.0.2/32
DNS=192.168.0.1
[Peer]
#Unraid VPN
PresharedKey=***=
PublicKey=***=
Endpoint=*.*.*.*:51820
AllowedIPs=10.253.0.1/32, 192.168.0.0/24

Michael Kaaber Posted October 22, 2020
Is it possible to set up a LAN to LAN WireGuard if one of the computers is behind a router that I don't have access to? I ask because my unraid server is in an office at a University, and I do not have access to the University router. I am using ZeroTier and that works okay, but because there isn't a 'direct' connection between my home and University computer, ZeroTier uses a relay/gateway that slows down the Internet speed.
Edited October 22, 2020 by Michael Kaaber

itimpi Posted October 22, 2020
12 hours ago, Michael Kaaber said:
Is it possible to setup a LAN to LAN WireGuard if one on the computer is behind a router that I don't have access to?
I would not expect the machine that is behind that router to be able to accept incoming connections (unless that router happens by chance to be set up so that incoming connections can be specified by the server using DNLA).

page3 Posted October 28, 2020
Anyone able to shed any light or offer any suggestions on my connectivity issue?

MammothJerk Posted October 30, 2020
I'm tunneled into my network from across the country and I'm having a weird issue trying to connect. I have 2 unraid servers on this local network, both set up with a separate tunnel connection because of this specific issue. When I'm connected to server1tunnel I cannot access the deluge thinclient connection on server1, but I CAN access the deluge thinclient connection on server2. Same thing when connected to server2tunnel: I cannot access the deluge thinclient connection on server2, but I CAN access it for server1. What is weird is that I can access the webUI from either of the tunnel connections; it's just the thinclient that does not work. I've also noticed that I cannot use the PiHole as DNS server if I am connected to server1tunnel, but I can use it when using the server2tunnel (pihole is set up on server1). I also have some weird server1 webUIs that do not work when I'm connected to the server1tunnel, like soulseek, pihole, and seemingly any docker using VNC, such as mkvtoolnix, krusader, etc. I'm having none of these problems when on location at the local network, so I must have something wrong with the tunnel setup. Any ideas?

Armeros Posted October 31, 2020
Is there a way to delete a tunnel from the addon? If I click on the Add Tunnel button, or Import tunnel, can I delete it later? Maybe modify some configuration files manually? If I delete the addon and re-install it, the settings are still there. Will the settings created using the addon still be active if I remove the addon? Maybe deleting files from /etc/wireguard? See: https://wiki.archlinux.org/index.php/WireGuard
Edited October 31, 2020 by Armeros

MammothJerk Posted October 31, 2020
1 hour ago, Armeros said:
Is there a way to delete a tunnel from the addon? If I click on Add Tunnel button, or Import tunnel, can I delete it later? maybe modify manually some configuration files? If I delete the addon and re-install it, the settings are still there. will the settings created using the addon still be active if I remove the addon? Maybe deleting files from /etc/wireguard? see: https://wiki.archlinux.org/index.php/WireGuard

yogy Posted November 5, 2020
I've read this thread and some others on the Wireguard topic and am still searching for a solution. I have port forwarding and a static route all set up on the router (Untangle). I can successfully connect with my Pixel3a mobile phone to the internet and I can also reach all devices on the 192.168.1.0/24 network and unRAID docker containers. When I connect with my Work laptop I have internet access but no access to devices on the 192.168.1.0/24 network and unRAID docker containers. Both devices are on the same "at work" network when establishing the VPN connection. What am I missing here? It doesn't make any sense to me.

ljm42 Posted November 5, 2020
2 hours ago, yogy said:
I can successfully connect with my Pixel3a mobile phone to the internet and I can also reach all devices on 192.168.1.0/24 network and unRAID docker containers. When I connect with my Work laptop I have internet access but no access to devices on 192.168.1.0/24 network and unRAID docker containers. Both devices are on the same "at work" network when establishing VPN connection. What am I missing here. It doesn't make any sense to me.
Just a guess, but perhaps your work laptop has software that prevents WireGuard from changing the DNS Server? You might try accessing your home network by IP address rather than by DNS name.

yogy Posted November 5, 2020
2 hours ago, ljm42 said:
Just a guess, but perhaps your work laptop has software that prevents WireGuard from changing the DNS Server?
I don't think so. No special software and / or settings on that laptop. It's actually my laptop, used also at work.
2 hours ago, ljm42 said:
You might try accessing your home network by IP address rather than by DNS name.
I did.

yogy Posted November 6, 2020
UPDATE to my previous post
On my "Work laptop" I now tried to establish a connection with the Access to LAN peer type of access and could connect to all devices in my 192.168.1.0/24 network including Pi-hole (192.168.1.15) which is on br0. In other words, Access to LAN works OK but Remote tunneled access only works partially (I get my "home" WAN IP but couldn't connect to any devices in my 192.168.1.0/24 LAN). Any thoughts or suggestions?

ljm42 Posted November 6, 2020
7 hours ago, yogy said:
UPDATE to my previous post On my "Work laptop" I now tried to establish a connection with Access to LAN peer type of access and could connect to all devices in my 192.168.1.0/24 network including Pi-hole (192.168.1.15) which is on br0. In other words Access to LAN works OK but Remote tunneled access only works partially (I get my "home" WAN IP but couldn't connect to any devices in my 192.168.1.0/24 LAN). Any thoughts or suggestions?
If you compare the two config files, the only difference should be the AllowedIPs line. "Remote Access To LAN" has an "AllowedIPs" line that looks something like this:
AllowedIPs=10.252.0.1/32, 192.168.10.0/24
where it allows the client to talk to the server in the VPN tunnel and the entire LAN. All other traffic uses the client's normal network path and does not go through the tunnel. "Remote tunneled access" sets AllowedIPs to this:
AllowedIPs=0.0.0.0/0
which means 100% of the client's traffic is routed through the tunnel. I can't think of a reason why "Remote tunneled access" wouldn't be able to access the LAN. Possibly DNS related, where it can't reach the DNS server you are trying to send it, but if that were the issue then accessing the LAN by IP should work fine. Have you set up static routes in your router? If you go to advanced mode you'll see a note that says something like this:
Remark: docker containers on custom networks need static routing <WG tunnel>/24 to <unraid's IP>
Regardless of whether you are using docker containers on custom networks, it wouldn't hurt to set up a static route so devices on the LAN know how to reach the tunnel.

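As an added example (not code from this thread, the Unraid plugin or the WireGuard project), a small Python parser for wg-quick style configs like the one page3 posted above: it keeps repeated PostUp/PostDown lines as lists instead of overwriting them, classifies a peer as "Remote tunneled access" (default route in AllowedIPs) or "Remote access to LAN" (split tunnel), and answers whether a given LAN IP would be sent into the tunnel at all. The embedded sample config is constructed; its keys and the Endpoint address are placeholders.

```python
import ipaddress
from collections import defaultdict

# Constructed sample modelled on the remote-peer config posted in the thread;
# keys and the Endpoint address are placeholders, not real values.
SAMPLE = """\
[Interface]
#Remote
PrivateKey=PLACEHOLDER=
Address=10.253.0.2/32
DNS=192.168.0.1
[Peer]
#Unraid VPN
PresharedKey=PLACEHOLDER=
PublicKey=PLACEHOLDER=
Endpoint=203.0.113.10:51820
AllowedIPs=10.253.0.1/32, 192.168.0.0/24
"""

def parse_wg(text):
    """Return [(section_name, {key: [values]})]. Values are lists so repeated
    keys such as several PostUp/PostDown lines are preserved, not overwritten."""
    sections = []
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = (line[1:-1], defaultdict(list))
            sections.append(current)
            continue
        key, _, value = line.partition("=")  # split on the first '=' only
        current[1][key.strip()].append(value.strip())
    return sections

def allowed_networks(peer):
    """Expand comma-separated AllowedIPs entries into ip_network objects."""
    nets = []
    for value in peer.get("AllowedIPs", []):
        for item in value.split(","):
            nets.append(ipaddress.ip_network(item.strip(), strict=False))
    return nets

def classify_peer(peer):
    """'tunneled' if a default route (0.0.0.0/0 or ::/0) is allowed, else 'lan'."""
    if any(n.prefixlen == 0 for n in allowed_networks(peer)):
        return "tunneled"
    return "lan"

def reaches(peer, host):
    """True if traffic to host would be sent into the tunnel by this peer."""
    addr = ipaddress.ip_address(host)
    return any(addr in n for n in allowed_networks(peer))
```

Running classify_peer and reaches against a client config before opening a ticket separates "the route is not in AllowedIPs" from the DNS and static-route problems discussed above.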
ljm42 Posted November 6, 2020
On 10/21/2020 at 10:05 AM, page3 said:
The handshake just keeps on retrying.
WireGuard fails silently. If there is no handshake then all you know is that the client isn't communicating with the server; you can't tell specifically what the problem is. You need to think through all the things that could be preventing the client from talking to the server. The second post in this thread has a list of things to check: https://forums.unraid.net/topic/84226-wireguard-quickstart/?tab=comments#comment-780249
On 10/21/2020 at 10:05 AM, page3 said:
I have a UniFi USG with port forwarded as suggested in the blog. I do however have an upstream router (used as modem only) with its DMZ set to the UniFi USG.
If none of the ideas above help, this could be the issue. Rather than put the UniFi in the DMZ, I would put the ISP's device in Bridge Mode. This completely disables the router functionality and truly makes it just a modem.

yogy Posted November 6, 2020
2 hours ago, ljm42 said:
If you compare the two config files, the only difference should be with the AllowedIPs line. "Remote Access To LAN" has an "AllowedIPs" line that looks something like this:
AllowedIPs=10.252.0.1/32, 192.168.10.0/24
Where it allows the client to talk to the server in the VPN tunnel and the entire LAN. All other traffic uses the client's normal network path and does not go through the tunnel. "Remote tunneled access" sets AllowedIPs to this:
AllowedIPs=0.0.0.0/0
which means 100% of the client's traffic is routed through the tunnel.
When I look at my config files they are exactly as you described.
2 hours ago, ljm42 said:
I can't think of a reason why "Remote tunneled access" wouldn't be able to access the LAN. Possibly DNS related, where it can't reach the DNS server you are trying to send it, but if that were the issue then accessing the LAN by IP should work fine. Have you setup static routes in your router? If you go to advanced mode you'll see a note that says something like this:
Remark: docker containers on custom networks need static routing <WG tunnel>/24 to <unraid's IP>
Regardless of whether you are using docker containers on custom networks, it wouldn't hurt to setup a static route so devices on the LAN know how to reach the tunnel.
Me neither. The strange thing is that with exactly the same configuration it works on my mobile phone but not on the laptop accessing the unRAID server from the same "work" network. The static route is set, also port forwarding. If it wasn't, the connection on my mobile phone wouldn't work. I appreciate your help though. Seems like I'll have to dig deeper.

Guns McWar Posted November 10, 2020
Just posting an issue (and solution) I ran into today. I haven't read through all 16 pages of this thread to see if anyone else has experienced this, so I apologize if this has been covered before. If my peer name has an ampersand (&) in it, my connection does not work. After removing the ampersand, my connection immediately started working again (using both the macOS and Android WireGuard clients). Hopefully this helps someone else who might be pulling their hair out while wondering why their VPN connection stopped/never worked.
Edited November 10, 2020 by Guns McWar

page3 Posted November 10, 2020
On 11/6/2020 at 5:00 PM, ljm42 said:
WireGuard fails silently. If there is no handshake then all you know is that the client isn't communicating with the server, you can't tell specifically what the problem is. You need to think through all the things that could be preventing the client from talking to the server. The second post in this thread has a list of things to check: https://forums.unraid.net/topic/84226-wireguard-quickstart/?tab=comments#comment-780249 If none of the ideas above help, this could be the issue. Rather than put the UniFi in the DMZ, I would put the ISP's device in Bridge Mode. This completely disables the router functionality and truly makes it just a modem.
Thanks for the suggestions. I went through the list but still no dice, I'm afraid. Unfortunately I really don't want to use bridge mode. It has caused problems with the UniFi USG router in the past, and since segregating the internet connection and routing, the set-up has been working flawlessly. Additionally my modem/router has to hold open a VPN to tunnel through CGNAT and provide a fixed IP address. Here in the UK our fixed internet is so poor I finally gave up and now use 4G exclusively, crazy as I'm only 25 miles outside the M25. Looks like I need to have yet another go, starting from scratch. It really should work.

yogy Posted November 10, 2020
On 11/6/2020 at 8:24 PM, yogy said:
The strange thing is that with exactly the same configuration it works on my mobile phone but not on the laptop accessing unRAID server from the same "work" network. Static route is set, also port forwarding. If it wasn't the connection on my mobile phone wouldn't work. I appreciate your help though. Seems like I'll have to dig deeper.
I FOUND A SOLUTION! Yes, I'm answering myself, but hopefully others will find this useful. If you are using the Wireguard VPN app for Windows OS and try to connect to unRAID using Remote tunneled access, here is a solution
This issue of broken local network routing appears to only happen in WireGuard for Windows.

Fedeöä Posted November 17, 2020
On 11/10/2020 at 6:11 PM, yogy said:
I FOUND A SOLUTION! yes, I'm answering to myself but hopefully others will find this useful. If you are using Wireguard VPN app for Windows OS and try to connect to unRAID using Remote tunneled access here is a solution This issue of broken local network routing appears to only happen in WireGuard for Windows.
You just saved my evening

bdydrp Posted November 19, 2020
I have been trying for ages now to set up WG to access my dockers on my VLAN. Local access works fine! I suspect it is something I'm missing in pfSense! Here are my unraid settings:
And pfSense settings:
Anyone see anything obvious I have missed? I've read through a number of threads and just can't pinpoint my issue. Thanks
Edited November 19, 2020 by bdydrp
