Dynamix WireGuard VPN


bonienl


Am I the only person having problems with this plugin resetting "PostUp" & "PostDown" rules within imported configuration files? If the tunnels aren't modified after importing everything remains, but even updating IP or DNS entries results in any Post rules being cleared.

 

If not, it would be great if there were an option to modify those rules within the GUI, or at least an option to preserve any that are imported. In my opinion it's a pretty big issue, as I require them to modify iptables entries.

 

Cheers

Edited by Dataone

I installed this plugin via CA on my new unraid install. I set it up based on the blog post here. I created a peer with remote tunneled access and imported it into an Android client. I then enabled the connection, but the logs show handshake initiation timeouts and I'm unable to ping from unraid. The port is appropriately forwarded to the VPN endpoint from my router side of things. Not sure where to go from here for troubleshooting.


Hello,

I just finished setting up wireguard and am having one quirk:

I have multiple docker containers that run on the host on different ports. One of them is tunneled through OpenVPN. When I turn the WireGuard tunnel on, I can access unraid:port for the container (going through OpenVPN), but for some reason all network traffic from the container through OpenVPN ceases. I have to turn wg off and down/up my container to get it to work again, but then I can't VPN into my network to use it. Has anyone run into this?

 

edit: figured it out: my peers were set to tunneled VPN, not remote to LAN. Not sure why that took down my containers, but all good now.

Edited by cA1pLPfENhOfT9pMGzu2

Is it possible to stop the Unraid WebUI from listening on Wireguard interfaces? For one, since I use SSL - clients that don't have access to the LAN can't see the dashboard anyways; for two I'd like to be able to bind a dashboard docker to the HTTP port for clients that are connected via wireguard. Right now I believe the nginx server is bound to 0.0.0.0 - I'd like to change that to the fixed IP, if possible.

On 10/18/2020 at 3:56 AM, BKS said:

I installed this plugin via CA on my new unraid install. I set it up based on the blog post here. I created a peer with remote tunneled access and imported it into an Android client. I then enabled the connection, but the logs show handshake initiation timeouts and I'm unable to ping from unraid. The port is appropriately forwarded to the VPN endpoint from my router side of things. Not sure where to go from here for troubleshooting.

Might be easier to determine what's wrong if you post a censored config file

On 10/20/2020 at 2:55 AM, Dataone said:

Might be easier to determine what's wrong if you post a censored config file

Same problem, but iOS client. The handshake just keeps on retrying. I have a UniFi USG with port forwarded as suggested in the blog. I do however have an upstream router (used as modem only) with its DMZ set to the UniFi USG.

 

Any help appreciated :)

 

Local server configuration

  [Interface]
  #Unraid VPN
  PrivateKey=***=
  Address=10.253.0.1
  ListenPort=51820
  PostUp=logger -t wireguard 'Tunnel WireGuard-wg0 started'
  PostUp=iptables -t nat -A POSTROUTING -s 10.253.0.0/24 -o br0 -j MASQUERADE
  PostDown=logger -t wireguard 'Tunnel WireGuard-wg0 stopped'
  PostDown=iptables -t nat -D POSTROUTING -s 10.253.0.0/24 -o br0 -j MASQUERADE

  [Peer]
  #Remote
  PublicKey=****=
  PresharedKey=****=
  AllowedIPs=10.253.0.2

Remote peer configuration

  [Interface]
  #Remote
  PrivateKey=***=
  Address=10.253.0.2/32
  DNS=192.168.0.1

  [Peer]
  #Unraid VPN
  PresharedKey=***=
  PublicKey=***=
  Endpoint=*.*.*.*:51820
  AllowedIPs=10.253.0.1/32, 192.168.0.0/24


Is it possible to set up a LAN-to-LAN WireGuard tunnel if one of the computers is behind a router that I don't have access to?

 

I ask because my unraid server is in an office at a University - and I do not have access to the University router.

 

I am using ZeroTier and that works okay, but because there isn't a 'direct' connection between my home and University computers, ZeroTier uses a relay/gateway that slows down the Internet speed.

Edited by Michael Kaaber
12 hours ago, Michael Kaaber said:

Is it possible to set up a LAN-to-LAN WireGuard tunnel if one of the computers is behind a router that I don't have access to?

I would not expect the machine that is behind that router to be able to accept incoming connections (unless that router happens by chance to be set up so that incoming connections can be specified by the server using DNLA).


I'm tunneled into my network from across the country and I'm having a weird issue trying to connect.

 

I have 2 unraid servers on this local network both setup with a separate tunnel connection because of this specific issue.

 

When I'm connected to server1tunnel I cannot access the deluge thinclient connection on server1, but I CAN access the deluge thinclient connection on server2. Same thing when connected to server2tunnel: I cannot access the deluge thinclient connection on server2, but I CAN access it for server1.

What is weird is that I can access the webUI from either of the tunnel connections; it's just the thinclient that does not work.

 

I've also noticed that I cannot use the PiHole as DNS server if I am connected to server1tunnel, but I can use it when using the server2tunnel (pihole is set up on server1).

 

I also have some weird server1 webUIs that do not work when I'm connected to the server1tunnel, like soulseek, pihole, and seemingly any docker using VNC, such as mkvtoolnix, krusader, etc.

 

I'm having none of these problems when on location at the local network, so I must have something wrong with the tunnel setup.

 

Any ideas?


Is there a way to delete a tunnel from the addon? If I click on the Add Tunnel button, or Import Tunnel, can I delete it later? Maybe modify some configuration files manually?

If I delete the addon and re-install it, the settings are still there. Will the settings created using the addon still be active if I remove the addon?

Maybe deleting files from /etc/wireguard?
 

see:
https://wiki.archlinux.org/index.php/WireGuard

Edited by Armeros
1 hour ago, Armeros said:

Is there a way to delete a tunnel from the addon? If I click on the Add Tunnel button, or Import Tunnel, can I delete it later? Maybe modify some configuration files manually?

If I delete the addon and re-install it, the settings are still there. Will the settings created using the addon still be active if I remove the addon?

Maybe deleting files from /etc/wireguard?
 

see:
https://wiki.archlinux.org/index.php/WireGuard


I've read this thread and some others with Wireguard topic and still searching for solution.

I have port forwarding and static route all setup on the router (Untangle).

I can successfully connect with my Pixel3a mobile phone to the internet and I can also reach all devices on 192.168.1.0/24 network and unRAID docker containers.

When I connect with my Work laptop I have internet access but no access to devices on 192.168.1.0/24 network and unRAID docker containers.

Both devices are on the same "at work" network when establishing the VPN connection. What am I missing here? It doesn't make any sense to me.

2 hours ago, yogy said:

I can successfully connect with my Pixel3a mobile phone to the internet and I can also reach all devices on 192.168.1.0/24 network and unRAID docker containers.

When I connect with my Work laptop I have internet access but no access to devices on 192.168.1.0/24 network and unRAID docker containers.

Both devices are on the same "at work" network when establishing the VPN connection. What am I missing here? It doesn't make any sense to me.

Just a guess, but perhaps your work laptop has software that prevents WireGuard from changing the DNS Server?

 

You might try accessing your home network by IP address rather than by DNS name. 

2 hours ago, ljm42 said:

Just a guess, but perhaps your work laptop has software that prevents WireGuard from changing the DNS Server?

I don't think so. No special software and / or settings on that laptop. It's actually my laptop used also at work.  

2 hours ago, ljm42 said:

You might try accessing your home network by IP address rather than by DNS name. 

I did.


UPDATE to my previous post

 

On my "Work laptop" I now tried to establish a connection with Access to LAN peer type of access and could connect to all devices in my 192.168.1.0/24 network including Pi-hole (192.168.1.15) which is on br0. In other words Access to LAN works OK but Remote tunneled access only works partially (I get my "home" WAN IP but couldn't connect to any devices in my 192.168.1.0/24 LAN). 

 

Any thoughts or suggestions?

7 hours ago, yogy said:

UPDATE to my previous post

 

On my "Work laptop" I now tried to establish a connection with Access to LAN peer type of access and could connect to all devices in my 192.168.1.0/24 network including Pi-hole (192.168.1.15) which is on br0. In other words Access to LAN works OK but Remote tunneled access only works partially (I get my "home" WAN IP but couldn't connect to any devices in my 192.168.1.0/24 LAN). 

 

Any thoughts or suggestions?

 

If you compare the two config files, the only difference should be with the AllowedIPs line. 

 

"Remote access to LAN" has an "AllowedIPs" line that looks something like this:
  AllowedIPs=10.252.0.1/32, 192.168.10.0/24
This allows the client to talk to the server in the VPN tunnel and to the entire LAN. All other traffic uses the client's normal network path and does not go through the tunnel.


"Remote tunneled access" sets AllowedIPs to this:
  AllowedIPs=0.0.0.0/0
which means 100% of the client's traffic is routed through the tunnel.


I can't think of a reason why "Remote tunneled access" wouldn't be able to access the LAN. Possibly DNS related, where it can't reach the DNS server you are trying to send it, but if that were the issue then accessing the LAN by IP should work fine.

 

Have you set up static routes in your router? If you go to advanced mode you'll see a note that says something like this:

   Remark: docker containers on custom networks need static routing <WG tunnel>/24 to <unraid's IP>

 

Regardless of whether you are using docker containers on custom networks, it wouldn't hurt to setup a static route so devices on the LAN know how to reach the tunnel.
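As an added example (not code from this thread or from the plugin), a small Python checker that parses a server/peer config pair like the one page3 posted above, keeps repeated PostUp/PostDown entries intact (the rules Dataone reported being cleared), and tells "Remote access to LAN" from "Remote tunneled access" by the AllowedIPs rule ljm42 describes. The sample configs and the 203.0.113.10 endpoint are constructed; keys are omitted.

```python
import ipaddress
# Constructed sample pair modelled on the configs posted above (keys omitted, documentation IP).
SERVER_CONF = """[Interface]
Address=10.253.0.1
ListenPort=51820
PostUp=logger -t wireguard 'Tunnel WireGuard-wg0 started'
PostUp=iptables -t nat -A POSTROUTING -s 10.253.0.0/24 -o br0 -j MASQUERADE
PostDown=logger -t wireguard 'Tunnel WireGuard-wg0 stopped'
PostDown=iptables -t nat -D POSTROUTING -s 10.253.0.0/24 -o br0 -j MASQUERADE
[Peer]
AllowedIPs=10.253.0.2
"""
PEER_CONF = """[Interface]
Address=10.253.0.2/32
[Peer]
Endpoint=203.0.113.10:51820
AllowedIPs=10.253.0.1/32, 192.168.0.0/24
"""

def parse_wg(text):
    """Return [(section, {key: [values]})]; repeated keys like PostUp are kept in order."""
    sections = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments such as "#Remote"
        if line.startswith("[") and line.endswith("]"):
            sections.append((line[1:-1], {}))
        elif "=" in line and sections:
            key, value = (s.strip() for s in line.split("=", 1))
            sections[-1][1].setdefault(key, []).append(value)
    return sections

def first(sections, name, key, default=None):
    return next((kv[key][0] for sec, kv in sections if sec == name and key in kv), default)

def allowed_ips(sections):
    return [ipaddress.ip_network(n.strip(), strict=False) for sec, kv in sections
            if sec == "Peer" for v in kv.get("AllowedIPs", []) for n in v.split(",")]

def access_mode(peer_sections):
    """ljm42's distinction: 0.0.0.0/0 routes everything ('tunneled'), otherwise split ('lan')."""
    return "tunneled" if any(n.prefixlen == 0 for n in allowed_ips(peer_sections)) else "lan"

def check_pair(server_text, peer_text):  # server/peer mismatches that would stop traffic
    srv, peer = parse_wg(server_text), parse_wg(peer_text)
    peer_ip = ipaddress.ip_interface(first(peer, "Interface", "Address")).ip
    problems = []
    if not any(peer_ip in n for n in allowed_ips(srv)):  # server must accept the peer's tunnel IP
        problems.append("server AllowedIPs does not cover peer address %s" % peer_ip)
    port = first(peer, "Peer", "Endpoint", ":0").rsplit(":", 1)[1]
    if port != first(srv, "Interface", "ListenPort"):  # peer must dial the port the server listens on
        problems.append("Endpoint port %s != ListenPort" % port)
    iface = dict(srv)["Interface"]
    if len(iface.get("PostUp", [])) != len(iface.get("PostDown", [])):  # Dataone's lost Post rules
        problems.append("PostUp/PostDown count mismatch")
    return problems
```

Run check_pair() on the two files exported from the plugin; an empty list means the pair is consistent on the points the thread discusses, anything else names the mismatch.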

On 10/21/2020 at 10:05 AM, page3 said:

The handshake just keeps on retrying.

WireGuard fails silently. If there is no handshake then all you know is that the client isn't communicating with the server, you can't tell specifically what the problem is. You need to think through all the things that could be preventing the client from talking to the server. The second post in this thread has a list of things to check:
https://forums.unraid.net/topic/84226-wireguard-quickstart/?tab=comments#comment-780249

 

On 10/21/2020 at 10:05 AM, page3 said:

I have a UniFi USG with port forwarded as suggested in the blog. I do however have an upstream router (used as modem only) with its DMZ set to the UniFi USG.

If none of the ideas above help, this could be the issue.

 

Rather than put the UniFi in the DMZ, I would put the ISP's device in Bridge Mode. This completely disables the router functionality and truly makes it just a modem. 

2 hours ago, ljm42 said:

 

If you compare the two config files, the only difference should be with the AllowedIPs line. 

 

"Remote access to LAN" has an "AllowedIPs" line that looks something like this:
  AllowedIPs=10.252.0.1/32, 192.168.10.0/24
This allows the client to talk to the server in the VPN tunnel and to the entire LAN. All other traffic uses the client's normal network path and does not go through the tunnel.


"Remote tunneled access" sets AllowedIPs to this:
  AllowedIPs=0.0.0.0/0
which means 100% of the client's traffic is routed through the tunnel.

When I look at my config files they are exactly as you described.

2 hours ago, ljm42 said:

I can't think of a reason why "Remote tunneled access" wouldn't be able to access the LAN. Possibly DNS related, where it can't reach the DNS server you are trying to send it, but if that were the issue then accessing the LAN by IP should work fine.

 

Have you set up static routes in your router? If you go to advanced mode you'll see a note that says something like this:

   Remark: docker containers on custom networks need static routing <WG tunnel>/24 to <unraid's IP>

 

Regardless of whether you are using docker containers on custom networks, it wouldn't hurt to setup a static route so devices on the LAN know how to reach the tunnel.

Me neither. The strange thing is that with exactly the same configuration it works on my mobile phone but not on the laptop accessing unRAID server from the same "work" network.

Static route is set, also port forwarding. If it weren't, the connection on my mobile phone wouldn't work.

 

I appreciate your help though. Seems like I'll have to dig deeper.


Just posting an issue (and solution) I ran into today. I haven't read through all 16 pages of this thread to see if anyone else has experienced this, so I apologize if this has been covered before.

 

If my peer name has an ampersand (&) in it, my connection does not work. After removing the ampersand, my connection immediately started working again (using both the macOS and Android WireGuard clients).

 

Hopefully this helps someone else who might be pulling their hair out while wondering why their VPN connection stopped/never worked.

Edited by Guns McWar
On 11/6/2020 at 5:00 PM, ljm42 said:

WireGuard fails silently. If there is no handshake then all you know is that the client isn't communicating with the server, you can't tell specifically what the problem is. You need to think through all the things that could be preventing the client from talking to the server. The second post in this thread has a list of things to check:
https://forums.unraid.net/topic/84226-wireguard-quickstart/?tab=comments#comment-780249

 

If none of the ideas above help, this could be the issue.

 

Rather than put the UniFi in the DMZ, I would put the ISP's device in Bridge Mode. This completely disables the router functionality and truly makes it just a modem. 

Thanks for the suggestions. I went through the list but still no dice I'm afraid.

Unfortunately I really don't want to use bridge mode. It has caused problems with the UniFi USG router in the past and since segregating internet connection and routing the set-up has been working flawlessly. Additionally my modem/router has to hold open a VPN to tunnel through CGNAT and provide a fixed IP address. Here in the UK our fixed internet is so poor I finally gave up and now use 4G exclusively, crazy as I'm only 25 miles outside the M25.

Looks like I need to have yet another go, starting from scratch. It really should work.

On 11/6/2020 at 8:24 PM, yogy said:

The strange thing is that with exactly the same configuration it works on my mobile phone but not on the laptop accessing unRAID server from the same "work" network.

Static route is set, also port forwarding. If it weren't, the connection on my mobile phone wouldn't work.

 

I appreciate your help though. Seems like I'll have to dig deeper.

I FOUND A SOLUTION!

yes, I'm answering to myself but hopefully others will find this useful.

If you are using the WireGuard VPN app for Windows and try to connect to unRAID using Remote tunneled access, here is a solution

This issue of broken local network routing appears to only happen in WireGuard for Windows.

On 11/10/2020 at 6:11 PM, yogy said:

I FOUND A SOLUTION!

yes, I'm answering to myself but hopefully others will find this useful.

If you are using the WireGuard VPN app for Windows and try to connect to unRAID using Remote tunneled access, here is a solution

This issue of broken local network routing appears to only happen in WireGuard for Windows.

You just saved my evening


I have been trying for ages now to set up WG to access my dockers on my VLAN.

Local access works fine!

I suspect it is something I'm missing in pfSense!

Here are my unraid settings:


 

And pfSense setting:


 

Anyone see anything obvious I have missed? I've read through a number of threads and just can't pinpoint my issue.

Thanks

Edited by bdydrp