bonienl

Dynamix WireGuard VPN


17 hours ago, HoLyCoW said:

I tried following the tutorial on the blog (https://unraid.net/blog/wireguard-on-unraid).

Please follow the quick start guide in the first two posts of this thread:

It contains a lot more information than the blog post.

 

17 hours ago, HoLyCoW said:

Also, I tend to access my unraid dashboard by going to domain.local, but when I'm connected via VPN, how should I connect to my dashboard? Should domain.local still work? Or do I have to connect to it via IP? Am I supposed to use my internal IP address? or the new IP address range that is being assigned via VPN? (I tried both, but nothing is working -- which is why I'm posting about this in the first place).

Try connecting using Unraid's normal IP address. If the browser fails while connecting to that IP address, then your connection isn't working yet, see the troubleshooting section of the guide.

 

If it fails after trying to redirect to "domain.local" then the problem is DNS. Getting "domain.local" to work from a remote (non-local) network is tough. You may have luck specifying your router's IP in the "peer dns" setting, but the better solution is to use a real domain name that any DNS server can resolve. i.e. use Unraid's built-in certificate so you get an xxxxxxx.unraid.net hostname that resolves to your internal IP address.

Edited by ljm42


Yes I block the right IP. I want to block 192.168.0.114 (I tried other IP addresses too, no difference).
I think the 192.168.10.188 is the IP from your post earlier if I am not completely wrong(?).

192.168.0.1 is my Router
192.168.0.10 Unraid Server
192.168.0.114 IP to block

2 hours ago, PvD said:

Yes I block the right IP. I want to block 192.168.0.114 (I tried other IP addresses too, no difference).
I think the 192.168.10.188 is the IP from your post earlier if I am not completely wrong(?).

Dang, thought I was onto something there :)

 

Assuming you are on the latest version of Unraid with the latest version of the plugin, I am out of ideas. It works for me, I don't understand why it isn't working for you.

On 7/26/2020 at 11:41 AM, itimpi said:

There is no problem using a dynamic dns entry for a client to server link so I am not sure why there should be a limitation on the server to server link.  I must admit I have not tried it myself though.   Perhaps there is some confusion between the address seen externally to your home LAN and the one seen internally after the WireGuard link has been established?

Hi - I tried a random .com and it seems ok so I guess you may be right as I was test setting up at one location.

 

Thanks

 

T

Dang, thought I was onto something there
 
Assuming you are on the latest version of Unraid with the latest version of the plugin, I am out of ideas. It works for me, I don't understand why it isn't working for you.

Okay thank you for your help. Then I need to find a solution which doesn’t involve the WireGuard Firewall.


Currently at work, connecting to my unRAID box using wireguard. I can access the box and shares fine. I can even access the dockers through the unRAID IP and the assigned ports.

 

Problem: I need to open some new ports for a new container on my home router

Problem 2: both the office router and home router are 192.168.1.254 and both serve as dhcp for the respective networks. These are my ISP routers and I cannot change the IP addresses as they tend to mess up the IPTV service.

 

How can I connect to the router at home? Using the http://192.168.1.254 connects me to this router instead of the one at home, as I would expect.

3 hours ago, NMGMarques said:

How can I connect to the router at home? Using the http://192.168.1.254 connects me to this router instead of the one at home, as I would expect.

One way out of this that I can think of probably isn't possible, and that would be to enable WAN management of the router and log in to it using the public IP.

 

Another way involves remote accessing a machine with a browser on that side of the network, VM or physical, with Teamviewer or something similar.

 

This setup is going to cause all kinds of issues the more you connect and work between them.

 

I just thought of another possibility. If you are running LE, maybe you could proxy the router interface?

2 hours ago, jonathanm said:

One way out of this that I can think of probably isn't possible, and that would be to enable WAN management of the router and log in to it using the public IP.

 

Another way involves remote accessing a machine with a browser on that side of the network, VM or physical, with Teamviewer or something similar.

 

This setup is going to cause all kinds of issues the more you connect and work between them.

 

I just thought of another possibility. If you are running LE, maybe you could proxy the router interface?

Thanks for the insight. I'll consider a VM. But I have to activate virtualization on the machine as it seems it must be off since I can't get unRAID to install a Windows VM.


After getting my Wireguard tunnel up pretty quickly I’ve been trying for about a week to get to where I could access something else beyond the Unraid server GUI – especially hosts in other subnets on my network.  I’ve had no success whatsoever after that initial setup.  After seeing a bunch of replies to my Wireguard VPN client being dropped with TCP:SA – a symptom of asymmetric routing – I went to Reddit and asked about it in the Wireguard and pfSense groups.  Since everyone seems to agree that my pfSense setup looks right, I realized I should probably actually come here as it seems to be something about Wireguard on Unraid that I need to address.  I hope you can help.  A simple network is below.

 

I think this is how the communications are going if I try to access Server 2 at 192.168.60.10 from my Wireguard VPN client 10.20.30.2:

 

1. VPN Client (10.20.30.2) wants to talk to Server 2 (192.168.60.1).
2. It sends it to its default GW, which I take it is the Unraid Server 1 host interface (192.168.30.4).
3. Unraid server 1 rewrites the source header and sends it to pfSense@192.168.30.1.
4. pfSense forwards the request to Server 2@192.168.60.10.
5. Server 2 sees the request from 10.20.30.2 and replies, but pfSense drops it as TCP:SA.

 

When I try to access the web GUI on Server 2 and run a capture on the VLAN30 pfSense interface I can see 10.20.30.2 talking to all sorts of stuff outside my firewall (dang chatty phone apps) but nothing going to Server 2. Nothing there. I can see Server 2 trying to respond on the VLAN60 pfSense interface, and the TCP:SA drops. FWIW, I can ping Server 2 via the Wireguard tunnel, and a traceroute shows 2 hops - the WG tunnel endpoint address of 10.20.30.1 and then Server 2 192.168.60.10.

 

If it is not some weirdness with pfSense allowing crosstalk between VLANs on that same physical interface without logging it then it must be something about the way Unraid and Wireguard are handling it. 

[diagram: wireguard_upd_diagram.png]

Any help would be appreciated.


Following up on my previous post as I'm still troubleshooting.  With Wireguard implemented this way, is it effectively bridged as an additional IP network on the first/lowest physical interface?


I seem to be having trouble with a LAN-to-LAN config. Both of my end-point systems are using 2 ethernet ports, one port to internet (br0) and the other to local (br1). What my curiosity is, does WireGuard only bind to one adapter, such as br0, or is it a bridged style connection when communicating through Unraid? I can't seem to find any further info other than the routing table showing the VPN network bound to wg0.

 

Any help is appreciated, thank you in advance.

 

EDIT:  I managed to answer my own question.  I found the wg0.conf in /boot/config/wireguard and found that wg0 is bound to adapter br0.  I changed that to br1 and I'm testing this.

Edited by ReidS
Update

On 7/27/2020 at 11:08 PM, PvD said:

I have the problem that I can't activate a VPN tunnel if I add an IP under "Local tunnel firewall:" (Allow/Deny doesn't make a difference).

If I leave this field clear, the tunnel starts as normal. I attached a screenshot (the "IP" is obviously faked).

Is this a known problem?

[screenshot: urWG1.PNG]

Can confirm this problem.
The moment I use a network in the firewall, the tunnel can't be started.
Do you have 2 network cards/links maybe?

Can confirm this problem.
The moment I use a network in the firewall, the tunnel can't be started.
Do you have 2 network cards/links maybe?

My current setup only features one Network Card with one Ethernet port.

How can I delete a wg interface?

There's no button in the interface.

You need to change the Tunnel view from "Basic" to "Advanced". The toggle is located between the "Active" and "Autostart" toggles in the top right corner of the tunnel.

After that you will find the Delete Tunnel button in the bottom right corner of the tunnel configuration.


Recently I decided I wanted to set up tunnels on my 2 local Unraid boxes to route all of their traffic through my VPN provider, but for now it does not seem to be possible.

It seems like you can only use EITHER the remote tunneled access OR the VPN tunneled access; you cannot use them both at the same time, so I'm either unable to access my local network from remote OR my local Unraid boxes will not go through the VPN.

 

Is there a way to enable both "VPN tunneled access" AND "Remote tunneled access" at the same time? or a function that works similarly?


 

On 10/13/2019 at 9:34 AM, bonienl said:

[screenshot]

 

LAN hosts or docker containers/VMs with their own IP address, need a return path back to the WireGuard VPN tunnel which exists on the Unraid server to reach any remote destination.

 

This is achieved by adding the tunnel endpoint subnet to the gateway (router) which provides the regular access to remote destinations.

 

By default Unraid uses the 10.253.x.x/16 subnet for tunnel endpoint assignments. This subnet needs to be added to the router and points to the LAN (eth0) address of the Unraid server.

 

Below is an example of static routes added to a Ubiquiti router (other brands should offer something similar).

 

[screenshot: static routes on a Ubiquiti router]

 

It is also needed to disable the "Local Server uses NAT" setting (switch on advanced view).

 

This solution finally worked for me to be able to access Dockers with custom IP addresses (much easier than VLAN setups or adding NICs, and not limited to just one docker, i.e. Pi-Hole, like the solution that replaces the default port 80 with Pi-Hole for pure DNS).

However, it was still a little hard to understand and follow how to configure this in my network -- and with an Edgerouter (ER-X). So I thought I'd go ahead and share the specifics in case anyone else could use some additional clarity and/or has an Edgerouter. After mucking around with my firewall rules and getting back out of the wrong rabbit holes, it really was fairly easy in the end.


Re-Cap of setting up WireGuard (in Unraid) for access to Docker containers with Custom IP Addresses (e.g. Pi-hole, Unifi, etc.):

First, in order to access Dockers that have a custom IP address you need to disable NAT in the WireGuard VPN settings... as noted in the just-gotta-know-where-to-look on-screen documentation:

[screenshot: on-screen help for the NAT setting]

 

So, once you disable NAT in the WireGuard Configuration (Settings -> VPN Manager), then Unraid provides the key details in a remark for you:

[screenshot: remark shown by Unraid when NAT is disabled]

 

As noted also in the documentation comments and the remark, you will need to configure a static route on the router, but there is still an important missing detail from the on-screen info. Luckily these have been outlined in the "WireGuard quickstart" forum thread (linked here). These details (along with the post quoted above) really helped with some additional details that made it clear enough for me to finally get my network properly configured -- and as it turns out it is really very simple. The "WireGuard quickstart" guide is actually a different forum thread, but I found this thread before I finally found my way over to that one (via more Google-Fu)... so it seems useful to provide these details here:

 

The quickstart guide (thread linked above) was updated as of February 20, 2020 with a section labeled "Complex Networks" and it provides the key details that were most helpful. 

 

How to Configure Static Route for WireGuard (on Unraid) in an EdgeRouter (ER-X):

The remaining element was to sort out how to correctly set up the static route in an Edgerouter (ER-X).... so for those that may find their way here and have an Edgerouter (or similar), here's the process:

 

1. On the Routes Tab, click to Add a new Static Route:
[screenshot: EdgeRouter Routes tab]
 

2. Enter the details that are provided by the Unraid UI (see screenshot above when NAT is disabled under VPN Management):
[screenshot: static route details]

 

3. Save and Apply the changes to the EdgeRouter... the end result will look like this if you open it after saving:
[screenshot: saved static route]

 

4. And Finally, you need to ensure that Docker is correctly set to enable "Host Access to custom networks" in the Docker Settings (Settings -> Docker):

Which will result in this... the actual URL to the detailed instructions is just below:

[screenshot: Docker settings, "Host access to custom networks"]

 

Note: The original details for this step are on Page 8 of this thread, but I found them from the link that is also on the "WireGuard quickstart" thread.... so I'm posting here again for continuity:

Edited by raerae1616

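The return-path requirement in bonienl's quoted post, and the symmetric versus asymmetric reply paths behind the TCP:SA drops reported in the pfSense post earlier in the thread, as an added example that is not code from the thread or from the Dynamix plugin. It models a constructed flat LAN with Python's ipaddress module: a VPN client on the plugin's default 10.253.0.0/16 tunnel, Unraid at an assumed 192.168.1.10 (10.253.0.1 on wg0), a router at 192.168.1.1 and a LAN host "server2" at 192.168.1.20 standing in for a container with its own IP. It then traces the request and the reply with "Local server uses NAT" on, with NAT off and no router route, and with NAT off plus the static route from the steps above. All addresses, host names and the stateful-router flag are assumptions made for the illustration.

```python
import ipaddress

# Added example; constructed topology, not taken from the thread or the plugin.
ANY = ipaddress.ip_network("0.0.0.0/0")
TUNNEL = ipaddress.ip_network("10.253.0.0/16")   # Unraid's default tunnel subnet
LAN = ipaddress.ip_network("192.168.1.0/24")     # assumed LAN
CLIENT = ipaddress.ip_address("10.253.0.2")      # WireGuard peer
UNRAID_WG = ipaddress.ip_address("10.253.0.1")   # Unraid's wg0 address
UNRAID_LAN = ipaddress.ip_address("192.168.1.10")
ROUTER = ipaddress.ip_address("192.168.1.1")
SERVER2 = ipaddress.ip_address("192.168.1.20")   # LAN host / container with its own IP


def lookup(table, dst):
    """Longest-prefix match. A next hop is a gateway address or the name of a
    directly attached interface."""
    best = None
    for net, hop in table:
        if dst in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, hop)
    return None if best is None else best[1]


def build_hosts(router_has_tunnel_route):
    router_table = [(LAN, "eth0"), (ANY, "wan")]
    if router_has_tunnel_route:
        # the static route from the thread: 10.253.0.0/16 -> Unraid's LAN address
        router_table.insert(0, (TUNNEL, UNRAID_LAN))
    return {
        # the peer's AllowedIPs send the LAN subnet into the tunnel
        "client": ({CLIENT}, [(TUNNEL, "wg0"), (LAN, UNRAID_WG)]),
        "unraid": ({UNRAID_LAN, UNRAID_WG},
                   [(TUNNEL, "wg0"), (LAN, "eth0"), (ANY, ROUTER)]),
        "router": ({ROUTER}, router_table),
        "server2": ({SERVER2}, [(LAN, "eth0"), (ANY, ROUTER)]),
    }


def owner(hosts, ip):
    return next((n for n, (addrs, _) in hosts.items() if ip in addrs), None)


def forward(hosts, dst, start, max_hops=8):
    """Walk a packet from `start` toward `dst`; returns (path, verdict)."""
    path, node = [start], start
    for _ in range(max_hops):
        addrs, table = hosts[node]
        if dst in addrs:
            return path, "delivered"
        hop = lookup(table, dst)
        if hop is None or hop == "wan":
            return path, "dropped"       # no route, or sent out the default route
        nxt = owner(hosts, dst) if isinstance(hop, str) else owner(hosts, hop)
        if nxt is None:
            return path, "dropped"
        path.append(nxt)
        node = nxt
    return path, "loop"


def exchange(nat, router_has_tunnel_route, stateful_router=False):
    """Request client -> server2 and the reply, under the plugin's two modes.
    nat=True models "Local server uses NAT": Unraid masquerades the client as
    its own LAN address, so server2 answers Unraid directly."""
    hosts = build_hosts(router_has_tunnel_route)
    req_path, req = forward(hosts, SERVER2, "client")
    if nat:
        rep_path, rep = forward(hosts, UNRAID_LAN, "server2")  # reply to masqueraded source
        if rep == "delivered":
            tail, rep = forward(hosts, CLIENT, "unraid")       # Unraid un-NATs, tunnels it back
            rep_path += tail[1:]
    else:
        rep_path, rep = forward(hosts, CLIENT, "server2")
    # A stateful firewall in the router's position sees only the reply leg here.
    if stateful_router and "router" in rep_path and "router" not in req_path:
        rep = "dropped (reply without matching state, cf. pfSense TCP:SA)"
    return req_path, req, rep_path, rep


if __name__ == "__main__":
    for args in [(True, False), (False, False), (False, True), (False, True, True)]:
        print(args, exchange(*args))
```

With NAT on, the reply goes to Unraid's LAN address and never touches the router, which is why the default mode "just works" for hosts without their own IP. With NAT off the LAN host answers 10.253.0.2 directly, and unless the router has the 10.253.0.0/16 route pointing at Unraid it sends that reply out its default route. The last case shows why a stateful firewall in the router's position is a different problem: the request bypassed it, so the SYN-ACK arrives without a matching state entry, which is what a TCP:SA block log looks like.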

Basically I managed to set up WireGuard only as Remote tunneled access; any other option just isn't pinging.

But anyway, with this option I can access only my server and dockers.

Any chance of accessing the entire home network?

2 hours ago, J05u said:

Basically I managed to set up WireGuard only as Remote tunneled access; any other option just isn't pinging.

But anyway, with this option I can access only my server and dockers.

Any chance of accessing the entire home network?

Please don't double post


Hi,

I'm having some trouble getting WireGuard to work...

I've followed the guide, and when I connect to the WireGuard VPN from my Windows 10 on a remote network (my Unraid server is located at my work) I can ping / access the Unraid IP, but nothing else on the remote network.

I chose the "Remote access to LAN" option in the peer settings.

It's not the first time I'm using WireGuard; I've had it working before but ran into the same issue, and then started using OpenVPN, but it only allows two VPN connections, so I would like to get WireGuard working again, but I can't figure out what's wrong.

Does anyone have any ideas on what I should do to fix this...

I can access anything on my Unraid server, but anything else on the network that has another IP address I can't access....

Please help me out here, thanks in advance...


I'm having an issue adding a peer. When I hit "apply" after specifying the peer's initial info, nothing happens. Looking at the Chrome dev tools, this error is showing up:

 

An invalid form control with name='Address:1' is not focusable.

[screenshot: browser console error]

 

quick google search found this common issue:

https://stackoverflow.com/questions/22148080/an-invalid-form-control-with-name-is-not-focusable

Edited by tmchow

5 hours ago, tmchow said:

I'm having an issue adding a peer. When I hit "apply" after specifying the peer's initial info, nothing happens. Looking at the Chrome dev tools, this error is showing up:


An invalid form control with name='Address:1' is not focusable.

 

What version of the WireGuard plugin, on what version of Unraid?

 

Nobody else has run into this, so assuming everything is current, I'm thinking it is issue with your browser. Try creating a blank profile in Chrome to eliminate browser extensions as the cause.

What version of the WireGuard plugin, on what version of Unraid?
 
Nobody else has run into this, so assuming everything is current, I'm thinking it is issue with your browser. Try creating a blank profile in Chrome to eliminate browser extensions as the cause.

I’m on Unraid 6.8.3 and plug-in version 2020.07.10b

I’m on a chrome beta but been on it for awhile. I’ll try a different browser and incognito window to see if that changes anything.

5 hours ago, ljm42 said:

What version of the WireGuard plugin, on what version of Unraid?

 

Nobody else has run into this, so assuming everything is current, I'm thinking it is issue with your browser. Try creating a blank profile in Chrome to eliminate browser extensions as the cause.

I also just tried this on Firefox with no plugins and got similar behavior but the dev console reports a different error:

 

Firefox can’t establish a connection to the server at ws://192.168.1.161/sub/var

When trying in Chrome Incognito, I got same error as my non-chrome incognito window. I'm so confused.

Edited by tmchow

9 hours ago, tmchow said:

Firefox can’t establish a connection to the server at ws://192.168.1.161/sub/var

Reboot Unraid. If the problem persists, upload your diagnostics, maybe there will be a clue in the logs

