bonienl

Dynamix WireGuard VPN

406 posts in this topic Last Reply


Every time I add a peer I have to reboot the server in order for WireGuard to start working again. Is this normal? After rebooting everything works fine, including the newly added peer.

 

Any advice would be appreciated

 

Thanks  


Feature suggestion (if it hasn't been suggested yet)

 

Re-order VPN peers the same way I can re-order VMs (hold click, drag & drop).

On 9/11/2020 at 10:34 AM, ljm42 said:

Reboot Unraid. If the problem persists, upload your diagnostics; maybe there will be a clue in the logs.

Rebooted and having the same issue. Logs attached. @ljm42 any ideas?

tower-diagnostics-20200914-2158.zip

Edited by tmchow


Am I the only person having problems with this plugin resetting "PostUp" & "PostDown" rules within imported configuration files? If the tunnels aren't modified after importing everything remains, but even updating IP or DNS entries results in any Post rules being cleared.

 

If not, it would be great if there were an option to modify those rules within the GUI, or at least an option to preserve any that are imported. In my opinion it's a pretty big issue, as I require them to modify iptables entries.

 

Cheers

Edited by Dataone


I installed this plugin via CA on my new Unraid install. I set it up based on the blog post here. I created a peer with remote tunneled access and imported it into an Android client. I then enabled the connection, but the logs show handshake initiation timeouts and I'm unable to ping from Unraid. The port is appropriately forwarded to the VPN endpoint from my router side of things. Not sure where to go from here for troubleshooting.


Hello,

I just finished setting up wireguard and am having one quirk:

I have multiple Docker containers that run on the host on different ports. One of them is tunneled through OpenVPN. When I turn the WireGuard tunnel on, I can access unraid:port for the container (going through OpenVPN), but for some reason all network traffic from the container through OpenVPN ceases. I have to turn wg off and down/up my container to get it to work again, but then I can't VPN into my network to use it. Has anyone run into this?

 

Edit: figured it out: my peers were set to tunneled VPN, not remote to LAN. Not sure why that took down my containers, but all good now.

Edited by cA1pLPfENhOfT9pMGzu2


Is it possible to stop the Unraid WebUI from listening on WireGuard interfaces? For one, since I use SSL, clients that don't have access to the LAN can't see the dashboard anyway; for two, I'd like to be able to bind a dashboard Docker container to the HTTP port for clients that are connected via WireGuard. Right now I believe the nginx server is bound to 0.0.0.0; I'd like to change that to the fixed IP, if possible.

On 10/18/2020 at 3:56 AM, BKS said:

I installed this plugin via CA on my new Unraid install. I set it up based on the blog post here. I created a peer with remote tunneled access and imported it into an Android client. I then enabled the connection, but the logs show handshake initiation timeouts and I'm unable to ping from Unraid. The port is appropriately forwarded to the VPN endpoint from my router side of things. Not sure where to go from here for troubleshooting.

Might be easier to determine what's wrong if you post a censored config file

On 10/20/2020 at 2:55 AM, Dataone said:

Might be easier to determine what's wrong if you post a censored config file

Same problem, but with the iOS client. The handshake just keeps on retrying. I have a UniFi USG with the port forwarded as suggested in the blog. I do, however, have an upstream router (used as a modem only) with its DMZ set to the UniFi USG.

 

Any help appreciated :)

 

Local server configuration

[Interface]
#Unraid VPN
PrivateKey=***=
# no prefix length given, so wg-quick assigns the tunnel address as /32
Address=10.253.0.1
ListenPort=51820
PostUp=logger -t wireguard 'Tunnel WireGuard-wg0 started'
# NAT the whole tunnel subnet out of br0 so LAN hosts reply to the Unraid box
PostUp=iptables -t nat -A POSTROUTING -s 10.253.0.0/24 -o br0 -j MASQUERADE
PostDown=logger -t wireguard 'Tunnel WireGuard-wg0 stopped'
PostDown=iptables -t nat -D POSTROUTING -s 10.253.0.0/24 -o br0 -j MASQUERADE

[Peer]
#Remote
PublicKey=****=
PresharedKey=****=
# a bare address in AllowedIPs also means /32: only 10.253.0.2 is accepted from this peer
AllowedIPs=10.253.0.2

Remote peer configuration

[Interface]
#Remote
PrivateKey=***=
Address=10.253.0.2/32
DNS=192.168.0.1

[Peer]
#Unraid VPN
PresharedKey=***=
PublicKey=***=
Endpoint=*.*.*.*:51820
# server tunnel IP plus the home LAN go through the tunnel; everything else stays on the local path
AllowedIPs=10.253.0.1/32, 192.168.0.0/24


Is it possible to set up a LAN-to-LAN WireGuard tunnel if one of the computers is behind a router that I don't have access to?

 

I ask because my unraid server is in an office at a University - and I do not have access to the University router.

 

I am using ZeroTier and that works okay, but because there isn't a 'direct' connection between my home and University computers, ZeroTier uses a relay/gateway that slows down the Internet speed.

Edited by Michael Kaaber

12 hours ago, Michael Kaaber said:

Is it possible to set up a LAN-to-LAN WireGuard tunnel if one of the computers is behind a router that I don't have access to?

I would not expect the machine that is behind that router to be able to accept incoming connections (unless that router happens by chance to be set up so that incoming connections can be specified by the server using DLNA).


Anyone able to shed any light or offer any suggestions on my connectivity issue? :)


I'm tunneled into my network from across the country and I'm having a weird issue trying to connect.

I have 2 Unraid servers on this local network, both set up with a separate tunnel connection because of this specific issue.

When I'm connected to server1tunnel I cannot access the Deluge thin client connection on server1, but I CAN access the Deluge thin client connection on server2. Same thing when connected to server2tunnel: I cannot access the Deluge thin client connection on server2, but I CAN access it for server1.

What is weird is that I can access the WebUI from either of the tunnel connections; it's just the thin client that does not work.

I've also noticed that I cannot use the Pi-hole as DNS server if I am connected to server1tunnel, but I can use it when using the server2tunnel (Pi-hole is set up on server1).

I also have some weird server1 WebUIs that do not work when I'm connected to the server1tunnel, like Soulseek, Pi-hole, and seemingly any Docker container using VNC, such as mkvtoolnix, krusader, etc.

I'm having none of these problems when on location at the local network, so I must have something wrong with the tunnel setup.

 

Any ideas?


Is there a way to delete a tunnel from the addon? If I click on the Add Tunnel button, or Import tunnel, can I delete it later? Maybe by modifying some configuration files manually?

If I delete the addon and re-install it, the settings are still there. Will the settings created using the addon still be active if I remove the addon?

Maybe deleting files from /etc/wireguard?
 

see:
https://wiki.archlinux.org/index.php/WireGuard

Edited by Armeros

1 hour ago, Armeros said:

Is there a way to delete a tunnel from the addon? If I click on the Add Tunnel button, or Import tunnel, can I delete it later? Maybe by modifying some configuration files manually?

If I delete the addon and re-install it, the settings are still there. Will the settings created using the addon still be active if I remove the addon?

Maybe deleting files from /etc/wireguard?
 

see:
https://wiki.archlinux.org/index.php/WireGuard


I've read this thread and some others with Wireguard topic and still searching for solution.

I have port forwarding and static route all setup on the router (Untangle).

I can successfully connect with my Pixel3a mobile phone to the internet and I can also reach all devices on 192.168.1.0/24 network and unRAID docker containers.

When I connect with my Work laptop I have internet access but no access to devices on 192.168.1.0/24 network and unRAID docker containers.

Both devices are on the same "at work" network when establishing VPN connection. What am I missing here. It doesn't make any sense to me.

wireguard.png

2 hours ago, yogy said:

I can successfully connect with my Pixel3a mobile phone to the internet and I can also reach all devices on 192.168.1.0/24 network and unRAID docker containers.

When I connect with my Work laptop I have internet access but no access to devices on 192.168.1.0/24 network and unRAID docker containers.

Both devices are on the same "at work" network when establishing VPN connection. What am I missing here. It doesn't make any sense to me.

Just a guess, but perhaps your work laptop has software that prevents WireGuard from changing the DNS Server?

 

You might try accessing your home network by IP address rather than by DNS name. 

2 hours ago, ljm42 said:

Just a guess, but perhaps your work laptop has software that prevents WireGuard from changing the DNS Server?

I don't think so. No special software and / or settings on that laptop. It's actually my laptop used also at work.  

2 hours ago, ljm42 said:

You might try accessing your home network by IP address rather than by DNS name. 

I did.


UPDATE to my previous post

 

On my "Work laptop" I now tried to establish a connection with Access to LAN peer type of access and could connect to all devices in my 192.168.1.0/24 network including Pi-hole (192.168.1.15) which is on br0. In other words Access to LAN works OK but Remote tunneled access only works partially (I get my "home" WAN IP but couldn't connect to any devices in my 192.168.1.0/24 LAN). 

 

Any thoughts or suggestions?

7 hours ago, yogy said:

UPDATE to my previous post

 

On my "Work laptop" I now tried to establish a connection with Access to LAN peer type of access and could connect to all devices in my 192.168.1.0/24 network including Pi-hole (192.168.1.15) which is on br0. In other words Access to LAN works OK but Remote tunneled access only works partially (I get my "home" WAN IP but couldn't connect to any devices in my 192.168.1.0/24 LAN). 

 

Any thoughts or suggestions?

 

If you compare the two config files, the only difference should be with the AllowedIPs line. 

 

"Remote Access To LAN" has an AllowedIPs line that looks something like this:
  AllowedIPs=10.252.0.1/32, 192.168.10.0/24
This allows the client to talk to the server in the VPN tunnel and the entire LAN. All other traffic uses the client's normal network path and does not go through the tunnel.

"Remote tunneled access" sets AllowedIPs to this:
  AllowedIPs=0.0.0.0/0
which means 100% of the client's traffic is routed through the tunnel.


I can't think of a reason why "Remote tunneled access" wouldn't be able to access the LAN. Possibly DNS related, where it can't reach the DNS server you are trying to send it, but if that were the issue then accessing the LAN by IP should work fine.

 

Have you setup static routes in your router? If you go to advanced mode you'll see a note that says something like this:

   Remark: docker containers on custom networks need static routing <WG tunnel>/24 to <unraid's IP>

 

Regardless of whether you are using docker containers on custom networks, it wouldn't hurt to setup a static route so devices on the LAN know how to reach the tunnel.

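The two AllowedIPs modes described in the post above, together with the server/client config layout page3 posted earlier in the thread, as an added example that is not from the plugin or from any poster: a Python script that parses a server/client pair and checks the things a silently failing tunnel usually comes down to (Endpoint port vs ListenPort, cryptokey routing on the server, the PostUp MASQUERADE subnet, and whether a given destination is routed into the tunnel at all). It also prints the static route the plugin's advanced-mode remark asks for. The configs, keys, endpoint hostname and the 10.252.0.0/24 and 192.168.10.0/24 subnets are constructed placeholders.

```python
import ipaddress
import re

# Constructed server and client configs laid out like the ones quoted in this
# thread. Keys, the endpoint hostname and both subnets are placeholders.
SERVER_CONF = """
[Interface]
#Unraid VPN
PrivateKey=<server-private-key>
Address=10.252.0.1
ListenPort=51820
PostUp=iptables -t nat -A POSTROUTING -s 10.252.0.0/24 -o br0 -j MASQUERADE
PostDown=iptables -t nat -D POSTROUTING -s 10.252.0.0/24 -o br0 -j MASQUERADE

[Peer]
#Laptop
PublicKey=<laptop-public-key>
PresharedKey=<laptop-psk>
AllowedIPs=10.252.0.2
"""

CLIENT_LAN_ACCESS = """
[Interface]
#Laptop
PrivateKey=<laptop-private-key>
Address=10.252.0.2/32
DNS=192.168.10.1

[Peer]
#Unraid VPN
PublicKey=<server-public-key>
PresharedKey=<laptop-psk>
Endpoint=vpn.example.invalid:51820
AllowedIPs=10.252.0.1/32, 192.168.10.0/24
"""

# "Remote tunneled access" differs from "Remote access to LAN" only in AllowedIPs.
CLIENT_TUNNELED = CLIENT_LAN_ACCESS.replace(
    "AllowedIPs=10.252.0.1/32, 192.168.10.0/24", "AllowedIPs=0.0.0.0/0")


def parse_wg(conf):
    """Return [(section, {key: [values]})] in file order; '#' comments are dropped."""
    sections = []
    for raw in conf.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        if line.startswith("[") and line.endswith("]"):
            sections.append((line[1:-1], {}))
        elif "=" in line and sections:
            key, value = (s.strip() for s in line.split("=", 1))
            sections[-1][1].setdefault(key, []).append(value)
    return sections


def networks(values):
    """Expand comma-separated AllowedIPs values; a bare address means /32."""
    return [ipaddress.ip_network(item.strip(), strict=False)
            for value in values for item in value.split(",") if item.strip()]


def via_tunnel(client_conf, dst):
    """True if dst is inside some peer's AllowedIPs, i.e. wg-quick routes it into
    the tunnel; anything else takes the client's normal default route."""
    ip = ipaddress.ip_address(dst)
    return any(ip in net for section, kv in parse_wg(client_conf) if section == "Peer"
               for net in networks(kv.get("AllowedIPs", [])))


def static_route(server_conf, unraid_lan_ip):
    """The router static route the plugin's advanced-mode remark asks for:
    the tunnel /24 pointing at Unraid's LAN address."""
    iface = next(kv for section, kv in parse_wg(server_conf) if section == "Interface")
    tunnel_ip = ipaddress.ip_interface(iface["Address"][0]).ip
    return "%s via %s" % (ipaddress.ip_network("%s/24" % tunnel_ip, strict=False), unraid_lan_ip)


def check_pair(server_conf, client_conf, lan_cidr):
    """Cross-check one server/client pair; returns a list of findings (empty = consistent)."""
    server, client = parse_wg(server_conf), parse_wg(client_conf)
    srv_if = next(kv for s, kv in server if s == "Interface")
    cli_if = next(kv for s, kv in client if s == "Interface")
    cli_peer = next(kv for s, kv in client if s == "Peer")
    srv_ip = ipaddress.ip_interface(srv_if["Address"][0]).ip
    cli_ip = ipaddress.ip_interface(cli_if["Address"][0]).ip
    findings = []
    # 1. Endpoint port must be the server's ListenPort (the port the router forwards);
    #    otherwise the handshake never arrives and the client just keeps retrying.
    endpoint_port = int(cli_peer["Endpoint"][0].rsplit(":", 1)[1])
    if endpoint_port != int(srv_if["ListenPort"][0]):
        findings.append("client Endpoint port %d != server ListenPort %s"
                        % (endpoint_port, srv_if["ListenPort"][0]))
    # 2. Cryptokey routing: the server only accepts decrypted packets whose source
    #    address lies inside that peer's AllowedIPs.
    srv_allowed = [n for s, kv in server if s == "Peer" for n in networks(kv.get("AllowedIPs", []))]
    if not any(cli_ip in n for n in srv_allowed):
        findings.append("no server [Peer] has AllowedIPs covering %s" % cli_ip)
    # 3. The MASQUERADE rule must cover the client address or LAN replies never return.
    nat_subnets = [ipaddress.ip_network(m, strict=False)
                   for m in re.findall(r"-s\s+(\S+)", " ".join(srv_if.get("PostUp", [])))]
    if not any(cli_ip in n for n in nat_subnets):
        findings.append("no PostUp MASQUERADE rule covers %s" % cli_ip)
    # 4. The client must send both the server's tunnel IP and the LAN into the tunnel.
    lan_host = ipaddress.ip_network(lan_cidr)[10]
    for label, dst in (("server tunnel IP", srv_ip), ("LAN host", lan_host)):
        if not via_tunnel(client_conf, str(dst)):
            findings.append("%s %s is outside the client's AllowedIPs" % (label, dst))
    return findings
```

Run `check_pair(SERVER_CONF, CLIENT_LAN_ACCESS, "192.168.10.0/24")` and the tunneled variant and both come back empty, which is the same conclusion as the post: the two modes differ only in what the client sends into the tunnel, not in whether the LAN is reachable. Point it at the real files under /etc/wireguard to see which of the four checks a broken pair fails.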
On 10/21/2020 at 10:05 AM, page3 said:

The handshake just keeps on retrying.

WireGuard fails silently. If there is no handshake then all you know is that the client isn't communicating with the server, you can't tell specifically what the problem is. You need to think through all the things that could be preventing the client from talking to the server. The second post in this thread has a list of things to check:
https://forums.unraid.net/topic/84226-wireguard-quickstart/?tab=comments#comment-780249

 

On 10/21/2020 at 10:05 AM, page3 said:

I have a UniFi USG with port forwarded as suggested in the blog. I do however have an upstream router (used as modem only) with its DMZ set to the UniFi USG.

If none of the ideas above help, this could be the issue.

 

Rather than put the UniFi in the DMZ, I would put the ISP's device in Bridge Mode. This completely disables the router functionality and truly makes it just a modem. 

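On the "fails silently" point in the post above, as an added example that is not from the plugin or from anyone in the thread: the server side does keep one useful signal, the `wg show wg0 dump` output, and this script classifies each peer from it so you know which end of the path to look at. The dump text, keys, endpoints and timestamps below are constructed placeholders in the layout the real command prints.

```python
import time

# Constructed `wg show wg0 dump` output (tab-separated, like the real command):
# one interface line (private-key, public-key, listen-port, fwmark), then one
# line per peer (public-key, preshared-key, endpoint, allowed-ips, latest
# handshake as a Unix timestamp, rx bytes, tx bytes, persistent-keepalive).
SAMPLE_DUMP = "\n".join([
    "\t".join(["<server-private-key>", "<server-public-key>", "51820", "off"]),
    # phone: handshake 100 s before NOW, traffic flowing both ways
    "\t".join(["<phone-public-key>", "<psk>", "203.0.113.10:41641",
               "10.253.0.2/32", "1604700000", "184320", "9812044", "off"]),
    # laptop: the server has never seen a single packet from it
    "\t".join(["<laptop-public-key>", "<psk>", "(none)",
               "10.253.0.3/32", "0", "0", "0", "off"]),
    # office: handshook once hours ago, nothing since
    "\t".join(["<office-public-key>", "<psk>", "198.51.100.7:51820",
               "10.253.0.4/32", "1604690000", "0", "2048", "25"]),
])
NOW = 1604700100    # fixed "current time" so the sample is reproducible
STALE_AFTER = 180   # an active peer re-handshakes at least every 2-3 minutes


def parse_dump(text):
    rows = [line.split("\t") for line in text.strip().splitlines() if line.strip()]
    iface = dict(zip(("private_key", "public_key", "listen_port", "fwmark"), rows[0]))
    iface["listen_port"] = int(iface["listen_port"])
    peers = [{"public_key": r[0], "endpoint": r[2], "allowed_ips": r[3],
              "last_handshake": int(r[4]), "rx": int(r[5]), "tx": int(r[6]),
              "keepalive": r[7]} for r in rows[1:]]
    return iface, peers


def listen_port(text):
    """The UDP port the interface is bound to: this is what the router must forward."""
    return parse_dump(text)[0]["listen_port"]


def triage(text, now=None, stale_after=STALE_AFTER):
    """Map each peer's public key to (status, what to check next).
    Statuses: ok, stale, never-reached, handshake-incomplete."""
    now = int(time.time()) if now is None else now
    _, peers = parse_dump(text)
    out = {}
    for p in peers:
        age = now - p["last_handshake"]
        if p["last_handshake"] == 0 and p["endpoint"] == "(none)":
            # Nothing from this peer was ever accepted: either it never arrived
            # (port forward, ListenPort, client Endpoint) or the keys do not match.
            out[p["public_key"]] = ("never-reached",
                "no packet from this peer has ever been accepted: check the router port "
                "forward to this host's ListenPort, the client's Endpoint host:port, and "
                "that the key pair matches (client PublicKey here, server PublicKey there)")
        elif p["last_handshake"] == 0:
            # The endpoint was learned, so an initiation got in, but the session never
            # confirmed: the reply is not getting back, or the PresharedKey differs.
            out[p["public_key"]] = ("handshake-incomplete",
                "initiation seen from %s but no handshake completed: compare PresharedKey "
                "on both sides and make sure replies can reach that endpoint" % p["endpoint"])
        elif age > stale_after:
            out[p["public_key"]] = ("stale",
                "last handshake %d s ago; peer went away or its NAT mapping expired "
                "(PersistentKeepalive=%s)" % (age, p["keepalive"]))
        else:
            out[p["public_key"]] = ("ok", "handshake %d s ago, rx=%d tx=%d"
                                    % (age, p["rx"], p["tx"]))
    return out


if __name__ == "__main__":
    # On the Unraid box itself, feed in the live output instead of SAMPLE_DUMP:
    #   triage(subprocess.check_output(["wg", "show", "wg0", "dump"], text=True))
    print("listening on UDP %d" % listen_port(SAMPLE_DUMP))
    for key, (status, hint) in triage(SAMPLE_DUMP, NOW).items():
        print("%-22s %-20s %s" % (key, status, hint))
```

The "never-reached" case is the one the iOS and Android reports in this thread describe: if the server has never learned an endpoint for the peer, nothing has made it through the NAT and port forward, so the client's retry log tells you nothing the server doesn't already show.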
2 hours ago, ljm42 said:

 

If you compare the two config files, the only difference should be with the AllowedIPs line. 

 

"Remote Access To LAN" has an AllowedIPs line that looks something like this:
  AllowedIPs=10.252.0.1/32, 192.168.10.0/24
This allows the client to talk to the server in the VPN tunnel and the entire LAN. All other traffic uses the client's normal network path and does not go through the tunnel.

"Remote tunneled access" sets AllowedIPs to this:
  AllowedIPs=0.0.0.0/0
which means 100% of the client's traffic is routed through the tunnel.

When I look at my config files they are exactly as you described.

2 hours ago, ljm42 said:

I can't think of a reason why "Remote tunneled access" wouldn't be able to access the LAN. Possibly DNS related, where it can't reach the DNS server you are trying to send it, but if that were the issue then accessing the LAN by IP should work fine.

 

Have you setup static routes in your router? If you go to advanced mode you'll see a note that says something like this:

   Remark: docker containers on custom networks need static routing <WG tunnel>/24 to <unraid's IP>

 

Regardless of whether you are using docker containers on custom networks, it wouldn't hurt to setup a static route so devices on the LAN know how to reach the tunnel.

Me neither. The strange thing is that with exactly the same configuration it works on my mobile phone but not on the laptop accessing unRAID server from the same "work" network.

Static route is set, also port forwarding. If it wasn't the connection on my mobile phone wouldn't work. 

 

I appreciate your help though. Seems like I'll have to dig deeper.


Just posting an issue (and solution) I ran into today. I haven't read through all 16 pages of this thread to see if anyone else has experienced this, so I apologize if this has been covered before.

 

If my peer name has an ampersand (&) in it, my connection does not work. After removing the ampersand, my connection immediately started working again (using both the macOS and Android WireGuard clients).

 

Hopefully this helps someone else who might be pulling their hair out while wondering why their VPN connection stopped/never worked.

Edited by Guns McWar

On 11/6/2020 at 5:00 PM, ljm42 said:

WireGuard fails silently. If there is no handshake then all you know is that the client isn't communicating with the server, you can't tell specifically what the problem is. You need to think through all the things that could be preventing the client from talking to the server. The second post in this thread has a list of things to check:
https://forums.unraid.net/topic/84226-wireguard-quickstart/?tab=comments#comment-780249

 

If none of the ideas above help, this could be the issue.

 

Rather than put the UniFi in the DMZ, I would put the ISP's device in Bridge Mode. This completely disables the router functionality and truly makes it just a modem. 

Thanks for the suggestions. I went through the list but still no dice I'm afraid.

Unfortunately I really don't want to use bridge mode. It has caused problems with the UniFi USG router in the past and since segregating internet connection and routing the set-up has been working flawlessly. Additionally my modem/router has to hold open a VPN to tunnel through CGNAT and provide a fixed IP address. Here in the UK our fixed internet is so poor I finally gave up and now use 4G exclusively, crazy as I'm only 25 miles outside the M25.

Looks like I need to have yet another go, starting from scratch. It really should work.

On 11/6/2020 at 8:24 PM, yogy said:

The strange thing is that with exactly the same configuration it works on my mobile phone but not on the laptop accessing unRAID server from the same "work" network.

Static route is set, also port forwarding. If it wasn't the connection on my mobile phone wouldn't work. 

 

I appreciate your help though. Seems like I'll have to dig deeper.

I FOUND A SOLUTION!

yes, I'm answering to myself but hopefully others will find this useful.

If you are using the WireGuard VPN app for Windows and try to connect to unRAID using Remote tunneled access, here is a solution.

This issue of broken local network routing appears to only happen in WireGuard for Windows.
