Skip to content
View in the app

A better way to browse. Learn more.

Unraid

A full-screen app on your home screen with push notifications, badges and more.

To install this app on iOS and iPadOS
  1. Tap the Share icon in Safari
  2. Scroll the menu and tap Add to Home Screen.
  3. Tap Add in the top-right corner.
To install this app on Android
  1. Tap the 3-dot menu (⋮) in the top-right corner of the browser.
  2. Tap Add to Home screen or Install app.
  3. Confirm by tapping Install.

Dynamix WireGuard VPN

Featured Replies

On 9/11/2020 at 10:34 AM, ljm42 said:

Reboot Unraid. If the problem persists, upload your diagnostics, maybe there will be a clue in the logs

Rebooted and having same issue.  logs attached.  @ljm42 any ideas?

tower-diagnostics-20200914-2158.zip

Edited by tmchow

  • 1 month later...
  • Replies 607
  • Views 212k
  • Created
  • Last Reply

Top Posters In This Topic

Most Popular Posts

  • With Unraid containers may have either fixed addresses or dynamic addresses when used on a custom (macvlan) network. To ensure that "any" container can be accessed by the host, I took the approac

  • This is my scenario. @bonienl Please correct anything erroneous in this post.  I am not a networking expert and am explaining things according to my understanding with my functioning WireGuard, router

  • LAN hosts or docker containers/VMs with their own IP address, need a return path back to the WireGuard VPN tunnel which exists on the Unraid server to reach any remote destination.   This is

Posted Images

Am I the only person having problems with this plugin resetting "PostUp" & "PostDown" rules within imported configuration files? If the tunnels aren't modified after importing everything remains, but even updating IP or DNS entries results in any Post rules being cleared.

 

If not, it would be great if there's an option to modify those rules within the GUI or at least an option to preverse any that are imported. In my opinion it's a pretty big issue as I require them to modify iptables entries.

 

Cheers

Edited by Dataone

I installed this plugin via CA on my new unraid install. I set it up based on the blog post here. I create a peer with remote tunneled access and import it into a android client. I then enable the connection but on the logs it shows handshake initiation timeouts and I'm unable to ping from unraid. The port is appropriately forwarded to the VPN endpoint from my router side of things. Not sure where to go from here for troubleshooting.

Hello,

I just finished setting up wireguard and am having one quirk:

I have multiple docker containers that run on the host at different ports. One of them is tunneled through openVPN. When I turn the wireguard tunnel on, I can access unraid:port for the container (going through openvpn), but for some reason, all network traffic from the container through openvpn ceases. I have to turn wg off and down/up my container to get it to work again, but then I can't VPN into my network to use it. Has anyone run into this?

 

edit: figured it out: the my peers were set to tunneled vpn, not remote to lan. Not sure why that took down my containers, but all good now. 

Edited by cA1pLPfENhOfT9pMGzu2

Is it possible to stop the Unraid WebUI from listening on Wireguard interfaces? For one, since I use SSL - clients that don't have access to the LAN can't see the dashboard anyways; for two I'd like to be able to bind a dashboard docker to the HTTP port for clients that are connected via wireguard. Right now I believe the nginx server is bound to 0.0.0.0 - I'd like to change that to the fixed IP, if possible.

On 10/18/2020 at 3:56 AM, BKS said:

I installed this plugin via CA on my new unraid install. I set it up based on the blog post here. I create a peer with remote tunneled access and import it into a android client. I then enable the connection but on the logs it shows handshake initiation timeouts and I'm unable to ping from unraid. The port is appropriately forwarded to the VPN endpoint from my router side of things. Not sure where to go from here for troubleshooting.

Might be easier to determine what's wrong if you post a censored config file

On 10/20/2020 at 2:55 AM, Dataone said:

Might be easier to determine what's wrong if you post a censored config file

Same problem, but iOS client. The handshake just keeps on retrying. I have a UniFi USG with port forwarded as suggested in the blog. I do however have an upstream router (used as modem only) with its DMZ set to the UniFi USG.

 

Any help appreciated :)

 

Local server configuration

[Interface]

#Unraid VPN

PrivateKey=***=

Address=10.253.0.1

ListenPort=51820

PostUp=logger -t wireguard 'Tunnel WireGuard-wg0 started'

PostUp=iptables -t nat -A POSTROUTING -s 10.253.0.0/24 -o br0 -j MASQUERADE

PostDown=logger -t wireguard 'Tunnel WireGuard-wg0 stopped'

PostDown=iptables -t nat -D POSTROUTING -s 10.253.0.0/24 -o br0 -j MASQUERADE

[Peer]
#Remote

PublicKey=****=

PresharedKey=****=

AllowedIPs=10.253.0.2

 

Remote peer configuration

[Interface]

#Remote

PrivateKey=***=

Address=10.253.0.2/32

DNS=192.168.0.1

[Peer]

#Unraid VPN

PresharedKey=***=
PublicKey=***=

Endpoint=*.*.*.*:51820

AllowedIPs=10.253.0.1/32, 192.168.0.0/24

Is it possible to setup a LAN to LAN WireGuard if one on the computer is behind a router that I don't have access to?

 

I ask because my unraid server is in an office at a University - and I do not have access to the University router.

 

I am using ZeroTier and that works okay - but because there isn't 'direct' connection between my home- and University computer, ZeroTier use a relay/gateway that slows down the Internet speed.

Edited by Michael Kaaber

12 hours ago, Michael Kaaber said:

Is it possible to setup a LAN to LAN WireGuard if one on the computer is behind a router that I don't have access to?

I would not expect the machine that is behind that router to be able to accept incoming connections (unless that router happens by chance to be setup so that incoming connection can be specified by the server using DNLA).

Anyone able to shed any light or offer any suggestions on my connectivity issue? :)

I'm tunneled into my network from accross the country and i'm having a weird issue trying to connect.

 

I have 2 unraid servers on this local network both setup with a separate tunnel connection because of this specific issue.

 

When i'm connected to server1tunnel i cannot access the deluge thinclient connection on server1, but i CAN access the deluge thinclient connection on server2. Same thing when connected to server2tunnel i cannot access the deluge thinclient connection on server2, but i CAN access it for server1.

What is weird is that i can access the webUI from either of the tunnel connections, its just the thinclient that does not work.

 

I've also noticed that i cannot use the PiHole as DNS server if i am connected to server1tunnel, but i can use it when using the server2tunnel (pihole is setup on server1).

 

i also have some weird server1 webUIs that do not work when im connected to the server1tunnel, like soulseek, pihole, and seemingly any docker using VNC to use dockers such as mkvtoolnix, krusader, etc.

 

I'm having none of these problems when on location at the local network so i must have something wrong with the tunnel setup.

 

Any ideas?

Is there a way to delete a tunnel from the addon? If I click on Add Tunnel button, or Import tunnel, can I delete it later? maybe modify manually some configuration files?

If I delete the addon and re-install it, the settings are still there. will the settings created using the addon still be active if I remove the addon?

Maybe deleting files from /etc/wireguard?
 

see:
https://wiki.archlinux.org/index.php/WireGuard

Edited by Armeros

1 hour ago, Armeros said:

Is there a way to delete a tunnel from the addon? If I click on Add Tunnel button, or Import tunnel, can I delete it later? maybe modify manually some configuration files?

If I delete the addon and re-install it, the settings are still there. will the settings created using the addon still be active if I remove the addon?

Maybe deleting files from /etc/wireguard?
 

see:
https://wiki.archlinux.org/index.php/WireGuard

FotY0Tb.gif

I've read this thread and some others with Wireguard topic and still searching for solution.

I have port forwarding and static route all setup on the router (Untangle).

I can successfully connect with my Pixel3a mobile phone to the internet and I can also reach all devices on 192.168.1.0/24 network and unRAID docker containers.

When I connect with my Work laptop I have internet access but no access to devices on 192.168.1.0/24 network and unRAID docker containers.

Both devices are on the same "at work" network when establishing VPN connection. What am I missing here. It doesn't make any sense to me.

wireguard.png

2 hours ago, yogy said:

I can successfully connect with my Pixel3a mobile phone to the internet and I can also reach all devices on 192.168.1.0/24 network and unRAID docker containers.

When I connect with my Work laptop I have internet access but no access to devices on 192.168.1.0/24 network and unRAID docker containers.

Both devices are on the same "at work" network when establishing VPN connection. What am I missing here. It doesn't make any sense to me.

Just a guess, but perhaps your work laptop has software that prevents WireGuard from changing the DNS Server?

 

You might try accessing your home network by IP address rather than by DNS name. 

2 hours ago, ljm42 said:

Just a guess, but perhaps your work laptop has software that prevents WireGuard from changing the DNS Server?

I don't think so. No special software and / or settings on that laptop. It's actually my laptop used also at work.  

2 hours ago, ljm42 said:

You might try accessing your home network by IP address rather than by DNS name. 

I did.

UPDATE to my previous post

 

On my "Work laptop" I now tried to establish a connection with Access to LAN peer type of access and could connect to all devices in my 192.168.1.0/24 network including Pi-hole (192.168.1.15) which is on br0. In other words Access to LAN works OK but Remote tunneled access only works partially (I get my "home" WAN IP but couldn't connect to any devices in my 192.168.1.0/24 LAN). 

 

Any thoughts or suggestions?

7 hours ago, yogy said:

UPDATE to my previous post

 

On my "Work laptop" I now tried to establish a connection with Access to LAN peer type of access and could connect to all devices in my 192.168.1.0/24 network including Pi-hole (192.168.1.15) which is on br0. In other words Access to LAN works OK but Remote tunneled access only works partially (I get my "home" WAN IP but couldn't connect to any devices in my 192.168.1.0/24 LAN). 

 

Any thoughts or suggestions?

 

If you compare the two config files, the only difference should be with the AllowedIPs line. 

 

"Remote Access To LAN has an "AllowedIPs" line that looks something like this:
  AllowedIPs=10.252.0.1/32, 192.168.10.0/24
Where it allows the client to talk to the server in the VPN tunnel and the entire LAN.  All other traffic uses the client's normal network path and does not go through the tunnel.


"Remote tunneled access" sets AllowedIPs to this:
  AllowedIPs=0.0.0.0/0
which means 100% of the client's traffic is routed through the tunnel.


I can't think of a reason why "Remote tunneled access" wouldn't be able to access the LAN. Possibly DNS related, where it can't reach the DNS server you are trying to send it, but if that were the issue then accessing the LAN by IP should work fine.

 

Have you setup static routes in your router? If you go to advanced mode you'll see a note that says something like this:

   Remark: docker containers on custom networks need static routing <WG tunnel>/24 to <unraid's IP>

 

Regardless of whether you are using docker containers on custom networks, it wouldn't hurt to setup a static route so devices on the LAN know how to reach the tunnel.

On 10/21/2020 at 10:05 AM, page3 said:

The handshake just keeps on retrying.

WireGuard fails silently. If there is no handshake then all you know is that the client isn't communicating with the server, you can't tell specifically what the problem is. You need to think through all the things that could be preventing the client from talking to the server. The second post in this thread has a list of things to check:
https://forums.unraid.net/topic/84226-wireguard-quickstart/?tab=comments#comment-780249

 

On 10/21/2020 at 10:05 AM, page3 said:

I have a UniFi USG with port forwarded as suggested in the blog. I do however have an upstream router (used as modem only) with its DMZ set to the UniFi USG.

If none of the ideas above help, this could be the issue.

 

Rather than put the UniFi in the DMZ, I would put the ISP's device in Bridge Mode. This completely disables the router functionality and truly makes it just a modem. 

2 hours ago, ljm42 said:

 

If you compare the two config files, the only difference should be with the AllowedIPs line. 

 

"Remote Access To LAN has an "AllowedIPs" line that looks something like this:
  AllowedIPs=10.252.0.1/32, 192.168.10.0/24
Where it allows the client to talk to the server in the VPN tunnel and the entire LAN.  All other traffic uses the client's normal network path and does not go through the tunnel.


"Remote tunneled access" sets AllowedIPs to this:
  AllowedIPs=0.0.0.0/0
which means 100% of the client's traffic is routed through the tunnel.

When I look at my config files they are exactly as you described.

2 hours ago, ljm42 said:

I can't think of a reason why "Remote tunneled access" wouldn't be able to access the LAN. Possibly DNS related, where it can't reach the DNS server you are trying to send it, but if that were the issue then accessing the LAN by IP should work fine.

 

Have you setup static routes in your router? If you go to advanced mode you'll see a note that says something like this:

   Remark: docker containers on custom networks need static routing <WG tunnel>/24 to <unraid's IP>

 

Regardless of whether you are using docker containers on custom networks, it wouldn't hurt to setup a static route so devices on the LAN know how to reach the tunnel.

Me neither. The strange thing is that with exactly the same configuration it works on my mobile phone but not on the laptop accessing unRAID server from the same "work" network.

Static route is set, also port forwarding. If it wasn't the connection on my mobile phone wouldn't work. 

 

I appreciate your help though. Seems like I'll have to dig deeper.

Just posting an issue (and solution) I ran into today. I haven't read through all 16 pages of this thread to see if anyone else has experienced this, so I apologize if this has been covered before.

 

If my peer name has an ampersand (&) in it, my connection does not work. After removing the ampersand, my connection immediately started working again (using both the macOS and Android WireGuard clients).

 

Hopefully this helps someone else who might be pulling their hair out while wondering why their VPN connection stopped/never worked.

Edited by Guns McWar

On 11/6/2020 at 5:00 PM, ljm42 said:

WireGuard fails silently. If there is no handshake then all you know is that the client isn't communicating with the server, you can't tell specifically what the problem is. You need to think through all the things that could be preventing the client from talking to the server. The second post in this thread has a list of things to check:
https://forums.unraid.net/topic/84226-wireguard-quickstart/?tab=comments#comment-780249

 

If none of the ideas above help, this could be the issue.

 

Rather than put the UniFi in the DMZ, I would put the ISP's device in Bridge Mode. This completely disables the router functionality and truly makes it just a modem. 

Thanks for the suggestions. I went through the list but still no dice I'm afraid.

Unfortunately I really don't want to use bridge mode. It has caused problems with the UniFi USG router in the past and since segregating internet connection and routing the set-up has been working flawlessly. Additionally my modem/router has to hold open a VPN to tunnel through CGNAT and provide a fixed IP address. Here in the UK our fixed internet is so poor I finally gave up and now use 4G exclusively, crazy as I'm only 25 miles outside the M25.

Look like I need to have yet another go, starting from scratch. It really should work.

On 11/6/2020 at 8:24 PM, yogy said:

The strange thing is that with exactly the same configuration it works on my mobile phone but not on the laptop accessing unRAID server from the same "work" network.

Static route is set, also port forwarding. If it wasn't the connection on my mobile phone wouldn't work. 

 

I appreciate your help though. Seems like I'll have to dig deeper.

I FOUND A SOLUTION!

yes, I'm answering to myself but hopefully others will find this useful.

If you are using Wireguard VPN app for Windows OS and try to connect to unRAID using Remote tunneled access here is a solution

This issue of broken local network routing appears to only happen in WireGuard for Windows.

On 11/10/2020 at 6:11 PM, yogy said:

I FOUND A SOLUTION!

yes, I'm answering to myself but hopefully others will find this useful.

If you are using Wireguard VPN app for Windows OS and try to connect to unRAID using Remote tunneled access here is a solution

This issue of broken local network routing appears to only happen in WireGuard for Windows.

You just saved my evening

I have been trying for ages now to setup WG to access my dockers on my VLAN

Local access works fine!

I suspect it is something i'm missing in pfSense!

Here are my unraid settings:

eth0.thumb.png.e0b99bb3d64611ddf1433e477ba879c2.png

 

docker.thumb.png.b7363debeba9669c69c7fb98fcc54c44.png

 

Tunnel.thumb.png.5f9dd1fac2b9d4222b8dbd1242401b0e.png

 

And pfSense setting:

gateway.png.d73a5419f14816f19e6df968dc3ed014.png

 

219675626_staticroute.png.f7c4b9ffca17f78c9168d5cde5abdfd7.png

 

Anyone see anything obvious i have missed? I've read thru a number of threads and just cant pin point my issue

Thanks

Edited by bdydrp

Join the conversation

You can post now and register later. If you have an account, sign in now to post with your account.
Note: Your post will require moderator approval before it will be visible.

Guest
Reply to this topic...

Account

Navigation

Search

Search

Configure browser push notifications

Chrome (Android)
  1. Tap the lock icon next to the address bar.
  2. Tap Permissions → Notifications.
  3. Adjust your preference.
Chrome (Desktop)
  1. Click the padlock icon in the address bar.
  2. Select Site settings.
  3. Find Notifications and adjust your preference.