Dynamix WireGuard VPN


bonienl


On 1/23/2021 at 1:53 PM, hdlineage said:

After unraid reboots

wg1 will fail to start due to a non-existent WIREGUARD chain in iptables.

I have to manually add the WIREGUARD chain to start the wg1 interface.

 

Great catch! Anyone using the "Local tunnel firewall" option will run into this. If you start a tunnel using the webgui it will look like it started, but when you refresh the page it will actually be stopped.

This can't be fixed by the plugin; it will be fixed in the 6.9.0 release of Unraid.

In the meantime, anyone having this issue can solve it by adding this to their /boot/config/go script and rebooting:

######
# this section should be removed after upgrading to Unraid 6.9
if ! iptables -S | grep -qom1 "WIREGUARD$"; then
  iptables -N WIREGUARD
  iptables -A FORWARD -j WIREGUARD
fi
if ! ip6tables -S | grep -qom1 "WIREGUARD$"; then
  ip6tables -N WIREGUARD
  ip6tables -A FORWARD -j WIREGUARD
fi
######
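The go-script snippet above decides and applies in one step, so it can only be checked on the server itself as root. The variant below is an added example (not code from the thread or from the plugin) that separates the two: it reads a rule dump in the shape of `iptables -S` output, prints the commands that would be needed to restore the WIREGUARD chain and its FORWARD jump, and prints nothing when the state is already correct. It also catches the half-state xaositek describes later in the thread (chain present, jump missing), which the `WIREGUARD$` grep in the snippet would not repair. The sample dumps are constructed, not captured from a real server.

```shell
#!/bin/sh
# Added example, not part of the go-script snippet above or of the plugin.
# "Decide what is missing" is separated from "apply it", so the decision can
# be checked against a saved `iptables -S` dump without root.

# Read a rule set (the output of `<tool> -S`) on stdin and print the commands
# needed so that chain $2 exists and FORWARD jumps into it. Prints nothing when
# the rule set is already in the desired state.
plan_chain_fix() {
    tool="$1"; chain="$2"
    rules=$(cat)
    # `-S` lists a user chain as "-N <chain>"; -x matches the whole line, so
    # "-A FORWARD -j WIREGUARD" is not mistaken for the chain itself.
    if ! printf '%s\n' "$rules" | grep -qxF -- "-N $chain"; then
        echo "$tool -N $chain"
    fi
    if ! printf '%s\n' "$rules" | grep -qxF -- "-A FORWARD -j $chain"; then
        echo "$tool -A FORWARD -j $chain"
    fi
}

# Number of commands a fix would need for rule set $1 (0 means nothing to do).
plan_size() {
    printf '%s\n' "$1" | plan_chain_fix "$2" "$3" | wc -l | tr -d ' '
}

# Constructed sample dumps (shape of `iptables -S` output; not from a real box).
RULES_AFTER_REBOOT='-P INPUT ACCEPT
-P FORWARD ACCEPT
-P OUTPUT ACCEPT'

RULES_HEALTHY='-P INPUT ACCEPT
-P FORWARD ACCEPT
-P OUTPUT ACCEPT
-N WIREGUARD
-A FORWARD -j WIREGUARD
-A WIREGUARD -i wg0 -j ACCEPT'

# Chain present but the FORWARD jump gone: the half-state a partial uninstall
# can leave behind.
RULES_CHAIN_ONLY='-P FORWARD ACCEPT
-N WIREGUARD'

# On the server itself (as root), apply for IPv4 and IPv6:
#   iptables  -S | plan_chain_fix iptables  WIREGUARD | sh
#   ip6tables -S | plan_chain_fix ip6tables WIREGUARD | sh
# Dry run against the constructed samples:
for name in RULES_AFTER_REBOOT RULES_HEALTHY RULES_CHAIN_ONLY; do
    eval "dump=\$$name"
    echo "== $name: $(plan_size "$dump" iptables WIREGUARD) command(s) needed"
    printf '%s\n' "$dump" | plan_chain_fix iptables WIREGUARD
done
```

Piping the plan through `sh` is what makes it equivalent to the snippet above; keeping the plan as text first lets you eyeball what a reboot left behind before touching the firewall.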

 


On 1/30/2021 at 8:43 PM, Aerodb said:

I have the issue with not getting a handshake. It seems a few people are having this issue. Not sure why there isn't a clear fix for such a common issue.

 

WireGuard fails silently. This is great for security, but it makes troubleshooting very difficult.

 

My best guess would be that your Local Endpoint does not resolve to your actual WAN IP, or else there is a problem with your port forward. But there could be other issues, I have tried to consolidate everything to the first two posts here: https://forums.unraid.net/topic/84226-wireguard-quickstart/

 

On 9/10/2020 at 2:15 PM, tmchow said:

I'm having an issue adding a peer. When I hit "apply" after specifying the peer's initial info, nothing happens. Looking at the Chrome dev tools, this error is showing up:

An invalid form control with name='Address:1' is not focusable.

A quick Google search found this common issue:

https://stackoverflow.com/questions/22148080/an-invalid-form-control-with-name-is-not-focusable

 

I'm having the same issue as @tmchow, with the same error message in the browser console. It is also being reported here:

https://www.reddit.com/r/unRAID/comments/khl3s0/issue_adding_peer_to_wireguard/

I've tried several different browsers, and the "apply" button has no effect. Is anyone else experiencing this? This is with unraid 6.8.3 and plugin version 2020.07.10b.

Do you by any chance have an ad blocker installed? If so, make sure you disable it.

I think I got it working. After expanding the existing peers and finding the "Address:1" element, it seems that one of the peers was missing a "Peer tunnel address". Not sure how that disappeared, but once I filled that in I was able to add new peers.
On 2/17/2021 at 2:25 PM, warwickmm said:

I think I got it working. After expanding the existing peers and finding the "Address:1" element, it seems that one of the peers was missing a "Peer tunnel address". Not sure how that disappeared, but once I filled that in I was able to add new peers.

Aha! Many thanks to you and @tmchow for reporting this issue with validation errors on hidden fields. I'm working on a fix for the next release.

Hey all, sorry if this has already been reported, don't know how to search for this.

I have the issue that the wrong config is displayed for each peer. This happened when I deleted the peer before the one I am trying to view. The web page uses the list position in the web page to get the config. If you then delete the first one, for example, the index of the second one becomes the first. And when I open this one, it shows the config for peer-Tower-wg0-1.conf when in reality it should be peer-Tower-wg0-2.conf.

So, after deleting any one but the last peer, I can't use the GUI any more as it's mismatched.

Can I have my settings checked please? I had to change my router to set up static routing; I have been able to handshake and connect to the Unraid GUI, but I am unable to access the LAN.

3rd attempt to put this in the right section.

Static2.jpg

Wireguard3.jpg
9 hours ago, brettm357 said:

Can I have my settings checked please? I had to change my router to set up static routing; I have been able to handshake and connect to the Unraid GUI, but I am unable to access the LAN.

It looks like you set up a static route just to 10.253.0.1; this should cover the entire 10.253.0.0/24 subnet.

 

There are also some tips in the second post here, such as making sure you have bridging enabled:

 

Having said that, there are a lot of people having issues accessing their LAN currently. I'd recommend reading the last few pages of this thread and the quickstart thread.
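The route problem in this exchange is a prefix-length mismatch: a host route to the tunnel's server address (10.253.0.1, a /32) tells the router nothing about the other peers in 10.253.0.0/24, so their return traffic has no path. The check below is an added example, not code from the thread or the plugin; it tests whether a static route covers a whole subnet and is run here against a constructed routing table that mirrors the before and after states described above.

```shell
#!/bin/sh
# Added example (not from the thread or the plugin): does a static route on
# the LAN router actually cover the WireGuard tunnel subnet?

# Dotted quad -> 32-bit integer.
ip2int() {
    IFS=. read -r a b c d <<EOF
$1
EOF
    echo $(( (a << 24) | (b << 16) | (c << 8) | d ))
}

# Return 0 if route $1 (IP or IP/len; a bare IP means /32) covers every
# address of subnet $2 (IP/len), 1 otherwise.
cidr_contains() {
    case $1 in */*) route=$1 ;; *) route=$1/32 ;; esac
    route_ip=${route%/*}; route_len=${route#*/}
    net_ip=${2%/*};       net_len=${2#*/}
    # A longer prefix is a smaller block, so it cannot cover the subnet.
    [ "$route_len" -le "$net_len" ] || return 1
    mask=$(( (0xFFFFFFFF << (32 - route_len)) & 0xFFFFFFFF ))
    [ $(( $(ip2int "$route_ip") & mask )) -eq $(( $(ip2int "$net_ip") & mask )) ]
}

# Given the tunnel subnet and a list of router routes, print the first route
# that covers the subnet, or "none" (exit 1) when no route does.
covering_route() {
    subnet=$1; shift
    for r in "$@"; do
        if cidr_contains "$r" "$subnet"; then echo "$r"; return 0; fi
    done
    echo none; return 1
}

# Constructed router tables: a host route to the server's tunnel address only
# (the situation described above), versus the corrected /24 route.
TUNNEL_SUBNET=10.253.0.0/24
echo "host route only: $(covering_route "$TUNNEL_SUBNET" 10.253.0.1/32 192.168.1.0/24)"
echo "corrected:       $(covering_route "$TUNNEL_SUBNET" 10.253.0.0/24 192.168.1.0/24)"
```

The same test applies to the tunnel's own AllowedIPs and to any container or VM with its own IP that needs a return path: whatever entry is supposed to carry traffic back must cover the entire tunnel subnet, not one address in it.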

On 2/26/2021 at 2:27 AM, AngusBrown said:

The web page uses the list position in the web page to get the config. If you then delete the first one, for example, the index of the second one becomes the first. And when I open this one, it shows the config for peer-Tower-wg0-1.conf when in reality it should be peer-Tower-wg0-2.conf.

So, after deleting any one but the last peer, I can't use the GUI any more as it's mismatched.

You are right!

 

As a workaround, after deleting a peer, make a change to any other peer and hit save. It will renumber the config files.
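The mismatch is a gap between list position and file number: after peer 1 of peer-Tower-wg0-{1,2,3}.conf is deleted, the GUI's first entry is still looked up as file 1. The workaround works because saving renumbers the files back to a contiguous 1..N. The script below is an added example (not the plugin's own code) that detects such a gap and closes it by renaming, preserving the peers' relative order; it uses the peer-<server>-<tunnel>-<n>.conf naming from the thread and runs against a constructed temporary directory.

```shell
#!/bin/sh
# Added example (not the plugin's own code): renumber peer-<server>-<tunnel>-<n>.conf
# so that <n> runs 1..N without gaps, the effect the "edit a peer and save"
# workaround relies on.

# Existing peer numbers for prefix $2 (e.g. Tower-wg0) in directory $1, ascending.
peer_numbers() {
    ( cd "$1" && ls peer-"$2"-*.conf 2>/dev/null ) \
        | sed -n "s/^peer-$2-\([0-9][0-9]*\)\.conf\$/\1/p" | sort -n
}

# Return 0 if the numbering is already contiguous from 1, 1 otherwise.
peers_contiguous() {
    expect=0
    for n in $(peer_numbers "$1" "$2"); do
        expect=$((expect + 1))
        [ "$n" -eq "$expect" ] || return 1
    done
    return 0
}

# Close the gaps by renaming, keeping the relative order of the peers.
# Processing in ascending order guarantees the target name is always free.
# Prints the number of peers afterwards.
renumber_peers() {
    dir=$1; prefix=$2; next=0
    for n in $(peer_numbers "$dir" "$prefix"); do
        next=$((next + 1))
        [ "$n" -eq "$next" ] && continue
        mv "$dir/peer-$prefix-$n.conf" "$dir/peer-$prefix-$next.conf"
    done
    echo "$next"
}

# Demo on a constructed directory: three peers, then the first one deleted.
demo_dir=$(mktemp -d)
for n in 1 2 3; do
    printf '[Interface]\n# constructed peer %s\n' "$n" > "$demo_dir/peer-Tower-wg0-$n.conf"
done
rm "$demo_dir/peer-Tower-wg0-1.conf"
peers_contiguous "$demo_dir" Tower-wg0 || echo "gap detected, renumbering"
echo "peers after renumbering: $(renumber_peers "$demo_dir" Tower-wg0)"
ls "$demo_dir"
rm -r "$demo_dir"
```

Worth noting for anyone scripting this against a real server: a renumbered file now belongs to a different list position, so any client whose config was handed out under the old number should be re-checked against the peer it actually represents before keys are reissued.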

On 3/5/2021 at 1:03 AM, ljm42 said:

It looks like you set up a static route just to 10.253.0.1; this should cover the entire 10.253.0.0/24 subnet.

There are also some tips in the second post here, such as making sure you have bridging enabled:

Having said that, there are a lot of people having issues accessing their LAN currently. I'd recommend reading the last few pages of this thread and the quickstart thread.

So once the changes were made I can access Unraid from outside the network on my work computer, but no matter what I do I cannot access it from my Android phone. Any ideas? I'm lost.


Update:

If I go into phone settings and add Google as private DNS, I can connect to Unraid but lose internet access for web pages.

Turn off the private DNS phone setting: can then access web pages but cannot access Unraid.

Switch on wifi for work: can access web pages and Unraid.

Hi there all. Is it expected that adding a new peer to a tunnel will disable the tunnel when apply is pressed? I've ended up in a semi-locked out situation multiple times when adding a peer and hitting apply via another peer on an active tunnel.

1 hour ago, Alexstrasza said:

Hi there all. Is it expected that adding a new peer to a tunnel will disable the tunnel when apply is pressed? I've ended up in a semi-locked out situation multiple times when adding a peer and hitting apply via another peer on an active tunnel.

 

The tunnel has to be restarted when you add a peer. If you are connected to the tunnel at the time you do this, it goes down but does not come back up. If this is a common thing you need to do I would recommend creating a backup tunnel that you connect to when modifying the main tunnel.

1 hour ago, ljm42 said:

 

The tunnel has to be restarted when you add a peer. If you are connected to the tunnel at the time you do this, it goes down but does not come back up. If this is a common thing you need to do I would recommend creating a backup tunnel that you connect to when modifying the main tunnel.

 

That's what I've ended up doing, but why is it that the tunnel does not come back up even if "autostart" is on?


Mistakenly attempted to add a new peer yesterday and the whole thing came crumbling down.

I removed the entire /boot/config/wireguard folder, uninstalled the plug-in and tried again. Now when I try to create my initial tunnel, the page just refreshes but no settings are saved. The /boot/config/wireguard folder is not made either.

What (and where) are the logs that would be relevant to troubleshooting this issue? I can post them pretty quick.

Edit: Figured out that some remaining iptables entries in the FORWARD rule, and also the WIREGUARD chain altogether, were still lingering after the uninstall. So I deleted those two items and rebooted. Now it's working!!

Edited by xaositek: Added fix

Hey WireGuard users! Big thanks to @bonienl, yesterday we released a huge update to the WireGuard plugin designed to detect and prevent as many configuration problems as we could. If you are having any problems, please update the plugin, then make a small change to your tunnel and hit Apply, this will trigger all of the new validation rules. Some issues have to be fixed before the changes will save, for others you'll want to enable Advanced mode and read the helpful remarks in the right column.

 

Also, if you are having trouble accessing dockers with custom IPs or other devices on your network, be sure to revisit the quickstart guide:
  https://forums.unraid.net/topic/84226-wireguard-quickstart/

The section on complex networks was completely rewritten to describe how certain settings conflict with each other.

 


2021.03.25b
This version resolves

  • the tunnel not restarting if changes were saved while connected through the tunnel
  • incorrect AllowedIPs setting for some peer configs
  • iptables not being updated after a reboot

This version adds

  • many safety guards to prevent invalid configurations
  • validation that the local endpoint url actually resolves to the external WAN IP
  • notification on specifically which peer configs were modified when changes were saved, so the user knows to update those clients
1 minute ago, bonienl said:

Haha, I was a bit silent about this 9_9

 

Thanks for the write up

 

Take the glory!! It's awesome work and thank you to @ljm42 for calling it out! I've been using this daily since I stood up my second unRAID server and the craftsmanship is great. I updated and was able to reissue keys for my four devices in less than 10 minutes.


Hey everyone. I got wireguard up and running the other day and everything looked good, but I've just gone to access my nextcloud server, which I've got proxied with nginx to my cloudflare domain with cloudflare ddns etc., and I get the 522 error (connection timed out). I've checked cloudflare and the IP address is updating correctly so I don't think that's a problem, but obviously the traffic isn't getting back to the server. I've spent a few hours looking around and just read through the updated quickstart guide with complex networks. It's possible this falls into that but honestly it's gone a little over my head. Any help would be amazing, thanks.
13 minutes ago, Zera said:

Hey everyone. I got wireguard up and running the other day and everything looked good, but I've just gone to access my nextcloud server, which I've got proxied with nginx to my cloudflare domain with cloudflare ddns etc., and I get the 522 error (connection timed out). I've checked cloudflare and the IP address is updating correctly so I don't think that's a problem, but obviously the traffic isn't getting back to the server. I've spent a few hours looking around and just read through the updated quickstart guide with complex networks. It's possible this falls into that but honestly it's gone a little over my head. Any help would be amazing, thanks.

 

Your other thread mentioned Azire, does that mean you are using VPN Tunneled Access? We have a thread for that here:

 

Basically, all of your traffic is now going through the tunnel, so you need to update the DDNS to point to Azire, not your router. And that means Azire needs to handle port forwarding and not your router.
