Dynamix WireGuard VPN


bonienl


Ahh yeah sorry, didn't think to put it in there. 

 

Thanks ljm, I've just emailed Azire because I'm not sure they even offer port forwarding and I'm pretty new to all this so tbh it's a little over my head at the moment lol. I've just been reading a few posts etc. Would I put this into the local endpoint field or am I way off? Cheers.

Link to comment

G'day Legends,

So I've been using OpenVPN built into the router for years and finally looked into Wireguard via Unraid and wow, plugin and usability is awesome. Fantastic write-up also @ljm42.

One problem I'm encountering though...

I guess I fall into the 'complex networks' category as I have VLANs and some dockers running via custom networks.

I've followed the quickstart guide, enabled host access to custom networks, set 'Local network uses NAT' to No and added a static route on the router (FreshTomato).

I can connect via my phone fine, but cannot access the dockers on the custom network, or devices on other VLANs like I could if on my LAN Wifi.

Do you have any other pearls of wisdom or troubleshooting steps?

 

Edit: for clarity, I can access everything else on my LAN fine

Static Routing.png

Edited by Boo-urns
Link to comment
56 minutes ago, bonienl said:

On your phone (client) you need to have AllowedIPs to include all your additional networks too, e.g.

 

AllowedIPs=192.168.3.0/24, 192.168.4.0/24, 192.168.5.0/24 ...

Thanks for the reply. I did notice that they weren't included in the client config after I looked. So I went to start from scratch in Unraid, reconfigured everything IAW the guide and now I'm not even getting a handshake.

 

Edit: NVM, I forgot WG needs to 'do something' to get a handshake. But, even with added 192.168.5.0/24 and the other ranges to the client config, back to square one. Still no access.

Edited by Boo-urns
New info
Link to comment

The GUI has no field to add the additional host networks for the peer(s). You need to do that manually on the peer itself.

 

Delete all tunnels and start from scratch (choose Remote access to LAN for the peer). This will generate a peer config similar to:

Remote peer configuration
[Interface]
#My iPhone
PrivateKey=xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx=
Address=10.253.0.2/32

[Peer]
#My Unraid server
PublicKey=xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx=
Endpoint=www.mysite.com:51831
AllowedIPs=10.253.0.1/32, 192.168.1.0/24

 

Load this config on the peer and manually add the additional networks, like 192.168.2.0/24, 192.168.3.0/24, etc. to the list of AllowedIPs using the WG app on the peer (do not delete the existing entries).

Link to comment
6 hours ago, bonienl said:

Delete all tunnels and start from scratch (choose Remote access to LAN for the peer). This will generate a peer config similar to:


Remote peer configuration
[Interface]
#My iPhone
PrivateKey=xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx=
Address=10.253.0.2/32

[Peer]
#My Unraid server
PublicKey=xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx=
Endpoint=www.mysite.com:51831
AllowedIPs=10.253.0.1/32, 192.168.1.0/24

 

Load this config on the peer and manually add the additional networks, like 192.168.2.0/24, 192.168.3.0/24, etc. to the list of AllowedIPs using the WG app on the peer (do not delete the existing entries).

OK so I've done exactly this. I have a LAN connection via WG and can access everything normally, except for VLANs and custom dockers.

E.g. I have a Shinobi docker running on VLAN5 (192.168.5.2) with all CCTV cams as well, which time out on WG. Additionally, DelugeVPN and Jackett (routed through DelugeVPN) are not accessible either.

All of the above are accessible normally via this PC (192.168.1.5).

Would there be any other specific routing required?

Link to comment

I too have multiple VLAN networks, which I use for docker containers and VMs. All of these networks (both IPv4 and IPv6) are reachable over WireGuard.

 

Couple of things I forgot to mention:

  1. WG configuration -> Local server uses NAT = No
  2. Docker configuration -> Host access to custom networks = Enabled
  3. The router needs a static route to forward the WG subnet (10.253.0.0/24) to the Unraid server (192.168.1.x)
  4. On the peer make a simplified AllowedIPs subnet, like 192.168.0.0/16 (this allows any 192.168.x.x address)

 

Link to comment
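The two replies above (adding the extra networks to the peer's AllowedIPs by hand, or collapsing them into 192.168.0.0/16) can be checked offline before loading the config on the phone. The following is an added example, not part of the original posts or the plugin: it parses a peer config, reports AllowedIPs entries that are not valid CIDR, and lists destinations the client would not route into the tunnel. The sample config and the function names are constructed for illustration.

```python
import ipaddress

# Constructed sample: the thread's peer config with networks appended by hand,
# including a deliberately malformed entry (a dot where the slash belongs).
SAMPLE_PEER_CONF = """\
[Interface]
#My iPhone
PrivateKey=<placeholder>
Address=10.253.0.2/32

[Peer]
#My Unraid server
PublicKey=<placeholder>
Endpoint=www.mysite.com:51831
AllowedIPs=10.253.0.1/32, 192.168.1.0/24, 192.168.2.0/24, 192.168.3.0.24
"""


def parse_allowed_ips(conf_text):
    """Return (networks, malformed) from every AllowedIPs line under [Peer]."""
    networks, malformed, section = [], [], None
    for raw in conf_text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments such as "#My iPhone"
        if not line:
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].lower()
            continue
        key, sep, value = line.partition("=")
        if section != "peer" or not sep or key.strip().lower() != "allowedips":
            continue
        for entry in (e.strip() for e in value.split(",")):
            try:
                networks.append(ipaddress.ip_network(entry, strict=False))
            except ValueError:
                malformed.append(entry)
    return networks, malformed


def audit(conf_text, destinations):
    """List malformed AllowedIPs entries and destinations left outside the tunnel."""
    networks, malformed = parse_allowed_ips(conf_text)
    unreachable = [
        d for d in destinations
        if not any(ipaddress.ip_address(d).version == n.version
                   and ipaddress.ip_address(d) in n for n in networks)
    ]
    return {"malformed": malformed, "unreachable": unreachable}
```

A destination that passes this check is only routed into the tunnel by the client; the server-side NAT setting, Docker host access and the router's static route listed above still decide whether replies come back. A wide range such as 192.168.0.0/16 also pulls traffic for any overlapping network the client is physically on into the tunnel.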
3 hours ago, bonienl said:
  1. WG configuration -> Local server uses NAT = No
  2. Docker configuration -> Host access to custom networks = Enabled
  3. The router needs a static route to forward the WG subnet (10.253.0.0/24) to the Unraid server (192.168.1.x)

I had these settings sorted already, including the static route. I've added the simplified AllowedIPs subnet on the client with no effect. Below is the static route set. Does anything glaringly obvious stand out that I've done incorrectly? Unraid IP is 192.168.1.4.

 

On 4/3/2021 at 3:31 PM, Boo-urns said:

Static Routing.png

Unraid settings as follows:

[two screenshots of the Unraid settings]

 

Thanks again for your help.

Link to comment

Hi,

 

I'm trying to set up a remote tunneled access server using IPv4 + IPv6 and a local DNS (pihole) server. I ran through the advanced configuration and my clients are successfully tunneling through IPv4, but it seems there is no IPv6 access through the tunnel. Is this a bug or am I misconfiguring something?

 

My config is almost all default settings:

kS4aPXd.png

Edited by bearattack
Link to comment

I struggled getting this working, all of the settings looked good and I tried various fixes but just couldn't get that initial handshake. It ended up being super easy (of course). In my Port Forwarding rule I had it set to use TCP instead of UDP. I switched it to UDP and that fixed it. Of course the instruction to use UDP is right there on the config page but I just didn't pay enough attention. But maybe someone else will struggle and come here and this will help them.

Link to comment
14 hours ago, bearattack said:

but it seems there is no IPv6 access

The WG configuration looks okay. For IPv6 to work, everything in your network environment needs to understand IPv6 and be set up properly. Start your investigation there, and no, it is not a bug. IPv6 with WireGuard does work.

Link to comment

So I've been having an issue that, with my novice experience, I don't know where to turn with. My Unraid box is remote to me, hosted at a buddy's place, so I've been transferring files to and from the server via SMB over Wireguard. Started using Wireguard with Unraid 6.8, but suddenly started having issues and still having issues into 6.9. I've been having SMB file transfer issues where the speed will suddenly drop to 0 and eventually drops out completely. This appears to only happen when I upload to the server, and not while downloading from the server. I have tried file transfers over OpenVPN and have not experienced the same issues. Both my location and the remote location have gigabit fiber, so the speed difference between Wireguard and OpenVPN is quite significant.

 

Running iperf3 over OpenVPN, I am getting speeds of around 200-300 mbps downloading from the server and 300-400 mbps uploading to the server. Running iperf3 over Wireguard, I am getting speeds of around 500-700 mbps downloading and uploading to and from the server.

 

File transfer speeds on Windows 10 can start off at about 60 MB/s up to around 90 MB/s, but will suddenly tumble down to around 2 MB/s, and then eventually just ~200 KB/s to 0. I don't exactly know what is causing these SMB dropouts, or what had changed. I do know that I have not changed the Wireguard config, and the transfers were rock solid before, but are no longer. There are no SMB dropouts with OpenVPN. I've also tried reinstalling Wireguard server from Unraid and reinstalling the Wireguard client from my Windows 10 tower and laptop, but the same issues persist. I've also tried transfers to shares that bypass the cache drive, same issues.

Link to comment

I updated today to the version 2021.04.12 and I don't get any handshake at all with all the peers I created. Anybody experiencing the same problem as me?

 

Update: I asked a friend of mine and he has the same problem. Must be some kind of bug. Is there a way to get back to the previous version?

Edited by hundsboog
Link to comment
1 hour ago, hundsboog said:

I updated today to the version 2021.04.12 and I don't get any handshake at all with all the peers I created. Anybody experiencing the same problem as me?

Everything is still working for me.

 

As a test I also recreated the configs and uploaded to my peers, all fine and working.

 

Version 2021.04.12 corrects language translation support, not directly related to WireGuard itself.

 

Switch to advanced mode and use the PING button to test reachability to the peer

(in my example I have both IPv4 and IPv6, but same principle with IPv4 only)

 

[two screenshots]

Edited by bonienl
Link to comment
34 minutes ago, bonienl said:

Everything is still working for me.

 

As a test I also recreated the configs and uploaded to my peers, all fine and working.

 

Version 2021.04.12 corrects language translation support, not directly related to WireGuard itself.

 

Hi and thank you for your fast answer, @bonienl

 

Update: the German open source dyndns provider "ddnss.de" is down. Well, that has happened only one time in the last 8 years and accidentally fell together with when I updated the plugin. My bad, I just checked their homepage, where nothing says that their service is down, so I checked by pinging my dyndns address in the console of my Linux machine.

Edited by hundsboog
sillyness
Link to comment

With so many peers failing at the same time, I would first check the router.

Is port forwarding still correct on the router? Perhaps your Unraid server got a different IP address which breaks forwarding.

Perhaps your router is using UPnP and lost the forwarding entries?

 

Link to comment

Dual-homed Unraid NAS (version 6.9.2) with WireGuard (plugin version 2021.04.12) tunnels on each of the two Ethernet adapters?

 

I have an Unraid NAS with two Ethernet adapters.  One adapter connects to a Verizon FIOS residential network segment (192.168.1.0/24) and the other connects to a Cox Business Services network segment (192.168.0.0/24).  

 

I would like to have WireGuard VPN tunnels on both of the Unraid NAS Ethernet adapters so that I can remotely tunnel  in on either network connection (think failure of a router, firewall, cable modem, ONT, etc.).  

 

I can't see a way to bind tunnel wg0 to eth 0 and tunnel wg1 to eth 1.  It appears that the WireGuard plugin attaches any tunnel created to the Ethernet adapter attached to the gateway with the lower metric. 

 

If a VPN tunnel is established on the Cox Business Services Ethernet adapter (eth 0), I want WireGuard to use the Cox gateway associated with that adapter.  If it comes in on the Verizon side, I want the Verizon gateway used.

 

Thanks in advance for any assistance.  

Link to comment

Hi - can anyone (maybe @bonienl/ @ljm42 ?) help or tell me if there is a PIA config file? At this point ALL I want is ALL the traffic to go through PIA.

a.k.a. "VPN Tunneled Access"

I had it working fine with the "Remote Access to LAN" and now I want to change it.

Any and all help will be greatly appreciated!

Thanks!

 

PS. If there is a better option for a VPN provider, I'm all ears for that too!

Edited by TechMed
PS note
Link to comment
On 4/16/2021 at 1:20 PM, Sissy said:

Dual-homed Unraid NAS (version 6.9.2) with WireGuard (plugin version 2021.04.12) tunnels on each of the two Ethernet adapters?

 

I have an Unraid NAS with two Ethernet adapters.  One adapter connects to a Verizon FIOS residential network segment (192.168.1.0/24) and the other connects to a Cox Business Services network segment (192.168.0.0/24).  

 

I would like to have WireGuard VPN tunnels on both of the Unraid NAS Ethernet adapters so that I can remotely tunnel  in on either network connection (think failure of a router, firewall, cable modem, ONT, etc.).  

 

I can't see a way to bind tunnel wg0 to eth 0 and tunnel wg1 to eth 1.  It appears that the WireGuard plugin attaches any tunnel created to the Ethernet adapter attached to the gateway with the lower metric. 

 

If a VPN tunnel is established on the Cox Business Services Ethernet adapter (eth 0), I want WireGuard to use the Cox gateway associated with that adapter.  If it comes in on the Verizon side, I want the Verizon gateway used.

 

Thanks in advance for any assistance.  

Ping.  Anyone?

Link to comment
33 minutes ago, TechMed said:

 Thank you @ljm42, I did read extensively here to try to find a good solution.

Might I ask which provider you use?

Maybe @bonienl as well?

PIA does not work, so I am looking for a new provider that truly works.

 

Thanks!!!

 

We have a thread specifically to discuss VPN Tunneled Access because it is quite different than all of the other modes:

https://forums.unraid.net/topic/84316-wireguard-vpn-tunneled-access-to-a-commercial-vpn-provider/
I do not use it regularly, just for the initial tests.

 

Link to comment
  • 2 weeks later...

Hello everyone,

 

I have 2 NICs on my mainboard, currently working as bond0 with adaptive load balancing.

 

Is it possible to run the Wireguard VPN (unraid server as client) at eth0 and the "normal" local ethernet / internet at eth1?

 

I imported a working config file from my phone and my Unraid server connected to the WG server.

 

(The Wireguard server is at my mom's house and my backups should go there with rsync / rclone)

 

Thanks!

 

Link to comment
