Dynamix WireGuard VPN


bonienl

Recommended Posts

On 9/23/2021 at 2:51 PM, writablevulture said:

I have this working and I am pleased with it.

 

However, I am using Cloudflare with Nginx Proxy Manager to provide reverse proxy access to various services on my Unraid box without having to open ports for each of them in my router.

Is is possible to do the same with WireGuard so I can avoid forwarding its port in my router? Is this even desirable and would it give me any additional security?

 

Thanks!

 

To answer my own question see WireGuard quickstart. WireGuard doesn't seem to work with proxied connections.

Quote

If you are using Cloudflare for DDNS, be sure to configure the Cloudflare "Proxy status" to "DNS only" and not "Proxied".

 

  • Like 1
Link to comment
On 9/24/2021 at 3:08 PM, nomadhawk said:

I have a weird problem I have noticed about the plugin. when the server reboots I have to regen the key and redo the config to get it to connect again. it is odd. 

I can confirm that this happens to me too.

Every time the server gets rebooted I have to change the Peer Type setting and change it back again to make it work. I guess any change to the config fixes the problem. I don't have to reload the config on the client so it seems to be server side problem only.

Link to comment
On 9/24/2021 at 6:08 AM, nomadhawk said:

I have a weird problem I have noticed about the plugin. when the server reboots I have to regen the key and redo the config to get it to connect again. it is odd. 

 

4 hours ago, Celmar said:

I can confirm that this happens to me too.

Every time the server gets rebooted I have to change the Peer Type setting and change it back again to make it work. I guess any change to the config fixes the problem. I don't have to reload the config on the client so it seems to be server side problem only.

 

That is odd, can you post your diagnostics

 

Also, open a webterminal and type:

ls -al /etc/wireguard

then paste the results here. It should show that /etc/wireguard is loading from /boot/config/wireguard/

Link to comment
  • 2 weeks later...

Excuse me. I don't want to sound ignorant as i didn't read the whole thread. I just searched a bit through. But i can not find any hint about what to do with the routing when i have a router which isn't able to do custom routes. So i can not set up the static route which is needed for Wireguard to be fully functional and even the Docker container are reachable through Wireguard. The biggest bummer is that my DNS is a Docker container so when i'm connected to Wireguard i have no DNS etc. which is a big problem at the moment. Any suggestions?

Link to comment

Clearly not the best way. Should have noted that it is not a 100% DNS. It is just the dnsmasq from my Pihole Docker. But it is really annoying to loose any local "DNS-like" resolver if my homelab is build around this blabla.local domain. 

Other wise if i loose my Pihole Docker i not only loose my internal i also loose my resolver for the whole internet at home.

So my choice was just let Pihole run on a pi without any UPS and other thigs like automated backups etc. or let it run as a docker on my unraid. Which imho is the better choice of those two.

But again, the internal dnsmasq resolving of my "whatever".local domain is not working when connected to Wireguard. So what to do?

Go the only other way and set up the Pihole on a Pi again and loose all the benefits i get when i host Pihole as a Docker.

Is this really the only way?

Maybe i should learn to et up a Pihole cluster made of two Pi or something like that...

Edited by screwbox
Link to comment
  • 3 weeks later...

Hi,

 

I currently have a Deco M5 Router and Wireguard set up. I was running a few of my docker containers for awhile in bridge mode on the different ports of my Unraid server, but due to restructuring everything I set up custom networks and each of my docker container has its own set of IPs now.

 

Once I moved them over to their own IPs I was no longer able to access them once connected to my Wireguard VPN on any other device. After doing a bunch of digging I found the settings in the settings that say "Remark: docker containers on custom networks need static routing 10.253.0.0/24 to 192.168.68.114". My issue however is that my Router, Deco M5 doesn't support static routing and it has been a feature that has been asked for over a year but nothing has happened.

 

Is there any other way around this so I can access my LAN when connected remotely through WireGuard?

 

From https://forums.unraid.net/topic/84226-wireguard-quickstart/

With "Use NAT" = No and "Host access to custom networks" = enabled and static route 

 

  • server and dockers on bridge/host - accessible!
  • VMs and other systems on LAN - accessible!
  • dockers with custom IP - accessible!
  • (woohoo! the recommended setup for complex networks)

This seems to be the only one that allows for docker with custom IP but if I can't set a static route what should I do?

 

Thank you!

Edited by 97WaterPolo
Link to comment
  • 2 weeks later...

Hello, I have an issue that suddenly cropped up with zero changes to config on the Unraid 6.9.2 server and Windows 10 clients, but now results in SMB file transfers starting off fast, then drops off a cliff to 0 and eventually fails. I am remotely connecting to my server. The host for the server and my location is both on the same gigabit fiber ISP, and there had been no issues noticed in the last at least 6 months of using with many large file transfers per day. Previously, downloads from the server at >90MB/s, uploads to the server at >40MB/s (slower but stable, I never configured anything to throttle it, but it was always stable so I didn't think twice about it). Now the downloads are the same, but uploads peak at >90MB/s, but is unstable and risks dropping to 0 and failing. Downloads never seem to fail. I have tested this on both my Windows 10 desktop and my laptop via ethernet and wifi, same result. Nothing would have changed on the routers at both locations, as I am in control on both ends. Alternatively, I have tried using my OpenVPN docker for SMB file transfers, and that has been rock steady, but significantly slower than Wireguard (about 30% the peak speed of Wireguard). Any advice?

Link to comment
  • 3 weeks later...

Has anyone successfully gotten this to allow them to access VLANs that are setup outside of Unraid and on a separate firewall/router (e.g. pfSense)?

 

I can't seem to figure it out, and have had no luck searching.

 

My pfSense firewall/router setup:

    - LAN: 10.100.1.0/24
    - VLAN1: 10.100.10.0/24
    - VLAN2: 10.100.20.0/24
    
My Unraid box is on LAN with an IP of 10.100.1.3. I can ping devices on both VLANs from a terminal session in Unraid successfully.

 

I have also added the subnet 10.100.0.0/16 to my "Allowed IPs" list on my VPN devices.

 

I tried manually adding routes in Unraid for both VLANs on br0, and this got my pings to the VLANs from my VPN devices to respond with "destination host unreachable", instead of just timing out. However, it broke my ability to ping anything on the VLANs directly from an Unraid terminal session.

 

So, I think I might be on the right track, and that my issue is with routing, but I can't seem to figure out what I need to do to fix it. It would save me from having to change all of my VPN stuff over to pfSense, which I'm planning on doing if I can't get this to work.

Link to comment
On 11/10/2021 at 3:36 AM, bonienl said:

Unraid version 6.10 has WireGuard support natively built-in, the plugin is no longer required.

For confirmation, does this mean we should uninstall the plugin if we're running 6.10?

 

If so, does Fix Common Problems flag that?

 

I'm currently on 6.9.2, so I'm oblivious to any changes that may be coming. Sorry, don't keep up with the coming change log as maybe I should.

Link to comment
15 minutes ago, FreeMan said:

For confirmation, does this mean we should uninstall the plugin if we're running 6.10?

 

If so, does Fix Common Problems flag that?

 

I'm currently on 6.9.2, so I'm oblivious to any changes that may be coming. Sorry, don't keep up with the coming change log as maybe I should.

 

  • Thanks 1
Link to comment
  • 4 weeks later...

I installed the plugin, and when enabled, I can't even ping my UNRAID server on my local LAN. I can connect no problem, but when I am connected through my phone's data connection I can neither ping any local resources, nor access the Internet. I've tried uninstalling/reinstalling, and watched over a dozen different videos, and I'm pretty sure I've ran through just about every guide there is.

 

Router: 10.0.0.1 (TP Link ER-6120)

Unraid: 10.0.0.100

Internal LAN: 10.0.0.0/24

WireGuard LAN: 10.253.0.0/24

Public IP: myhost.duckdns.org (resolving properly)

NAT: Tried with NAT and without NAT (static route)

 

Please see the photos below:

t8GCZx7.png

 

fNEAId2.png

 

I even tried widening the suggest /24 subnet mask to a /16. Is there something incredibly silly that I am missing? 

 

$ ip route (UNRAID)

 

c98MFwe.png

 

Traceroute/Ping from 10.0.0.100 -> 10.253.0.1 complete without issue

Link to comment
  • 2 weeks later...

Hello, maybe my question is a stupid one but I got confused. My goal is to use a VPN commercial service to protect the outgoing traffic of some of my docker containers. I can't understand if the best way to accomplish it is using the built-in wireguard functions or use a docker container and route the traffic through it. Thank you in advance. 

Link to comment
  • 3 weeks later...
On 6/1/2021 at 3:07 AM, INTEL said:

Hi people.

I have a wierd problem with wireguard.

I just started my 5th unraid server (and therefor 5th wireguard setup). So it's a clean unraid install, only wireguard plugin installed.

I have forwarded port 51820 to my unraid server IP, and no matter what I do, I cannot access my server from outside. Looks like wireguard isn't working.

When adding a peer (remote access to lan) I get popup:

Peer update required
List of peers
wg0: peer 1 (test)
wg0: peer 2 (no name)

 

My port forwards are correct, other apps are working fine. I created openvpn on my router (Mikrotik) and it's working fine, but I would love to have wireguard as I'm using in on all my other servers.

Is there something I can do, check, anything realy?

 

I'm strugling with this for the last 5 days, eaven tryed replacing router ( I had edgerouter X, now Mikrotik)

I would appritiate any help - suggestion.

Thank you

 

I just encountered this problem today and haven't found a fix.  My existing peers work just fine, but when I add a new peer I get this error.

Link to comment
On 6/1/2021 at 2:07 AM, INTEL said:

Hi people.

I have a wierd problem with wireguard.

I just started my 5th unraid server (and therefor 5th wireguard setup). So it's a clean unraid install, only wireguard plugin installed.

I have forwarded port 51820 to my unraid server IP, and no matter what I do, I cannot access my server from outside. Looks like wireguard isn't working.

When adding a peer (remote access to lan) I get popup:

Peer update required
List of peers
wg0: peer 1 (test)
wg0: peer 2 (no name)

 

My port forwards are correct, other apps are working fine. I created openvpn on my router (Mikrotik) and it's working fine, but I would love to have wireguard as I'm using in on all my other servers.

Is there something I can do, check, anything realy?

 

I'm strugling with this for the last 5 days, eaven tryed replacing router ( I had edgerouter X, now Mikrotik)

I would appritiate any help - suggestion.

Thank you

 

I am also getting this.  Did you ever find a solution?

Link to comment
  • 3 weeks later...

Once again, I fear I am out of my depth.  However, maybe you can help me to configure WIreguard as I need. I have followed some of the tutorials, and I can connect without issue. But I have some limitations that I think amount to my configuration abilities.

 

My goal is use my personal laptop while at work use Wireguard via my Unraid server. I would like to be able to use my laptop as if I was on my local LAN (my NAT/Router is a GoogleWifi/Nest. I previously had success with OpenVPN-AS docker. But I am less successful after starting with Wireguard. In particular, my local SMB shares, and access to locally hosted sites, such as a different Unraid installation (a different one that is not hosting Wireguard). Of course, also sending all web traffic through my home network as well.

 

For starters, I can successfully connect from my workplace with wireguard both with my cellphone (Android) and my laptop (window11).  My router has UDP 51820 forward to the Unraid Server with the Wireguard installation.

 

Perhaps I just don't understand the correct use case of some of the options/setting.

 

From watching a number of videos and the info graphic, I think I am correctly setting PEER TYPE OF ACCESS to "remote tunneled access".

 

My internal network is using 192.168.86.x if that helps.

 

As a for instance, when I am connect on my laptop from work, I cannot see any of my SMB network shares.  Also, my Plex server (running on the same machine as Wireguard) seems to be very flaky.  Sometimes working, sometimes not.  I cannot make a secure connection to my PlexServer without Wireguard.

 

Sorry if I am babbling.  Here are some pics of the Wireguard settings.

 

Wireguard.thumb.png.b45605036e8bbf139f0f7692eb667f78.pngWireguardPeer.thumb.PNG.daf23e0f7dd4ce9d3219ddeba689a9c5.PNG

Link to comment

My USB flash drive got corrupted, I restored backup on a new flash drive but my WireGuard won't Activate. Slider goes to off position when I click done or refresh the page.
Running command wg-quick up wg0

gives me:

Error: Unknown device type.
Unable to access interface: Protocol not supported
[#] ip link delete dev wg0
Cannot find device "wg0"

 

Any ideas?

Link to comment
  • 2 weeks later...

Good afternoon!

I want to implement a somewhat complicated scheme that is beyond my understanding. 

185027735_Screen2022-03-05at13_52_36.thumb.png.9e81e852809cdc3633ae216c43c976ed.png

I drew it in this picture (above). 


I have: 
1)Home network (green) with an unraid server, several devices on the LAN (pictured as laptops, although they are other servers and a bit IoT, lol) and a router that they are all connected to. 

2)A server on a hosted VPS (yellow) outside my city and country, which is used to protect traffic from mobile devices (red) that can (and constantly do) end up on untrusted networks. 
3)Mobile devices (which I mentioned above) (red) - laptop, phone, tablet that access the internet via guest wifi or mobile network. 
4)And external internet resources (blue) - any websites. I drew google there, but it's not necessarily him. These are all things I access through my ISP. 

 

Now I want to configure the VPN on Unraid so that the traffic flows like this:

223789532_Screen2022-03-05at13_58_50.thumb.png.78a475f591d7d7704efdc673fc0d1e0d.png

 

The mobile devices still access the Internet via a VPN that is on an external server. But at the same time, they access the home network 192.186.88.0/24, the server and the local devices. 

To do this, I need to make a connection where the server on the UNRAID connects to the front-end server via wireguard. (Or vice versa, the external server connects to unraid (it has a white address)).

 

But I don't understand how I can set up a connection through the Unraid GUI that would connect it as a client to an external server. I see the server-to-server and lan-to-lan options, but I always get "Data received: 0 B Data sent: 35.5 KB Last handshake: not received" when I try to enter the standard wg client credentials generated on the external server there. I haven't found any documentation about these functions, google didn't help.  Please help me.

 

Link to comment
  • 3 weeks later...

Has anyone else experienced almost unusable speeds with the Wireguard VPN? I'm not exaggerating when I say my connection drops to about 1% of my home network speed. 

 

PC home network, no VPN:, Google speed test: 

TwoUA6z.png

 

As soon as I enabled the Wireguard VPN, Same PC, Same speed test: 

LaazveQ.png

 

 

I don't understand what would cause this considering there is little in terms of configuration to make this work. 

Link to comment
On 9/22/2021 at 5:21 AM, ax77 said:

I've set up wireguard for a complex network but I'm unable to access my shinobicctv docker that is on a vlan.  The vlan has a subnet of 10.5.20.0/24.  I'm able to ping and tracert all ip addresses on the vlan through wireguard but can't access them via webgui.  I can access the router at 10.5.20.1 tough.  Any ideas?

@ax77 Hi ax77, i have the same problem as yours, everything works find except accessing to docker container's WebUI with customed ip (even i can ping it), so do you solve it now? would you mind sharing the way to solve it? Thanks.

Edited by JackieWu
Link to comment

Join the conversation

You can post now and register later. If you have an account, sign in now to post with your account.
Note: Your post will require moderator approval before it will be visible.

Guest
Reply to this topic...

×   Pasted as rich text.   Restore formatting

  Only 75 emoji are allowed.

×   Your link has been automatically embedded.   Display as a link instead

×   Your previous content has been restored.   Clear editor

×   You cannot paste images directly. Upload or insert images from URL.