Skip to content
View in the app

A better way to browse. Learn more.

Unraid

A full-screen app on your home screen with push notifications, badges and more.

To install this app on iOS and iPadOS
  1. Tap the Share icon in Safari
  2. Scroll the menu and tap Add to Home Screen.
  3. Tap Add in the top-right corner.
To install this app on Android
  1. Tap the 3-dot menu (⋮) in the top-right corner of the browser.
  2. Tap Add to Home screen or Install app.
  3. Confirm by tapping Install.

WireGuard - VPN Tunneled Access to a commercial VPN provider

Featured Replies

  • Author
On 3/12/2020 at 1:39 PM, sittingmongoose said:

I have wireguard working well.  I can connect to my unraid network, and access things like my router on that network.  I set it up for Remote Access to LAN.  HOWEVER, I cant access other computers on that network?  Like in windows, if I try to see network devices, I cant see my unraid server on there.  But I can see my local NAS and other devices.  AND when I am physically on my Unraid network, I can see the Unraid server in network devices.

It is unlikely that network discovery will work over the VPN connection, but you should be able to connect via IP address. 

 

The WireGuard quickstart thread is a better place for this conversation:
  https://forums.unraid.net/topic/84226-wireguard-quickstart/ 

Currently you are in the thread that discusses making a connection to a commercial VPN provider.

 

  • Replies 249
  • Views 179.9k
  • Created
  • Last Reply

Top Posters In This Topic

Most Popular Posts

  • I also have this problem with Surfshark. Edit: I fixed it I googled for a while and figured out that this was an MTU issue. My rough understanding (correct me if I'm wrong) is that the VPN

  • Carlos Talbot
    Carlos Talbot

    Has anyone figured out how to route only a subset of docker containers through the VPN? This seems to be of interest for many of us but I haven't seen a step by step guide on how it would be implement

  • I've created a fork of the PIA scripts to simplify the install process on unRaid, it's still not as simple as importing a configuration, but the scripts now generate a file following the "wg#.conf" co

Posted Images

I guess I'm a little confused. By using the VPN Tunneled method, how do I set which dockers should use the VPN? There isn't a port number as far as I can tell, and I don't want every docker or the full Unraid server to be on the VPN.

  • Author
4 hours ago, thunderclap said:

I guess I'm a little confused. By using the VPN Tunneled method, how do I set which dockers should use the VPN? There isn't a port number as far as I can tell, and I don't want every docker or the full Unraid server to be on the VPN.

From the OP:

Quote

 

Now ALL of your Unraid traffic will go through the commercial VPN tunnel.  

  • In the future it may be possible to restrict it so that only specific Dockers use the VPN tunnel.  Until then, you may need to disable the tunnel in order to check for plugin updates or perform other Unraid administrative tasks.

 

 

  • 4 months later...

Hi,

 

running 6.8.3 and recently went into Settings/VPN-Manager. I have a WG0 Tunnel already but i created WG1 out of curiosity....

The problem is that i cannot delete WG1 because the button to delete is not in the GUI for WG1 but it there for WG0.

Thanks, hopefully this can be fixed.

 

  • Author
On 8/11/2020 at 7:49 AM, xPliZit_xs said:

Hi,

 

running 6.8.3 and recently went into Settings/VPN-Manager. I have a WG0 Tunnel already but i created WG1 out of curiosity....

The problem is that i cannot delete WG1 because the button to delete is not in the GUI for WG1 but it there for WG0.

Thanks, hopefully this can be fixed.

 

Switch wg1 from basic to advanced, then the delete button for wg1 will appear.

Great that worked. Thanks!

Hi. I’ve got wireguard VPN to work and tested with a docker in Unraid. But, how do I get a VM to use the same VPN connection? Windows VM uses br0 which goes straight out to LAN. Also what happens if the VPN goes down? I’m hoping it kills all net connection. 
 

Thanks

Phil. 

On 1/8/2020 at 9:04 PM, Monkeysphere said:

Hi,

How do I go about adding the above to my Wireguard config? Same question with a killswitch. I'm using Mullvad which provides a killswitch in their config file but when I import the config the parser removes it.

 

The Mulvad config looks like this


[Interface]
PrivateKey = -hidden-
Address = 10.64.246.232/32,fc00:bbbb:bbbb:bb01::1:f6e7/128
DNS = 193.138.218.74
PostUp = iptables -I OUTPUT ! -o %i -m mark ! --mark $(wg show %i fwmark) -m addrtype ! --dst-type LOCAL -j REJECT && ip6tables -I OUTPUT ! -o %i -m mark ! --mark $(wg show %i fwmark) -m addrtype ! --dst-type LOCAL -j REJECT
PreDown = iptables -D OUTPUT ! -o %i -m mark ! --mark $(wg show %i fwmark) -m addrtype ! --dst-type LOCAL -j REJECT && ip6tables -D OUTPUT ! -o %i -m mark ! --mark $(wg show %i fwmark) -m addrtype ! --dst-type LOCAL -j REJECT

[Peer]
PublicKey = -hidden-
AllowedIPs = 0.0.0.0/0,::0/0
Endpoint = 103.231.88.2:51820

Once imported it looks like this


[Interface]
PrivateKey= -hidden-
Address=10.64.246.232
PostUp=logger -t wireguard 'Tunnel WireGuard-wg0 started'
PostDown=logger -t wireguard 'Tunnel WireGuard-wg0 stopped'

[Peer]
PublicKey= -hidden-
Endpoint=103.231.88.2:51820
AllowedIPs=0.0.0.0/0,::0/0

Also note that unless I manually remove ,::0/0 from the allowed IPs the tunnel will not connect

Piggybacking on this. I am having the same exact issue with mullvad. It will start if I remove ,::0/0. This will forward all ipv4 connections but leaves all ipv6 exposed. This isn't an issue while running in the bridge network but for containers using the host container they will still use ipv6. Is there going to be a patch that allows us to forward both ipv4 and ipv6 soon?

I'm also using Mullvad and running into the same issue as Monkeysphere and notcarl

 

I also had a question, is it possible to have "Remote tunneled access" and "VPN tunneled access" at the same time? i always want my unraid box to connect to the internet via my VPN but i also wanna be able to connect to my LAN remotely, and also take advantage of the VPN.

Is this possible?

 

the "Remark: this must be the only peer in the tunnel and sole active tunnel when in use" on VPN tunneled access seem to indicate this is currently not possible, but would it be feasible to implement?

  • 1 month later...

im coming here because of:

 

Quote

Now ALL of your Unraid traffic will go through the commercial VPN tunnel.  

In the future it may be possible to restrict it so that only specific Dockers use the VPN tunnel.  Until then, you may need to disable the tunnel in order to check for plugin updates or perform other Unraid administrative tasks.

 

you can disable the full routing by adding 

Table = off

to the [Interface] Section!

 

Credits to https://shibumi.dev/posts/disable-routing-for-wireguard/

 

i deleted my tunnel, edited the conf file by adding the "Table=off" statement and import again.

 

Now i have a persistent Tunnel to my VPS, and can access this tunnel by selecting the interface like this:
 

# got my isp ip
curl ipinfo.io/ip 

# got my vps ip
curl --interface wg1 ipinfo.io/ip

 

  • 5 weeks later...
On 9/24/2020 at 3:06 PM, leo_poldX said:

im coming here because of:

 

 

you can disable the full routing by adding 


Table = off

to the [Interface] Section!

 

Credits to https://shibumi.dev/posts/disable-routing-for-wireguard/

 

i deleted my tunnel, edited the conf file by adding the "Table=off" statement and import again.

 

Now i have a persistent Tunnel to my VPS, and can access this tunnel by selecting the interface like this:
 


# got my isp ip
curl ipinfo.io/ip 

# got my vps ip
curl --interface wg1 ipinfo.io/ip

 

Can you use the “—interface wg1” in a docker to only route that docker trough the tunnel?

Is it possible to use Mullvad as a relay to connect to my server at work?

 

I have an unRAID server at my office at University of Copenhagen - I do not have access to the University router.

I have setup a 'VPN tunneled access' to Mullvad.

I works fine - I have installed the Firefox container and testet that I am connected the to Internet through Mullvad.

 

I have installed the Mullvad VPN on a Windows 10 laptop.

From the laptop I can connect to the same Mullvad server as the unRAID server at work is connected to.

 

From the laptop connected to Mullvad I have tried to connect to my server at work. Tried to ping the server local static address - Tried to ping the server tunnel ip etc. but there is no connection.

 

Is there a trick to make this work - maybe some port setup at Mullvad or maybe with another 'Peer type of access' on the server?

  • 2 months later...

These may be entry-level type of questions but I'm looking into learning a thing or two here, please bear with me :D

 

  • I want to tunnel into my unraid on my mobile device with WG setup from the other topic AND have my traffic routed through my commercial VPN account (TorGuard -- which also supports WG). By following this topic (hence Now ALL of your Unraid traffic will go through the commercial VPN tunnel.), and setting peer type of access to Remote tunneled access, does it mean that all traffic from my mobile will be guarded by Torguard?
  •  Is there any real difference from this method and the method of using the "-vpn" docker types from CA to protect my traffic? (aside of course from this tutorial not being a VPN protocol but WG protocol) -- I ask because I use most "-vpn" docker containers and those unavailable with native VPN I just use that privoxy --net=container:qbittorrent-vpn argument, and setting up the WG from this topic seems like a much easier setup than to configure every last container either as VPN or privoxy

Thanks, any support is really appreciated :)

Edited by timmyx

  • 3 weeks later...

I managed to install Mullvad as a VPN on unraid. But is there any way now to remotely connect to unraid server? as now everything goes through mullvad

  • 2 weeks later...
On 2/4/2021 at 4:09 AM, Bullerwins said:

I managed to install Mullvad as a VPN on unraid. But is there any way now to remotely connect to unraid server? as now everything goes through mullvad

Having this same issue.  Any way around this?

I'm in the exact same situation as the previous two posters @Bullerwins and @intoran

Successfully set up a "VPN tunneled access" Wireguard connection with a Mullvad server, but no handshake occurs when I create a tunnel to access remotely. I also attempted to remove the Mullvad tunnel and ONLY add the remote access tunnel, and I was unable to handshake from the Wireguard app on my phone.

If both are not currently possible could someone please confirm? I'm a novice to Unraid but the forums are excellent for support, which is really appreciated. I currently am subscribed to AT&T fiber which supposedly does not support UPnP, but I think I have correctly forwarded ports. I am attempting to use ZeroTier instead but I don't have any luck when I try accessing a service. Please let me know if there is any information from me that would help, or if anyone has alternatives. Thank you!

Edit: I'm running Unraid 6.9.0-rc2, in order to use nvidia-drivers plugin

Edited by KidsTheseDays
Repeat sentences and more info

  • Author

Hopefully folks are able to see this message in the webgui when setting up VPN tunneled access? 

image.png
 

Things won't work right if you start a second tunnel while "VPN tunneled access" is active.

Thanks for the response ljm42!

 

I actually figured out the issue, which of course was a simple user-error on my part. I was trying to forward ports from my router, when I should have opened a port with my VPN who provides a random number that I entered into the "Local endpoint:" field as  "hostname.dynamicdns.org:55555" with 55555 as an example of the provided port. I then removed and updated the tunnel on my mobile device client and voila, handshake successful and active, even when the server is already tunneled to my VPN.

 

This is such an excellent feature. My Unraid trial is expiring soon and I am happy to support its further development.

 

Edit: To clarify, this was setting up a "Remote tunnel access" peer to access services and files on the server, while using a separate "VPN tunneled access" peer for the server's internet access.

Edited by KidsTheseDays
More info

On 2/24/2021 at 12:46 PM, KidsTheseDays said:

Thanks for the response ljm42!

 

I actually figured out the issue, which of course was a simple user-error on my part. I was trying to forward ports from my router, when I should have opened a port with my VPN who provides a random number that I entered into the "Local endpoint:" field as  "hostname.dynamicdns.org:55555" with 55555 as an example of the provided port. I then removed and updated the tunnel on my mobile device client and voila, handshake successful and active, even when the server is already tunneled to my VPN.

 

This is such an excellent feature. My Unraid trial is expiring soon and I am happy to support its further development.

 

Edit: To clarify, this was setting up a "Remote tunnel access" peer to access services and files on the server, while using a separate "VPN tunneled access" peer for the server's internet access.

Based on this I would be unable to achieve what I'm looking for since my VPN provider doesn't provide port forwarding.  At least for free.

  • 1 month later...

Dual-homed Unraid NAS (version 6.9.2) with WireGuard (plugin version 2021.04.12) tunnels on each of the two Ethernet adapters?

 

I have an Unraid NAS with two Ethernet adapters.  One adapter connects to a Verizon FIOS residential network segment (192.168.1.0/24) and the other connects to a Cox Business Services network segment (192.168.0.0/24).  

 

I would like to have WireGuard VPN tunnels on both of the Unraid NAS Ethernet adapters so that I can remotely tunnel  in on either network connection (think failure of a router, firewall, cable modem, ONT, etc.).  

 

I can't see a way to bind tunnel wg0 to eth 0 and tunnel wg1 to eth 1.  It appears that the WireGuard plugin attaches any tunnel created to the Ethernet adapter attached to the gateway with the lower metric. 

 

If a VPN tunnel is established on the Cox Business Services Ethernet adapter (eth 0), I want WireGuard to use the Cox gateway associated with that adapter.  If it comes in on the Verizon side, I want the Verizon gateway used.

 

Thanks in advance for any assistance.  

 

Edited by Sissy
Omitted a word due to an editing error.

  • Author
13 hours ago, Sissy said:

Dual-homed Unraid NAS (version 6.9.2) with WireGuard (plugin version 2021.04.12) tunnels on each of the two Ethernet adapters?

 

I have an Unraid NAS with two Ethernet adapters.  One adapter connects to a Verizon FIOS residential network segment (192.168.1.0/24) and the other connects to a Cox Business Services network segment (192.168.0.0/24).  

 

I would like to have WireGuard VPN tunnels on both of the Unraid NAS Ethernet adapters so that I can remotely tunnel  in on either network connection (think failure of a router, firewall, cable modem, ONT, etc.).  

 

I can't see a way to bind tunnel wg0 to eth 0 and tunnel wg1 to eth 1.  It appears that the WireGuard plugin attaches any tunnel created to the Ethernet adapter attached to the gateway with the lower metric. 

 

If a VPN tunnel is established on the Cox Business Services Ethernet adapter (eth 0), I want WireGuard to use the Cox gateway associated with that adapter.  If it comes in on the Verizon side, I want the Verizon gateway used.

 

Thanks in advance for any assistance.  

 

 

To clarify, you posted in the thread that explains how to connect to commercial VPN providers. Is that what you are trying to do? If you are trying to connect from outside your home into your Unraid system please post this question here:

 https://forums.unraid.net/topic/84229-dynamix-wireguard-vpn/

 

I don't know if the plugin supports your use case or not :) 

 

21 minutes ago, ljm42 said:

 

To clarify, you posted in the thread that explains how to connect to commercial VPN providers. Is that what you are trying to do?

 

Thank you.  Based on the title of the thread, "WIREGUARD - VPN TUNNELED ACCESS," it appeared to be about the topic I was interested in -- tunneled access to my networks via WireGuard.  I will repost my question at the link you provided.

 

  • ljm42 changed the title to WireGuard - VPN Tunneled Access to a commercial VPN provider
  • Author
2 hours ago, Sissy said:

Thank you.  Based on the title of the thread, "WIREGUARD - VPN TUNNELED ACCESS," it appeared to be about the topic I was interested in -- tunneled access to my networks via WireGuard.  I will repost my question at the link you provided.

Good point. "VPN Tunneled Access" is one of the options in the "Peer type of access" dropdown, so it made sense at the time :) I renamed the thread to make it more clear

Greetings - read every post here and found nothing regarding PIA. Since I have a good bit of time left with them I would really like to get it setup with them. However, I am open to other providers if there is more secure option!

 

Finally, @ljm42 posted:

On 2/22/2021 at 3:00 PM, ljm42 said:

Hopefully folks are able to see this message in the webgui when setting up VPN tunneled access? 

image.png
 

Things won't work right if you start a second tunnel while "VPN tunneled access" is active.

 

This may answer my second question. I am fine with all my traffic from this particular Unraid server (server01) going through PIA VPN. I would like to be able to remote IN to my LAN though. Do I just install WireGuard on another server (server02) for that Peer Connection? As always, all feedback/directions are greatly appreciated!

  • Author
On 4/16/2021 at 10:22 PM, TechMed said:

Greetings - read every post here and found nothing regarding PIA. Since I have a good bit of time left with them I would really like to get it setup with them. However, I am open to other providers if there is more secure option!

 

There shouldn't really need to be provider-specific instructions. If PIA lets you download a standard WireGuard config file then you should be able to import it as discussed in the first post of this thread. 

 

Note that if a provider requires you to use their own custom app rather than the standard WireGuard app, they won't work with Unraid as it uses the standard WireGuard app for linux.

 

If you can confirm that PIA works I'll add them to the list on the first post.

 

On 4/16/2021 at 10:22 PM, TechMed said:

I am fine with all my traffic from this particular Unraid server (server01) going through PIA VPN. I would like to be able to remote IN to my LAN though. Do I just install WireGuard on another server (server02) for that Peer Connection? 

 

That sounds reasonable

Join the conversation

You can post now and register later. If you have an account, sign in now to post with your account.
Note: Your post will require moderator approval before it will be visible.

Guest
Reply to this topic...

Account

Navigation

Search

Search

Configure browser push notifications

Chrome (Android)
  1. Tap the lock icon next to the address bar.
  2. Tap Permissions → Notifications.
  3. Adjust your preference.
Chrome (Desktop)
  1. Click the padlock icon in the address bar.
  2. Select Site settings.
  3. Find Notifications and adjust your preference.