Skip to content
View in the app

A better way to browse. Learn more.

Unraid

A full-screen app on your home screen with push notifications, badges and more.

To install this app on iOS and iPadOS
  1. Tap the Share icon in Safari
  2. Scroll the menu and tap Add to Home Screen.
  3. Tap Add in the top-right corner.
To install this app on Android
  1. Tap the 3-dot menu (⋮) in the top-right corner of the browser.
  2. Tap Add to Home screen or Install app.
  3. Confirm by tapping Install.

WireGuard - VPN Tunneled Access to a commercial VPN provider

Featured Replies

Note: this community guide is offered in the hope that it is helpful, but comes with no warranty/guarantee/etc. Follow at your own risk.

 

This guide explains how to make an outgoing WireGuard VPN connection to a commercial VPN provider. If you are trying to access your Unraid network from a remote location, see the original WireGuard quickstart guide.

 

 

Commerical VPN Providers

Several commercial VPN providers support WireGuard, a few are listed below. No endorsement is implied, you need to research and determine which one meets your needs. Comment below if you are aware of others:

 

Avoid these providers, they require a customized WireGuard client and will not work with Unraid:

  • TunSafe (this seems to require a custom WireGuard client now)
  • Nord (see this)
  • PIA (see this, although with a lot of extra work it is possible. This definitely falls outside of what could be considered supported though. Also see this.)

 

Note that with the current state of WireGuard, VPN providers cannot guarantee the same amount of privacy as they can with OpenVPN. See:

  https://restoreprivacy.com/wireguard/ 

Typically the objections are not around security, but around the fact that it is harder for them to guarantee that they cannot track you.

 

 

Configuring “VPN tunneled access for docker” (New in 6.10.0-rc5! For older versions see the next post)

  • Download a config file from your preferred commercial VPN provider

  • On the Settings -> VPN Manager page, click the "Import Config" button and select the file on your hard drive. This will create a new tunnel specific to this provider.

  • The “Peer type of access” will default to “VPN tunneled access for docker”. There are no settings to change, except perhaps to give it a local name. Click Apply.

  • Note: You do not need to forward any ports through your router for this type of connection

  • Change the Inactive slider to Active

  • Take note the name of this tunnel, it will be wg0 or wg1 or wg2, etc. You'll need this later when setting up your containers

  • Also note that any DNS setting the Commercial VPN provides is not imported. Open their config file and see if there is a "DNS" entry, make note of the server they provided, you will use it below. If they didn't provide one, you may want to use Google's at 8.8.8.8.

 

Testing the tunnel

  • Note: The "VPN tunneled access for docker" tunnel includes a kill switch - if the tunnel drops then any containers using that tunnel will lose access to the Internet. 

  • Important! Prior to Unraid 6.11.2, you must take care to start the WireGuard tunnel *before* the Docker container in order for the kill switch to work. If the docker container is started first, it will use the server's default Internet connection.  That is no longer an issue for tunnels created/updated after installing Unraid 6.11.2.
     

  • Using Community Applications, install a Firefox Docker container

  • When setting up the container, set the “Network Type” to “Custom: wg2” (or whatever the name of the tunnel was in the previous step)

  • Switch to Advanced view and add your preferred DNS provider to the "Extra Parameters". i.e.:
      --dns=8.8.8.8
    (if you don't set this, the container may leak your ISP's DNS server)

  • The rest of the defaults should be fine, apply the changes and start the container

  • Launch Firefox and visit https://whatismyipaddress.com/ you should see that your IP address is in the country you selected when you signed up with the provider

  • Also visit https://www.dnsleaktest.com/ and run a test, confirm that it only finds IPs related to the DNS provider you specified.

  • Feel free to add more containers to this same tunnel, or create multiple tunnels if desired.

  • Replies 249
  • Views 179.4k
  • Created
  • Last Reply

Top Posters In This Topic

Most Popular Posts

  • I also have this problem with Surfshark. Edit: I fixed it I googled for a while and figured out that this was an MTU issue. My rough understanding (correct me if I'm wrong) is that the VPN

  • Carlos Talbot
    Carlos Talbot

    Has anyone figured out how to route only a subset of docker containers through the VPN? This seems to be of interest for many of us but I haven't seen a step by step guide on how it would be implement

  • I've created a fork of the PIA scripts to simplify the install process on unRaid, it's still not as simple as importing a configuration, but the scripts now generate a file following the "wg#.conf" co

Posted Images

  • Author

Configuring “VPN tunneled access for system” (6.10.0-rc5 and later) or “VPN tunneled access” (6.10.0-rc4 and earlier)

  • Download a config file from your preferred commercial VPN provider
  • On the Settings -> VPN Manager page, click the "Import Config" button and select the file on your hard drive. This will create a new tunnel specific to this provider.
  • There are no settings to change, except perhaps to give it a name. Click Apply.
  • Note: You do not need to forward any ports through your router for this type of connection
  • Change the Inactive slider to Active
  • Now ALL of your Unraid traffic will go through the commercial VPN tunnel.  
    • You may need to disable the tunnel in order to check for plugin updates or perform other Unraid administrative tasks.
    • Since ALL traffic is routed through this tunnel, you cannot start a second tunnel while this one is enabled.
    • Note that currently Unraid will ignore any DNS server that is specified in the downloaded config file. Unraid's DNS should be set to something that will work whether the tunnel is up or down, such as 8.8.8.8 and 8.8.4.4

 

Testing the tunnel

  • Using Community Applications, install a Firefox Docker container
  • Accept all defaults
  • Launch Firefox and visit https://whatismyipaddress.com/ you should see that your IP address is in the country you selected when you signed up with the provider
  • 2 weeks later...

Hi guys,

 

Nordvpn was not mentioned up top. From what I'm seeing they are actively involved with WireGuard. Not sure if they are totally done testing.  From what they have developed to enable use with WireGuard I would personally trust them first. That's just my opinion. In all honesty not sure if any of this new development with WireGuard can be fully trusted right now. It does need people testing it to find out.

 

https://nordvpn.com/blog/nordlynx-protocol-wireguard/

  • Author
10 hours ago, Badboy said:

Nordvpn was not mentioned up top.

Am I wrong or does their implementation require you to use their NordLynx client? If so that won't work with the standard WireGuard client that we use. If you can provide a link that shows how to download a standard WireGuard config file, I'll link to that.

You are right, from the looks of it you have to use their NordLynx. I think at some point they may change this. I just thought it was interesting that they implemented additional security measures so it's usable to some Linux clients that want to try it.  As of now WireGuard will still have some security issues, which is understandable because it is still in development. Good to see a company like Nordvpn jump on board. It means the future looks bright for WireGuard.  Sorry, maybe a wasted post for this forum. I use Nordvpn myself so I just thought I would post the info.

TorGuard VPN also supports WireGuard: https://torguard.net/blog/what-is-wireguard-vpn/

 

Now if I could only figure out how to configure unraid to work with it, then I'd be golden. The steps above doesn't seem to work with TorGuard's import config by default unfortunately.

On 11/4/2019 at 8:24 PM, BoarAnt said:

TorGuard VPN also supports WireGuard: https://torguard.net/blog/what-is-wireguard-vpn/

 

Now if I could only figure out how to configure unraid to work with it, then I'd be golden. The steps above doesn't seem to work with TorGuard's import config by default unfortunately.

Yep, I am running into the same problem with TorGuard. Their config does not seem to work out-of-the-box.

  • Author
On 11/4/2019 at 5:24 PM, BoarAnt said:

TorGuard VPN also supports WireGuard: https://torguard.net/blog/what-is-wireguard-vpn/

 

Now if I could only figure out how to configure unraid to work with it, then I'd be golden. The steps above doesn't seem to work with TorGuard's import config by default unfortunately.

 

1 hour ago, Mantene said:

Yep, I am running into the same problem with TorGuard. Their config does not seem to work out-of-the-box.

 

Try getting a free config from TunSafe and comparing them to see what is different?

 

Also note the comment about DNS in the OP

So, here is a TunSafe config:

[Interface]
PrivateKey = ************************************
Address = 10.34.234.162/8
DNS = 1.1.1.1

[Peer]
PublicKey = ******************************************
Endpoint = 190.2.141.162:51840
AllowedIPs = 0.0.0.0/0
 

And here is the TorGuard config:

# TorGuard WireGuard Config
[Interface]
PrivateKey = *********************************************
ListenPort = 51820
DNS = 1.1.1.1
Address = 10.29.1.64/24

[Peer]
PublicKey = **************************************************
AllowedIPs = 0.0.0.0/0
Endpoint = 159.65.247.35:443
PersistentKeepalive = 25

 

 

So, what is going on? Any ideas? 

Remove the "ListenPort" in the TorGuard config, it is not needed/used because the peer will always initiate the connection.

Thank you!

Unfortunately, that did not solve the problem. When I try to turn it on the active/inactive switch just keeps flashing on and off really fast!

Did you create a new (WG1) tunnel for this connection?

In other words do not add this as another peer to an existing tunnel (WG0)

 

Set all other tunnels inactive when using VPN tunneled access

Edited by bonienl

importing a conf file automatically creates wg1. And I made sure wg0 was turned off before trying this.

3 hours ago, Mantene said:

When I try to turn it on the active/inactive switch just keeps flashing on and off really fast!

Disable UPnP, see advanced settings.

10 hours ago, bonienl said:

Disable UPnP, see advanced settings.

I disabled UPnP globally under Settings > Management Access, switched back to VPN Manager, got the popup message saying "UPnP stated changed to OFF", verified that the Tunnel's "Local gateway uses UPnP" setting is No, and tried to activate the tunnel... It's still alternating between active/inactive quickly. :'(

 

Any other ideas? :)

1 hour ago, BoarAnt said:

Any other ideas?

I made an update, please try again.

UPNP is off. I updated the plugin. I imported the TorGuard conf. It still doesn't work, though the active switch no longer flashes. It switches to Active, but once you reload the  page or navigate away and then go back to vpn settings, it is off. Are there log files I can send you? Here is a screenshot of what the imported tunnel looks like.

 

torguard1.png

torguard2.png

I miss a couple of mandatory fields. These should be present in the config file generated by TorGuard

  1. Local private key - generated by TorGuard
  2. Peer public key - generated by TorGuard
  3. Peer endpoint - this is the URL of the TorGuard VPN access
  4. Peer allowed IPs - this should be 0.0.0.0/0

 

Here is a screenshot of my VPN connection

image.thumb.png.339df53fc7091cfcb8ab3401b575b71b.png

Edited by bonienl

As posted above, here is a comparison:

So, here is a TunSafe config:

[Interface]
PrivateKey = ************************************
Address = 10.34.234.162/8
DNS = 1.1.1.1

[Peer]
PublicKey = ******************************************
Endpoint = 190.2.141.162:51840
AllowedIPs = 0.0.0.0/0
 

And here is the TorGuard config:

# TorGuard WireGuard Config
[Interface]
PrivateKey = *********************************************
ListenPort = 51820
DNS = 1.1.1.1
Address = 10.29.1.64/24

[Peer]
PublicKey = **************************************************
AllowedIPs = 0.0.0.0/0
Endpoint = 159.65.247.35:443
PersistentKeepalive = 25

 

 

Oh, and I removed the ListenPort from the TorGuard conf before importing it.

Edited by Mantene

The config files look alright, but in your screenshots there are missing mandatory fields.

Did you remove those fields or they are not populated after importing the config file?

 

What happens when all fields are filled in (see also my screenshot)?

7 hours ago, bonienl said:

The config files look alright, but in your screenshots there are missing mandatory fields.

Did you remove those fields or they are not populated after importing the config file?

 

What happens when all fields are filled in (see also my screenshot)?

Ok. So I did some experimenting last night and got it to work. 

 

This did not work:

# TorGuard WireGuard Config
[Interface]
PrivateKey = *********************************************
DNS = 1.1.1.1
Address = 10.29.1.64/24

[Peer]
PublicKey = **************************************************
AllowedIPs = 0.0.0.0/0
Endpoint = 159.65.247.35:443
PersistentKeepalive = 25

 

This worked:

[Interface]
PrivateKey = *********************************************
DNS = 1.1.1.1
Address = 10.29.1.64/24

[Peer]
PublicKey = **************************************************

Endpoint = 159.65.247.35:443
AllowedIPs = 0.0.0.0/0

 

 

Why?

9 hours ago, bonienl said:

The config files look alright, but in your screenshots there are missing mandatory fields.

Did you remove those fields or they are not populated after importing the config file?

 

What happens when all fields are filled in (see also my screenshot)?

To answer your question, no, those fields are not populated during the config file import.

Following Mantene's suggestion, I also got it to work tonight by removing the comment at the top and removing any empty lines between the [Interface] and [Peer] entries.

 

Importing the original config untouched

----------------------------------------------------------------------------------

# TorGuard WireGuard Config

[Interface]

PrivateKey = yyyyyyyyyyyyyyyyyyyyyy

ListenPort = 51820

DNS = 1.1.1.1

Address = 10.29.1.55/24

 

[Peer]

PublicKey = xxxxxxxxxxxxxxxxxxxxx

AllowedIPs = 0.0.0.0/0

Endpoint = 111.111.111.111:443

PersistentKeepalive = 25

----------------------------------------------------------------------------------

would give me 4 sections total:

ss1.thumb.png.000c09f50ffdd349389859250fbe781c.png

 

whereas the more compact version

----------------------------------------------------------------------------------

[Interface]

PrivateKey = yyyyyyyyyyyyyyyyyyyyyy

ListenPort = 51820

DNS = 1.1.1.1

Address = 10.29.1.55/24

[Peer]

PublicKey = xxxxxxxxxxxxxxxxxxxxx

AllowedIPs = 0.0.0.0/0

Endpoint = 111.111.111.111:443

PersistentKeepalive = 25

----------------------------------------------------------------------------------

would give me 2 sections:

ss2.thumb.png.7c4e02020d0d7834efed3864e5af204d.png

 

The 2nd version was connecting fine, so I think it's just the import config parser that's messing up the setup.

 

Thanks.

Edited by BoarAnt

22 minutes ago, BoarAnt said:

The 2nd version was connecting fine, so I think it's just the import config parser that's messing up the setup.

Yes, you are right. The import parser went wrong on the comment statement(s).

I have made an update with the fix.

 

Thanks.

Join the conversation

You can post now and register later. If you have an account, sign in now to post with your account.
Note: Your post will require moderator approval before it will be visible.

Guest
Reply to this topic...

Account

Navigation

Search

Search

Configure browser push notifications

Chrome (Android)
  1. Tap the lock icon next to the address bar.
  2. Tap Permissions → Notifications.
  3. Adjust your preference.
Chrome (Desktop)
  1. Click the padlock icon in the address bar.
  2. Select Site settings.
  3. Find Notifications and adjust your preference.