Setting Up WireGuard® on Unraid


Recommended Posts

Hello all,

I have been having a tough time getting internet access with WireGuard.

My WireGuard setup is as follows:

[image: WG.png]

On my router I have a static route from the 10.253 network to the server IP. I also have port 51820 forwarded to the server.

When I turn on WireGuard, I can access everything on my 192.xxx.x.x network, but cannot access the internet at large.

Here's showing that I have access to the router, and that the traceroute stops at the router. Any help would be appreciated.

[image: CMDLN.png]

4 hours ago, Jobine said:

Question...

Everything works well with my iPhone on 5G or LTE.

If I'm on the hotel wifi, nothing works.

Any idea?

Thanks,

I've had that too at local pools and sporting centers while on their free WiFi. Seems to be them blocking outgoing connections on certain ports. I've had luck adding some different port mappings and switching between them, but it's a pain and normally I just revert back to my LTE.


How may I set up the built-in WireGuard VPN server feature so that my qBittorrent traffic goes through it and remains hidden from outside eyes? For the life of me I've been searching for weeks and can't find a clear answer :D thanks so much for any help!

On 1/26/2024 at 8:25 PM, axipher said:

I've had that too at local pools and sporting centers while on their free WiFi. Seems to be them blocking outgoing connections on certain ports. I've had luck adding some different port mappings and switching between them, but it's a pain and normally I just revert back to my LTE.

I'm doing the same thing, but at the cottage the LTE isn't working well, so I'd like to connect via wifi.

On 5/3/2024 at 1:01 PM, Jobine said:

I'm doing the same thing, but at the cottage the LTE isn't working well, so I'd like to connect via wifi.

Sorry for the delay, I hadn't been to the local pool in a month.

To give a tiny update: I have WireGuard on Unraid set up to use port 51821 as the main Local Endpoint port on my WAN IP address.

For testing, on my router, I have both external port 51821 forwarded to internal port 52821, AND external port 80 forwarded to internal port 52821.

I did the QR code based setup from the WireGuard app on my phone to install the profile and tested that to make sure it works. Then I edited the profile, changed the port from 51821 to 80, tried again while on LTE, and it worked.

Then at the pool, where most other ports I've tried seemingly get blocked, the VPN worked fine this time.

Now there are security concerns about using a well-known public port, so I chose to ensure that WireGuard in this case is only being used for DNS to my local Pi-hole for ad-blocking, and no network-level access or tunnel is actually in place. And on the majority of days where I don't need that specific VPN access, I leave that port forwarding rule disabled on my router.

I'm hoping someone else here can chime in and maybe offer a more elegant or safer solution. I'm not an IT expert, so I have no idea how safe the WireGuard endpoint port is being in the more common range of ports that attackers will typically try to go after.


Hello, I need some help.

I've been struggling for some time to make WireGuard work and I can't.

If I run WireGuard in Docker it works without problems.

It seems that the handshake is OK but unRAID does not send data.

Any help is appreciated.

Thank you

WireGuard log:

wg-quick up wg0
[#] ip link add wg0 type wireguard
[#] wg setconf wg0 /dev/fd/63
[#] ip -4 address add 10.253.0.1 dev wg0
[#] ip link set mtu 1420 up dev wg0
[#] ip -4 route add 10.253.0.2/32 dev wg0
[#] logger -t wireguard 'Tunnel WireGuard-wg0 started';/usr/local/emhttp/webGui/scripts/update_services
[#] iptables -t nat -A POSTROUTING -s 10.253.0.0/24 -o br0 -j MASQUERADE;iptables -t nat -A POSTROUTING -s 10.253.0.0/24 -o vhost0 -j MASQUERADE
[#] ip -4 route flush table 200
[#] ip -4 route add default via 10.253.0.1 dev wg0 table 200
[#] ip -4 route add 172.16.1.0/24 via 172.16.1.1 dev br0 table 200

wg-quick down wg0
[#] ip link delete dev wg0
[#] logger -t wireguard 'Tunnel WireGuard-wg0 stopped';/usr/local/emhttp/webGui/scripts/update_services
[#] iptables -t nat -D POSTROUTING -s 10.253.0.0/24 -o br0 -j MASQUERADE;iptables -t nat -D POSTROUTING -s 10.253.0.0/24 -o vhost0 -j MASQUERADE
[#] ip -4 route flush table 200
[#] ip -4 route add unreachable default table 200
[#] ip -4 route add 172.16.1.0/24 via 172.16.1.1 dev br0 table 200

Here is my configuration:

[image: 11 144012.png]

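A "handshake completes but no traffic flows" symptom like the one in the post above usually means one of the pieces the wg-quick log shows being put in place is not actually in effect on the host: IPv4 forwarding is off, the MASQUERADE rule for the tunnel subnet on the LAN bridge is missing, or the policy routing table the tunnel uses still holds the "unreachable default" left by a previous wg-quick down. The script below is an added example written for this thread, not code from the poster or from Unraid. It takes the subnet, interface and table number from the log above (10.253.0.0/24, br0, table 200) as assumptions, and the sample command outputs embedded in it are constructed so that the checks can be exercised without a live tunnel.

```shell
#!/bin/sh
# Added audit helper (not from the thread). Verifies the three conditions a
# WireGuard "server" on Unraid needs before tunnel clients get any traffic back:
#   1. net.ipv4.ip_forward = 1
#   2. a MASQUERADE rule for the tunnel subnet on the LAN-facing interface
#   3. a real default route in the policy table wg-quick fills
# Values are taken from the log in the post (assumed, adjust for your setup).
WG_SUBNET="10.253.0.0/24"
LAN_IF="br0"
WG_TABLE="200"

# Constructed sample outputs, shaped like the real commands' output, so the
# checks can be run offline.
SAMPLE_NAT_UP="-P POSTROUTING ACCEPT
-A POSTROUTING -s 10.253.0.0/24 -o br0 -j MASQUERADE
-A POSTROUTING -s 10.253.0.0/24 -o vhost0 -j MASQUERADE"
SAMPLE_ROUTE_UP="default via 10.253.0.1 dev wg0
172.16.1.0/24 via 172.16.1.1 dev br0"
SAMPLE_ROUTE_DOWN="unreachable default
172.16.1.0/24 via 172.16.1.1 dev br0"

# $1: contents of /proc/sys/net/ipv4/ip_forward. Returns 0 when forwarding is on.
forwarding_enabled() {
    [ "$(printf '%s' "$1" | tr -d '[:space:]')" = "1" ]
}

# $1: output of `iptables -t nat -S POSTROUTING`. Returns 0 when the tunnel
# subnet is masqueraded out of LAN_IF (the rule wg-quick adds in the log).
has_masquerade() {
    printf '%s\n' "$1" | grep -qF -- "-A POSTROUTING -s $WG_SUBNET -o $LAN_IF -j MASQUERADE"
}

# $1: output of `ip -4 route show table $WG_TABLE`. Returns 0 only when the
# table has a "default via ..." route and not the "unreachable default" that
# wg-quick down leaves behind.
table_has_default() {
    printf '%s\n' "$1" | grep -q '^default via' || return 1
    ! printf '%s\n' "$1" | grep -q '^unreachable default'
}

# $1 ip_forward text, $2 NAT rules text, $3 route table text.
# Prints one line per check and returns the number of failed checks.
audit_tunnel() {
    fails=0
    if forwarding_enabled "$1"; then
        echo "ok   net.ipv4.ip_forward=1"
    else
        echo "FAIL net.ipv4.ip_forward is off: sysctl -w net.ipv4.ip_forward=1"
        fails=$((fails + 1))
    fi
    if has_masquerade "$2"; then
        echo "ok   MASQUERADE for $WG_SUBNET on $LAN_IF"
    else
        echo "FAIL no MASQUERADE rule for $WG_SUBNET on $LAN_IF in nat POSTROUTING"
        fails=$((fails + 1))
    fi
    if table_has_default "$3"; then
        echo "ok   default route present in table $WG_TABLE"
    else
        echo "FAIL table $WG_TABLE has no usable default route (tunnel down or flushed)"
        fails=$((fails + 1))
    fi
    return "$fails"
}

# Demo on the constructed "tunnel up" samples (returns 0).
audit_tunnel "1" "$SAMPLE_NAT_UP" "$SAMPLE_ROUTE_UP"
```

On the Unraid box itself, feed the live values instead of the samples: `audit_tunnel "$(cat /proc/sys/net/ipv4/ip_forward)" "$(iptables -t nat -S POSTROUTING)" "$(ip -4 route show table 200)"`. A non-zero return tells you which of the three pieces to look at before touching the peer configuration.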

Tailscale is working but it's a bit complicated. I also manage other friends' servers and they all have the same subnet, 192.168.1.1. In Tailscale they are all connected at the same time and the same subnet is causing problems.

With WireGuard I can connect when I need to, to whoever I want.

4 hours ago, emp83 said:

Tailscale is working but it's a bit complicated. I also manage other friends' servers and they all have the same subnet, 192.168.1.1. In Tailscale they are all connected at the same time and the same subnet is causing problems.

With WireGuard I can connect when I need to, to whoever I want.

FYI, unless every friend needs to share their subnet, you can just connect using the Tailscale IPs; the local network doesn't matter.

On 9/11/2024 at 9:00 PM, EDACerton said:

FYI, unless every friend needs to share their subnet, you can just connect using the Tailscale IPs

I set up Tailscale yesterday using your plugin without reading any guides, and it seems to be working with each of my systems: Unraid servers, Mac, iOS. I plan to hit up some guides and instructions next so I can make purposeful config changes. ;)

Is there a process for accessing all resources using original/local subnet/IPs (and FQDN)? I don't really have any desire to look at Tailscale's own IP assignments and would love for access to resources at home to be transparent, no matter where I am or what device I'm connecting from (as they are/were before Tailscale here at home).
