Setting Up WireGuard® on Unraid



  • 5 weeks later...
On 5/9/2022 at 1:48 AM, bombz said:

Quick question, 
Managed to get WireGuard functional and connected successfully using remote tunneled access.
However, I cannot hit any of my services on other VLANs within my network. 
Is there an ability to talk between VLANs from the peer tunnel address?

10.253.*.* > tunnel address
I can access my server IP of the WG server without issue
However, I cannot ping any other systems on the same subnet as the WG server.

 

VLANs
10.200.*.*

I don't see the WG client within my DHCP table on my gateway, but that's due to WG running inside of Unraid, I am pretty sure.
I am not sure if setting up a f/w rule to allow 10.253.*.* to other VLANs will work, as the gateway is not seeing the 10.253.*.* client to begin with.

I am puzzled how to access other services (RDP) and even ping those systems while connected to WG.


Thanks,

 

I'm also having issues when enabling VLANs on my Unraid setup.

 

I have 2 VLANs on my network:
192.168.1.0/24 (LAN)

192.168.2.0/24 (IoT VLAN)

 

I have WireGuard set up as "Remote tunneled access".

 

When I DON'T have VLANs setup on Unraid, my WireGuard peers can connect to the internet and connect to anything on both the LAN / IoT VLAN.

ex.

WG peer > 192.168.1.X OK

WG peer > 192.168.3.X OK

 

When I DO have VLANs setup on Unraid, my WireGuard peers can connect to the internet but can only access the LAN. Anything on the IoT VLAN has no response.

ex.

WG peer > 192.168.1.X OK

WG peer > 192.168.3.X NO ACCESS

 

Is this a bug in the WireGuard plugin?

Edited by bearattack
double quoted by accident
Link to comment
  • 4 months later...

Hey all, I just switched from an AMD X470 to an Intel B660 platform. Everything else worked fine, but the WireGuard VPN now doesn't activate anymore.

 

I deleted the tunnel and all peers, recreated a new tunnel, the tunnel can activate at this moment.

I add a peer, generate keys and click apply, and suddenly the tunnel becomes inactive. Clicking on the inactive toggle, it goes to active and back to inactive right away, without any error message. Any idea what the issue is here? This is now built into Unraid, right? So there's no way I can uninstall/reinstall the plugin or something like that?

Link to comment
On 10/28/2022 at 6:59 PM, binzhu1070 said:

Hey all, I just switched from an AMD X470 to an Intel B660 platform. Everything else worked fine, but the WireGuard VPN now doesn't activate anymore.

 

I deleted the tunnel and all peers, recreated a new tunnel, the tunnel can activate at this moment.

I add a peer, generate keys and click apply, and suddenly the tunnel becomes inactive. Clicking on the inactive toggle, it goes to active and back to inactive right away, without any error message. Any idea what the issue is here? This is now built into Unraid, right? So there's no way I can uninstall/reinstall the plugin or something like that?

 

I'm having the same issue. Did you get a resolution?

 

Can activate fine until I add a peer, then it becomes impossible to activate.

Link to comment
2 hours ago, banboosy said:

 

I'm having the same issue. Did you get a resolution?

 

Can activate fine until I add a peer, then it becomes impossible to activate.

 

No, it's still not resolved. What's your CPU/mobo combo? I have an Intel i5-12600T and an ASRock B660M Steel Legend.

Edited by binzhu1070
Link to comment
  • 1 month later...

Hi. Here is my situation.

 

I would like to establish a VPN connection to a Speedport Smart 4 to run a Docker container (a node) via VPN (the public IP of my second place of residence).

 

I downloaded the VPN connection from Speedport and imported it into Unraid.


I selected "VPN tunneled access for docker".
The connection is running.
Node starts.

 

Now the problem: I don't get a port release from the Speedport.
No matter what I do, I can't get the port queried in the node.

 

Does anyone have an idea?

Link to comment

I see that the issue of getting Pi-hole to work through WireGuard was in the first page of comments. I'm having this issue now but somehow had it working before. I point my router to Pi-hole to get "whole network ad blocking", which works well. But when I configure a peer to use Pi-hole's address it doesn't resolve and I lose internet on that remote peer. I have Pi-hole in a container on a custom network on a VLAN (to prevent the kernel panics).

 

Using Remote Tunneled Access I cannot get this working. It's been 3 years since this has been an issue in this thread. Any resolutions?

Link to comment

Hi everyone, I hope you are doing well.

Maybe this is a noob question, but I can't figure it out.

I set up my tunnel, set up my peer, and everything works fine.

When I set the "local tunnel firewall" to ALLOW and enter the only IP I want it to access... it kinda works...

I'm testing using my cell phone on 5G. When I connect, I can't access any IP other than the one I entered, BUT it can always access the Unraid IP and all the services/dockers running on it....

I've not entered the Unraid IP in the local tunnel firewall.

I presume that it's doing that because the WireGuard server is the Unraid server and it can't block itself?

Thanks for helping me out!

Link to comment
  • 2 weeks later...

A question about WireGuard peers. I am used to using OpenVPN, and in the past I only created one ovpn client file that I then used for all clients, for example my iPhone, iPad and Windows PC. In one of the videos that I watched regarding WireGuard on unRAID it says to create a separate peer for each client, so it sounds like that means a peer for my iPhone, a peer for my iPad and a peer for my Windows PC.

 

Is that really necessary? Or can you just use one peer?

Link to comment

Do you need the WireGuard-Easy Docker installed to use the WireGuard VPN?

 

The guides that I looked at said that you had to install it. I tried installing it but initially didn't know what to put in the WG_HOST name. I went ahead and did the config in Settings/VPN and I got everything working. Now when I try to put my DNS entry into the WG_HOST and start the docker it says

"docker: Error response from daemon: driver failed programming external connectivity on endpoint WireGuard-Easy (9b3bca05b051a8ffd94940486b8c4a91ea81b2c75a6905ef3b06aa95638174b4): Error starting userland proxy: listen udp4 0.0.0.0:51820: bind: address already in use."

 

So can I just delete the WireGuard-Easy docker?

Link to comment
20 hours ago, wayner said:

Wireguard on unRAID it says to create a separate peer for each client

I installed WireGuard on a Raspberry Pi and the instructions were the same: generate a peer configuration for each peer device. I think WireGuard in general wants a different peer configuration for each client device.

Edited by Hoopster
Link to comment
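To show why the per-device peer advice above is more than convention, here is an added example (not code from WireGuard or Unraid): a toy model of the server's peer table. WireGuard authenticates each packet by the peer's public key, remembers the endpoint the last valid packet came from (endpoint roaming), and only forwards inner packets whose source falls inside that key's AllowedIPs (cryptokey routing). Two devices that share one peer config therefore share one table entry, and replies go to whichever device spoke last. The keys, tunnel addresses and public endpoints are constructed placeholders, and the "newest sender wins" rule is a simplification of the real handshake state machine.

```python
"""Toy model (added example, not WireGuard's or Unraid's code) of why each device
needs its own peer entry: the server keys everything on the peer's public key."""
import ipaddress
from dataclasses import dataclass
from typing import Optional, Tuple

Endpoint = Tuple[str, int]   # (public IP, UDP port) the last authenticated packet came from


@dataclass
class Peer:
    public_key: str                       # constructed placeholder, not a real key
    allowed_ips: list                     # tunnel addresses this key may use (cryptokey routing)
    endpoint: Optional[Endpoint] = None   # learned from the last valid packet (endpoint roaming)


class WgServer:
    """Just enough of WireGuard's peer table to show the one-peer-per-device rule."""

    def __init__(self):
        self.peers = {}                   # public key -> Peer

    def add_peer(self, public_key: str, tunnel_ip: str):
        self.peers[public_key] = Peer(public_key, [ipaddress.ip_network(tunnel_ip)])

    def revoke(self, public_key: str):
        """Removing a lost device's key does not disturb any other peer."""
        self.peers.pop(public_key, None)

    def receive(self, public_key: str, endpoint: Endpoint, inner_src: str) -> str:
        """A packet that authenticated under `public_key` arrived from `endpoint`."""
        peer = self.peers.get(public_key)
        if peer is None:
            return "dropped: unknown public key"
        if not any(ipaddress.ip_address(inner_src) in net for net in peer.allowed_ips):
            return "dropped: inner source not in AllowedIPs"
        peer.endpoint = endpoint          # roaming: the newest sender wins
        return "accepted"

    def reply_endpoint(self, inner_dst: str) -> Optional[Endpoint]:
        """Where a packet for tunnel address `inner_dst` is sent: the owner's last endpoint."""
        dst = ipaddress.ip_address(inner_dst)
        for peer in self.peers.values():
            if any(dst in net for net in peer.allowed_ips):
                return peer.endpoint
        return None


PHONE = ("203.0.113.10", 40000)           # constructed public endpoints (documentation ranges)
LAPTOP = ("198.51.100.7", 51000)


def shared_peer_scenario() -> Optional[Endpoint]:
    """One peer config copied to two devices: both present the same key and tunnel IP."""
    srv = WgServer()
    srv.add_peer("KEY_SHARED", "10.253.0.2/32")
    srv.receive("KEY_SHARED", PHONE, "10.253.0.2")
    srv.receive("KEY_SHARED", LAPTOP, "10.253.0.2")
    # Both devices claim 10.253.0.2, so replies now reach only whoever spoke last.
    return srv.reply_endpoint("10.253.0.2")


def separate_peers_scenario() -> tuple:
    """One peer per device, each with its own key and tunnel address."""
    srv = WgServer()
    srv.add_peer("KEY_PHONE", "10.253.0.2/32")
    srv.add_peer("KEY_LAPTOP", "10.253.0.3/32")
    srv.receive("KEY_PHONE", PHONE, "10.253.0.2")
    srv.receive("KEY_LAPTOP", LAPTOP, "10.253.0.3")
    before = (srv.reply_endpoint("10.253.0.2"), srv.reply_endpoint("10.253.0.3"))
    srv.revoke("KEY_PHONE")               # phone lost: revoke just that key
    after = (srv.reply_endpoint("10.253.0.2"), srv.reply_endpoint("10.253.0.3"))
    return before, after


if __name__ == "__main__":
    print("shared peer, replies for 10.253.0.2 go to:", shared_peer_scenario())
    print("separate peers (before, after revoking the phone):", separate_peers_scenario())
```

Run as-is: with the shared entry, the phone's replies are redirected to the laptop the moment the laptop sends a packet; with separate entries each device keeps its own endpoint, and revoking the phone's key leaves the laptop untouched, which is the practical reason to generate a peer per device in the Unraid UI.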
20 minutes ago, wayner said:

change the Wireguard config to be able to access dockers with a Custom:br0 network type.

It's not so much a change in the WireGuard configuration as it is the router configuration. I have most of my Docker containers on br0.3 (a dedicated Docker VLAN) and I needed the static route (as explained in the Complex Networks section of the WireGuard Quickstart linked above) to be able to access the WebUIs of Docker containers on br0.3 via WireGuard.

 

Here's what it looks like in my router config:

[screenshot of the static route in the router configuration]

Edited by Hoopster
Link to comment

I am not successful in getting this working. My unRAID server has an IP of 192.168.1.254. My router is a Unifi USG. Here is the static route that I created.

[screenshot of the static route on the USG]

On my iPhone I am not able to address a docker on this server with a br0 network setting that has an IP of 192.168.1.245. From my phone via VPN I can access other IPs that are on my LAN, so the core VPN functionality is working.

 

Here is my WireGuard config:
[screenshot of the WireGuard configuration page]

 

Any ideas on how to troubleshoot?

Link to comment

I think I may have found a potential issue: it appears that you have to change a Docker setting, "Host access to custom networks". Do I have to enable this? It looks like right now I can't change this setting. Is that because the dockers are running? Do I have to shut down the dockers to change this setting?

Link to comment

I shut down the Docker service and changed the setting to allow Host access to custom networks, but still it does not work. Any advice on how to troubleshoot this?

 

edit - I eventually got everything working but I am not sure what did it. I updated to unRAID 6.11.5 from an earlier version and had to reboot a few times, and when I tried it I was able to access the br0 website from my phone while on the cell network and connected via VPN.

Edited by wayner
Link to comment
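The VLAN problem in the quoted bombz/bearattack posts near the top of this page and the static route that Hoopster and wayner discuss are the same issue seen from two ends: the peer's traffic reaches the LAN or VLAN host, but that host's reply to a 10.253.x.x address goes to its default gateway, and the router has no route back to the tunnel subnet. The following is an added example (not code from Unraid or the WireGuard project) that parses a wg-quick style client config, models the site's router, and reports for a given destination which of the three outcomes applies. The config, addresses and subnet layout are constructed to match the thread; it assumes, as the quickstart's static-route advice implies, that tunnel traffic to LAN hosts keeps its 10.253.x.x source address, and that internet-bound traffic is NATed by the server.

```python
"""Hypothetical reachability checker (added example, not code from Unraid or the
WireGuard project) for a "Remote tunneled access" peer on a network with VLANs."""
import ipaddress
from dataclasses import dataclass, field

# Constructed client config in wg-quick format; the keys are placeholders, not real keys.
CLIENT_CONF = """\
[Interface]
PrivateKey = <client-private-key-placeholder>
Address = 10.253.0.2/32
DNS = 192.168.1.254

[Peer]
PublicKey = <server-public-key-placeholder>
Endpoint = vpn.example.invalid:51820
AllowedIPs = 0.0.0.0/0          # tunnel everything (remote tunneled access)
"""

# Same peer, split-tunnel: only the main LAN is sent through WireGuard.
LAN_ONLY_CONF = CLIENT_CONF.replace("AllowedIPs = 0.0.0.0/0", "AllowedIPs = 192.168.1.0/24")


def _config_values(conf: str, wanted: str):
    """Yield the value of every `wanted = ...` line, with trailing # comments stripped."""
    for raw in conf.splitlines():
        key, sep, value = raw.split("#", 1)[0].partition("=")
        if sep and key.strip() == wanted:
            yield value.strip()


def parse_allowed_ips(conf: str) -> list:
    """Collect every AllowedIPs network from the [Peer] sections of a wg config."""
    nets = []
    for value in _config_values(conf, "AllowedIPs"):
        nets.extend(ipaddress.ip_network(v.strip(), strict=False)
                    for v in value.split(",") if v.strip())
    return nets


def parse_address(conf: str) -> ipaddress.IPv4Address:
    """The peer's own tunnel address from the [Interface] section."""
    for value in _config_values(conf, "Address"):
        return ipaddress.ip_interface(value).ip
    raise ValueError("no Address line in [Interface]")


@dataclass
class Site:
    wg_host: ipaddress.IPv4Address        # LAN address of the WireGuard server (the Unraid box)
    tunnel_net: ipaddress.IPv4Network     # subnet handed out to tunnel peers
    lans: list                            # subnets the router serves (LAN plus VLANs)
    router_routes: dict = field(default_factory=dict)   # static routes: network -> next hop

    def router_can_reach(self, addr: ipaddress.IPv4Address) -> bool:
        """Does the router have any route (connected or static) back to `addr`?"""
        return any(addr in net for net in self.lans) or \
               any(addr in net for net in self.router_routes)


def make_site(wg_host: str, tunnel_net: str, lans: list) -> Site:
    return Site(ipaddress.ip_address(wg_host), ipaddress.ip_network(tunnel_net),
                [ipaddress.ip_network(lan) for lan in lans])


def needed_static_route(site: Site) -> str:
    """The static route (exact syntax depends on the router) that closes the return path."""
    return f"{site.tunnel_net} via {site.wg_host}"


def add_return_route(site: Site) -> None:
    """Apply that route to the router model, as the quickstart's Complex Networks section advises."""
    site.router_routes[site.tunnel_net] = site.wg_host


def diagnose(conf: str, site: Site, dest: str) -> str:
    """Classify the forward and return path for a tunneled peer talking to `dest`."""
    dest = ipaddress.ip_address(dest)
    if not any(dest in net for net in parse_allowed_ips(conf)):
        return "not-in-allowedips"        # the client never puts this traffic into the tunnel
    if dest == site.wg_host:
        return "ok-direct"                # the server itself answers straight down the tunnel
    if not any(dest in net for net in site.lans):
        return "ok-internet"              # assumed: outbound traffic leaves via the server's NAT
    # A LAN or VLAN host replies via its default gateway, which must know the tunnel subnet.
    if site.router_can_reach(parse_address(conf)):
        return "ok-via-static-route"
    return "no-return-route"


if __name__ == "__main__":
    site = make_site("192.168.1.254", "10.253.0.0/24", ["192.168.1.0/24", "192.168.2.0/24"])
    for dest in ("192.168.1.254", "192.168.1.10", "192.168.2.20", "1.1.1.1"):
        print(f"{dest:15} {diagnose(CLIENT_CONF, site, dest)}")
    print("add on the router:", needed_static_route(site))
    add_return_route(site)
    print("192.168.2.20 after the route:", diagnose(CLIENT_CONF, site, "192.168.2.20"))
```

Two things the output makes visible that the thread only hints at: the WireGuard host itself is always reachable (it answers down the tunnel without involving the router, which is exactly what bombz observed), and a host on the same subnet as the server is no better off than one on another VLAN until the router learns the tunnel subnet. The split-tunnel config also shows the other failure class: a VLAN that is missing from AllowedIPs never enters the tunnel at all, whatever the router does.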

Hello all-

 

I've followed the guide here: https://unraid.net/de/blog/wireguard-on-unraid to set up Unraid and clients on both my Windows laptop (via generated .zip config) & Android phone (via generated QR config).

 

Have opened a UDP port in my MikroTik router's firewall. I have a static IP so I don't need to worry about dynamic DNS setup.

 

Have double-checked all settings on Unraid's WireGuard page; it all looks good to me.

 

However, when I try to click the Inactive switch to toggle to Active, it switches for a split second, then goes back to Inactive.

 

The same happened the first time I tried it, so I deleted the tunnel and input everything from scratch in case I messed something up. Before clicking the Add Peer button, when reentering everything, I tried clicking on the Inactive toggle and it stayed activated. It was only once I'd added the peer that it would not stay active.

 

Any ideas?

 

Edit: I have found that this is a known error (possibly only with 6.11.1), and in case anyone else is looking for the fix, it's here:

 

Edited by -C-
Add fix
Link to comment
  • 3 weeks later...
3 hours ago, GreenEyedMonster said:

Hey everyone,

Ever since I updated from 6.9.5 to 6.11.5 my remote tunneled access stopped working correctly. I can see my server but I can NOT access the internet when connected to WireGuard. It used to work perfectly... no idea what is happening now. Any ideas?

 

Try making any change to the WG config and hitting save, it may need to be updated.

 

Link to comment
