Setting Up WireGuard® on Unraid


Hi,

Looking for a little bit of guidance for the correct options for my setup. Quick bit of background - I have on my home network an Ubuntu box called 'externaldocker' which runs Docker-hosted services that I want to access externally. It also runs WireGuard as a peer. On Digital Ocean I have a cheap VPC running NGinX as a proxy and also WG. I have all my DNS for things like nextcloud.mydomain.com pointing to the DO machine, with NGinX proxies set up to do - for example - proxy_pass http://192.168.205.2:1880; which passes the traffic over the WG tunnel to externaldocker and serves my pages to my browser. It works seamlessly, adds an extra layer of security and means I don't have to worry about my ISP's dynamic DNS.

So getting to my problem - running NextCloud with all the other services on a machine with a 250GB drive is a problem. I also have a 120TB UnRAID server sitting on my network which seems a much more sensible home for NC and quite a few other services. So I've installed the WG App on UnRAID but I cannot figure out how to configure it as a peer from the web interface. The documentation and the App are all worded to make UnRAID the server. I could set it up with UnRAID as the server and DO as the peer but that then introduces port forwarding and dynamic DNS to the equation and quite simply - I don't want to.

I could also edit wg0.conf manually but I'd prefer to only go down that route if I know in advance that it works. Has anyone else set up UnRAID as a WG peer and can give me some pointers?

Thanks

Steve


Hi, I've followed the instructions over and over.

I can connect to the VPN service but I'm unable to access either local addresses (LAN) or outside sites.

  1. I have the right port forward configuration to my UnRaid Server
  2. I have a noip DDNS
  3. I'm selecting remote tunneled access

Could you point me in the right direction?

My LAN is 192.168.200.0/24

My UnRaid server has a fixed IP of 192.168.200.205

Thanks!

On 10/30/2020 at 4:32 AM, Poncho said:

Hi, I've followed the instructions over and over.

I can connect to the VPN service but I'm unable to access either local addresses (LAN) or outside sites.

  1. I have the right port forward configuration to my UnRaid Server
  2. I have a noip DDNS
  3. I'm selecting remote tunneled access

Could you point me in the right direction?

My LAN is 192.168.200.0/24

My UnRaid server has a fixed IP of 192.168.200.205

Thanks!

I have this same issue. I was able to get around the "no access to outside sites" by setting the DNS on the client. For me, that's a pihole on my network; however, I still cannot access a lot of internal addresses.

I can access my router, my pihole, which is running on a different subnet on the router, and my unraid docker containers; however, VMs on unraid and other LAN services are unavailable.


Hey there, I'm having issues getting WireGuard figured out as well.

I have Unraid Server 1 (192.168.33.x) and Unraid Server 2 (192.168.1.x) at two different locations. I want to map a share from Server 2 on Server 1 so that I can run remote backups (back up Server 1 files TO a share on Server 2).

I have WireGuard configured per the screenshot below AND the connection is good - handshake transmits data, if I hit the ping button I get a reply.

So now what? If I try to map a share using Unassigned Devices it can't find anything even when specifying the IP. Is there something else I'm supposed to do?

[Screenshot: Wireguard.png]


Hello all! I am having some issues getting WireGuard to work on my unraid server. I have been searching all kinds of WireGuard threads and nothing I have done has helped. So, I want to make this clear that I don't think this is any kind of bug or error in the WireGuard plugin. I think it's more likely that there is some setting in my greater internet setup that's preventing this from working. (I think this because I tried setting up WireGuard on a Raspberry Pi with PiVPN a while ago and couldn't get that to work either.)

So, this will be a long and hopefully very detailed post about my whole internet setup in hopes that someone knows the magic thing I need to do to get this working.

My internet provider is CenturyLink, and I have fiber internet. So my internet hardware starts with an ONT (Optical Network Terminal). This is the box that turns the fiber optic cable into a normal RJ-45 ethernet cable.

Then, the ONT is connected to a modem/router combo provided by CenturyLink that is set up in "transparent bridge" mode.

Then, that is connected to my Linksys Velop router (parent node).

There is also another Linksys Velop router (child node) in my system.

Then that is where my unraid server resides.

I followed the quick start guide to the letter and no luck. I have set up a duckdns account and have a subdomain and all that. I am able to ping that subdomain just fine.

However, when I go to add a peer and create the config for a client device they never work. I tried creating one for my phone. I used the remote tunneled access but was not able to access the internet, the LAN, or my server. And in the VPN manager on unraid that peer profile continues to say "last handshake: not recieved".

I have my port forwarded to my server from my Linksys router.

I am a novice at all of this networking stuff so I am sorry if I missed some part of the needed information. If you need more information about any of my server settings or router settings or anything else, please don't hesitate to ask. I have been trying for many hours to get this working and I can't figure out what to do next. All help would be awesome. Thank you in advance!


Sorry for the double post... I posted it in the Dynamix WireGuard topic but maybe somebody has an explanation here:

Hi, I installed WireGuard this week, all works fine but I noticed one thing:

Even when I deactivate WireGuard and/or the open UDP port on my router, iOS "establishes" a VPN connection (which is not working) but it shows "connected" and the VPN sign is in the upper right corner.

Any ideas why?

Greetings

12 minutes ago, reppmic said:

Sorry for the double post... I posted it in the Dynamix WireGuard topic but maybe somebody has an explanation here:

Hi, I installed WireGuard this week, all works fine but I noticed one thing:

Even when I deactivate WireGuard and/or the open UDP port on my router, iOS "establishes" a VPN connection (which is not working) but it shows "connected" and the VPN sign is in the upper right corner.

Any ideas why?

Greetings

I think you will find that is normal behavior on iOS. I have noticed in the past that the moment you try and activate any VPN (regardless of whether it connects successfully) the VPN symbol appears. You should be reporting this to Apple (if anyone) if you think this should be changed.

2 minutes ago, itimpi said:

I think you will find that is normal behavior on iOS. I have noticed in the past that the moment you try and activate any VPN (regardless of whether it connects successfully) the VPN symbol appears. You should be reporting this to Apple (if anyone) if you think this should be changed.

Mhhh, but when I use OpenVPN or IPsec it has the normal behaviour.

When the port is closed or the VPN server is offline, the VPN does not start.

Just now, reppmic said:

Mhhh, but when I use OpenVPN or IPsec it has the normal behaviour.

When the port is closed or the VPN server is offline, the VPN does not start.

I have had this behaviour with other VPN type connections from my iPad. In your case maybe it is something in the iOS WireGuard app. Certainly not anything that Unraid can do anything about.


Hi! New to unRaid. I want to set up a VPN connection to be able to remotely access my unraid server, and also a commercial VPN (I'm using Mullvad) to be able to make outgoing connections encrypted too. I don't know if this is possible or has been discussed before, but I haven't seen this case, I think.

I managed to set up WireGuard to be able to remotely connect to unraid and it works fine. But I'm trying to also add the Mullvad WireGuard configuration and it doesn't work. I don't even know the process needed. My idea was having 2 WireGuard configs, but when I add the Mullvad VPN setup my external IP changes, so I have to change the other VPN config as well. I have also opened a port in Mullvad to use. But it doesn't work.

I'm not even sure if the steps I'm doing are the correct ones for my purpose.

On 2/2/2021 at 2:02 AM, Bullerwins said:

Hi! New to unRaid. I want to set up a VPN connection to be able to remotely access my unraid server, and also a commercial VPN (I'm using Mullvad) to be able to make outgoing connections encrypted too. I don't know if this is possible or has been discussed before, but I haven't seen this case, I think.

I managed to set up WireGuard to be able to remotely connect to unraid and it works fine. But I'm trying to also add the Mullvad WireGuard configuration and it doesn't work. I don't even know the process needed. My idea was having 2 WireGuard configs, but when I add the Mullvad VPN setup my external IP changes, so I have to change the other VPN config as well. I have also opened a port in Mullvad to use. But it doesn't work.

I'm not even sure if the steps I'm doing are the correct ones for my purpose.

The WireGuard Quickstart post is the best place to start when setting up WireGuard:

  https://forums.unraid.net/topic/84226-wireguard-quickstart/

Near the top is a mention of "VPN tunneled access", which links to a separate post to discuss using a commercial WireGuard VPN provider:

  https://forums.unraid.net/topic/84316-wireguard-vpn-tunneled-access/

"VPN tunneled access" has several limitations and is more experimental at this point.

On 2/1/2021 at 1:25 AM, reppmic said:

Even when I deactivate WireGuard and/or the open UDP port on my router, iOS "establishes" a VPN connection (which is not working) but it shows "connected" and the VPN sign is in the upper right corner.

It is unfortunate / misleading terminology on the client, not something that we control. What the client means is that the tunnel has started on the client's side and is waiting for something to happen.

If the corresponding WireGuard tunnel on the Unraid side is also active/started and if DDNS/port forwards/etc. are all set up correctly then the two ends will connect and the Unraid dashboard will show a "handshake" and data being transferred.

On 1/28/2021 at 1:18 PM, arich1055077 said:

Then, that is connected to my Linksys Velop router (parent node).

There is also another Linksys Velop router (child node) in my system.

Are you double-NAT'd? It is very difficult to get port forwarding to work in a double-NAT situation.

If you are sure that is not the case, then I need to mention that WireGuard is designed to fail silently, which is wonderful from a security perspective but it makes things very difficult to troubleshoot.

I have tried to consolidate all of the troubleshooting ideas in the first two posts here:

On 11/30/2020 at 5:33 PM, Boldly_Goes said:

I have WireGuard configured per the screenshot below AND the connection is good - handshake transmits data, if I hit the ping button I get a reply.

So now what? If I try to map a share using Unassigned Devices it can't find anything even when specifying the IP. Is there something else I'm supposed to do?

"Remote tunneled access" is not the right connection type for this. Please turn on help or see the first post here: https://forums.unraid.net/topic/84226-wireguard-quickstart/

You want either "Server to Server" or "LAN to LAN". For full "LAN to LAN" support see https://forums.unraid.net/topic/88906-lan-to-lan-wireguard/

On 11/22/2020 at 10:05 PM, dja said:

I have a FQDN that begins "45" and is a .com - but the GUI won't accept it... says invalid. Can this be addressed? I was able to manually edit the config file on the client side and it works, but it would be nice if the GUI worked.

Sorry for the delay. I can't reproduce this though. Would you please PM me the FQDN you are trying to use and a screenshot of the error?

On 10/25/2020 at 4:51 AM, stetho said:

So I've installed the WG App on UnRAID but I cannot figure out how to configure it as a peer from the web interface. The documentation and the App are all worded to make UnRAID the server. I could set it up with UnRAID as the server and DO as the peer but that then introduces port forwarding and dynamic DNS to the equation and quite simply - I don't want to.

I could also edit wg0.conf manually but I'd prefer to only go down that route if I know in advance that it works. Has anyone else set up UnRAID as a WG peer and can give me some pointers?

We do tend to talk about servers and clients here because that is the easiest way to describe it. But in WireGuard there isn't really a concept of server or client, everybody is just a peer.

Using the interface, I think the "server to server" access type will let you do what you want, just ignore the local endpoint field. This means that the remote side won't be able to start the connection, you'll need to do it from Unraid.

If you don't want to use the interface to fill out the form you can create your own .conf file and import it instead (the import button is in the upper left corner of the interface).
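As an added example (not from the post or the Unraid plugin), here is what the two ends of such a "server to server" tunnel look like when only the Unraid side dials out: the keys are placeholders, the 192.168.205.0/24 tunnel subnet follows the proxy_pass address in the question, and the hostname, port and Unraid tunnel address are constructed.

```ini
# --- Unraid side (wg0.conf), constructed example: Unraid initiates ---
[Interface]
PrivateKey = <UNRAID_PRIVATE_KEY>      # placeholder, generated by the plugin
Address = 192.168.205.3/24             # constructed tunnel address for Unraid
ListenPort = 51820                     # no router port forward needed: Unraid only dials out

[Peer]
# The Digital Ocean VPS: the only side with a fixed, reachable Endpoint.
PublicKey = <VPS_PUBLIC_KEY>
Endpoint = vps.example.com:51820       # constructed hostname
AllowedIPs = 192.168.205.1/32          # only the VPS tunnel address is routed into wg0
PersistentKeepalive = 25               # keeps the NAT mapping alive so the VPS can reply

# --- VPS side, constructed example: no Endpoint for Unraid ---
[Interface]
PrivateKey = <VPS_PRIVATE_KEY>
Address = 192.168.205.1/24
ListenPort = 51820                     # this UDP port must be open on the VPS firewall

[Peer]
# Unraid has no Endpoint line: the VPS learns Unraid's public address from
# the first handshake and keeps using it while keepalives arrive.
PublicKey = <UNRAID_PUBLIC_KEY>
AllowedIPs = 192.168.205.3/32          # nginx proxy_pass to this address rides the tunnel
```

Because the VPS side has no Endpoint it cannot start the tunnel; the first packet must come from Unraid, which is exactly the limitation the answer describes, and until that first handshake the VPS's proxy_pass to the tunnel address will time out.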

 
On 11/22/2020 at 10:05 PM, dja said:

I have a FQDN that begins "45" and is a .com - but the GUI won't accept it... says invalid. Can this be addressed? I was able to manually edit the config file on the client side and it works, but it would be nice if the GUI worked.

On 2/3/2021 at 12:06 PM, ljm42 said:

Sorry for the delay. I can't reproduce this though. Would you please PM me the FQDN you are trying to use and a screenshot of the error?

Thanks for the details @dja

So the issue was capital letters, numbers are fine but the validation routine will only accept lowercase letters. I am working on a fix for the next release that will automatically change capital letters to lowercase.


Bit of a weird issue for me.

I started up Dynamix' WireGuard plugin, following the blog post on Unraid.net. Worked perfectly with my MacBook, using the `Remote Tunneled Access` mode. Great.

Then I went and added another peer (I wanted to use my phone too). After clicking 'Add peer' and generating the keys, I clicked Apply or whatever and... lost access. No go at all. Can't even connect back to the server to undo what I did.

Is that expected behavior? Note, I only generated new keys for the new peer, so I didn't expect to get locked out. Any suggestions welcomed - and thanks for building such a simple/great system!

16 minutes ago, jmbrnt said:

Is that expected behavior?

I think that at the moment any time you make a change the underlying service gets disabled and you need to re-enable it again. This means you cannot make a change remotely when connected via WireGuard unless you have an alternative way into the server.

Whether it is intended to change this I have no idea.

1 minute ago, itimpi said:

I think that at the moment any time you make a change the underlying service gets disabled and you need to re-enable it again. This means you cannot make a change remotely when connected via WireGuard unless you have an alternative way into the server.

Whether it is intended to change this I have no idea.

Ah well, at least the symptom makes sense. Not so sure if the cause does. I could understand a restart or reload...

Cheers


I want something between "remote access to LAN" and "remote tunneled access". Basically I just want to add another network route for the client through wg. I believe this should go in "peer allowed IPs" but unraid is putting that route on itself to the tunnel. I think this is a bug.

If I download the config to the client and then edit it and add the net to "peer allowed IPs" everything works as expected.

21 hours ago, uek2wooF said:

I want something between "remote access to LAN" and "remote tunneled access". Basically I just want to add another network route for the client through wg. I believe this should go in "peer allowed IPs" but unraid is putting that route on itself to the tunnel. I think this is a bug.

If I download the config to the client and then edit it and add the net to "peer allowed IPs" everything works as expected.

The WireGuard protocol has an "AllowedIPs" field in both the server's config file and the peer's config file. They are different. You can see the difference if you click the "eye" for the tunnel and compare it to the "eye" for the peer.

We provide direct access to the server's "AllowedIPs" entry for that peer using the webgui. We vary the peer's "AllowedIPs" field based on the "peer type of access" field. If you want to customize that further you are welcome to do that after downloading the config, which it sounds like you have already done :)
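To make the two "AllowedIPs" entries concrete, here is a constructed side-by-side example (not from the post or the plugin): the 10.253.0.0/24 tunnel subnet, the DDNS name, the 192.168.200.0/24 LAN and the extra 10.10.0.0/24 network are all assumed values, and the entries the plugin generates for each access type are paraphrased rather than copied from it.

```ini
# --- Unraid tunnel config (what the "eye" on the tunnel shows), constructed ---
[Interface]
Address = 10.253.0.1/24              # assumed tunnel subnet
ListenPort = 51820
PrivateKey = <SERVER_PRIVATE_KEY>    # placeholder

[Peer]                               # the phone
PublicKey = <PHONE_PUBLIC_KEY>       # placeholder
AllowedIPs = 10.253.0.2/32           # server side: ONLY this peer's tunnel address.
# Adding 10.10.0.0/24 HERE tells Unraid to send that whole network into the tunnel
# toward the phone, which is the "route on itself" symptom described above.

# --- Downloaded peer config (what the "eye" on the peer shows), constructed ---
[Interface]
Address = 10.253.0.2/32
PrivateKey = <PHONE_PRIVATE_KEY>     # placeholder
DNS = 192.168.200.1                  # assumed LAN resolver

[Peer]                               # Unraid
PublicKey = <SERVER_PUBLIC_KEY>      # placeholder
Endpoint = myserver.example-ddns.org:51820   # constructed DDNS name
# "Remote access to LAN" gives roughly the first two entries; "Remote tunneled
# access" would use 0.0.0.0/0 instead. The third entry is the manual client-side
# addition for one more network behind Unraid; the server entry above is unchanged.
AllowedIPs = 10.253.0.1/32, 192.168.200.0/24, 10.10.0.0/24
```

The client-side entry only decides which destinations the phone sends into the tunnel; Unraid must still be able to forward and route traffic to that extra network, otherwise packets arrive at the server and go nowhere.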

 
6 hours ago, ljm42 said:

We provide direct access to the server's "AllowedIPs" entry for that peer using the webgui. We vary the peer's "AllowedIPs" field based on the "peer type of access" field. If you want to customize that further you are welcome to do that after downloading the config, which it sounds like you have already done :)

Ah ok. Well it is easy to do on a laptop but sort of a pain on a phone. It would be nice to customize it from the unraid GUI. Thanks.
