Setting Up WireGuard® on Unraid

28 minutes ago, uek2wooF said:

Ah, OK. Well, it is easy to do on a laptop but sort of a pain on a phone. It would be nice to customize it from the Unraid GUI. Thanks.

Oops, never mind. I forgot I made a QR code generator Docker container. I pasted the config in there, modified it, and generated a new QR code for my phone to use.


So I went through the documentation here.

https://unraid.net/blog/wireguard-on-unraid

I am now trying to add an iOS client, and whenever I scan the QR code it says "Invalid QR Code: The scanned QR code is not a valid WireGuard configuration".

Not sure where to go from here; any ideas?

38 minutes ago, InfInIty said:

So I went through the documentation here.

https://unraid.net/blog/wireguard-on-unraid

I am now trying to add an iOS client, and whenever I scan the QR code it says "Invalid QR Code: The scanned QR code is not a valid WireGuard configuration".

Not sure where to go from here; any ideas?

OK, I got the connection imported. iOS seems to think I am connected, but the Unraid plugin does not see a handshake, and I have no access to anything on my network.

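Both of the posts above stumble on the same step: the mobile app parses the QR code as a plain WireGuard config file, so a hand-edited config re-encoded as a QR code (as in the first post) or one copied with a clipped key (the most common cause of the "not a valid WireGuard configuration" error) is rejected before any key or endpoint is even tried. The validator below is an added example, not code from the Unraid plugin or from anyone in this thread. It checks the things the importer is strict about: exactly one [Interface], a PrivateKey and PublicKey that are base64 of exactly 32 bytes (44 characters ending in "="), valid CIDRs in Address and AllowedIPs, and a host:port Endpoint. The sample config is constructed; its keys are dummy 32-byte values and the DuckDNS hostname is assumed. Note what it cannot see: a config that imports cleanly but never handshakes (the second post) is a key, endpoint or port-forwarding problem, not a syntax one.

```python
import base64
import binascii
import ipaddress

# Constructed sample in the shape of a client config exported by the Unraid
# WireGuard plugin. The keys are dummy 32-byte values encoded as base64, not
# real keys; the endpoint hostname is an assumed DuckDNS name.
DUMMY_PRIVATE_KEY = base64.b64encode(bytes([1] * 32)).decode()
DUMMY_PUBLIC_KEY = base64.b64encode(bytes([2] * 32)).decode()

SAMPLE_CONFIG = f"""\
[Interface]
PrivateKey = {DUMMY_PRIVATE_KEY}
Address = 10.253.0.2/32
DNS = 10.253.0.1

[Peer]
PublicKey = {DUMMY_PUBLIC_KEY}
Endpoint = tower.duckdns.org:51820
AllowedIPs = 10.253.0.1/32, 192.168.1.0/24
PersistentKeepalive = 15
"""


def parse_wg_config(text):
    """Parse an INI-style WireGuard config into a list of (section, {key: value})."""
    sections = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and surrounding whitespace
        if not line:
            continue
        if line.startswith("[") and line.endswith("]"):
            sections.append((line[1:-1].strip(), {}))
            continue
        if not sections or "=" not in line:
            raise ValueError(f"line outside a section or missing '=': {raw!r}")
        key, value = (part.strip() for part in line.split("=", 1))
        sections[-1][1][key] = value
    return sections


def _check_key(name, value):
    """A WireGuard key is base64 of exactly 32 bytes (44 characters, ending in '=')."""
    if value is None:
        return f"{name} is missing"
    try:
        raw = base64.b64decode(value, validate=True)
    except (binascii.Error, ValueError):
        return f"{name} is not valid base64"
    if len(raw) != 32:
        return f"{name} decodes to {len(raw)} bytes, expected 32"
    return None


def _check_cidrs(name, value):
    """Address / AllowedIPs are comma-separated addresses with an optional prefix."""
    if value is None:
        return [f"{name} is missing"]
    errors = []
    for item in value.split(","):
        try:
            ipaddress.ip_interface(item.strip())
        except ValueError:
            errors.append(f"{name} contains an invalid address: {item.strip()!r}")
    return errors


def validate_wg_config(text):
    """Return a list of problems; an empty list means the config is importable."""
    try:
        sections = parse_wg_config(text)
    except ValueError as exc:
        return [str(exc)]
    errors = []
    interfaces = [body for name, body in sections if name == "Interface"]
    peers = [body for name, body in sections if name == "Peer"]
    if len(interfaces) != 1:
        errors.append(f"expected exactly one [Interface] section, found {len(interfaces)}")
    for iface in interfaces:
        err = _check_key("PrivateKey", iface.get("PrivateKey"))
        if err:
            errors.append(err)
        errors.extend(_check_cidrs("Address", iface.get("Address")))
    if not peers:
        errors.append("no [Peer] section")
    for peer in peers:
        err = _check_key("PublicKey", peer.get("PublicKey"))
        if err:
            errors.append(err)
        errors.extend(_check_cidrs("AllowedIPs", peer.get("AllowedIPs")))
        endpoint = peer.get("Endpoint")
        if endpoint is not None:
            host, sep, port = endpoint.rpartition(":")
            if not sep or not host or not port.isdigit() or not 1 <= int(port) <= 65535:
                errors.append(f"Endpoint must be host:port, got {endpoint!r}")
        keepalive = peer.get("PersistentKeepalive")
        if keepalive is not None and not keepalive.isdigit():
            errors.append(f"PersistentKeepalive must be an integer, got {keepalive!r}")
    return errors


if __name__ == "__main__":
    print(validate_wg_config(SAMPLE_CONFIG))  # [] for the constructed sample
```

Run it over the config text before feeding it to a QR generator; a key that comes back as "decodes to 30 bytes" has lost its last characters in a copy/paste, which is invisible in the QR image itself.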

Does this not work if the computer used for setup is Windows 10 with PIA WireGuard already set up? I tried the tutorial and couldn't ever connect to the Unraid server. (Yes, I tried disabling PIA WG... still no connection.) (BTW, my DuckDNS name was a subdomain, if that matters.) Also, when this is set up properly, can I run my Docker containers through this VPN? I probably really don't understand what exactly this is for.

Log:

2021-03-19 12:17:44.303434: [TUN] [peer-Tower-wg0-1] peer(hrSH…C2j8) - Sending handshake initiation
2021-03-19 12:17:49.414848: [TUN] [peer-Tower-wg0-1] peer(hrSH…C2j8) - Handshake did not complete after 5 seconds, retrying (try 5)
2021-03-19 12:17:49.414848: [TUN] [peer-Tower-wg0-1] peer(hrSH…C2j8) - Sending handshake initiation
2021-03-19 12:17:54.493663: [TUN] [peer-Tower-wg0-1] peer(hrSH…C2j8) - Handshake did not complete after 5 seconds, retrying (try 6)
2021-03-19 12:17:54.493663: [TUN] [peer-Tower-wg0-1] peer(hrSH…C2j8) - Sending handshake initiation
2021-03-19 12:17:59.593883: [TUN] [peer-Tower-wg0-1] peer(hrSH…C2j8) - Handshake did not complete after 5 seconds, retrying (try 7)

OK, so I figured out the client can't be on the same network. Tried with LTE and WG on my phone; still no success...
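The log above is the classic one-sided picture: initiations leave the client, nothing comes back, and the retry counter climbs. WireGuard deliberately stays silent when an initiation is malformed or encrypted for a key it does not hold, so from the client side a wrong peer key, a wrong endpoint, a missing port forward and a phone trying to reach the public IP from inside the same LAN (no NAT hairpin) all look identical. The script below is an added example, not something from the post or the plugin: it parses these WireGuard-for-Windows log lines, tracks initiations and retry counts per peer, and flags a peer that never sees a response. The stuck log is the one pasted above; the healthy counter-example is constructed, and the wording of its response line is assumed from wireguard-go's log messages rather than taken from the thread.

```python
import re
from collections import defaultdict

# Lines pasted in the post above (WireGuard for Windows client log).
STUCK_LOG = """\
2021-03-19 12:17:44.303434: [TUN] [peer-Tower-wg0-1] peer(hrSH…C2j8) - Sending handshake initiation
2021-03-19 12:17:49.414848: [TUN] [peer-Tower-wg0-1] peer(hrSH…C2j8) - Handshake did not complete after 5 seconds, retrying (try 5)
2021-03-19 12:17:49.414848: [TUN] [peer-Tower-wg0-1] peer(hrSH…C2j8) - Sending handshake initiation
2021-03-19 12:17:54.493663: [TUN] [peer-Tower-wg0-1] peer(hrSH…C2j8) - Handshake did not complete after 5 seconds, retrying (try 6)
2021-03-19 12:17:54.493663: [TUN] [peer-Tower-wg0-1] peer(hrSH…C2j8) - Sending handshake initiation
2021-03-19 12:17:59.593883: [TUN] [peer-Tower-wg0-1] peer(hrSH…C2j8) - Handshake did not complete after 5 seconds, retrying (try 7)
"""

# Constructed counter-example of a tunnel that does come up. The wording of the
# response line is an assumption based on wireguard-go's messages, not from the post.
HEALTHY_LOG = """\
2021-03-19 12:20:01.000000: [TUN] [peer-Tower-wg0-1] peer(hrSH…C2j8) - Sending handshake initiation
2021-03-19 12:20:01.050000: [TUN] [peer-Tower-wg0-1] peer(hrSH…C2j8) - Received handshake response
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+ \S+): \[TUN\] \[(?P<tunnel>[^\]]+)\] peer\((?P<peer>[^)]+)\) - (?P<msg>.+)$"
)
RETRY_RE = re.compile(r"retrying \(try (\d+)\)")


def analyze_handshakes(log_text):
    """Per peer: initiations sent, highest retry number seen, whether a response arrived."""
    stats = defaultdict(lambda: {"initiations": 0, "last_try": 0, "response": False})
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # unrelated log line
        entry = stats[m["peer"]]
        msg = m["msg"]
        if msg.startswith("Sending handshake initiation"):
            entry["initiations"] += 1
        elif (retry := RETRY_RE.search(msg)):
            entry["last_try"] = max(entry["last_try"], int(retry.group(1)))
        elif "handshake response" in msg.lower():
            entry["response"] = True
    return dict(stats)


def diagnose(stats, stuck_after=3):
    """Turn the counters into a verdict per peer."""
    verdicts = {}
    for peer, s in stats.items():
        if s["response"]:
            verdicts[peer] = "handshake completed"
        elif s["last_try"] >= stuck_after or s["initiations"] >= stuck_after:
            # The server never answers a bad initiation, so all of these look the same here.
            verdicts[peer] = (
                "no handshake response: check the endpoint and port forward, "
                "the peer keys on both sides, and whether the client is on the "
                "same LAN as the server (hairpin NAT)"
            )
        else:
            verdicts[peer] = "still trying"
    return verdicts


if __name__ == "__main__":
    for name, log in (("stuck", STUCK_LOG), ("healthy", HEALTHY_LOG)):
        print(name, diagnose(analyze_handshakes(log)))
```

Because the client log cannot distinguish the causes, the next check belongs on the Unraid side: with the client retrying, a packet capture on the WAN-facing interface shows whether the UDP initiations arrive at all (a routing or port-forward problem if not) or arrive and go unanswered (a key mismatch).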
  • 3 weeks later...

I don't know if anybody is in the same situation as me. I have a UDM Pro and I use the integrated L2TP VPN to access Unraid, so I can use the firewall rules to block all port services on Unraid and on my LAN. If I use the WireGuard VPN to access Unraid, all the ports are exposed and I don't know how to block them, because the gateway is Unraid and the firewall rules of my router don't work. So my question is simple: is there any way to block all the ports on Unraid and only allow connections to the shared services SMB, NFS?
3 hours ago, trott said:

Usually for WireGuard, you only need to forward the WireGuard port on the UDM Pro to the Unraid IP; all other ports are still closed to the public.

Hi, the point is to allow other users to connect to the shared folders and block access to the Docker services. With WireGuard on Unraid I can't see the option.
6 hours ago, Jandrop said:

I don't know if anybody is in the same situation as me. I have a UDM Pro and I use the integrated L2TP VPN to access Unraid, so I can use the firewall rules to block all port services on Unraid and on my LAN. If I use the WireGuard VPN to access Unraid, all the ports are exposed and I don't know how to block them, because the gateway is Unraid and the firewall rules of my router don't work. So my question is simple: is there any way to block all the ports on Unraid and only allow connections to the shared services SMB, NFS?

The WireGuard solution is intended to give only "trusted" users access; any "outsiders" can't get access because they don't have the WG keys to establish the session.

Who is accessing your Unraid server over WireGuard? It sounds like you are setting up some "public" service.

Any device on your LAN which runs on its own unique IP address (this may include Docker containers and VMs) can be allowed or denied access over WG (configurable in the GUI).
7 minutes ago, bonienl said:

The WireGuard solution is intended to give only "trusted" users access; any "outsiders" can't get access because they don't have the WG keys to establish the session.

Who is accessing your Unraid server over WireGuard? It sounds like you are setting up some "public" service.

Any device on your LAN which runs on its own unique IP address (this may include Docker containers and VMs) can be allowed or denied access over WG (configurable in the GUI).

I just want to give my family access to the shared folders, but I'm not interested in exposing all the ports of my Unraid server. Right now they are using a VPN with L2TP and I have multiple firewall rules to only give access to SMB and block the rest.

There are not many other ports open on Unraid; it is not a fully fledged server with many different services to run.

On the Management Access page you can further control which management services to open or close.

Services like HTTP/HTTPS, SSH and Telnet are all protected by login authentication.
35 minutes ago, bonienl said:

There are not many other ports open on Unraid; it is not a fully fledged server with many different services to run.

On the Management Access page you can further control which management services to open or close.

Services like HTTP/HTTPS, SSH and Telnet are all protected by login authentication.

Well, if you are a heavy Docker user like me, you will know that when you map a port, this port is bound to the Unraid IP, so I have multiple services like Sonarr, Radarr, GitLab, etc. bound to unraidip:portservice. I'm interested in blocking these ports if possible. If not, I can use the UDM VPN.
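The exchange above is really about where the filter has to sit. Once a peer is inside the tunnel, its packets arrive on the server's tunnel interface and only the server's own netfilter rules can say which ports it may reach; the router never sees them. Two details matter for the "only SMB/NFS, no Docker" goal: host services (SMB, NFS) traverse the INPUT chain, but ports Docker publishes are DNATed to the container and traverse FORWARD (through Docker's DOCKER-USER chain), so an INPUT rule alone leaves every Sonarr/Radarr/GitLab port open. The script below is an added illustration, not the plugin's code or anything from the thread. It assumes the tunnel interface is named wg0, that the Docker daemon provides the DOCKER-USER chain, and that the commands are run after the tunnel is up; it also mirrors the rules' verdict in a small function so the policy can be checked without touching a live host. NFSv4 is assumed (2049/tcp only); NFSv3 would additionally need 111 and the mountd port.

```python
# Added illustration for the question above: let WireGuard clients reach only
# SMB and NFSv4 on the Unraid host itself, and nothing Docker publishes.
# Assumptions (not from the thread): the tunnel interface is wg0, Docker's
# DOCKER-USER chain exists, and this runs after the tunnel is up.
WG_IFACE = "wg0"
ALLOWED_HOST_PORTS = frozenset({("tcp", 445), ("tcp", 2049)})  # SMB, NFSv4


def build_iptables_rules(iface=WG_IFACE, allowed=ALLOWED_HOST_PORTS):
    """Return the iptables commands in the order they must be applied."""
    rules = [
        # Traffic addressed to the Unraid host's own services traverses INPUT.
        "iptables -N WG-IN",
        "iptables -A WG-IN -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT",
    ]
    for proto, port in sorted(allowed):
        rules.append(f"iptables -A WG-IN -p {proto} --dport {port} -j ACCEPT")
    rules += [
        "iptables -A WG-IN -j DROP",
        f"iptables -I INPUT 1 -i {iface} -j WG-IN",
        # Docker-published ports are DNATed to the container and go through
        # FORWARD via DOCKER-USER, so INPUT rules never see them. Insert the
        # DROP first, then the conntrack ACCEPT in front of it.
        f"iptables -I DOCKER-USER 1 -i {iface} -j DROP",
        f"iptables -I DOCKER-USER 1 -i {iface} -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT",
    ]
    return rules


def decide(chain, proto, dport, ctstate="NEW", allowed=ALLOWED_HOST_PORTS):
    """Mirror the verdict the rules above give a packet arriving on the tunnel.

    chain is "INPUT" for the host's own services and "FORWARD" for traffic
    DNATed to a Docker container or routed on to the LAN.
    """
    if ctstate in ("ESTABLISHED", "RELATED"):
        return "ACCEPT"  # replies to connections opened from the server/LAN side
    if chain == "INPUT" and (proto, dport) in allowed:
        return "ACCEPT"
    return "DROP"


if __name__ == "__main__":
    print("\n".join(build_iptables_rules()))
    for chain, proto, port in [("INPUT", "tcp", 445), ("INPUT", "tcp", 8989), ("FORWARD", "tcp", 8989)]:
        print(f"{chain} {proto}/{port} -> {decide(chain, proto, port)}")
```

Two caveats before applying anything like this on a real server: the Unraid WebGUI and SSH are also dropped for VPN clients by this policy, which is what the question asks for but is easy to forget when the admin's own phone is one of the peers; and the plugin writes its own netfilter rules for the tunnel (masquerading, for example), so read `iptables -S` first and keep the WG-IN jump ahead of anything that would accept the traffic earlier.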
  • 4 weeks later...

Hi,

Might be unrelated, but maybe someone here can help.

I've tried using this plugin on 2 different Unraid servers located on 2 different networks.

In both I get the same result: I can access the main Unraid server, but nothing more (meaning, I can enter the IP of the Unraid server and it works perfectly; nothing else in the network [such as other servers] works).

Both servers are behind dedicated pfSense firewalls.

Both have the port forwarded as needed.

I've tried the Advanced setup on one (NAT to false, Docker host access to custom networks "enabled" and firewall rule):

[screenshot]

Firewall rules I've tried, but they seem to make no difference:

[screenshot]

And here is the second one, with the "basic" config:

[screenshot]

Port forwarding for both looks mostly the same:

[screenshot]

Any ideas?

And thanks for the plugin! :)
5 hours ago, IpDo said:

I can access the main Unraid server, but nothing more (meaning, I can enter the IP of the Unraid server and it works perfectly; nothing else in the network [such as other servers] works).

In your screenshot, next to "local server uses NAT" there is a remark that says "configure your router with a static route..." Did you do that? A static route is not a firewall rule; I'd remove those extra firewall rules unless you know for sure they are needed.

Probably best if you go through the WireGuard quickstart guide; it has a lot more detail, including a section on "Complex networks" that explains how a few settings work together to give you access to your LAN:

Thanks for the reply,

I've added a static route now on both configs:

[screenshot]

Some improvements, but I'm still having some issues.

On the simple server:

I can now connect to the Unraid UI and to the pfSense UI, but I still can't access anything else on the network.

I've tried the firewall rules because of the firewall log:

[screenshot]

(the first one, 192.168.0.31:8123, is the source; 10.253.0.2 is the destination)

It looks like the remote device (the VPN peer) tries to talk to the local service, but when the local service tries to "talk back" there's an issue.

On the complex server, it's basically the same, but I can't access the main UI as it forwards automatically to the local domain (unraid.privateFQDN.org) and it stops there. Dockers on the Unraid server (using the IP address) connect perfectly.

Edit:

Found the fix for the issue. Not sure why my config is causing it, but the scenario here is asymmetric routing.

The solution is to enable "Bypass firewall rules for traffic on the same interface" under System/Advanced/Firewall & NAT:

[screenshot]

That fixes both of the issues described above.
  • 2 months later...
20 hours ago, mark seaton said:

I watched a few videos on setting this up with Unraid. I have DuckDNS set up and the port forwarding in my EdgeRouter X, but I don't see any shares in my network remotely; it says I am connected but nothing shows.

I'd recommend you go through the first two posts in the quickstart guide:

20 hours ago, mark seaton said:

I can't figure out how to remove all the old settings with WireGuard.

Change the slider from basic to advanced; that will enable the Delete Tunnel button.
On 7/17/2021 at 8:20 PM, ljm42 said:

I'd recommend you go through the first two posts in the quickstart guide:

OK, I got access to my Unraid GUI remotely using remote access to server, but I don't see any of my shares on my server. Am I missing something? Do I need to port forward SMB or something as well?
