mattbridges Posted October 13, 2020

> 1 minute ago, trurl said:
> Peer type of access is set to only allow connections to the server.

Thanks! Should it be remote access to lan or vpn tunneled access?
stetho Posted October 25, 2020

Hi,

Looking for a little bit of guidance for the correct options for my setup.

Quick bit of background - I have on my home network an Ubuntu box called 'externaldocker' which runs Docker hosted services that I want to access externally. It also runs WireGuard as a peer. On Digital Ocean I have a cheap VPC running NGinX as a proxy and also WG. I have all my DNS for things like nextcloud.mydomain.com pointing to the DO machine, NGinX proxies set up to do - for example - proxy_pass http://192.168.205.2:1880; which passes the traffic over the WG tunnel to externaldocker and serves my pages to my browser. It works seamlessly and adds an extra layer of security and means I don't have to worry about my ISP's dynamic DNS.

So getting to my problem - running NextCloud with all the other services on a machine with a 250Gb drive is a problem. I also have a 120Tb UnRAID server sitting on my network which seems a much more sensible home for NC and quite a few other services.

So I've installed the WG App on UnRAID but I cannot figure out how to configure it as a peer from the web interface. The documentation and the App are all worded to make UnRAID the server. I could set it up with UnRAID as the server and DO as the peer but that then introduces port forwarding and dynamic DNS to the equation and quite simply - I don't want to. I could also edit wg0.conf manually but I'd prefer to only go down that route if I know in advance that it works.

Has anyone else set up UnRAID as a WG peer and can give me some pointers?

Thanks
Steve
Poncho Posted October 29, 2020

Hi, I've followed the instructions over and over. I can connect to the VPN service but I'm either unable to access local addresses (LAN) or outside sites.

I have the right port forward configuration to my UnRaid Server
I have a noip ddns
I'm selecting remote tunneled access

Could you point me in the right direction?

My LAN is 192.168.200.0/24
My UnRaid server has a fixed IP of 192.168.200.205

Thanks!
dja Posted November 23, 2020

I have a FQDN that begins "45" and is a .com- but the GUI won't accept it...says invalid. Can this be addressed? I was able to manually edit the config file on the client side and it works, but would be nice if the GUI worked.
cA1pLPfENhOfT9pMGzu2 Posted November 30, 2020 (edited)

> On 10/30/2020 at 4:32 AM, Poncho said:
> Hi, I've followed the instructions over and over. I can connect to the VPN service but I'm either unable to access local addresses (LAN) or outside sites.
> I have the right port forward configuration to my UnRaid Server
> I have a noip ddns
> I'm selecting remote tunneled access
> Could you point me in the right direction?
> My LAN is 192.168.200.0/24
> My UnRaid server has a fixed IP of 192.168.200.205
> Thanks!

I have this same issue. I was able to get around the "no access to outside sites" by setting the DNS on the client. For me, that's a pihole on my network; however, I still cannot access a lot of internal addresses. I can access my router, my pihole, which is running on a different subnet on the router, and my unraid docker containers; however, VMs on unraid and other LAN services are unavailable.

Edited November 30, 2020 by cA1pLPfENhOfT9pMGzu2
Boldly_Goes Posted December 1, 2020

Hey there, I'm having issues getting the WireGuard figured out as well. I have Unraid Server 1 (192.168.33.x) and Unraid Server 2 (192.168.1.x) and two different locations. I want to map a share from Server 2 on Server 1 so that I can run remote backups (back up Server 1 files TO a share on Server 2).

I have WireGuard configured per the screenshot below AND the connection is good - handshake transmits data, if I hit the ping button I get a reply. So now what? If I try to map a share using Unassigned devices it can't find anything even when specifying the IP. Is there something else I'm supposed to do?
arich1055077 Posted January 28, 2021

Hello all! I am having some issues getting Wireguard to work on my unraid server. I have been searching all kinds of wireguard threads and nothing I have done has helped.

So, I want to make this clear that I don't think this is any kind of bug or error in the wireguard plug in. I think it's more likely that there is some setting in my greater internet setup that's preventing this from working. (I think this because I tried setting up wireguard on a Raspberry Pi with pivpn a while ago and couldn't get that to work either.)

So, this will be a long and hopefully very detailed post about my whole internet setup in hopes that someone knows the magic thing I need to do to get this working.

My internet provider is Century Link, and I have Fiber internet. So my internet hardware starts with an ONT (Optical Network Terminal). This is the box that turns the fiber optic cable into a normal RJ-45 ethernet cable. Then, the ONT is connected to a modem/router combo provided by century link that is set up in "transparent bridge" mode. Then, that is connected to my Linksys Velop router (parent node). There is also another Linksys Velop router (child node) in my system. Then that is where my unraid server resides.

I followed the quick start guide to the letter and no luck. I have set up a duckdns account and have a subdomain and all that. I am able to ping that subdomain just fine. However, when I go to add a peer and create the config for a client device they never work. I tried creating one for my phone. I used the remote tunneled access but was not able to access the internet, the LAN, or my server. And in the vpn manager on unraid that peer profile continues to say "last handshake: not recieved".

I have my port forwarded to my server from my linksys router.

I am a novice at any of this networking stuff so I am sorry if I missed some part of the needed information. If you need more information about any of my server settings or router settings or anything else, please don't hesitate to ask. I have been trying for many hours to try getting this working and I can't figure out what to do next. All help would be awesome. Thank you in advance!
reppmic Posted February 1, 2021

Sorry for double-post ... I posted it in dynamix wireguard topic but maybe somebody has an explanation here:

Hi, I installed wireguard this week, all works fine but I noticed one thing: even when I deactivate Wireguard or/and the open UDP Port on my router iOS „established“ a VPN connection (which is not working) but it shows „connected“ and the VPN Sign is in the upper right corner. Any ideas why?

Greetings
itimpi Posted February 1, 2021

> 12 minutes ago, reppmic said:
> Sorry for double-post ... I posted it in dynamix wireguard topic but maybe somebody has an explanation here:
> Hi, I installed wireguard this week, all works fine but I noticed one thing: even when I deactivate Wireguard or/and the open UDP Port on my router iOS „established“ a VPN connection (which is not working) but it shows „connected“ and the VPN Sign is in the upper right corner. Any ideas why?
> Greetings

I think you will find that is normal behavior on iOS. I have noticed in the past that the moment you try and activate any VPN (regardless of whether it connects successfully) the VPN symbol appears. You should be reporting this to Apple (if anyone) if you think this should be changed.
reppmic Posted February 1, 2021

> 2 minutes ago, itimpi said:
> I think you will find that is normal behavior on iOS. I have noticed in the past that the moment you try and activate any VPN (regardless of whether it connects successfully) the VPN symbol appears. You should be reporting this to Apple (if anyone) if you think this should be changed.

Mhhh, but when I use openVPN or IPsec it has the normal behaviour. When port is closed or VPN server is offline the VPN did not start.
itimpi Posted February 1, 2021

> Just now, reppmic said:
> Mhhh, but when I use openVPN or IPsec it has the normal behaviour. When port is closed or VPN server is offline the VPN did not start.

I have had this behaviour with other VPN type connections from my iPad. In your case maybe it is something in the iOS WireGuard app. Certainly not anything that Unraid can do anything about.
Bullerwins Posted February 2, 2021

Hi! New in unRaid. I want to set a VPN connection to be able to remotely access my unraid server, and also a commercial VPN (I'm using mullvad) to be able to make outgoing connections encrypted too. I don't know if this is possible or has been discussed before, but I haven't seen this case I think.

I managed to set up a wireguard to be able to remotely connect to unraid and it works fine. But I'm trying to also add the mullvad wireguard configuration and it doesn't work. I don't even know the process needed.

My idea was having 2 wireguard configs, but when I add the Mullvad VPN setup my external IP changes, so I have to change also the other VPN config. I have also opened in mullvad a port to use. But it doesn't work. I'm not even sure if the steps I'm doing are the correct ones for my purpose.
ljm42 Posted February 3, 2021

> On 2/2/2021 at 2:02 AM, Bullerwins said:
> Hi! New in unRaid. I want to set a VPN connection to be able to remotely access my unraid server, and also a commercial VPN (I'm using mullvad) to be able to make outgoing connections encrypted too. I don't know if this is possible or has been discussed before, but I haven't seen this case I think.
> I managed to set up a wireguard to be able to remotely connect to unraid and it works fine. But I'm trying to also add the mullvad wireguard configuration and it doesn't work. I don't even know the process needed.
> My idea was having 2 wireguard configs, but when I add the Mullvad VPN setup my external IP changes, so I have to change also the other VPN config. I have also opened in mullvad a port to use. But it doesn't work. I'm not even sure if the steps I'm doing are the correct ones for my purpose.

The WireGuard Quickstart post is the best place to start when setting up WireGuard: https://forums.unraid.net/topic/84226-wireguard-quickstart/

Near the top is a mention of "VPN tunneled access", which links to a separate post to discuss using a commercial WireGuard VPN provider: https://forums.unraid.net/topic/84316-wireguard-vpn-tunneled-access/

"VPN tunneled access" has several limitations and is more experimental at this point.
ljm42 Posted February 3, 2021

> On 2/1/2021 at 1:25 AM, reppmic said:
> even when I deactivate Wireguard or/and the open UDP Port on my router iOS „established“ a VPN connection (which is not working) but it shows „connected“ and the VPN Sign is in the upper right corner.

It is unfortunate / misleading terminology on the client, not something that we control. What the client means is that the tunnel has started on the client's side and is waiting for something to happen.

If the corresponding WireGuard tunnel on the Unraid side is also active/started and if DDNS/port forwards/etc are all set up correctly then the two ends will connect and the Unraid dashboard will show a "handshake" and data being transferred.
ljm42 Posted February 3, 2021

> On 1/28/2021 at 1:18 PM, arich1055077 said:
> Then, that is connected to my Linksys Velop router (parent node) There is also another Linksys Velop router (child node) in my system.

Are you Double-NAT'd? It is very difficult to get port forwarding to work in a Double-NAT situation.

If you are sure that is not the case, then I need to mention that WireGuard is designed to fail silently, which is wonderful from a security perspective but it makes things very difficult to troubleshoot. I have tried to consolidate all of the troubleshooting ideas in the first two posts here:
ljm42 Posted February 3, 2021

> On 11/30/2020 at 5:33 PM, Boldly_Goes said:
> I have WireGuard configured per the screenshot below AND the connection is good - handshake transmits data, if I hit the ping button I get a reply. So now what? If I try to map a share using Unassigned devices it can't find anything even when specifying the IP. Is there something else I'm supposed to do?

"Remote tunneled access" is not the right connection type for this. Please turn on help or see the first post here: https://forums.unraid.net/topic/84226-wireguard-quickstart/

You want either "Server to Server" or "LAN to LAN". For full "LAN to LAN" support see https://forums.unraid.net/topic/88906-lan-to-lan-wireguard/
ljm42 Posted February 3, 2021

> On 11/22/2020 at 10:05 PM, dja said:
> I have a FQDN that begins "45" and is a .com- but the GUI won't accept it...says invalid. Can this be addressed? I was able to manually edit the config file on the client side and it works, but would be nice if the GUI worked.

Sorry for the delay. I can't reproduce this though. Would you please PM me the FQDN you are trying to use and a screenshot of the error?
ljm42 Posted February 3, 2021

> On 10/25/2020 at 4:51 AM, stetho said:
> So I've installed the WG App on UnRAID but I cannot figure out how to configure it as a peer from the web interface. The documentation and the App are all worded to make UnRAID the server. I could set it up with UnRAID as the server and DO as the peer but that then introduces port forwarding and dynamic DNS to the equation and quite simply - I don't want to. I could also edit wg0.conf manually but I'd prefer to only go down that route if I know in advance that it works.
> Has anyone else set up UnRAID as a WG peer and can give me some pointers?

We do tend to talk about servers and clients here because that is the easiest way to describe it. But in WireGuard there isn't really a concept of server or client, everybody is just a peer.

Using the interface, I think the "server to server" access type will let you do what you want, just ignore the local endpoint field. This means that the remote side won't be able to start the connection, you'll need to do it from Unraid.

If you don't want to use the interface to fill out the form you can create your own .conf file and import it instead (the import button is in the upper left corner of the interface).
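Added example, not part of ljm42's post and not a config generated by Unraid: a pair of wg-quick style configs for the layout discussed above, where the Unraid side sits behind NAT with no port forward and starts the connection, and the VPS side has no Endpoint for it. The keys are placeholders, and the 10.253.0.0/24 tunnel addresses, port 51820 and vps.example.com are assumed values.

```ini
# Constructed example. <...> values are placeholders, addresses are assumed.

# ---- Side A: Unraid, behind NAT, initiates the tunnel ----
[Interface]
PrivateKey = <UNRAID_PRIVATE_KEY>
Address = 10.253.0.2/32
# No port forward or DDNS is needed on this side: it only sends outbound UDP
# to the VPS and receives the replies on the same NAT mapping.

[Peer]
PublicKey = <VPS_PUBLIC_KEY>
# The one fixed, publicly reachable address in the setup.
Endpoint = vps.example.com:51820
# Only the VPS tunnel address is routed to, and accepted from, this peer.
AllowedIPs = 10.253.0.1/32
# Send a keepalive every 25 s so the NAT mapping stays open and the VPS
# (for example its reverse proxy) can reach Unraid through the tunnel at any time.
PersistentKeepalive = 25

# ---- Side B: VPS with a static public IP ----
[Interface]
PrivateKey = <VPS_PRIVATE_KEY>
Address = 10.253.0.1/32
ListenPort = 51820

[Peer]
PublicKey = <UNRAID_PUBLIC_KEY>
# Only 10.253.0.2 is accepted as a source address from this key.
AllowedIPs = 10.253.0.2/32
# No Endpoint line: this side cannot start the connection. It learns where
# Unraid currently is from the source address of the latest authenticated
# packet, so a changing home IP does not matter.
```

Keeping AllowedIPs on the VPS side at the single /32 means a compromised VPS-facing key can only ever source traffic as that one tunnel address.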
ljm42 Posted February 5, 2021

> On 11/22/2020 at 10:05 PM, dja said:
> I have a FQDN that begins "45" and is a .com- but the GUI won't accept it...says invalid. Can this be addressed? I was able to manually edit the config file on the client side and it works, but would be nice if the GUI worked.

> On 2/3/2021 at 12:06 PM, ljm42 said:
> Sorry for the delay. I can't reproduce this though. Would you please PM me the FQDN you are trying to use and a screenshot of the error?

Thanks for the details @dja

So the issue was capital letters, numbers are fine but the validation routine will only accept lowercase letters. I am working on a fix for the next release that will automatically change capital letters to lowercase.
jmbrnt Posted February 20, 2021

Bit of a weird issue for me. I started up Dynamix' Wireguard plugin, following the blogpost on Unraid.net. Worked perfectly with my Macbook, using the `Remote Tunneled Access` mode. Great.

Then I went and added another peer (I wanted to use my phone too). After clicking 'Add peer' and generating the keys, I clicked Apply or whatever and... Lost access. No go at all. Can't even connect back to the server to undo what I did.

Is that expected behavior? Note, I only generated new keys for the new peer, so I didn't expect to get locked out.

Any suggestions welcomed - and thanks for building such a simple/great system!
itimpi Posted February 20, 2021

> 16 minutes ago, jmbrnt said:
> Is that expected behavior?

I think that at the moment any time you make a change the underlying service gets disabled and you need to re-enable it again. Means you cannot make a change remotely when connected via WireGuard unless you have an alternative way into the server. Whether it is intended to change this I have no idea.
jmbrnt Posted February 20, 2021

> 1 minute ago, itimpi said:
> I think that at the moment any time you make a change the underlying service gets disabled and you need to re-enable it again. Means you cannot make a change remotely when connected via WireGuard unless you have an alternative way into the server. Whether it is intended to change this I have no idea.

Ah well at least the symptom makes sense. Not so sure if the cause does. I could understand a restart or reload... cheers
uek2wooF Posted March 13, 2021

I want something between "remote access to lan" and "remote tunneled access". Basically I just want to add another network route for the client through wg. I believe this should go in "peer allowed IPs" but unraid is putting that route on itself to the tunnel. I think this is a bug. If I download the config to the client and then edit it and add the net to "peer allowed IPs" everything works as expected.
ljm42 Posted March 14, 2021

> 21 hours ago, uek2wooF said:
> I want something between "remote access to lan" and "remote tunneled access". Basically I just want to add another network route for the client through wg. I believe this should go in "peer allowed IPs" but unraid is putting that route on itself to the tunnel. I think this is a bug. If I download the config to the client and then edit it and add the net to "peer allowed IPs" everything works as expected.

The WireGuard protocol has an "AllowedIPs" field in both the server's config file and the peer's config file. They are different. You can see the difference if you click the "eye" for the tunnel and compare it to the "eye" for the peer.

We provide direct access to the server's "AllowedIPs" entry for that peer using the webgui. We vary the peer's "AllowedIPs" field based on the "peer type of access" field. If you want to customize that further you are welcome to do that after downloading the config, which it sounds like you have already done.
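Added example, not part of ljm42's post and not Unraid's generated output: the two different "AllowedIPs" entries side by side, showing general WireGuard semantics for a phone peer. Keys are placeholders; the 10.253.0.0/24 tunnel range, the 192.168.200.0/24 LAN, the extra 10.20.30.0/24 network and vpn.example.com are assumed values.

```ini
# Constructed example. <...> values are placeholders, addresses are assumed.

# ---- Server side: the [Peer] entry for the phone in the tunnel config ----
[Peer]
PublicKey = <PHONE_PUBLIC_KEY>
# Inbound: packets decrypted with this key are dropped unless their source
# address is inside this list. Outbound: only traffic for these addresses
# is sent to this peer. For a single roaming client this stays a /32.
AllowedIPs = 10.253.0.3/32

# ---- Phone side: the [Peer] entry for the server in the downloaded config ----
[Peer]
PublicKey = <SERVER_PUBLIC_KEY>
Endpoint = vpn.example.com:51820
# Here AllowedIPs decides which destinations the phone sends into the tunnel.
# Use exactly one of the following lines.
#
# (a) reach only the server's tunnel address:
# AllowedIPs = 10.253.0.1/32
#
# (b) reach the server and the LAN behind it:
# AllowedIPs = 10.253.0.1/32, 192.168.200.0/24
#
# (c) send all IPv4 traffic through the tunnel:
# AllowedIPs = 0.0.0.0/0
#
# (d) hand-edited variant of (b) with one extra routed network. The server
#     must itself have a route to 10.20.30.0/24 and forward to it.
AllowedIPs = 10.253.0.1/32, 192.168.200.0/24, 10.20.30.0/24
```

Widening the list on the phone changes what the phone routes into the tunnel; it does not change which source addresses the server accepts from that key, which is still governed by the server-side entry.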
uek2wooF Posted March 15, 2021

> 6 hours ago, ljm42 said:
> We provide direct access to the server's "AllowedIPs" entry for that peer using the webgui. We vary the peer's "AllowedIPs" field based on the "peer type of access" field. If you want to customize that further you are welcome to do that after downloading the config, which it sounds like you have already done.

Ah ok. Well it is easy to do on a laptop but sort of a pain on a phone. It would be nice to customize it from the unraid gui.

Thanks.