Setting Up WireGuard® on Unraid



Thanks for the reply,
 
I've added a static route now on both configs -
STQICcK.png
 
Some improvements, but I'm still having some issues.
 
On the simple server -
I can now connect to the Unraid UI and to the pfSense UI, but I still can't access anything else on the network.
I've tried the firewall rules because of the firewall log:
 
I0OEbuu.png
(first one 192.168.0.31:8123 is the source, the 10.253.0.2 is the destination)
 
It looks like the remote device (the VPN peer) tries to talk to the local service, but when the local service tries to "take back" there's an issue.
 
On the complex server, it's basically the same + but I can't access the main UI as it forwards automatically to the local domain (unraid.privateFQDN.org) and it stops there. Dockers on the Unraid server (using the IP address) connect perfectly.
 
 
Edit:
Found the fix for the issue, not sure why my config is causing it - but the scenario here is Asymmetric Routing.
The solution is to enable "Bypass firewall rules for traffic on the same interface" under System/Advanced/Firewall & NAT:
xJGqHNR.png
 
That fixes both of the issues described above.

The gateway you created in pfsense for Unraid; what “interface” would that be? Can you share your gateway info for Unraid from pfSense, please?

016ef85772f11d99fc1d55ccc9346483.png
Link to comment
56 minutes ago, mark seaton said:

Ok I got access to my Unraid GUI remotely using remote access to server, but I don't see any of my shares on my server? am I missing some thing, do I need to port forward SMB or something as well?

 

If you chose "Remote access to server" then you need to connect to the server using the tunnel IP address as mentioned on the Wireguard settings page. You should see something like this:

 

image.png

 

So if the remote client is a Windows box you would go to the search bar and type:

  \\10.252.1.1

and Windows would use SMB to connect to that IP address. 

  • Like 1
Link to comment
17 hours ago, ljm42 said:

So if the remote client is a Windows box you would go to the search bar and type:

  \\10.252.1.1

and Windows would use SMB to connect to that IP address. 

So if my unraid server was 192.168.1.109 and a share on it was say movies then in windows i would use

 

\\192.168.1.109\movies

 

and I would have to do this for each of my shares on my Unraid box

 

I can also Map Network drive in windows correct?

 

Is the reason for this because WireGuard is a silent VPN and does not allow SMB and NTF broadcasting?

 

Edited by mark seaton
Link to comment
9 minutes ago, mark seaton said:

So if my unraid server was 192.168.1.109 and a share on it was say movies then in windows i would use

 

\\192.168.1.109\movies

 

Is that the server's LAN address?

 

If you connected with "remote access to server", then you will not have access to the LAN IP address. You need to use the server's tunnel IP listed in the webgui

 

If you want to access the server's LAN address then choose "remote access to LAN" instead.

 

10 minutes ago, mark seaton said:

I can also Map Network drive in windows correct?

 

sure

 

10 minutes ago, mark seaton said:

Is the reason for this because WireGuard is a silent VPN and does not allow SMB and NTF broadcasting?

 

It is related to DNS. See the "About DNS" portion of the first post here: https://forums.unraid.net/topic/84226-wireguard-quickstart/ 

 

Link to comment
On 7/21/2021 at 2:01 PM, ljm42 said:

 

Is that the server's LAN address?

 

If you connected with "remote access to server", then you will not have access to the LAN IP address. You need to use the server's tunnel IP listed in the webgui

 

If you want to access the server's LAN address then choose "remote access to LAN" instead.

I changed the connection to "remote access to LAN" and I still can't connect to the shares on my Unraid server, which has a LAN IP of 192.168.1.109. What am I missing?

 

Here is a screen shot of my settings, the blanked out is my duckdns

image.thumb.png.f900538c143e563fc16f7246460ab0d5.png

Link to comment
26 minutes ago, mark seaton said:

I changed the connection to "remote access to LAN" and I still can't connect to the shares on my Unraid server, which has a LAN IP of 192.168.1.109. What am I missing?

How are you accessing the server? You'll want to do it by IP address \\192.168.1.109

 

26 minutes ago, mark seaton said:

Here is a screen shot of my settings, the blanked out is my duckdns

In the lower right corner it says "handshake not received". I don't think you are making a connection. I'd recommend starting over and going through the quickstart guide a step at a time.

 

As mentioned elsewhere, troubleshooting WireGuard is very tough because it fails silently. And all of the info someone would need to help you is private so you can't really share it.  The second post of the quickstart guide has a list of things for you to check.

  • Like 1
Link to comment

Hi,

 

I am also having difficulties connecting to my SMB shares via WireGuard. I did set up everything according to the steps described on the site of Unraid and I am able to connect to my Unraid server and browse the webgui, both from the tunneled IP (10.253.0.1) as the internal IP address (192.168.1.254).

 

Whenever I try to connect to the SMB shares it simply gives me the message that it can't connect. I tried the following:

  1. Remote tunneling
  2. Remote access to server
  3. Remote access to LAN

Neither of these options give the direct access to the SMB shares of Unraid. I attached my current configuration, hopefully someone can help me out!

 

Thanks in advance!

 

WireGuard issue.png

Link to comment
3 hours ago, Rexl said:

Hi,

 

I am also having difficulties connecting to my SMB shares via WireGuard. I did set up everything according to the steps described on the site of Unraid and I am able to connect to my Unraid server and browse the webgui, both from the tunneled IP (10.253.0.1) as the internal IP address (192.168.1.254).

 

Whenever I try to connect to the SMB shares it simply gives me the message that it can't connect. I tried the following:

  1. Remote tunneling
  2. Remote access to server
  3. Remote access to LAN

Neither of these options give the direct access to the SMB shares of Unraid. I attached my current configuration, hopefully someone can help me out!

 

Thanks in advance!

 

WireGuard issue.png

Got it to work with the help of this Reddit post: 

 

https://www.reddit.com/r/unRAID/comments/j676ce/wireguard_troubles_can_access_shares_from_phone/

 

Added the account reference via the account manager in Windows and everything worked like a charm!

Link to comment
  • 2 months later...
  • 2 weeks later...

Hey folks - I got Wireguard set up but I noticed something strange. I am on the Version 6.9.2 of Unraid, and I added the Wireguard plugin (and ensured it was updated) - but my VPN icon is the older one. Not the Wireguard one. 

I set everything up and it appears to be working on, but found that part odd.

Screen Shot 2021-10-27 at 08.52.18.png

Link to comment
  • 4 weeks later...
29 minutes ago, SonOfTux said:

Can't install this on Unraid v6.10rc2. It's saying the max version is 6.9.9. Anyway this can be fixed? or is there a real incompatibility with v6.10 and later?

There is nothing needed to be installed as on 6.10.0.rc1 and later it is all built into the standard release.

  • Like 1
Link to comment
  • 3 weeks later...

So I did some light digging and came up light on answers - but I've been running this plugin happily for quite a while. I JUST experienced an issue where I happened to be on a subnet that had the same range as my Unraid server subnet - this seemed to break my WireGuard plugin and my dirty reddit and news traffic was exposed to whatever wifi network I was on.

 

I was curious how I would go about setting the WireGuard plugin to operate on a totally unique VLAN/subnet that I would set up on my Ubiquiti gear - are there any guides/howtos/cheatsheets/etc on this process?

 

any help would be appreciated 

Link to comment

Thank you for putting up this guide, it was very clear and easy to follow. The only issue I am running into is that a laptop that I am setting up with Wireguard is unable to establish a network share while running the Wireguard connection. 

 

Its IP before connecting is a standard 192.168.x.x address, and then it gets a 10.253.0.x connection afterwards. I have port forwarding set up on the router, and from within the VPN Manager I can ping the endpoint, but I cannot map the share from the client PC. If I try to ping the server from the client side using the DNS server address it fails, though using the endpoint address does get a response. I have tried to map this using the server name, the DNS server, and the endpoint address but they all fail. I know this server works because I can connect using both my desktop connected directly to the router as well as my Android phone that is running WireGuard. So overall I am just very confused where I am going wrong.

 

If needed I can provide screenshots of my setup if you think that would help.

Link to comment
On 7/26/2021 at 1:35 PM, Rexl said:

Got it to work with the help of this Reddit post: 

 

https://www.reddit.com/r/unRAID/comments/j676ce/wireguard_troubles_can_access_shares_from_phone/

 

Added the account reference via the account manager in Windows and everything worked like a charm!

 

Sounds like this might be similar to the issue I am running into. I think I have tried to add the account in question when I originally was pulling my hair out trying to set this up months ago, and I have also done the signing in with different credentials setting with an account I know that works with no luck. Do you have any instructions that helped you?

 

Thanks!

Link to comment
On 7/24/2021 at 11:46 AM, mark seaton said:

I changed the connection to "remote access to LAN" and I still can't connect to the shares on my Unraid server, which has a LAN IP of 192.168.1.109. What am I missing?

 

Here is a screen shot of my settings, the blanked out is my duckdns

image.thumb.png.f900538c143e563fc16f7246460ab0d5.png

 

Did you ever manage to figure this one out? I am having a lot of the same issue

Link to comment
On 7/21/2021 at 4:01 PM, ljm42 said:

 

Is that the server's LAN address?

 

If you connected with "remote access to server", then you will not have access to the LAN IP address. You need to use the server's tunnel IP listed in the webgui

 

If you want to access the server's LAN address then choose "remote access to LAN" instead.

 

 

sure

 

 

It is related to DNS. See the "About DNS" portion of the first post here: https://forums.unraid.net/topic/84226-wireguard-quickstart/ 

 

 

Thank you SO much! Connecting via the tunnel IP FINALLY fixed this. You are amazing

  • Like 1
Link to comment
On 10/27/2021 at 8:54 AM, Nexus said:

Hey folks - I got Wireguard set up but I noticed something strange. I am on the Version 6.9.2 of Unraid, and I added the Wireguard plugin (and ensured it was updated) - but my VPN icon is the older one. Not the Wireguard one. 

I set everything up and it appears to be working on, but found that part odd.

 

Sorry, I forget this thread exists, I tend to check this one more :)  https://forums.unraid.net/topic/84226-wireguard-quickstart/ 

 

 

Anyway, that is the correct icon. We were asked not to use the official Wireguard logo in the product.

Link to comment
On 12/11/2021 at 12:41 AM, SeattleBandit said:

So I did some light digging and came up light on answers - but I've been running this plugin happily for quite a while. I JUST experienced an issue where I happened to be on a subnet that had the same range as my Unraid server subnet - this seemed to break my WireGuard plugin and my dirty reddit and news traffic was exposed to whatever wifi network I was on.

 

I was curious how I would go about setting the WireGuard plugin to operate on a totally unique VLAN/subnet that I would set up on my Ubiquiti gear - are there any guides/howtos/cheatsheets/etc on this process?

 

any help would be appreciated 

 

When doing IP networking, you have to ensure there are no IP address conflicts between any of the networks involved.

 

There are three networks to worry about:

  1. Your home network. A lot of home routers default to 192.168.0.0/24
  2. The Wireguard tunnel. On Unraid this defaults to 10.252.0.0/24 but you can easily change the "Local tunnel network pool" if there is a conflict.
  3. The remote network. This cannot use the same IP space as either of the first two networks.

Because a lot of home networks default to 192.168.0.0/24, your best bet would be to change your home network to any other non-routable IP range:
  https://www.geeksforgeeks.org/non-routable-address-space/
Then the risk of matching another network is considerably lower.

 

So if you regularly connect with certain friends you could agree on something like this:

  • Larry uses 192.168.100.0/24
  • Moe uses 192.168.101.0/24
  • Curly uses 192.168.102.0/24

Then you can setup Wireguard tunnels between them without issue.

 

If there is a conflict between your home network and the remote network and you don't want to change the IPs at either place, then you can still use Wireguard to access your home server via the "remote access to server" option. With this option, you would connect to the server using its tunnel IP instead of its LAN IP. There is no way to make "Remote tunneled access" work when there are network conflicts like this.

  • Like 1
Link to comment
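The three-network check described in the post above, as an added example that is not part of the original thread or of Unraid's own code. The function names `find_conflicts` and `assess` and the scenarios are illustrative assumptions; the remedies returned are the ones the post gives.

```python
import ipaddress
from itertools import combinations

def find_conflicts(networks):
    """Return (name_a, name_b) pairs whose address ranges overlap.

    `networks` maps a label to a CIDR string. Overlap is checked on the
    ranges, so a /8 that contains a /24 counts as a conflict too.
    """
    parsed = {name: ipaddress.ip_network(cidr, strict=False)
              for name, cidr in networks.items()}
    return [(a, b) for a, b in combinations(parsed, 2)
            if parsed[a].overlaps(parsed[b])]

def assess(home, tunnel, remote):
    """Map each conflict to the remedy given in the post above."""
    conflicts = find_conflicts({"home": home, "tunnel": tunnel, "remote": remote})
    advice = []
    for pair in conflicts:
        if "tunnel" in pair:
            advice.append('change the "Local tunnel network pool"')
        else:
            advice.append('renumber the home network, or use "remote access '
                          'to server" and connect to the tunnel IP')
    return conflicts, advice

if __name__ == "__main__":
    # Constructed scenarios (not taken from any poster's real setup).
    scenarios = {
        "public Wi-Fi reuses the home range":
            ("192.168.0.0/24", "10.252.0.0/24", "192.168.0.0/24"),
        "remote site uses all of 10/8":
            ("192.168.100.0/24", "10.252.0.0/24", "10.0.0.0/8"),
        "agreed, distinct ranges":
            ("192.168.100.0/24", "10.252.0.0/24", "192.168.101.0/24"),
    }
    for label, nets in scenarios.items():
        conflicts, advice = assess(*nets)
        print(f"{label}: {conflicts or 'no conflicts'}")
        for line in advice:
            print(f"  -> {line}")
```

Running this against the network a client is currently on, before bringing the tunnel up, shows whether traffic can be expected to route through WireGuard at all.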
4 hours ago, ljm42 said:

There are three networks to worry about:

  1. Your home network. A lot of home routers default to 192.168.0.0/24
  2. The Wireguard tunnel. On Unraid this defaults to 10.252.0.0/24 but you can easily change the "Local tunnel network pool" if there is a conflict.
  3. The remote network. This cannot use the same IP space as either of the first two networks.

 

so there is no way to have the wireguard plugin set to use a VLAN instead of the servers primary subnet?

because changing my server to a new subnet would be a pita

Link to comment
10 minutes ago, SeattleBandit said:

so there is no way to have the wireguard plugin set to use a VLAN instead of the servers primary subnet?

because changing my server to a new subnet would be a pita

 

No, this does the basics. If you want to get complicated and add vlans and such, I'd recommend you add VPN to your router.

Link to comment
  • 2 months later...

Could someone help me with configuration? My goal is to have my personal laptop use WireGuard via my Unraid server and use a local IP address within my home network. Can I pull a local address within my house with this? My current configuration connects successfully. I've followed a number of the easy write-ups that I've seen between here and web searches. Perhaps I just don't understand the correct use case of this.

 

My internal network is using 192.168.86.x if that helps.

Link to comment
  • 2 months later...

Quick question, 
Managed to get wireguard functional and connected successfully using remote tunneled access.
However, I cannot hit any of my services on other VLANs within my network. 
Is there an ability to talk between VLANs from the peer tunnel address?

10.253.*.* > tunnel address
I can access my server IP of the WG server without issue
However, any other systems on the same subnet as WG server I cannot ping.

 

VLANs
10.200.*.*

I don't see the WG client within my DHCP table on my gateway, but that's due to WG running inside of unraid I am pretty sure.
I am not sure if setting up a f/w rule to allow 10.253.*.* to other VLANs will work as the gateway is not seeing the 10.253.*.* client to begin with.

I am puzzled how to access other services (RDP) and even ping those systems while connected to WG


Thanks,

Edited by bombz
Link to comment
  • 2 weeks later...

Hi everyone I posted the same question but not in this forum I installed everything correct you as per guides but when I connect via Wi-Fi I have no problem surfing puts from off the net it freezes everything if I activate WG why?

Link to comment
