LAN to LAN WireGuard


ljm42

It is possible to set up a LAN to LAN VPN connection between two Unraid systems running WireGuard. The steps below should work on simple networks; if yours is more complicated, you'll need to figure out how to adapt it. This assumes you already have at least one working WireGuard connection and are familiar with how it works.

First, gather the following information for your two networks. The names and numbers below are samples; you'll need to adjust them for your situation:

Network1: 192.168.1.0/24
Router1:  192.168.1.1
Unraid1:  192.168.1.50
Endpoint1 DNS: network1.duckdns.org
Endpoint1 Port: 52001

Network2: 192.168.2.0/24
Router2:  192.168.2.1
Unraid2:  192.168.2.50
Endpoint2 DNS: network2.duckdns.org
Endpoint2 Port: 52002

VPN Tunnel: 10.252.100.0/24
Unraid1 tunnel IP: 10.252.100.1
Unraid2 tunnel IP: 10.252.100.2

A few things:

  • Note that Network1 and Network2 *have* to be different. For instance, you can't connect two networks that both use the 192.168.0.0/24 subnet.
  • You also need to pick a VPN Tunnel subnet that is not being used on either network; it must be unique.
  • You need to set up DDNS for both networks as well. LSIO has a nice Duck DNS docker you can use if needed.

On Unraid1:

  • Create a new Tunnel named "Network1-Network2". Don't add a peer to an existing tunnel; it is better if this is a separate tunnel so you can easily turn it off without affecting your other WireGuard connections.
  • Switch to Advanced Mode
  • Click "Generate Keypair". These are the private and public keys for Unraid1, you will need them later.
  • Set the "local tunnel network pool" to the "VPN Tunnel" you chose above
  • Set the "local tunnel address" to the "Unraid1 tunnel IP" from above
  • Set the "Local endpoint" to the "Endpoint1 DNS" and "Endpoint1 Port" defined above
  • Click Apply

  • Click Add Peer
  • Name it "Unraid2"
  • Choose "LAN to LAN access"
  • Click "Generate Keypair". These are the private and public keys for Unraid2, you will need them later.
  • Click "Generate Key". This is the preshared key, you will need it later.
  • Set the "Peer tunnel address" to the "Unraid2 tunnel IP" defined above
  • Set the "Peer endpoint" to the "Endpoint2 DNS" and "Endpoint2 Port" defined above
  • Set "Peer allowed IPs" to the "VPN Tunnel" and "Network2" defined above, with a comma between. i.e. "10.252.100.0/24, 192.168.2.0/24"
  • Click Apply
  • Start the Tunnel

On Router1:

  • If UPnP is disabled, set up a port forward for "Endpoint1 Port" (UDP) that points to "Unraid1"
  • Set up a static route for all of "Network2" that is routed through "Unraid1". Note that if your router asks for a subnet mask, 255.255.255.0 is the equivalent of /24.
  • Set up a second static route for "VPN Tunnel" that is also routed through "Unraid1".

On Unraid2:

  • Create a new Tunnel named "Network2-Network1".
  • Switch to Advanced Mode
  • Copy the private and public keys for Unraid2 that you determined above. Take care to use the correct keys or none of this will work.
  • Set the "local tunnel network pool" to the "VPN Tunnel" you chose above
  • Set the "local tunnel address" to the "Unraid2 tunnel IP" from above
  • Set the "Local endpoint" to the "Endpoint2 DNS" and "Endpoint2 Port" defined above
  • Click Apply

  • Click Add Peer
  • Name it "Unraid1"
  • Choose "LAN to LAN access"
  • Copy the private and public keys for Unraid1 that you determined above
  • Copy the preshared key from above
  • Set the "Peer tunnel address" to the "Unraid1 tunnel IP" defined above
  • Set the "Peer endpoint" to the "Endpoint1 DNS" and "Endpoint1 Port" defined above
  • Set "Peer allowed IPs" to the "VPN Tunnel" and "Network1" defined above, with a comma between. i.e. "10.252.100.0/24, 192.168.1.0/24"
  • Click Apply
  • Start the Tunnel

On Router2:

  • If UPnP is disabled, set up a port forward for "Endpoint2 Port" (UDP) that points to "Unraid2"
  • Set up a static route for all of "Network1" that is routed through "Unraid2".
  • Set up a second static route for "VPN Tunnel" that is also routed through "Unraid2".

Hopefully :) at this point your tunnels will connect and devices on one network will be able to reach devices on the other network (by IP address at least, probably not by name).

Troubleshooting this will be tough; there is a lot of room for error. I don't have a lot of advice here, just double check that you are using the right values for Unraid1 vs Unraid2 and Network1 vs Network2, etc.

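The guide above sets every value through the Unraid GUI. As an added example, which is not ljm42's own code and not anything Unraid generates, the Python script below takes the sample values from the post, checks the planning rules the post lists (the two LANs must differ, the tunnel subnet must be unused on both sides, each address must sit inside its subnet), and prints the equivalent wg-quick configuration for each end plus the two static routes each LAN router needs. The key strings are placeholders, the PersistentKeepalive line is an assumption the post does not mention, and the Address prefix length follows the "local tunnel network pool". Anyone with a plain Linux box on one end (as in later replies) can take the matching [Interface]/[Peer] block as a starting point.

```python
"""Build wg-quick configs for both ends of the LAN-to-LAN tunnel described in
the first post and check the planning rules it lists.
Added example, not the Unraid GUI's output.  Addresses are the post's sample
values; the key strings are constructed placeholders, not real keys."""
import ipaddress
from dataclasses import dataclass


@dataclass
class Site:
    name: str         # e.g. "Unraid1"
    lan: str          # LAN behind this WireGuard host, e.g. "192.168.1.0/24"
    host_ip: str      # LAN address of the WireGuard host itself
    tunnel_ip: str    # this host's address inside the tunnel
    endpoint: str     # public DNS name and UDP port as "host:port"
    private_key: str  # placeholder; never put real keys in a script like this
    public_key: str


TUNNEL = "10.252.100.0/24"                  # "VPN Tunnel" from the post
PSK = "<preshared-key-placeholder>"         # "Generate Key" output in the GUI

SITE1 = Site("Unraid1", "192.168.1.0/24", "192.168.1.50", "10.252.100.1",
             "network1.duckdns.org:52001", "<unraid1-private-key>", "<unraid1-public-key>")
SITE2 = Site("Unraid2", "192.168.2.0/24", "192.168.2.50", "10.252.100.2",
             "network2.duckdns.org:52002", "<unraid2-private-key>", "<unraid2-public-key>")


def plan_errors(a: Site, b: Site, tunnel: str = TUNNEL) -> list[str]:
    """Return the planning rules from the post that this pair of sites violates."""
    errors = []
    lan_a, lan_b, tun = (ipaddress.ip_network(x) for x in (a.lan, b.lan, tunnel))
    # Rule 1: the two LANs must not overlap, otherwise routing is ambiguous.
    if lan_a.overlaps(lan_b):
        errors.append(f"{a.name} LAN {lan_a} overlaps {b.name} LAN {lan_b}")
    # Rule 2: the tunnel subnet must be unused on either side.
    for site, lan in ((a, lan_a), (b, lan_b)):
        if tun.overlaps(lan):
            errors.append(f"tunnel {tun} overlaps {site.name} LAN {lan}")
    # Sanity: each address must belong to the subnet it is used in.
    for site in (a, b):
        if ipaddress.ip_address(site.tunnel_ip) not in tun:
            errors.append(f"{site.name} tunnel IP {site.tunnel_ip} is outside {tun}")
        if ipaddress.ip_address(site.host_ip) not in ipaddress.ip_network(site.lan):
            errors.append(f"{site.name} host IP {site.host_ip} is outside its LAN {site.lan}")
    return errors


def allowed_ips(remote: Site, tunnel: str = TUNNEL) -> str:
    """Peer AllowedIPs = tunnel subnet plus the remote LAN, as the post specifies."""
    return f"{tunnel}, {remote.lan}"


def wg_quick_config(local: Site, remote: Site, tunnel: str = TUNNEL) -> str:
    """wg-quick style [Interface]/[Peer] text for `local`, peering with `remote`."""
    listen_port = local.endpoint.rsplit(":", 1)[1]
    prefixlen = ipaddress.ip_network(tunnel).prefixlen
    return "\n".join([
        "[Interface]",
        f"PrivateKey = {local.private_key}",
        f"Address = {local.tunnel_ip}/{prefixlen}",
        f"ListenPort = {listen_port}",
        "",
        "[Peer]",
        f"# {remote.name}",
        f"PublicKey = {remote.public_key}",
        f"PresharedKey = {PSK}",
        f"Endpoint = {remote.endpoint}",
        f"AllowedIPs = {allowed_ips(remote, tunnel)}",
        "PersistentKeepalive = 25",   # assumption: keeps the UDP mapping alive behind NAT
        "",
    ])


def router_static_routes(local: Site, remote: Site, tunnel: str = TUNNEL) -> list[tuple[str, str]]:
    """(destination, gateway) pairs the LAN router at `local` needs, per the post."""
    return [(remote.lan, local.host_ip), (tunnel, local.host_ip)]


if __name__ == "__main__":
    problems = plan_errors(SITE1, SITE2)
    print("plan OK" if not problems else "\n".join(problems))
    print(wg_quick_config(SITE1, SITE2))
    print(wg_quick_config(SITE2, SITE1))
    for site, other in ((SITE1, SITE2), (SITE2, SITE1)):
        for dest, gw in router_static_routes(site, other):
            print(f"router at {site.name}: route {dest} via {gw}")
```

Swapping the two LANs to the same subnet, or moving the tunnel into one of them, makes `plan_errors` report the conflict before anything is typed into a GUI.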
30 minutes ago, w^w said:

@ljm42 thanks for this detailed info about LAN-LAN config. Based on your work I successfully configured the Server-Server feature. I have one question: is it necessary to have two different ports (52001 on unraid1 and 52002 on unraid2) instead of one?

Great! Glad you were able to get it working.

The ports can be the same or different; it doesn't matter. I was just keeping with the theme of using a "1" in the Network1 items and a "2" in the Network2 items.

GUYS, please try to manually set the MTU if you are experiencing issues; this solved it for me.

Hi Guys,

unraid somehow seems to mess the LAN-LAN scenario up:

My Site:
192.168.178.0/24
192.168.178.100 unraid

Remote site:
192.168.179.0/24
192.168.179.100 ubuntu-box

wireguard unraid (My Site): [screenshot of the Unraid tunnel settings]

wireguard ubuntu (Remote Site):

[Interface]
PrivateKey=redacted
Address=10.42.1.2/32
ListenPort=12345

[Peer]
PresharedKey=redacted
PublicKey=redacted
Endpoint=toelle.dyndns.info:12345
AllowedIPs=10.42.1.0/24, 192.168.178.0/24
PersistentKeepalive=120

ICMP (Ping):

end-client (remote-site) -> ubuntu-box -> wireguard -> unraid -> Router (my site): OK

tracert:

Routenverfolgung zu FRITZ-NAS [192.168.178.1]
über maximal 30 Hops:

  1     *        5 ms     2 ms  fritz.box [192.168.179.1]
  2     2 ms     2 ms     2 ms  192.168.179.100
  3    14 ms    15 ms    16 ms  STORAGESERVER [10.42.1.1]
  4    17 ms    15 ms    16 ms  FRITZ-NAS [192.168.178.1]

Ablaufverfolgung beendet.

end-client (my site) -> unraid -> wireguard -> ubuntu-box -> Router (remote site): OK

tracert:

Routenverfolgung zu FRITZ-NAS [192.168.179.1]
über maximal 30 Hops:

  1    <1 ms    <1 ms    <1 ms  fritz.box [192.168.178.1]
  2    <1 ms    <1 ms    <1 ms  storageserver.fritz.box [192.168.178.100]
  3    13 ms    12 ms    12 ms  10.42.1.2
  4    13 ms    13 ms    12 ms  FRITZ-NAS [192.168.179.1]

Ablaufverfolgung beendet.

Everything up to here is fine, as it should be.

Now, when I try to open a webpage:

end-client (my site) -> router (remote site) OK!
end-client (remote site) -> router (my site) ERROR!
end client (remote site) -> Switch Management interface OK!
end client (remote site) -> Printer GUI OK!
end client (remote site) -> everything related to unraid ERROR!

tl;dr:

vpn established and running fine when just pinging stuff
access to web interfaces from remote site not working (except the cases above..)

I am really confused right now.

I would like to debug the following access first, to get an understanding:

end-client (remote site) -> router (my site)

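The short post above recommends setting the MTU by hand, and the pattern described in this post (ping succeeds across the tunnel while some web interfaces do not load) is one that an oversized tunnel MTU can produce, since a default ping easily fits inside the tunnel while a full-size TCP segment does not. As an added example, not from any poster in this thread, the Python below works out the WireGuard MTU budget from the fixed encapsulation overheads (outer IP header, UDP header, and the 32-byte WireGuard transport framing), the matching TCP MSS clamp, and the ping payload size that tests whether a given packet size crosses the tunnel without fragmentation. The underlay sizes (1500 for Ethernet, 1492 for PPPoE) are common defaults used here as sample inputs.

```python
"""WireGuard MTU budget.  Added example, not from any poster in the thread.
Constants are the fixed header sizes of the encapsulation: outer IPv4 header
20 bytes (IPv6: 40), UDP header 8 bytes, and the WireGuard transport-data
framing of 32 bytes (4 type, 4 receiver index, 8 counter, 16 Poly1305 tag)
around the encrypted inner packet.  1500 - 80 = 1420 is why the Linux
WireGuard device defaults to an MTU of 1420."""

OUTER_IP_HEADER = {4: 20, 6: 40}
UDP_HEADER = 8
WG_TRANSPORT_FRAMING = 32
INNER_IPV4_TCP_HEADERS = 20 + 20   # inner IPv4 header + TCP header without options
INNER_IPV4_ICMP_HEADERS = 20 + 8   # inner IPv4 header + ICMP echo header


def wireguard_mtu(underlay_mtu: int, outer_ip_version: int = 4) -> int:
    """Largest inner packet that rides in one outer datagram without fragmentation."""
    return underlay_mtu - OUTER_IP_HEADER[outer_ip_version] - UDP_HEADER - WG_TRANSPORT_FRAMING


def tcp_mss_clamp(tunnel_mtu: int) -> int:
    """MSS to clamp so an inner IPv4 TCP segment never exceeds the tunnel MTU."""
    return tunnel_mtu - INNER_IPV4_TCP_HEADERS


def ping_payload_for(tunnel_mtu: int) -> int:
    """`ping -s` value that yields an inner IPv4 packet of exactly tunnel_mtu bytes."""
    return tunnel_mtu - INNER_IPV4_ICMP_HEADERS


def fits(inner_packet_len: int, underlay_mtu: int, outer_ip_version: int = 4) -> bool:
    """True if an inner packet of this length crosses the tunnel unfragmented."""
    return inner_packet_len <= wireguard_mtu(underlay_mtu, outer_ip_version)


if __name__ == "__main__":
    # Sample underlays: Ethernet, Ethernet with an IPv6 endpoint, PPPoE.
    for underlay, ver in ((1500, 4), (1500, 6), (1492, 4)):
        mtu = wireguard_mtu(underlay, ver)
        print(f"underlay {underlay} over IPv{ver}: tunnel MTU {mtu}, "
              f"TCP MSS {tcp_mss_clamp(mtu)}, probe with: ping -M do -s {ping_payload_for(mtu)} <peer tunnel IP>")
    # A default ping (56-byte payload, 84-byte IPv4 packet) fits all of these;
    # a 1500-byte TCP segment from a LAN host does not, which is why "ping works
    # but web pages stall" points at MTU rather than routing.
    print(fits(84, 1500), fits(1500, 1500))
```

The `ping -M do -s <size>` form (Linux iputils) sets the Don't Fragment bit, so a failure at a given size shows that size does not cross the path; probing from a LAN host through the tunnel to the far tunnel IP, then lowering the WireGuard interface MTU to a value that passes, is the manual MTU adjustment the earlier post refers to.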
Hello!

I've been trying to set up a server to server access that, from what I understand, is like LAN to LAN but without the routing.

I followed the steps in the first post but I cannot get a handshake.

Here's what I configured (I will change the keys later when I get this working):

Server 1: [screenshot of the tunnel settings]

Server 2: [screenshot of the tunnel settings]

I have static IPs in both locations that I redacted for obvious reasons.

I forwarded port 51830 in both pfSenses.

For context, in both locations I already have a "remote access to LAN" setup with various clients that works fine (on a different port/tunnel, obviously).

I cannot get a handshake; do you have any idea what I'm doing wrong?

15 hours ago, exico said:

I cannot get a handshake; do you have any idea what I'm doing wrong?

Nothing stands out, the config looks ok.

What are you doing to initiate the handshake? Typically the systems won't connect until you actually try sending data. Try using the Ping button next to the tunnel IP.

13 hours ago, ljm42 said:

Nothing stands out, the config looks ok.

What are you doing to initiate the handshake? Typically the systems won't connect until you actually try sending data. Try using the Ping button next to the tunnel IP.

I'm an idiot 😆

Ping replied, got a handshake. I forgot that WireGuard does not initiate the connection until there is a request.

Gonna change the keys, thanks.

6 hours ago, exico said:

I'm an idiot 😆

Ping replied, got a handshake. I forgot that WireGuard does not initiate the connection until there is a request.

Gonna change the keys, thanks.

woot! And yeah, good idea to change all the keys :)


Hello guys,

I hope this topic isn't completely dead. I stumbled on this post and it's exactly what I'd like to do. I wanna link the LAN at my company with the one at my place. But I only have one unraid server at my place, so I decided to buy a Raspberry Pi 4. But now I'm struggling to understand (new to Linux).

Do I have to turn on only the tunnels or also connect the peers? If so, do I just do it through the command line in unraid?

Also, I seem to be struggling with one of two things. Either I can connect to the Raspberry's VPN server, but have no access to the internet nor the local LAN.

Or I manage to connect the peer / tunnel, but then when trying to connect the other one on the same device, I get the error that the address is already in use. I can send the exact command lines tomorrow as I've turned it off now.

Anyone encounter this?

Cheers,

Daniel.

1 hour ago, iltisdaniel said:

But I only have one unraid server at my place, so I decided to buy a Raspberry Pi 4. But now I'm struggling to understand (new to Linux).

The Unraid webgui hides the complexity of managing WireGuard config files. But since you don't have Unraid on the other end you'll need to actually understand how they work. Unfortunately, LAN to LAN is probably the most complicated of all the options :)

Your best bet to start would be to leave Unraid out of the equation, and work on getting one of your other clients to connect to the Raspberry Pi. You'll need to read the manuals or find guides elsewhere to do that. Once you understand how that works then you should be able to apply your knowledge to this guide and get LAN to LAN working between Unraid and the Raspberry Pi.


That's actually what I started working on. I'm trying to get my laptop to connect to the Raspberry at work and once I finish that and get it working, I'll see if I can connect the LAN.

I'm still somewhat confused whether the two tunnels (in the LAN (RASPI) to LAN (Unraid) connection) do the job, or if you also have to connect both peers.

Sorry. Noob.

Daniel.


Is a Server-to-Server configuration mandatory to get a LAN-to-LAN connection or does it also work with Server-Client?

I'm asking because I have already established a server-client connection. From the client side I can access everything on the server LAN.

The other way around I can only access LAN devices from my unraid server (on which the WireGuard server is installed). Other devices from the server LAN can't connect to the client LAN.

So just to get in the right direction of troubleshooting, is this a routing problem or is a server to server connection required?


Maybe this network drawing helps.

So, 192.168.8.0 (client) can connect to 192.168.3.0 (server) but not the other way around.

Since the client is an LTE router (GL-AP1300, OpenWrt) it's not that easy to let it work as a server (carrier-grade NAT for IPv4). Also, being new to OpenWrt doesn't really help.

I set the following static routes on the VLAN router:
- DestIP 192.168.8.0/24 GW 192.168.3.100
- DestIP 10.253.0.0/24 GW 192.168.3.100

The routes for Unraid were set automatically and are:
- 192.168.8.0/24 wg0
- 10.253.0.3 wg0

I did not set any routes on the LTE router.

Allowed IPs:
- Client side: 0.0.0.0/0
- Server side: 10.253.0.3, 192.168.8.0/24

I did not touch any firewall settings.

[network drawing]


Update:

I narrowed it down to the VLAN router. Somehow it doesn't route correctly. I set a route directly on my Windows PC and can now connect to the devices on the .8.0 net.

So for anyone reading this, a server to server connection is not mandatory if you want to connect devices between all networks.

