How To Set Up WireGuard on unRAID

unRAID 6.8 is soon to be released and within it lies a game changer for all of us, including those new to the homelab to those of us with more "advanced" setups. I am, of course, talking about WireGuard.


This is a companion discussion topic for the original entry at https://engineerworkshop.com/blog/how-to-set-up-wireguard-on-unraid/

Thank you for a great article. I have been wanting to do this. I think I did everything correctly, but I’m not getting DNS assigned. After much troubleshooting, I can ping and attach to my unRaid server using IP but not name resolution. Same with external sites (I’m guessing as I can ping 1.1.1.1 and 8.8.8.8 but not attach to a web site as I do not know any ones IPs. Any suggestions?
Thanks
Joe

Hi Joe,

Good troubleshooting steps. I agree, it sounds like DNS is not getting assigned. Did you assign a Peer DNS server in the VPN Manager? (If not, assign it to something like 1.1.1.1). Let me know how that works out!

-TorqueWrench

Thanks - I did not see that option. Should I assign it my home router so I can get to stuff on my home net or an external? Also do I need then to export the config again and re-import it to the client.
Thanks
Joe

Yeah, unfortunately the Peer DNS setting only appears after you create the peer (and you have to look for it by clicking the drop down arrow). You typically shouldn’t have to set it. If I am indeed correct, that makes me wonder if your unRAID server’s DNS settings are also off. (Can you ping weather.com from the terminal in unRAID?)

It depends on if your router is also running a DNS server- a lot do. First though, I’d check to make sure that this is actually the problem and just set it to a common DNS like 1.1.1.1 or 8.8.8.8. You will have to export the config again and re-import to the client.

hey mate, another great write up! I have been wanting to test WireGuard on my Unraid box for a while now. So I went through the steps, and it looks like everything is fine but I never get a handshake on my Unraid box in WireGuard, so its not fully connected.

I have set up my dynamic dns, I can ping that and get my current WAN IP, I have set up a NAT rule to forward UDP 51820 to my unraid IP, set up my peer with keys etc, created the tunnel on my iPhone in the WireGuard app using the QR code method - it connects and says its active, however Unraid says “last handshake not received”, and on my iphone I can’t hit the unraid box or my LAN. Also pftop and the firewall logs show no packets at all hitting pfsense for port 51820 either.

Not sure what is happened to be honest … any ideas?

Hey Blade,

Great investigation steps so far. Post your configuration records (with security keys removed) and I’ll take a look!

-TorqueWrench

this was a very easy guide to follow, I opened the file using wireguard on Mac and it connects, and allows me to use my Unraid. however, when I am connected through wireguard, I do not have access to any other webpages even if its on the same WIFI. why can’t I use the web when connected to wireguard? please help

Hi @marc_Webb,

Sorry for the delayed response, I was out on vacation last week. This sounds like a DNS issue. Can you ping individual IP addresses (such as 1.1.1.1)?

Try updating the WireGuard client config file (the one you’re using on your Mac), to include DNS = 1.1.1.1 under the [Interface] block. An example is shown here.

I think that should do the trick for you, but let me know if it doesn’t.

-TorqueWrench

Did you ever figure this out? I’ve been pulling my hair over this. I could never get a handshake to complete. It tries 20 times and dies.

I see on my router that “LAN access over internet” occurred and then hits the Unraid server. Then nothing opens. Can’t ping any boxes on the LAN. Doesn’t work on mobile either. I’ve tried asking a friend to connect with his Wifi and he gets the same errors.

Pretty sure it’s some setting on the Unraid server…

HI @bakon333,

I don’t know what “LAN access over internet” means on your router- are you seeing that in a log somewhere? How are you determining that it’s hitting the Unraid server? (And you’re sure the WireGuard tunnel is active in Unraid right? I have to ask, since it’s really easy for it to be off, especially if you haven’t set WireGuard to autostart).

There’s some other things that can be kind of tricky to set up with a regular Linux WireGuard install, but those shouldn’t be an issue since Unraid handles those things (stuff like getting the keys messed up).

Port forwarding set up correctly? Share your rule if you don’t mind.

Are you trying to access your WireGuard connection from your home network? If so, you might need to set up hairpinning/NAT reflection, though that wouldn’t explain your friend’s problem…

Alright so it turned out to be a routing table issue in Unraid. I couldn’t edit or delete the routes (only add). I swapped eth0 for the 10Gbe interface and added eth1 (1Gbe) to the bridge. Cleared up some of the weird entries and now it works. (shrug) Thanks anyway!

1 Like

Glad to hear it! :+1:

having some issues getting remote tunneled access fully working.

I have the Unraid plugin installed,
wireguard installed on my Windows 10 machine.

When connection is active, i can access my unraid server, dockers, my whole server, via IP addresses, and local host name such as my server http://big-d/Dashboard

I have never been able to access any local server or docker via external address such as https://russelo.duckdns.org/ while inside my network. they only work externally. I believe this is due to my ISP router not supporting pinhole something-or-other… issue for another day / forum. (just providing network oddity info that may help) gonna do pfsense or something someday

While connected to wireguard. i can access my unraid sever as stated above.
I cannot access the internet. no google, no amazon. na-da
Also i cannot see any other devices in Windows 10 “Network” explorer, the wifi network Im currentoy connected to is set to Private in windows 10, network discovery should be on. It works at home. Im currently not home

firewall rule

(new users cant post 2 images in one post.)

Sorry if this is super basic but how does one setup Wireguard on Unraid with a Pihole container if I have two NICs. Currently have all my dockers on custom IP addresses

Hi @TRusselo,

Hairpinning/loopback might be a problem, but it’s not the full problem. Hairpinning/loopback would be an issue if you couldn’t access any of your self-hosted services via their public URL. That would explain you not being able to access your network when using a dynamic DNS.

The rest of your problems (specifically not being able to access the internet when connected via WireGuard) sounds like a DNS issue. Try specifying a peer DNS server in your peer/client configuration (try 1.1.1.1) and seeing if you can access a website then (don’t forget to redownload/update your local client/peer).

Let me know how that works for you and we can discuss options.

-TorqueWrench

Hi @stefan416,

Not a basic question at all. I’m not sure that the Dynamix/UnRaid WireGuard plugin actually provides configuration for setting up a tunnel on a NIC other than the main bridge (br0). Could you post a screenshot of your WireGuard settings in Unraid (DON’T SHOW your private keys)?

We’re looking for an interface option if there is one. If not, it might be worth reaching out to Dynamix on the Unraid forum.

Of course, if all you’re trying to do is use your Pihole DNS server with your WireGuard client, then the answer could be as simple as setting your peer/client DNS to the IP address of your Pihole Docker container…

Here is the config page of wireguard. When I connect from ou tside the network I can ping the device so it is connected. Im just not resolving anything. I followed the steps in the original guide but still couldnt get it working.

Even if I have two NIC what would be the best way to set the two up? Host mode as described or separate NIC?

In the config of Wireguard they dont seem to allow you to chose a second NIC.