Note: this community guide is offered in the hope that it is helpful, but comes with no warranty/guarantee/etc. Follow at your own risk.
What can you do with WireGuard? Let's walk through each of the connection types:
- Remote access to server: Use your phone or computer to remotely access your Unraid server, including:
  - Unraid administration via the webgui
  - Access dockers, VMs, and network shares as though you were physically connected to the network
- Remote access to LAN: Builds on "Remote access to server", allowing you to access your entire LAN as well.
- Server to server access: Allows two Unraid servers to connect to each other.
- LAN to LAN access: Builds on "Server to server access", allowing two entire networks to communicate. (see this guide)
- Server hub & spoke access: Builds on "Remote access to server", except that all of the VPN clients can connect to each other as well. Note that all traffic passes through the server.
- LAN hub & spoke access: Builds on "Server hub & spoke access", allowing you to access your entire LAN as well.
- VPN tunneled access: Route traffic for specific Dockers and VMs through a commercial WireGuard VPN provider (see this guide)
- Remote tunneled access: Securely access the Internet from untrusted networks by routing all of your traffic through the VPN and out Unraid's Internet connection
In this guide we will walk through how to set up WireGuard so that your trusted devices can VPN into your home network to access Unraid and the other systems on your network.
Prerequisites
- You must be running Unraid 6.8-6.9 with the Dynamix WireGuard plugin from Community Apps or Unraid 6.10+ (which has the plugin built in).
- Understand that giving someone VPN access to your LAN is just like giving them physical access to your LAN, except they have it 24x7 when you aren't around to supervise. Only give access to people and devices that you trust, and make certain that the configuration details (particularly the private keys) are not passed around insecurely. Regardless of the "connection type" you choose, assume that anyone who gets access to this configuration information will be able to get full access to your network.
- This guide works great for simple networks. But if you have Dockers with custom IPs or VMs with strict networking requirements, please see the "Complex Networks" section below.
- Unraid will automatically configure your WireGuard clients to connect to Unraid using your current public IP address, which will work until that IP address changes. To future-proof the setup, you can use Dynamic DNS instead. There are many ways to do this; probably the easiest is described in this 2-minute video from SpaceInvaderOne
- If your router has UPnP enabled, Unraid will be able to automatically forward the port for you. If not, you will need to know how to configure your router to forward a port.
- You will need to install WireGuard on a client system. It is available for many operating systems:
https://www.wireguard.com/install/
Android or iOS make good first systems, because you can get all the details via QR code.
Setting up the Unraid side of the VPN tunnel
- If UPnP is enabled on your router and you want to use it in Unraid, go to Settings -> Management Access and confirm "Use UPnP" is set to Yes
- On Unraid 6.8, go to Settings -> VPN Manager
- Give the VPN Tunnel a name, such as "MyHome VPN"
- Press "Generate Keypair". This will generate a set of public and private keys for Unraid. Take care not to inadvertently share the private key with anyone (such as in a screenshot like this)
- By default the local endpoint will be configured with your current public IP address. If you chose to set up DDNS earlier, change the IP address to the DDNS address.
- Unraid will recommend a port to use. You typically won't need to change this unless you already have WireGuard running elsewhere on your network.
- Hit Apply
- If Unraid detects that your router supports UPnP, it will automatically set up port forwarding for you:
If you see a note that says "configure your router for port forwarding..." you will need to log in to your router and set up the port forward as directed by the note:
Some tips for setting up the port forward in your router:
- Both the external (source) and internal (target/local) ports should be set to the value Unraid provides. If your router interface asks you to put in a range, use the same port for both the starting and ending values. Be sure to specify that it is a UDP port and not a TCP port.
- For the internal (target/local) address, use the IP address of your Unraid system shown in the note.
- Google can help you find instructions for your specific router, e.g. "how to port forward Asus RT-AC68U"
- Note that after hitting Apply, the public and private keys are removed from view. If you ever need to access them, click the "key" icon on the right hand side.
- Similarly, you can access other advanced settings by pressing the "down chevron" on the right hand side. They are beyond the scope of this guide, but you can turn on help to see what they do.
- In the upper right corner of the page, change the Inactive slider to Active to start WireGuard. You can optionally set the tunnel to Autostart when Unraid boots.
Defining a Peer (client)
- Click "Add Peer"
- Give it a name, such as "MyAndroid"
- For the initial connection type, choose "Remote access to LAN". This will give your device access to Unraid and other items on your network (there are some caveats to this covered below)
- Click "Generate Keypair" to generate public and private keys for the client. The private key will be given to the client / peer, but take care not to share it with anyone else (such as in a screenshot like this)
- For an additional layer of security, click "Generate Key" to generate a preshared key. Again, this should only be shared with this client / peer.
- Click Apply.
- Note: Technically, the peer should generate these keys and not give the private key to Unraid. You are welcome to do that, but it is less convenient, as the config files Unraid generates will not be complete and you will have to finish configuring the client manually.
Configuring a Peer (client)
- Click the "eye" icon to view the peer configuration. If the button is not clickable, you need to apply or reset your unsaved changes first.
- If you are setting up a mobile device, choose the "Create from QR code" option in the mobile app and take a picture of the QR code. Give it a name and make the connection. The VPN tunnel starts almost instantaneously; once it is up you can open a browser and connect to Unraid or another system on your network. Be careful not to share screenshots of the QR code with anyone, or they will be able to use it to access your VPN.
- If you are setting up another type of device, download the file and transfer it to the remote computer via trusted email or Dropbox, etc. Then unzip it and load the configuration into the client. Protect this file: anyone who has access to it will be able to access your VPN.
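The note above mentions the more secure variant, where the peer generates its own keys and you finish the client config by hand. The script below is an added example of that, written for this guide and not part of Unraid or the Dynamix plugin. It generates the keys on the peer (if the wg tool is installed; otherwise it falls back to constructed placeholder keys so the logic can still be exercised), prints the two values you hand to Unraid's "Add Peer" form (public key and preshared key, never the private key), and assembles a "Remote access to LAN" client config. Everything network-specific is an assumption to replace with your own values: tunnel pool 10.253.0.0/24 with this peer at 10.253.0.2, LAN 192.168.1.0/24, endpoint vpn.example.com:51820, and 192.168.1.1 as the optional DNS server.

```shell
#!/bin/sh
# Added example, not code from the Unraid guide or plugin.
# Assumed values (not from the guide): change them for your network.
set -eu

TUNNEL_POOL="10.253.0.0/24"      # Unraid "Local tunnel network pool" (default)
PEER_ADDRESS="10.253.0.2/32"     # address Unraid assigned to this peer
LAN_SUBNET="192.168.1.0/24"      # the LAN behind Unraid
ENDPOINT="vpn.example.com:51820" # DDNS name and the port Unraid recommended

# A WireGuard key is 32 bytes in canonical base64: 42 base64 characters, one
# character whose low two bits are zero, then a single '='.  wg rejects anything else.
valid_key() {
    printf '%s' "$1" | grep -Eq '^[A-Za-z0-9+/]{42}[AEIMQUYcgkosw048]=$'
}

# Generate private key, public key and preshared key ON THE PEER, into $1.
# Only peer.pub and peer.psk ever leave this machine.
generate_peer_keys() {
    ( umask 077                        # key files readable by this user only
      cd "$1"
      wg genkey > peer.key
      wg pubkey < peer.key > peer.pub
      wg genpsk > peer.psk )
}

# The two values to paste into Unraid's Add Peer form: public key + preshared key.
unraid_peer_fields() {
    printf 'Peer public key:    %s\nPeer preshared key: %s\n' "$1" "$2"
}

# Client-side config for "Remote access to LAN".
# $1 = peer private key, $2 = Unraid's public key (from the "key" icon),
# $3 = preshared key, $4 = optional DNS server ("Peer DNS Server"; empty = none).
client_conf() {
    peer_priv=$1; server_pub=$2; psk=$3; dns=${4:-}
    printf '[Interface]\nPrivateKey = %s\nAddress = %s\n' "$peer_priv" "$PEER_ADDRESS"
    if [ -n "$dns" ]; then printf 'DNS = %s\n' "$dns"; fi
    printf '\n[Peer]\nPublicKey = %s\nPresharedKey = %s\nEndpoint = %s\n' \
        "$server_pub" "$psk" "$ENDPOINT"
    printf 'AllowedIPs = %s, %s\nPersistentKeepalive = 25\n' "$TUNNEL_POOL" "$LAN_SUBNET"
}

# Guard before sending anything to Unraid: true if the text contains the private key.
leaks_private_key() {
    printf '%s' "$1" | grep -Fq -- "$2"
}

# Demo.  Real keys when wg is installed; otherwise constructed placeholders
# (all-A / all-E / all-I encode 32 fixed bytes and are never usable keys).
OUT=$(mktemp -d)
if command -v wg >/dev/null 2>&1; then
    generate_peer_keys "$OUT"
    PEER_PRIV=$(cat "$OUT/peer.key"); PEER_PUB=$(cat "$OUT/peer.pub"); PSK=$(cat "$OUT/peer.psk")
else
    PEER_PRIV="$(printf '%043d' 0 | tr 0 A)="
    PEER_PUB="$(printf '%043d' 0 | tr 0 E)="
    PSK="$(printf '%043d' 0 | tr 0 I)="
fi
UNRAID_PUB="$(printf '%043d' 0 | tr 0 Q)="   # placeholder for the key Unraid shows
valid_key "$PEER_PRIV" && valid_key "$UNRAID_PUB" || { echo "bad key format" >&2; exit 1; }

FIELDS=$(unraid_peer_fields "$PEER_PUB" "$PSK")
if leaks_private_key "$FIELDS" "$PEER_PRIV"; then echo "refusing: private key in output" >&2; exit 1; fi
printf '%s\n' "$FIELDS"
client_conf "$PEER_PRIV" "$UNRAID_PUB" "$PSK" 192.168.1.1 > "$OUT/wg0.conf"
echo "client config written to $OUT/wg0.conf (mode 600, keep it private)"
```

Copy wg0.conf to the client the same way the guide describes for the downloaded file, and treat it with the same care: it contains the private key.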
Complex Networks
The instructions above should work out of the box for simple networks. With "Use NAT" defaulted to Yes, all traffic arriving through the tunnel leaves Unraid with Unraid's own IP address as its source, and that works fine if you have a simple setup.
However, if you have Dockers with custom IPs or VMs with strict networking requirements, you'll need to make a few changes:
- In the WireGuard tunnel config, set "Use NAT" to No
- In your router, add a static route that lets your network access the WireGuard "Local tunnel network pool" through the IP address of your Unraid system. For instance, for the default pool of 10.253.0.0/24 you should add this static route:
  - Destination Network: 10.253.0.0/24 (aka 10.253.0.0 with subnet 255.255.255.0)
  - Gateway / Next Hop: <IP address of your Unraid system>
  - Distance: 1 (your router may not have this option)
- If you use pfSense, you may also need to check the box for "Static route filtering - bypass firewall rules for traffic on the same interface". See this.
- If you have Dockers with custom IPs then on the Docker settings page, set "Host access to custom networks" to "Enabled". See this:
https://forums.unraid.net/topic/84229-dynamix-wireguard-vpn/page/8/?tab=comments#comment-808801
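The static route step above is shown for router web interfaces. As an added example (not from the guide), here is the same route for a Linux-based router, together with a check that the router's kernel really forwards tunnel-pool traffic to Unraid rather than, say, out its default route. The Unraid address 192.168.1.10 and the tunnel pool 10.253.0.0/24 are assumptions to replace with your own; run it on the router, with root for "apply".

```shell
#!/bin/sh
# Added example, not from the Unraid guide.  Assumed values, change for your network.
set -eu

TUNNEL_POOL="10.253.0.0/24"   # Unraid "Local tunnel network pool"
UNRAID_IP="192.168.1.10"      # Unraid's LAN address (the route's next hop)
PROBE_IP="10.253.0.5"         # any address inside the pool, used for the lookup

# The route command, printed so it can be reviewed; 'replace' keeps it idempotent.
route_cmd() {
    printf 'ip route replace %s via %s\n' "$TUNNEL_POOL" "$UNRAID_IP"
}

# Extract the next hop from 'ip route get' output, e.g.
#   "10.253.0.5 via 192.168.1.10 dev br-lan src 192.168.1.1 uid 0"
# Prints nothing when there is no "via" (destination treated as directly connected).
next_hop() {
    printf '%s\n' "$1" | awk '{ for (i = 1; i < NF; i++) if ($i == "via") { print $(i+1); exit } }'
}

# True when the lookup result sends traffic to Unraid.
route_via_unraid() {
    [ "$(next_hop "$1")" = "$UNRAID_IP" ]
}

case "${1:-check}" in
  apply)
    ip route replace "$TUNNEL_POOL" via "$UNRAID_IP"
    echo "installed: $(route_cmd)"
    ;;
  check)
    if ! command -v ip >/dev/null 2>&1; then
        echo "iproute2 not found here; on the router you would run: $(route_cmd)"
        exit 0
    fi
    out=$(ip route get "$PROBE_IP" 2>/dev/null || true)
    if route_via_unraid "$out"; then
        echo "OK: $TUNNEL_POOL is reached via Unraid at $UNRAID_IP"
    else
        echo "MISSING: next hop for $PROBE_IP is '$(next_hop "$out")'; run: $(route_cmd)"
    fi
    ;;
esac
```

A static route added on a Linux router is lost at reboot unless the distribution persists it; use the router's own configuration system for the permanent entry and keep this script for the check.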
There are some configurations you'll want to avoid; here is how a few key settings interact (each row lists what a VPN client can reach):

Use NAT | Host access to custom networks | Static route in router | Server + dockers on bridge/host | VMs + other systems on LAN | Dockers with custom IP | Verdict
--------|--------------------------------|------------------------|---------------------------------|----------------------------|------------------------|--------
Yes     | disabled                       | optional               | accessible                      | accessible                 | NOT accessible         | the "simple network" setup assumed by the guide above
Yes     | enabled                        | optional               | accessible                      | NOT accessible             | NOT accessible         | avoid this config
No      | (either)                       | none                   | accessible                      | NOT accessible             | NOT accessible         | avoid this; if "Use NAT" = No, you really need to add a static route in your router
No      | disabled                       | added                  | accessible                      | accessible                 | NOT accessible         | you've come this far, just set "Host access to custom networks" to enabled and you're set
No      | enabled                        | added                  | accessible                      | accessible                 | accessible             | woohoo! the recommended setup for complex networks
About DNS
Everything discussed so far should work if you access the devices by IP address or with a Fully Qualified Domain Name such as yourpersonalhash.unraid.net.
Short names such as "tower" probably won't work, nor will any DNS entries managed by the router.
To get those to work over the tunnel, return to the VPN Manager page in Unraid, switch from Basic to Advanced mode, and add the IP address of your desired DNS server into the "Peer DNS Server" field (don't forget to put the updated config file on the client after saving it!). You may want to use the IP address of the router on the LAN you are connecting to, or you could use a globally available IP like 8.8.8.8.
**"WireGuard" and the "WireGuard" logo are registered trademarks of Jason A. Donenfeld.