12 December 2019

Setting Up WireGuard® on Unraid

A how-to guide for setting up WireGuard on your Unraid server.

This guest blog is by TorqueWrench of the Engineer's Workshop who has been using Unraid since 2017. He uses it as network-attached storage for various hardware and software development projects.


 

Unraid 6.8 was recently released, and one of the main new features is a game changer for us all, from those of us new to homelabs to those of us with advanced setups. I am, of course, talking about WireGuard®.

What Is WireGuard?

In short, WireGuard is a lightweight VPN server/client embedded in the Linux kernel. What does that mean for you? It's fast.

Why Should You Implement WireGuard?

  • Rapid VPN Deployment: If you're new to Unraid or haven't otherwise deployed a VPN, the biggest reason to implement WireGuard is that it's extremely fast to deploy. This stands in stark contrast to deploying the OpenVPN Docker container which, while certainly faster than deploying an OpenVPN server from scratch, still takes some effort. Even with all of the great guides available, you still have to know what you're doing. With WireGuard, we're talking 15 minutes tops, assuming you have the prerequisite dynamic DNS already set up (if not, add maybe another 30 minutes).
  • Security: A VPN makes your remote laptop just another device on the network, just as if you were at home. This allows you to access all of your network's resources locally. If you don't use a VPN, then you have to port forward to make your Unraid homelab's local resources available over the internet. Do this enough times and the firewall that separates your home network from the internet starts to look like Swiss cheese with all of the holes you've punched through it with those port forwards.

VPNs allow you to minimize your network's attack surfaces to a single (very secure) port forward for the VPN server.

Other Niche Benefits of WireGuard

  • Low Overhead, Better Battery Life: WireGuard, as described by its developer, isn't a chatty protocol. The client sends its request and then shuts up. It tries to avoid keepalive handshakes if they're not needed. As a result, when you're working on a laptop on wireless, your wireless card has a higher likelihood of being able to idle down, which leads to better battery life. (A wifi card uses something like ~20 mW at idle but can easily climb to ~2 W under load.) Anecdotally, in my own testing, I am noticing about a 2-3 hour improvement in battery life when working remotely at a coffee shop on WireGuard compared to OpenVPN.
  • Mosh-like Connectivity: This is part of my core stack for remote development. Mosh allows you to roam seamlessly between IP addresses and bad network connections. I've noticed that WireGuard gives many of the same benefits. When I had a poor network connection in a coffee shop (honestly, are there any coffee shops with good wifi connections?) with OpenVPN, I would continue working only to find my connection had been dropped, and would be interrupted by OpenVPN attempting to reconnect. In contrast, WireGuard rapidly re-establishes the connection without me even knowing. It even works across full IP address changes, such as when I change hotspots from AT&T to T-Mobile.

Hopefully by now I've convinced you to implement WireGuard and you're ready to deploy the WireGuard plug-in on Unraid. Let's begin!

WireGuard Implementation on Unraid

Prerequisites:

Unraid Server Running Unraid 6.8+

Dynamic DNS Configured: This is outside of the scope of this guide, but thankfully it's relatively simple and available on most routers. You can find instructions by Googling "<Your Router Name> + dynamic DNS", or implement it directly in Unraid with the legendary SpaceInvader One's guide.

Setting Up The WireGuard VPN Server

1. In the Unraid webgui, go to Community Applications under the "Apps" tab and search for the "Dynamix WireGuard" plugin. Install it:

[Screenshot: WireGuard in Community Applications]

2. Go to Settings > VPN Manager:

[Screenshot: VPN Manager]

3. In the tunnel VPN configuration, give the tunnel a name. Also specify your dynamic DNS name in the local endpoint section and generate your keys:

[Screenshot: tunnel VPN configuration]

The purpose of this local endpoint information is to tell your client how to find your WireGuard VPN server in the vast world of the internet. That's why dynamic DNS is used. It maps a hostname to your home network's public IP address and keeps that mapping updated any time your public IP address changes.

In my case, my blog is self-hosted (that is, this blog's web server sits on the same network as my Unraid server in my homelab) and therefore I will use my URL as the local endpoint.

Also, take note of the port specified (typically 51820). We'll need it to set up port forwarding on the firewall.

4. Set up port forwarding on the router/firewall. This will vary from router to router. I use pfSense, which leads to the simple rule shown below:

[Screenshot: router configuration]

All routers will have this ability (typically under advanced configuration), but if you need help with this step, let me know in the blog discussion thread comments below and I'll do my best to help you out.

5. In Settings > VPN Manager, activate WireGuard by enabling "Active" and enabling "Autostart" so that it automatically starts on boot up.

Setting Up The WireGuard VPN Client

6. Click on "Add Peer":

[Screenshot: Add Peer]

7. Set peer type to "Remote Tunneled Access". Generate the peer private/public key pair and generate the preshared key. Click apply:

[Screenshot: Remote tunneled access]

Note: I am making a judgement call here with the "peer type of access" to use. My recommendation of "Remote tunneled access" does two things for us that I think most users will want:

  • It gives access to the Unraid server as well as the LAN.
  • It routes all of our internet traffic through the Unraid server (which gives us an additional layer of security instead of just routing our regular internet traffic through whatever our laptop's local connection happens to be). Call me paranoid, but I don't like doing my credit card transactions over a public wifi connection (even if the connection is relatively secure with https).

8. Click the eye next to your new peer listing:

[Screenshot: eye icon]

9. This will present you with the configuration for your client. Click download:

[Screenshot: download config]

10. To be able to use this configuration file, you'll need to download the WireGuard client available here and install it.

11. Add your configuration to the WireGuard client by clicking "Add Tunnel".

12. Click "activate" to test/use your new WireGuard tunnel:
 

[Screenshot: Activate]

That's it! You should now be up and running with WireGuard on Unraid.
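Before importing the file downloaded in step 9, it is worth checking that it reflects the choices made above: a full tunnel and preshared key (step 7), and a dynamic DNS endpoint on the forwarded port (steps 3 and 4). The script below is an added example, not part of the original post or the Unraid plugin; the sample config is constructed in the standard wg-quick format, and its hostname, address and keys are placeholders.

```python
import ipaddress
# Constructed sample in wg-quick format; keys are placeholders, not real key material.
SAMPLE = """\
[Interface]
PrivateKey = <peer-private-key-placeholder>
Address = 10.253.0.2/32

[Peer]
PublicKey = <server-public-key-placeholder>
PresharedKey = <preshared-key-placeholder>
Endpoint = myserver.example.net:51820
AllowedIPs = 0.0.0.0/0
"""

def parse_conf(text):
    """Return {section: {key: value}} for a single-peer client config."""
    conf, section = {}, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].lower()
            conf.setdefault(section, {})
        elif "=" in line and section:
            key, value = line.split("=", 1)  # base64 keys end in '=', so split once
            conf[section][key.strip().lower()] = value.strip()
    return conf

def audit(text, expected_port=51820):
    """Compare a client config with the choices made in steps 3, 4 and 7."""
    peer = parse_conf(text).get("peer", {})
    findings = []
    nets = [ipaddress.ip_network(n.strip(), strict=False)
            for n in peer.get("allowedips", "").split(",") if n.strip()]
    if not any(n.version == 4 and n.prefixlen == 0 for n in nets):
        findings.append("AllowedIPs lacks 0.0.0.0/0: internet traffic bypasses the tunnel")
    if not peer.get("presharedkey"):
        findings.append("no PresharedKey: the key generated in step 7 is missing")
    host, _, port = peer.get("endpoint", "").rpartition(":")
    if port != str(expected_port):
        findings.append(f"Endpoint port {port or '?'} is not the forwarded port {expected_port}")
    try:
        ipaddress.ip_address(host.strip("[]"))
        findings.append("Endpoint is a fixed IP: it breaks when the public address changes")
    except ValueError:  # not an IP literal, so either a hostname or empty
        if not host:
            findings.append("Endpoint is missing")
    return findings
```

An empty list from `audit(open("peer.conf").read())` means the file matches the guide (the filename here is hypothetical); the file contains the peer's private key, so keep it out of shared folders and delete stray copies after import.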

If you run into any problems and need help troubleshooting, feel free to ask in the blog discussion thread in the forum (this is always a standing offer, by the way). If you've successfully implemented WireGuard, I'd love to hear how you're using it.

WireGuard is a registered trademark of Jason A. Donenfeld.
