omv7:omv7_plugins:wireguard

Differences

This shows you the differences between two versions of the page.

Link to this comparison view

Both sides previous revision Previous revision
Next revision		 Previous revision
omv7:omv7_plugins:wireguard [2024/02/17 17:36] – [Configuring a Client] chenteomv7:omv7_plugins:wireguard [2025/09/02 18:20] (current) – [Update DuckDNS IP. Receive notifications only when it changes and restart WireGuard automatically] chente
Line 1: Line 1:
 +{{indexmenu_n>8}}
 \\ \\
 <html><center><b>Wireguard Plugin For OMV7</b></center></html> <html><center><b>Wireguard Plugin For OMV7</b></center></html>
Line 19: Line 20:
       * You will be able to access all your shared folders and all the services you have configured on your local network as if you were there.       * You will be able to access all your shared folders and all the services you have configured on your local network as if you were there.
       * By default all client traffic will be forwarded through the VPN connection (it is configurable), providing privacy through the encrypted connection. You can be connected to a public Wi-Fi network and browse with the security that nobody sees what you do.       * By default all client traffic will be forwarded through the VPN connection (it is configurable), providing privacy through the encrypted connection. You can be connected to a public Wi-Fi network and browse with the security that nobody sees what you do.
-  * The Custom Config tab allows you to make configurations according to specific needs. You can implement any Wireguard network topology.+  * The Custom Config tab allows you to make configurations according to specific needs. You can use this tab if you need to connect the server to an external Wireguard VPN service, or you can implement any Wireguard network topology. 
     * The point-to-point connection allows the connection between two servers, communicating only with each other. For example to make remote backups.     * The point-to-point connection allows the connection between two servers, communicating only with each other. For example to make remote backups.
     * The site-to-site provides a connection between two networks so that any IP on a local network is able to communicate with any IP on another local network.     * The site-to-site provides a connection between two networks so that any IP on a local network is able to communicate with any IP on another local network.
Line 46: Line 47:
 In OMV7's GUI:\\ In OMV7's GUI:\\
 Under **System** > **Plugins**, find and highlight **openmediavault-wireguard 7.X**, and click the **install** button. Under **System** > **Plugins**, find and highlight **openmediavault-wireguard 7.X**, and click the **install** button.
 +
 +<html><body><table width="100%" border="0"><tr><td colspan="2" style="background-color:#69A5FF;height:30px;"><strong><span style="color:#FFFFFF;font-size:110%;">&#160; Note
 +</span></strong></td></tr><tr><td style="background-color:#E6FEFF;height:25px;width:380px;">
 +If your system is based on an <b>Armbian</b> image, installing this plugin may break the existing Kernel.<br>
 +To solve it you must reinstall the Armbian Kernel once the plugin is installed and everything will work normally.
 +</tr></table></body></html>
  
 ---- ----
Line 61: Line 68:
 {{ :omv6:omv6_plugins:wireguard4.jpg?direct&400|Wireguard Tunnels Create}} {{ :omv6:omv6_plugins:wireguard4.jpg?direct&400|Wireguard Tunnels Create}}
   * In the OMV GUI go to **Services** > **Wireguard** > **Tunnels** Press the **Create** button.    * In the OMV GUI go to **Services** > **Wireguard** > **Tunnels** Press the **Create** button. 
 +    * Press the **Enable** button to enable the tunnel.
   * **Basic Configuration** In the dialog box enable the tunnel and complete the following fields:    * **Basic Configuration** In the dialog box enable the tunnel and complete the following fields: 
     * **Name** You can name the tunnel to identify it later.      * **Name** You can name the tunnel to identify it later. 
Line 147: Line 155:
   * Click **Save**. At this point, if you have already activated the tunnel and the client, the connection will be up and running.    * Click **Save**. At this point, if you have already activated the tunnel and the client, the connection will be up and running. 
   * By pressing the button **Client Config** you can see the client configuration file, you can copy and paste the text in a file to configure the connection in the client. If you do it this way, add the ending ".conf" to the created file. Treat this file like a password, it is the access key to your network. Once the connection is configured, it is advisable to delete this file for security.    * By pressing the button **Client Config** you can see the client configuration file, you can copy and paste the text in a file to configure the connection in the client. If you do it this way, add the ending ".conf" to the created file. Treat this file like a password, it is the access key to your network. Once the connection is configured, it is advisable to delete this file for security. 
-  * A QR will appear in the table (if the client is enabled), which you can scan from a smartphone to configure the connection without having to copy a file. If you need to send it you can take a photo. Treat this image as a password, it is the access key to your network. +  * A QR will appear in the table (if the client is enabled), which you can scan from a smartphone to configure the connection without having to copy a file. If you need to send it you can take a photo. Treat this image as a password, it is the access key to your network. Press the "Generate QR Codes" button to generate the images.
   * Use a different client configuration for each client. If you configure the same connection on several clients at the same time, they will not be able to connect simultaneously.   * Use a different client configuration for each client. If you configure the same connection on several clients at the same time, they will not be able to connect simultaneously.
  
Line 185: Line 193:
 ---- ----
  
-This tab allows you to create a tunnel with the custom settings you need. It allows to open an editing window where you can paste the configuration from a text file, therefore, you can choose the parameters you need for the tunnel.+This tab allows you to create a tunnel with the custom settings you need. It allows to open an editing window where you can paste the configuration from a text file, therefore, you can choose the parameters you need for the tunnel. Use this tab if you need to connect the server to an external (commercial) Wireguard VPN service.
  
 If you need to configure a tunnel to connect the point-to-point server with another server, or any other network topology, you must do so in this tab, since it allows you to manually define keys, networks and other necessary parameters. If you need to configure a tunnel to connect the point-to-point server with another server, or any other network topology, you must do so in this tab, since it allows you to manually define keys, networks and other necessary parameters.
Line 200: Line 208:
   * In the **Config** field write the configuration content of your tunnel following the Wireguard rules.   * In the **Config** field write the configuration content of your tunnel following the Wireguard rules.
     * You can see how to do it on the [[https://www.wireguard.com/#simple-network-interface|Wireguard]] website. Or use a template following the suggestion at the bottom of this section.     * You can see how to do it on the [[https://www.wireguard.com/#simple-network-interface|Wireguard]] website. Or use a template following the suggestion at the bottom of this section.
 +    * If you want to connect to a commercial VPN service, they will most likely provide you with the tunnel configuration template. In that case, simply copy and paste that template into the Config field.
     * If you need special topologies you can find them on the [[https://www.procustodibus.com/blog/2020/10/wireguard-topologies/|procustodibus.com]] website.     * If you need special topologies you can find them on the [[https://www.procustodibus.com/blog/2020/10/wireguard-topologies/|procustodibus.com]] website.
     * Note that the networks created by the plugin in the **Tunnel** and **Client** tabs are generated in the ''10.192.x.x'' network range. Therefore, choosing networks in this range may cause conflicts. In that case the service will not start and the plugin will throw an error.     * Note that the networks created by the plugin in the **Tunnel** and **Client** tabs are generated in the ''10.192.x.x'' network range. Therefore, choosing networks in this range may cause conflicts. In that case the service will not start and the plugin will throw an error.
Line 509: Line 518:
         * This will have installed the ''curl'' package on the system. Now select the task again and press the **Edit** button. Delete the ''apt install curl'' command you wrote earlier.         * This will have installed the ''curl'' package on the system. Now select the task again and press the **Edit** button. Delete the ''apt install curl'' command you wrote earlier.
   * Type the following command in the **Command** field of the dialog box.   * Type the following command in the **Command** field of the dialog box.
-<html><body><pre><code>echo url="https://www.duckdns.org/update?domains=MY_DOMAIN&token=MY_TOKEN&ip=" | curl -k -o /var/log/duck.log -K -</code></pre></body></html> +<html><body><pre><code>echo url="https://www.duckdns.org/update?domains=[MY_DOMAIN]&token=[MY_TOKEN]&ip=" | curl -k -o /var/log/duck.log -K -</code></pre></body></html> 
-  * Replace ''MY_DOMAIN'' with the subdomain you chose in "''MY_DOMAIN''.duckdns.org"+  * Replace ''[MY_DOMAIN]'' with the subdomain you chose in "''[MY_DOMAIN]''.duckdns.org"
-  * Replace ''MY_TOKEN'' with the token that has been assigned to your duckdns account.+  * Replace ''[MY_TOKEN]'' with the token that has been assigned to your duckdns account.
   * In the **Time of execution** field, choose the Hourly option.   * In the **Time of execution** field, choose the Hourly option.
     * This will run the command every hour. If your IP changes frequently you can change this to run for shorter periods of time. Every 5 minutes may be reasonable.     * This will run the command every hour. If your IP changes frequently you can change this to run for shorter periods of time. Every 5 minutes may be reasonable.
Line 525: Line 534:
 This task will create a log file at /var/log/duck.log. This task will create a log file at /var/log/duck.log.
 </tr></table></body></html> </tr></table></body></html>
 +
 +----
 +
 +=== Update DuckDNS IP. Receive notifications only when it changes and restart WireGuard automatically ===
 +
 +You can add this script to a scheduled task so that your public IP is updated, and you receive a notification only if it changes.
 +
 +Additionally, if you are using a WireGuard tunnel between two servers and the public IP changes on one of them, the tunnel may drop connections (because it will still try to reach the old IP). Restarting the service automatically allows the peer to establish a new //handshake//, updating the tunnel with the new IP.
 +
 +Example command:
 +
 +<html><body><pre><code>curl -s -k "https://www.duckdns.org/update?domains=[MY_DOMAIN]&token=[MY_TOKEN]&ip=&verbose=true" | grep -q UPDATED && echo "UPDATED PUBLIC IP IN DUCKDNS" && systemctl restart wg-quick@wgnet_[MY_TUNNEL]</code></pre></body></html>
 +
 +  * Replace ''[MY_DOMAIN]'' with the subdomain you chose in "''[MY_DOMAIN]''.duckdns.org" and ''[MY_TOKEN]'' with your token.
 +  * Replace ''[MY_TUNNEL]'' with the name you assigned to your tunnel in the WireGuard plugin.
 +  * Remember to enable notifications in OMV to receive an alert when the public IP changes.
 +  * Add a descriptive label to the scheduled task so you can easily identify it.
 +
 +Once created, simply copy the command into **Scheduled Tasks** and set the execution interval.
 +
 +Remember to install ''curl'' if it is not installed on your system (see previous point).
  
 ---- ----
Line 564: Line 594:
  
 ---- ----
 +
 +=== I can't access some of my containers. MacVLAN. ===
 +
 +If you have containers configured using a MacVLAN network interface, you won't be able to access them using Wireguard. Containers with this configuration can't communicate with the host, so Wireguard can't access them either. This is a limitation of the Linux kernel.
 +
 +There are workarounds, but they're beyond the scope of this document; please refer to the Docker documentation.
 +
 +----
 +
 +=== I can access my LAN, but I don't have internet access. ===
 +
 +We've received reports of some Mac clients where the network remains split even with ''AllowedIPs = 0.0.0.0/0'' set. This results in the client being unable to access the internet.
 +
 +Try adding a generic DNS to your Wireguard tunnel on the client. Something like ''DNS = 1.0.0.1'' or ''DNS = 8.8.8.8'' might work.
 +
 +----
 +
 +
 ===== Source Code ===== ===== Source Code =====
  
  • omv7/omv7_plugins/wireguard.1708191370.txt.gz
  • Last modified: 2024/02/17 17:36
  • by chente