omv7:omv7_plugins:wireguard

omv7:omv7_plugins:wireguard [2024/01/27 19:17] – [Point to point. Standard tunnel.] chente
omv7:omv7_plugins:wireguard [2024/04/24 15:28] (current) – [Configuring a Client] chente
Line 1: Line 1:
 +{{indexmenu_n>8}}
 \\ \\
 <html><center><b>Wireguard Plugin For OMV7</b></center></html> <html><center><b>Wireguard Plugin For OMV7</b></center></html>
Line 19: Line 20:
       * You will be able to access all your shared folders and all the services you have configured on your local network as if you were there.       * You will be able to access all your shared folders and all the services you have configured on your local network as if you were there.
       * By default all client traffic will be forwarded through the VPN connection (it is configurable), providing privacy through the encrypted connection. You can be connected to a public Wi-Fi network and browse with the security that nobody sees what you do.       * By default all client traffic will be forwarded through the VPN connection (it is configurable), providing privacy through the encrypted connection. You can be connected to a public Wi-Fi network and browse with the security that nobody sees what you do.
-  * The Custom Config tab allows you to make configurations according to specific needs. You can implement any Wireguard network topology.+  * The Custom Config tab allows you to make configurations according to specific needs. You can use this tab if you need to connect the server to an external Wireguard VPN service, or you can implement any Wireguard network topology. 
     * The point-to-point connection allows the connection between two servers, communicating only with each other. For example to make remote backups.     * The point-to-point connection allows the connection between two servers, communicating only with each other. For example to make remote backups.
     * The site-to-site provides a connection between two networks so that any IP on a local network is able to communicate with any IP on another local network.     * The site-to-site provides a connection between two networks so that any IP on a local network is able to communicate with any IP on another local network.
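Review bot: The new sentence on the Custom Config bullet adds a third use case (connecting the server to an external Wireguard VPN service), but the sub-bullets under it still list only point-to-point and site-to-site; add a matching sub-bullet so the three cases read the same way, e.g. ''* Connecting the server to an external (commercial) Wireguard VPN service, pasting the configuration the provider supplies.''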
Line 61: Line 62:
 {{ :omv6:omv6_plugins:wireguard4.jpg?direct&400|Wireguard Tunnels Create}} {{ :omv6:omv6_plugins:wireguard4.jpg?direct&400|Wireguard Tunnels Create}}
   * In the OMV GUI go to **Services** > **Wireguard** > **Tunnels** Press the **Create** button.    * In the OMV GUI go to **Services** > **Wireguard** > **Tunnels** Press the **Create** button. 
-  * In the dialog box enable the tunnel and fill in the fields: +  * **Basic Configuration** In the dialog box enable the tunnel and complete the following fields: 
     * **Name** You can name the tunnel to identify it later.      * **Name** You can name the tunnel to identify it later. 
     * **Network Adapter** Click on the **Network adapter** dropdown menu and choose your adapter.      * **Network Adapter** Click on the **Network adapter** dropdown menu and choose your adapter. 
Line 71: Line 72:
     * **Port** field, type the port you want to use for the connection, usually it is 51820.      * **Port** field, type the port you want to use for the connection, usually it is 51820. 
       * You can choose any available port, it must not be occupied on your system by any service or by another wireguard tunnel.        * You can choose any available port, it must not be occupied on your system by any service or by another wireguard tunnel. 
-      * Remember that you must open this port in the router and direct it to the IP of your server and with the same port. Use the UDP protocol. If you don't know how to do it, consult the manual of your router. +      * Remember that you must open this port in the router and direct it to the IP of your server and with the same port. Use the UDP protocol. If you don't know how to do it, consult the manual of your router. 
 +  * **Advanced configuration** The previous fields are essential to configure a tunnel, if you need other custom configurations they can be the following (If you don't need any of this, leave the default values):
     * **Configure iptables** By default this will generate the settings in iptables to allow traffic on your internal network from outside.     * **Configure iptables** By default this will generate the settings in iptables to allow traffic on your internal network from outside.
       * If for some reason you need the plugin not to configure iptables, you can do so by clearing this checkbox.       * If for some reason you need the plugin not to configure iptables, you can do so by clearing this checkbox.
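Review bot: Heading capitalization is inconsistent in this revision: the added line reads **Advanced configuration** while its counterpart above reads **Basic Configuration** (and the Clients section uses **Advanced Configuration**); pick one form. The added line also ends awkwardly with the parenthetical before the colon; ''... they can be the following. If you don't need any of this, leave the default values:'' reads better.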
Line 85: Line 87:
     * **Persistent keepalive** By default it is disabled. Set a value, such as 25, so that a hello is sent through the tunnel every 25 seconds.     * **Persistent keepalive** By default it is disabled. Set a value, such as 25, so that a hello is sent through the tunnel every 25 seconds.
       * Activate only if necessary for some reason. One of wireguard's security principles is to be silent on connections.       * Activate only if necessary for some reason. One of wireguard's security principles is to be silent on connections.
 +    * **Local IP** Allows you to establish a network range that can be chosen in the configuration of each client to divide the tunnel traffic on that client.
 +      * A common example could be ''192.168.1.0/24''
     * **MTU** By default it is disabled. Generally this equates to ''MTU=1420''. Set a value if you need to modify this parameter. wg-quick does not support values ​​below 1280. If you don't know your network parameters, the value 1380 should work fine in most cases. The upper limit is 9999.     * **MTU** By default it is disabled. Generally this equates to ''MTU=1420''. Set a value if you need to modify this parameter. wg-quick does not support values ​​below 1280. If you don't know your network parameters, the value 1380 should work fine in most cases. The upper limit is 9999.
       * If no value is set, wireguard will set it from the existing network configuration. Typically this value is 1500, so wireguard will automatically set ''MTU=1420'', since the length of the header used by wireguard is subtracted (the longest is 80 bytes for IPv6).       * If no value is set, wireguard will set it from the existing network configuration. Typically this value is 1500, so wireguard will automatically set ''MTU=1420'', since the length of the header used by wireguard is subtracted (the longest is 80 bytes for IPv6).
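Review bot: The **Local IP** description should say which network this is, because the value is consumed by the client's **Local IP** button in the Clients section: it is the local network range behind the server that a split-tunnel client will be allowed to reach, so the example ''192.168.1.0/24'' must be adapted to the server's own LAN (the removed Restrict text said exactly that: "adapt it to your case"). Also "divide the tunnel traffic" should be "split the tunnel traffic", the term the Clients section uses.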
Line 131: Line 135:
 {{ :omv6:omv6_plugins:wireguard5.jpg?direct&400|Wireguard Clients Create}} {{ :omv6:omv6_plugins:wireguard5.jpg?direct&400|Wireguard Clients Create}}
   * In the OMV GUI go to **Services** > **Wireguard** > **Clients** Press the **Create** button.    * In the OMV GUI go to **Services** > **Wireguard** > **Clients** Press the **Create** button. 
-  * In the dialog box enable the client and fill in the data: +  * **Basic Configuration** These are the fields necessary to configure a client, in the dialog box enable the client and fill in the data: 
     * **Client number** It must not coincide with that of other clients.      * **Client number** It must not coincide with that of other clients. 
     * **Tunnel number** You must assign the client to one of the previously created tunnels.      * **Tunnel number** You must assign the client to one of the previously created tunnels. 
     * **Name** You can name the client to identify it later.     * **Name** You can name the client to identify it later.
-    * **Restrict** button. The default setting is to leave it unchecked, this will set AllowedIPs to 0.0.0.0/0 and all traffic will be routed through the tunnel. If you press it, only traffic directed to the wireguard network will be routed. To access the server services you must write the IP of the server, if the tunnel is number 1 the IP will be 10.192.1.254, if the tunnel is number 2 the IP will be 10.192.2.254... After that add '':'' and the service port. For example, to access Jellyfin it would be ''10.192.1.254:8096'' if it is tunnel number 1. You will not be able to access other services on your local network outside of your server. If you need that you must edit the client configuration and set the local network range in the AllowedIPs fieldFor example ''AllowedIPs = 192.168.1.0/24'' (adapt it to your case)+  * **Advanced Configuration** These are custom configuration options that are not necessary to configure a client except for special needs. If you don'need any of this, leave the default values.
     * **Persistent Keepalive** The default setting is to leave it blank. In some cases it may be necessary to set a value here to keep the connection active. A suitable value is usually 25 (Every 25 seconds the client will send a packet to the server).     * **Persistent Keepalive** The default setting is to leave it blank. In some cases it may be necessary to set a value here to keep the connection active. A suitable value is usually 25 (Every 25 seconds the client will send a packet to the server).
     * **DNS Servers** The default setting is to leave it blank. In some cases it may be necessary to establish a DNS server for the client to communicate correctly on the local network. The usual thing will be to establish the IP of the router. The menu will show the existing value in resolv.conf in case you want to copy it to the field on the right.     * **DNS Servers** The default setting is to leave it blank. In some cases it may be necessary to establish a DNS server for the client to communicate correctly on the local network. The usual thing will be to establish the IP of the router. The menu will show the existing value in resolv.conf in case you want to copy it to the field on the right.
-    * Click **Save**. At this point, if you have already activated the tunnel and the client, the connection will be up and running. +    * **Restrict** button. The default setting is to leave it unchecked, this will set AllowedIPs to ''0.0.0.0/0'' and all traffic will be routed through the tunnel. If you need to split the tunnel traffic on this client you can press the button to access the different options. Using either of these options will remove the value ''0.0.0.0/0'' from the AllowedIPs variable. The different options add values ​​regardless of whether the other options are active or not. 
 +      * **VPN** button. Pressing this button will remove the ''0.0.0.0/0'' network range from the AllowedIPs settings and add the network range that the plugin has set for this tunnel's VPN. 
 +      * **Local IP** button. Pressing this button will remove the network range ''0.0.0.0/0'' from the AllowedIPs settings and add the network range manually set in the tunnel settings to the Local IP field. 
 +      * **Additional subnet(s)** field. Allows you to manually add a network range to the AllowedIPs field on this client. 
 +  * Click **Save**. At this point, if you have already activated the tunnel and the client, the connection will be up and running. 
   * By pressing the button **Client Config** you can see the client configuration file, you can copy and paste the text in a file to configure the connection in the client. If you do it this way, add the ending ".conf" to the created file. Treat this file like a password, it is the access key to your network. Once the connection is configured, it is advisable to delete this file for security.    * By pressing the button **Client Config** you can see the client configuration file, you can copy and paste the text in a file to configure the connection in the client. If you do it this way, add the ending ".conf" to the created file. Treat this file like a password, it is the access key to your network. Once the connection is configured, it is advisable to delete this file for security. 
-  * A QR will appear in the table (if the client is enabled), which you can scan from a smartphone to configure the connection without having to copy a file. If you need to send it you can take a photo. Treat this image as a password, it is the access key to your network. +  * A QR will appear in the table (if the client is enabled), which you can scan from a smartphone to configure the connection without having to copy a file. If you need to send it you can take a photo. Treat this image as a password, it is the access key to your network (the first time the page loads after setup the QR code still does not appear, please reload the page or change tabs and come back to see the QR code).
   * Use a different client configuration for each client. If you configure the same connection on several clients at the same time, they will not be able to connect simultaneously.   * Use a different client configuration for each client. If you configure the same connection on several clients at the same time, they will not be able to connect simultaneously.
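Review bot: Typo in the added **Advanced Configuration** line: ''If you don'need any of this'' should be ''If you don't need any of this''. The rewrite also drops two facts from the removed **Restrict** paragraph that a split-tunnel user still needs: the server's address inside the tunnel (''10.192.1.254'' for tunnel 1, ''10.192.2.254'' for tunnel 2, ...) and the example of reaching a service through it (''10.192.1.254:8096'' for Jellyfin); restore them under the **VPN** button bullet, since that is the option that limits AllowedIPs to the tunnel network. Minor wording: "The different options add values regardless of whether the other options are active or not" is clearer as "Each option adds its range to AllowedIPs independently of the others", and "the network range manually set in the tunnel settings to the Local IP field" should read "the network range set manually in the tunnel's Local IP field".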
  
Line 148: Line 156:
  
   * By pressing the **Edit** button you can modify the parameters or disable the client. Select it previously.   * By pressing the **Edit** button you can modify the parameters or disable the client. Select it previously.
 +
 +<html><body><table width="100%" border="0"><tr><td colspan="2" style="background-color:#69A5FF;height:30px;"><strong><span style="color:#FFFFFF;font-size:110%;">&#160; Note
 +</span></strong></td></tr><tr><td style="background-color:#E6FEFF;height:25px;width:380px;">
 +Any changes made must be implemented again on the client using the QR code or configuration file for the changes to be applied.
 +</tr></table></body></html>
  
 ---- ----
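Review bot: The added HTML note box is not well-formed: the ''<td style="background-color:#E6FEFF;...">'' opened for the second row is never closed before ''</tr></table></body></html>''; add ''</td>'' after the note text so the table closes cleanly.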
Line 173: Line 186:
 ---- ----
  
-This tab allows you to create a tunnel with the custom settings you need. It allows to open an editing window where you can paste the configuration from a text file, therefore, you can choose the parameters you need for the tunnel.+This tab allows you to create a tunnel with the custom settings you need. It allows to open an editing window where you can paste the configuration from a text file, therefore, you can choose the parameters you need for the tunnel. Use this tab if you need to connect the server to an external (commercial) Wireguard VPN service.
  
 If you need to configure a tunnel to connect the point-to-point server with another server, or any other network topology, you must do so in this tab, since it allows you to manually define keys, networks and other necessary parameters. If you need to configure a tunnel to connect the point-to-point server with another server, or any other network topology, you must do so in this tab, since it allows you to manually define keys, networks and other necessary parameters.
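Review bot: The sentence added here repeats, almost verbatim, the one added to the intro bullet in this same revision; that is acceptable for a manual, but only this copy says "(commercial)", so align the two so a reader searching for either wording finds both. While touching this paragraph, "It allows to open an editing window" should be "It opens an editing window".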
Line 188: Line 201:
   * In the **Config** field write the configuration content of your tunnel following the Wireguard rules.   * In the **Config** field write the configuration content of your tunnel following the Wireguard rules.
     * You can see how to do it on the [[https://www.wireguard.com/#simple-network-interface|Wireguard]] website. Or use a template following the suggestion at the bottom of this section.     * You can see how to do it on the [[https://www.wireguard.com/#simple-network-interface|Wireguard]] website. Or use a template following the suggestion at the bottom of this section.
 +    * If you want to connect to a commercial VPN service, they will most likely provide you with the tunnel configuration template. In that case, simply copy and paste that template into the Config field.
     * If you need special topologies you can find them on the [[https://www.procustodibus.com/blog/2020/10/wireguard-topologies/|procustodibus.com]] website.     * If you need special topologies you can find them on the [[https://www.procustodibus.com/blog/2020/10/wireguard-topologies/|procustodibus.com]] website.
     * Note that the networks created by the plugin in the **Tunnel** and **Client** tabs are generated in the ''10.192.x.x'' network range. Therefore, choosing networks in this range may cause conflicts. In that case the service will not start and the plugin will throw an error.     * Note that the networks created by the plugin in the **Tunnel** and **Client** tabs are generated in the ''10.192.x.x'' network range. Therefore, choosing networks in this range may cause conflicts. In that case the service will not start and the plugin will throw an error.
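Review bot: The new bullet about pasting a provider template should point at the two constraints already on this page: the template's network range must not fall inside the plugin's ''10.192.x.x'' range (next bullet) or the service will not start, and the template carries the tunnel's keys, so it deserves the same "treat this like a password" handling the client configuration file gets in the Clients section. It is also worth saying what happens if the provider's template sets ''AllowedIPs = 0.0.0.0/0'': as the Restrict description explains, that value routes all traffic through the tunnel, which here means all of the server's traffic, not just a client's.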