Potential issues with Wireguard? #1642

Closed
DavidGarciaCat opened this issue Oct 14, 2024 · 5 comments · Fixed by #1917

@DavidGarciaCat
Contributor

Hey, guys,

I have noticed two points when trying to use WireGuard with my Umbrel Home:

  1. The configuration file points to umbrel.local:51820, meaning any external connection will never occur because that's an inaccessible endpoint if I'm not at home. It would be convenient to explain how we can create an out-home accessible endpoint so our devices can connect when we're in a hotel or anywhere else. Can the Cloudflare Tunnel App help here? But I saw we can only define TCP connections, not UDP.

  2. WireGuard usually works with TCP/UDP protocols and port 51820. To prevent unexpected issues, maybe adding a note in the App description informing the user that they will need to open this port in their router/firewall would be convenient.

Cheers,

@al-lac
Contributor

al-lac commented Dec 10, 2024

Hey! I use the Nginx Proxy Manager to achieve this. You can also set up UDP connections there.

But I agree, there should be a note in the WireGuard App Description that provides some help on how to set this up.

@DavidGarciaCat
Contributor Author

> Hey! I use the Nginx Proxy Manager to achieve this. You can also set up UDP connections there.

The issue is not about the Nginx Proxy Manager per se but the fact that if we scan the QR code or download the config file, the hostname targets a host in the same network. To be honest, I don't know if this may have an "easy fix".

So far, Cloudflare Tunnels are helping, so I am unsure if I want to use NPM at the moment. We shall see...

@al-lac
Contributor

al-lac commented Dec 10, 2024

Ah yeah totally true, sorry misread that. Will adapt the guide in the PR with a short guide that ports need to be opened on the router.

I just changed the hostname after downloading the config via the QR Code.

Guess to fix the QR Code you would need to access the WireGuard web UI via a domain that resolves to your WAN IP.
Or an option in Umbrel to override the WG_HOST variable with a value the user provides.

@DavidGarciaCat
Contributor Author

> Guess to fix the QR Code you would need to access the WireGuard web UI via a domain that resolves to your WAN IP. Or an option in Umbrel to override the WG_HOST variable with a value the user provides.

In this case, it seems like we need to provide Umbrel Home's password + 2FA, otherwise we don't get access (somehow, makes sense, as WireGuard doesn't have a login/pass page)

Still, it won't work because I browse my UmbrelOS via IP address, and yet I get the hostname instead

@al-lac
Contributor

al-lac commented Dec 11, 2024

Yeah that actually checks out, now that I looked at the config again. It sets the WG_HOST variable to ${DEVICE_DOMAIN_NAME}, so it always will point to umbrel.local or whatever your device hostname is.

Only real fix here would be to make the WG_HOST value configurable by the user.

I created an issue already that would tackle this: getumbrel/umbrel#1949

For now I at least updated the description on the app.
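
The workaround discussed in this thread (editing the hostname in the downloaded client config, because WG_HOST resolves to the device's local name) can be checked and applied with a short script. This is an added example, not code from Umbrel or the WireGuard app; the sample config, its placeholder keys and the name `vpn.example.com` are constructed for illustration.

```python
import ipaddress
import re

# Constructed sample of a downloaded client config; the keys are placeholders.
SAMPLE_CONF = """\
[Interface]
PrivateKey = <client-private-key-placeholder>
Address = 10.8.0.2/24

[Peer]
PublicKey = <server-public-key-placeholder>
AllowedIPs = 0.0.0.0/0, ::/0
Endpoint = umbrel.local:51820
"""

# Endpoint = host:port, where host may be a name, an IPv4 or a [bracketed] IPv6.
ENDPOINT_RE = re.compile(
    r"^([ \t]*Endpoint[ \t]*=[ \t]*)(\S+):(\d+)[ \t]*$", re.M | re.I)

def endpoint_problem(host):
    """Return why `host` cannot be reached from outside the LAN, or None."""
    bare = host.strip("[]")
    try:
        ip = ipaddress.ip_address(bare)
    except ValueError:  # not an IP literal, so judge it as a DNS name
        if bare.lower().endswith(".local"):
            return "mDNS name, resolves only on the local network"
        if "." not in bare:
            return "single-label hostname, no public DNS record"
        return None
    return None if ip.is_global else "non-public IP address"

def audit(conf):
    """List (host, port, problem) for every Endpoint line in the config."""
    return [(m.group(2), int(m.group(3)), endpoint_problem(m.group(2)))
            for m in ENDPOINT_RE.finditer(conf)]

def rewrite_endpoint(conf, public_host):
    """Replace only unreachable Endpoint hosts with `public_host`; keep the port."""
    if endpoint_problem(public_host):
        raise ValueError(f"{public_host!r} is not externally reachable either")
    def fix(m):
        if endpoint_problem(m.group(2)) is None:
            return m.group(0)
        return f"{m.group(1)}{public_host}:{m.group(3)}"
    return ENDPOINT_RE.sub(fix, conf)

if __name__ == "__main__":
    print(rewrite_endpoint(SAMPLE_CONF, "vpn.example.com"))
```

Only the `Endpoint` line is touched, so the keys and `AllowedIPs` in the downloaded file stay exactly as generated.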
