TrueNAS SCALE is just what I need, so thanks guys.
One question, does Wireguard via CLI work for anybody?
It works on my desktop PC but not on SCALE :(
My steps:
create /etc/wireguard/wg0.conf with the following contents:
Code:
[Interface]
PrivateKey = ...
Address = ...
DNS = 193.138.218.74

[Peer]
PublicKey = ...
AllowedIPs = 0.0.0.0/0,::0/0
Endpoint = ...
wg-quick up wg0
Code:
truenas# wg show
interface: wg0
  public key: ...
  private key: ...
  listening port: 51548
  fwmark: 0xca6c

peer: ...
  endpoint: ...
  allowed ips: 0.0.0.0/0, ::/0
  latest handshake: 48 minutes, 49 seconds ago
  transfer: 92 B received, 93.04 KiB sent
but no connection beyond my openWRT router:
Code:
truenas# ping 192.168.1.1
PING 192.168.1.1 (192.168.1.1) 56(84) bytes of data.
64 bytes from 192.168.1.1: icmp_seq=1 ttl=64 time=0.430 ms
64 bytes from 192.168.1.1: icmp_seq=2 ttl=64 time=0.433 ms
64 bytes from 192.168.1.1: icmp_seq=3 ttl=64 time=0.436 ms
^C
--- 192.168.1.1 ping statistics ---
3 packets transmitted, 3 received, 0% packet loss, time 2027ms
rtt min/avg/max/mdev = 0.430/0.433/0.436/0.002 ms
Code:
truenas# ping 9.9.9.9
PING 9.9.9.9 (9.9.9.9) 56(84) bytes of data.
^C
--- 9.9.9.9 ping statistics ---
3 packets transmitted, 0 received, 100% packet loss, time 2028ms
I don't know much about iptables yet, maybe something is misconfigured?
Code:
truenas# iptables -L
Chain INPUT (policy ACCEPT)
target     prot opt source               destination
KUBE-ROUTER-INPUT  all  --  anywhere             anywhere             /* kube-router netpol - 4IA2OSFRMVNDXBVV */
KUBE-ROUTER-SERVICES  all  --  anywhere             anywhere             /* handle traffic to IPVS service IPs in custom chain */ match-set kube-router-service-ips dst
KUBE-FIREWALL  all  --  anywhere             anywhere
ACCEPT     tcp  --  192.168.1.101        anywhere             tcp dpt:6443
ACCEPT     tcp  --  localhost            anywhere             tcp dpt:6443
ACCEPT     tcp  --  localhost            anywhere             tcp dpt:6443
DROP       tcp  --  anywhere             anywhere             tcp dpt:6443

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination
KUBE-ROUTER-FORWARD  all  --  anywhere             anywhere             /* kube-router netpol - TEMCG2JMHZYE7H7T */
ACCEPT     all  --  anywhere             anywhere
ACCEPT     all  --  anywhere             anywhere             /* allow outbound node port traffic on node interface with which node ip is associated */
ACCEPT     all  --  anywhere             anywhere             /* allow inbound traffic to pods */
ACCEPT     all  --  anywhere             anywhere             /* allow outbound traffic from pods */

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination
KUBE-ROUTER-OUTPUT  all  --  anywhere             anywhere             /* kube-router netpol - VEAAIY32XVBHCSCY */
KUBE-FIREWALL  all  --  anywhere             anywhere

Chain KUBE-FIREWALL (2 references)
target     prot opt source               destination
DROP       all  --  anywhere             anywhere             /* kubernetes firewall for dropping marked packets */ mark match 0x8000/0x8000
DROP       all  -- !loopback/8           loopback/8           /* block incoming localnet connections */ ! ctstate RELATED,ESTABLISHED,DNAT

Chain KUBE-KUBELET-CANARY (0 references)
target     prot opt source               destination

Chain KUBE-ROUTER-FORWARD (1 references)
target     prot opt source               destination

Chain KUBE-ROUTER-INPUT (1 references)
target     prot opt source               destination
RETURN     all  --  anywhere             10.96.0.0/12         /* allow traffic to cluster IP - 4H2UH6XHRCCZXCYQ */
RETURN     tcp  --  anywhere             anywhere             /* allow LOCAL TCP traffic to node ports - LR7XO7NXDBGQJD2M */ ADDRTYPE match dst-type LOCAL multiport dports 30000:32767
RETURN     udp  --  anywhere             anywhere             /* allow LOCAL UDP traffic to node ports - 76UCBPIZNGJNWNUZ */ ADDRTYPE match dst-type LOCAL multiport dports 30000:32767

Chain KUBE-ROUTER-OUTPUT (1 references)
target     prot opt source               destination

Chain KUBE-ROUTER-SERVICES (1 references)
target     prot opt source               destination
ACCEPT     all  --  anywhere             anywhere             /* allow input traffic to ipvs services */ match-set kube-router-ipvs-services dst,dst
ACCEPT     icmp --  anywhere             anywhere             /* allow icmp echo requests to service IPs */ icmp echo-request
ACCEPT     icmp --  anywhere             anywhere             /* allow icmp destination unreachable messages to service IPs */ icmp destination-unreachable
ACCEPT     icmp --  anywhere             anywhere             /* allow icmp ttl exceeded messages to service IPs */ icmp time-exceeded
REJECT     all  --  anywhere             anywhere             /* reject all unexpected traffic to service IPs */ ! match-set kube-router-local-ips dst reject-with icmp-port-unreachable
I did exactly the same steps on my manjaro desktop, which is also connected to the openWRT router, and it works flawlessly.
Did I miss something which has to be done differently on TrueNAS SCALE?
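Added here as an example (not part of the post above, and not code from the WireGuard or TrueNAS projects): a small POSIX shell helper for checking a wg-quick interface whose peer has `AllowedIPs = 0.0.0.0/0`, i.e. the full-tunnel setup shown above. It classifies the kind of numbers `wg show` already prints (handshake age, bytes received vs. sent) and checks the policy-routing rules wg-quick installs for a default route: the hex `fwmark` from `wg show` (0xca6c) is also the decimal number of the routing table wg-quick uses (51820), and the two `ip rule` entries that send unmarked traffic into that table. It also reminds you that plain `iptables -L` lists only the filter table, while wg-quick's own rules go into the raw and mangle tables (or into an nftables table named `wg-quick-<interface>` when `nft` is installed). The interface name wg0, the 180-second staleness threshold, and the sample `ip rule` output are assumptions constructed for the example.

```shell
#!/bin/sh
# wg-check.sh: diagnostic helpers for a wg-quick full-tunnel interface.
# Added example, not from the original post or the WireGuard project.
# Assumptions: interface wg0, 180 s handshake staleness threshold.

# wg-quick uses the fwmark as the policy-routing table number, so the hex
# fwmark printed by `wg show` (0xca6c) is the decimal table to inspect (51820).
fwmark_table() {
    echo $(( $1 ))
}

# Classify the peer's latest handshake (epoch from `wg show wg0 latest-handshakes`).
# WireGuard re-handshakes about every two minutes while traffic flows, so a
# handshake older than 180 s on an interface that keeps sending means the
# peer has stopped answering.
handshake_state() {
    hs="$1"; now="$2"
    if [ "$hs" -eq 0 ]; then
        echo "never"
    elif [ $(( now - hs )) -gt 180 ]; then
        echo "stale"
    else
        echo "fresh"
    fi
}

# Classify byte counters from `wg show wg0 transfer` (rx tx). Kilobytes out
# with only a few bytes back means the handshake worked but replies are not
# coming back through the tunnel.
tunnel_direction() {
    rx="$1"; tx="$2"
    if [ "$rx" -eq 0 ] && [ "$tx" -eq 0 ]; then
        echo "idle"
    elif [ "$tx" -gt 1024 ] && [ "$rx" -lt 1024 ]; then
        echo "one-way"
    else
        echo "two-way"
    fi
}

# Check `ip rule` output for the two rules wg-quick adds for 0.0.0.0/0:
# unmarked traffic is looked up in table <fwmark>, and the main table wins
# only for routes more specific than the default route.
policy_rules_ok() {
    rules="$1"; mark="$2"
    table=$(fwmark_table "$mark")
    printf '%s\n' "$rules" | grep -q "not from all fwmark $mark lookup $table" || return 1
    printf '%s\n' "$rules" | grep -q "lookup main suppress_prefixlength 0" || return 1
}

# Constructed sample `ip rule` outputs (not captured from a real host).
SAMPLE_RULES="0:      from all lookup local
32764:  from all lookup main suppress_prefixlength 0
32765:  not from all fwmark 0xca6c lookup 51820
32766:  from all lookup main
32767:  from all lookup default"

BROKEN_RULES="0:      from all lookup local
32766:  from all lookup main
32767:  from all lookup default"

# Live run against a real interface (needs root, wg, ip, iptables/nft):
#   sh wg-check.sh live wg0
wg_diagnose() {
    ifc="${1:-wg0}"
    command -v wg >/dev/null 2>&1 || { echo "wg not installed"; return 2; }
    mark=$(wg show "$ifc" fwmark)
    [ "$mark" = "off" ] && { echo "no fwmark: not a 0.0.0.0/0 (full-tunnel) setup"; return 1; }
    table=$(fwmark_table "$mark")
    now=$(date +%s)
    hs=$(wg show "$ifc" latest-handshakes | awk '{print $2; exit}')
    echo "handshake: $(handshake_state "${hs:-0}" "$now")"
    wg show "$ifc" transfer | while read -r peer rx tx; do
        echo "peer ${peer%%=*}: $(tunnel_direction "$rx" "$tx") (rx=$rx tx=$tx)"
    done
    if policy_rules_ok "$(ip rule)" "$mark"; then
        echo "policy rules: ok, routes in table $table:"
        ip route show table "$table"
    else
        echo "policy rules: missing or altered; table $table is not being consulted"
    fi
    # `iptables -L` shows only the filter table; wg-quick's rules live elsewhere.
    iptables -t raw -S 2>/dev/null | grep -- "$ifc"
    iptables -t mangle -S 2>/dev/null | grep -e "$ifc" -e "$table"
    nft list table ip "wg-quick-$ifc" 2>/dev/null
}

if [ "${1:-}" = "live" ]; then
    wg_diagnose "${2:-wg0}"
fi
```

The pure helpers take their inputs as arguments, so they can be checked offline; `wg_diagnose` only runs when the script is invoked with `live`, and it uses the same `wg show <interface> fwmark|latest-handshakes|transfer` subcommands that produced the summary output above.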