[Guide] How to configure a Transmission Jail to use WireGuard with Mullvad

emk2203

Guru
Joined
Nov 11, 2012
Messages
573
The script needs to be run in the jail to work. I didn't test if there are commands which only work under Linux.
 
Joined
Oct 22, 2019
Messages
3,581
The script needs to be run in the jail to work. I didn't test if there are commands which only work under Linux.
I ran it in a jail, and it works with the wg-quick up/down commands. The script automatically creates a bunch of config files under /etc/wireguard/ named for each server/city that Mullvad provides.

Just pick your Mullvad server (for example, Sweden 25):

wg-quick up mullvad-se25

You can use that for autostart as well.

As far as only allowing connections through the VPN, that has to be done separately, with the previously mentioned firewall rules.
 

emk2203

Guru
Joined
Nov 11, 2012
Messages
573
If you can switch servers easily, there's real added value to use the script. Guess I have to look more into it.
 
Joined
Oct 22, 2019
Messages
3,581
For me, the message is clear. Use the kernel module even if you have to switch to 13.0-BETA for it if the main purpose of the machine is media server and torrents.
Since the official TrueNAS Core 13 release is around the corner, I want to ask something for clarity:

After upgrading TrueNAS Core to 13.0-RELEASE, in order to transition from the userspace wireguard to the kmod version (for a specific jail), I'd need to "upgrade" my qbittorrent jail to "13.0-RELEASE", and then within the jail simply remove wireguard-go? From what I'm gathering, I don't need to install any additional packages since FreeBSD 13's kernel includes wireguard?

If this is the case, I can then continue to use the same services / configs / scripts / CLI tools, but the only difference is I removed wireguard-go and am now using the built-in module?
 
Joined
Oct 22, 2019
Messages
3,581
Enable IPFW if that's not already the case.

Code:
# sysrc firewall_enable="YES"
# sysrc firewall_script="/etc/ipfw.rules"
# sysrc firewall_logging="YES"
Wanted to mention that the above apparently no longer works, unless you replace firewall with ipfw.

I was scratching my head wondering why it wasn't working, and getting errors about the "firewall" service not existing.

Then when I changed it to the following, everything worked as intended. (Using the same rules in your original post, including allowing local connections.)

Code:
# sysrc ipfw_enable="YES"
# sysrc ipfw_script="/etc/ipfw.rules"
# sysrc ipfw_logging="YES"


I read online of others with a similar problem on FreeBSD, some posts were later 2021, and some in 2022.

Am I interpreting this incorrectly?



UPDATE: It works fine. User/keyboard/typing error. :tongue:
 

Volts

Patron
Joined
May 3, 2021
Messages
210
Code:
# sysrc ipfw_enable="YES"
# sysrc ipfw_script="/etc/ipfw.rules"
# sysrc ipfw_logging="YES"

I don't think so. Can you share some of those posts & references?

What version is the jail? uname -a.
What's in /etc/rc.conf and what's the output from ipfw list?

The script looks for firewall_enable:
Code:
# grep rcvar /etc/rc.d/ipfw
rcvar="firewall_enable"
 
Joined
Oct 22, 2019
Messages
3,581
You've got to be kidding me.

I wrote up a lengthy reply, with the requested info about my config and system/kernel info and output from ipfw list, but before I posted I wanted to generate the error I was getting and how the firewall wasn't working until I changed it to ipfw.

But then it works just fine! Me and my amazing self must have misspelled it or made a typo somewhere down the line. :oops:
 
Joined
Oct 22, 2019
Messages
3,581
Just to continue from above, I did a test where I ran...

Code:
sysrc thisisatypo_enable="YES"


...and it added it to my rc.conf without any issues. I had assumed that sysrc would do some sort of "check" to make sure that such a service exists in the first place before inserting a line into rc.conf.

I'm so used to systemd/systemctl on Linux. FreeBSD still feels new to me. o_O
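
An added example (not part of the original posts) that follows from the two observations above: `sysrc` writes any variable name, and the ipfw rc script only honours the name in its `rcvar=` line. The script lists `*_enable="YES"` entries in rc.conf that no rc.d script declares; the function names are made up for this example, and only the literal and `${name}_enable` forms of `rcvar=` are parsed.

```shell
#!/bin/sh
# Added example: find *_enable="YES" lines in rc.conf that no rc.d script
# declares as its rcvar (sysrc accepts any name, so typos go unnoticed).

# Print every rcvar declared by scripts in the given rc.d directories.
# Handles rcvar="literal" and rcvar=${name}_enable; other forms are skipped.
declared_rcvars() {
    for dir in "$@"; do
        for f in "$dir"/*; do
            [ -f "$f" ] || continue
            name=$(sed -n 's/^name="\{0,1\}\([A-Za-z0-9_]*\)"\{0,1\}.*/\1/p' "$f" | head -n 1)
            sed -n 's/^rcvar="\{0,1\}\([^"`]*\)"\{0,1\}.*/\1/p' "$f" | head -n 1 |
                sed -e "s/[$]{name}/$name/" -e "s/[$]name/$name/"
        done
    done | grep -E '^[A-Za-z0-9_]+$' | sort -u
}

# Print the names of *_enable variables set to YES in rc.conf-style files.
enabled_vars() {
    sed -n 's/^[[:space:]]*\([A-Za-z0-9_]*_enable\)="\{0,1\}[Yy][Ee][Ss]"\{0,1\}.*/\1/p' "$@" |
        sort -u
}

# Usage: orphan_enables RC_CONF RC_D_DIR...
# Print enabled variables that match no declared rcvar.
orphan_enables() {
    conf="$1"; shift
    declared=$(declared_rcvars "$@")
    enabled_vars "$conf" | while read -r var; do
        printf '%s\n' "$declared" | grep -qxF "$var" || echo "$var"
    done
}

# Check the live system only when called with "run".
if [ "${1:-}" = "run" ]; then
    orphan_enables /etc/rc.conf /etc/rc.d /usr/local/etc/rc.d
fi
```

A reported name is a prompt to look, not proof of a typo: a few `*_enable` knobs are read by rc scripts without being that script's `rcvar`.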
 

Volts

Patron
Joined
May 3, 2021
Messages
210
That works great on my system, but I've been using the thisisatypo service for years. I hope to migrate away from it eventually.
 

glauco

Guru
Joined
Jan 30, 2017
Messages
524
Joined
Jan 27, 2020
Messages
577
After upgrading TrueNAS Core to 13.0-RELEASE, in order to transition from the userspace wireguard to the kmod version (for a specific jail), I'd need to "upgrade" my qbittorrent jail to "13.0-RELEASE", and then within the jail simply remove wireguard-go? From what I'm gathering, I don't need to install any additional packages since FreeBSD 13's kernel includes wireguard?

Sorry, didn't see the question answered? So how about it? Is it working right out of the box when migrating my jail?
 
Joined
Oct 22, 2019
Messages
3,581
Sorry, didn't see the question answered? So how about it? Is it working right out of the box when migrating my jail?

I was asking out of curiosity to make sure I understand what needs to be done after upgrading to TrueNAS Core 13.x (FreeBSD 13 series.)

I haven't upgraded yet, as I plan to wait until TrueNAS Core 13.0-U2 at least.
 
Joined
Oct 22, 2019
Messages
3,581
Another interesting issue has popped up.

Is there a way to restart the wireguard service (or even just reload the wireguard interface) when it goes down / disconnects?

I noticed in my jail, there was no connectivity with qBittorrent. Under qBittorrent's advanced options, I also noticed that the "interface" was blank, where it should show the wireguard interface. There was no wireguard interface to even choose if I wanted to.

The firewall was working as intended, in that no connections could go through anything other than the VPN.

However, the wireguard service did not restart itself, nor did the interface reload itself. This is the problem.

I had to manually restart the wireguard service for everything to be working again.

I searched around the web but could not really find a solution that works in FreeBSD that is intuitive for me. Would I need a script or even cron job to periodically check if the VPN works, and then restart the wireguard service if it's not working?
 
Joined
Jan 27, 2020
Messages
577
Another interesting issue has popped up.

Is there a way to restart the wireguard service (or even just reload the wireguard interface) when it goes down / disconnects?

I noticed in my jail, there was no connectivity with qBittorrent. Under qBittorrent's advanced options, I also noticed that the "interface" was blank, where it should show the wireguard interface. There was no wireguard interface to even choose if I wanted to.

The firewall was working as intended, in that no connections could go through anything other than the VPN.

However, the wireguard service did not restart itself, nor did the interface reload itself. This is the problem.

I had to manually restart the wireguard service for everything to be working again.

I searched around the web but could not really find a solution that works in FreeBSD that is intuitive for me. Would I need a script or even cron job to periodically check if the VPN works, and then restart the wireguard service if it's not working?
+1
It would really be appreciated, if someone with more knowledge could clear that up.
You can restart the module with this command, finding of @glauco: kldload /boot/modules/if_wg.ko

You can check status of the wireguard connection with wg show
 
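
One way to do the periodic check asked about above, as an added example that is not part of the original posts: a cron-driven watchdog that reads the handshake times from `wg show` and restarts the wireguard service when the tunnel is stale or the interface is missing. The interface name `wg0`, the 180-second limit and the function names are assumptions.

```shell
#!/bin/sh
# Added example: WireGuard tunnel watchdog for a FreeBSD jail, meant for cron.
# Assumptions: interface "wg0", a 180 s staleness limit, and the "wireguard"
# rc service; adjust to your setup.
IFACE="${IFACE:-wg0}"
MAX_AGE="${MAX_AGE:-180}"

# Usage: handshake_state NOW MAX_AGE
# Reads `wg show IFACE latest-handshakes` output (pubkey<TAB>epoch) on stdin.
# Prints "ok" if any peer completed a handshake within MAX_AGE seconds,
# "stale" otherwise. Epoch 0 means the peer never completed a handshake.
handshake_state() {
    awk -v now="$1" -v limit="$2" '
        $2 > 0 && (now - $2) <= limit { fresh = 1 }
        END { print (fresh ? "ok" : "stale") }'
}

# Query the live interface; a missing interface makes wg fail, which is
# reported as "stale" so the service gets restarted.
check_tunnel() {
    out=$(wg show "$IFACE" latest-handshakes 2>/dev/null) || { echo stale; return; }
    printf '%s\n' "$out" | handshake_state "$(date +%s)" "$MAX_AGE"
}

watchdog() {
    if [ "$(check_tunnel)" = "stale" ]; then
        logger -t wg-watchdog "$IFACE: no recent handshake or interface missing, restarting"
        service wireguard restart
    fi
}

# Act only when called with "run", so the functions can be sourced safely.
if [ "${1:-}" = "run" ]; then
    watchdog
fi
```

Run it with the `run` argument from root's crontab inside the jail. An idle tunnel without `PersistentKeepalive` in its config stops handshaking and will look stale, so set a keepalive or raise `MAX_AGE` if the client is often idle.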

emk2203

Guru
Joined
Nov 11, 2012
Messages
573
Joined
Jun 27, 2022
Messages
23
Hi guys.

@Mannekino @emk2203 Thanks so much for the wisdom and help you guys put forth. It really helps the community grow and when looking for solutions.

I've recently set up TrueNAS Core (running 13.0-U1.1 atm) about a month ago. Got a hang of some stuff, enough to get my SMB working, plex, sab, and *arr applications up and running. Where this thread comes in is torrent apps/plugins running in a jail with its own vpn.

I've tried no less than 15 different threads/guides, etc. I've used OpenVPN and got so far and just hit a wall. So I switched to Mullvad and Wireguard also recognizing the benefits of doing so.

With wireguard I am able to connect. I can see my ip is now whatever config I chose. I can hit the Mullvad curl command and get a response that I am on their server and connected.

What I don't and haven't yet solved for is that the app/website either doesn't work (transmission) or it works (rtorrent) but it errors when you feed it a torrent. I know I am connecting via vpn and all, but the application is not getting the vpn passed through I imagine. I've added the port I am forwarding, same port is forwarded in my router and I put it in transmission and rtorrent.

Can I show any logs that would help? What should I do next?

Also, curious about the .sh script @winnielinnie added to the thread. How would one go about running that? I still haven't connected via SSH yet, so if needed, I need to be taught :). I have SSH'ed before, into android devices and servers, but it's been a while...

Thanks all.
 
Joined
Oct 22, 2019
Messages
3,581
I've added the port I am forwarding, same port is forwarded in my router and I put it in transmission and rtorrent.
Whatever configuration of port forwarding you have in your router is not used with Mullvad's port forwarding. You need to manage your forwarded ports and wireguard keys on your Mullvad account. You must also always use the same Mullvad server/city as that configured in your Mullvad's Port Forwarding config. (This is why you don't want to connect to random servers each time you fire up the wireguard connection.)



Also, curious about the .sh script @winnielinnie added to the thread. How would one go about running that? I still haven't connected via SSH yet, so if needed, I need to be taught :). I have SSH'ed before, into android devices and servers, but it's been a while...
Whether via SSH or through the "Jail's Shell", it's a script provided by Mullvad themselves. You simply run the script inside of the Jail, and it will populate /etc/wireguard/ with a bunch of wg configs, based on your Mullvad account, appropriately named "mullvad-us18.conf", and so on, depending on the server/city.

You do need some prerequisites installed to use this script:
Code:
pkg install jq curl openresolv


Actually, the last one (openresolv) is only optional. I don't have it installed.

Then you can download and run the script based on their official instructions.
Code:
curl -LO https://mullvad.net/media/files/mullvad-wg.sh && chmod +x ./mullvad-wg.sh && ./mullvad-wg.sh


You can separate the download and execution steps if you prefer to do things one step at a time.

(In fact, I keep a copy of mullvad-wg.sh in my jail root user's home folder. I can always download the "latest version" at any time in the future.)

It will prompt you for your Mullvad account number, and will automatically generate wireguard configs for you. You can then select which one you prefer (for example "mullvad-se8.conf"), and add it to your startup / service using the wg-quick up command (or modify the standard wireguard service.)

Or even just copy/rename one of the .conf files into a generic name, such as cp -v mullvad-se8.conf wg.conf

Then simply use this "adapter" for your bittorrent client and so on.

Using a "generic name" can help, since it means you do not need to change anything in your startup / services, but simply copy whatever city/server .conf you prefer and overwrite the generic "wg.conf" with the new one of your choice. :smile:


As for a "kill switch" or "only use the Mullvad VPN", see @emk2203's post above for simple firewall rules that essentially restrict internet-facing connections to the wireguard VPN. You can also specify to only use the wireguard interface with whatever client you use (in qBittorrent's settings for instance).
 
Joined
Jun 27, 2022
Messages
23
Whatever configuration of port forwarding you have in your router is not used with Mullvad's port forwarding. You need to manage your forwarded ports and wireguard keys on your Mullvad account. You must also always use the same Mullvad server/city as that configured in your Mullvad's Port Forwarding config. (This is why you don't want to connect to random servers each time you fire up the wireguard connection.)


@winnielinnie Super helpful. I will look into the script per your directions. As for port forward, yes always using mullvad to setup port to be attached to the same device and same city. I just thought that also needed forwarding in my router. I took it out. Will that all of a sudden allow plug-in to work?
 