Connect truenas to wireguard (Mullvad)

ghostrider

Cadet
Joined
Apr 15, 2023
Messages
7
Hello,

This may seem like a question more appropriate for WireGuard than TrueNAS, but I'm posting it here just to see if there's any sort of special quirk on TrueNAS that needs to be configured beforehand that isn't directly related to WireGuard.

Having recently installed TrueNAS SCALE, I'm now in the process of routing all my TrueNAS traffic to my VPN provider, similar to what I do with all my other servers.
When I SSH to the system I see that the WireGuard binaries are already present by default; however, once WireGuard is configured and I try to connect to Mullvad, I see routes being pushed but I'm unable to ping or resolve anything.

    ~# wg-quick up wg0
    [#] ip link add wg0 type wireguard
    [#] wg setconf wg0 /dev/fd/63
    [#] ip -4 address add X.X.X.X dev wg0
    [#] ip link set mtu 1420 up dev wg0
    [#] resolvconf -a wg0 -m 0 -x
    [#] wg set gw0 fwmark 51820
    [#] ip -4 route add 0.0.0.0/0 dev gw0 table 51820
    [#] ip -4 rule add not fwmark 51820 table 51820
    [#] ip -4 rule add table main suppress_prefixlength 0
    [#] sysctl -q net.ipv4.conf.all.src_valid_mark=1
    [#] nft -f /dev/fd/63
    [#] ip r a 192.168.1.0/24 via 172.16.2.1

(The last line is a static route I added to allow access to my LAN subnet.)

When I filter ICMP with tcpdump, I see packets leaving the virtual wg interface, but I get no response (echo reply):

    ~# ping 1.1.1.1
    PING 1.1.1.1 (1.1.1.1) 56(84) bytes of data.
    13:25:15.023875 wg0 Out IP X.X.X.X > 1.1.1.1: ICMP echo request, id 28503, seq 1, length 64
    13:25:16.033189 wg0 Out IP X.X.X.X > 1.1.1.1: ICMP echo request, id 28503, seq 2, length 64
    13:25:17.057175 wg0 Out IP X.X.X.X > 1.1.1.1: ICMP echo request, id 28503, seq 3, length 64
    13:25:18.081177 wg0 Out IP X.X.X.X > 1.1.1.1: ICMP echo request, id 28503, seq 4, length 64
    13:25:19.105144 wg0 Out IP X.X.X.X > 1.1.1.1: ICMP echo request, id 28503, seq 5, length 64
    13:25:20.129130 gw0 Out IP X.X.X.X > 1.1.1.1: ICMP echo request, id 28503, seq 6, length 64
    13:25:21.153174 gw0 Out IP X.X.X.X > 1.1.1.1: ICMP echo request, id 28503, seq 7, length 64
    ^C
    --- 1.1.1.1 ping statistics ---
    7 packets transmitted, 0 received, 100% packet loss, time 6129ms

Upon closer inspection of the iptables rules, nothing strikes me as a blocking factor.

My WireGuard configuration looks like this:

    [Interface]
    PrivateKey = (...)
    Address = X.X.X.X
    DNS = X.X.X.X
    PostUp = ip r a 192.168.1.0/24 via 172.16.2.1
    PostDown = ip r d 192.168.1.0/24

    [Peer]
    PresharedKey = (...)
    PublicKey = (...)
    Endpoint = 193.32.126.69:31173
    AllowedIPs = 0.0.0.0/0
    PersistentKeepalive = 25


Does anyone have any idea what might be missing and how to route all TrueNAS traffic through WireGuard?
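Two checks for the situation in the post above, added here as an example and not code from TrueNAS, wireguard-tools or Mullvad: a small parser and validator for a wg-quick client config shaped like the one posted (the keys, Address and DNS values are constructed placeholders; the Endpoint is the one from the post), and a reader for `wg show wg0 dump` that turns the peer's latest-handshake time and byte counters into the next thing to check. When packets visibly leave wg0 and nothing comes back, `wg show wg0` is the first place to look: a latest-handshake of 0 means the peer never answered the handshake at all, which is usually a key, Endpoint or UDP reachability problem rather than a routing one.

```python
# Added example, not TrueNAS/wireguard-tools/Mullvad code: validate a wg-quick config, read `wg show dump`.
import base64
import binascii
import re

# Constructed key: 32 arbitrary bytes, base64-encoded, so the length checks pass.
FAKE_KEY = base64.b64encode(bytes(range(32))).decode()

# Config shaped like the one posted above, with constructed addresses and keys.
SAMPLE_CONF = f"""\
[Interface]
PrivateKey = {FAKE_KEY}
Address = 10.66.0.2/32
DNS = 10.64.0.1
PostUp = ip r a 192.168.1.0/24 via 172.16.2.1
PostDown = ip r d 192.168.1.0/24

[Peer]
PresharedKey = {FAKE_KEY}
PublicKey = {FAKE_KEY}
Endpoint = 193.32.126.69:31173
AllowedIPs = 0.0.0.0/0
PersistentKeepalive = 25
"""

# Constructed `wg show wg0 dump` (tab-separated, per wg(8)). fwmark 0xca6c is 51820 as in
# the wg-quick output above; latest-handshake 0 and rx 0 match "packets leave, nothing back".
SAMPLE_DUMP = "\n".join([
    "\t".join([FAKE_KEY, FAKE_KEY, "48193", "0xca6c"]),
    "\t".join([FAKE_KEY, FAKE_KEY, "193.32.126.69:31173", "0.0.0.0/0",
               "0", "0", "1488", "25"]),
])


def parse_conf(text):
    """Parse wg-quick INI text into {"interface": {...}, "peers": [{...}]}.
    Keys are lower-cased because wg(8) matches them case-insensitively."""
    conf, section = {"interface": {}, "peers": []}, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        if line.lower() == "[interface]":
            section = conf["interface"]
        elif line.lower() == "[peer]":
            conf["peers"].append({})
            section = conf["peers"][-1]
        elif section is None or "=" not in line:
            raise ValueError(f"unexpected line: {raw!r}")
        else:
            key, _, value = line.partition("=")
            section[key.strip().lower()] = value.strip()
    return conf


def is_key(value):
    """A WireGuard key is exactly 32 bytes of base64 (44 characters)."""
    try:
        return len(base64.b64decode(value, validate=True)) == 32
    except (binascii.Error, ValueError):
        return False


def check_conf(conf):
    """Return a list of findings for a client config; empty means it is well-formed."""
    findings, iface = [], conf["interface"]
    for k in ("privatekey", "address"):
        if k not in iface:
            findings.append(f"[Interface] missing {k}")
    if not is_key(iface.get("privatekey", "")):
        findings.append("[Interface] PrivateKey is not 32 base64 bytes")
    for i, peer in enumerate(conf["peers"]):
        for k in ("publickey", "presharedkey"):
            if k in peer and not is_key(peer[k]):
                findings.append(f"peer {i}: {k} is not 32 base64 bytes")
        m = re.fullmatch(r"(\[[^\]]+\]|[^:]+):(\d{1,5})", peer.get("endpoint", ""))
        if not m or not 1 <= int(m.group(2)) <= 65535:
            findings.append(f"peer {i}: Endpoint must be host:port")
        # With AllowedIPs 0.0.0.0/0 wg-quick's fwmark rules send everything into the
        # tunnel; a LAN subnet stays reachable only through a more-specific route.
        if "0.0.0.0/0" in peer.get("allowedips", "") and "postup" not in iface:
            findings.append(f"peer {i}: full tunnel with no PostUp route for the LAN")
    return findings


def parse_dump(text):
    """Parse `wg show <iface> dump`: first row is the interface, then one row per peer."""
    rows = [r.split("\t") for r in text.strip().splitlines()]
    iface = dict(zip(("private_key", "public_key", "listen_port", "fwmark"), rows[0]))
    names = ("public_key", "preshared_key", "endpoint", "allowed_ips",
             "latest_handshake", "rx_bytes", "tx_bytes", "keepalive")
    # Columns 4..6 (handshake epoch seconds, rx bytes, tx bytes) are numeric.
    peers = [dict(zip(names, r[:4] + [int(x) for x in r[4:7]] + r[7:])) for r in rows[1:]]
    return iface, peers


def diagnose(peer, now):
    """Map a peer's handshake time and byte counters to the next thing to check."""
    if peer["latest_handshake"] == 0:
        return "no handshake ever: check keys, Endpoint, and that UDP to it is not blocked"
    if now - peer["latest_handshake"] > 180:
        return "handshake stale: the endpoint stopped answering"
    if peer["rx_bytes"] == 0:
        return "handshake done but nothing received: check the Address assigned to this key"
    return "tunnel carries data: look at routing and nft rules on the return path"
```

On the NAS, `wg show wg0 dump` gives parse_dump its real input; the constructed SAMPLE_DUMP reproduces this thread's symptom (handshake never completed, bytes sent, none received), which is exactly the state where tcpdump shows echo requests leaving wg0 and nothing returning.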

morganL

Captain Morgan
Administrator
Moderator
iXsystems
Joined
Mar 10, 2018
Messages
2,694
Are you using the Wireguard App?

ghostrider

Cadet
Joined
Apr 15, 2023
Messages
7
Sorry for the delay, not really, I'm using the wireguard binaries installed in the system.
The idea is to set this up system-wide as opposed to just in containers.

morganL

Captain Morgan
Administrator
Moderator
iXsystems
Joined
Mar 10, 2018
Messages
2,694
> Sorry for the delay, not really, I'm using the wireguard binaries installed in the system.
> The idea is to set this up system-wide as opposed to just in containers.
Not supported except through the wireguard App (wg-easy). But the wireguard App can enable a whole system to be WG accessible.


sammael

Explorer
Joined
May 15, 2017
Messages
76
> But the wireguard App can enable a whole system to be WG accessible.

@morganL Hi, could you please elaborate on this? Googling yields just guides on how to use wg-easy to create your own tunnel, not how to connect via a provider (like Mullvad). Thanks!

morganL

Captain Morgan
Administrator
Moderator
iXsystems
Joined
Mar 10, 2018
Messages
2,694
Don't know about Mullvad specifically... may require its own App?

Does it get packaged as a container?

sammael

Explorer
Joined
May 15, 2017
Messages
76
> Don't know about Mullvad specifically... may require its own App?
>
> Does it get packaged as a container?

Yeah, it has its own app, but you can also get just the wg.conf file with the keys, and I know I could use the WireGuard binaries on the system plus a cron job. I was just looking for something more official (like installing the Mullvad app on a normal Linux system). Upon re-reading what you said I understood what you meant; the first time I thought it was possible to set up wg-easy with a provider's keys, but I get it now.

morganL

Captain Morgan
Administrator
Moderator
iXsystems
Joined
Mar 10, 2018
Messages
2,694
> Yeah, it has its own app, but you can also get just the wg.conf file with the keys, and I know I could use the WireGuard binaries on the system plus a cron job. I was just looking for something more official (like installing the Mullvad app on a normal Linux system). Upon re-reading what you said I understood what you meant; the first time I thought it was possible to set up wg-easy with a provider's keys, but I get it now.

Every VPN solution is a bit different... they generally need to be packaged, rather than built from blocks.