[Guide] How to configure a Transmission Jail to use WireGuard with Mullvad

Mannekino

Patron
Joined
Nov 14, 2012
Messages
332
After dealing with unexplained problems related to using OpenVPN and PIA in my Transmission Jail I decided to switch to something else. I spent the last 5 days trying to troubleshoot the problem but got nowhere. After discussing my problems on Discord it was suggested I switch to a different VPN provider and I got suggested Mullvad. On the website of Mullvad they recommended the use of WireGuard instead of OpenVPN so I changed that also.

Prerequisites
This guide assumes you have a Transmission Jail running on the latest version of TrueNAS with your Jails at version 12.2-RELEASE-p2. It will most likely work on older versions also for FreeNAS 11.3 with Jails at either 11.3-RELEASE or 11.4-RELEASE.

If you're currently using OpenVPN with PIA you need to disable that which I will cover in the guide. If you don't have a VPN currently you can skip that part.

Make sure you have enabled to latest packages in your Jail. You can follow these two guides for that, depending if you're using a plugin or manual Jail.
Please note that the above guides are for FreeNAS 11. I still used the manual Jail guide this week but made sure to replace the version numbers with 12 whenever I encountered that and it seemed to have worked just fine.

Basic information
I am running my Jail with VNET and a static IP address. I haven't tested this with any other networking configuration so be aware of that.

I believe you need to enable the Berkeley Packet Filter if you're using DHCP but I'm not sure about that, maybe someone more knowledgeable can comment on that.

Making sure your Jail can create a VPN connection
In order for your Jail to create a VPN connection you need to enableallow_tun under the Custom Properties section. I've also disabled IPv6 in my Jail because I had problems with that while using OpenVPN. I don't know if this is nessacary for this setup, since I didn't change those settings I'm including them here in case you run into issues with that also.

Under:
  • Basic Properties: write in none at IPv6 Default Router
  • Jail Properties: enable allow_raw_sockets
  • Network Properties: select Disabled for ip6
  • Custom Properties: enable allow_tun
Disable and stop OpenVPN in the Jail
If you're currently using OpenVPN with PIA or another VPN provider you need to disable that. Also stop the OpenVPN service if it's currently running.

Code:
# sysrc openvpn_enable="NO"
# service openvpn stop

Alternatively you can edit /etc/rc.conf manually to set OpenVPN to disabled. Completely removing the OpenVPN package is an option also, but I kept it installed just in case.

Stop Transmission
Before we continue make sure to stop the Transmission daemon.

Code:
# service transmission stop

Get a Mullvad account and subscription
After you made your account on Mullvad and paid for some server time you can generate a configuration file for WireGuard.

Go to: https://mullvad.net/en/account/#/wireguard-config/
  1. I selected Linux
  2. Generate your key
  3. I selected a single country, city and server
  4. Opted for IPv4 only
  5. Left the custom port at default value that was filled in
  6. Download the configuration file
1610543848683.png


If you only selected a single server it should download a single plain text file, otherwise you will get an archive for each server. You need this later. Mine was very simple with this:

Code:
[Interface]
PrivateKey = <private_key>
Address = 10.xxx.xxx.xxx/32
DNS = 193.xxx.xxx.xxx

[Peer]
PublicKey = <public_key>
AllowedIPs = 0.0.0.0/0
Endpoint = 193.xxx.xxx.xxx:xxxxx

After downloading the file you need to generate a random port you can use for port forwarding.

Go to: https://mullvad.net/en/account/#/ports and click on the + icon next to your newly generated key to get a new random port. This is what we will configure in Transmission later

1610546027602.png


Install WireGuard
For the most part I've used this guide for installing WireGuard so credits to go that author I just skipped some parts. To make sure this guide is complete I will include all the steps I've done here.

Installing the package

Code:
# pkg install wireguard

Create a PostDown script to restore the default nameserver
I noticed after stopping WireGuard I could no longer resolve hostnames. WireGuard enables its own DNS server after the VPN connection is established. I created a basic PostDown script to restore my own nameserver.

Code:
# touch /usr/local/etc/wireguard/postdown.sh
# chmod+x /usr/local/etc/wireguard/postdown.sh

Use your favorite editor to put contents below in the file. Normally I would be using my router's IP address. You can check what you have now by looking into /etc/resolv.conf and putting that in the script.

Code:
#!/usr/local/bin/bash

# Replace resolv.conf with original
echo "# Generated by resolvconf
search <local_domain>
nameserver <local_dns>" > /etc/resolv.conf

Create a WireGuard configuration file
We need to create a configuration file for WireGuard to use when you start the service

Code:
touch /usr/local/etc/wireguard/wg0.conf

Put the contents of the configuration file you downloaded from Mullvad in this file except we need to add a line for the PostDown script in the [Interface] section. Mine ended up looking like this:

Code:
[Interface]
PrivateKey = <private_key>
Address = 10.xxx.xxx.xxx/32
DNS = 193.xxx.xxx.xxx
PostDown = /usr/local/etc/wireguard/postdown.sh

[Peer]
PublicKey = <public_key>
AllowedIPs = 0.0.0.0/0
Endpoint = 193.xxx.xxx.xxx:xxxxx

Activate the WireGuard service
Type the following to lines to activate the WireGuard service on startup of the Jail and to point it to the right configuration file

Code:
# sysrc wireguard_interfaces="wg0"
# sysrc wireguard_enable="YES"

Start WireGuard
Now you can start WireGuard and should give you a similar output:

Code:
# service wireguard start

[#] wireguard-go wg0
INFO: (wg0) 2021/01/13 14:42:11 Starting wireguard-go version 0.0.20201118
[#] wg setconf wg0 /tmp/tmp.3EiiwRXA/sh-np.ycuyMB
[#] ifconfig wg0 inet 10.xxx.xxx.xxx/32 10.69.215.15 alias
[#] ifconfig wg0 mtu 1420
[#] ifconfig wg0 up
[#] resolvconf -a wg0 -x
[#] route -q -n add -inet 0.0.0.0/1 -interface wg0
[#] route -q -n add -inet 128.0.0.0/1 -interface wg0
[#] route -q -n add -inet 193.xxx.xxx.xxx -gateway 192.168.178.1
[+] Backgrounding route monitor

Check if you have a connection

Code:
# ping truenas.com

PING truenas.com (38.109.202.235): 56 data bytes
64 bytes from 38.109.202.235: icmp_seq=0 ttl=49 time=129.267 ms

Check if you're using the Mullvad DNS server, look at the line that starts with ;; SERVER

Code:
# drill truenas.com

;; ->>HEADER<<- opcode: QUERY, rcode: NOERROR, id: 11097
;; flags: qr rd ra ; QUERY: 1, ANSWER: 1, AUTHORITY: 2, ADDITIONAL: 0
;; QUESTION SECTION:
;; truenas.com. IN      A

;; ANSWER SECTION:
truenas.com.    3552    IN      A       38.109.202.235

;; AUTHORITY SECTION:
truenas.com.    172752  IN      NS      ns2.ixsystems.com.
truenas.com.    172752  IN      NS      ns1.ixsystems.com.

;; ADDITIONAL SECTION:

;; Query time: 5 msec
;; SERVER: 193.xxx.xxx.xxx
;; WHEN: Wed Jan 13 14:45:36 2021
;; MSG SIZE  rcvd: 91

To get your new external IP address you can curl the Mullvad Connection check API

Code:
# curl https://am.i.mullvad.net/connected

You are connected to Mullvad (server <server_name>). Your IP address is 193.xxx.xxx.xxx

Configure IPFW to block internet traffic not going over WireGuard
To make sure Transmission can't connect to the internet when WireGuard goes down we will configure IPFW. I'm using the same IPFW rules from @dak180 that he uses for his Transmission Jail with PIA and OpenVPN.

Enable IPFW if that's not already the case.

Code:
# sysrc firewall_enable="YES"
# sysrc firewall_script="/etc/ipfw.rules"
# sysrc firewall_logging="YES"

Create the IPFW rules file.

Code:
# touch /etc/ipfw.rules

Use your favorite text editor to put the contents below in the IPFW rules file. Make sure to set the variables correctly to match the user Transmission is running under and your LAN subnet.

Code:
#!/usr/local/bin/bash
# Config

# Set rules command prefix
cmd="ipfw -q add"
vpn="wg0"
user="transmission"
localLan="192.168.178.0/24"

# Flush out the list before we begin
ipfw -q -f flush

# Allow all local traffic on the loopback interface
${cmd} 00001 allow all from any to any via lo0

# Allow any connection to/from VPN interface
${cmd} 00010 allow all from any to any via ${vpn}

# Allow connection to/from LAN by User
${cmd} 00101 allow all from me to ${localLan} uid ${user}
${cmd} 00102 allow all from ${localLan} to me uid ${user}

# Deny any User connection outside LAN that does not use VPN
${cmd} 00103 deny all from any to any uid ${user}

Start Transmission and configure the forwarded port
Start Transmission again

Code:
# service transmission start

Go to the Transmission Web UI and click on the wrench icon bottom left. Switch to the Network tab and enter the randomly forwarded port you got from Mullvad.
1610547963999.png

Alternatively you can change the port from the command line

Code:
transmission-remote -p <forwarded_port>

Or if you're using authorization for Transmission

Code:
transmission-remote --auth <user>:<password> -p <forwarded_port>

That should be it!

Optional: firewall logging per rule
If you're having issues with IPFW you can enable logging for a rule. For example you can change:

Code:
${cmd} 00103 deny all from any to any uid ${user}

To

Code:
${cmd} 00103 deny log all from any to any uid ${user}

If you get any hits on that rule it will be logged into /var/log/security on the TrueNAS root environment; not in your Jail! I believe this can be fixed so the logging will happen inside the Jail but I haven't figured that out yet.
 
Last edited:

Mannekino

Patron
Joined
Nov 14, 2012
Messages
332
If I made any mistakes in this guide or if things can be improved please let me know with a comment. I'm mostly a "trial and error" person since I don't have a very broad fundamental knowledge of networking and FreeBSD. The results seem to be good, after I made the switch to WireGuard and Mullvad my Transmission client started downloading and seeding at rates I haven't seen in months as shown in my networking graph.

Most importantly, no more errors in my Transmission and Security log files with the same IPFW rules.

1610550861562.png
 

JuanPotato_

Cadet
Joined
Apr 30, 2021
Messages
2
Thank you for making this guide! I'm trying to follow it but got stuck with wireguard. I'm trying to install wireguard in my jail but it fails because it wants to install wireguard-kmod. I am on 12.2-RELEASE-p6 for my jail

Code:
New packages to be INSTALLED:
    wireguard: 2,1
    wireguard-kmod: 0.0.20210415

Number of packages to be installed: 2

Proceed with this action? [y/N]: y
[transmission2] [1/2] Installing wireguard-kmod-0.0.20210415...
[transmission2] [1/2] Extracting wireguard-kmod-0.0.20210415:   0%
pkg: Fail to create temporary file: /boot/modules/.pkgtemp.if_wg.ko.WKCUYNluFomX:Read-only file system
[transmission2] [1/2] Extracting wireguard-kmod-0.0.20210415: 100%


Do you have any suggestions?
 

JuanPotato_

Cadet
Joined
Apr 30, 2021
Messages
2
I've fixed my issue and just wanted to write the steps for my setup
  1. Create new transmission plugin jail
  2. Set static ip
  3. Enable allow_tun
  4. Install `wireguard-tools` and `wireguard-go` NOT `wireguard` since that will try to install `wireguard-kmod`.
  5. Activate wireguard and config like you did
  6. Do ipfw like you did
  7. Adjust port like you did
Thank you again
 

Mannekino

Patron
Joined
Nov 14, 2012
Messages
332
Hi, thanks for your question and also the answer and I think I'm running into the same issue when I try to do an upgrade of my Jail.

I just ran pkg update and pkg upgrade and I see it wants to install wireguard-kmod

Code:
New packages to be INSTALLED:
        gsettings-desktop-schemas: 3.38.0
        libXv: 1.0.11_2,1
        libXvMC: 1.0.12
        llvm10: 10.0.1_5
        lua52: 5.2.4
        mesa-dri: 20.2.3_1
        pinentry-curses: 1.1.1
        wireguard-kmod: 0.0.20210415
        wireguard-tools: 1.0.20210315_4

I'm not to good with this stuff but it seems to me that "kmod" stands for kernel module. That's quite a big change to a package. I think I will have to uninstall my current wireguard stuff. Then upgrade my Jail and reinstall it using the packages you mentioned.

I found this on Reddit about the change:


The post says they reverted the change but obviously we're still getting the wireguard-kmod version when updating/installing. So what's the deal with that?
 
Last edited:

Joshua Parker Ruehlig

Hall of Famer
Joined
Dec 5, 2011
Messages
5,949
Thanks for this writeup @Mannekino!
All I had to do was enable VNET (on a very out of date verison of FreeNAS) and wireguard-go worked fine for me. I didn't need BPF, or even tun0 for some reason.

Were you able to access the transmission web-interface from LAN after enabling wireguard? I was having issues and this configuration helped me...
Code:
PostUp = route -q -n add -inet SERVER_IP -gateway ROUTER_IP
AllowedIPs = 0.0.0.0/5, 8.0.0.0/7, 11.0.0.0/8, 12.0.0.0/6, 16.0.0.0/4, 32.0.0.0/3, 64.0.0.0/2, 128.0.0.0/3, 160.0.0.0/5, 168.0.0.0/6, 172.0.0.0/12, 172.32.0.0/11, 172.64.0.0/10, 172.128.0.0/9, 173.0.0.0/8, 174.0.0.0/7, 176.0.0.0/4, 192.0.0.0/9, 192.128.0.0/11, 192.160.0.0/13, 192.169.0.0/16, 192.170.0.0/15, 192.172.0.0/14, 192.176.0.0/12, 192.192.0.0/10, 193.0.0.0/8, 194.0.0.0/7, 196.0.0.0/6, 200.0.0.0/5, 208.0.0.0/4

The AllowedIPs makes wireguard only work for internet IPs. The route add was needed for some reason whenever I changed AllowedIPs from the default 0.0.0.0/0.

Also I didn't use a IPFW in my jail, I just did this with PFSense router. My rule was to block everything on the LAN_INTERFACE from the JAIL_IP except traffic to the mullvad SERVER_IP.
 
Last edited:

Mannekino

Patron
Joined
Nov 14, 2012
Messages
332
Yes, I was able to access the web interface just fine after implementing this VPN method. I didn't have to configure anything.
 

emk2203

Guru
Joined
Nov 11, 2012
Messages
573

Much appreciated write-up.

Some additions/observations, running this on the upcoming 13.0-RELEASE:

Setting up a transmission jail with Mullvad VPN (wireguard) on 13.0-RELEASE​

Starting with 13.0-RELEASE, the kernel module for wireguard is in TrueNAS. Using it has several advantages over the wireguard-go userland way.

Prerequisites
The use of a jail vs using the plugin is highly recommended. You don't want to be stuck with older releases in the plugin template for this new protocol, it's also more efficient to use the kernel module in 13.0-RELEASE.

Make a default (clone) jail with the latest release (13.0-RELEASE-p7 for TrueNAS 13.0-RELEASE-BETA1). With a base jail, the later installation of the kernel module will fail since the base jail's foundation is r/o. The kernel module is in the base system and its installation in the jail shouldn't be necessary, but I still want to play it safe here and avoid any errors during the pkg install. If this works with a base jail and just installing wireguard-utils later in the jail, please let me know below.

Basic Properties
For jail properties, I used DHCP, which automatically checks VNET and BPF. As @Mannekino wrote, you need only VNET if you don't use DHCP.
Jail Properties
I have checked allow_set_hostname and allow_raw_sockets.
Network Properties
Make sure that the mac_prefix matches the needed rules. If not, the jail generation will fail, you get shown the allowed rules for mac_prefix and you can correct it accordingly. No big deal. If you are at it, you might disable IPv6 or deactivate it later (see below).
Custom Properties
You need to check allow_tun. Everything else was left unchanged.


Add three tunables to your system:

System / Tunables
  • if_wg_load; YES; LOADER
  • wireguard_enable; YES; RC
  • wireguard_interfaces; wg0; RC

This assures that your main system has the kernel module loaded and wireguard enabled at start, which the jail later uses. Maybe it's possible to skip the last two, didn't try that. The jail makes its own wg0 interface which isn't visible in the main system.

Add the mounts you need to the jail system at
Jails / Mount Points



Setup

Enter the jail from the command line with sudo iocage console <jailname> and do pkg update; pkg install transmission-daemon transmission-utils transmission-web wireguard for the needed software. While you are setting everything up, you could also install a nicer looking web theme for Transmission if the old one which wasn't changed for over a decade is not to your liking.

If needed, you can install now other software in the jail. I installed 7-zip for a post-download script to archive my torrent files.

Configuration
To avoid unnecessary complexity and possible leaks, do sysrc ipv6_activate_all_interfaces="NO" and switch off the IPv6 traffic in the jail.

For the Mullvad account and connection info, I refer to the original post here and your common sense. Mullvad's web pages look quite different now, though.

You should have something like

Code:
[Interface]
PrivateKey = <private_key>
Address = 10.xxx.xxx.xxx/32,fc00:bbbb:bbbb:xxxx:xxxx:xxxx:xxxx/128
DNS = 193.xxx.xxx.xxx

[Peer]
PublicKey = <public_key>
AllowedIPs = 0.0.0.0/0,::0/0
Endpoint = 193.xxx.xxx.xxx:xxxxx


now for the server you want to connect to.

After downloading the file, generate a random port you can use for port forwarding.

For the PostDown script to restore the default nameserver, I chose to use

Code:
# touch /usr/local/etc/wireguard/postdown.sh
# chmod+x !$
# vi !$

If you have months of torrenting and maybe a changed configuration for your main system, it might be better to have the contents of
Code:
#!/usr/local/bin/bash
resolvconf -u

since it restores the actual configuration.

Create a WireGuard configuration file
For the WireGuard configs, it remains the same, contents of the downloaded Mullvad server config plus an additional line for the postdown at the bottom:

Code:
touch /usr/local/etc/wireguard/wg0.conf
vi !$

Code:
[Interface]
PrivateKey = <private_key>
Address = 10.xxx.xxx.xxx/32
DNS = 193.xxx.xxx.xxx
PostDown = /usr/local/etc/wireguard/postdown.sh

[Peer]
PublicKey = <public_key>
AllowedIPs = 0.0.0.0/0
Endpoint = 193.xxx.xxx.xxx:xxxxx

Activate the WireGuard service
Code:
# sysrc wireguard_interfaces="wg0"
# sysrc wireguard_enable="YES"

Start WireGuard
Code:
# service wireguard restart

[#] ifconfig wg0 destroy
[#] resolvconf -d wg0
[#] /usr/local/etc/wireguard/postdown.sh
/usr/local/etc/rc.d/wireguard: WARNING: Can't unload if_wg module.
[#] ifconfig wg create name wg0
[#] wg setconf wg0 /dev/stdin
[#] ifconfig wg0 inet 10.xxx.xxx.xxx/32 alias
[#] ifconfig wg0 inet6 fc00:bbbb:bbbb:xxxx:xxxx:xxxx:xxxx/128 alias
[#] ifconfig wg0 mtu 1420
[#] ifconfig wg0 up
[#] resolvconf -a wg0 -x
[#] route -q -n add -inet6 ::/1 -interface wg0
[#] route -q -n add -inet6 8000::/1 -interface wg0
[#] route -q -n add -inet 0.0.0.0/1 -interface wg0
[#] route -q -n add -inet 128.0.0.0/1 -interface wg0
[#] route -q -n delete -inet xxx.xxx.xxx.xxx
[#] route -q -n add -inet xxx.xxx.xxx.xxx -gateway 192.168.88.1
[+] Backgrounding route monitor


For service wireguard start instead of restart, ignore the first four lines of output. They are shown here because of the warning with a service restart. The warning in row 4 is due to the fact that the jail cannot influence the main system. This is not an issue. The IPv6 stuff should be ignored, maybe if you set up the jail from the beginning with IPv6 inactive, they wouldn't happen.

The check list for functionality is taken unchanged from @Mannekino:



Check functionality
Check if you have a connection

Code:
# ping truenas.com

PING truenas.com (38.109.202.235): 56 data bytes
64 bytes from 38.109.202.235: icmp_seq=0 ttl=49 time=129.267 ms

Check if you're using the Mullvad DNS server, look at the line that starts with ;; SERVER

Code:
# drill truenas.com

;; ->>HEADER<<- opcode: QUERY, rcode: NOERROR, id: 11097
;; flags: qr rd ra ; QUERY: 1, ANSWER: 1, AUTHORITY: 2, ADDITIONAL: 0
;; QUESTION SECTION:
;; truenas.com. IN      A

;; ANSWER SECTION:
truenas.com.    3552    IN      A       38.109.202.235

;; AUTHORITY SECTION:
truenas.com.    172752  IN      NS      ns2.ixsystems.com.
truenas.com.    172752  IN      NS      ns1.ixsystems.com.

;; ADDITIONAL SECTION:

;; Query time: 5 msec
;; SERVER: 193.xxx.xxx.xxx
;; WHEN: Wed Jan 13 14:45:36 2021
;; MSG SIZE  rcvd: 91

To get your new external IP address you can curl the Mullvad Connection check API

Code:
# curl https://am.i.mullvad.net/connected

You are connected to Mullvad (server <server_name>). Your IP address is 193.xxx.xxx.xxx

Configure IPFW to block internet traffic not going over WireGuard
To make sure Transmission can't connect to the internet when WireGuard goes down we use ipfw. Using the same IPFW rules from @dak180 that he uses for his Transmission Jail with PIA and OpenVPN.

Enable ipfw:

Code:
# sysrc firewall_enable="YES"
# sysrc firewall_script="/etc/ipfw.rules"
# sysrc firewall_logging="YES"

Create the IPFW rules file. It is assumed that transmission runs under the transmission user, match to different user if not true. You need to set your LAN subnet according to your setup. @Mannekino uses a AVM router, I use a Mikrotik router which make even the default setups different! Make sure to set the localLan correctly.

Code:
# touch /etc/ipfw.rules
# vi !$

Contents:
Code:
#!/usr/local/bin/bash
# Config

# Set rules command prefix
cmd="ipfw -q add"
vpn="wg0"
user="transmission"
localLan="192.168.xxx.0/24"

# Flush out the list before we begin
ipfw -q -f flush

# Allow all local traffic on the loopback interface
${cmd} 00001 allow all from any to any via lo0

# Allow any connection to/from VPN interface
${cmd} 00010 allow all from any to any via ${vpn}

# Allow connection to/from LAN by User
${cmd} 00101 allow all from me to ${localLan} uid ${user}
${cmd} 00102 allow all from ${localLan} to me uid ${user}

# Deny any User connection outside LAN that does not use VPN
${cmd} 00103 deny all from any to any uid ${user}




Configure Transmission, including the port given by Mullvad
Stop Transmission if it is running (important!)
Code:
# service transmission stop

For the initial setup, it is best to edit transmission's settings.json file. Everything is at one place, and you can also add neat things like watch directories there.
Code:
# vi /usr/local/etc/transmission/home/settings.json

If you have changed everything you need, close the file and start transmission with
Code:
# service transmission start

Code:
# sysrc transmission_enable="YES"
should be set now in the jail's /etc/rc.conf.
Make sure that you have mounted shares in the jail and your Download directory points to them! If they don't exist during startup, transmission falls back to a deeply hidden download directory. You can avoid this by forcing the default with sysrc transmission_download_dir="<your Download Directory"
You need either have user|pass authorization or that rpc-whitelist-enabled in settings.json is set to false.

Double-check the settings from the web interface as usual with the web address of http://<jail-ip>:9091.
Screenshot 2022-02-15 at 13-51-46 Transmission Web Interface.png


One final addition: Should you make substantial changes to your wireguard configuration in the jail like a credentials and port change, it is not enough to restart the jail. Since the module is actually living in the main system, you need to either reboot the main system or probably just unload/reload the kernel module, which I didn't try.
 
Last edited:

Mannekino

Patron
Joined
Nov 14, 2012
Messages
332
Damn, that's a pretty extensive addition to the original guide. I will be following this one when I decide to upgrade to 13.0. Thank you so much!
 
Joined
Jan 27, 2020
Messages
577
@Mannekino I understand the switch to Mullvad from PIA but I do not understand why you switch from openvpn to wireguard? Can you elaborate? Thanks!
 

emk2203

Guru
Joined
Nov 11, 2012
Messages
573
I am not the one you addressed but I can give you my reasons:

  • Much faster, something from 75% to 120% faster
  • Less overhead. WG has 5%, OpenVPN 20%.
  • Less taxing on resources. With very weak clients, a definite plus.
  • Easy to set up.
I think WG is best suited for stuff like torrenting. OpenVPN if you need to tunnel through the Great Firewall of China or something similar.
 

Mannekino

Patron
Joined
Nov 14, 2012
Messages
332
@Mannekino I understand the switch to Mullvad from PIA but I do not understand why you switch from openvpn to wireguard? Can you elaborate? Thanks!

Unfortunately I can't remember exactly. But in my original post I linked to this thread where I detailed my issues with OpenVPN and PIA. I think it was a combination of both and I found OpenVPN a hassle to configure if I remember correctly.

 

emk2203

Guru
Joined
Nov 11, 2012
Messages
573
Damn, that's a pretty extensive addition to the original guide. I will be following this one when I decide to upgrade to 13.0. Thank you so much!
You're welcome, I admit it's also a writeup for personal reasons, since it's easier for me to find this post here than something I write locally and bury it on one of several computers....
 
Joined
Jan 27, 2020
Messages
577
Starting with 13.0-RELEASE, the kernel module for wireguard is in TrueNAS. Using it has several advantages over the wireguard-go userland way.
I'm interested in what these advantages are? You know, before setting everything up in 12.2 only to have it re-done a few month later for 13...
 
Joined
Jan 27, 2020
Messages
577
Thanks to @Mannekino and @emk2203 for the great intel on how to set this up. I'd like to add for users on still on FreeBSD 12.2, if you happen to have set your packagesite to "latest" you need to specifically install pkg install wireguard-go, if you just go with the standard wireguard package it expects the kernel module from the host system.
 

emk2203

Guru
Joined
Nov 11, 2012
Messages
573
I thought I had answered it already, but no. Was looking up who posted in the other thread and forgot to answer. Oh well...
I'm interested in what these advantages are? You know, before setting everything up in 12.2 only to have it re-done a few month later for 13...
A significant reduction in CPU utilization and a significant increase in transfer speed, on older hardware. This is my own finding, confirmed by @Volts over in the 13.0 BETA thread. Since I am running this on a puny HP microserver, important issues for my use case. Personally, I also think a kernel module is less likely to have security issues because it is closer to the kernel development and won't get abandoned or neglected over time.

If you want to look at the measured impact, there's a nice post here, results are truly spectacular:

On a nasty old Core2 Duo E7500 it's even more significant than that.

I've been using the kmod for a while, so I reinstalled and briefly tested wireguard-go again in a jail on 13.0 BETA. If you want science and better data I can be more diligent.

Downloading a 1000+ seed Ubuntu (lol) .torrent -
  • wireguard-go: peak download speeds of 3-5MB, and wireguard-go CPU utilization is 50%+ - more than qbittorrent itself
  • if_wg.ko: peak download speeds of 20MB+, but all CPU/user/system stats are lower. It's as though the wireguard-go CPU utilization is just erased from the system.
I bet most of the load is just bouncing in and out of user space. I suspect it would have much less impact on a faster CPU.

The if_wg.ko I built and the one in 13.0 BETA (which has debugging symbols) perform the same, so I'm happy using the provided one.

For me, the message is clear. Use the kernel module even if you have to switch to 13.0-BETA for it if the main purpose of the machine is media server and torrents.
 
Last edited:

Volts

Patron
Joined
May 3, 2021
Messages
210
The Wireguard kernel module is fasterererer and lighter than the userspace version. There's no reason it would be more secure than the userspace program, but it's also from Donenfeld's group.

13 is working really well for me. If you aren't using the machine for business/production, try 13.0-BETA.

If you're still using 12, try installing the wireguard-kmod package in a jail, then do this little kickflip to load it on the host:
  • Tasks -> Init/Shutdown Scripts
  • Description: Load wireguard kernel module from jail
  • Type: Command
  • Command: kldload /mnt/[POOLNAME]/iocage/jails/[JAILNAME]/root/boot/modules/if_wg.ko
  • When: Post Init
I haven't tested that with the wireguard-kmod package, but I expect it to work. I built wireguard in a jail and loaded the kernel module this way before the wireguard-kmod package existed. :smile:
 
Last edited:
Joined
Jan 27, 2020
Messages
577
Just a heads-up, mullvad changed their .conf files slightly (included ipv6 adresses it seems), this broke my wireguard connections. I had to update the according wireguard .conf files.
 
Joined
Oct 22, 2019
Messages
3,641
They also provide their own script to streamline the WireGuard configuration process. Their script prompts you for your account number.

It requires that you have wireguard-tools, curl, jq, and bash installed.
 
Last edited:
Top