
[Guide] How to configure a Transmission Jail to use WireGuard with Mullvad

Mannekino

After dealing with unexplained problems related to using OpenVPN and PIA in my Transmission Jail I decided to switch to something else. I spent the last 5 days trying to troubleshoot the problem but got nowhere. After discussing my problems on Discord it was suggested I switch to a different VPN provider, and Mullvad was suggested. On the Mullvad website they recommend WireGuard instead of OpenVPN, so I changed that also.

Prerequisites
This guide assumes you have a Transmission Jail running on the latest version of TrueNAS with your Jails at version 12.2-RELEASE-p2. It will most likely also work on older versions, such as FreeNAS 11.3 with Jails at either 11.3-RELEASE or 11.4-RELEASE.

If you're currently using OpenVPN with PIA you need to disable that which I will cover in the guide. If you don't have a VPN currently you can skip that part.

Make sure you have enabled the latest packages in your Jail. You can follow these two guides for that, depending on whether you're using a plugin or a manual Jail.
Please note that the above guides are for FreeNAS 11. I still used the manual Jail guide this week but made sure to replace the version numbers with 12 whenever I encountered them, and it seemed to have worked just fine.

Basic information
I am running my Jail with VNET and a static IP address. I haven't tested this with any other networking configuration so be aware of that.

I believe you need to enable the Berkeley Packet Filter if you're using DHCP but I'm not sure about that, maybe someone more knowledgeable can comment on that.

Making sure your Jail can create a VPN connection
In order for your Jail to create a VPN connection you need to enable allow_tun under the Custom Properties section. I've also disabled IPv6 in my Jail because I had problems with that while using OpenVPN. I don't know if this is necessary for this setup; since I didn't change those settings, I'm including them here in case you run into issues with that also.

Under:
  • Basic Properties: enter none at IPv6 Default Router
  • Jail Properties: enable allow_raw_sockets
  • Network Properties: select Disabled for ip6
  • Custom Properties: enable allow_tun
Disable and stop OpenVPN in the Jail
If you're currently using OpenVPN with PIA or another VPN provider you need to disable that. Also stop the OpenVPN service if it's currently running.

Code:
# sysrc openvpn_enable="NO"
# service openvpn stop

Alternatively you can edit /etc/rc.conf manually to set OpenVPN to disabled. Completely removing the OpenVPN package is an option also, but I kept it installed just in case.

Stop Transmission
Before we continue make sure to stop the Transmission daemon.

Code:
# service transmission stop

Get a Mullvad account and subscription
After you've made your account on Mullvad and paid for some server time you can generate a configuration file for WireGuard.

Go to: https://mullvad.net/en/account/#/wireguard-config/
  1. I selected Linux
  2. Generate your key
  3. I selected a single country, city and server
  4. Opted for IPv4 only
  5. Left the custom port at default value that was filled in
  6. Download the configuration file

If you only selected a single server it should download a single plain text file, otherwise you will get an archive with a configuration file for each server. You need this later. Mine was very simple:

Code:
[Interface]
PrivateKey = <private_key>
Address = 10.xxx.xxx.xxx/32
DNS = 193.xxx.xxx.xxx

[Peer]
PublicKey = <public_key>
AllowedIPs = 0.0.0.0/0
Endpoint = 193.xxx.xxx.xxx:xxxxx

After downloading the file you need to generate a random port you can use for port forwarding.

Go to: https://mullvad.net/en/account/#/ports and click on the + icon next to your newly generated key to get a new random port. This is what we will configure in Transmission later.


Install WireGuard
For the most part I've used this guide for installing WireGuard, so credit goes to that author; I just skipped some parts. To make sure this guide is complete I will include all the steps I've done here.

Installing the package

Code:
# pkg install wireguard

Create a PostDown script to restore the default nameserver
I noticed after stopping WireGuard I could no longer resolve hostnames. Once the VPN connection is established WireGuard rewrites /etc/resolv.conf (via resolvconf) to point at the nameserver from the DNS line in its config, and that is not undone when the tunnel goes down. I created a basic PostDown script to restore my own nameserver.

Code:
# touch /usr/local/etc/wireguard/postdown.sh
# chmod +x /usr/local/etc/wireguard/postdown.sh

Use your favorite editor to put the contents below in the file. Normally I would be using my router's IP address. You can check what you have now by looking in /etc/resolv.conf and putting that in the script.

Code:
#!/usr/local/bin/bash

# Replace resolv.conf with original
echo "# Generated by resolvconf
search <local_domain>
nameserver <local_dns>" > /etc/resolv.conf

Create a WireGuard configuration file
We need to create a configuration file for WireGuard to use when you start the service.

Code:
# touch /usr/local/etc/wireguard/wg0.conf

Put the contents of the configuration file you downloaded from Mullvad in this file, adding a line for the PostDown script in the [Interface] section. Mine ended up looking like this:

Code:
[Interface]
PrivateKey = <private_key>
Address = 10.xxx.xxx.xxx/32
DNS = 193.xxx.xxx.xxx
PostDown = /usr/local/etc/wireguard/postdown.sh

[Peer]
PublicKey = <public_key>
AllowedIPs = 0.0.0.0/0
Endpoint = 193.xxx.xxx.xxx:xxxxx
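
An added sanity check for the finished wg0.conf, written for this guide and not part of the original post or of Mullvad's tooling: it confirms the file is readable only by its owner (it holds your private key), that AllowedIPs is a full tunnel, that the PostDown line is present and that no placeholder was left in. The path and the placeholder pattern are assumptions.

```shell
#!/bin/sh
# check_wg_conf FILE: sanity-check a Mullvad-style wg0.conf before starting WireGuard.
# Prints one line per finding; returns 0 if everything passes, 1 otherwise.
# Added example for this guide; the checks assume the layout shown above.
check_wg_conf() {
    f="$1"
    rc=0
    [ -r "$f" ] || { echo "FAIL: $f not readable"; return 1; }

    # The file holds the tunnel's private key: only its owner (root) should read it.
    # Permission bits are read from the ls -l mode field (columns 2-10) for portability.
    perms=$(ls -l "$f" | cut -c2-10)
    case "$perms" in
        rw-------|r--------) ;;
        *) echo "FAIL: $f is mode $perms; run chmod 600 $f"; rc=1 ;;
    esac

    # A full tunnel needs AllowedIPs covering 0.0.0.0/0; anything narrower is a split tunnel.
    if ! grep -Eq '^[[:space:]]*AllowedIPs[[:space:]]*=.*0\.0\.0\.0/0' "$f"; then
        echo "FAIL: AllowedIPs does not cover 0.0.0.0/0 (split tunnel, not a full VPN)"; rc=1
    fi

    # Without a PostDown, stopping WireGuard leaves resolv.conf pointing at the Mullvad resolver.
    if ! grep -Eq '^[[:space:]]*PostDown[[:space:]]*=' "$f"; then
        echo "WARN: no PostDown line; DNS will not be restored after 'service wireguard stop'"; rc=1
    fi

    # A <private_key> placeholder or empty value left in from the guide means the tunnel cannot come up.
    if grep -Eq '^[[:space:]]*PrivateKey[[:space:]]*=[[:space:]]*(<|$)' "$f"; then
        echo "FAIL: PrivateKey is empty or still a placeholder"; rc=1
    fi
    return $rc
}

# Usage: check_wg_conf /usr/local/etc/wireguard/wg0.conf
```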

Activate the WireGuard service
Type the following two lines to activate the WireGuard service on startup of the Jail and to point it to the right configuration file.

Code:
# sysrc wireguard_interfaces="wg0"
# sysrc wireguard_enable="YES"

Start WireGuard
Now you can start WireGuard, which should give you output similar to this:

Code:
# service wireguard start

[#] wireguard-go wg0
INFO: (wg0) 2021/01/13 14:42:11 Starting wireguard-go version 0.0.20201118
[#] wg setconf wg0 /tmp/tmp.3EiiwRXA/sh-np.ycuyMB
[#] ifconfig wg0 inet 10.xxx.xxx.xxx/32 10.69.215.15 alias
[#] ifconfig wg0 mtu 1420
[#] ifconfig wg0 up
[#] resolvconf -a wg0 -x
[#] route -q -n add -inet 0.0.0.0/1 -interface wg0
[#] route -q -n add -inet 128.0.0.0/1 -interface wg0
[#] route -q -n add -inet 193.xxx.xxx.xxx -gateway 192.168.178.1
[+] Backgrounding route monitor

Check if you have a connection

Code:
# ping truenas.com

PING truenas.com (38.109.202.235): 56 data bytes
64 bytes from 38.109.202.235: icmp_seq=0 ttl=49 time=129.267 ms

Check that you're using the Mullvad DNS server by looking at the line that starts with ;; SERVER

Code:
# drill truenas.com

;; ->>HEADER<<- opcode: QUERY, rcode: NOERROR, id: 11097
;; flags: qr rd ra ; QUERY: 1, ANSWER: 1, AUTHORITY: 2, ADDITIONAL: 0
;; QUESTION SECTION:
;; truenas.com. IN      A

;; ANSWER SECTION:
truenas.com.    3552    IN      A       38.109.202.235

;; AUTHORITY SECTION:
truenas.com.    172752  IN      NS      ns2.ixsystems.com.
truenas.com.    172752  IN      NS      ns1.ixsystems.com.

;; ADDITIONAL SECTION:

;; Query time: 5 msec
;; SERVER: 193.xxx.xxx.xxx
;; WHEN: Wed Jan 13 14:45:36 2021
;; MSG SIZE  rcvd: 91

To get your new external IP address you can curl the Mullvad connection check API.

Code:
# curl https://am.i.mullvad.net/connected

You are connected to Mullvad (server <server_name>). Your IP address is 193.xxx.xxx.xxx

Configure IPFW to block internet traffic not going over WireGuard
To make sure Transmission can't connect to the internet when WireGuard goes down we will configure IPFW. I'm using the same IPFW rules that @dak180 uses for his Transmission Jail with PIA and OpenVPN.

Enable IPFW if that's not already the case.

Code:
# sysrc firewall_enable="YES"
# sysrc firewall_script="/etc/ipfw.rules"
# sysrc firewall_logging="YES"

Create the IPFW rules file.

Code:
# touch /etc/ipfw.rules

Use your favorite text editor to put the contents below in the IPFW rules file. Make sure to set the variables correctly to match the user Transmission is running under and your LAN subnet. Note that the deny rule only applies to traffic owned by that user, so WireGuard itself (running as root) can still reach the Mullvad endpoint outside the tunnel.

Code:
#!/usr/local/bin/bash
# Config

# Set rules command prefix
cmd="ipfw -q add"
vpn="wg0"
user="transmission"
localLan="192.168.178.0/24"

# Flush out the list before we begin
ipfw -q -f flush

# Allow all local traffic on the loopback interface
${cmd} 00001 allow all from any to any via lo0

# Allow any connection to/from VPN interface
${cmd} 00010 allow all from any to any via ${vpn}

# Allow connection to/from LAN by User
${cmd} 00101 allow all from me to ${localLan} uid ${user}
${cmd} 00102 allow all from ${localLan} to me uid ${user}

# Deny any User connection outside LAN that does not use VPN
${cmd} 00103 deny all from any to any uid ${user}

Start Transmission and configure the forwarded port
Start Transmission again

Code:
# service transmission start

Go to the Transmission Web UI and click on the wrench icon in the bottom left. Switch to the Network tab and enter the randomly forwarded port you got from Mullvad.

Alternatively you can change the port from the command line.

Code:
# transmission-remote -p <forwarded_port>

Or, if you're using authorization for Transmission:

Code:
# transmission-remote --auth <user>:<password> -p <forwarded_port>

That should be it!

Optional: firewall logging per rule
If you're having issues with IPFW you can enable logging for a rule. For example you can change:

Code:
${cmd} 00103 deny all from any to any uid ${user}

To

Code:
${cmd} 00103 deny log all from any to any uid ${user}

If you get any hits on that rule it will be logged to /var/log/security on the TrueNAS root environment, not in your Jail! I believe this can be fixed so the logging will happen inside the Jail but I haven't figured that out yet.
 
Mannekino

If I made any mistakes in this guide or if things can be improved please let me know with a comment. I'm mostly a "trial and error" person since I don't have a very broad fundamental knowledge of networking and FreeBSD. The results seem to be good, after I made the switch to WireGuard and Mullvad my Transmission client started downloading and seeding at rates I haven't seen in months as shown in my networking graph.

Most importantly, no more errors in my Transmission and Security log files with the same IPFW rules.
