[Guide] How to configure a Transmission Jail to use WireGuard with Mullvad

Joined
Oct 22, 2019
Messages
3,641
You'd have to make sure Transmission is using the wireguard interface, which is maybe configured in its web GUI options? (I only use qBittorrent.) And make sure the firewall rules (if you're using it) are correct.

Whether or not you're using port forwarding on your router shouldn't affect your torrent client's connection through the wireguard/Mullvad VPN.

If you run "wg show" in the jail, does it reveal the connection?
 
Joined
Jun 27, 2022
Messages
23
Here's what my 'wg show' shows...
 
Joined
Oct 22, 2019
Messages
3,641
Even though you hid the private key, I'd still delete the screenshot.

Regardless, it appears that wireguard (Mullvad VPN) is working properly in the jail, using the interface name "wg0".

So if "wg0" is generated based on a specific city/server from Mullvad's configs, and in your Mullvad account you likewise had them assign you a port for that city/server (usually starts with a "5XXXX"), then in your bittorrent client you force it to use only the "wg0" interface and the port assigned to you (for port forwarding.)

Just make sure you keep using the same Mullvad city/server, or else port forwarding will not work. Also make sure your torrent client is not configured to pick a "random" forwarded port each time.

If you ever need to change cities, you can release the assigned port from your account and have them assign you a new port for a different city/server; then likewise use a mullvad wireguard .conf that matches the city/server in your account, so that it will be used as the new "wg0". (So let's say mullvad-se8.conf was copied to wg0.conf, but now you want to use mullvad-us15.conf. You copy mullvad-us15.conf to replace the existing wg0.conf.)

EDIT: Even still, it's probably better to just pick a city/server and stick with it indefinitely. You can check Mullvad's Server Status page to determine which server you feel is the best for long-term use, without having to worry about changing anything in the near future.
 
Joined
Jun 27, 2022
Messages
23
@winnielinnie Hey I just wanted to thank you! I was connecting with Rtorrent (the latest app I was trying) and while the app portal worked, the settings would not save. It just spun at 'saving' settings. So another clean install, this time qbittorrent. Unlike all the other apps I've used, qbittorrent asks for both a port and an interface. So I've added the port and interface and it works! Added the firewall and postdown scripts per @emk2203 in this thread, and I think I'm all good. Thanks!
 
Joined
Jun 27, 2022
Messages
23
@winnielinnie Hi WinnieLinnie, another question for you. Oddly, I had qBitTorrent working correctly, set up and working with my wireguard config yesterday, and today, poof, all my work is gone from that jail. Even nano and wget are now not installed.

The only thing I did which I think may have done this is to try to update all my plugins.

Any setting or thing I need to watch out for? Or could it be the update?
 
Joined
Oct 22, 2019
Messages
3,641
I've since abandoned "Plugins" on TrueNAS Core.

I manually create and maintain my own jails ("Basejails") using the "pkg" command to install, update, and remove packages, as well as clean the cache; and using iocage's "update", "fetch", and "upgrade" commands to bring the jail up to speed on the latest patch-level or OS base.

I really wish I could say why updating the "Plugin" would outright reset all your work. :frown:

I highly advise to switch over to the paradigm of manual jails, and pretend the "Plugins" menu doesn't even exist in TrueNAS's GUI.

I realize it's not as sexy or "appliance-y" to do it this way, but the direction in which TrueNAS is heading leaves us no choice.
 
Joined
Jun 27, 2022
Messages
23
Yea I’m not unfamiliar as I actually built my Tautulli jail manually since the plug-in is currently outdated with old python pre-requisites. Just surprised that an update would overwrite data or apps in the jail unrelated to the app. Thanks!
 

bedtimebird

Cadet
Joined
Sep 21, 2022
Messages
4
Is it bad form if I post an issue on here? I've followed the guides on page 1 closely (and a number of times) - but I am still experiencing an issue.

I cannot connect to the webUI for transmission when WireGuard is running.

My thought is, it must be an issue with /usr/local/etc/wireguard/wg0.conf? I've tried adding more IPs to the [Peer] section - nothing. I've tried modifying the /usr/local/etc/wireguard/postdown.sh with my IP - nothing. I just can't seem to solve the issue.

If someone can please help - I would really appreciate it. I'll be monitoring and can provide additional setup details if required.

 

glauco

Guru
Joined
Jan 30, 2017
Messages
526
I cannot connect to the webUI for transmission when WireGuard is running.
You could try and add the IP address of where you're connecting from to the transmission settings.json file (example: "rpc-whitelist": "127.0.0.1,::1,192.168.0.*").
Make sure you stop transmission before editing the settings.json file.
P.s.: I read about rpc-whitelist here: https://help.ubuntu.com/community/TransmissionHowTo
 

bedtimebird

Cadet
Joined
Sep 21, 2022
Messages
4
Thanks. I tried your solution and still nothing.

I'm convinced that the issue lies with WireGuard because when I turn it off, I get access back to transmission web UI.

I get this issue when I 'service wireguard stop'

 

glauco

Guru
Joined
Jan 30, 2017
Messages
526
chmod 755 /usr/local/etc/wireguard/postdown.sh should fix that "Permission denied" error and perhaps solve your problem!
 
Joined
Oct 22, 2019
Messages
3,641
I cannot connect to the webUI for transmission when WireGuard is running.
Did you create the firewall rules from post #8?

It might be because you haven't yet allowed local connections to bypass the wireguard connection.


Don't just copy the rules "as is". You must tailor them to your setup, subnet, etc.
 

bedtimebird

Cadet
Joined
Sep 21, 2022
Messages
4
Thanks again for everyone's help. The chmod did help with the permission issue.
And I did follow the guide for the firewall rules in post #8. I actually lose the ability to connect to transmission BEFORE enabling the firewall. Not sure if that is a clue.

Current service start and stop for wireguard and transmission
 

bedtimebird

Cadet
Joined
Sep 21, 2022
Messages
4
Maybe a crazy question - but because each service is working well independently - would it be possible to install each service in a separate jail - then force "Transmission Jail" to route all traffic through "WireGuard Jail"?
 

glauco

Guru
Joined
Jan 30, 2017
Messages
526
@bedtimebird
It looks like you installed wireguard-go, which, as the error in your screenshot shows, is not needed. In fact, it might be the reason why you're having issues.
Uninstall it (pkg delete wireguard-go) and see if it works.
would it be possible to install each service in a separate jail - then force "Transmission Jail" to route all traffic through "WireGuard Jail"?
I think it's possible, but I've never tried.
What I tried is set up pfSense so that traffic coming from specific LAN hosts gets routed through Mullvad, but for LAN hosts such as Qbittorrent that need ports forwarded to them from Mullvad, I prefer to keep it simpler and set up wireguard within their jails.
 
Joined
Oct 22, 2019
Messages
3,641
I actually lose the ability to connect to transmission BEFORE enabling the firewall. Not sure if that is a clue.
Your firewall doesn't start automatically? Not sure what you mean by "before enabling the firewall".

It looks like you installed wireguard-go, which, as the error in your screenshot shows, is not needed. In fact, it might be the reason why you're having issues.
Uninstall it (pkg delete wireguard-go) and see if it works.
Not just to remove the wireguard-go package, but also enable the module in TrueNAS Core -> Tunables -> Add

Variable: if_wg_load
Value: YES
Type: loader

It will automatically load upon reboot of your TrueNAS server and be available for your jails.

To load it immediately (without having to reboot):
kldload if_wg

Once loaded, your jails can use the kernel module.
 
Joined
Mar 10, 2023
Messages
9
Apologies for piggy-backing on an old post. I'm faced with the same issue as BedTimeBird (but I'm trying to use qbittorrent as opposed to transmission), in that once I start up the wireguard service, I can no longer either SSH -OR- access the qBittorrent web GUI from any other host on the local subnet. For example, the qBittorrent Jail has an IP address of 10.0.1.39, but I can't SSH from 10.0.1.42 or access the qBittorrent Web GUI at http://10.0.1.39:8080 from 10.0.1.42. Like BedTimeBird, if I "service wireguard stop", then I CAN SSH and access the qBittorrent Web GUI. I'm pasting my ipfw.rules here to see if I might have that set up correctly:

#!/bin/sh
# Config
# Set rules command prefix
cmd="ipfw -q add"
vpn="wg0"
user="qbittorrent"
localLan="10.0.0.0/16"

# Flush out the list before we begin
ipfw -q -f flush

# Allow all local traffic on the loopback interface
${cmd} 00001 allow all from any to any via lo0

# Allow any connection to/from VPN interface
${cmd} 00010 allow all from any to any via ${vpn}

# Allow connection to/from LAN by User
${cmd} 00101 allow all from me to ${localLan} uid ${user}
${cmd} 00102 allow all from %{localLan} to me uid ${user}

# Deny any User connection outside LAN that does not use VPN
# ${cmd} 00103 deny all from any to any uid ${user}

I have also confirmed that the jail is using DHCP, VNET, BPF, allow_raw_sockets, allow_tun, ipv6 disabled, and IS using the host kernel modules. Anything else I need to look at?

Thanks in advance!
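
A ruleset like the one posted above can be checked without touching a live firewall. The following is an added example, not part of the original post: it sources the rules script with a stub `ipfw` so each rule is printed after variable expansion, then flags rules that still contain an unexpanded variable and reports whether an active per-user deny rule exists. The function names are hypothetical and the sample input is copied from the post.

```shell
#!/bin/sh
# Dry-run an ipfw rules script: a stub ipfw() records each rule instead of
# changing the firewall, so the expanded rules can be inspected offline.
# Caveat: the file is sourced, so only use this on scripts that just call ipfw.

# Sample input: the ruleset as posted above, written to the path given in $1.
write_sample_rules() {
    cat > "$1" <<'EOF'
cmd="ipfw -q add"
vpn="wg0"
user="qbittorrent"
localLan="10.0.0.0/16"
ipfw -q -f flush
${cmd} 00001 allow all from any to any via lo0
${cmd} 00010 allow all from any to any via ${vpn}
${cmd} 00101 allow all from me to ${localLan} uid ${user}
${cmd} 00102 allow all from %{localLan} to me uid ${user}
# ${cmd} 00103 deny all from any to any uid ${user}
EOF
}

# Print one line per ipfw invocation, with all shell variables expanded.
# Pass a path containing a slash so "." does not search PATH.
dry_run_rules() {
    (
        ipfw() { printf '%s\n' "$*"; }
        . "$1"
    )
}

# Print rules that still contain a variable reference after expansion,
# e.g. a mistyped %{var}; such a rule is not what the author intended.
unexpanded_rules() {
    dry_run_rules "$1" | grep -E '[%$][{]'
}

# Succeed only if an active deny rule scoped to uid $2 exists; without one,
# nothing stops that user's traffic from leaving outside the VPN interface.
has_uid_deny() {
    dry_run_rules "$1" | grep -Eq "add [0-9]+ deny .* uid $2( |\$)"
}

# Stand-alone use: sh this_script /path/to/ipfw.rules [uid]
if [ -n "${1:-}" ]; then
    dry_run_rules "$1"
    unexpanded_rules "$1" >/dev/null && echo "WARNING: unexpanded variable in a rule"
    has_uid_deny "$1" "${2:-qbittorrent}" || echo "WARNING: no active uid deny rule"
fi
```

Because `ipfw -q` suppresses error output, a rule that fails to parse is skipped silently when the script runs for real, which is why inspecting the expanded rules first is useful.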
 