[Guide] How to configure a Transmission Jail to use WireGuard with Mullvad

Volts

Patron
Joined
May 3, 2021
Messages
210
What's the output of ifconfig and ipfw list and netstat -rn in the jail, first while NOT connected, then while connected?
 
Joined
Mar 10, 2023
Messages
9
Sorry... was busy most of the day yesterday and couldn't post sooner.

Wireguard OFF:

Code:
root@qbittorrent:/home/r # ifconfig
lo0: flags=8049<UP,LOOPBACK,RUNNING,MULTICAST> metric 0 mtu 16384
        options=680003<RXCSUM,TXCSUM,LINKSTATE,RXCSUM_IPV6,TXCSUM_IPV6>
        inet6 ::1 prefixlen 128
        inet6 fe80::1%lo0 prefixlen 64 scopeid 0x1
        inet 127.0.0.1 netmask 0xff000000
        groups: lo
        nd6 options=21<PERFORMNUD,AUTO_LINKLOCAL>
pflog0: flags=0<> metric 0 mtu 33160
        groups: pflog
epair0b: flags=8863<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
        options=8<VLAN_MTU>
        ether 52:eb:f6:5b:ca:e6
        hwaddr 02:cd:16:8d:f4:0b
        inet 10.0.1.39 netmask 0xffffff00 broadcast 10.0.1.255
        groups: epair
        media: Ethernet 10Gbase-T (10Gbase-T <full-duplex>)
        status: active
        nd6 options=1<PERFORMNUD>
root@qbittorrent:/home/r # ipfw list
00001 allow ip from any to any via lo0
00010 allow ip from any to any via wg0
00101 allow ip from me to 10.0.0.0/16 uid qbittorrent
65535 allow ip from any to any
root@qbittorrent:/home/r # netstat -rn
Active Internet connections (including servers)
Proto Recv-Q Send-Q Local Address          Foreign Address        (state)
tcp4       0      0 10.0.1.39.22           10.0.1.31.58020        ESTABLISHED
tcp4       0      0 *.22                   *.*                    LISTEN
tcp6       0      0 *.22                   *.*                    LISTEN
tcp46      0      0 *.8080                 *.*                    LISTEN
tcp6       0      0 fe80::1%lo0.17689      *.*                    LISTEN
tcp6       0      0 ::1.17689              *.*                    LISTEN
tcp4       0      0 172.20.201.134.17689   *.*                    LISTEN
tcp4       0      0 10.0.1.39.17689        *.*                    LISTEN
tcp4       0      0 127.0.0.1.17689        *.*                    LISTEN
udp4       0      0 10.0.1.39.29877        *.*
udp6       0      0 *.6771                 *.*
udp4       0      0 *.6771                 *.*
udp4       0      0 *.6771                 *.*
udp4       0      0 *.6771                 *.*
udp6       0      0 fe80::1%lo0.17689      *.*
udp6       0      0 ::1.17689              *.*
udp4       0      0 172.20.201.134.17689   *.*
udp4       0      0 10.0.1.39.17689        *.*
udp4       0      0 127.0.0.1.17689        *.*
Active UNIX domain sockets
Address          Type   Recv-Q Send-Q            Inode             Conn             Refs          Nextref Addr
fffff8012af79100 stream      0      0                0 fffff8004509d100                0                0
fffff8004509d100 stream      0      0                0 fffff8012af79100                0                0
fffff8003e37ed00 stream      0      0                0                0                0                0
fffff8004576d600 stream      0      0 fffff804cd943d58                0                0                0 /var/db/qbittorrent/conf/qBittorrent/config/.ntDcmQ/s
fffff800450a3000 stream      0      0                0 fffff8014eb05d00                0                0
fffff8014eb05d00 stream      0      0                0 fffff800450a3000                0                0
fffff8004576f500 dgram       0      0                0 fffff8003ef8fb00                0 fffff8012a8a6900
fffff8012a8a6900 dgram       0      0                0 fffff8003ef8fb00                0 fffff8012a8a7900
fffff8012a8a7900 dgram       0      0                0 fffff8003ef8fb00                0 fffff800450c5200
fffff800450c5200 dgram       0      0                0 fffff8003ef8fb00                0                0
fffff8003ef8fb00 dgram       0      0 fffff8041440b3d0                0 fffff8004576f500                0 /var/run/logpriv
fffff80045094c00 dgram       0      0 fffff806d0f4c988                0                0                0 /var/run/log


And via WireGuard on:
Code:
root@qbittorrent:/home/r # ifconfig
lo0: flags=8049<UP,LOOPBACK,RUNNING,MULTICAST> metric 0 mtu 16384
        options=680003<RXCSUM,TXCSUM,LINKSTATE,RXCSUM_IPV6,TXCSUM_IPV6>
        inet6 ::1 prefixlen 128
        inet6 fe80::1%lo0 prefixlen 64 scopeid 0x1
        inet 127.0.0.1 netmask 0xff000000
        groups: lo
        nd6 options=21<PERFORMNUD,AUTO_LINKLOCAL>
pflog0: flags=0<> metric 0 mtu 33160
        groups: pflog
epair0b: flags=8863<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
        options=8<VLAN_MTU>
        ether 52:eb:f6:5b:ca:e6
        hwaddr 02:cd:16:8d:f4:0b
        inet 10.0.1.39 netmask 0xffffff00 broadcast 10.0.1.255
        groups: epair
        media: Ethernet 10Gbase-T (10Gbase-T <full-duplex>)
        status: active
        nd6 options=1<PERFORMNUD>
wg0: flags=80c1<UP,RUNNING,NOARP,MULTICAST> metric 0 mtu 1420
        options=80000<LINKSTATE>
        inet 172.20.201.134 netmask 0xffffffff
        groups: wg
        nd6 options=109<PERFORMNUD,IFDISABLED,NO_DAD>
root@qbittorrent:/home/r # ipfw list
00001 allow ip from any to any via lo0
00010 allow ip from any to any via wg0
00101 allow ip from me to 10.0.0.0/16 uid qbittorrent
65535 allow ip from any to any
root@qbittorrent:/home/r # netstat -rn
Active Internet connections (including servers)
Proto Recv-Q Send-Q Local Address          Foreign Address        (state)
tcp4       0      0 *.22                   *.*                    LISTEN
tcp6       0      0 *.22                   *.*                    LISTEN
tcp46      0      0 *.8080                 *.*                    LISTEN
tcp6       0      0 fe80::1%lo0.17689      *.*                    LISTEN
tcp6       0      0 ::1.17689              *.*                    LISTEN
tcp4       0      0 172.20.201.134.17689   *.*                    LISTEN
tcp4       0      0 10.0.1.39.17689        *.*                    LISTEN
tcp4       0      0 127.0.0.1.17689        *.*                    LISTEN
udp6       0      0 *.53981                *.*
udp4       0      0 *.53981                *.*
udp4       0      0 10.0.1.39.29877        *.*
udp6       0      0 *.6771                 *.*
udp4       0      0 *.6771                 *.*
udp4       0      0 *.6771                 *.*
udp4       0      0 *.6771                 *.*
udp6       0      0 fe80::1%lo0.17689      *.*
udp6       0      0 ::1.17689              *.*
udp4       0      0 172.20.201.134.17689   *.*
udp4       0      0 10.0.1.39.17689        *.*
udp4       0      0 127.0.0.1.17689        *.*
Active UNIX domain sockets
Address          Type   Recv-Q Send-Q            Inode             Conn             Refs          Nextref Addr
fffff8004576d600 stream      0      0 fffff804cd943d58                0                0                0 /var/db/qbittorrent/conf/qBittorrent/config/.ntDcmQ/s
fffff800450a3000 stream      0      0                0 fffff8014eb05d00                0                0
fffff8014eb05d00 stream      0      0                0 fffff800450a3000                0                0
fffff8004576f500 dgram       0      0                0 fffff8003ef8fb00                0 fffff8012a8a6900
fffff8012a8a6900 dgram       0      0                0 fffff8003ef8fb00                0 fffff8012a8a7900
fffff8012a8a7900 dgram       0      0                0 fffff8003ef8fb00                0 fffff800450c5200
fffff800450c5200 dgram       0      0                0 fffff8003ef8fb00                0                0
fffff8003ef8fb00 dgram       0      0 fffff8041440b3d0                0 fffff8004576f500                0 /var/run/logpriv
fffff80045094c00 dgram       0      0 fffff806d0f4c988                0                0                0 /var/run/log

Also throwing in a "drill" with WG off and then on:
Code:
root@qbittorrent:/home/r # drill truenas.com
;; ->>HEADER<<- opcode: QUERY, rcode: NOERROR, id: 61441
;; flags: qr rd ra ; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0
;; QUESTION SECTION:
;; truenas.com.    IN      A

;; ANSWER SECTION:
truenas.com.    271     IN      A       38.109.202.235

;; AUTHORITY SECTION:

;; ADDITIONAL SECTION:

;; Query time: 0 msec
;; SERVER: 10.0.1.1
;; WHEN: Sun Mar 12 11:54:11 2023
;; MSG SIZE  rcvd: 45
root@qbittorrent:/home/r # drill truenas.com
;; ->>HEADER<<- opcode: QUERY, rcode: NOERROR, id: 16840
;; flags: qr rd ra ; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0
;; QUESTION SECTION:
;; truenas.com.    IN      A

;; ANSWER SECTION:
truenas.com.    236     IN      A       38.109.202.235

;; AUTHORITY SECTION:

;; ADDITIONAL SECTION:

;; Query time: 12 msec
;; SERVER: 172.16.0.1
;; WHEN: Sun Mar 12 11:54:26 2023
;; MSG SIZE  rcvd: 45
 

Volts

Patron
Joined
May 3, 2021
Messages
210
Why does your netstat -rn output look like it was from netstat -an?

The ipfw output doesn't match the ipfw.rules that you posted previously.
If you ipfw flush and then service ipfw start, does the expected set of rules get loaded?
 
Joined
Mar 10, 2023
Messages
9
The netstat issue is because I'm a dumbass and pasted the wrong output. (I have to pipe output to a text file and scp it from a local terminal because I can't seem to copy/pasta output from the Web GUI shell). Here is netstat -rn... <facepalm>

First one is without WG started, the 2nd is with WG started
Code:
root@qbittorrent:/home/r # netstat -rn
Routing tables

Internet:
Destination        Gateway            Flags     Netif Expire
default            10.0.1.1           UGS     epair0b
10.0.1.0/24        link#3             U       epair0b
10.0.1.39          link#3             UHS         lo0
127.0.0.1          link#1             UH          lo0

Internet6:
Destination                       Gateway                       Flags     Netif Expire
::/96                             ::1                           UGRS        lo0
::1                               link#1                        UHS         lo0
::ffff:0.0.0.0/96                 ::1                           UGRS        lo0
fe80::/10                         ::1                           UGRS        lo0
fe80::%lo0/64                     link#1                        U           lo0
fe80::1%lo0                       link#1                        UHS         lo0
ff02::/16                         ::1                           UGRS        lo0
root@qbittorrent:/home/r # netstat -rn
Routing tables

Internet:
Destination        Gateway            Flags     Netif Expire
0.0.0.0/1          link#4             US          wg0
default            10.0.1.1           UGS     epair0b
10.0.0.0/16        link#4             US          wg0
10.0.1.0/24        link#3             U       epair0b
10.0.1.39          link#3             UHS         lo0
127.0.0.1          link#1             UH          lo0
128.0.0.0/1        link#4             US          wg0
172.20.201.134     link#4             UH          lo0
198.44.131.4       10.0.1.1           UGHS    epair0b

Internet6:
Destination                       Gateway                       Flags     Netif Expire
::/96                             ::1                           UGRS        lo0
::1                               link#1                        UHS         lo0
::ffff:0.0.0.0/96                 ::1                           UGRS        lo0
fe80::/10                         ::1                           UGRS        lo0
fe80::%lo0/64                     link#1                        U           lo0
fe80::1%lo0                       link#1                        UHS         lo0
ff02::/16                         ::1                           UGRS        lo0

I also just noticed (after the ipfw flush and service restart) that I'm getting a warning/error as ipfw starts up; I didn't notice that before:
Code:
ipfw: hostname ``%'' unknown
Firewall rules loaded.
Firewall logging enabled.
I'm googling on how to fix the ipfw warning/error-whichever now.
 
Joined
Mar 10, 2023
Messages
9
OK, so making progress... I started dissecting and comparing my /etc/ipfw.conf file, originally looking for any occurrence of "%", and found none, but I did realize my shebang line was #!/bin/sh and changing it to #!/usr/local/bin/bash made a difference. I can at least now start WireGuard and still be able to SSH into the jail. But now I can't get to the qbittorrent web GUI with WireGuard ON or OFF. So, looking there now.

At least, now I see changes in ipfw list:
Code:
root@qbittorrent:/home/r # ipfw list
00001 allow ip from any to any via lo0
00010 allow ip from any to any via wg0
00101 allow ip from me to 10.0.0.0/16 uid qbittorrent
00103 deny ip from any to any uid qbittorrent
65535 allow ip from any to any
 
Joined
Mar 10, 2023
Messages
9
Got it all working, finally! I had to comment out the last deny rule and I was immediately able to access both the Web UI and still SSH. I'm guessing that ipfw doesn't really cooperate well with #!/bin/sh and explicitly wants #!/usr/local/bin/bash instead.
 
Joined
Mar 10, 2023
Messages
9
The last rule was:
Code:
${cmd} 00103 deny all from any to any uid ${user}

Once I commented it out, flushed, and restarted ipfw, I could access the qbittorrent web GUI.
 

Volts

Patron
Joined
May 3, 2021
Messages
210
The deny line is there for safety. It ensures that qbittorrent can't communicate directly with the Internet. Without it, if the VPN is down, qbittorrent will attempt to use the default route to the Internet.

If it doesn't work with the deny line present, that implies that rules 00101 and 00102, which permit qbittorrent to communicate with the LAN, aren't working properly.

1. Can you double-check that qbittorrent is in fact running as the user qbittorrent?
2. Did you delete rule 00102?

I expect to see this:

Code:
00001 allow ip from any to any via lo0
00010 allow ip from any to any via wg0
00105 allow ip from me to 10.0.0.0/16 uid qbittorrent
00106 allow ip from 10.0.0.0/16 to me uid qbittorrent
00204 deny ip from any to any uid qbittorrent
65535 allow ip from any to any
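As an added example (not from this thread or the guide), here is a small POSIX sh audit of an `ipfw list` dump against the rule set above: it requires a final `deny ip from any to any uid <user>`, every per-uid allow numbered below that deny (ipfw matches in rule-number order, first match wins), and allows in both LAN directions so the web UI stays reachable. The sample rule listings are constructed from the ones posted in this thread; nothing is applied to a live firewall.

```shell
#!/bin/sh
# Added example: audit `ipfw list` output for the per-uid kill switch pattern.
# Returns 0 when complete, 1 = deny missing, 2 = allow unreachable, 3 = LAN one-way.

check_killswitch() {
    user="$1"
    rules="$2"   # text of `ipfw list`
    # ipfw prints "deny all" as "deny ip"; take the lowest-numbered full deny for this uid.
    deny=$(printf '%s\n' "$rules" | awk -v u="$user" '$2=="deny" && $3=="ip" && $5=="any" &&
        $7=="any" && $8=="uid" && $9==u {print $1; exit}')
    if [ -z "$deny" ]; then
        echo "MISSING: no 'deny ip from any to any uid $user'; with wg0 down, $user uses the default route"
        return 1
    fi
    # A per-uid allow numbered above the deny is never reached.
    late=$(printf '%s\n' "$rules" | awk -v u="$user" -v d="$deny" \
        '$2=="allow" && $(NF-1)=="uid" && $NF==u && $1+0 > d+0 {printf "%s ", $1}')
    if [ -n "$late" ]; then
        echo "ORDER: allow rule(s) ${late}are numbered after deny $deny and never match"
        return 2
    fi
    # Both "from me to LAN" and "from LAN to me" are needed (rules 00105/00106 above).
    dirs=$(printf '%s\n' "$rules" | awk -v u="$user" '$2=="allow" && $NF==u && $5=="me" {o=1}
        $2=="allow" && $NF==u && $7=="me" {i=1} END {print o+0, i+0}')
    if [ "$dirs" != "1 1" ]; then
        echo "LAN: need allows both 'from me to <lan>' and 'from <lan> to me' for uid $user (out/in: $dirs)"
        return 3
    fi
    echo "OK: uid $user reaches only lo0, wg0 and the LAN; denied by rule $deny"
}

# Constructed from listings posted in this thread.
RULES_NO_DENY='00001 allow ip from any to any via lo0
00010 allow ip from any to any via wg0
00101 allow ip from me to 10.0.0.0/16 uid qbittorrent
65535 allow ip from any to any'
RULES_ONE_WAY='00001 allow ip from any to any via lo0
00010 allow ip from any to any via wg0
00101 allow ip from me to 10.0.0.0/16 uid qbittorrent
00103 deny ip from any to any uid qbittorrent
65535 allow ip from any to any'
RULES_EXPECTED='00001 allow ip from any to any via lo0
00010 allow ip from any to any via wg0
00105 allow ip from me to 10.0.0.0/16 uid qbittorrent
00106 allow ip from 10.0.0.0/16 to me uid qbittorrent
00204 deny ip from any to any uid qbittorrent
65535 allow ip from any to any'

for r in "$RULES_NO_DENY" "$RULES_ONE_WAY" "$RULES_EXPECTED"; do
    check_killswitch qbittorrent "$r" || :
done
```

Inside the jail, `check_killswitch qbittorrent "$(ipfw list)"` runs the same audit against the live rule set.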
 

Dopamin3

Dabbler
Joined
Aug 18, 2017
Messages
46
I followed this guide after having issues with PIA and switched to Mullvad and got everything working. However my transmission is crashing and throwing something else in the logs.

Code:
May 24 08:33:00 Downloads transmission-daemon[22945]: UDP Failed to set receive buffer: requested 4194304, got 42080 (/wrkdirs/usr/ports/net-p2p/transmission-daemon/work/transmission-3.00/libtransmission/tr-udp.c:97)


I tried researching this and to my host I added the following Tunables:
net.inet.udp.recvspace 4194304 SYSCTL
kern.ipc.maxsockbuf 16777216 SYSCTL

My NIC on the host is Chelsio T520-SO-CR 10GbE attached with a DAC SFP+ to a 10GbE switch. Even after adding those tunables and rebooting host it's still crashing with that message after a few hours.
 
Joined
Oct 22, 2019
Messages
3,580
So much for Mullvad. Shame really, but there were signs that as a company they were changing.

Apparently there's "IVPN", but in order to get the equivalent features and pricing, you'd need to buy a 2-year plan.

There's also "ProtonVPN", but they've displayed some questionable behavior recently.
 
Joined
Oct 22, 2019
Messages
3,580
AzireVPN is another one to consider, though I've never heard of them before, until reading through the Mullvad announcement on Reddit.

Their pricing and features seem eerily similar to Mullvad's. (Only if you purchase a 12-month plan.) Almost like Mullvad VPN, but with a different branding. I wonder if others have first-hand experience with them?
 

Volts

Patron
Joined
May 3, 2021
Messages
210
> So much for Mullvad. Shame really, but there were signs that as a company they were changing.

Mullvad's reasons for dropping port forwarding seem clear.

Are you talking about something else? My impression is that they are still the most trustworthy VPN provider.

> There's also "ProtonVPN", but they've displayed some questionable behavior recently.

I don't think that's *completely* fair. They have to follow the laws of the local jurisdiction. They went to court - and won - to fight about the classification of email providers.

I haven't looked into them for VPN in years, but they would still be on my short list of options to research.

Re: Port Forwarding. I dunno, Windscribe? People like them, at least.

As long as it isn't Nord or any of the spam-bot-crap affiliated companies you're doing OK.
 
Joined
Oct 22, 2019
Messages
3,580
> Mullvad's reasons for dropping port forwarding seem clear.
This same reasoning can be applied to the Tor network.

"Bad people do bad things using XYZ service."

This rationale can be used in the future to go after messaging services with end-to-end encryption, Tor, private email, etc.
 
Joined
Oct 22, 2019
Messages
3,580
> Re: Port Forwarding. I dunno, Windscribe? People like them, at least.
AzireVPN seems promising. (Very "Mullvad'ish".)

There's also "IVPN".
 
Joined
Oct 22, 2019
Messages
3,580
Once my Mullvad balance expires in a week, I might give AzireVPN a try.

After doing some research, it seems like the best choice to "continue" with what Mullvad offers, at a slightly higher price.

I made a simple table comparison to help myself, but you might find it useful. I can't speak from personal experience (yet).


                            Mullvad VPN                                   AzireVPN
Monthly cost ($ USD)        5.50 (flat rate)                              10.00 / 7.00 / 5.00 ¹
Port Forwarding             No                                            Yes
WireGuard connections       5                                             5
Privacy                     No logging, anonymous, etc                    No logging, anonymous, etc
Registration                No name, email, or personal info required     No name, email, or personal info required
Linux and FreeBSD support   GUI app, CLI tool, and generator script       CLI tool and generator script, but no GUI ²
Jurisdiction                Sweden                                        Sweden

¹ Based on purchasing 1 month / 3 months / 12 months, respectively
² A GUI app is irrelevant to a NAS server; meanwhile, Linux desktop environments, such as KDE and GNOME, have built-in support for WireGuard connections


The way I see it, if I add 3 months to my AzireVPN account, it comes out to $21.00 (which is $7.00 per month). This is about $1.50 per month more expensive than Mullvad VPN.

For an extra $1.50 per month, I get port forwarding and all the other features that Mullvad offers.

The lack of a GUI for Linux and FreeBSD is not really an issue for me, since they provide a command-line script that generates WireGuard config files. (This is what I'm already doing with Mullvad in a Jail on TrueNAS Core.) As for desktop Linux, WireGuard is easy to use with the default GUI network manager. (Don't really need a third-party GUI app, except for convenience.)

When (if) I switch to Azire, I'll share my personal experience and thoughts on it. Rather than take a chance by adding 12 months ($5/month), I'm going to cautiously dip my toes and choose to add 3 months ($7/month).
 
Joined
Oct 22, 2019
Messages
3,580
Will soon do a write-up on my "sidegrade" to AzireVPN from Mullvad.

In the meantime, I found an interesting comment on Reddit in regards to the port-forwarding issue.

Apparently, Azire is handling the issue of port-forwarding with more grace. This is why I believe that Mullvad is either (1) not forthcoming with the real reasons they're outright dropping port forwarding, or (2) they mishandled the situation with a bombastic approach.

> [AzireVPN allows port-forwarding in a way] that is unfriendly to permanent hosts by simply making the [forwarded port] expire after a maximum of 30 days. That's not very useful to the XXXXXX crowd who want to host a server. But other than having to change the port number in qBittorrent once a month, it's friendly enough to torrenting to make it extremely useful.
>
> This is something Mullvad should have done, rather than cancel the feature. I'm lucky - I had just switched to Mullvad when this came down, and had only signed up for 3 months. So I'm only out 15€. Still - it's annoying and makes me shake my head at why they would drop the feature entirely without at least trying less drastic remedies.

Well, what do you know. There are other creative means to dissuade a "certain group of people" without completely gutting an entire feature used by everyone else.
 
Joined
Oct 22, 2019
Messages
3,580
So I went ahead and purchased 3 months ($21) of AzireVPN, now that my Mullvad subscription has expired.

I was getting ready to write up a casual "first-time experience and brief guide" on how to migrate from Mullvad to Azire in a TrueNAS Core jail with a torrent client, while maintaining port-forwarding...

Essentially I thought it would be a seamless transition where a user could carry on like normal, the only difference is they are now using Azire instead of Mullvad.

Let's just say that I'm fairly disappointed with Azire, and you realize how much quality Mullvad put into the overall end-user experience.

Mullvad is better in almost every aspect, except for the lack of port-forwarding.

Side note: I'm hopeful that Mullvad will reconsider their decision, and reintroduce port-forwarding with an "expiration" that requires manual intervention from the user. This will dissuade "malicious" servers, yet still allow everyone else who requires port-forwarding to use their VPN service.

I'm still going to document how I got Azire (with port-forwarding) working in a TrueNAS Core jail, but I'm going to exclude the hair-pulling I had to go through in order to use Azire (with port-forwarding) on a desktop Linux client. I'm also going to exclude my disdain for their payment and subscription setup. (While not as "gimmicky" as some of the more heavily-advertised VPN services, Azire still rubs me the wrong way with their pricing model based on "bulk discounts" only if you purchase "bundled months". Not to mention their scheme of "refer your friends for more discounts".)

Why, Mullvad? Why? Why must you do this to your loyal users? :frown:
 

Volts

Patron
Joined
May 3, 2021
Messages
210
I don't think there's anything Mullvad can do that will defeat abuse, while also enabling normal use. Anything a user can do, a bot or an outsourced captcha solver can do also.

Thanks for the update.

Windscribe?
 