How-To: Setup a Wireguard VPN Server in a Jail

slyfterin

Cadet
Joined
Jan 3, 2022
Messages
2
No matter what configuration I choose I can't get past starting wireguard without this error
1642387038852.png


Went through a ton of effort to get OpenVPN Server to work with accessing LAN files and I read this was an easier method so I quit that and started down wireguard. But no matter the release version I can't get it to work.

If I continue past this error I can set it up just fine but it simply won't work.

Insight would be appreciated since I just invested a good amount of money into this NAS and one of the main purposes of this was to have access remotely.
 

Patrick M. Hausen

Hall of Famer
Joined
Nov 25, 2013
Messages
7,776
Can you try to unload the kernel module on the host before starting wireguard in the jail?
Code:
kldunload if_wg
 

FreeVel

Dabbler
Joined
Feb 28, 2017
Messages
30
> No matter what configuration I choose I can't get past starting wireguard without this error

This is not an error. Your wireguard has loaded correctly and is active. This is how my instance looks when it starts ...
The interfaces come up and the routes are in place... Wireguard runs in userspace rather than kernel, that is fine.
Screenshot_22.png


If you type "ifconfig", it should show you the wg0 interface as active.

If you cannot successfully test an end-2-end connection, then I suspect any of the below error combinations might be the cause:
(a) your key setup is somehow incorrect
(b) issue with port forwarding
(c) jail firewall NAT routing incorrect
 
slyfterin

Cadet
Joined
Jan 3, 2022
Messages
2
> This is not an error. Your wireguard has loaded correctly and is active. This is how my instance looks when it starts ...
> The interfaces come up and the routes are in place... Wireguard runs in userspace rather than kernel, that is fine.
> View attachment 52373
>
> If you type "ifconfig", it should show you the wg0 interface as active.
>
> If you cannot successfully test an end-2-end connection, then I suspect any of the below error combinations might be the cause:
> (a) your key setup is somehow incorrect
> (b) issue with port forwarding
> (c) jail firewall NAT routing incorrect

Thank you for the responses. I was hoping that wasn't a deal breaker.

I actually got it to work last night, from wireguard via my phone. I can access my LAN SMB Files no problem as well.

The only issue I am running into now is I can't access my LAN files via the mapped drives within file explorer within Windows. I can access the TrueNAS Console via root, but nothing shows in file explorer. The second I disconnect wireguard on the PC the LAN files are accessible again.

I'm just puzzled why I can access the LAN files via android phone wireguard but not PC wireguard. Any ideas? I appreciate the help. Spent the majority of the whole weekend trying to get this to work and it seems as if I am still not quite there yet.
 

idArns

Cadet
Joined
May 3, 2022
Messages
4
Hi everyone!

I have set up wg last night through this very detailed and on point guide. First of all thank you for it. I can reach my LAN and the resources on it but I have a small problem. I cannot reach resources that are on my TrueNAS server, running as jails also. So you know I have for example a Unifi Controller routed through server-ip:8080 or a transmission client on server-ip:9110 and so on. Those are also in jails with vnet enabled just like wg so they have their own network stack. I have a jail that uses DHCP so it receives its own IP on the LAN. That is unreachable as well.

I can access the TrueNAS GUI no problem, but seems like jailed resources on the same machine the wg jail is running on are unreachable with this configuration. I would imagine this would have something to do with the ipfw rules or more specifically the NAT rules in it, but I'm not knowledgeable enough to come to a solution.
 

volothamp

Explorer
Joined
Jul 28, 2019
Messages
72
> Hi everyone!
>
> that uses DHCP so it receives its own IP on the LAN. That is unreachable as well.
>
> I can access the TrueNAS GUI no problem, but seems like jailed resources on the same machine the wg jail is running on are unreachable with this configuration. I would imagine this would have something to do with the ipfw rules or more specifically the NAT rules in it, but I'm not knowledgeable enough to come to a solution.

I'm no expert but the whole point of jails is to have them isolated from one another, so this is totally expected behaviour.

You should probably map the internal jail folder from your share mechanism and then you should be able to access those
 

idArns

Cadet
Joined
May 3, 2022
Messages
4
> I'm no expert but the whole point of jails is to have them isolated from one another, so this is totally expected behaviour.
>
> You should probably map the internal jail folder from your share mechanism and then you should be able to access those

I'm sure there's a way then to link them all together somehow. Maybe putting all of them on the same vnet?
 

idArns

Cadet
Joined
May 3, 2022
Messages
4
Unfortunately it's not just some folders. The goal is to have access to the jailed services' GUIs, like you normally would from a separate client. Maybe I'm just making it unnecessarily complicated. I'm thinking of enabling a systemwide WireGuard since it's now part of the kernel and can be easily switched on. Or just set up wireguard on my router, that would be even more isolated from the NAS and probably much simpler from a routing standpoint.
 

Cellobita

Contributor
Joined
Jul 15, 2011
Messages
107
After setting up two TrueNAS 12-U8.1 WireGuard jails successfully, I have attempted the exact same procedure on TrueNAS 13-RELEASE, with a FreeBSD 13 based jail, and it doesn't work; I have checked and rechecked everything (it's a copy and paste procedure, after all), to no avail.

What I have noticed is that the

ipfw nat show config

command returns a blank response on the 13.0-RELEASE jail (instead of the correct line I get on the 12.3-RELEASE one).

Does anyone have ideas on this?
 

AuburnJamJoe

Cadet
Joined
Mar 28, 2023
Messages
4
I’m so happy to read this comment! Thought I was going mad having tried it multiple times and it simply not working. Would love a solution!
 

Patrick M. Hausen

Hall of Famer
Joined
Nov 25, 2013
Messages
7,776
Why would you want to NAT? Use static rules on your upstream default gateway.
 

AuburnJamJoe

Cadet
Joined
Mar 28, 2023
Messages
4
Thanks for the response… I’ve tried also setting up wireguard in the root as described in the documentation but not having any joy there either. Apologies, I’m a total newbie to everything about this, but trying hard!
 

Patrick M. Hausen

Hall of Famer
Joined
Nov 25, 2013
Messages
7,776
Setting up in a jail is good. But instead of messing with the FreeBSD firewall in an unsupported way you could add routes to your tunnel and remote networks to your router.
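
An added example, not part of any post in this thread: a small model of the reply path that the static-route suggestion above addresses, showing where a LAN host's answer to a VPN client ends up with NAT in the jail, with neither NAT nor a route, and with a static route on the router. All addresses and route tables are constructed assumptions, not values from the thread.

```python
import ipaddress

# Constructed addressing for illustration; none of it comes from the thread.
LAN = ipaddress.ip_network("192.168.1.0/24")
TUNNEL = ipaddress.ip_network("10.0.0.0/24")
DEFAULT = ipaddress.ip_network("0.0.0.0/0")
ROUTER = ipaddress.ip_address("192.168.1.1")
WG_JAIL = ipaddress.ip_address("192.168.1.50")   # jail's address on the LAN
VPN_CLIENT = ipaddress.ip_address("10.0.0.2")    # remote peer's tunnel address

# Route tables as (network, next hop) pairs.
HOST_ROUTES = [(LAN, "on-link"), (DEFAULT, ROUTER)]      # any ordinary LAN host
ROUTER_PLAIN = [(LAN, "on-link"), (DEFAULT, "WAN")]      # router without extra routes
ROUTER_STATIC = ROUTER_PLAIN + [(TUNNEL, WG_JAIL)]       # tunnel subnet via the jail


def next_hop(routes, dst):
    """Longest-prefix match: the most specific route containing dst wins."""
    matches = [(net, hop) for net, hop in routes if dst in net]
    return max(matches, key=lambda m: m[0].prefixlen)[1]


def reply_path(source_seen, router_routes):
    """Hops taken by a LAN host's reply to the source address it saw."""
    hop = next_hop(HOST_ROUTES, source_seen)
    if hop == "on-link":
        return [str(source_seen)]            # delivered directly on the LAN
    onward = next_hop(router_routes, source_seen)
    return [str(hop), str(source_seen if onward == "on-link" else onward)]


def scenarios():
    return {
        # NAT rewrites the source to the jail's LAN address before the host sees it.
        "nat_in_jail": reply_path(WG_JAIL, ROUTER_PLAIN),
        # No NAT: the host sees the tunnel address and the router has no route for it.
        "no_nat_no_route": reply_path(VPN_CLIENT, ROUTER_PLAIN),
        # No NAT, but the router knows the tunnel subnet lives behind the jail.
        "no_nat_static_route": reply_path(VPN_CLIENT, ROUTER_STATIC),
    }


if __name__ == "__main__":
    for name, path in scenarios().items():
        print(f"{name:22} reply goes via {' -> '.join(path)}")
```

In the middle case the reply leaves through the WAN and never reaches the tunnel, which is the gap a static route for the tunnel subnet on the default gateway closes without any address rewriting.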
 

AuburnJamJoe

Cadet
Joined
Mar 28, 2023
Messages
4
That sounds great! Do you know of a guide to set that up? I think using WireGuard to gain external access to a TrueNas Core server is something a lot of people want to do, so such a thing would be really helpful!
 

vrtareg

Dabbler
Joined
Apr 8, 2017
Messages
15
I am having issues also.
Difference is that my Jail VNET is on the same network as my LAN, it does not have internal 172 network assigned to it.
I modified IPFW rules to only NAT WG network via my Jail epair interface but something does not work.
 

Patrick M. Hausen

Hall of Famer
Joined
Nov 25, 2013
Messages
7,776
Sorry, I cannot help you if you mess with NAT. I explicitly recommend doing that and using static routing instead. Possibly somebody else knows.
 