
How-To: Setup a Wireguard VPN Server in a Jail

keboose

Member
Joined
Mar 5, 2016
Messages
91
It looks like your clients have never connected. If you look at mine:
[attached image: Screenshot 2020-10-14 092606.png]


You'll see it has info on the last client that connected. Yours lacking info means the client never really completed the handshake procedure, so it never connected (even though the client says it's connected; this is a massive shortcoming of all the official Wireguard clients: it shouldn't count as 'connected' until AFTER the handshake.) If you look at the log when you turn on the VPN on your client, what do you see?
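As an added example (not from the guide or from any poster in this thread), a small Python checker for the point above, which also applies to the `wg show` outputs posted further down: it parses `wg show` output and reports, per peer, whether a handshake ever completed on the server side and how fresh it is. The sample output is constructed to mirror the thread's format; the peer keys and endpoint address are placeholders.

```python
import re

# Constructed sample modelled on the `wg show` output posted in this thread: peer A has
# never completed a handshake, peer B has. The peer keys are placeholders, not real keys.
SAMPLE_WG_SHOW = """\
interface: wg0
  listening port: 51820

peer: PEER_PUBKEY_PLACEHOLDER_A=
  allowed ips: 10.0.0.2/32

peer: PEER_PUBKEY_PLACEHOLDER_B=
  endpoint: 203.0.113.7:41920
  allowed ips: 10.0.0.3/32
  latest handshake: 1 minute, 12 seconds ago
  transfer: 4.21 MiB received, 18.90 MiB sent
"""
_UNIT_SECONDS = {"second": 1, "minute": 60, "hour": 3600, "day": 86400}
# wg rekeys every 2 minutes while traffic flows and rejects a session after 3 minutes,
# so a handshake older than that means the peer has gone quiet.
STALE_AFTER_SECONDS = 180

def parse_wg_show(text):
    """Return one dict per `peer:` block, keyed by the field names wg prints."""
    peers = []
    for line in text.splitlines():
        key, sep, value = line.strip().partition(": ")
        if not sep:
            continue
        if key == "peer":
            peers.append({"peer": value})
        elif peers:  # lines before the first peer describe the interface; skip them
            peers[-1][key] = value
    return peers

def handshake_age_seconds(latest):
    """'1 minute, 12 seconds ago' -> 72; 'Now' -> 0; None when the peer never handshook."""
    if latest is None:
        return None
    return sum(int(n) * _UNIT_SECONDS[u]
               for n, u in re.findall(r"(\d+) (second|minute|hour|day)s?", latest))

def classify_peers(text):
    """Map each peer key to 'never-handshook', 'stale' or 'active'."""
    # A client app can report 'connected' while the server still shows 'never-handshook'.
    status = {}
    for peer in parse_wg_show(text):
        age = handshake_age_seconds(peer.get("latest handshake"))
        status[peer["peer"]] = ("never-handshook" if age is None else
                                "stale" if age > STALE_AFTER_SECONDS else "active")
    return status
```

Feed it the real output with `classify_peers(subprocess.check_output(["wg", "show"], text=True))` inside the jail; a peer that stays 'never-handshook' while the client claims to be connected means the handshake packets are not arriving at the server.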
 

nicpayne713

Neophyte
Joined
Oct 13, 2020
Messages
10
The log repeats the message that it's initiating the handshake and eventually times out. So yes it's clear the client never connected and I agree that's a major shortcoming on the client application side.
I ended up getting the VPN server to work with client connectivity by changing my endpoint to the physical IP address of my router rather than using a domain name. I own a domain.com but when I use it as the endpoint the VPN breaks. I know the domain redirects right with regular applications as I have a few web pages that I host. Do you or anyone else have any idea why the DNS lookup is breaking there?
 

keboose

Member
Joined
Mar 5, 2016
Messages
91
That will be down to your domain provider and how you set up your domain. Did you set up a subdomain (like vpn.example.com) to connect with, or use the port directly with your domain (like www.example.com:51820)? If it's the former, you might have to wait a while (up to 24 hours) for the DNS settings to propagate.
 

nicpayne713

Neophyte
Joined
Oct 13, 2020
Messages
10
I have some subdomains set up, which forward correctly from cloudflare, for my self-hosted services (image server, etc.). In the endpoint key of my wireguard config I just use the domain though, no subdomain set up. Since the domain forwards correctly I didn't think I needed a subdomain because I don't need to redirect the request for the VPN traffic on 80/443. My understanding is that the wireguard client would resolve the ip via the domain name (which again, I know forwards correctly given how I have it set up in cloudflare) and then work just fine. I'm not sure what the hangup is with the domain/ip resolution though.
 

keboose

Member
Joined
Mar 5, 2016
Messages
91
Can you post a redacted version of your client config file?
 

nicpayne713

Neophyte
Joined
Oct 13, 2020
Messages
10
I wanted to follow up as I did some testing on my computer as well. When I'm on my Windows machine, with this same config, I have similar issues plus one extra, which is that if I specify the public IP of my router in the endpoint, then wireguard works and I have access to the internet, but I do not have access to anything on my home network, whereas when I use wireguard on my phone I am able to, within the wireguard tunnel, hit my home server at its local IP address. Can anyone help me understand what the difference is here? Is this a wireguard issue or is my setup poor? I am hosting wireguard in a FreeBSD jail on FreeNAS.
 

keboose

Member
Joined
Mar 5, 2016
Messages
91
Are you testing your clients on the local network? It may behave strangely unless you are actually connecting from outside your LAN.
 

nicpayne713

Neophyte
Joined
Oct 13, 2020
Messages
10
I am testing clients off network yes. The on network behavior has been very strange.
As an update, I did actually resolve this DNS lookup issue. My domain is registered with Cloudflare and they have a proxy set up so that paynepride.com doesn't resolve to my actual IP. I added a service that is not proxied and the DNS lookup works now.

I am now unable to configure Wireguard for point to site which is what I am really after here. I'd like to be able to remote into my network and talk to all the devices I have running at their local IPs as well as remote into my main workstation. All the rules I am finding online are for setting this up on Linux but using the FreeBSD OS in the FreeNAS jail is making it difficult to find more help.

Can anyone comment on the ipfw rules I need to change in the example config in this guide in order to get point to site working correctly?
 

keboose

Member
Joined
Mar 5, 2016
Messages
91
Assuming you followed the guide to the letter, then disregarding all other factors, you should have access to your LAN. I am able to log into the SMB share on my NAS at home while I am away from my house. If you look back at my first post in this thread, I was also having similar issues, but my problem ended up being that I segment my network into two physical LANs, and wasn't able to tunnel across them properly; I ended up moving the service I wanted to the same LAN as the one my wireguard server is on to fix it.
 

nicpayne713

Neophyte
Joined
Oct 13, 2020
Messages
10
I only have 1 LAN. When I VPN through wireguard I can confirm that the IP is correct, from off network I can route through my router. I have access to the internet just fine but continue to not be able to ping anything on my local 192.x.x.x.
Do I need to add something else in the client configs under AllowedIPs? I have tried "0.0.0.0/0,::0" as well as adding "192.168.1.0/24".
 

keboose

Member
Joined
Mar 5, 2016
Messages
91
"0.0.0.0/0,::0" should allow all IPv4/v6 traffic to route through your VPN. The firewall rules are mostly "ip from any to any", meaning the rules apply to all IP traffic, regardless of source or destination network/interface. How closely did you match the jail settings (in the FreeNAS GUI) in the guide?
 

nicpayne713

Neophyte
Joined
Oct 13, 2020
Messages
10
Other than the greyed out ipv4 netmask of the jail ipv4 address (mine looks like 30) and the interface name being different, it's exactly the same.
I tore everything down and started up again and was able to get on the lan.
So I know my problem is evolving, but my end goal has been to be able to VPN in and then use Windows Remote Desktop to work on my main workstation at home if I'm away. I think I need to set up a point-to-site configuration, but the only docs I can find for this are for Arch Linux. Anyone here have experience with my use-case?
 

nicpayne713

Neophyte
Joined
Oct 13, 2020
Messages
10
Ok I think all my problems have been more or less figured out and I just wanted to post the conclusion here.
The guide worked as advertised and it was the few changes I required that led to a lot of confusion. The main problem was that my domain name didn't resolve to the WAN IP properly. Once that was resolved with Cloudflare (by removing their proxy on my domain), the LAN access worked fine.
The Windows RDC had been failing because the computer name wasn't resolving the ip of my workstation properly, but if I RDC with the ip of my workstation then it all works just fine.
Looks like, for me, this has been just a classic example of trying to do too much at once.
Thanks for replying and I think I'm good to go now.
Cheers!
 

ZodiacUHD

Member
Joined
Aug 28, 2015
Messages
211
Hello there and thank you very much for your guide. Did you maybe try to use WG to connect to a VPN like PIA?
Cheers
 

Patrick M. Hausen

Dedicated Sage
Joined
Nov 25, 2013
Messages
2,767
Did you maybe try to use WG to connect to a VPN like PIA?
If by PIA you mean "Private Internet Access", the commercial VPN provider by that name, that is not possible, if I read their website correctly.
They say they support:
  • PPTP
  • OpenVPN
  • L2TP/IPSec
You could of course suggest WireGuard support as a feature request to them. One problem I have with WireGuard, too, and the reason why I don't use it for our company "road warrior" VPN: the complete lack of external authentication methods and dynamic IP address assignment. So it looks difficult to build something for dozens (in our case) or even thousands (in PIA's case) of users with central account management.
 

SamPool

Neophyte
Joined
Jan 15, 2021
Messages
7
Hello, after having no luck with OpenVPN I thought I would give WireGuard a go.
I cannot get past the Client Handshake timing out.

[attached image: ClientLog.jpeg]


I am running TrueNAS-12.0-U1.
I followed the setup with everything in the guide, except in the guide it was on FreeNAS.

My TrueNAS is ip: 192.168.69.129
The wireguard jail ip: 172.16.0.2/30 (this is what it was given after the setup)

Code:
root@wireguard:~ # ifconfig
lo0: flags=8049<UP,LOOPBACK,RUNNING,MULTICAST> metric 0 mtu 16384
    options=680003<RXCSUM,TXCSUM,LINKSTATE,RXCSUM_IPV6,TXCSUM_IPV6>
    inet6 ::1 prefixlen 128
    inet6 fe80::1%lo0 prefixlen 64 scopeid 0x1
    inet 127.0.0.1 netmask 0xff000000
    groups: lo
    nd6 options=21<PERFORMNUD,AUTO_LINKLOCAL>
pflog0: flags=0<> metric 0 mtu 33160
    groups: pflog
epair0b: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
    options=8<VLAN_MTU>
    ether 02:ff:60:be:89:0d
    hwaddr 02:1a:c8:2b:ac:0b
    inet 172.16.0.2 netmask 0xfffffffc broadcast 172.16.0.3
    groups: epair
    media: Ethernet 10Gbase-T (10Gbase-T <full-duplex>)
    status: active
    nd6 options=1<PERFORMNUD>
wg0: flags=8051<UP,POINTOPOINT,RUNNING,MULTICAST> metric 0 mtu 1420
    options=80000<LINKSTATE>
    inet 10.0.0.1 --> 10.0.0.1 netmask 0xffffffff
    groups: tun
    nd6 options=101<PERFORMNUD,NO_DAD>
    Opened by PID 66376

root@wireguard:~ # wg show
interface: wg0
  public key: gQE3c80er9Ym+ChriSDeI5R0bmQhUM0DHilMHBjVEVI=
  private key: (hidden)
  listening port: 51820

peer: [removed by me in the cut/paste]
  allowed ips: 10.0.0.2/32


I am a little fuzzy on Port-forwarding parts.
Code:
port-forwarding for 192.x.x.x:51820 (local) <-->172.x.x.x/24 (jail)

Finally port-forwarding from WAN <---> 192.x.x.x:51820

This is what I have forwarded in my router but if I try and ping the wireguard jail it times out.
So, I am not sure I have this corrected and any help would be appreciated.
[attached image: PortForwarding.jpg]
 

FreeVel

Member
Joined
Feb 28, 2017
Messages
27
The forwarding is happening in two places:
1. From your TrueNAS IP:port to the jail's (internal) port - confirm you did Step 1.c correctly.
2. From your router port to the TrueNAS port - your NetworkComputer / Device is incorrect.

So on your router screenshot, rather than 172.16.0.2 you should edit the setting and replace it with 192.168.69.129.
 

SamPool

Neophyte
Joined
Jan 15, 2021
Messages
7
The forwarding is happening in two places:
1. From your TrueNAS IP:port to the jail's (internal) port - confirm you did Step 1.c correctly.
2. From your router port to the TrueNAS port - your NetworkComputer / Device is incorrect.

So on your router screenshot, rather than 172.16.0.2 you should edit the setting and replace it with 192.168.69.129.
So, I updated the router:
[attached image: PortForwarding2.jpg]


When I type "wg show" I get the same, where I cannot see anyone connected.
Code:
root@wireguard:~ # wg show
interface: wg0
  public key: gQE3c80er9Ym+ChriSDeI5R0bmQhUM0DHilMHBjVEVI=
  private key: (hidden)
  listening port: 51820

peer: [removed by me in the cut/paste]
  allowed ips: 10.0.0.2/32


From the client app log, the info is different and near the end says "connected", but I cannot access anything on the network. Appreciate any help.
Code:
2021-01-15 17:03:32.285983: [APP] startActivation: Entering (tunnel: test3)
2021-01-15 17:03:32.286329: [APP] startActivation: Tunnel is disabled. Re-enabling and saving
2021-01-15 17:03:32.298727: [APP] startActivation: Tunnel saved after re-enabling, invoking startActivation
2021-01-15 17:03:32.298779: [APP] startActivation: Entering (tunnel: test3)
2021-01-15 17:03:32.299859: [APP] startActivation: Starting tunnel
2021-01-15 17:03:32.301926: [APP] startActivation: Success
2021-01-15 17:03:32.306378: [APP] Tunnel 'test3' connection status changed to 'connecting'
2021-01-15 17:03:32.344613: [NET] App version: 1.0.12 (22)
2021-01-15 17:03:32.344772: [NET] Starting tunnel from the app
2021-01-15 17:03:32.648430: [NET] DNS64: mapped [my external IP from cut/paste] to itself.
2021-01-15 17:03:32.648776: [NET] Attaching to interface
2021-01-15 17:03:32.650671: [NET] Routine: decryption worker - started
2021-01-15 17:03:32.651814: [NET] UAPI: Updating private key
2021-01-15 17:03:32.653888: [NET] Routine: event worker - started
2021-01-15 17:03:32.654317: [NET] Routine: handshake worker - started
2021-01-15 17:03:32.655784: [NET] Routine: encryption worker - started
2021-01-15 17:03:32.657784: [NET] Routine: decryption worker - started
2021-01-15 17:03:32.659784: [NET] Routine: handshake worker - started
2021-01-15 17:03:32.661776: [NET] Routine: encryption worker - started
2021-01-15 17:03:32.663784: [NET] Routine: decryption worker - started
2021-01-15 17:03:32.665785: [NET] Routine: handshake worker - started
2021-01-15 17:03:32.667784: [NET] Routine: TUN reader - started
2021-01-15 17:03:32.669783: [NET] Routine: encryption worker - started
2021-01-15 17:03:32.671797: [NET] UAPI: Removing all peers
2021-01-15 17:03:32.673793: [NET] UAPI: Transition to peer configuration
2021-01-15 17:03:32.676028: [NET] peer(UdS5…LWHM) - UAPI: Created
2021-01-15 17:03:32.677789: [NET] peer(UdS5…LWHM) - UAPI: Updating endpoint
2021-01-15 17:03:32.679825: [NET] peer(UdS5…LWHM) - UAPI: Updating persistent keepalive interval
2021-01-15 17:03:32.681856: [NET] peer(UdS5…LWHM) - UAPI: Removing all allowedips
2021-01-15 17:03:32.683789: [NET] peer(UdS5…LWHM) - UAPI: Adding allowedip
2021-01-15 17:03:32.685791: [NET] peer(UdS5…LWHM) - UAPI: Adding allowedip
2021-01-15 17:03:32.687945: [NET] UDP bind has been updated
2021-01-15 17:03:32.689796: [NET] peer(UdS5…LWHM) - Starting...
2021-01-15 17:03:32.691875: [NET] Device started
2021-01-15 17:03:32.691875: [NET] Routine: receive incoming IPv4 - started
2021-01-15 17:03:32.693826: [NET] Tunnel interface is utun2
2021-01-15 17:03:32.696296: [NET] Network change detected with satisfied route and interface order [pdp_ip0]
2021-01-15 17:03:32.696860: [APP] Tunnel 'test3' connection status changed to 'connected'
2021-01-15 17:03:32.699928: [NET] Routine: receive incoming IPv6 - started
2021-01-15 17:03:32.699991: [NET] peer(UdS5…LWHM) - Routine: nonce worker - started
2021-01-15 17:03:32.700028: [NET] DNS64: mapped [my external IP from cut/paste] to itself.
2021-01-15 17:03:32.703902: [NET] peer(UdS5…LWHM) - Routine: sequential sender - started
2021-01-15 17:03:32.703975: [NET] peer(UdS5…LWHM) - Routine: sequential receiver - started
2021-01-15 17:03:32.705798: [NET] UAPI: Transition to peer configuration
2021-01-15 17:03:32.707799: [NET] peer(UdS5…LWHM) - UAPI: Updating endpoint
2021-01-15 17:03:32.710012: [NET] Routine: receive incoming IPv4 - stopped
2021-01-15 17:03:32.711889: [NET] Routine: receive incoming IPv6 - stopped
2021-01-15 17:03:32.714078: [NET] UDP bind has been updated
2021-01-15 17:03:32.715809: [NET] Routine: receive incoming IPv4 - started
2021-01-15 17:03:32.716326: [NET] Routine: receive incoming IPv6 - started
2021-01-15 17:03:33.050130: [NET] Network change detected with satisfied route and interface order [pdp_ip0, utun2]
2021-01-15 17:03:33.050353: [NET] DNS64: mapped [my external IP from cut/paste] to itself.
2021-01-15 17:03:33.052643: [NET] UAPI: Transition to peer configuration
2021-01-15 17:03:33.054307: [NET] peer(UdS5…LWHM) - UAPI: Updating endpoint
2021-01-15 17:03:33.056416: [NET] Routine: receive incoming IPv4 - stopped
2021-01-15 17:03:33.058319: [NET] Routine: receive incoming IPv6 - stopped
2021-01-15 17:03:33.060446: [NET] UDP bind has been updated
2021-01-15 17:03:33.062238: [NET] Routine: receive incoming IPv4 - started
2021-01-15 17:03:33.064260: [NET] Routine: receive incoming IPv6 - started
2021-01-15 17:03:37.302899: [APP] Status update notification timeout for tunnel 'test3'. Tunnel status is now 'connected'.
2021-01-15 17:07:58.929578: [APP] App version: 1.0.12 (22)
 