Installing Wireguard client on Truenas ip to access Webui from outside my network

[petoniano]

Hi, I´m quite new on VPNs and advanced networking. When I had freenas 11.1 I had zerotier as VPN because setting up an openVPN was very difficult for me. After upgrading to Truenas 12 Stable Zerotier is not longer suported and decided to try a VPN, and read about Wireguard so I spent these weeks learning and tring how to do it.

My system now has an ip 192.168.0.10 (for the system with the WebUI) and two jails, one for PlexMediaServer and another one to access my data, downloads, and whatever I need.

I followed this tutorial to create a Wireguard Server on a Jail

How-To: Setup a Wireguard VPN Server in a Jail

[DRAFT] open to comments Goal To setup a VPN server based on the Wireguard technology and running from within a Jail. The VPN server would allow remote devices to connect and access resources in the local network All remote traffic should be...

www.truenas.com

It creates a jail with IP 172.16.0.2/30 and 10.0.01 in the Wireguard subnet as the wireguard server

Code:

root@WGServerJail:~ # ifconfig
lo0: flags=8049<UP,LOOPBACK,RUNNING,MULTICAST> metric 0 mtu 16384
        options=680003<RXCSUM,TXCSUM,LINKSTATE,RXCSUM_IPV6,TXCSUM_IPV6>
        inet6 ::1 prefixlen 128
        inet6 fe80::1%lo0 prefixlen 64 scopeid 0x1
        inet 127.0.0.1 netmask 0xff000000
        groups: lo
        nd6 options=21<PERFORMNUD,AUTO_LINKLOCAL>
pflog0: flags=0<> metric 0 mtu 33160
        groups: pflog
epair0b: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
        options=8<VLAN_MTU>
        ether d2:50:99:71:13:2a
        hwaddr 02:06:39:e2:c7:0b
        inet 172.16.0.2 netmask 0xfffffffc broadcast 172.16.0.3
        groups: epair
        media: Ethernet 10Gbase-T (10Gbase-T <full-duplex>)
        status: active
        nd6 options=1<PERF

Then I installed Wireguard in my allpurpose Jail following this tutorial:

How to install a Wireguard VPN client in a FreeBSD jail - nixCraft

Explains how to install and set up WireGuard VPN client for FreeBSD jail running either on FreeNAS or FreeBSD host.

www.cyberciti.biz

That jail is 192.168.0.3/24 and 10.0.0.3/32 in the Wireguard network and is reachable from outside from 10.0.0.2 my android phone client for example.
(sometimes is not reachable I don´t know why, and have to restart the Jail, but that´s not the point of this thread)

And I want to access the WebUI of my freenas System from outside for example If I have problems accessing the jail and I want to restart that jail.
My main ip where the Truenas system is is: 192.168.0.10
I try to install a wireguard client there with this steps:

/core/coretutorials/network/wireguard/

adding two tunables in the webui-system-tunables: “wireguard_enable” -> “YES” in rc.conf and “wireguard_interfaces” -> “wg0” in rc.conf
and a postinit scrip to put the wg0.conf file in the correct place after a reboot: “cp /root/wg0.conf /usr/local/etc/wireguard/wg0.conf && /usr/local/etc/rc.d/wireguard start”

Code:

root@freenas:~ # ifconfig
igb0: flags=8802<BROADCAST,SIMPLEX,MULTICAST> metric 0 mtu 1500
        options=e527bb<RXCSUM,TXCSUM,VLAN_MTU,VLAN_HWTAGGING,JUMBO_MTU,VLAN_HWCSUM,TSO4,TSO6,LRO,WOL_MAGIC,VLAN_HWFILTER,VLAN_HWTSO,RXCSUM_IPV6,TXCSUM_IPV6>
        ether d0:50:99:c2:a0:87
        media: Ethernet autoselect
        status: no carrier
        nd6 options=1<PERFORMNUD>
em0: flags=8943<UP,BROADCAST,RUNNING,PROMISC,SIMPLEX,MULTICAST> metric 0 mtu 1500
        description: freenas_ui
        options=812099<RXCSUM,VLAN_MTU,VLAN_HWTAGGING,VLAN_HWCSUM,WOL_MAGIC,VLAN_HWFILTER>
        ether d0:50:99:c2:a0:88
        inet 192.168.0.10 netmask 0xffffff00 broadcast 192.168.0.255
        media: Ethernet autoselect (1000baseT <full-duplex>)
        status: active
        nd6 options=9<PERFORMNUD,IFDISABLED>
lo0: flags=8049<UP,LOOPBACK,RUNNING,MULTICAST> metric 0 mtu 16384
        options=680003<RXCSUM,TXCSUM,LINKSTATE,RXCSUM_IPV6,TXCSUM_IPV6>
        inet6 ::1 prefixlen 128
        inet6 fe80::1%lo0 prefixlen 64 scopeid 0x3
        inet 127.0.0.1 netmask 0xff000000
        groups: lo
        nd6 options=21<PERFORMNUD,AUTO_LINKLOCAL>
pflog0: flags=0<> metric 0 mtu 33160
        groups: pflog
wg0: flags=8051<UP,POINTOPOINT,RUNNING,MULTICAST> metric 0 mtu 1420
        options=80000<LINKSTATE>
        inet 10.0.0.10 --> 10.0.0.10 netmask 0xffffffff
        groups: tun
        nd6 options=101<PERFORMNUD,NO_DAD>
        Opened by PID 1810
bridge0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
        ether 02:f9:ca:ee:fe:00
        id 00:00:00:00:00:00 priority 32768 hellotime 2 fwddelay 15
        maxage 20 holdcnt 6 proto stp-rstp maxaddr 2000 timeout 1200
        root id 00:00:00:00:00:00 priority 32768 ifcost 0 port 0
        member: vnet0.5 flags=143<LEARNING,DISCOVER,AUTOEDGE,AUTOPTP>
                ifmaxaddr 0 port 11 priority 128 path cost 2000
        member: vnet0.4 flags=143<LEARNING,DISCOVER,AUTOEDGE,AUTOPTP>
                ifmaxaddr 0 port 10 priority 128 path cost 2000
        member: vnet0.3 flags=143<LEARNING,DISCOVER,AUTOEDGE,AUTOPTP>
                ifmaxaddr 0 port 9 priority 128 path cost 2000
        member: vnet0.1 flags=143<LEARNING,DISCOVER,AUTOEDGE,AUTOPTP>
                ifmaxaddr 0 port 7 priority 128 path cost 2000
        member: em0 flags=143<LEARNING,DISCOVER,AUTOEDGE,AUTOPTP>
                ifmaxaddr 0 port 2 priority 128 path cost 20000
        groups: bridge
        nd6 options=1<PERFORMNUD>
vnet0.1: flags=8943<UP,BROADCAST,RUNNING,PROMISC,SIMPLEX,MULTICAST> metric 0 mtu 1500
        description: associated with jail: WGJ2 as nic: epair0b
        options=8<VLAN_MTU>
        ether d2:50:99:1f:f8:25
        hwaddr 02:06:39:e2:c7:0a
        groups: epair
        media: Ethernet 10Gbase-T (10Gbase-T <full-duplex>)
        status: active
        nd6 options=1<PERFORMNUD>
vnet0.2: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
        description: associated with jail: WGServerJail as nic: epair0b
        options=8<VLAN_MTU>
        ether d2:50:99:71:13:29
        hwaddr 02:30:17:69:45:0a
        inet 172.16.0.1 netmask 0xfffffffc broadcast 172.16.0.3
        groups: epair
        media: Ethernet 10Gbase-T (10Gbase-T <full-duplex>)
        status: active
        nd6 options=1<PERFORMNUD>
vnet0.3: flags=8943<UP,BROADCAST,RUNNING,PROMISC,SIMPLEX,MULTICAST> metric 0 mtu 1500
        description: associated with jail: freebsd_pkg as nic: epair0b
        options=8<VLAN_MTU>
        ether d2:50:99:ef:26:f8
        hwaddr 02:b7:e9:66:b8:0a
        groups: epair
        media: Ethernet 10Gbase-T (10Gbase-T <full-duplex>)
        status: active
        nd6 options=1<PERFORMNUD>
vnet0.4: flags=8943<UP,BROADCAST,RUNNING,PROMISC,SIMPLEX,MULTICAST> metric 0 mtu 1500
        description: associated with jail: openspeedtest as nic: epair0b
        options=8<VLAN_MTU>
        ether d2:50:99:62:52:c3
        hwaddr 02:ea:f8:ce:3e:0a
        groups: epair
        media: Ethernet 10Gbase-T (10Gbase-T <full-duplex>)
        status: active
        nd6 options=1<PERFORMNUD>
vnet0.5: flags=8943<UP,BROADCAST,RUNNING,PROMISC,SIMPLEX,MULTICAST> metric 0 mtu 1500

my wg0.cong file in the Truenas System client is:


root@freenas:~ # cat wg0.conf [Interface] Address = 10.0.0.10/32 PrivateKey = XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX= DNS = 8.8.8.8 [Peer] PublicKey = XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX= AllowedIPs = 0.0.0.0/0,::/0 Endpoint = my_public_IP_from_ouside:51820


and when I reboot I the truenas system ip is not reachable, and the whole Wireguard VPN doesn´t work.
I don´t know what to do, and searcherd a los in the forums and goolgle.Any light woulf be much apreciated. I know it´s difficult to know what happens with my english and this poor data. ask me if you need more info.

in the truenas shell it shows not receiving data:

Code:

root@freenas:~ # wg show
interface: wg0
  public key: XXXXXXXXXXXXXXXXXXXXXXXXXX=
  private key: (hidden)
  listening port: 40847

peer: XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXx=
  endpoint: 188.XXX.XXX.XXX:51820
  allowed ips: 0.0.0.0/0, ::/0
  transfer: 0 B received, 24.43 KiB sent
root@freenas:~ #

Thak you very much for the help. I don´t know where to continue...
petoniano

 

[Dan Tudora]

hello
I use in this moment that VPN, BUT not in TrueNAS 12, in FreeNAS11.3 u5
forget about part with "jail"
use it in system with no complication with firewall/redirect port and another thing
read the discussion of the resources and maybe have success
success

 

[petoniano]

But I only found documentation about coneccting to a wireguard network, conect my truenas system as a client.
And documentation about creating a wireguard server inside a jail.

I don´t find any info about a server on the truenas system

thank you for your help

 

[Dan Tudora]

hello
on discussion of resources have "discussion" about that resources
iXsystems say https://www.ixsystems.com/blog/wireguard-on-freenas-11-3/
https://www.truenas.com/community/threads/how-to-setup-a-wireguard-vpn-server-in-a-jail.86116/
and read/fallow that instruction from discussion and for sure work including in FreeNAS not just in jail
success

 

[petoniano]

It finally worked! As you said, I changed the settings in the truenas system and it acted like a server (no server inside a jail) and now I think it´s everything working, I need to learn a lot because I don´t hace experience with VPNs, no only with Wireguard.

To reach the Jails from outside I thougt I needed to use their WG IP 10.0.0.1 for my truenas system, and for example 10.0.05 for a jail, but I just need to use me local IP as i were inside my local network, for example, I reach the truenas WebUI with 192.168.0.10 same as I were at home. Need to do more test to use this VPN with other service like owncloud rsync and that stuff.

Thank you very much, I thought to make a tutorial with the details for dummies like me, maybe if I have time i´ll do it.