No internet connection with Wireguard on TrueNAS SCALE 21.06-BETA.1

Obli (Cadet, joined May 19, 2021, 4 messages):
TrueNAS SCALE is just what I need, so thanks guys.

One question, does Wireguard via CLI work for anybody?
It works on my desktop PC but not on SCALE :(

My steps:
create /etc/wireguard/wg0.conf with the following contents:

Code:
[Interface]
PrivateKey = ...
Address = ...
DNS = 193.138.218.74

[Peer]
PublicKey = ...
AllowedIPs = 0.0.0.0/0,::0/0
Endpoint = ...


wg-quick up wg0

Code:
truenas# wg show
interface: wg0
  public key: ...
  private key: ...
  listening port: 51548
  fwmark: 0xca6c

peer: ...
  endpoint: ...
  allowed ips: 0.0.0.0/0, ::/0
  latest handshake: 48 minutes, 49 seconds ago
  transfer: 92 B received, 93.04 KiB sent


but no connection beyond my openWRT router:

Code:
truenas# ping 192.168.1.1
PING 192.168.1.1 (192.168.1.1) 56(84) bytes of data.
64 bytes from 192.168.1.1: icmp_seq=1 ttl=64 time=0.430 ms
64 bytes from 192.168.1.1: icmp_seq=2 ttl=64 time=0.433 ms
64 bytes from 192.168.1.1: icmp_seq=3 ttl=64 time=0.436 ms
^C
--- 192.168.1.1 ping statistics ---
3 packets transmitted, 3 received, 0% packet loss, time 2027ms
rtt min/avg/max/mdev = 0.430/0.433/0.436/0.002 ms


Code:
truenas# ping 9.9.9.9  
PING 9.9.9.9 (9.9.9.9) 56(84) bytes of data.
^C
--- 9.9.9.9 ping statistics ---
3 packets transmitted, 0 received, 100% packet loss, time 2028ms


I don't know much about iptables yet, maybe something is misconfigured?
Code:
truenas# iptables -L          
Chain INPUT (policy ACCEPT)
target     prot opt source               destination        
KUBE-ROUTER-INPUT  all  --  anywhere             anywhere             /* kube-router netpol - 4IA2OSFRMVNDXBVV */
KUBE-ROUTER-SERVICES  all  --  anywhere             anywhere             /* handle traffic to IPVS service IPs in custom chain */ match-set kube-router-service-ips dst
KUBE-FIREWALL  all  --  anywhere             anywhere          
ACCEPT     tcp  --  192.168.1.101        anywhere             tcp dpt:6443
ACCEPT     tcp  --  localhost            anywhere             tcp dpt:6443
ACCEPT     tcp  --  localhost            anywhere             tcp dpt:6443
DROP       tcp  --  anywhere             anywhere             tcp dpt:6443

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination        
KUBE-ROUTER-FORWARD  all  --  anywhere             anywhere             /* kube-router netpol - TEMCG2JMHZYE7H7T */
ACCEPT     all  --  anywhere             anywhere          
ACCEPT     all  --  anywhere             anywhere             /* allow outbound node port traffic on node interface with which node ip is associated */
ACCEPT     all  --  anywhere             anywhere             /* allow inbound traffic to pods */
ACCEPT     all  --  anywhere             anywhere             /* allow outbound traffic from pods */

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination        
KUBE-ROUTER-OUTPUT  all  --  anywhere             anywhere             /* kube-router netpol - VEAAIY32XVBHCSCY */
KUBE-FIREWALL  all  --  anywhere             anywhere          

Chain KUBE-FIREWALL (2 references)
target     prot opt source               destination        
DROP       all  --  anywhere             anywhere             /* kubernetes firewall for dropping marked packets */ mark match 0x8000/0x8000
DROP       all  -- !loopback/8           loopback/8           /* block incoming localnet connections */ ! ctstate RELATED,ESTABLISHED,DNAT

Chain KUBE-KUBELET-CANARY (0 references)
target     prot opt source               destination        

Chain KUBE-ROUTER-FORWARD (1 references)
target     prot opt source               destination        

Chain KUBE-ROUTER-INPUT (1 references)
target     prot opt source               destination        
RETURN     all  --  anywhere             10.96.0.0/12         /* allow traffic to cluster IP - 4H2UH6XHRCCZXCYQ */
RETURN     tcp  --  anywhere             anywhere             /* allow LOCAL TCP traffic to node ports - LR7XO7NXDBGQJD2M */ ADDRTYPE match dst-type LOCAL multiport dports 30000:32767
RETURN     udp  --  anywhere             anywhere             /* allow LOCAL UDP traffic to node ports - 76UCBPIZNGJNWNUZ */ ADDRTYPE match dst-type LOCAL multiport dports 30000:32767

Chain KUBE-ROUTER-OUTPUT (1 references)
target     prot opt source               destination        

Chain KUBE-ROUTER-SERVICES (1 references)
target     prot opt source               destination        
ACCEPT     all  --  anywhere             anywhere             /* allow input traffic to ipvs services */ match-set kube-router-ipvs-services dst,dst
ACCEPT     icmp --  anywhere             anywhere             /* allow icmp echo requests to service IPs */ icmp echo-request
ACCEPT     icmp --  anywhere             anywhere             /* allow icmp destination unreachable messages to service IPs */ icmp destination-unreachable
ACCEPT     icmp --  anywhere             anywhere             /* allow icmp ttl exceeded messages to service IPs */ icmp time-exceeded
REJECT     all  --  anywhere             anywhere             /* reject all unexpected traffic to service IPs */ ! match-set kube-router-local-ips dst reject-with icmp-port-unreachable


I did exactly the same steps on my Manjaro desktop, which is also connected to the OpenWRT router, and it works flawlessly.
Did I miss something which has to be done differently on TrueNAS SCALE?
 

morganL (Captain Morgan, Administrator, Moderator, iXsystems; joined Mar 10, 2018, 2,691 messages):
It should be noted that WireGuard is used by TrueNAS SCALE for connection to TrueCommand Cloud.
It's on the list for future releases to support WireGuard for other use-cases.
So, not currently supported and may need developer skills to make it work now.
 

Obli (Cadet, joined May 19, 2021, 4 messages):
Thanks for the info, I'll set up OpenVPN and wait for the official support.
 

Sitoxic (Cadet, joined Sep 25, 2021, 1 message):

> Thanks for the info, I'll set up OpenVPN and wait for the official support.

Hi, sorry to bother, but did you manage to get OpenVPN Server to work on TrueNAS Scale and be able to access the local network from the client side? My OpenVPN could start, but not access the local network, only the server.
 

morganL (Captain Morgan, Administrator, Moderator, iXsystems; joined Mar 10, 2018, 2,691 messages):

> Hi, sorry to bother, but did you manage to get OpenVPN Server to work on TrueNAS Scale and be able to access the local network from the client side? My OpenVPN could start, but not access the local network, only the server.

It's probably worth another thread... I'm not sure it supports acting as a gateway/router to a whole network... only host access is documented.
 

Obli (Cadet, joined May 19, 2021, 4 messages):

> Hi, sorry to bother, but did you manage to get OpenVPN Server to work on TrueNAS Scale and be able to access the local network from the client side? My OpenVPN could start, but not access the local network, only the server.

Hey, I didn't manage it and just set up an OpenWRT router with WireGuard in front of the NAS.
 

Ziggy (Contributor, joined Oct 7, 2015, 157 messages):

You can create an Ubuntu VM and install WireGuard in that (I used the pivpn script - https://pivpn.io/ - which makes it all very easy). However, there is a problem so far in Scale that is not in Core that means the VM and host network need to use a bridge to be accessible to each other. Without this you cannot access the host outside the LAN using WireGuard. This, so far, has messed up my Apps (Apps - Settings - Advanced Settings - Kubernetes Settings) access to the internet. The apps catalog won't update / download. I have tried various options within this dialog box (for the Route v4 Interface using the bridge / original interface / second NIC), all to no avail. See attached. Strangely, a previous-to-this-network-change installation of Transmission still works - i.e. still has internet access - so I'm at a loss to explain that.
 

Attachment: Kubernettes-Settings.png (screenshot of the Kubernetes Settings dialog)

Ziggy (Contributor, joined Oct 7, 2015, 157 messages):
I did eventually resolve this by choosing the bridge, the host IP in node IP, and the router's IP in gateway.
 

LMCDZ (Cadet, joined Jan 2, 2021, 8 messages):

I have been using WireGuard on SCALE for about 12 months. I use it to access SCALE (and its k3s applications) remotely, though, and not for tunneling all outgoing connections.

I just have a cron job set up that copies the wg.conf from a persistent location and brings the connection up.
 

SnoppyFloppy (Explorer, joined Jun 17, 2021, 77 messages):

> I have been using WireGuard on SCALE for about 12 months. I use it to access SCALE (and its k3s applications) remotely, though, and not for tunneling all outgoing connections.
>
> I just have a cron job set up that copies the wg.conf from a persistent location and brings the connection up.

I know this is a very old post @LMCDZ, but I wonder if you still have that cron job running and if you would like to share it? :smile:
 

LMCDZ (Cadet, joined Jan 2, 2021, 8 messages):

@SnoppyFloppy Sure thing.
Code:
ping -c1 -W5 10.0.0.1 || ( cp /mnt/path/to/wg.conf /etc/wireguard/ ; wg-quick down wg ; wg-quick up wg )


Replace the IP that is being pinged with that of your wg server.
This command tries to ping the wg server and, if it fails, copies the wg.conf from the ZFS storage to the /etc/wireguard folder and cycles the wg connection.

I have this as a cron job running every minute. Been very reliable.
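A more defensive version of that cron job, added here as an example and not LMCDZ's script or anything shipped with SCALE: it pings first so that an idle tunnel performs a fresh handshake, then asks the kernel (`wg show <if> latest-handshakes`) whether a handshake actually happened recently (the first post's `wg show` output, with its 48-minute-old handshake and almost nothing received, is exactly the state this catches), and it reinstalls the config with mode 0600 because the file holds the interface's private key. The interface name wg0, the config path /mnt/tank/config/wg0.conf and the peer address 10.0.0.1 are assumptions.

```shell
#!/bin/sh
# WireGuard watchdog for a TrueNAS SCALE cron job (added example, not the cron line from the thread).
# Assumed, constructed values: interface wg0, persisted config at /mnt/tank/config/wg0.conf on the
# pool, and the peer's tunnel address 10.0.0.1. All of them can be overridden via the environment.
WG_IF="${WG_IF:-wg0}"
WG_SRC="${WG_SRC:-/mnt/tank/config/wg0.conf}"
WG_DST="/etc/wireguard/${WG_IF}.conf"
PEER_IP="${PEER_IP:-10.0.0.1}"
MAX_HANDSHAKE_AGE="${MAX_HANDSHAKE_AGE:-180}"   # seconds; a peer carrying traffic rekeys about every 2 minutes

# handshake_is_stale LINES NOW MAX_AGE
# LINES is the output of `wg show <if> latest-handshakes`: one "<peer pubkey>\t<epoch>" per peer,
# with epoch 0 meaning no handshake ever. Succeeds (stale) when no peer handshook within MAX_AGE of NOW.
handshake_is_stale() {
    fresh=$(printf '%s\n' "$1" | awk -v now="$2" -v max="$3" \
        '$2 > 0 && (now - $2) <= max { f = 1 } END { print f + 0 }')
    [ "$fresh" -eq 0 ]
}

# install_config SRC DST
# The config carries the interface private key, so it is written with mode 0600 rather than
# whatever a plain cp would inherit from the umask of the cron environment.
install_config() {
    [ -r "$1" ] || { echo "wg-watchdog: cannot read $1" >&2; return 1; }
    install -m 0600 "$1" "$2"
}

# cycle_tunnel: bring the interface down (it may not exist yet after a reboot) and back up.
cycle_tunnel() {
    wg-quick down "$WG_IF" 2>/dev/null || true
    wg-quick up "$WG_IF"
}

main() {
    now=$(date +%s)
    handshakes=$(wg show "$WG_IF" latest-handshakes 2>/dev/null || true)
    # Ping first so an idle tunnel triggers a handshake, then require the kernel to have seen it;
    # this also catches a ping reply that arrived over some route other than the tunnel.
    if ping -c1 -W5 "$PEER_IP" >/dev/null 2>&1 \
        && ! handshake_is_stale "$handshakes" "$now" "$MAX_HANDSHAKE_AGE"; then
        return 0
    fi
    logger -t wg-watchdog "$WG_IF unhealthy; reinstalling $WG_DST and cycling the tunnel"
    install_config "$WG_SRC" "$WG_DST" && cycle_tunnel
}

# Cron entry (every minute):  * * * * * /root/wg-watchdog.sh run
if [ "${1:-}" = "run" ]; then main; fi
```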
 

SnoppyFloppy (Explorer, joined Jun 17, 2021, 77 messages):

> @SnoppyFloppy Sure thing.
> Code:
> ping -c1 -W5 10.0.0.1 || ( cp /mnt/path/to/wg.conf /etc/wireguard/ ; wg-quick down wg ; wg-quick up wg )
>
> Replace the IP that is being pinged with that of your wg server.
> This command tries to ping the wg server and, if it fails, copies the wg.conf from the ZFS storage to the /etc/wireguard folder and cycles the wg connection.
>
> I have this as a cron job running every minute. Been very reliable.

Thanks a bunch!

EDIT: One more question if you wouldn't mind. Have you tried setting up iptables rules in order to be able to access your LAN through the wg interface?

I'm thinking of something like this:
Code:
PostUp   = iptables -A FORWARD -i %i -j ACCEPT; iptables -A FORWARD -o %i -j ACCEPT; iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
PostDown = iptables -D FORWARD -i %i -j ACCEPT; iptables -D FORWARD -o %i -j ACCEPT; iptables -t nat -D POSTROUTING -o eth0 -j MASQUERADE

I don't know if it's possible/advisable to set this up on the scale server.
 

CoolWolf (Dabbler, joined Mar 2, 2023, 10 messages):

> Code:
> ping -c1 -W5 10.0.0.1 || ( cp /mnt/path/to/wg.conf /etc/wireguard/ ; wg-quick down wg ; wg-quick up wg )
>
> Replace the IP that is being pinged with that of your wg server.
> This command tries to ping the wg server and, if it fails, copies the wg.conf from the ZFS storage to the /etc/wireguard folder and cycles the wg connection.
>
> I have this as a cron job running every minute. Been very reliable.

Thanks @LMCDZ! That was exactly what I was looking for :smile:

As I am running the CRON job "only" every 15 mins (for me that is enough), I also added it as a POST INIT command so that it is started right after a reboot and does not have to wait for my next CRON job.

Works like a charm on TrueNAS Scale 22.12.4.2 :grin:
 