*** Updated 28/08/2023 ***
Wg-easy provides a simple and easy way to set up WireGuard VPN access to your system. It allows you to securely log into your local network remotely, providing access to all devices on your local network, including your TrueNAS server and file servers.
Under SCALE, wg-easy is available as an app in the official iX catalog as well as the Truecharts catalog. There have been a number of threads about issues with the official wg-easy app (iX catalog) installation. For those interested in using this version, I thought it may be beneficial to summarise a number of known issues and associated fixes here.
- Installation Documentation. The installation documentation found in the Documentation hub is a good start. However, there are a number of known issues that need to be corrected before it will work (see below). Some notes:
- Recommend you stick to default values, especially for "Clients IP Address Range"
- Note that if you "Enable Custom Host Path for WG-Easy Configuration Volume" and subsequently edit wg0.conf, any changes will be overwritten on subsequent restarts.
- Make sure that "Host Network" is ticked.
- Port Number: The default port in the app is 20920. However, WireGuard always listens on port 51820 inside the container. I recommend making the following changes under the "Networking" setting in the app setup:
- Set "WireGuard UDP Node Port for WG-Easy" to 51820.
Note: you will now need to forward port 51820 (instead of 20920) in your router (see below)
- Set "WebUI Node Port for WG-Easy" to 51821
Note: that means the wg-easy web interface is reached through port 51821 (i.e. https://[truenas IP address]:51821)
- Network Interface: wg-easy defaults the network interface name to “eth0”. Most SCALE network interfaces have a different name. If you have the wrong name, you will not be able to access the internet through your VPN. To fix this, you need to add the following to the app setup:
- First obtain your interface name. It’s located under Network/Interfaces in SCALE. It will look something like “enp0s31f6”.
- Go into the app setup. Go down to the section “WG-Easy Environment”. Add an Environment Variable:
- Name: WG_POST_UP
- Value: iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -o enp0s31f6 -j MASQUERADE; iptables -A INPUT -p udp -m udp --dport 51820 -j ACCEPT; iptables -A FORWARD -i wg0 -j ACCEPT; iptables -A FORWARD -o wg0 -j ACCEPT;
Note: If your interface name is different from “enp0s31f6”, change it to the name you have.
Also, note that the above assumes you have not changed the Client IP address range and have set the UDP Node Port to 51820.
- Duplicates in iptables: At startup, the app appends a number of rules to the iptables chains, creating duplicate entries on every restart. This is not really a “show-stopper”, but if you want to stop this, add the following to the app setup.
- Go into the app setup. Go down to the section “WG-Easy Environment”. Add an Environment variable:
- Name: WG_PRE_UP
- Value: iptables -t nat -F; iptables -F;
This flushes the chains before the new rules are added at startup.
- Static IP address: to ensure that Port Forwarding works correctly (see below), you need to ensure you have a static address on your TrueNAS server. Follow the instructions outlined here. I noticed the setup is slightly different from the documentation in 22.12.3.3. In that version you need to create an "Alias" with the static IP address.
- Port Forwarding: You need to set up port forwarding on your router. Specifically, forward UDP port 51820 to [the static IP address you set up in Step 5], port 51820. Each router is different, so just google how to do it on your device.
- Set up Client: Install WireGuard on your client. See here for downloads.
- Set up VPN: Log into the wg-easy WebUI either by clicking on wg-easy "Web Portal" on the APPS page of your server or via https://[truenas IP address]:51821 (this assumes you are running https on your server). Login using the password you set in the apps setup.
- Click on "Add" and enter a name for the Client you are creating. Press Enter.
- Depending on the client either:
- download the Configuration file and input the file into the client
- Click on "Show QR code"; go into your client; add a new WireGuard Tunnel; then select "Create from QR code"
You should now have a working wg-easy, allowing access to your network from anywhere.
If you have Virtual Machines or Apps using the host network interface (i.e. enp0s31f6) and need to access them through the VPN, you will need to create a bridge and update your wg-easy config accordingly.
- Set up a bridge (eg. br0) as per the instructions here.
- Update your VMs or Apps that use a Host Network interface to use the bridge (i.e. br0 interface)
- Change wg-easy to use the bridge (i.e. the br0 interface) instead of the NIC. Specifically, in step 3 above (Network Interface), use:
- Name: WG_POST_UP
- Value: iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -o br0 -j MASQUERADE; iptables -A INPUT -p udp -m udp --dport 51820 -j ACCEPT; iptables -A FORWARD -i wg0 -j ACCEPT; iptables -A FORWARD -o wg0 -j ACCEPT;
Note: you will need to update your port forward for wg-easy (and any other port forwards you may have for apps on the TrueNAS server) after these changes, as the MAC address changes with the creation of the bridge (i.e. it's the bridge's MAC address now).
You should now have access to the VMs and Apps using the host network interface through the VPN.
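The WG_POST_UP value from the Network Interface step, and its br0 variant in the bridge section above, can be generated rather than hand-edited, and each rule can be written so that it is only appended when it is not already present. That removes the duplicate-entry problem the WG_PRE_UP step deals with, without flushing the chains. The flush is worth a second look: with "Host Network" ticked the container shares the host's network namespace, so `iptables -F` and `iptables -t nat -F` remove the host's own rules as well, not only the ones wg-easy added. The script below is an added example, not code from the original post or from the wg-easy project; the function names (valid_ifname, idempotent_rule, build_post_up) are my own, the defaults are the post's 10.8.0.0/24 client range and UDP port 51820, and the iptables `-C` (check) option is standard iptables.

```shell
#!/bin/sh
# Added example (not from the original post or from wg-easy): prints a
# WG_POST_UP value for a given outbound interface, client range and UDP
# port. Each rule is emitted as "iptables -C <rule> || iptables -A <rule>",
# so re-running it on every container start adds nothing that is already
# in the chain. This makes the WG_PRE_UP flush unnecessary.

# Validate an interface name before interpolating it into a command string.
# Linux interface names are at most 15 characters; this is a conservative
# allow-list (letters, digits, dot, underscore, hyphen).
valid_ifname() {
  printf '%s' "$1" | grep -Eq '^[A-Za-z0-9._-]{1,15}$'
}

# Emit one check-then-append clause.
# $1 = table (nat or filter); $2 = rule spec without the -A/-C verb.
idempotent_rule() {
  table="$1"
  rule="$2"
  printf 'iptables -t %s -C %s || iptables -t %s -A %s;' \
    "$table" "$rule" "$table" "$rule"
}

# Build the full WG_POST_UP value on one line.
# $1 = outbound interface (e.g. enp0s31f6, or br0 after creating a bridge)
# $2 = client range (default 10.8.0.0/24, the post's default)
# $3 = WireGuard UDP port (default 51820, as set in the Networking step)
build_post_up() {
  ifname="$1"
  range="${2:-10.8.0.0/24}"
  port="${3:-51820}"
  if ! valid_ifname "$ifname"; then
    echo "invalid interface name: $ifname" >&2
    return 1
  fi
  printf '%s %s %s %s\n' \
    "$(idempotent_rule nat "POSTROUTING -s $range -o $ifname -j MASQUERADE")" \
    "$(idempotent_rule filter "INPUT -p udp -m udp --dport $port -j ACCEPT")" \
    "$(idempotent_rule filter "FORWARD -i wg0 -j ACCEPT")" \
    "$(idempotent_rule filter "FORWARD -o wg0 -j ACCEPT")"
}

# Usage: sh wg-post-up.sh enp0s31f6  (or: sh wg-post-up.sh br0)
if [ -n "${1:-}" ]; then
  build_post_up "$1"
fi
```

Run it with the interface name from Network/Interfaces (or `br0` once the bridge exists) and paste the single printed line as the value of WG_POST_UP. The script only prints the command string; it never calls iptables itself, so it can be checked on any machine before touching the server.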
Let me know if you find something else out that may help others and I’ll add it to the list.