Simple guide to official wg-easy app installation on SCALE

InfamousJox

Cadet
Joined
Oct 12, 2022
Messages
5
To anyone who could not get internet access, here is the fix I had to do because I had a bridge set up for some VMs:

Instead of the physical interface in step 3, put the bridge name. For me it was br0.
 

Black_Duck

Explorer
Joined
Oct 8, 2022
Messages
61
@NugentS and @InfamousJox are correct.
With Host Network enabled, wg-easy is effectively running through the TrueNAS NIC definition. As such, you need to set up a bridge as outlined here.
  1. Set up the bridge (eg. br0) as per the instructions here.
  2. Update your VMs or Apps that use a Host Network interface to use the bridge (i.e. br0 interface)
  3. Change wg-easy to use the bridge (i.e. br0 interface) instead of the NIC. Specifically, in step 3 above, use:
    • Set the Allocation Variable "Device Name" to the bridge (i.e. br0)
    • Name: WG_POST_UP
    • Value: iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -o br0 -j MASQUERADE; iptables -A INPUT -p udp -m udp --dport 51820 -j ACCEPT; iptables -A FORWARD -i wg0 -j ACCEPT; iptables -A FORWARD -o wg0 -j ACCEPT;
Note: you will need to update your port forward for wg-easy (and any other port forward you may have for apps on the TrueNAS server) after these changes, as the MAC address for the server changes with the creation of the bridge (i.e. it's the bridge MAC address now).

You should now have access to the VMs and Apps using the host network interface through the VPN.
I've updated the guide to include this.
 

rvega

Cadet
Joined
Aug 25, 2023
Messages
4
@Black_Duck, thanks a lot for your help!

I already had the bridge set up because all of the VMs needed access to the NAS storage. And I did try to change the interface to br0 before. Curiously, the VPN only worked if I left the interface as eth0. If I used either br0 or enp6s it would break.

Then I went through everything again and found out that I did not tick the "Host Network" checkbox. Ticking that and changing the interface to br0 solved the issue!!
 

SKB

Dabbler
Joined
Jul 22, 2020
Messages
21
Hi,
Does anybody know how to access internal devices as well?
I read somewhere that
Code:
sysctl net.ipv4.ip_forward=1

needs to be turned on, but the image does not start anymore if I enter that into "WG_PRE_UP".

When entering this command into the shell directly, it says that it is a read-only filesystem.

Thank you!
 

Black_Duck

Explorer
Joined
Oct 8, 2022
Messages
61
Hi,
Does anybody know how to access internal devices as well?
I read somewhere that
Code:
sysctl net.ipv4.ip_forward=1

needs to be turned on, but the image does not start anymore if I enter that into "WG_PRE_UP".

When entering this command into the shell directly, it says that it is a read-only filesystem.

Thank you!
If you can't access devices on your LAN, then the most common reasons are:
1) You have the wrong Network Interface name in your WG_POST_UP Device Name
2) You have not ticked "Host Network" in your App setup
 

SKB

Dabbler
Joined
Jul 22, 2020
Messages
21
If you can't access devices on your LAN, then the most common reasons are:
1) You have the wrong Network Interface name in your WG_POST_UP
2) You have not ticked "Host Network" in your App setup
I have the following setup:
WG_POST_UP:
Code:
iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -o br0 -j MASQUERADE; iptables -A INPUT -p udp -m udp --dport 51820 -j ACCEPT; iptables -A FORWARD -i wg0 -j ACCEPT; iptables -A FORWARD -o wg0 -j ACCEPT;


WG_PRE_UP:
Code:
iptables -t nat -F; iptables -F;


Host Network is ticked

Network Setup of TrueNAS:

I am able to see the connected device in the Web-Interface.
 

Black_Duck

Explorer
Joined
Oct 8, 2022
Messages
61
Nothing obvious there...
Log into the wg-easy shell and issue the following commands: "iptables -L -v -t nat" and also "iptables -L -v"
Compare your results to the ones I published here in my debugging procedures.
If nothing stands out, then DM me the results.
Also, I note you are running a bridge. When you say you can't access local devices, do you mean physical devices on the LAN (eg. your router) or addresses on your TrueNAS (i.e. a VM or App)... or both?
 

SKB

Dabbler
Joined
Jul 22, 2020
Messages
21
I could figure out what was wrong. Two problems in a row: my mobile network supplier had a network error, so the 5G connection was not working all the time and I got dropped.

The second problem, which was causing a lot of trouble: the MTU of 1420. I changed it to 1384 and it is running perfectly now.
 

Black_Duck

Explorer
Joined
Oct 8, 2022
Messages
61
Glad to hear all is working now.
Yes, if you lose the connection, the WireGuard server will still show as being connected but with no inbound traffic. Best to check the time since "Latest Handshake" in the client.
Generally the WireGuard default MTU of 1420 should work. The only proviso is if something in the network does not allow ICMP frames to get back to reset the MTU size if required.
 

thearmm85

Cadet
Joined
Oct 26, 2023
Messages
1
Good morning,

First of all, thank you for your tutorial which helps a lot.

However, I have some concerns. I may have a particular configuration. My connection is "IPv6 & IPv4 CGNAT", so I only have public IPv6.

I intentionally set the MTU to 1280 because of my IPv6 configuration.

The problem is, I do not have access to the internet and the web interface of my truescale and WireGuard when I am outside my local networks; however, I can see that the connection works on the WireGuard interface. No problems on my local networks.

my configuration:

Thank you in advance for your assistance :)
 

Black_Duck

Explorer
Joined
Oct 8, 2022
Messages
61
Hi thearmm85
A couple of observations:
However, I have some concerns. I may have a particular configuration. My connection is "IPv6 & IPv4 CGNAT", so I only have public IPv6.
To clarify, your ISP provides you with an IPv6 address and a CGNAT IPv4 address.
Do not use IPv4 with CGNAT as it will mess up your port forwarding.
I assume you are using a static IPv6 address and you are using NAT64 on your router(?) and using IPv4 on your local network.
If you are attempting to use IPv6 addressing as well on your LAN, then things get really complicated. The default route tables will not work for IPv6 addresses. I suspect you will need to add a postroute (masquerade) with the source being your IPv6 subnet. You will also need to have an IPv6 address range for the WireGuard subnet…


I intentionally set the MTU to 1280 because of my IPv6 configuration.
This is fine and correct.
The problem is, I do not have access to the internet and the web interface of my truescale and WireGuard when I am outside my local networks; however, I can see that the connection works on the WireGuard interface. No problems on my local networks.
Are you sure the connection works? Your iptables printout shows zero traffic through WireGuard?
Remember WireGuard runs silent - you could be seeing packets sent, but unless you see packets being received, you are not connected.

When you say you can't access your "truescale", do you mean your NAS? Are you using its IPv4 address?
I can understand you may have problems accessing the web. Be aware that under your config, all of the VPN is running in IPv4. I don't know enough about NAT64 conversion to help here.

my configuration:

From your Network Interface screenshot, you appear to be using subnet 192.168.1.x on your LAN as well as an IPv6 subnet…
You have specified subnet 192.168.0.x to be used in your WireGuard clients. Any reason you changed from the default of 10.8.0.0/24?
 

fjpanna

Cadet
Joined
Nov 25, 2020
Messages
7
*** Updated 28/08/2023 ***
Wg-easy provides a simple and easy way to provide WireGuard VPN access to your system. It allows you to securely log into your local network remotely, providing access to all devices on your local network, including your TrueNAS server and File Servers.
Under SCALE, wg-easy is available as an app in the official iX catalog as well as the Truecharts catalog. There have been a number of threads about issues with the official wg-easy app (iX catalog) installation. For those interested in using this version, I thought it may be beneficial to summarise a number of known issues and associated fixes here.
  1. Installation Documentation. The installation documentation found in the Documentation hub is a good start. However, there are a number of known issues that need to be corrected before it will work (see below). Some notes:
    • Recommend you stick to default values, especially for "Clients IP Address Range"
    • Note that if you "Enable Custom Host Path for WG-Easy Configuration Volume" and subsequently edit wg0.conf, any changes will be overwritten on subsequent restarts.
    • Make sure that "Host Network" is ticked.
  2. Port Number: The default port in the app is 20920. However WireGuard always listens on port 51820 inside the container. I recommend making the following changes under "Networking" setting in the app setup:
    1. Set "WireGuard UDP Node Port for WG-Easy" to 51820.
      Note: you will now need to forward port 51820 (instead of 20920) in your router (see below)
    2. Set "WebUI Node Port for WG-Easy" to 51821
      Note: that means the wg-easy web interface is through 51821 (i.e. https://[truenas IP address]:51821)
  3. Network Interface: wg-easy defaults the network interface name to "eth0". Most SCALE network interfaces have a different name. If you have the wrong name, you will not be able to access the internet through your VPN. To fix this, you need to add the following to the app setup:
    1. First obtain your interface name. It's located under Network/Interfaces in SCALE. It will look something like "enp0s31f6".
    2. Go into the app setup. Go down to the section "WG-Easy Environment". Add an Environment Variable:
      • Name: WG_POST_UP
      • Value: iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -o enp0s31f6 -j MASQUERADE; iptables -A INPUT -p udp -m udp --dport 51820 -j ACCEPT; iptables -A FORWARD -i wg0 -j ACCEPT; iptables -A FORWARD -o wg0 -j ACCEPT;
        Note: If your interface name is different to “enp0s31f6”, change it to the name you have.
        Also, note the above assumes you have not changed the Client IP address range and have set the UDP Node Port to 51820.
  4. Duplicates in iptables: At startup, the app appends a number of route rules to the iptable chains, creating duplicate entries. This is not really a “show-stopper”, but if you want to stop this, add the following to the app setup.
    1. Go into the app setup. Go down to the section "WG-Easy Environment". Add an Environment variable:
      • Name: WG_PRE_UP
      • Value: iptables -t nat -F; iptables -F;
        This flushes the chains before adding new rules at startup
  5. Static IP address: to ensure that Port Forwarding works correctly (see below), you need to ensure you have a static address on your TrueNAS server. Follow the instructions outlined here. I noticed the setup is slightly different from the documentation in 22.12.3.3. In that version you need to create an "Alias" with the static IP address.
  6. Port Forwarding: You need to set up port forwarding on your router. Specifically, forward UDP port 51820 to [the IP address you set up in Step 5], port 51820. Each router is different, so just google how to do it on your device.
  7. Set up Client: Install WireGuard on your client. See here for downloads.
  8. Set up VPN: Log into the wg-easy WebUI either by clicking on wg-easy "Web Portal" on the APPS page of your server or via https://[truenas IP address]:51821 (this assumes you are running https on your server). Login using the password you set in the apps setup.
    1. Click on "Add" and enter a name for the Client you are creating. Click enter.
    2. Depending on the client either:
      • download the Configuration file and input the file into the client
      • Click on "Show QR code"; go into your client; add a new WireGuard tunnel; then select "Create from QR code"
You should now have a working wg-easy, allowing access to your network from anywhere.

If you have Virtual Machines or Apps using the host network interface (i.e. enp0s31f6) and need to access them through the VPN, you will need to create a bridge and update your wg-easy config accordingly.
  1. Set up a bridge (eg. br0) as per the instructions here.
  2. Update your VMs or Apps that use a Host Network interface to use the bridge (i.e. br0 interface)
  3. Change wg-easy to use the bridge (i.e. br0 interface) instead of the NIC. Specifically, in step 3 above, use:
    • Name: WG_POST_UP
    • Value: iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -o br0 -j MASQUERADE; iptables -A INPUT -p udp -m udp --dport 51820 -j ACCEPT; iptables -A FORWARD -i wg0 -j ACCEPT; iptables -A FORWARD -o wg0 -j ACCEPT;
Note: you will need to update your port forward for wg-easy (and any other port forwards you may have for apps on the TrueNAS server) after these changes, as the MAC address changes with the creation of the bridge (i.e. it's the bridge MAC address now).

You should now have access to the VMs and Apps using the host network interface through the VPN.

Let me know if you find something else out that may help others and I’ll add it to the list.
Hello, first I'm a newbie trying to follow along. Everything is set up and I'm not getting errors. I have a few questions I'm hoping you could answer.
#1 My router is asking for the "Original Port". I put in 51820, not sure if that is correct.
#2 When I set up the client computer external to my home network, it has the internal IP of the TrueNAS server as the endpoint, e.g. 192.168.1.38:51820. Should it be updated to my external IP:51820? Side note: I didn't do any DDNS yet or configure it on TrueNAS, just wanted to see if I could get it to work. Hope that is ok and would work.
 

Black_Duck

Explorer
Joined
Oct 8, 2022
Messages
61
Hello, first I'm a newbie trying to follow along. Everything is set up and I'm not getting errors. I have a few questions I'm hoping you could answer.
#1 My router is asking for the "Original Port". I put in 51820, not sure if that is correct.
Yes. The incoming ("Original") port and the outgoing (or LAN) port should be set to 51820 for the above config.
#2 When I set up the client computer external to my home network, it has the internal IP of the TrueNAS server as the endpoint, e.g. 192.168.1.38:51820. Should it be updated to my external IP:51820?
Not sure I understand. Your client computer should normally be using DHCP. Its local address is irrelevant.
You don't set the IP address - they are set in the wg-easy profile.
See How WireGuard works in the debugging post above.
Side note: I didn't do any DDNS yet or configure it on TrueNAS, just wanted to see if I could get it to work. Hope that is ok and would work.
That's okay, but you will need to set "Hostname or IP" in your wg-easy config to the external IP address of your router. Note that if your ISP changes your IP address, the VPN will no longer work.
 

Glowtape

Dabbler
Joined
Apr 8, 2017
Messages
45
WG-"Easy".

At this point, it's more comfortable to set it up manually using the host OS' WireGuard module.
 

li_chang

Dabbler
Joined
May 31, 2017
Messages
35
  • Name: WG_POST_UP
  • Value: iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -o br0 -j MASQUERADE; iptables -A INPUT -p udp -m udp --dport 51820 -j ACCEPT; iptables -A FORWARD -i wg0 -j ACCEPT; iptables -A FORWARD -o wg0 -j ACCEPT;
Thanks for the heads-up about port 51820. For the NIC, you can just use the built-in option WG_DEVICE = NIC_NAME without the iptables setup.

 

Black_Duck

Explorer
Joined
Oct 8, 2022
Messages
61
Thanks for the heads-up about port 51820. For the NIC, you can just use the built-in option WG_DEVICE = NIC_NAME without the iptables setup.

Sadly this does not work for the iX Catalog version of wg-easy. The iX Catalog version pulls the docker image weejewel/wg-easy. Unfortunately, this docker image does not support the WG_DEVICE option. See post https://www.truenas.com/community/t...ssumes-interface-name-eth0.107407/post-770854 for more details.

I did raise a ticket on this issue (NAS-125186), but no response yet.

It now does. Use Device name.
 

krasny

Cadet
Joined
Dec 6, 2023
Messages
2
I followed this guide on a SCALE installation and it worked very well, but I'm facing one issue. I don't want clients to use WireGuard to forward all traffic, so I set up Allowed IPs with 10.8.0.0/24 and another specific IP. The problem is that when I generate the config files in wg-easy, it always uses the default one (0.0.0.0/0, ::/0). Any ideas on what could be happening and how to solve it? Is this a bug?
 

Black_Duck

Explorer
Joined
Oct 8, 2022
Messages
61
I followed this guide on a SCALE installation and it worked very well, but I'm facing one issue. I don't want clients to use WireGuard to forward all traffic, so I set up Allowed IPs with 10.8.0.0/24 and another specific IP. The problem is that when I generate the config files in wg-easy, it always uses the default one (0.0.0.0/0, ::/0). Any ideas on what could be happening and how to solve it? Is this a bug?
The 10.8.0.x IP Address Range in the wg-easy app configuration is the address range to be used by WireGuard clients. To set the Allowed IPs you need to add them through the app configuration ("Allowed IPs") or by setting an Environment Variable (Name=WG_ALLOWED_IPS, Value={the IP addresses you allow}). An example value is "192.168.15.0/24, 10.0.1.0/24". Both ways work using version 7_1.0.12 - that is, the generated config file has the changed "Allowed IP".
Note that this merely places the value in the WireGuard client config file, which can easily be changed from within the WireGuard client or by editing the config file. If you want to limit allowed IPs in such a way that they cannot be bypassed, you will need to update the WireGuard iptables to only forward allowed IP addresses.
 

krasny

Cadet
Joined
Dec 6, 2023
Messages
2
The 10.8.0.x IP Address Range in the wg-easy app configuration is the address range to be used by WireGuard clients. To set the Allowed IPs you need to add them through the app configuration ("Allowed IPs") or by setting an Environment Variable (Name=WG_ALLOWED_IPS, Value={the IP addresses you allow}). An example value is "192.168.15.0/24, 10.0.1.0/24". Both ways work using version 7_1.0.12 - that is, the generated config file has the changed "Allowed IP".
Note that this merely places the value in the WireGuard client config file, which can easily be changed from within the WireGuard client or by editing the config file. If you want to limit allowed IPs in such a way that they cannot be bypassed, you will need to update the WireGuard iptables to only forward allowed IP addresses.
Thank you for your reply!

Yes, I know that you can edit manually to change the IPs, but since I want people with not much knowledge about this to use the wg-easy interface, I would prefer the configuration file to be ready to use.

The weird thing is that I did exactly what you described, entering the range in the Allowed IPs field, but the config appears with the default one:


Also, I did try with WG_ALLOWED_IPS in the environment, but I get an error because it seems that the configuration is duplicated, even after I removed the Allowed IPs field:



Is there any way to configure these values manually inside the container? I'm using version 7_2.0.1 from the official charts.

Thank you very much!
 

v.komenda

Cadet
Joined
Dec 29, 2023
Messages
4
Hello!

I registered at this forum to add my 5 cents :)

I had some trouble with apps and I think your scripts work very dirty, so I made small changes:

WG_POST_UP
iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -o enp37s0 -j MASQUERADE -m comment --comment WGEASY; iptables -A INPUT -p udp -m udp --dport 51820 -j ACCEPT -m comment --comment WGEASY; iptables -A FORWARD -i wg0 -j ACCEPT -m comment --comment WGEASY; iptables -A FORWARD -o wg0 -j ACCEPT -m comment --comment WGEASY

WG_PRE_UP
iptables-save | grep -v WGEASY | iptables-restore

WG_POST_DOWN
iptables-save | grep -v WGEASY | iptables-restore

Imho, in this way it will not affect other containers networking.
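An added example, not from the thread or the wg-easy project, that combines the two points raised above: Black_Duck's remark that "Allowed IPs" in the client config is not enforcement and only server-side iptables can make it unbypassable, and v.komenda's approach of tagging rules with a comment so WG_PRE_UP/WG_POST_DOWN remove only those rules rather than flushing every chain. It assumes the guide's names (wg0, 10.8.0.0/24, br0, UDP 51820); the iptables-save excerpt is constructed for the example.

```shell
#!/bin/sh
# Added example (not the thread's or wg-easy's code). Assumed values from the
# guide: tunnel interface wg0, client range 10.8.0.0/24, LAN bridge br0, UDP 51820.
WG_IF=${WG_IF:-wg0}
WG_NET=${WG_NET:-10.8.0.0/24}
LAN_IF=${LAN_IF:-br0}
WG_PORT=${WG_PORT:-51820}
TAG='-m comment --comment WGEASY'

# build_post_up SUBNET... : print the WG_POST_UP commands, one per line, that let
# tunnel clients reach only the listed destination subnets. The AllowedIPs a client
# puts in its own wg0.conf then no longer matters: anything else is dropped here.
build_post_up() {
    echo "iptables -t nat -A POSTROUTING -s $WG_NET -o $LAN_IF -j MASQUERADE $TAG"
    echo "iptables -A INPUT -p udp -m udp --dport $WG_PORT -j ACCEPT $TAG"
    # replies back into the tunnel for flows a client opened
    echo "iptables -A FORWARD -o $WG_IF -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT $TAG"
    for net in "$@"; do
        echo "iptables -A FORWARD -i $WG_IF -s $WG_NET -d $net -j ACCEPT $TAG"
    done
    # everything else arriving from the tunnel is dropped
    echo "iptables -A FORWARD -i $WG_IF -j DROP $TAG"
}

# strip_tagged : read iptables-save text on stdin and echo it with only the
# WGEASY-tagged rules removed. A bare 'grep -v WGEASY' would also delete any rule
# whose comment merely contains that string, so the comment is matched whole,
# quoted or unquoted. Intended use: iptables-save | strip_tagged | iptables-restore
strip_tagged() {
    grep -E -v -e '--comment "?WGEASY"?( |$)'
}

# Constructed iptables-save excerpt: a rule from another app, a rule whose comment
# only contains WGEASY as a substring (must survive), and two WGEASY rules.
SAMPLE_SAVE='*filter
:INPUT ACCEPT [0:0]
:FORWARD DROP [0:0]
-A FORWARD -s 172.16.0.0/16 -m comment --comment "other app rule" -j ACCEPT
-A FORWARD -i docker0 -m comment --comment WGEASY2 -j ACCEPT
-A INPUT -p udp -m udp --dport 51820 -m comment --comment WGEASY -j ACCEPT
-A FORWARD -i wg0 -m comment --comment WGEASY -j DROP
COMMIT'

# Join the first output with "; " to get the WG_POST_UP value; the second output
# is what a tagged cleanup leaves behind.
build_post_up 192.168.1.0/24 10.0.1.0/24
printf '%s\n' "$SAMPLE_SAVE" | strip_tagged
```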
 