Simple guide to official wg-easy app installation on SCALE

Black_Duck

Explorer
Joined
Oct 8, 2022
Messages
61
Hello!

I registered at this forum to add my 5 cents :)

I had some troubles with apps and I think your scripts work very dirty, so I made small changes:

WG_POST_UP
iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -o enp37s0 -j MASQUERADE -m comment --comment WGEASY; iptables -A INPUT -p udp -m udp --dport 51820 -j ACCEPT -m comment --comment WGEASY; iptables -A FORWARD -i wg0 -j ACCEPT -m comment --comment WGEASY; iptables -A FORWARD -o wg0 -j ACCEPT -m comment --comment WGEASY

WG_PRE_UP
iptables-save | grep -v WGEASY | iptables-restore

WG_POST_DOWN
iptables-save | grep -v WGEASY | iptables-restore

Imho, in this way it will not affect other containers networking.
Hi @v.komenda
Although I follow what you are doing in the proposed changes, I'm not convinced they are necessary. The iptables changes introduced by the wg-easy environment variables only change the routing tables in the wg-easy container - they have no impact on other containers or apps. The changes are merely for routing from WireGuard to the external network through the NIC or Bridge and do not affect other apps.
Couple of other points:
  • With Version 9 of the app, you no longer need to set the WG_POST_UP environment variable - just set the Application Variable "Device Name" to your NIC or Bridge.
  • Generally use of the WG_POST_DOWN is discouraged, as this will not be executed if for instance the server goes down. In this case your iptables will not be restored.
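The WG_PRE_UP / WG_POST_DOWN lines above rely on `iptables-save | grep -v WGEASY | iptables-restore` to drop every rule tagged with the WGEASY comment. The following is an added example (not code from either poster or from wg-easy) that shows what that pipeline does against a constructed `iptables-save` dump, and why matching the comment as a whole token is safer than a plain `grep -v`: a rule from another container whose comment merely contains the string (the constructed "WGEASY-other" rule) is kept rather than silently deleted. The interface name enp37s0 and all rules in the dump are constructed sample data.

```python
import re

# Constructed sample of `iptables-save` output (not captured from a real
# system). Four rules carry the WGEASY comment, as the WG_POST_UP line in the
# post creates them; the other rules belong to other containers and must
# survive the cleanup. Note that iptables-save quotes comment values.
SAMPLE_DUMP = """\
*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
-A POSTROUTING -s 10.8.0.0/24 -o enp37s0 -m comment --comment "WGEASY" -j MASQUERADE
-A POSTROUTING -s 172.16.0.0/16 -o enp37s0 -j MASQUERADE
COMMIT
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
-A INPUT -p udp -m udp --dport 51820 -m comment --comment "WGEASY" -j ACCEPT
-A FORWARD -i wg0 -m comment --comment "WGEASY" -j ACCEPT
-A FORWARD -o wg0 -m comment --comment "WGEASY" -j ACCEPT
-A FORWARD -i docker0 -m comment --comment "WGEASY-other" -j ACCEPT
COMMIT
"""


def comment_pattern(tag):
    """Regex matching `--comment TAG` or `--comment "TAG"` as a whole token."""
    esc = re.escape(tag)
    return re.compile(r'--comment\s+(?:"%s"|%s)(?=\s|$)' % (esc, esc))


def tagged_rules(dump, tag="WGEASY"):
    """Return the lines of an iptables-save dump that carry exactly this tag."""
    pat = comment_pattern(tag)
    return [line for line in dump.splitlines() if pat.search(line)]


def strip_tagged_rules(dump, tag="WGEASY"):
    """Return the dump with the tagged rules removed.

    Table headers (*nat, *filter), chain policies and COMMIT lines are kept,
    so the result is still valid input for `iptables-restore`. This is the
    same idea as `grep -v WGEASY`, but it will not drop a rule whose comment
    only contains the tag as a substring.
    """
    pat = comment_pattern(tag)
    kept = [line for line in dump.splitlines() if not pat.search(line)]
    return "\n".join(kept) + "\n"


def naive_grep_v(dump, tag="WGEASY"):
    """What the one-liner in the post does: drop any line containing the tag."""
    return "\n".join(line for line in dump.splitlines() if tag not in line) + "\n"


if __name__ == "__main__":
    print("rules that would be removed:")
    for rule in tagged_rules(SAMPLE_DUMP):
        print("  ", rule)
    print("\nrestore input after cleanup:")
    print(strip_tagged_rules(SAMPLE_DUMP))
```

Running the cleanup at WG_PRE_UP is the part that matters operationally: as the reply notes, WG_POST_DOWN never runs if the server goes down hard, so the next start must be able to clear stale tagged rules on its own, which is exactly what filtering the saved rule set before re-adding them achieves.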

Enderkev

Cadet
Joined
Jan 1, 2024
Messages
3
Hi,
I'm having trouble configuring wg-easy.
My box is in IPv6 & IPv4 CGNAT. So I would like to configure the VPN in IPv6.
Here is my configuration:

Thank you in advance for your help

v.komenda

Cadet
Joined
Dec 29, 2023
Messages
4
The iptable changes introduced by the Wg-easy environment variables only change the routing tables in the wg-easy container - they have no impact on other containers or apps.

I met a strange effect: random apps lost connections to the internet (for example MeTube, FreshRSS), so I decided wg-easy is guilty (I have no other places where I play with routing or iptables).

With Version 9 of the app, you no longer need to set the WG_POST_UP environment variable - just set the Application Variable "Device Name" to your NIC or Bridge.
Great news, thanks!
(I checked it - yep, it works fine)

Mihu

Cadet
Joined
Jan 3, 2024
Messages
2
Hi,

Kinda newbie here also, first of all thanks for the guide and explanations. Just wanted to comment about these troubleshoot replies below, the correct "Hostname or IP" and using DDNS is the section I missed. wg-easy setup in SCALE defaults my NAS's internal IP in there. Haven't done DDNS yet, but looks like it ("Hostname or IP") works with my router's external address for now.
Side note: I didn't do any DDNS yet or configure on TrueNAS, just wanted to see if I could get it to work. Hope that is ok and would work.

That's okay, but you will need to set "Hostname or IP" in your wg-easy config to the external IP address of your router. Note that if your ISP changes your IP address, the VPN will no longer work.

Black_Duck

Explorer
Joined
Oct 8, 2022
Messages
61
Hi,

Kinda newbie here also, first of all thanks for the guide and explanations. Just wanted to comment about these troubleshoot replies below, the correct "Hostname or IP" and using DDNS is the section I missed. wg-easy setup in SCALE defaults my NAS's internal IP in there. Haven't done DDNS yet, but looks like it ("Hostname or IP") works with my router's external address for now.
This is the address that wg-easy puts into the client config file. When you start Wireguard on the client, it uses this address to establish a connection with the Wireguard server running on Truenas. For IPV4 connections, the address should be either the Domain Name or IP address of your router (with a port forward to the Truenas server). For IPV6, it should be the Domain Name or IP address of your Truenas Server (with appropriate firewall setting to allow the IP address and port through).

Black_Duck

Explorer
Joined
Oct 8, 2022
Messages
61
Hi,
I'm having trouble configuring wg-easy.
My box is in IPv6 & IPv4 CGNAT. So I would like to configure the VPN in IPv6.
Here is my configuration:

Thank you in advance for your help
I'm a little confused by your statement "I want to configure the VPN in IPV6".
I assume you want to establish your connection between your client wireguard and the wireguard server on the Truenas using IPV6.
If that is the case, I believe all you need to do is to use the IPV6 address of your Truenas server, with appropriate firewall settings on your router to allow access to the IPV6 address and port.
I note that you have set up the Network Configuration with UDP port 30057. Did you set your router to port forward 3057 for IPV4 - or "allow" the port to the Truenas IP address for IPV6?
Also, watch out that your client's IP address range does not clash with the VPN address range (10.8.0.x) if you are also on CGNAT at the client end as well.

Enderkev

Cadet
Joined
Jan 1, 2024
Messages
3
I'm a little confused by your statement "I want to configure the VPN in IPV6".
I assume you want to establish your connection between your client wireguard and the wireguard server on the Truenas using IPV6.
Yes, that's it.
In CGNAT I don't have public IPv4, so I have to use IPv6.

If that is the case, I believe all you need to do is to use the IPV6 address of your Truenas server, with appropriate firewall settings on your router to allow access to the IPV6 address and port.
I note that you have set up the Network Configuration with UDP port 30057. Did you set your router to port forward 3057 for IPV4 - or "allow" the port to the Truenas IP address for IPV6?
Also, watch out that your client's IP address range does not clash with the VPN address range (10.8.0.x) if you are also on CGNAT at the client end as well.

Yes, that's what I did, I used the TrueNAS IPv6 address.
The firewall setting is in the image below.

I forward port 3057 to the IPv6 address of my NAS.
Not having public IPv4, I cannot configure the forward port for IPv4.

Also, watch out that your client's IP address range does not clash with the VPN address range (10.8.0.x) if you are also on CGNAT at the client end as well.

Normally no problem at this level.



Thanks for your help but it doesn't solve my problem.

Black_Duck

Explorer
Joined
Oct 8, 2022
Messages
61
Yes, that's it.
In CGNAT I don't have public IPv4, so I have to use IPv6.



Yes, that's what I did, I used the TrueNAS IPv6 address.
The firewall setting is in the image below.

I forward port 3057 to the IPv6 address of my NAS.
Not having public IPv4, I cannot configure the forward port for IPv4.



Normally no problem at this level.



Thanks for your help but it doesn't solve my problem.
Sorry, failed to register.
Try changing your port to 51820 per the instructions:
  • Port Number: The default port in the app is (now) 30057. However WireGuard always listens on port 51820 inside the container. I recommend making the following changes under "Networking" setting in the app setup:
    1. Set "WireGuard UDP Node Port for WG-Easy" to 51820.
      Note: you will now need to forward port 51820 (instead of 20920) in your router (see below)
    2. Set "WebUI Node Port for WG-Easy" to 51821
      Note: that means the wg-easy web interface is through 51821 (i.e. https://[truenas IP address]:51821)
You will also need to change the "allowed port" on the router to 51820.

Enderkev

Cadet
Joined
Jan 1, 2024
Messages
3
[RESOLVED]

Hi,

First of all, thank you @Black_Duck, changing the port solved one of the problems.

I also added this setting for the VPN to work:

Yes, I know it's strange, but with the basic settings it didn't work.

And also, if you use your VPN on 4G, don't forget to activate IPv6 on your phone; below is a link explaining how to do it:

Black_Duck

Explorer
Joined
Oct 8, 2022
Messages
61
I also added this setting for the VPN to work:

Yes, I know it's strange, but with the basic settings it didn't work.
Glad to hear it's now working.
Your "Allowed IPs" setting will only allow clients to access destination addresses on your LAN. This is fine, but will exclude access to the internet through the VPN.
The default for "Allowed IPs" (when no entry is added) is "0.0.0.0/0, ::/0" (i.e. allow all destination ip addresses IPV4 and IPV6). That's the setting recommended in the Setup Guide.
Note, this setting only goes into the client config file and can easily be overwritten in the wireguard client by pressing "edit" and changing it.
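"Allowed IPs" is the part of the client config that decides which destinations the WireGuard client sends into the tunnel, so the reply's point (a LAN-only entry excludes internet traffic; the default `0.0.0.0/0, ::/0` sends everything) can be checked mechanically. The example below is added here and is not code from the thread or from wg-easy; it parses an "Allowed IPs" string the way a client would treat it and reports whether a given destination would travel through the VPN. The destination addresses and the LAN range 192.168.1.0/24 are constructed sample values.

```python
import ipaddress

# What wg-easy writes into the client config when the field is left empty,
# as stated in the reply: every IPv4 and every IPv6 destination.
DEFAULT_ALLOWED_IPS = "0.0.0.0/0, ::/0"


def parse_allowed_ips(value):
    """Turn a comma-separated 'Allowed IPs' string into ip_network objects.

    Host entries without a prefix length (e.g. '10.8.0.1') are accepted the
    way WireGuard accepts them, as a single-address network.
    """
    nets = []
    for item in value.split(","):
        item = item.strip()
        if item:
            nets.append(ipaddress.ip_network(item, strict=False))
    return nets


def routed_through_vpn(destination, allowed_ips=DEFAULT_ALLOWED_IPS):
    """True if the client would send traffic for `destination` into the tunnel."""
    dst = ipaddress.ip_address(destination)
    return any(
        dst.version == net.version and dst in net
        for net in parse_allowed_ips(allowed_ips)
    )


def is_full_tunnel(allowed_ips):
    """Return (ipv4_all, ipv6_all): whether each family is fully routed via VPN."""
    nets = parse_allowed_ips(allowed_ips)
    v4_all = any(net.version == 4 and net.prefixlen == 0 for net in nets)
    v6_all = any(net.version == 6 and net.prefixlen == 0 for net in nets)
    return v4_all, v6_all


if __name__ == "__main__":
    lan_only = "192.168.1.0/24"          # constructed LAN-only setting
    for dest in ("192.168.1.10", "8.8.8.8", "2001:db8::1"):  # constructed
        print(f"{dest:>14}  LAN-only: {routed_through_vpn(dest, lan_only)!s:5}"
              f"  default: {routed_through_vpn(dest)}")
    print("LAN-only full tunnel:", is_full_tunnel(lan_only))
    print("default full tunnel: ", is_full_tunnel(DEFAULT_ALLOWED_IPS))
```

Running it prints that 8.8.8.8 and 2001:db8::1 are not routed through the VPN under the LAN-only setting but are under the default, which is the behaviour the reply describes. As the reply also notes, this value only lands in the client config, so the same check applies to whatever the user later edits in the WireGuard client.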

penzinho

Cadet
Joined
Jan 14, 2024
Messages
1
Thank you very much for an awesome guide, I've followed it step by step and got it up and running. I have set up wg-easy on my office server to be able to connect to it remotely.

The problem I have is my home ISP. When I use my phone's internet (tether it to laptop), everything works great. When I use my home optical connection (Deutsche Telekom, Speedport router), I can't access anything. It seems like their firewall is blocking UDP traffic. I've tried contacting them and help line workers either don't understand or don't want to go into those depths and open the port.

Is there anything I could do besides changing my ISP? I've checked at my friend's house and it works flawlessly over the A1 network.

I was thinking to try and change wg-easy/wireguard ports but don't know how to do it :) Do I only need to edit wg0.conf or anything else?

I've attached a photo of a blockage, if it helps. If you need any logs, please let me know.

Thanks a lot

majorgear

Dabbler
Joined
Mar 13, 2012
Messages
36
Can this be used in "client" mode to connect ix charts apps *to* external, commercial VPNs? If not, is that in the works?

I have several apps whose traffic I route through a VPN using gluetun running on a virtual machine. I'd love to be able to shut that machine down and run my "VPN gateway" in k3s using a helm chart app!

Black_Duck

Explorer
Joined
Oct 8, 2022
Messages
61
Thank you very much for an awesome guide, I've followed it step by step and got it up and running. I have set up wg-easy on my office server to be able to connect to it remotely.

The problem I have is my home ISP. When I use my phone's internet (tether it to laptop), everything works great. When I use my home optical connection (Deutsche Telekom, Speedport router), I can't access anything. It seems like their firewall is blocking UDP traffic. I've tried contacting them and help line workers either don't understand or don't want to go into those depths and open the port.

Is there anything I could do besides changing my ISP? I've checked at my friend's house and it works flawlessly over the A1 network.

I was thinking to try and change wg-easy/wireguard ports but don't know how to do it :) Do I only need to edit wg0.conf or anything else?

I've attached a photo of a blockage, if it helps. If you need any logs, please let me know.

Thanks a lot
Hi @penzinho
Glad to hear it's working .... almost. As it works when tethered through your phone, then the problem is clearly in your ISP (Deutsche Telekom). I can think of a few possibilities:
I just noticed your attachments - in particular 2/3 which I assume your router port forward setup on your office router. You are running IPV6, and port 30057-30058....
A couple of points:
  1. You only need to forward 1 port - let's say it's 30057. I can't see all the details on the port forward from the image. But, in your router you need to set the source port to 30057, but you must set your destination port to 51820 - you must use port 51820 to your container as WireGuard only listens to port 51820. Alternatively (especially if your router does not allow port translation, and what I recommend in the setup guide) is to set wg-easy to use 51820 in the app setting, then you don't need to translate ports - set the router to UDP 51820, destination address is your TrueNAS server. Set "UDP Port" in the app setting to 51820 (see guide).
  2. Another thing to check is that your Domain Name points to your TrueNAS server IP address (not your router address). Ping your server using the Domain Name. Make sure the address resolution is to the server address (and not the router address).
  3. ISP blocking UDP. I doubt this very much. They may throttle it (as it's used for video streaming) but I can't see them blocking it. If they do, then you're cooked. Wireguard only uses UDP.
  4. Don't attempt to edit wg0.conf. As I said in the guide, it will be reset at startup and all changes will be lost.
It's confusing that it works with tethering to your phone. I'm suspecting that when you tether it's going through IPV4 while through your ISP it's IPV6.
Anyway, have a go at the above and let me know how you go.

Black_Duck

Explorer
Joined
Oct 8, 2022
Messages
61
Can this be used in "client" mode to connect ix charts apps *to* external , commercial VPN's? If not, is that in the works?

I have several apps whose traffic I route through a VPN using gluetun running on a virtual machine. I'd love to be able to shut that machine down and run my "VPN gateway" in k3s using a helm chart app!
The wg-easy container wasn't set up for that. It's basically a WireGuard server (not client), with some extra coding to make creating and distributing config files easier. I think you would have better luck with Tailscale. You may also like to take a look at this thread. I particularly like @sfatula's approach here.

par

Explorer
Joined
Sep 26, 2013
Messages
92
Note, the instructions below are only for the iX catalog version. It will not work for the Truecharts version.
As a new SCALE user I'm confused. When I click Discover Apps and search for wireguard, I assume the search results show the Truecharts version and NOT the iX catalog version? I tried for a while to get this working and failed. Set the network device name, set port forwarding, tried the different ports. Not so easy after all.

Black_Duck

Explorer
Joined
Oct 8, 2022
Messages
61
As a new SCALE user I'm confused. When I click Discover Apps and search for wireguard, I assume the search results show the Truecharts version and NOT the iX catalog version? I tried for a while to get this working and failed. Set the network device name, set port forwarding, tried the different ports. Not so easy after all.
I’m not sure why you’re searching for wireguard given that this is about installing the wg-easy app (as per the thread title). Wireguard is merely an element of the package.
Nevertheless, I’m sorry to hear you’re having issues getting the app to work. Sadly without some concrete information I can’t help much at this point. In the meantime may I suggest going through the debug guide published above to help sort out your issue.
I can confirm that it works perfectly well for many users.

majorgear

Dabbler
Joined
Mar 13, 2012
Messages
36
The wg-easy container wasn't set up for that. It's basically a WireGuard server (not client), with some extra coding to make creating and distributing config files easier. I think you would have better luck with Tailscale. You may also like to take a look at this thread. I particularly like @sfatula's approach here.
No worries. I'll continue to use gluetun on a separate system to connect docker containers to VPNs.

MrCaspan

Dabbler
Joined
Dec 20, 2023
Messages
26
Just as an FYI, Frigate's default port is also 30057, so maybe someone wants to choose a better port number as the default?

help!

Explorer
Joined
Aug 3, 2023
Messages
57
How do we turn one side into a server, not a client? I need to connect from one end only, as there are subnet issues and the other side is connected to an ISP router with a VPN router on the LAN behind it.

Cheers all

help!

Explorer
Joined
Aug 3, 2023
Messages
57
So I'm after both my TrueNAS boxes connecting to each other via WG-easy,

but where do I put the config file that's downloaded?

Do I put the offsite location's server address in my onsite server or something?