TreuNAS Core Wireguard Not Working

[DemonWarrior]

if anyone has an idea. Im attempting to get truenas to run wireguard on truenas core. Iv tried everything and considered something from truenas core is not propegating outside my truenas install. i used this method https://www.cyberciti.biz/faq/how-to-install-a-wireguard-vpn-client-in-a-freebsd-jail/ i have a working wireguard working from my windows pc on another computer on my network to my vps. but for some odd reason truenas wont connect with it.

Wg0.conf on truenas

Code:

[Interface]
Address = 10.254.0.3/24
SaveConfig = true
ListenPort = 51820
PrivateKey = (privatekey of truenas)

[Peer]
PublicKey = (publickey of vps)
AllowedIPs = 10.254.0.0/24
Endpoint = xxx.xxx.81.108:51820
PersistentKeepalive = 25

wg1.conf VPS

Code:

[Interface]
PrivateKey = (PrivateKey for VPS)
Address = 10.254.0.4/32
ListenPort = 51820
SaveConfig = true
PostUp = iptables -t nat -I POSTROUTING -o enp0s3 -j MASQUERADE
PreDown = iptables -t nat -D POSTROUTING -o enp0s3 -j MASQUERADE
[Peer]
PublicKey = (PublicKeyforTRUENAS-CORE)
AllowedIPs = 10.254.0.0/32
Endpoint = truenas-movies4you.duckdns.org:51820
PersistentKeepalive = 25

I have a dynamic ip which is why i have a domain as the endpoint which again does work on my windows to the same vps. I have tried everything. Im literally pulling out my hair trying to figure this out. I cant get a ping from the 10.254.0.3 from my vps.

 

[Patrick M. Hausen]

Try iocage set allow_tun=1 <jailname> and restart the jail.

 

[DemonWarrior]

Try iocage set allow_tun=1 <jailname> and restart the jail.

Still cant get a ping outside the truenas network. Do you have anything else I can try. Or need more information on anything.

 

[DemonWarrior]

here are some logs i found inside the wireguard /var/log/messages

Code:

Mar 22 08:49:22 wireguard dhclient[6880]: unknown dhcp option value 0x7d
Mar 22 12:26:50 wireguard root[22613]: /etc/rc.shutdown: WARNING: Can't unload if_wg module.
Mar 22 12:26:50 wireguard dhclient[6880]: receive_packet failed on epair0b: Device not configured
Mar 22 12:26:50 wireguard dhclient[6880]: ioctl(SIOCGIFFLAGS) on epair0b: Operation not permitted
Mar 22 12:26:50 wireguard dhclient[6880]: Interface epair0b no longer appears valid.
Mar 22 12:26:50 wireguard dhclient[6880]: No live interfaces to poll on - exiting.

 

[DemonWarrior]

bump?

 

[Constantin]

FWIW, I found the following video on how to do it with two Mikrotik router tunnels to be 100% functional. Even works with two DDNS sites, no hard-coded IP addresses needed. Only downside is that you're potentially opening your whole respective networks up to nonsense vs. the machine-to-machine approach you're considering. However, even that can be mitigated somewhat via restrictive IP firewall settings.

This approach worked much better than IPSEC, for example.

 

[DemonWarrior]

FWIW, I found the following video on how to do it with two Mikrotik router tunnels to be 100% functional. Even works with two DDNS sites, no hard-coded IP addresses needed. Only downside is that you're potentially opening your whole respective networks up to nonsense vs. the machine-to-machine approach you're considering. However, even that can be mitigated somewhat via restrictive IP firewall settings.

This approach worked much better than IPSEC, for example.

it would be a great place to start but i dont have an enterprise router/modem system or an open source linux router system. So this wont work for my specific use case. The whole reason im doing this is to route my traffic to my vps so I use the vps for my reverse proxy for my selfhosted webapps. It still wont matter though because if my truenas cant be seen outside my network it wont work anyway. This is mainly done because i have a dynamic ip and it changes quite randomly and frequently. I am pretty sure this method will only work with static business class use case

 

[Constantin]

Nope, I can confirm that the two Mikrotik routers were happily communicating with FQDNs that are based on 100% dynamic IP addresses. Mikrotik makes that easy by using the SN of each Mikrotik router as part of a DDNS name, which it hosts to make discovery relatively easy.

Every time the network berg mentions a IP address that is seen by the outside world in his tutorial, simply substitute the DDNS address of each router. Worked 100% for me without any hard coded IP addresses. Unlike his IPSEC VPN tutorial, this approach worked perfectly the first time I tried it. And it was MUCH easier than getting two Edgerouters to talk (that took hours / days).

 

[DemonWarrior]

i understand but i do not have mikrotik routers or hardware that is enterprise based. I appreciate the input but my endgoal is to get this working as its intended to work from wireguard and truenas

Nope, I can confirm that the two Mikrotik routers were happily communicating with FQDNs that are based on 100% dynamic IP addresses. Mikrotik makes that easy by using the SN of each Mikrotik router as part of a DDNS name, which it hosts to make discovery relatively easy.

Every time the network berg mentions a IP address that is seen by the outside world in his tutorial, simply substitute the DDNS address of each router. Worked 100% for me without any hard coded IP addresses. Unlike his IPSEC VPN tutorial, this approach worked perfectly the first time I tried it. And it was MUCH easier than getting two Edgerouters to talk (that took hours / days).

 

[Volts]

wg1.conf VPS

Code:

[Peer]
AllowedIPs = 10.254.0.0/32

That doesn't look right. This should probably be /24 to match the other entries.

 

[Volts]

Mar 22 12:26:50 wireguard root[22613]: /etc/rc.shutdown: WARNING: Can't unload if_wg module.

Get it working first.

Then, it's worth loading the wireguard if_wg kernel module on the host. It's dramatically faster and uses less CPU.

To do so, create a tunable:

Variable: if_wg_load
Value: YES
Type: loader
Enabled

 

[DemonWarrior]

i attempted this tutorial https://www.truenas.com/docs/core/coretutorials/network/wireguard/ along with this one https://www.truenas.com/community/resources/how-to-setup-a-wireguard-vpn-server-in-a-jail.147/ ive also tried your adding the tuneables and still cant ping my remote device. I just dont get why this wont work? Could it be a networking thing. Is there anything I can change or check to see if the network is blocking it. I know truenas has glitches when it comes to networking

 

[Volts]

If the goal is to configure wireguard in a jail, neither of those links are relevant. Can you confirm the end goal?

Did you see my question about the AllowedIPs subnet mask? They don't match between your configuration files.

 

[DemonWarrior]

i changed them to /24 and it made no change sorry the last messaged i tried to say i already attempted that. My end goal is to have wireguard connect my truenas jail nextcloud to my vps remotely. So i can reverse proxy using that ip of my vps for my nextcloud on truenas on my local pc. I have this succesfully working on my windows 11 pc locally to my vps with other webapps. But I dont have the amount of ram needed to run nextcloud on that system hence why im using extra resources on my truenass install to run and use nextcloud

If the goal is to configure wireguard in a jail, neither of those links are relevant. Can you confirm the end goal?

Did you see my question about the AllowedIPs subnet mask? They don't match between your configuration files.

 

[DemonWarrior]

bump?

 

[Volts]

It's difficult to know the current state of your system. You applied multiple changes from following both of those links?

 

[DemonWarrior]

So do you want me to send the new configs. I tried all the requested changes the only thing that has changed is not run it in a jail setup. All the documentation on the setup is documented by truenas in those links.

 

[DemonWarrior]

It's difficult to know the current state of your system. You applied multiple changes from following both of those links?

So let's say I start over. How can I run this to get it working with wireguard in the end goal that I'm attempting to do.

 

[Volts]

Sure, share the current configs.

Is wireguard still connecting?

With it connected, can you share the output of -

ifconfig
wg show
netstat -rn
ipfw list

 

[DemonWarrior]

Sure, share the current configs.

Is wireguard still connecting?

With it connected, can you share the output of -

ifconfig
wg show
netstat -rn
ipfw list

ifconfig:

Code:

root@truenas[~]# ifconfig
em0: flags=8863<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
        options=812098<VLAN_MTU,VLAN_HWTAGGING,VLAN_HWCSUM,WOL_MAGIC,VLAN_HWFILTER>
        ether 88:51:fb:5b:42:ff
        inet 192.168.1.21 netmask 0xffffff00 broadcast 192.168.1.255
        media: Ethernet autoselect (1000baseT <full-duplex>)
        status: active
        nd6 options=9<PERFORMNUD,IFDISABLED>
lo0: flags=8049<UP,LOOPBACK,RUNNING,MULTICAST> metric 0 mtu 16384
        options=680003<RXCSUM,TXCSUM,LINKSTATE,RXCSUM_IPV6,TXCSUM_IPV6>
        inet6 ::1 prefixlen 128
        inet6 fe80::1%lo0 prefixlen 64 scopeid 0x2
        inet 127.0.0.1 netmask 0xff000000
        groups: lo
        nd6 options=21<PERFORMNUD,AUTO_LINKLOCAL>
pflog0: flags=0<> metric 0 mtu 33160
        groups: pflog
wg0: flags=80c1<UP,RUNNING,NOARP,MULTICAST> metric 0 mtu 1420
        options=80000<LINKSTATE>
        inet 10.253.0.1 netmask 0xffffff00
        groups: wg
        nd6 options=109<PERFORMNUD,IFDISABLED,NO_DAD>
vnet0.1: flags=8863<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
        description: associated with jail: Nextcloud as nic: epair0b
        options=8<VLAN_MTU>
        ether 8a:51:fb:27:9a:bf
        hwaddr 02:e1:b5:e7:3a:0a
        inet 172.16.0.1 netmask 0xfffffffc broadcast 172.16.0.3
        groups: epair
        media: Ethernet 10Gbase-T (10Gbase-T <full-duplex>)
        status: active
        nd6 options=9<PERFORMNUD,IFDISABLED>

wg show:

Code:

root@truenas[~]# wg show
interface: wg0
  public key: jxtIcNHXXXXXXXXXXXXXXXXXXXXXXXX
  private key: (hidden)
  listening port: 51820

peer: oG21StE+Mfi2NaznXXXXXXXXXXXXXXXXXXXX
  endpoint: 129.xxx.xxx.108:51820
  allowed ips: 10.253.0.0/24
  transfer: 0 B received, 8.32 MiB sent
  persistent keepalive: every 25 seconds

netstat -rn:

Code:

root@truenas[~]#  netstat -rn
Routing tables

Internet:
Destination        Gateway            Flags     Netif Expire
default            192.168.1.1        UGS         em0
10.253.0.0/24      link#4             U           wg0
10.253.0.1         link#4             UHS         lo0
127.0.0.1          link#2             UH          lo0
172.16.0.0/30      link#5             U       vnet0.1
172.16.0.1         link#5             UHS         lo0
192.168.1.0/24     link#1             U           em0
192.168.1.21       link#1             UHS         lo0

Internet6:
Destination                       Gateway                       Flags     Netif Expire
::/96                             ::1                           UGRS        lo0
::1                               link#2                        UHS         lo0
::ffff:0.0.0.0/96                 ::1                           UGRS        lo0
fe80::/10                         ::1                           UGRS        lo0
fe80::%lo0/64                     link#2                        U           lo0
fe80::1%lo0                       link#2                        UHS         lo0
ff02::/16                         ::1                           UGRS        lo0

ipfw list:

Code:

root@truenas[~]#  ipfw list
00100 nat 462 ip4 from 172.16.0.0/24 to any out via em0
00101 nat 462 ip4 from any to any in via em0
65535 allow ip from any to any

here is my remote config for my vps:
wg show:

Code:

[Interface]
PrivateKey = QGgZPcxG+/leJJJXXXXXXXXXXXXXXXXXX
Address = 10.253.0.2/24
ListenPort = 51820
SaveConfig = true
PostUp = iptables -t nat -I POSTROUTING -o enp0s3 -j MASQUERADE
PreDown = iptables -t nat -D POSTROUTING -o enp0s3 -j MASQUERADE

[Peer]
PublicKey = jxtIcNH+MqntnDbeXXXXXXXXXXXXXXXXX
AllowedIPs = 10.253.0.0/24
Endpoint = movies4you-nas.ddns.net:51820
PersistentKeepalive = 25

ifconfig:

Code:

ubuntu@ubuntu-22-04:~$ ifconfig
enp0s3: flags=4163<UP,BROADCAST,RUNNING,MULTICAST>  mtu 9000
        inet 10.0.0.100  netmask 255.255.255.0  broadcast 10.0.0.255
        inet6 fe80::17ff:fe12:935  prefixlen 64  scopeid 0x20<link>
        ether 02:00:17:12:09:35  txqueuelen 1000  (Ethernet)
        RX packets 4956718  bytes 4222553426 (4.2 GB)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 4819363  bytes 4380906309 (4.3 GB)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0

lo: flags=73<UP,LOOPBACK,RUNNING>  mtu 65536
        inet 127.0.0.1  netmask 255.0.0.0
        loop  txqueuelen 1000  (Local Loopback)
        RX packets 139544  bytes 45021763 (45.0 MB)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 139544  bytes 45021763 (45.0 MB)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0

wg0: flags=209<UP,POINTOPOINT,RUNNING,NOARP>  mtu 8920
        inet 10.254.0.2  netmask 255.255.255.0  destination 10.254.0.2
        unspec 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00  txqueuelen 1000  (UNSPEC)
        RX packets 2590027  bytes 3694655380 (3.6 GB)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 1938602  bytes 216787756 (216.7 MB)
        TX errors 0  dropped 886610 overruns 0  carrier 0  collisions 0

wg1: flags=209<UP,POINTOPOINT,RUNNING,NOARP>  mtu 8920
        inet 10.253.0.2  netmask 255.255.255.0  destination 10.253.0.2
        unspec 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00  txqueuelen 1000  (UNSPEC)
        RX packets 0  bytes 0 (0.0 B)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 57680  bytes 8536640 (8.5 MB)
        TX errors 0  dropped 2884 overruns 0  carrier 0  collisions 0

netstat -rn:

Code:

ubuntu@ubuntu-22-04:~$  netstat -rn
Kernel IP routing table
Destination     Gateway         Genmask         Flags   MSS Window  irtt Iface
0.0.0.0         10.0.0.1        0.0.0.0         UG        0 0          0 enp0s3
0.0.0.0         10.0.0.1        0.0.0.0         UG        0 0          0 enp0s3
10.0.0.0        0.0.0.0         255.255.255.0   U         0 0          0 enp0s3
10.0.0.1        0.0.0.0         255.255.255.255 UH        0 0          0 enp0s3
10.253.0.0      0.0.0.0         255.255.255.0   U         0 0          0 wg1
10.254.0.0      0.0.0.0         255.255.255.0   U         0 0          0 wg0
169.254.0.0     0.0.0.0         255.255.0.0     U         0 0          0 enp0s3
169.254.169.254 10.0.0.1        255.255.255.255 UGH       0 0          0 enp0s3

just in case this help