Truenas 13.0 Wireguard in jail kernel mode wont work

[mmplpri]

Hi I just updated to truenas 13 and all jails and I got problem to get wireguard working in jail with kenel support.
I turn on tunebales in freenas if_wg_load; YES , RC tried (I been using guide from this thread https://www.truenas.com/community/t...ion-jail-to-use-wireguard-with-mullvad.90232/) tried create new jail as well still not working.

And when i restarting wireguard service I got this as well after upgade I was using wireguard go for qbtorrent and I got dht nodes no prob now with new version Got connection and its show that is green but 0 dht nodes thats why I think i need to get it through kernel.

[#] rm -f /var/run/wireguard/wg0.sock
[#] resolvconf -d wg0
[#] /usr/local/etc/wireguard/postdown.sh
[#] ifconfig wg create name wg0
[!] Missing WireGuard kernel support (ifconfig: SIOCIFCREATE2: Invalid argument). Falling back to slow userspace implementation.
[#] wireguard-go wg0
┌──────────────────────────────────────────────────────┐
│ │
│ Running wireguard-go is not required because this │
│ kernel has first class support for WireGuard. For │
│ information on installing the kernel module, │
│ please visit: │
│ https://www.wireguard.com/install/ │
│ │
└──────────────────────────────────────────────────────┘
[#] wg setconf wg0 /dev/stdin
[#] ifconfig wg0 inet 10.64.155.116/32 alias
[#] ifconfig wg0 inet6 fc00:bbbb:bbbb:bb01::1:9b73/128 alias
[#] ifconfig wg0 mtu 1420
[#] ifconfig wg0 up
[#] resolvconf -a wg0 -x
[#] route -q -n add -inet6 ::/1 -interface wg0
[#] route -q -n add -inet6 8000::/1 -interface wg0
[#] route -q -n add -inet 0.0.0.0/1 -interface wg0
[#] route -q -n add -inet 128.0.0.0/1 -interface wg0
[#] route -q -n delete -inet 194.37.96.98
[#] route -q -n add -inet 194.37.96.98 -gateway 192.168.1.1
[+] Backgrounding route monitor

 

[Volts]

Please show the specific tunables you've configured.

On the host:
What does kldstat | grep if_wg show?
What does kldload if_wg do?

 

[mmplpri]

Hi thx for helping
kldstat | grep if_wg not showing if_wg loaded when i load it manualy with kldload if_wg working ok why it doesnt load up from tuneables on start then?;f

 

[Patrick M. Hausen]

why it doesnt load up from tuneables on start then?

The tunable needs to be of type LOADER, not RC ...

 

[mmplpri]

The tunable needs to be of type LOADER, not RC ...

Thx so much thats sort it.It was said in guide on forum to ad it as rc...

 

[Amphibious]

This guide helped me get up to speed after some troubleshooting got me lost in the guide above. Hope it helps:
https://www.cyberciti.biz/faq/how-to-install-a-wireguard-vpn-client-in-a-freebsd-jail/
I set up my jail in the same base configuration (release 13.0), but found the set-up of wireguard and the testing steps in the linked guide to be very handy.

 

[vrtareg]

I would like to check if this is for WireGuard client or server?
I am trying to set up WireGuard server in my Jail to connect to my network but something does not work.
I can see incoming packets to port 51820 in the jail but nothing on wg0 interface.

I have another jail for OpenVPN and there is a traffic on tun0 interface when I connect.

Not sure if I am missing IPFW NAT rule or something else.

 

[Patrick M. Hausen]

There is no dedicated client and server in WireGuard, only peers. Are you using a VNET jail bridged to your physical network? You should. Don't mess with ipfw ...

 

[vrtareg]

There is no dedicated client and server in WireGuard, only peers. Are you using a VNET jail bridged to your physical network? You should. Don't mess with ipfw ...

I have a Jail with VNET on the same network that my TrueNAS
Jail IP is 192.168.234.111
In the Jail I configured wg0.conf with:

Code:

[Interface]
# Name     = WG Server
Address    = 10.234.111.1/32
ListenPort = 51820
PrivateKey = <key>
MTU        = 1450
#PostUp     =
#PostDown   =
Table      = auto

[Peer]
# Name       = Mobile
AllowedIPs   = 10.234.111.2/32
PreSharedKey = <key>
PublicKey    = <key>

Peer has config:

Code:

[Interface]
# Name     = Mobile
Address    = 10.234.111.2/32
PrivateKey = <key>

[Peer]
# Name       = WG Server
AllowedIPs   = 0.0.0.0/0 # Internet
Endpoint     = wg.mydomain:51820
PreSharedKey = <key>
PublicKey    = <key>
## Keep connection alive ##
PersistentKeepalive = 30

IPFW rules as 10.234.111.x network does not have route

Code:

#!/bin/sh
EPAIR=$(/sbin/ifconfig -l | tr " " "\n" | /usr/bin/grep epair)
ipfw -q -f flush
ipfw -q nat 1 config if ${EPAIR}
ipfw -q add nat 1 all from 10.234.111.0/24 to any out via ${EPAIR}
ipfw -q add nat 1 all from any to any in via ${EPAIR}

This is working fine in OpenVPN jail but not in WireGuard ....

Thanks for help.

 

[Patrick M. Hausen]

Sorry, I cannot help you if you mess with NAT. I explicitly recommend doing that and using static routing instead. Possibly somebody else knows.

 

[vrtareg]

Sorry, I cannot help you if you mess with NAT. I explicitly recommend doing that and using static routing instead. Possibly somebody else knows.

So your suggestion is to add static routing for 10.234.111.x network to Jail on my router?
I will try that.

 

[Patrick M. Hausen]

Yes. There are no user servicable parts in ipfw on TrueNAS

 

[vrtareg]

Yes. There are no user servicable parts in ipfw on TrueNAS

I changed to static route on router and I can ping wg0 interface IP from my LAN like from my laptop.
But again there is no traffic on wg0 interface in the Jail when client connected and also from mobile with wireguard android installed and connected I can't access Internet or any other IP. Looks like I am missing something.

Do I need to do a port forwarding on my router to jail wg0 10.234.111.1 IP address or jail 192.168.234.111 IP?

 

[Patrick M. Hausen]

From the outside? Yes. You need to forward the WireGuard port from your router to the jail address. And connect to your public IP from your phone.

 

[vrtareg]

From the outside? Yes. You need to forward the WireGuard port from your router to the jail address. And connect to your public IP from your phone.

I mean that jail has 2 interfaces epair0b/192.168.234.111 and wg0/10.234.111.1

I have 51820 forwarded on my router from WAN to 192.168.234.111 IP.
Do I need to change it to wg0 IP address instead?

No traffic is passing through, unless I mixed up keys...

 

[Patrick M. Hausen]

The wg0 is the internal tunnel address of your VPN. The "client" should connect to the jail address via port forwarding on your router and then the "client" and the jail should be able to ping each other using their respective wg0 address.

You are aware that WireGuard uses UDP?

 

[vrtareg]

The wg0 is the internal tunnel address of your VPN. The "client" should connect to the jail address via port forwarding on your router and then the "client" and the jail should be able to ping each other using their respective wg0 address.

You are aware that WireGuard uses UDP?

Both of the TCP and UDP 51820 port are forwarded to the Jail IP.
I will try to regenerate config and try again.

Just to double check - do I need to have the /32 or /24 mask on a Jail (aka server) side for Address?

Note - after changing the Interface netmask and peer netmask to /24 I was able to ping and communicate from the client.
Note 1 - disabled route to Jail local network, enabled back IPFW NAT rule as I did in OpenVPN - all works fine if I have /24 on a peer in Jail side.
Note 2 - https://try.popho.be/wg.html does this mean that I will need to have /32 for the peer on a Jail side but /24 in a client config - need to test.

Note 3 - I was lost in the keys, need to figure out more robust way of doing it.

 

[Patrick M. Hausen]

WG tunnels are point to point interfaces and so addresses are somewhat arbitrary. You can easily have:

Side 1:

tunnel address: 1.1.1.1/32
peer ...
allowed networks: 2.2.2.2/32

Side 2:

tunnel address: 2.2.2.2/32
peer ...
allowed networks: 1.1.1.1/32

And the two systems should see and "ping" each other.


Now in the case of a central hub and mobile clients you can do something like this - if you like, that's your decision.

Central site:

tunnel address: 192.168.0.1/24
peer 1
allowed networks: 192.168.1.101/32
peer 2
allowed networks 192.168.1.102/32
peer 3:
allowed networks 192.168.1.103/32
...

Peer 1:

tunnel address: 192.168.0.101/32
peer ...
allowed networks 192.168.0.0/24

With this setup all the mobile clients can communicate with each other while they are online. Replace the last line with 192.168.0.1/32 if they should only communicate with the central node.


Using manual IPFW NAT frequently breaks NAT jails and then people come complaining to the forums. In my experience these youtubers don't know TrueNAS, don't know IP, and don't know routing. Use static routing as the standards intended - why would anyone want to NAT an inbound VPN connection? How do you e.g. identify different clients?

My 2 ct. Glad it's working.