wg-easy default configuration assumes interface name eth0

Joined
Jan 30, 2023
Messages
1
Setting up the wg-easy official app and I checked the default generated configuration which includes the following line:

Code:
PostUp = iptables -t nat -A POSTROUTING -s 192.168.26.0/24 -o eth0 -j MASQUERADE; iptables -A INPUT -p udp -m udp --dport 51820 -j ACCEPT; iptables -A FORWARD -i wg0 -j ACCEPT; iptables -A FORWARD -o wg0 -j ACCEPT;


It targets the interface eth0 - but this can't be assumed to exist. In my case, I have several interfaces but none of them are eth0.

enp6s0 is a 1GbE ethernet interface (used as fallback/service port)
enp7s0f0 is a 10GbE SFP interface
enp7s0f1 is a 10GbE SFP interface
bond1 is a bonded pair of the 2 enp7s0f* interfaces

As far as I can see there isn't any way to tell wg-easy which interface to use?
 

Johannes4

Cadet
Joined
Feb 19, 2023
Messages
1
I ran into the same issue. What you need to do is 'overwrite' the default WG_POST_UP parameter by adding a parameter WG-Easy Environment, which is simply the line you posted, but adjusted for your particular ethernet port.

Name: WG_POST_UP
Value: iptables -t nat -A POSTROUTING -s 192.168.5.0/24 -o enp0s31f6 -j MASQUERADE; iptables -A INPUT -p udp -m udp --dport 51820 -j ACCEPT; iptables -A FORWARD -i wg0 -j ACCEPT; iptables -A FORWARD -o wg0 -j ACCEPT;

All parameters that can be configured are documented on Docker Hub:
 

Extremk

Cadet
Joined
Feb 11, 2013
Messages
7
Hello, where can I see if he takes the right interface?
Unfortunately I have the problem that I can connect, but I can't access the internet or my home network!
It seems to me that he doesn't take the right interface!
Where can I find the default generated configuration?
And where can I overwrite the default WG_POST_UP parameter?
Best Regards
 

Black_Duck

Explorer
Joined
Oct 8, 2022
Messages
61
> Hello, where can I see if he takes the right interface?
> Unfortunately I have the problem that I can connect, but I can't access the internet or my home network!

By the sound of it you have the wrong interface.

> It seems to me that he doesn't take the right interface!
> Where can I find the default generated configuration?

Your interface name(s) are listed under the "Network" tab in Scale. You can also find it by issuing the "ip a" command within the shell. It will look something like "enp0s31f6". If you are running Host Path to a Configuration Volume, you can see the POST_UP in the wg0.conf file. However, if you're running PVC it is much harder to find. Just assume it's wrong.

> And where can I overwrite the default WG_POST_UP parameter?

I am running Host Path to a Configuration volume, so I just edited the wg0.conf file, replacing the "eth0" with the correct interface name.
However, looking at the wg-easy config.js, it appears you may just be able to Edit the Application setup, Add an Environment variable, then set Name to "WG_DEVICE", and Value to the interface name. Sorry I'm not at home so I can't try this.
 

overeat

Dabbler
Joined
Aug 31, 2021
Messages
20
The WG_DEVICE config option isn't in the "version 7" which TrueNAS SCALE uses. It needs to be updated to "7-nightly".

Additionally, in this wg-easy install, I noticed it always appends iptables rules upon restart. So every time you restart the daemon, it appends 3 duplicate rules.

I couldn't get it to work personally, so I'm trying to figure something else out.

The TrueCharts helm isn't very great either, so I'm just doing custom docker.

---

Update: I got the TrueCharts one working. You need to run it as PID=0. Seems like a security issue potentially, but you need to do it because the image doesn't have `sudo` and you can't start it otherwise.

As for WG_DEVICE, it appears the TrueCharts docker install uses eth0 and not whatever your main device's internet device is (in my case bond0). So you don't seem to need to fiddle with WG_DEVICE or WG_POST_UP.

I did add `net.ipv4.conf.all.src_valid_mark=1` into sysctl via settings > advanced > sysctl as the docker for wg-easy suggests you do that.

----

UPDATE: I re-installed TrueNAS's chart after sysctl net.ipv4.conf.all.src_valid_mark=1 and that doesn't fix it.

Also in the TrueNAS chart, I do have to use bond0 I assume, since eth0 doesn't exist like it does in the TrueCharts helm chart.

So for now, the only thing I can get working is TrueCharts running as root.
 

Black_Duck

Explorer
Joined
Oct 8, 2022
Messages
61
Yea, I also noticed that it appends to the iptables after every restart creating duplicate entries. Would be nice if startup issued an iptables -flush or something, but as they are duplicate entries it doesn’t affect the outcome.
I have no issues with the latest iX version after changing the interface, nor did I have a problem with the Truecharts version which ran perfectly ‘out of the box’ until they updated it and forced reinstall of all their apps. Permanently moved away from Truecharts since.
Disappointing about WG_DEVICE - would have been a simple solution.
 

overeat

Dabbler
Joined
Aug 31, 2021
Messages
20
> Yea, I also noticed that it appends to the iptables after every restart creating duplicate entries. Would be nice if startup issued an iptables -flush or something, but as they are duplicate entries it doesn’t affect the outcome.
> I have no issues with the latest iX version after changing the interface, nor did I have a problem with the Truecharts version which ran perfectly ‘out of the box’ until they updated it and forced reinstall of all their apps. Permanently moved away from Truecharts since.
> Disappointing about WG_DEVICE - would have been a simple solution.

I could never get the default TrueNAS one to work personally, regardless of what internet interface I change it to. Simply won't allow clients to connect.

Also tried disabling "host network" which defaults the interface on the docker container to eth0 and still wouldn't work.

For now I'm using the TrueCharts version, which seems to work.
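
Added example, not from any poster in this thread or from the wg-easy project: a shell sketch that takes the interface from the default route instead of assuming eth0, and builds a WG_POST_UP value in which each rule is guarded by `iptables -C`, so a restart does not append duplicates. The function names and the sample routing output are constructed for illustration; the four rules, the subnet and the port are the ones posted above.

```shell
#!/bin/sh
# Added example: names below are illustrative, not part of wg-easy.

# Constructed sample of `ip -4 route show default` on a host with no eth0.
SAMPLE_ROUTES='default via 192.0.2.1 dev bond1 proto static metric 100
192.0.2.0/24 dev bond1 proto kernel scope link src 192.0.2.10'

# Read routing output on stdin, print the device of the first default route.
egress_iface() {
    awk '$1 == "default" {
        for (i = 2; i < NF; i++) if ($i == "dev") { print $(i + 1); exit }
    }'
}

# Emit one rule as "check, append only if absent". iptables -C exits non-zero
# when the rule is missing, so a restart finds the rule and skips the append.
guarded() {
    printf 'iptables -t %s -C %s 2>/dev/null || iptables -t %s -A %s; ' \
        "$1" "$2" "$1" "$2"
}

# build_post_up SUBNET DEVICE PORT -> value for WG_POST_UP (same four rules as
# the generated default, with the device supplied instead of eth0).
build_post_up() {
    # PostUp runs as root through a shell: refuse anything that is not a
    # plain interface name, including an empty lookup result.
    case $2 in
        ''|*[!A-Za-z0-9_.:-]*) echo "bad interface name: '$2'" >&2; return 1 ;;
    esac
    guarded nat "POSTROUTING -s $1 -o $2 -j MASQUERADE"
    guarded filter "INPUT -p udp -m udp --dport $3 -j ACCEPT"
    guarded filter "FORWARD -i wg0 -j ACCEPT"
    guarded filter "FORWARD -o wg0 -j ACCEPT"
}

# On a live system: dev=$(ip -4 route show default | egress_iface)
dev=$(printf '%s\n' "$SAMPLE_ROUTES" | egress_iface)
build_post_up 192.168.26.0/24 "$dev" 51820
echo
```

Run the route lookup in the same network namespace as wg-easy: with host networking that is the host's interface (bond1 in the sample), without it the container sees its own eth0.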
 