Wireguard interface not showing

Fred974

Contributor
Joined
Jul 2, 2016
Messages
190
Hi all,

I am following the iXsystems guide to set up WireGuard on the TrueNAS system. Once I rebooted the server, I cannot see the wg0 interface.
I am also not able to see wireguard_enable = YES in the /etc/rc.conf file.



Code:
root@freenas2[~]# ifconfig wg0       
ifconfig: interface wg0 does not exist

Code:
root@freenas2[~]# wg-quick up wg0   
[#] wireguard-go wg0
INFO: (wg0) 2021/05/13 13:05:06 Starting wireguard-go version 0.0.20200320
[#] wg setconf wg0 /tmp/tmp.WqhToS44/sh-np.BeievT
[#] ifconfig wg0 inet 172.15.10.11/24 172.15.10.11 alias
ifconfig: ioctl (SIOCAIFADDR): File exists
[#] rm -f /var/run/wireguard/wg0.sock

Could anyone please advise?
 

Fred974

Contributor
Joined
Jul 2, 2016
Messages
190
Hi all,

I just managed to get the interface up and running by changing the interface address.
I had the following:
Code:
[Interface]
# TrueNAS server private IP address ##
Address = 172.15.10.11/24

## Wireguard VPN server port ##
ListenPort = 51820

## VPN server's private key from /etc/wireguard/privatekey ##
PrivateKey = PNmyprivatekeylED5H41geGbXvLmkU=

The IP 172.15.10.11 is my TrueNAS IP.
I changed it to 172.15.10.111 and now the interface loads.

Could anyone please advise what exactly I am meant to set the Address to? Is it my public IP or my TrueNAS IP?


Thank you
 

jgreco

Resident Grinch
Joined
May 29, 2011
Messages
18,680
Well, the [Interface] stanza says "private IP address" and yet you are listing a public IP address on that line. This implies that your TrueNAS host is exposed to the public Internet, which is a whole bunch of bad.

Try putting your TrueNAS behind a firewall, using some RFC1918 space, and forwarding the wireguard traffic to it. I'm guessing that you may also want the wireguard interface address to be different than the primary TrueNAS IP address. The syntax of that "ifconfig wg0" line looks unlikely to me.
 

Fred974

Contributor
Joined
Jul 2, 2016
Messages
190
@jgreco my IP 172.15.10.11 is a private IP and not exposed to the internet, behind pfsense. What made you think that it was public?

My goal with the wireguard is to connect my MinIO S3 from TrueNAS and my Xen Orchestra server so that I can send my xcp-ng backup to the MinIO remote located on my office TrueNAS.
"you may also want the wireguard interface address to be different than the primary TrueNAS IP address"
Do I pick any value? Will any IP do? Sorry, this is my very first attempt at WireGuard.
 

jgreco

Resident Grinch
Joined
May 29, 2011
Messages
18,680
"@jgreco my IP 172.15.10.11 is a private IP and not exposed to the internet, behind pfsense. What made you think that it was public?"

Because 172.15.10.11 is within a public allocation, obviously. I don't *think* that, it's a *fact*.

NetRange: 172.0.0.0 - 172.15.255.255
CIDR: 172.0.0.0/12
NetName: SIS-80-8-2012
NetHandle: NET-172-0-0-0-1
Parent: NET172 (NET-172-0-0-0-0)
NetType: Direct Allocation
OriginAS: AS7132
Organization: AT&T Corp. (AC-3280)
RegDate: 2012-08-20
Updated: 2018-07-19
Ref: https://rdap.arin.net/registry/ip/172.0.0.0

That space is assigned to AT&T. Commonly used private IP space is defined in RFC1918 and followups, and does not include 172.15.10.11. You should not just grab a random IP block from the Internet and declare it "private."

"My goal with the wireguard is to connect my MinIO S3 from TrueNAS and my Xen Orchestra server so that I can send my xcp-ng backup to the MinIO remote located on my office TrueNAS.

Do I pick any value? Will any IP do? Sorry, this is my very first attempt at WireGuard."

I don't know the specific answer to that, as I haven't tried to build such a setup with Wireguard. I typically build routed networks, which are designed somewhat differently.
 

Fred974

Contributor
Joined
Jul 2, 2016
Messages
190
"Because 172.15.10.11 is within a public allocation, obviously. I don't *think* that, it's a *fact*."
Ok I got it. I think I typed it wrong. It should be 172.16.10.11. I believe this should be a private network. Is that correct?
 

jgreco

Resident Grinch
Joined
May 29, 2011
Messages
18,680
172.16.0.0/12 is RFC1918 space, so yes, you can use that as private network space.

I'm not clear on what Wireguard requires for a design where you appear to be trying to use local ethernet addresses. In OpenVPN, we do this with bridging (tap), and there wouldn't be any IP address associated with the interface being bridged. The usual problem that people run into with OpenVPN is that they don't understand the routing aspect, and so if you use a tunnel (tun), and fail to set up return path routing, it "doesn't work" and "is OpenVPN's fault" and all sorts of other ridiculous and incorrect PEBCAK-class drama.

Normally, I would expect to set up a different network, let's say for the sake of argument, 172.17.0.0/24, with 172.17.0.1 as the wireguard interface on the NAS, and 172.17.0.{2...255} as the tunnel endpoints. This will work for your NAS but not for the rest of the network. To make the rest of the network work, you need for devices on 172.16.{whatever} to know how to reach 172.17.0.0/24, so you need to install a static route for 172.17.0.0/24 on the gateway router for your 172.16.{whatever} networks that points 172.17.0.0/24 at 172.16.10.11 (your NAS).
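
Added example, not part of any post in this thread: a Python check of a wg-quick [Interface] Address against the three points raised above (RFC1918 membership, reuse of the host's existing LAN IP, and a tunnel subnet that overlaps the LAN). The function name, the problem codes and the `lan_interface` argument are assumptions made for this sketch, and the sample config is constructed from the one posted earlier.

```python
import configparser
import ipaddress

# The three RFC1918 blocks; 172.16.0.0/12 spans 172.16.0.0 - 172.31.255.255.
RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

def check_wg_address(conf_text, lan_interface):
    """Return problem codes for each IPv4 Address in a wg-quick [Interface].

    lan_interface is the host's existing LAN address with prefix,
    e.g. "172.16.10.11/24" (an assumed input, not read from the system).
    """
    # strict=False tolerates the repeated [Peer] sections of real configs.
    parser = configparser.ConfigParser(strict=False, interpolation=None)
    parser.read_string(conf_text)
    lan = ipaddress.ip_interface(lan_interface)
    problems = []
    for item in parser["Interface"]["Address"].split(","):
        wg = ipaddress.ip_interface(item.strip())
        if wg.version != 4:
            continue
        if not any(wg.ip in net for net in RFC1918):
            problems.append("not-rfc1918")      # e.g. 172.15.x.x
        if wg.ip == lan.ip:
            problems.append("same-as-lan-ip")   # address already on the host
        if wg.network.overlaps(lan.network):
            problems.append("overlaps-lan")     # tunnel is not a separate network
    return problems

# Constructed sample modelled on the config posted in the thread.
THREAD_CONF = """
[Interface]
Address = 172.15.10.11/24
ListenPort = 51820
PrivateKey = (placeholder)
"""

if __name__ == "__main__":
    # Original config: all three problems are reported.
    print(check_wg_address(THREAD_CONF, "172.15.10.11/24"))
    # Separate tunnel network as suggested above: no problems.
    fixed = THREAD_CONF.replace("172.15.10.11/24", "172.17.0.1/24")
    print(check_wg_address(fixed, "172.16.10.11/24"))
```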
 

jag5cof

Dabbler
Joined
Apr 7, 2017
Messages
18
I have been reading the threads above. I don't see anything on how to set up wireguard from scratch
 

Redcoat

MVP
Joined
Feb 18, 2014
Messages
2,925