Wireguard - more than just access to TrueNAS system?

Aephir

Dabbler
Joined
Apr 25, 2021
Messages
47
I wanted to set up Wireguard on my TrueNAS Core 13 system. I saw the official documentation, and thought that this should be pretty straight forward. And it was, for the simple case where you "just" need access to the TrueNAS system.

But trying to build from there, giving access to the entire LAN as well as being able to use as a VPN for WAN access, things started to get more difficult. And after a lot of searching, I see I'm not the only one.

I know this is not, strictly speaking, a TrueNAS question, but more a Wireguard/FreeBSD question. But the vast amount of guides, (answered) questions, etc., I have been able to find are NOT for TrueNAS/FreeBSD, leaving me, and (from what I could Google) a whole lot of other people quite frustrated.

Despite this being a "not strictly TrueNAS issue", I would assume that this is a common use case, and that it therefore might make sense to include this in the documentation - especially since it, from what I have been able to find, does seem to include some steps that are/can be done in a certain way on a TrueNAS system (e.g., tunables from the GUI)

With that, does anyone have a good guide to allowing access to LAN and WAN from a remote client through the TrueNAS (Core) host using Wireguard?

The official documentation only goes so far. I have tried:
  • Adding additional `rc.conf` tunables (`wireguard_enable="YES"`, `wireguard_interfaces="wg0"`, `pf_enable="YES"`, `pf_rules="/usr/local/etc/pf.conf"`, `pflog_enable="YES"`, `gateway_enable="YES"`, `ipv6_gateway_enable="YES"`, `net.ipv4.ip_forward="1"`, `net.ipv6.conf.all.forwarding="1"`) as well as adding a /root/pf.conf file and the additional post init script described here.
  • Adding the IP forwarding PostUp in the wg0.conf as this documentation suggests (but then wg just didn't seem to start the interface).
  • Adding IP tables, Masquerade, etc. in the wg0.conf as described here.
  • Several combinations of the above.
Nothing I've tried gives LAN or WAN access to the client.
 

Patrick M. Hausen

Hall of Famer
Joined
Nov 25, 2013
Messages
7,776
Put the LAN into the allowed IPs in the client's wireguard config. Enable forwarding either by gateway_enable or by net.ipv4.ip_forward. Add a static route to the wireguard network via your TrueNAS to the configuration of your router. Then you do not need to mess with NAT, pf, etc. in an unsupported way.

If your router cannot manage static routes, then you need to NAT, but then I'm out. I would not mess with the firewall on a TrueNAS.
 

Aephir

Dabbler
Joined
Apr 25, 2021
Messages
47
I already have gateway_enable (from when I used OpenVPN), and have tried with net.ipv4.ip_forward (but I only need one OR the other?).
I also already have a port forwarding rule (which works fine for the "basic" VPN; I can connect to the TrueNAS system's local IP from remote client).

For the client config I have "AllowedIPs = 0.0.0.0/0, ::/0, 10.0.0.0/8" (where my local LANs are 10.0.10.0/23, 10.0.20.0/23, 10.0.30.0/24, and 10.0.40.0/24).

I'm using all UniFi network hardware, and I tried setting a static route with:
Destination => 10.10.10.0/24 # vpn ip range
Type => Next hop
Next hop => 10.0.30.27 # TrueNAS IP
Distance => 1

It just said "There was an error updating settings. This action could not be completed." (I'm away from home this week, so can't ssh into the router to get logs). But is this even needed when the port forwarding works for connections to the TrueNAS system?
 

Patrick M. Hausen

Hall of Famer
Joined
Nov 25, 2013
Messages
7,776
Your VPN client sends a TCP SYN packet (for e.g. SSH) to a system in 10.0.30.0/24 that is not your TrueNAS. That system needs to send a SYN/ACK packet back to your client's address from 10.10.10.0/24.

Quiz: where does the end system in question send that reply? Your TrueNAS? How should it know? All it's got is the destination address and its default route (in most cases).
 

Aephir

Dabbler
Joined
Apr 25, 2021
Messages
47
Hmm, I'll check the router logs when I'm back then...
Thanks!
 

Jeff Zuki

Cadet
Joined
Apr 11, 2023
Messages
2
Did you get this figured out for yourself? I was able to get it working and took some notes. I used the information here that you researched and referenced other forum posts re setting up wg and pf on FreeBSD and TrueNAS Core. Once done I verified that all communication was working as intended.

Setup:

Wireguard network: 10.13.0.0/24 wg, 10.2.2.0/24 LAN
Server IPs: 10.13.0.1 , 10.2.2.54
PC1 Client IP: 10.13.0.2
PC2 Client IP: 10.13.0.3

wg udp port: 47374
WAN router: my WAN Router IP or DNS name
Forward 47373 udp -> 10.2.2.54

All clients can reach all 10.13.0.0/24 and 10.2.2.0/24 IPs. pf NAT, net.ipv4.ip_forward, and gateway_enable allow clients to reach IPs other than the server. pf makes the server act as a gateway and NAT server. Note that other systems in 10.2.2.0/24 cannot go in the reverse back to 10.13.0.0/24 clients because they do not have a route to do so. If this is needed, a static route on the 10.2.2.0/24 hosts should allow this. I did not need this so did not test.

The server can reach all 10.13.0.0/24 clients.

Tested:

From clients to server LANs:

10.13.0.2 -> 10.13.0.1
10.13.0.2 -> 10.2.2.54
10.13.0.2 -> 10.2.2.9

10.13.0.3 -> 10.13.0.1
10.13.0.3 -> 10.2.2.54
10.13.0.3 -> 10.2.2.9

From server to clients:

10.13.0.1 -> 10.13.0.2
10.13.0.1 -> 10.13.0.3

Client to client:

10.13.0.2 -> 10.13.0.3
10.13.0.3 -> 10.13.0.2

For server to clients and client to client traffic it is necessary to disable all Windows firewalls. For desktops behind a NAT firewall this is fine for me. For laptops I will add rules to allow all traffic in from 10.13.0.0/24. On other clients such as Linux, you'd need to do something similar.
 
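Added example, not from any of the posts above: a POSIX sh script that emits the three pieces both answers in this thread rely on, so they can be compared side by side. It covers the routed variant (Patrick's answer: the LAN in the client's AllowedIPs, forwarding on the host, a static route on the router, no NAT) and the NAT variant (Jeff's notes: pf NAT on the TrueNAS host). The addresses follow Jeff's setup (tunnel 10.13.0.0/24, LAN 10.2.2.0/24, server 10.13.0.1 and 10.2.2.54, UDP 47374). The file paths, the LAN interface name `em0`, the key placeholders and the endpoint name are assumptions. One correction in the editor's voice, not the posters': `net.ipv4.ip_forward` is the Linux sysctl name; on FreeBSD the sysctl is `net.inet.ip.forwarding`, which `gateway_enable="YES"` sets at boot.

```shell
#!/bin/sh
# Added example (not code from the thread). Generates WireGuard and pf
# configuration for "LAN access through a TrueNAS Core host". Values below
# follow Jeff Zuki's post; paths, em0 and the key placeholders are assumptions.

WG_IF=wg0
WG_NET=10.13.0.0/24
WG_SERVER=10.13.0.1
WG_PORT=47374
LAN_IF=em0                 # assumption: the TrueNAS LAN NIC
LAN_NET=10.2.2.0/24

# Server side, assumed path /usr/local/etc/wireguard/wg0.conf (wg-quick format).
# Each peer's AllowedIPs must be only that peer's tunnel /32: WireGuard's
# cryptokey routing maps destination -> peer, so a wider range here would
# swallow traffic that should go out the LAN interface.
server_conf() {
    cat <<EOF
[Interface]
Address = ${WG_SERVER}/24
ListenPort = ${WG_PORT}
PrivateKey = <server-private-key>

[Peer]
# PC1
PublicKey = <pc1-public-key>
AllowedIPs = 10.13.0.2/32

[Peer]
# PC2
PublicKey = <pc2-public-key>
AllowedIPs = 10.13.0.3/32
EOF
}

# Client side. Mode "lan" sends only the tunnel and the LAN through the VPN;
# mode "full" sends everything (0.0.0.0/0 already contains the LAN, so listing
# 10.0.0.0/8 next to it is redundant). Only add ::/0 if the server carries
# IPv6 and has net.inet6.ip6.forwarding=1, otherwise the client's IPv6
# traffic is black-holed inside the tunnel.
client_conf() {
    addr=$1; mode=$2; endpoint=$3
    case $mode in
        lan)  allowed="${WG_NET}, ${LAN_NET}" ;;
        full) allowed="0.0.0.0/0" ;;
        *)    echo "client_conf: mode must be lan or full" >&2; return 1 ;;
    esac
    cat <<EOF
[Interface]
Address = ${addr}/24
PrivateKey = <client-private-key>

[Peer]
PublicKey = <server-public-key>
Endpoint = ${endpoint}:${WG_PORT}
AllowedIPs = ${allowed}
PersistentKeepalive = 25
EOF
}

# Tunables to set in the TrueNAS Core GUI (System > Tunables). gateway_enable
# is the rc.conf way; net.inet.ip.forwarding is the FreeBSD sysctl it sets.
# net.ipv4.ip_forward is the Linux name and does nothing on FreeBSD.
tunables() {
    cat <<EOF
rc.conf  wireguard_enable        YES
rc.conf  wireguard_interfaces    ${WG_IF}
rc.conf  gateway_enable          YES
sysctl   net.inet.ip.forwarding  1
EOF
}

# NAT variant only (assumed path /usr/local/etc/pf.conf). In FreeBSD pf the
# nat rule must precede the filter rules. With a static route on the router
# for ${WG_NET} via the TrueNAS LAN IP this file is not needed at all and pf
# can stay off, which is what the thread recommends.
pf_nat_conf() {
    cat <<EOF
ext_if = "${LAN_IF}"
wg_if = "${WG_IF}"
wg_net = "${WG_NET}"
set skip on lo0
nat on \$ext_if inet from \$wg_net to any -> (\$ext_if)
pass in quick on \$wg_if
pass out on \$ext_if
EOF
}
```

Validate the pf file with `pfctl -nf /usr/local/etc/pf.conf` before enabling it. To see which half of the path is broken, run `tcpdump -ni em0 host 10.2.2.9` on the TrueNAS host while the client connects: if the SYN leaves em0 but no SYN/ACK comes back, the reply path is the problem (in the routed variant the LAN host or the router needs a route for 10.13.0.0/24 via 10.2.2.54; in the NAT variant replies go to 10.2.2.54 itself, so a missing route cannot be the cause). On Windows clients, rather than disabling the firewall, an inbound allow rule scoped to the tunnel subnet, for example `New-NetFirewallRule -DisplayName "WireGuard peers" -Direction Inbound -RemoteAddress 10.13.0.0/24 -Action Allow`, gives client-to-client reachability without exposing the host to every network it joins.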