
WireGuard Mystery

Chuck Munro

Cadet
Joined
Jan 3, 2016
Messages
7
I am experiencing a mysterious issue with the WireGuard client, which is to be installed on three NAS systems: two of them are FreeNAS 11.3-U5 and one is TrueNAS Core 12.

My aim is to replace OpenVPN running in a jail, with WireGuard running on the main platform. I am doing the primary test installation on one of the FreeNAS 11.3-U5 machines. If I can make it work correctly I can get rid of the jails.

The WireGuard packages install correctly (wireguard-go and wireguard tools), and the VPN starts and runs after following the instructions in various posts here. The client picks up its correct IP address from the WireGuard server (on a Linux machine). Reboots restart WireGuard correctly, as expected.

The client conf file:
[Interface]
Address = 10.8.0.5/24
ListenPort = 33094
PrivateKey = xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx

[Peer]
PublicKey = yyyyyyyyyyyyyyyyyyyyyyyyyyy
PresharedKey = zzzzzzzzzzzzzzzzzzzzzzzzzzz
AllowedIPs = 10.8.0.0/24
PersistentKeepalive = 10
Endpoint = server_fqdn:33094

But after connecting and configuring ok, the problem starts ... I can't ping or SSH to any other machines on the VPN, but pings and SSH work fine via the same VPN among the other non-FreeNAS machines (Linux and macOS). Pings in both directions between the VPN server and the FreeNAS client fail silently, and SSH just hangs.

Netstat seems to report routing is ok:

Internet:
Destination Gateway Flags Netif Expire
default 192.168.10.1 UGS re0
10.8.0.0/24 wgvpn45 US wgvpn45
10.8.0.5 link#4 UH wgvpn45
127.0.0.1 link#3 UH lo0
192.168.10.0/24 link#2 U re0
192.168.10.45 link#2 UHS lo0
192.168.50.0/24 link#1 U em0
192.168.50.45 link#1 UHS lo0

All traffic for the other two interfaces (re0 and em0) works correctly, but I can't send or receive anything on net 10.8.
The WireGuard config for wgvpn45 has a PersistentKeepalive parameter set to 10 seconds, just in case.

ipfw reports nothing should stop packets: '65535 allow ip from any to any', and I have net.inet.ip.forwarding set to 1 in the System Tunables GUI.

So ... I must be missing something or I've made a dumb mistake somewhere. Does anyone have any ideas or perhaps seen the same issue?

Thanks in advance for any assistance you can offer,
Chuck
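To narrow a "tunnel is up but pings die silently" symptom like the one above, the per-peer counters from `wg show wgvpn45 dump` separate a handshake that never completes (Endpoint unreachable or key mismatch) from a handshake that works while nothing ever comes back (something on the path between the two hosts dropping the return traffic). The Python below is an added example, not code from the original post; it parses a constructed sample of that dump output, and the interface name, placeholder keys, sample endpoint and the stale-handshake threshold are assumptions.

```python
"""Classify WireGuard peers from `wg show <iface> dump` output (tab-separated)."""
import time

# Constructed sample of `wg show wgvpn45 dump`; keys and endpoint are placeholders.
# Line 1: private-key, public-key, listen-port, fwmark (local interface).
# Later lines: public-key, preshared-key, endpoint, allowed-ips,
#              latest-handshake (epoch), transfer-rx, transfer-tx, keepalive.
SAMPLE_DUMP = "\n".join([
    "CLIENT_PRIVATE_KEY\tCLIENT_PUBLIC_KEY\t33094\toff",
    "SERVER_PUBLIC_KEY\tPRESHARED_KEY\t203.0.113.10:33094\t10.8.0.0/24"
    "\t1700000000\t0\t18432\t10",
])


def parse_dump(text):
    """Return one dict per peer from `wg show <iface> dump` output."""
    peers = []
    for line in text.strip().splitlines()[1:]:  # skip the interface line
        f = line.split("\t")
        if len(f) < 8:
            continue
        peers.append({
            "public_key": f[0], "endpoint": f[2], "allowed_ips": f[3],
            "latest_handshake": int(f[4]), "rx": int(f[5]), "tx": int(f[6]),
        })
    return peers


def classify(peer, now=None, stale=180):
    """Map a peer's counters to a diagnosis.

    stale=180s is an assumed threshold: with PersistentKeepalive = 10 and
    traffic flowing, WireGuard rekeys well within that window.
    """
    now = time.time() if now is None else now
    if peer["latest_handshake"] == 0:
        return "no-handshake"        # UDP to Endpoint blocked, or key mismatch
    if now - peer["latest_handshake"] > stale:
        return "stale-handshake"     # was up once; peer or path has since failed
    if peer["tx"] == 0:
        return "idle"                # handshake fine, nothing sent yet
    if peer["rx"] == 0:
        return "no-return-traffic"   # we send, nothing returns: check the path
    return "ok"                      # bytes flow both ways; look above the tunnel


if __name__ == "__main__":
    for p in parse_dump(SAMPLE_DUMP):
        print(p["allowed_ips"], p["endpoint"], classify(p, now=1700000030))
```

Run it against the live output with `wg show wgvpn45 dump | python3 wgdiag.py` by swapping SAMPLE_DUMP for sys.stdin.read(); a "no-return-traffic" result for a peer points at the path between the hosts rather than at the NAS configuration.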
 

Chuck Munro

Cadet
Joined
Jan 3, 2016
Messages
7
The mystery has shifted away from the NAS box ... it actually has been working all along! The problem points to my pfSense firewall, which is failing to forward packets between the FreeNAS machine and the remote server. Sorry for the false alarm ... I'll post questions on the pfSense forum.
 