ghostrider
Cadet
Joined: Apr 15, 2023
Messages: 7
Hello,
This may seem like a question more appropriate for WireGuard than TrueNAS, but I'm posting it here just to see if there's any sort of special quirk on TrueNAS that needs to be configured beforehand that isn't directly related to WireGuard.
Having recently installed TrueNAS SCALE, I'm now in the process of routing all my TrueNAS traffic to my VPN provider, similar to what I do with all my other servers.
When I SSH to the system I see that the WireGuard binaries are already present by default; however, once WireGuard is configured and I try to connect to Mullvad, I see routes being pushed but I'm unable to ping or resolve anything.
~# wg-quick up wg0
[#] ip link add wg0 type wireguard
[#] wg setconf wg0 /dev/fd/63
[#] ip -4 address add X.X.X.X dev wg0
[#] ip link set mtu 1420 up dev wg0
[#] resolvconf -a wg0 -m 0 -x
[#] wg set gw0 fwmark 51820
[#] ip -4 route add 0.0.0.0/0 dev gw0 table 51820
[#] ip -4 rule add not fwmark 51820 table 51820
[#] ip -4 rule add table main suppress_prefixlength 0
[#] sysctl -q net.ipv4.conf.all.src_valid_mark=1
[#] nft -f /dev/fd/63
[#] ip r a 192.168.1.0/24 via 172.16.2.1 (Added a static route to allow access to my LAN subnet)
When I filter ICMP with tcpdump, I see packets leaving the virtual wg interface, but I get no response (echo reply):
~# ping 1.1.1.1
PING 1.1.1.1 (1.1.1.1) 56(84) bytes of data.
13:25:15.023875 wg0 Out IP X.X.X.X > 1.1.1.1: ICMP echo request, id 28503, seq 1, length 64
13:25:16.033189 wg0 Out IP X.X.X.X > 1.1.1.1: ICMP echo request, id 28503, seq 2, length 64
13:25:17.057175 wg0 Out IP X.X.X.X > 1.1.1.1: ICMP echo request, id 28503, seq 3, length 64
13:25:18.081177 wg0 Out IP X.X.X.X > 1.1.1.1: ICMP echo request, id 28503, seq 4, length 64
13:25:19.105144 wg0 Out IP X.X.X.X > 1.1.1.1: ICMP echo request, id 28503, seq 5, length 64
13:25:20.129130 gw0 Out IP X.X.X.X > 1.1.1.1: ICMP echo request, id 28503, seq 6, length 64
13:25:21.153174 gw0 Out IP X.X.X.X > 1.1.1.1: ICMP echo request, id 28503, seq 7, length 64
^C
--- 1.1.1.1 ping statistics ---
7 packets transmitted, 0 received, 100% packet loss, time 6129ms
Upon closer inspection of the iptables rules, nothing strikes me as a blocking factor.
My Wireguard configuration looks like this:
[Interface]
PrivateKey = (...)
Address = X.X.X.X
DNS = X.X.X.X
PostUp = ip r a 192.168.1.0/24 via 172.16.2.1
PostDown = ip r d 192.168.1.0/24
[Peer]
Presharedkey = (...)
PublicKey = (...)
Endpoint = 193.32.126.69:31173
AllowedIPs = 0.0.0.0/0
PersistentKeepalive = 25
Does anyone have any idea what might be missing and how to route all TrueNAS traffic through WireGuard?
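A small diagnostic helper, added here and not part of ghostrider's post, that reads `wg show wg0 dump` output and separates the states that produce exactly this picture (echo requests leave wg0, nothing comes back): a handshake that never completed, bytes sent with none received, and a missing or mismatched fwmark relative to the 51820 policy table that wg-quick set up in the output above. The sample dump, key placeholders and the 180-second staleness threshold are constructed assumptions.

```python
# Added diagnostic helper (not from the original post) for the symptom above:
# echo requests leave wg0 but nothing returns. Parses `wg show <iface> dump`:
# line 1 = interface (private-key, public-key, listen-port, fwmark); each later
# line = a peer (public-key, preshared-key, endpoint, allowed-ips,
# latest-handshake, transfer-rx, transfer-tx, persistent-keepalive).
from dataclasses import dataclass

@dataclass
class WgPeerState:
    fwmark: str            # "off" or hex mark as wg prints it, e.g. "0xca6c" (51820 decimal)
    endpoint: str
    latest_handshake: int  # unix seconds, 0 = never completed
    rx_bytes: int
    tx_bytes: int

def parse_wg_dump(dump: str) -> WgPeerState:
    """Parse a single-peer `wg show <iface> dump` (tab-separated fields)."""
    lines = [ln for ln in dump.strip().splitlines() if ln.strip()]
    if len(lines) < 2:
        raise ValueError("interface has no peer configured")
    iface, peer = lines[0].split("\t"), lines[1].split("\t")
    return WgPeerState(fwmark=iface[3], endpoint=peer[2],
                       latest_handshake=int(peer[4]),
                       rx_bytes=int(peer[5]), tx_bytes=int(peer[6]))

def diagnose(st: WgPeerState, now: int, policy_table: int = 51820) -> list[str]:
    """Return finding codes; an empty list means the tunnel itself looks healthy."""
    findings = []
    # wg-quick marks its own encrypted UDP with fwmark == table id so the
    # 'ip rule add not fwmark 51820 table 51820' rule keeps it out of the tunnel.
    if st.fwmark == "off":
        findings.append("no-fwmark")            # encrypted packets would loop into wg0
    elif int(st.fwmark, 0) != policy_table:
        findings.append("fwmark-table-mismatch")
    if st.latest_handshake == 0:
        findings.append("no-handshake")         # keys/PSK wrong or UDP to endpoint blocked
    elif now - st.latest_handshake > 180:       # constructed threshold; rekey is ~2 min
        findings.append("stale-handshake")      # peer stopped answering
    if st.tx_bytes > 0 and st.rx_bytes == 0:
        findings.append("no-return-traffic")    # matches the tcpdump: requests out, nothing in
    return findings

# Constructed sample mirroring the post: handshake never completed, bytes sent, none received.
SAMPLE_DUMP = (
    "PRIVATE_KEY_REDACTED\tPUBLIC_KEY_REDACTED\t51820\t0xca6c\n"
    "PEER_PUBLIC_KEY\tPEER_PSK\t193.32.126.69:31173\t0.0.0.0/0\t0\t0\t1176\t25\n"
)
```

Run `diagnose(parse_wg_dump(SAMPLE_DUMP), now=int(time.time()))` against the real `wg show wg0 dump` output; a `no-handshake` finding points at the UDP path to the endpoint or the key material rather than at the routing rules.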