Resource icon

How-To: Setup a Wireguard VPN Server in a Jail

FreeVel

Dabbler
Joined
Feb 28, 2017
Messages
30
FreeVel submitted a new resource:

How-To: Setup a Wireguard VPN Server on Jail - WireGuard VPN Server

[DRAFT] open to comments

Goal
  • To setup a VPN server based on the Wireguard technology and running from within a Jail.
  • The VPN server would allow remote devices to connect and access resources in the local network
  • All remote traffic should be routed via the VPN channel
Approach Overview
  • [1] The FreeNas host is running on the local network 192.x.x.x/24 using the bge0 iface
  • [2] The Jail is having VNET setup with its own network 172.x.x.x/24...

Read more about this resource...
 

Ziggy

Contributor
Joined
Oct 7, 2015
Messages
157
Thank you for this detailed and clearly explained tutorial. I'm stuck, however, at this point 'service wireguard start' after the 'wg0.conf' configuration. I assume I paste in the actual keys for private and public? In which case I'm getting the following parsing error:
1594637964051.png

<< >> at each end didn't work; < > at each end didn't work; removing them altogether didn't work.
 

Ziggy

Contributor
Joined
Oct 7, 2015
Messages
157
Thought I had come across the solution by omitting the << & >> at beginning and end of the keys, but still getting "key is not the correct length or format" parsing error.
:confused:
 

Ziggy

Contributor
Joined
Oct 7, 2015
Messages
157
Yeah, have tried this, but the instructions after the init scripts are not there and I need a lot of help with the steps after this. Have read loads of tutorials on basic wireguard installation, but there are essentially missing pieces when interpreting for freenas.
 

RSVP

Explorer
Joined
Feb 11, 2016
Messages
73
hello
ixsystems make an announcement in blog
https://www.ixsystems.com/blog/wireguard-on-freenas-11-3/
why a wireguard in jail, why not a wireguard vpn on FreeNAS ??!!
I think is much simple
in truenas core 12 is already implemented OpenVPN client/server

suuccess

I have messed a bit with this yesterday. I have not been able to get the openvpn server to start after configuration. If anyone has had some success be great to hear about it. Overall. I am so happy that this is being addressed.
 

FreeVel

Dabbler
Joined
Feb 28, 2017
Messages
30
Thought I had come across the solution by omitting the << & >> at beginning and end of the keys, but still getting "key is not the correct length or format" parsing error.
:confused:

you should replace "<< ..text... >> " with your key; remove << >>
make sure you don't miss any characters from the key when you copy and paste
I had the same issue since when you double click / select to copy, you can miss the last character '='

It should look like this

Code:
[Interface]
...
PrivateKey = AFWSMtJi9lYrGb0+E+pHo8XKln8kU1NF6/1+qWj8ZHc=
...

[Peer]
....
PublicKey = kDeSujf1RoaxyZZDF6XyI9e4ikd1MwmcxTRrfJnLLH4=
....
 
Last edited:

FreeVel

Dabbler
Joined
Feb 28, 2017
Messages
30
why a wireguard in jail, why not a wireguard vpn on FreeNAS ??!!
I think is much simple

I agree. This resource is for those that would like to setup a Wireguard VPN solution using a Jail for their own reasons.
 

Ziggy

Contributor
Joined
Oct 7, 2015
Messages
157
you should replace "<< ..text... >> " with your key; remove << >>
make sure you don't miss any characters from the key when you copy and paste
I had the same issue since when you double click / select to copy, you can miss the last character '='

It should look like this

Code:
[Interface]
...
PrivateKey = AFWSMtJi9lYrGb0+E+pHo8XKln8kU1NF6/1+qWj8ZHc=
...

[Peer]
....
PublicKey = kDeSujf1RoaxyZZDF6XyI9e4ikd1MwmcxTRrfJnLLH4=
....
Yeah, thanks. Did that and it still didn't work for me. Have in the meantime experimented with an ubuntu server vm and set up wireguard on this - with successful remote login on an android device. Only thing is, just as with ubuntu 20.04 desktop, the vm becomes unreachable after less than 24 hours for some reason, both vnc and ssh, and only a reboot fixes the problem. Not a particularly useful solution if I'm away from the physical NAS for long periods. I don't have this problem with earlier versions of distros, so must be something in 20.04 that's incompatible. Couldn't even get Mint 20.04 to install (whereas 19.x had no connection problems). Why not use earlier versions then I hear you ask? Because I'm trying to utilise the benefits of wireguard integration with kernel 5.4. Perhaps I could just update the kernel within Mint 19.x? Would this work? Maybe I should just try ...
 

Patrick M. Hausen

Hall of Famer
Joined
Nov 25, 2013
Messages
7,740
I agree. This resource is for those that would like to setup a Wireguard VPN solution using a Jail for their own reasons.
You cannot install software on FreeNAS. All additional applications go into jails or VMs.
 

Dan Tudora

Patron
Joined
Jul 6, 2017
Messages
276
hello
is not need to install anything in FreeNAS, just

"To do this you must first navigate to System -> Tunables -> Add.
Enable the WireGuard service by adding “wireguard_enable” -> “YES” in rc.conf."
success
 

Ziggy

Contributor
Joined
Oct 7, 2015
Messages
157
Yes but I need detailed instructions from this point on. Just a regular wireguard config? How to generate keys in shell? Etc?
 

Dan Tudora

Patron
Joined
Jul 6, 2017
Messages
276
hello
I just done
not install any piece of software
use SSH (putty) and WinSCP from my Windows laptop to connect to the remote FreeNAS (with a OpenVPN connection on my PFsense)
just I fallow the instruction from iXsystems blog and recommandations from comments

after that I fallow instruction from your tutorial starting from step 3 (genkey, edit wg0.conf, remote.conf, etc.) and adapt for my situation, IP, etc.

reboot FreeNAS (like in iXsystems instruction) and make some modification to the PostInit command like in comments from other people

verify WireGuard service and wg0 interface -> working

forward external IP:PORT on pfsense gateway on the remote network to internal FreeNAS IP:PORT

install Wire Guard on my Windows laptop(client) and add tunnel from my remote.conf file and start tunnel

ping ip of remote server -> working

access FreeNAS interface (at 10.0.11.1 ip) -> working

access SMB share of FreeNAS and transfer some movie file -> working much faster than my OpenVPN connection

I think in this moment you can do another tutorial for starting WireGuard in FreeNAS :D
is not my merit, is yours. I just fallow YOUR instruction

success
 

Dan Tudora

Patron
Joined
Jul 6, 2017
Messages
276
hello
now I make a "arrogance", I map SMB FreeNas "Media" folder to my windows laptop and install Plex Media Server
must to wait for plex to add in "Library" movies from my SMB map drive (and have some error when add to plex, maybe from network latency)
but is working
I post after plex add movies
 

Dan Tudora

Patron
Joined
Jul 6, 2017
Messages
276
hello
play movies to my local samsung SmartTV from my remote FreeNAS connected with WireGuard with a Plex MediaServer on my local windows laptop working
next will make a WireGuard connectin from my TrueNAS Core 12-beta VM (on my laptop ofcourse) to the FreeNAS remote
after some sleep
success
 

rwatts_tci

Cadet
Joined
Jul 25, 2020
Messages
3
After trying over and over to get openvpn set-up to no avail. This is incredible! Thanks.
 

keboose

Explorer
Joined
Mar 5, 2016
Messages
92
I just tried out this guide too, and it worked great, pretty much immediately connected and started moving traffic.

I'm having a few issues with random apps on my phone though. For example, my Plex app cannot see any servers at all when on the VPN, and Discord could not connect until I turned off the VPN (after which it started working with the VPN on, weirdly.) It seems to me like the IPFW rules are maybe a bit too strict? I wouldn't know, I've barely set more than a dozen ipfw rules in my life before this, and adding NAT into the mix is just on another level that I don't know how to interpret. The NAT rules look like they pass all IP traffic, which I would think would include my Plex server, but idk.

Edit: I haven't been able to replicate the Discord problem, so I'm going to say that was a fluke. To clarify my problem with Plex: I have access to multiple servers, including my own at home. When I am at home (VPN off,) My phone (Android) can see ALL servers on my account and connect directly, including the one on my home LAN. The same is true out in the world (most public WiFi and mobile data.) But, once I turn on the VPN, I can continue to access all Plex servers EXCEPT the one on my home LAN (on the same LAN as my VPN.) I'm going to say this is probably a quirk of my network setup combined with how the WireGuard VPN is configured, considering I didn't have this problem when using OpenVPN. Any tips would still be appreciated.
 
Last edited:

FreeVel

Dabbler
Joined
Feb 28, 2017
Messages
30
Bear in mind that any service discovery protocols using broadcasting appear not to be routed via the VPN channel which is why you don't see any service in the local network.

Have you tried in your Android plex client to set the "manual connection" under the "advanced" option in the settings ? This is how Plex is working for me over the VPN channel.
 

keboose

Explorer
Joined
Mar 5, 2016
Messages
92
That's unfortunate, but not the worst drawback I could imagine.

I think the issue lies mostly in my network config. I have two LANs, physically separated (no VLAN tagging), with my FreeNas server plugged into both using dual NICs. The jails (including Plex) run on the second LAN, with a reverse proxy bridging the NICs for secure access to the config pages of my services. In theory I have rules for Plex in my router config for devices in the first LAN to be able to see it, but that obviously isn't working properly. I moved the Plex jail onto my primary LAN since the web interface is secure enough for me to trust, and now I have everything working properly.
 

nicpayne713

Dabbler
Joined
Oct 13, 2020
Messages
10
Hi all,
I am having issues that I dont' know how to resolve. I followed the tutorial, to my knowledge - exactly. I have wireguard up in a FreeNAS jail and have copied the remote.conf to 2 separate client machines. Both of them successfuly tunnel via the Wireguard application, but there is no internet available, even the LAN is broken. I am wondering if there's some ipv4 forwarding I have overlooked. I'm using freeNAS 11.3-U4.1 and my Wireguard jail is build on 11.4-RELEASE-p4 (I didn't have any other options).
Here is the output of `ifconfig` in the jail:
1602642631236.png

wg show:
1602642653259.png

Appreciate any guidance!
 
Top