TrueNAS Scale Wireguard Client issues

chereszabor

Dabbler
Joined
Apr 20, 2021
Messages
12
Hello,
I'm having some issues with setting up a remote TrueNAS Scale instance which I would like to connect to my local network.

Current setup: TrueNAS Scale Bluefin, clean install. The other side is a Ubiquiti Unifi router with WireGuard Server running.

I am currently able to set up and authenticate with my local network, however, there is no traffic being passed through and the TrueNAS's IP is not showing up on my local network.

What makes this more interesting is that I have a mac mini running on the same remote network, with the same type of Wireguard configuration, and it connects without any issues to my local network.

Any help would be appreciated.
 

chereszabor

Dabbler
Joined
Apr 20, 2021
Messages
12
Also, here are the wg0.conf and ifconf outputs:

Code:
[Interface]
PrivateKey = xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
Address = 192.168.2.3/32
DNS = 1.1.1.1

[Peer]
PublicKey = xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
AllowedIPs = 192.168.2.1/32,192.168.2.3/32,0.0.0.0/0
Endpoint = my.ddns.address:1234
PersistentKeepalive = 30



Code:
wg0: flags=209<UP,POINTOPOINT,RUNNING,NOARP>  mtu 1420
        inet 192.168.2.3  netmask 255.255.255.255  destination 192.168.2.3
        unspec 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00  txqueuelen 1000  (UNSPEC)
        RX packets 0  bytes 0 (0.0 B)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 1  bytes 148 (148.0 B)
        TX errors 0  dropped 716 overruns 0  carrier 0  collisions 0
 

Whattteva

Wizard
Joined
Mar 5, 2013
Messages
1,824
First, this is more like a Wireguard question than a TrueNAS SCALE question.

That being said, please post the output of wg on both client and server.

Also, what do you really mean by this statement?
I am currently able to set up and authenticate with my local network, however, there is no traffic being passed through and the TrueNAS's IP is not showing up on my local network.
As far as I remember, Wireguard doesn't support layer 2, so it won't "show" on your local router DHCP registrations.
 

chereszabor

Dabbler
Joined
Apr 20, 2021
Messages
12
Here are the wg outputs from the server and client respectively:

Server:
Code:
interface: wgsrv1
  public key: xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
  private key: (hidden)
  listening port: 62342

peer: xxxxxxxxxxxxxxxxxxxxxxxxxxxxx <- Mac Mini
  endpoint: xxxxxxxxxxxxxxxxxx:60814
  allowed ips: 192.168.2.2/32
  latest handshake: 1 minute, 5 seconds ago
  latest receive: 2 seconds ago
  transfer: 25.70 MiB received, 51.89 MiB sent
  forced handshake: every 5 seconds

peer: xxxxxxxxxxxxxxxxxxxxxxxxxxxxx <- TrueNAS Scale
  allowed ips: 192.168.2.3/32
  forced handshake: every 5 seconds



TrueNAS WG Client:
Code:
interface: wg0
  public key: xxxxxxxxxxxxxxxxxxxxxxxxxxx
  private key: (hidden)
  listening port: 35787
  fwmark: 0xca6c

peer: xxxxxxxxxxxxxxxxxxxxxxxxxxx
  endpoint: my.ddns.address:62342
  allowed ips: 192.168.2.1/32, 192.168.2.3/32, 0.0.0.0/0
  transfer: 0 B received, 1001.02 KiB sent
  persistent keepalive: every 30 seconds
 

Whattteva

Wizard
Joined
Mar 5, 2013
Messages
1,824
Looking at those outputs, it looks like the problem is on the client. It's receiving, but never sending any data out. Perhaps a routing error or a firewall. I'm guessing the server is 192.168.2.1?
 

chereszabor

Dabbler
Joined
Apr 20, 2021
Messages
12
My guess is it would be a routing error in TrueNAS, as there are no issues with the Mac Mini; however, I haven't been able to find any useful examples while googling...

The server is at 192.168.1.1, 192.168.2.0/32 is used for WG clients.
 

Whattteva

Wizard
Joined
Mar 5, 2013
Messages
1,824
What's the output of netstat -r on the TrueNAS machine?

The server is at 192.168.1.1, 192.168.2.0/32 is used for WG clients.
Actually, this might be the reason why you can't contact the server. You state that your server is at 192.168.1.1, but your clients are at 192.168.2.0/24 network I'm assuming, which means to reach 192.168.1.0/24, the default gateway (I assume 192.168.2.1) would need to have a route to 192.168.1.0/24 network.

To troubleshoot this properly, probably would need all the subnet settings on your server as well as your clients. Try ip addr and netstat -r on the TrueNAS machine. Unfortunately, I don't know how to dig that info out of a Unifi as I have never owned one.
 

chereszabor

Dabbler
Joined
Apr 20, 2021
Messages
12
When connected to wg client:

Code:
Kernel IP routing table
Destination     Gateway         Genmask         Flags   MSS Window  irtt Iface
default         192.168.10.1    0.0.0.0         UG        0 0          0 enp3s0f0
172.16.0.0      0.0.0.0         255.255.0.0     U         0 0          0 kube-bridge
192.168.2.1     0.0.0.0         255.255.255.255 UH        0 0          0 wg0
192.168.2.3     0.0.0.0         255.255.255.255 UH        0 0          0 wg0
192.168.10.0    0.0.0.0         255.255.255.0   U         0 0          0 enp3s0f0


Will note the 192.168.2.1 entry is strange....
 

Whattteva

Wizard
Joined
Mar 5, 2013
Messages
1,824
Ok, so here's what's going on:

  • TrueNAS SCALE host is on 192.168.10.0/24 network, probably some 192.168.10.x that you can get by doing ip -4 addr show enp3s0f0
  • TrueNAS wg ip is... I don't know... your configs don't list it.
  • Your Unifi wg ip is also unknown, not in your config.
Basically, this is kinda' like why it doesn't work. You need a
Code:
Address = 192.168.2.1/32

field or something similar to that on the clients and the server because Wireguard does NOT support DHCP.
 

chereszabor

Dabbler
Joined
Apr 20, 2021
Messages
12
Just to clarify, the configured WG IP for TrueNAS is 192.168.2.3, and the server IP/URL is also available in the config, I am just masking it.

Do you mean I need to add another address config somewhere?
 

Whattteva

Wizard
Joined
Mar 5, 2013
Messages
1,824
The way WG works is through a layer 3 NAT because it doesn't support layer 2 bridging.
So you need to have another "internal network", if you will, for the WG network. This is a distinctly separate subnet from your LAN and requires routing.

So, if your LAN is 192.168.10.0/24, then the WG network needs to be a different subnet (NOT 192.168.10.0/24) if that makes sense. In your example, you seem to have picked 192.168.2.0/24.

What this means is, your server should look like this:
Code:
[Interface]
PrivateKey = xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
Address = 192.168.2.1/32
ListenPort = 51820

[Peer]
PublicKey = xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
AllowedIPs = 192.168.2.0/24


Your clients should look like this:
Code:
[Interface]
PrivateKey = xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
Address = 192.168.2.3/32
DNS = 1.1.1.1

[Peer]
PublicKey = xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
Endpoint = my.ddns.address:51820
AllowedIPs = 192.168.2.0/24,192.168.10.0/24


That should work. You may still need to add a static route on your router though for return traffic from your LAN (192.168.10.0/24) to your WG (192.168.2.0/24) through your WG gateway (192.168.2.1). I'm guessing you can skip this step since your Wireguard server is actually also your router, so it should set it up automatically.
 

chereszabor

Dabbler
Joined
Apr 20, 2021
Messages
12
Yes, but what am I missing in the configuration? This is my client config file:

Code:
[Interface]
PrivateKey = xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
Address = 192.168.2.3/32
DNS = 1.1.1.1

[Peer]
PublicKey = xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
AllowedIPs = 192.168.2.1/32,192.168.2.3/32,0.0.0.0/0
Endpoint = my.ddns.address:1234
PersistentKeepalive = 30
 

Whattteva

Wizard
Joined
Mar 5, 2013
Messages
1,824
You want to connect to your local network so your AllowedIPs should really be like this:
Code:
AllowedIPs = 192.168.2.0/24, 192.168.10.0/24


Is there any particular reason why you're also routing all traffic through the VPN tunnel? I don't think that's what you want, I'm guessing.
 
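To make the AllowedIPs point concrete, here is an added example (my own code, not from either poster or from WireGuard) that parses a wg-quick style config and applies WireGuard's cryptokey routing rule: a destination is sent into the tunnel only if it falls inside some peer's AllowedIPs, with the longest prefix winning. The two configs are constructed with placeholder keys, modelled on the original "0.0.0.0/0" client config and the narrower site-only set suggested in this reply.

```python
import ipaddress

# Constructed client configs with placeholder keys, modelled on the thread: the
# original "route everything" AllowedIPs and the site-only set suggested above.
CLIENT_ORIGINAL = """[Interface]
PrivateKey = PLACEHOLDER_PRIVATE_KEY
Address = 192.168.2.3/32

[Peer]
PublicKey = PLACEHOLDER_PUBLIC_KEY
AllowedIPs = 192.168.2.1/32,192.168.2.3/32,0.0.0.0/0
Endpoint = my.ddns.address:1234
"""
CLIENT_SUGGESTED = CLIENT_ORIGINAL.replace(
    "192.168.2.1/32,192.168.2.3/32,0.0.0.0/0", "192.168.2.0/24, 192.168.10.0/24")


def parse_wg_conf(text):
    """Return ([interface Address networks], [[peer AllowedIPs networks], ...])."""
    addresses, peers, section = [], [], None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()          # drop comments/whitespace
        if not line:
            continue
        if line.startswith("["):                      # [Interface] / [Peer]
            section = line.strip("[]").lower()
            if section == "peer":
                peers.append([])
            continue
        key, _, value = (p.strip() for p in line.partition("="))
        if (section, key.lower()) not in {("interface", "address"), ("peer", "allowedips")}:
            continue                                  # keys, endpoints etc. are not prefixes
        nets = [ipaddress.ip_network(v.strip(), strict=False) for v in value.split(",")]
        (addresses if section == "interface" else peers[-1]).extend(nets)
    return addresses, peers


def tunnel_route(conf_text, dest):
    """Longest-prefix match over all peers' AllowedIPs (WireGuard's cryptokey
    routing). Returns the winning prefix, or None if the packet bypasses wg0."""
    ip = ipaddress.ip_address(dest)
    best = None
    for allowed in parse_wg_conf(conf_text)[1]:
        for net in allowed:
            if ip in net and (best is None or net.prefixlen > best.prefixlen):
                best = net
    return str(best) if best is not None else None
```

With the original config every destination, including 8.8.8.8, lands in the tunnel via 0.0.0.0/0; with the suggested set only the WG and LAN prefixes do, which is also why a subnet left out of AllowedIPs (such as 192.168.1.0/24) stays unreachable through the VPN.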

chereszabor

Dabbler
Joined
Apr 20, 2021
Messages
12
I don't have a particular reason, this was the config that UnifiOS uses...

I have tested the configuration you suggested, I can now get ping response from google, and local 192.168.10.x IPs, however, I still can't reach the 192.168.2.x IPs or 192.168.1.x - this is my primary local network after adding 192.168.1.0/24 to the list of AllowedIPs.
 

Whattteva

Wizard
Joined
Mar 5, 2013
Messages
1,824
Why exactly are you adding 192.168.1.x? Your LAN from the outputs shows 192.168.10.x, NOT 192.168.1.x.
 

Whattteva

Wizard
Joined
Mar 5, 2013
Messages
1,824
To really diagnose this, you need to tell me your exact network topologies, both from the client and the server. From what I've gathered so far, this is what I see.

Server:
Code:
LAN: 192.168.10.1/24
WG: 192.168.2.1/24


Client:
Code:
LAN: Unknown, never discussed.
WG: 192.168.2.3/24
 

chereszabor

Dabbler
Joined
Apr 20, 2021
Messages
12
Got it, sorry for the confusion:

Server:
Code:
LAN: 192.168.1.1/24
WG: 192.168.2.1/24


Client:
Code:
LAN: 192.168.10.1/24
WG: 192.168.2.3/24
 

Whattteva

Wizard
Joined
Mar 5, 2013
Messages
1,824
Oh, I definitely got confused. In that case, then your config should look like this.

Server:
Code:
[Interface]
PrivateKey = xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
Address = 192.168.1.1/32
ListenPort = 51820

[Peer]
PublicKey = xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
AllowedIPs = 192.168.2.0/24, 192.168.10.0/24


Client:
Code:
[Interface]
PrivateKey = xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
Address = 192.168.2.3/32
DNS = 1.1.1.1

[Peer]
PublicKey = xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
Endpoint = my.ddns.address:51820
AllowedIPs = 192.168.1.0/24, 192.168.2.0/24


192.168.10.0/24 on the server is probably not needed unless you need to set up site-to-site VPN, but leaving it there does no harm really.
 

Whattteva

Wizard
Joined
Mar 5, 2013
Messages
1,824
Still doesn't work? Can you print the routing tables on both server and client?
 