wireguard client in a jail

amagikei

Dabbler
Joined
Jan 24, 2021
Messages
12
Hi. I lost a lot of time trying to set up WireGuard as a client in a jail or plugin jail, but got nothing except errors.
Does anyone still use WireGuard as a client for p2p?
TrueNAS Core 13.U4,
- that didn't work for me: https://www.cyberciti.biz/faq/how-to-install-a-wireguard-vpn-client-in-a-freebsd-jail/
- I tried to change the tunables to LOADER
- config checked (taken from another PC)
- and some errors as if someone forgot the access rights to /boot/modules/if_wg.ko

Regards
 
Joined
Oct 22, 2019
Messages
3,641
This post is too vague. What exactly did you try, in more detail?
 

amagikei

Dabbler
Joined
Jan 24, 2021
Messages
12
1. New Jail
13.1 release
DHCP
VNET
Berkeley Packet Filter
ipv6 disabled
+ allow_raw_sockets
ip6.saddrsel disabled
+ allow_tun

2. Jail installed

3. System tunables
if_wg_load YES LOADER yes
wireguard_enable YES RC yes
wireguard_interfaces wg0 RC yes

4. https://www.cyberciti.biz/faq/how-to-install-a-wireguard-vpn-client-in-a-freebsd-jail/
starting jail
registered on router
jail shell
pkg update ok
pkg upgrade ok
cat /etc/devfs.rules
cat: /etc/devfs.rules: No such file or directory

nano /etc/devfs.rules
add include $devfsrules_hide_all
add include $devfsrules_unhide_basic
add include $devfsrules_unhide_login
add path 'tun*' unhide
add path 'bpf*' unhide
add path zfs unhide
saved

pkg search wireguard
pkg install wireguard

root@QBB:~ # pkg install wireguard
Updating FreeBSD repository catalogue...
FreeBSD repository is up to date.
All repositories are up to date.
The following 5 package(s) will be affected (of 0 checked):

New packages to be INSTALLED:
bash: 5.2.15
readline: 8.2.1
wireguard: 2,1
wireguard-kmod: 0.0.20220615_1
wireguard-tools: 1.0.20210914_1

Number of packages to be installed: 5

The process will require 11 MiB more space.
2 MiB to be downloaded.

Proceed with this action? [y/N]: y
[QBB] [1/5] Fetching wireguard-2,1.pkg: 100% 1 KiB 1.5kB/s 00:01
[QBB] [2/5] Fetching wireguard-tools-1.0.20210914_1.pkg: 68% 40 KiB 41.0kB/s[QBB] [2/5] Fetching wireguard-tools-1.0.20210914_1.pkg: 100% 58 KiB 59.6kB/s 00:01
[QBB] [3/5] Fetching readline-8.2.1.pkg: 100% 371 KiB 379.7kB/s 00:01
[QBB] [4/5] Fetching bash-5.2.15.pkg: 100% 2 MiB 1.7MB/s 00:01
[QBB] [5/5] Fetching wireguard-kmod-0.0.20220615_1.pkg: 100% 39 KiB 39.6kB/s 00:01
Checking integrity... done (0 conflicting)
[QBB] [1/5] Installing readline-8.2.1...
[QBB] [1/5] Extracting readline-8.2.1: 100%
[QBB] [2/5] Installing bash-5.2.15...
[QBB] [2/5] Extracting bash-5.2.15: 100%
[QBB] [3/5] Installing wireguard-tools-1.0.20210914_1...
[QBB] [3/5] Extracting wireguard-tools-1.0.20210914_1: 100%
[QBB] [4/5] Installing wireguard-kmod-0.0.20220615_1...
[QBB] [4/5] Extracting wireguard-kmod-0.0.20220615_1: 100%
[QBB] [5/5] Installing wireguard-2,1...
[QBB] [5/5] Extracting wireguard-2,1: 100%
=====
some bla bla bla

5. wg0.conf
root@QBB:~ # cd /usr/local/etc/wireguard/
root@QBB:/usr/local/etc/wireguard # umask 077; wg genkey | tee privatekey-remote-ln-sg-vpn | wg pubkey > publickey-remote-ln-sg-vpn
root@QBB:/usr/local/etc/wireguard # ls -l
total 17
-rw------- 1 root wheel 45 Aug 27 11:34 privatekey-remote-ln-sg-vpn
-rw------- 1 root wheel 45 Aug 27 11:34 publickey-remote-ln-sg-vpn
root@QBB:/usr/local/etc/wireguard # cat privatekey-remote-ln-sg-vpn publickey-remote-ln-sg-vpn
key=
key=
nano /usr/local/etc/wireguard/wg0.conf
[Interface]
PrivateKey = key=
Address = 172.x.x.x/24
DNS = 192.168.1.1

[Peer]
PublicKey = key=
AllowedIPs = 192.168.1.0/24, 0.0.0.0/1, 128.0.0.0/1, 172.x.x.x/24
Endpoint = server:port
PersistentKeepalive = 3600

6. Turn on WireGuard VPN client service
sysrc wireguard_interfaces="wg0"
wireguard_interfaces: -> wg0
sysrc wireguard_enable="YES"
wireguard_enable: -> YES

~ # service wireguard start
[#] ifconfig wg create name wg0
[!] Missing WireGuard kernel support (ifconfig: SIOCIFCREATE2: Invalid argument). Falling back to slow userspace implementation.
[#] wireguard-go wg0
/usr/local/bin/wg-quick: line 33: wireguard-go: command not found
[#] ifconfig wg0 destroy
ifconfig: interface wg0 does not exist

7. so is it
pkg install wireguard wireguard-go libqrencode
ok
[QBB] [1/3] Installing png-1.6.39...
[QBB] [1/3] Extracting png-1.6.39: 100%
[QBB] [2/3] Installing libqrencode-4.1.1...
[QBB] [2/3] Extracting libqrencode-4.1.1: 100%
[QBB] [3/3] Installing wireguard-go-0.0.20220316_14,1...
[QBB] [3/3] Extracting wireguard-go-0.0.20220316_14,1: 100%
root@QBB:~ # service wireguard start
[#] ifconfig wg create name wg0
[!] Missing WireGuard kernel support (ifconfig: SIOCIFCREATE2: Invalid argument). Falling back to slow userspace implementation.
[#] wireguard-go wg0
┌──────────────────────────────────────────────────────┐
│ │
│ Running wireguard-go is not required because this │
│ kernel has first class support for WireGuard. For │
│ information on installing the kernel module, │
│ please visit: │
│ https://www.wireguard.com/install/ │
│ │
└──────────────────────────────────────────────────────┘
[#] wg setconf wg0 /dev/stdin
Warning: AllowedIP has nonzero host part: 172.x.x.x/24
[#] ifconfig wg0 inet 172.x.x.x/24 alias
[#] ifconfig wg0 mtu 1420
[#] ifconfig wg0 up
[#] resolvconf -a wg0 -x
[#] route -q -n add -inet 192.168.1.0/32 -interface wg0
[#] route -q -n add -inet 172.x.x.0/32 -interface wg0
[#] route -q -n add -inet 192.168.1.0/24 -interface wg0
[#] route -q -n add -inet 128.0.0.0/1 -interface wg0
[#] route -q -n add -inet 0.0.0.0/1 -interface wg0
[+] Backgrounding route monitor

interface: wg0
public key: key=
private key: (hidden)
listening port: port

peer: key=
endpoint: server
allowed ips: 192.168.1.0/24, 172.x.x.0/32, 192.168.1.0/32, 0.0.0.0/1, 128.0.0.0/1
latest handshake: 2 minutes, 51 seconds ago
transfer: 4.43 KiB received, 7.03 GiB sent ///// here is always a lot of GiB
persistent keepaliv

root@QBB:~ # ps aux | grep wireguard
root 99270 0.0 0.1 884204 84896 21 IJ 11:50 8:29.20 wireguard-go wg0
root 99430 0.0 0.0 12920 2408 21 S+J 11:55 0:00.00 grep wireguard

root@QBB:~ # ping -c 1 172.x.x.1 /// remote server
PING 172.x.x.1 (172.x.x.1): 56 data bytes

--- 172.x.x.1 ping statistics ---
1 packets transmitted, 0 packets received, 100.0% packet loss

root@QBB:~ # ping -c 1 192.168.1.1 //remote router
PING 192.168.1.1 (192.168.1.1): 56 data bytes

--- 192.168.1.1 ping statistics ---
1 packets transmitted, 0 packets received, 100.0% packet loss

root@QBB:~ # ping -c 1 192.168.2.1 //router
PING 192.168.2.1 (192.168.2.1): 56 data bytes
64 bytes from 192.168.2.1: icmp_seq=0 ttl=64 time=0.622 ms

--- 192.168.2.1 ping statistics ---
1 packets transmitted, 1 packets received, 0.0% packet loss
round-trip min/avg/max/stddev = 0.622/0.622/0.622/0.000 ms

root@QBB:~ # ifconfig wg0
wg0: flags=8043<UP,BROADCAST,RUNNING,MULTICAST> metric 0 mtu 1420
options=80000<LINKSTATE>
inet 172.x.x.4 netmask 0xffffff00 broadcast 172.x.x.255
groups: tun
nd6 options=109<PERFORMNUD,IFDISABLED,NO_DAD>
Opened by PID 99270
root@QBB:~ #

8. See routing info on your FreeBSD:
root@nas[~]# netstat -f inet -r -n
Routing tables
Internet:
Destination        Gateway            Flags     Netif Expire
default            192.168.2.1        UGS         re0
127.0.0.1          link#6             UH          lo0
192.168.2.0/24     link#1             U           re0
192.168.2.138      link#1             UHS         lo0

9.
If I try to use a plugin jail, the installation cannot be finished due to
"failed to creat temporary file if_wg.ko"
 
Joined
Oct 22, 2019
Messages
3,641
1. New Jail
13.1 release
EOL, unsupported. Should have chosen 13.2 (or upgraded to it).


3. System tunables
if_wg_load YES LOADER yes
wireguard_enable YES RC yes
wireguard_interfaces wg0 RC yes
For the host? Only the first one is needed. The other two can be removed.


nano /etc/devfs.rules
add include $devfsrules_hide_all
add include $devfsrules_unhide_basic
add include $devfsrules_unhide_login
add path 'tun*' unhide
add path 'bpf*' unhide
add path zfs unhide
saved
Why? Setting up or editing the jail, you can use the GUI to do all these configurations, including the devfs_ruleset and other configurations. No need to manually do this inside the jail with a command-line. In fact, you already configured this before even editing this file in the jail. (Off topic: Not sure why you want to unhide ZFS in the jail.)


pkg install wireguard
Not needed. This meta-package pulls in other unneeded packages. You only need the package wireguard-tools installed in the jail.


For the rest of the steps, are you just following that guide word-for-word, just because? There are guides and posts in this forum meant for TrueNAS.

Are you running your own WireGuard server, or are you using a provider that you connect to as a client, such as AirVPN, Mullvad, Proton, etc?
 
Last edited:

amagikei

Dabbler
Joined
Jan 24, 2021
Messages
12
I tried to google the solution, but didn't find it in a complete form.
I have my own server.
Do I need to configure the firewall on the host, or ipfw.rules?
This simple task makes me angry, while there is no native built-in option with a GUI on/off switch.
Sorry
 
Last edited by a moderator:

subnetspider

Dabbler
Joined
Aug 27, 2023
Messages
16
nano /etc/devfs.rules
add include $devfsrules_hide_all
add include $devfsrules_unhide_basic
add include $devfsrules_unhide_login
add path 'tun*' unhide
add path 'bpf*' unhide
add path zfs unhide
saved
Did you create the devfs rule on TrueNAS or inside the jail? And did you apply the decfs rule in the jail's config?
 

amagikei

Dabbler
Joined
Jan 24, 2021
Messages
12
Did you create the devfs rule on TrueNAS or inside the jail? And did you apply the decfs rule in the jail's config?
nano /etc/devfs.rules was inside the jail
devfs rule - no, will try now

upd:
still cannot ping or reach anything outside the LAN
 

subnetspider

Dabbler
Joined
Aug 27, 2023
Messages
16
The "decfs" was a typo, sorry.
AFAIK the devfs rules have to be set on the host / TrueNAS CORE. You can change the setting in the GUI under "Jail > jailname > Jail Properties > devfs_ruleset". Before that, the devfs rule has to be added to /etc/devfs.rules on TrueNAS CORE though.
 

amagikei

Dabbler
Joined
Jan 24, 2021
Messages
12
Hmmm, the TrueNAS log shows a new error
23:30:47 truenas kernel: wg0: loop detected
Aug 27 23:31:47 truenas kernel[1406]: Last message 'wg0: loop detected' repeated 1 times, suppressed by syslog-ng on truenas.local

Code:
root@QB:~ # netstat -nr
Routing tables

Internet:
Destination        Gateway            Flags     Netif Expire
0.0.0.0/1          link#4             US          wg0
default            192.168.2.1        UGS     epair0b
127.0.0.1          link#1             UH          lo0
128.0.0.0/1        link#4             US          wg0
172.16.82.0/24     link#4             U           wg0
172.16.82.10       link#4             UHS         lo0
192.168.1.0/24     link#4             US          wg0
192.168.2.0/24     link#3             U       epair0b
192.168.2.93       link#3             UHS         lo0

Internet6:
Destination                       Gateway                       Flags     NetifExpire
::/96                             ::1                           UGRS        lo0
::1                               link#1                        UHS         lo0
::ffff:0.0.0.0/96                 ::1                           UGRS        lo0
fe80::/10                         ::1                           UGRS        lo0
fe80::%lo0/64                     link#1                        U           lo0
fe80::1%lo0                       link#1                        UHS         lo0
ff02::/16                         ::1                           UGRS        lo0

root@QB:~ # ipfw show
65535 126 36813 allow ip from any to any

root@QB:~ # cat /etc/rc.conf
cron_flags="$cron_flags -J 15"

# Disable Sendmail by default
sendmail_enable="NO"
sendmail_submit_enable="NO"
sendmail_outbound_enable="NO"
sendmail_msp_queue_enable="NO"

# Run secure syslog
syslogd_flags="-c -ss"

# Enable IPv6
ipv6_activate_all_interfaces="YES"
ifconfig_epair0b="SYNCDHCP"
wireguard_interfaces="wg0"
wireguard_enable="YES"


root@QB:~ # cat mpd.conf
cat: mpd.conf: No such file or directory
 
Last edited:

subnetspider

Dabbler
Joined
Aug 27, 2023
Messages
16
[Peer]
PublicKey = key=
AllowedIPs = 192.168.1.0/24, 0.0.0.0/1, 128.0.0.0/1, 172.x.x.x/24
Endpoint = server:port
PersistentKeepalive = 3600
I suppose the problem lies somewhere in here. If you want all traffic to go through WireGuard, you should only use 0.0.0.0/0 instead. If you want to only access 172.16.0.0 - 172.31.255.255, you should use 172.16.0.0/12, so internet access goes through your router (192.168.2.1). ;^)
 

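An added check (not from the thread or from the WireGuard project) for the two AllowedIPs issues seen above: the "nonzero host part" warning, and the routing loop. wg-quick only adds its bypass route for the peer's Endpoint when an AllowedIPs entry is a /0, so with the two /1 halves the endpoint's own address is routed back into wg0, which matches the "wg0: loop detected" message. The sample config and the 203.0.113.5 endpoint are constructed; the check assumes a numeric Endpoint.

```python
import ipaddress

# Constructed sample modelled on the thread's wg0.conf (203.0.113.5 is a documentation address).
SAMPLE_CONF = """\
[Interface]
Address = 172.16.82.10/24

[Peer]
PublicKey = key=
AllowedIPs = 192.168.1.0/24, 0.0.0.0/1, 128.0.0.0/1, 172.16.82.10/24
Endpoint = 203.0.113.5:51820
"""

def parse_peer(conf):
    """Return (AllowedIPs entries, Endpoint host) from the first [Peer] section."""
    allowed, endpoint, section = [], None, None
    for line in conf.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        if line.startswith("["):
            section = line.strip("[]").lower()
            continue
        key, _, value = line.partition("=")
        key, value = key.strip().lower(), value.strip()
        if section == "peer" and key == "allowedips":
            allowed += [v.strip() for v in value.split(",") if v.strip()]
        elif section == "peer" and key == "endpoint":
            endpoint = value.rsplit(":", 1)[0].strip("[]")
    return allowed, endpoint

def check_allowed_ips(conf):
    """Return findings: host bits set in AllowedIPs, and endpoint routed into the tunnel."""
    allowed, endpoint = parse_peer(conf)
    findings, nets = [], []
    for cidr in allowed:
        iface = ipaddress.ip_interface(cidr)
        if iface.ip != iface.network.network_address:
            findings.append(f"nonzero host part: {cidr}")  # same warning wg setconf prints
        nets.append(iface.network)
    # wg-quick adds the endpoint bypass route only for a /0 entry; two /1 halves get none.
    if endpoint and not any(n.prefixlen == 0 for n in nets):
        try:
            ep = ipaddress.ip_address(endpoint)
        except ValueError:  # hostname: resolve it before running this check
            return findings
        if any(ep in n for n in nets if n.version == ep.version):
            findings.append(f"loop risk: endpoint {endpoint} is covered by AllowedIPs; use 0.0.0.0/0 or a narrower range")
    return findings
```

Replacing the three overlapping entries with 0.0.0.0/0, or with 172.16.0.0/12 as suggested in the reply, makes both findings disappear.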
amagikei

Dabbler
Joined
Jan 24, 2021
Messages
12
Here was my problem, this loop. 0.0.0.0/0 saved my neurons. Thanks a lot!
I suppose the problem lies somewhere in here. If you want all traffic to go through WireGuard, you should only use 0.0.0.0/0 instead. If you want to only access 172.16.0.0 - 172.31.255.255, you should use 172.16.0.0/12, so internet access goes through your router (192.168.2.1). ;^)
 

subnetspider

Dabbler
Joined
Aug 27, 2023
Messages
16
Glad I could help :smile:
 