Latest update to wg-easy failed

Hi everyone,

I need to update all my apps in my system and I have the error:
[EINVAL] values.network.udp_port: A dict was expected
I already read the Latest update of emby today fails - #13 by lolo
and after updating TrueNAS to TrueNAS-SCALE-24.10.2.2
all my apps updated correctly, but not the Wg-easy app on my TrueNAS SCALE.
I have an error upgrading Wg-easy.

“middlewared.service_exception.ValidationErrors: [EINVAL] values.network.dns_opts: Field was not expected
[EINVAL] values.network.udp_port: A dict was expected”

I don’t want to reinstall wg-easy because I need to change all the clients that connect to it.
Any help is very appreciated.

The wg-easy release is:
App Version:14
Version:1.1.14

Thanks

WG Easy released v15, upstream suggests reinstalling.
You can export your config, reinstall app and import config.

Thanks for your reply,
I take the suggestion and back up the config and restore.
I think that was not possible.
Thank you a lot.

How did you get this working? I’m stuck in a circle trying to upgrade that I can’t escape from:

I was previously running v14 with no issues, and I followed the suggestion to export my config from my v14 container, and then start fresh with v15 and import those settings.

Here’s what happens:

  1. Log into v14 and export config, then shut down v14 container.
  2. Add v15 app to TrueNAS as new app. Accepted all defaults.
  3. Logged into new v15 instance and set up my initial user
  4. Imported old config saved from v14

At this point I am presented the login screen for WG. I put in my username and password, but it just keeps taking me back to the login screen. I see the following above my login:

“You can’t log in with an insecure connection. Use HTTPS.”

At this point I’m stuck. I can’t log in on that page, and trying to put https in front of the address with the same port won’t load the page. Any help anyone can provide would be great.

This allowed me to log in after the update:

1 Like

OK, that fixed the first problem, now I can log in at least. However it seems my imported config doesn’t work. If I connect to it from my client, it seems to work on the client end, but I can’t reach anything on the inside, and if I run ‘wg show’ in the container, I don’t see my peer. If I revert back to the old container, everything works as expected. Is there anything special I need to do to get the new config to import and work successfully other than importing it during initial setup?

Last year, I migrated from Core to Scale and installed WG Easy.
Since then, I never removed WG Easy or changed its files in the iX directory (yes, I was using the default hidden directory).

Now, on ElectricEel-24.10.2.2, I overcame the same problem you had.
The only thing I’ve changed when reinstalling the app was to set permanent storage as shown in the image attached. Keep in mind that the dataset I’ve named “Apps” and its child dataset “Wireguard” are both of the type “Apps”. The user “Apps” is the default one.

I ended up finding the real problem. I had used a different port on my previous install, so when I imported that config, it didn’t line up with the port set by default in the new app. Changing the port to be my old one has fixed the issue and I can now reach the TrueNAS server from WireGuard and a client over the VPN.

However, I’m still having a routing issue where I can’t reach any other clients on the inside of the network from a VPN client. I verified that switching back to the old WireGuard allows me to reach those clients, but on the new WireGuard I can’t. After some digging, it looks like the routing tables are set to forward it to eth0 instead of ens2p0 like I need it to:

/app # iptables -L -v -t nat
Chain PREROUTING (policy ACCEPT 987K packets, 324M bytes)
pkts bytes target prot opt in out source destination

Chain INPUT (policy ACCEPT 770K packets, 299M bytes)
pkts bytes target prot opt in out source destination

Chain OUTPUT (policy ACCEPT 81192 packets, 5747K bytes)
pkts bytes target prot opt in out source destination

Chain POSTROUTING (policy ACCEPT 82119 packets, 5828K bytes)
pkts bytes target prot opt in out source destination
0 0 MASQUERADE all -- any eth0 10.8.0.0/24 anywhere
0 0 MASQUERADE all -- any eth0 10.8.0.0/24 anywhere
/app # ip a
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
inet 127.0.0.1/8 scope host lo
valid_lft forever preferred_lft forever
inet6 ::1/128 scope host noprefixroute
valid_lft forever preferred_lft forever
2: enp1s0: <NO-CARRIER,BROADCAST,MULTICAST,UP> mtu 1500 qdisc fq_codel state DOWN group default qlen 1000
link/ether 34:97:f6:94:fa:e4 brd ff:ff:ff:ff:ff:ff
3: enp2s0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UP group default qlen 1000
link/ether 3c:52:a1:cc:60:07 brd ff:ff:ff:ff:ff:ff
inet 192.168.68.120/22 brd 192.168.71.255 scope global dynamic enp2s0
valid_lft 5601sec preferred_lft 5601sec
inet6 fe80::3e52:a1ff:fecc:6007/64 scope link proto kernel_ll
valid_lft forever preferred_lft forever
4: br-46790bf81b14: <NO-CARRIER,BROADCAST,MULTICAST,UP> mtu 1500 qdisc noqueue state DOWN group default
link/ether 02:42:72:29:93:7b brd ff:ff:ff:ff:ff:ff
inet 172.16.2.1/24 brd 172.16.2.255 scope global br-46790bf81b14
valid_lft forever preferred_lft forever
6: br-f2b7b89e4f56: <NO-CARRIER,BROADCAST,MULTICAST,UP> mtu 1500 qdisc noqueue state DOWN group default
link/ether 02:42:07:f3:3c:ed brd ff:ff:ff:ff:ff:ff
inet 172.16.1.1/24 brd 172.16.1.255 scope global br-f2b7b89e4f56
valid_lft forever preferred_lft forever
7: docker0: <NO-CARRIER,BROADCAST,MULTICAST,UP> mtu 1500 qdisc noqueue state DOWN group default
link/ether 02:42:10:69:f0:f5 brd ff:ff:ff:ff:ff:ff
inet 172.16.0.1/24 brd 172.16.0.255 scope global docker0
valid_lft forever preferred_lft forever
inet6 fdd0::1/64 scope global nodad
valid_lft forever preferred_lft forever
37: wg0: <POINTOPOINT,NOARP,UP,LOWER_UP> mtu 1420 qdisc noqueue state UNKNOWN group default qlen 1000
link/none
inet 10.8.0.1/24 scope global wg0
valid_lft forever preferred_lft forever
inet6 fdcc:ad94:bacf:61a4::cafe:1/112 scope global
valid_lft forever preferred_lft forever

On the v14 wg_easy there was a field on the config tab to specify the device that it should route to. In v15 it looks like this field is removed, so I have no way to set it. How can I change this value so that my iptables ends up routing to enp2s0 instead of eth0?
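A check for the mismatch shown in the post above, as an added example that is not part of the original thread or of wg-easy: it compares the out-interface of every MASQUERADE rule in `iptables -L -v -t nat` with the interfaces listed by `ip a` and prints the ones that do not exist. The function name `missing_masq_ifaces` and the sample dumps are assumptions, constructed on the pattern of the output in the post.

```shell
#!/bin/sh
# Constructed sample, modelled on the POSTROUTING chain in the post:
# both NAT rules send VPN traffic out of eth0.
SAMPLE_NAT='Chain POSTROUTING (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target      prot opt in   out   source        destination
    0     0 MASQUERADE  all  --  any  eth0  10.8.0.0/24   anywhere
    0     0 MASQUERADE  all  --  any  eth0  10.8.0.0/24   anywhere'

# Constructed sample of `ip a` header lines: there is no eth0 here.
SAMPLE_IP='1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536
3: enp2s0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500
37: wg0: <POINTOPOINT,NOARP,UP,LOWER_UP> mtu 1420'

# missing_masq_ifaces NAT_DUMP IP_DUMP
# Prints, once each, every out-interface used by a MASQUERADE rule
# that does not appear in the `ip a` listing.
missing_masq_ifaces() {
    nat_dump=$1
    ip_dump=$2
    {
        printf '%s\n' "$ip_dump"
        printf '%s\n' '--NAT--'          # separator between the two dumps
        printf '%s\n' "$nat_dump"
    } | awk '
        $0 == "--NAT--" { in_nat = 1; next }
        # "3: enp2s0: <...>" or "2: eth0@if12: <...>" -> interface name
        !in_nat && /^[0-9]+: / {
            name = $2
            sub(/[@:].*/, "", name)
            have[name] = 1
            next
        }
        # Columns: pkts bytes target prot opt in out source destination
        in_nat && $3 == "MASQUERADE" && $7 != "any" && $7 != "*" \
            && !($7 in have) && !seen[$7]++ { print $7 }
    '
}

# On the sample above this prints "eth0".
missing_masq_ifaces "$SAMPLE_NAT" "$SAMPLE_IP"
```

On a live system the same function can be fed the real output: `missing_masq_ifaces "$(iptables -L -v -t nat)" "$(ip a)"`.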

True, I too can’t access clients on a local network from the VPN.
Whatever I try doesn’t help.
It was working fine on the previous version.
WG-easy homepage looks to be in the works, check this:

I found an answer in the wg_easy GitHub. You have to log in as your admin user, then click on the username to open a menu. In there I was able to open up the config pages and change my network device to the correct one that clients should be routed to. After doing that and restarting it’s working again.

1 Like

Thanks! Working fine now 🙂

1 Like

Hello. Is there a possibility to install v14?

I suppose you could convert it to a custom app and then manually change the version for Docker to pull. Your current wg-easy config files may not be backwards compatible though.

v15 is the version marked as “Latest”, even if v14 has received an update since v15 was released. A bit confusing…