Nginx Proxy Manager: allow only local traffic and WireGuard traffic?

For apps that I don’t want exposed to the whole Internet, I’ve been making Nginx proxy hosts with an access list to only allow traffic from 192.168.x.x/16 addresses.

When I want to work on my server from somewhere else, I use a WireGuard tunnel on my ASUS router, which lets me access web GUIs via their address:port, but not via the subdomains I’ve set up. I tried changing the tunnel IPv4 to a 192.168.x.x address, but that didn’t change anything.

Has anyone gotten this working? From what I understand the usual approach is to run the WireGuard tunnel from the TrueNAS server itself, so I’m having trouble finding results for this. Here’s what the tunnel looks like on my router web UI.
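An added example, not from this thread: the nginx source-address gate that an NPM access list compiles down to, extended so that WireGuard peers are admitted alongside the LAN. The tunnel subnet `10.6.0.0/24`, the hostname and the upstream are assumed values; substitute the IPv4 range the router's WireGuard page actually assigns to peers.

```nginx
# Added example (not the thread's own config). Equivalent of an NPM access list
# for one proxy host, with the tunnel peers allowed as well as the LAN.
# Assumed values: peers get 10.6.0.0/24 from the router's WireGuard server,
# the LAN is 192.168.0.0/16, and the app listens on 127.0.0.1:8080.
server {
    listen 443 ssl;
    server_name app.example.internal;   # hypothetical subdomain

    # nginx evaluates allow/deny top to bottom and the first match wins,
    # so the allows must come before the closing deny.
    allow 192.168.0.0/16;   # LAN clients
    allow 10.6.0.0/24;      # WireGuard peers (assumed tunnel subnet)
    deny  all;              # everything else, i.e. the public Internet

    location / {
        proxy_pass http://127.0.0.1:8080;   # hypothetical upstream
        proxy_set_header Host $host;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    }
}
```

The rules match `$remote_addr`, so check the proxy host's access log for the address a tunnel client actually arrives from: if the router NATs tunnel traffic to its own LAN address, peers already fall under the `192.168.0.0/16` entry and the problem lies elsewhere (for example the subdomain resolving to the public IP rather than the internal one).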

Look up WG-Easy in the app catalog, or run it as a Custom-App

I’m not sure what’s supposed to be happening here. I’ve tried using WG-Easy before, but I couldn’t get it to work (clients have no Internet access). It also looks like all the tutorials and guides and other question threads I’ve found are out of date, because their app installation page has options that mine doesn’t.

I installed WG-Easy and created a tunnel with my phone. I enabled my router to forward port 51820 to my TrueNAS server, trying UDP and BOTH; neither worked.

I saw on this Reddit thread that I might try changing the WG_DEVICE environment variable. My TrueNAS’s Network page says that I’m on enp2s0, so I changed it to that; didn’t work. I double-checked my container’s ifconfig, and it’s connected on that interface. I tried converting the community app to a custom app and adding the variable in that way just to be sure, and it still didn’t work.

Am I missing something obvious? I must be.

Use the official docker-compose here → wg-easy/docker-compose.yml at master · wg-easy/wg-easy · GitHub

volumes:
  etc_wireguard:

services:
  wg-easy:
    #environment:
    #  Optional:
    #  - PORT=51821
    #  - HOST=0.0.0.0
    #  - INSECURE=false

    image: ghcr.io/wg-easy/wg-easy:15
    container_name: wg-easy
    networks:
      wg:
        ipv4_address: 10.42.42.42
        ipv6_address: fdcc:ad94:bacf:61a3::2a
    volumes:
      - etc_wireguard:/etc/wireguard
      - /lib/modules:/lib/modules:ro
    ports:
      - "51820:51820/udp"
      - "51821:51821/tcp"
    restart: unless-stopped
    cap_add:
      - NET_ADMIN
      - SYS_MODULE
      # - NET_RAW # ⚠️ Uncomment if using Podman
    sysctls:
      - net.ipv4.ip_forward=1
      - net.ipv4.conf.all.src_valid_mark=1
      - net.ipv6.conf.all.disable_ipv6=0
      - net.ipv6.conf.all.forwarding=1
      - net.ipv6.conf.default.forwarding=1

networks:
  wg:
    driver: bridge
    enable_ipv6: true
    ipam:
      driver: default
      config:
        - subnet: 10.42.42.0/24
        - subnet: fdcc:ad94:bacf:61a3::/64

Use their official docs for more


Thanks! Can’t really say I know what’s being done differently in the official compose file, but after I set port forwarding on my router for port 51820 it was plug-and-play.