Struggling with WG-Easy configuration on TrueNAS Scale

Using wg-easy v15.1.0
On TrueNAS Scale 25.10-BETA.1

I had a wg-easy VPN successfully setup on a previous TrueNAS installation. I had to set TrueNAS again for other reasons and the copied settings don’t work with the new version of wg-easy.

I’ve looked for/followed several guides online but I still have some kind of config error. Most of the guides were for the previous wg-easy version and I have likely misunderstood how to apply them to the new version.

The wg-easy app is configured for port 51820 in the TrueNAS settings.

The wg-easy web GUI is configured for port 51820 and the same interface as the one from my TrueNAS networking page.

I’ve confirmed that my router has port forwarding enabled and configured for 51820, UDP protocol.

I set up a DDNS + hostname via the asus router’s options as well.

Finally, I used the QR code from the wg-easy web GUI to create the tunnel on the phone app. When I enable the connection on both the phone app and the webGUI, there is a small amount of data transfer observable on both, and it appears to stop. I’m unable to access internal network addresses (like the TrueNAS server) or external web addresses on the phone while the WG connection is up.

I’ve clearly gotten something wrong. Any help is appreciated, including letting me know what additional info you need to better diagnose what I got wrong.

Hi,

I ran into the very same issue a few weeks ago. The default configuration is not sufficient, you need to edit a couple of things to make networking work.

Admin Panel → Config

  • 192.168.188.0/24 → Forward traffic for LAN (use your network address)
  • 10.8.0.0/24 → Allow WireGuard clients to talk to each other
  • 1.1.1.1 and 1.0.0.1 → Use public DNS servers so if connection goes down (server) the client will still have internet access (name resolution).

And here is a config file used by one of my clients:

```
[Interface]
PrivateKey = ***REDACTED***
Address = 10.8.0.2/24
DNS = 1.1.1.1, 1.0.0.1
MTU = 1420

[Peer]
PublicKey = ***REDACTED***
PresharedKey = ***REDACTED***
AllowedIPs = 192.168.188.0/24, 10.8.0.0/24, 1.1.1.1, 1.0.0.1
PersistentKeepalive = 60
Endpoint = yourdomain.com:51820
```

Notes:

  • You see that I don’t have IPv6 configured, this is intentional on my end to keep it simple (at least for now)
  • My setup is working fine and in case the server goes down the clients can still access the internet

Hi,

I am having the same problem and tried the suggested solution above; however, mine does not work as expected.

I have tried both using host network and manually configuring the UDP ports.
Can I see your WG-Easy configuration from when you installed it?

Thanks

I finally got mine working, with the following tweaks:

WebGUI [Admin Panel]->[Config]
Host: (Click suggest and pick the first option “IPv4 - Public”)

After that I had to make a new client on the WebGUI.
I left everything default and when I loaded that tunnel on the phone app it worked.


Definitely make sure that the correct interface is chosen in the wg-easy web ui under “Device”. eth0, the default, is likely not correct.


Allowing all IPs with 0.0.0.0/0 would be simpler and more elegant IMHO. It works in the same manner.

In my case, eth0 was automatically set by wg-easy. After setting my real interface, enp4s0, all worked well \o/

```
/app # ifconfig |grep 10.0.0 -B 2

enp4s0 Link encap:Ethernet HWaddr XX:XX:XX:04:3D:6D
inet addr:10.0.0.2 Bcast:10.0.0.255 Mask:255.255.255.0
```

If the goal is to route ALL traffic through the VPN, then yes. Otherwise: no.

At least in my case, I use WG to access my server from a remote location, that’s it. I intentionally want usual internet traffic to go straight out.

I also use this to connect a backup server from another country to my main server to do offsite backups.

However, I agree that many users want ALL traffic routed, so it really depends on what you’re doing. :upside_down_face:


If you’re willing to have a split tunnel, with some extra subnets, I think your config works well.
If you’re wishing to route all the traffic (full tunnel), then better to use 0.0.0.0/0.
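The client config posted earlier in the thread and the split-tunnel vs. full-tunnel discussion above both come down to what `AllowedIPs` covers: the LAN subnet, the WireGuard subnet, and each DNS server must be routed through the tunnel, or the client reaches them outside it (which is what breaks when a LAN-only address such as the router is used as DNS without being in `AllowedIPs`). The following checker is an added example, not code from the thread or from wg-easy; it parses a WireGuard client `.conf`, reports whether it is a split or full tunnel, and lists DNS servers and required subnets that `AllowedIPs` does not cover. The sample config is constructed to match the one posted above (keys redacted), and the LAN/WireGuard subnets are assumed parameters.

```python
"""Check a WireGuard client .conf for the AllowedIPs / DNS pitfalls discussed in the thread."""
import ipaddress

# Constructed sample modelled on the config posted in the thread (keys redacted).
SAMPLE_CONF = """
[Interface]
PrivateKey = ***REDACTED***
Address = 10.8.0.2/24
DNS = 1.1.1.1, 1.0.0.1
MTU = 1420

[Peer]
PublicKey = ***REDACTED***
PresharedKey = ***REDACTED***
AllowedIPs = 192.168.188.0/24, 10.8.0.0/24, 1.1.1.1, 1.0.0.1
PersistentKeepalive = 60
Endpoint = yourdomain.com:51820
"""


def parse_wg_conf(text):
    """Parse a WireGuard .conf into a list of (section, {key: [values]}).
    A key may repeat inside a section (several AllowedIPs lines), so values are lists."""
    sections = []
    current = None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and blank lines
        if not line:
            continue
        if line.startswith("[") and line.endswith("]"):
            current = (line[1:-1], {})
            sections.append(current)
            continue
        if current is None or "=" not in line:
            raise ValueError(f"unexpected line outside a section: {raw!r}")
        key, value = (s.strip() for s in line.split("=", 1))
        current[1].setdefault(key, []).append(value)
    return sections


def _csv(values):
    """Split comma-separated values collected from one or more config lines."""
    return [v.strip() for value in values for v in value.split(",") if v.strip()]


def allowed_networks(sections):
    """All AllowedIPs entries from every [Peer] section as ip_network objects."""
    return [ipaddress.ip_network(a, strict=False)
            for name, kv in sections if name == "Peer"
            for a in _csv(kv.get("AllowedIPs", []))]


def dns_servers(sections):
    """DNS server addresses from the [Interface] section (search domains are skipped)."""
    servers = []
    for name, kv in sections:
        if name != "Interface":
            continue
        for d in _csv(kv.get("DNS", [])):
            try:
                servers.append(ipaddress.ip_address(d))
            except ValueError:
                pass  # a search domain such as "home.lan" may also appear in DNS=
    return servers


def tunnel_mode(nets):
    """'full' if a default route (0.0.0.0/0 or ::/0) is in AllowedIPs, else 'split'."""
    return "full" if any(n.prefixlen == 0 for n in nets) else "split"


def unrouted_dns(nets, servers):
    """DNS servers not covered by any AllowedIPs entry: the client will query them
    outside the tunnel, which fails outright for a LAN-only resolver."""
    return [s for s in servers
            if not any(s.version == n.version and s in n for n in nets)]


def missing_subnets(nets, required):
    """Required subnets (LAN, WireGuard range) that AllowedIPs does not fully cover."""
    out = []
    for r in required:
        rn = ipaddress.ip_network(r, strict=False)
        if not any(rn.version == n.version and rn.subnet_of(n) for n in nets):
            out.append(r)
    return out


def check_config(text, lan="192.168.188.0/24", wg="10.8.0.0/24"):
    """Run all checks; lan and wg are assumed values for the thread's example network."""
    sections = parse_wg_conf(text)
    nets = allowed_networks(sections)
    servers = dns_servers(sections)
    return {
        "mode": tunnel_mode(nets),
        "unrouted_dns": [str(s) for s in unrouted_dns(nets, servers)],
        "missing_subnets": missing_subnets(nets, [lan, wg]),
    }


if __name__ == "__main__":
    print(check_config(SAMPLE_CONF))
```

For the posted config the checker reports a split tunnel with nothing missing. Replacing `AllowedIPs` with `0.0.0.0/0` reports a full tunnel, also with nothing missing, which is why the two approaches behave the same for reaching the LAN; the difference is only whether ordinary internet traffic leaves via the tunnel. Pointing `DNS` at the router while leaving the LAN subnet out of `AllowedIPs` is flagged as an unrouted resolver, the failure mode described later in the thread.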

Ok, I’ve worked out how to select br01 in the WG config page. I can connect and access internal resources but I cannot connect to the internet from my remote client.

I added all those ‘allowed IPs’ as suggested above and can access internal devices but not the internet.

If I just have 0.0.0.0/0 I cannot connect to internal devices or the internet.

Anyone have any suggestions?

What config information do you need me to post?

On another thread someone put their router IP as a DNS and I’ve added that to my config and my remote client can now access the internet and internal devices.

Spoke too soon, it is now not routing anything local or internet :confused:

Ok, I’ve got it working… not sure how!