I realize CORE and its iocage jails are going away, but I still wanted to figure out how the networking for this topic would work, if someone can help.
Using the excellent guide, “How to setup a wireguard vpn server in a jail” from the old TrueNAS forum, I was able to update the instructions a little (to install wireguard-tools and to load the kernel module on the host (“kldload if_wg”)) to work on Core v 13.3-U.1.1, and managed to get WireGuard configured and working.
I can now access everything on my LAN (which is 192.168.1.x) and everything on the host’s virtual networks (which are 172.16.0.x). However, when I try to reach any jail from the WireGuard client using the LAN IP of the TrueNAS host and one of the ports that are forwarded to the jail with the NAT feature of the jails (the normal way of reaching the jails from my LAN), the WireGuard client can’t reach the jail that way. The packets don’t go through.
Is someone able to tell me how to add route commands, or how to add a NAT rule to the WireGuard server’s jail, that would make this possible?
I have ipfw configured just like the guide advised.
I discovered that the port forward rules on the host that let me use the host’s IP with different ports to reach the jails from elsewhere on my LAN are set up like this:
root@freenas:~ # ipfw nat show config
ipfw nat 462 config if em1 same_ports redirect_port udp 172.16.0.22:51820 42171 redirect_port tcp 172.16.0.18:4040 4040 redirect_port tcp 172.16.0.14:8989 8081 redirect_port tcp 172.16.0.10:8080 8080 redirect_port tcp 172.16.0.6:7878 7878 redirect_port udp 172.16.0.2:7359 7359 redirect_port udp 172.16.0.2:1900 1900 redirect_port tcp 172.16.0.2:8920 8920 redirect_port tcp 172.16.0.2:8096 8096
I am trying to understand a way to change the configuration of the WireGuard server in the jail that would let me leverage the host’s port forwarding without having to repeat it in the jail. But I realize that may not be possible, and I would be OK with repeating it in the jail if someone could tell me exactly how I might accomplish that.
Has anyone solved this problem or is able to see a way to solve it?
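An added example, not from the original post or from the forum guide it follows: a small POSIX sh script that reads the host's `ipfw nat show config` line quoted above and generates the equivalent redirect_port entries for a second ipfw nat instance inside the WireGuard jail, so the forwards do not have to be retyped by hand. It only prints the commands; nothing is applied. Assumptions that are not in the original post: the tunnel interface inside the jail is called wg0, the host's LAN address is 192.168.1.5, the jail's existing NAT for client traffic (from the guide) is instance 1 on the epair interface and is left in place, so instance 2 is used here, rule number 100 is free, and 172.16.0.22 (the target of the udp 42171 forward) is the WireGuard jail itself and is skipped. The redirect_port form used is the documented libalias one, `redirect_port proto targetIP:targetPORT aliasIP:aliasPORT`, so the rewrite only fires for packets addressed to the host's LAN IP.

```shell
#!/bin/sh
# Added example (not the post author's or the guide's code): derive jail-side
# ipfw nat commands from the host's "ipfw nat show config" output.

# Constructed input: a copy of the host line quoted in the post.
HOST_NAT_CONFIG='ipfw nat 462 config if em1 same_ports redirect_port udp 172.16.0.22:51820 42171 redirect_port tcp 172.16.0.18:4040 4040 redirect_port tcp 172.16.0.14:8989 8081 redirect_port tcp 172.16.0.10:8080 8080 redirect_port tcp 172.16.0.6:7878 7878 redirect_port udp 172.16.0.2:7359 7359 redirect_port udp 172.16.0.2:1900 1900 redirect_port tcp 172.16.0.2:8920 8920 redirect_port tcp 172.16.0.2:8096 8096'

# extract_redirects CONFIG_LINE
# Prints one "proto target:port alias_port" triple per line, in host order.
extract_redirects() {
    printf '%s\n' "$1" | awk '{
        for (i = 1; i <= NF; i++)
            if ($i == "redirect_port" && i + 3 <= NF)
                print $(i+1), $(i+2), $(i+3)
    }'
}

# gen_jail_nat INSTANCE IFACE HOST_LAN_IP CONFIG_LINE [SKIP_TARGET_IP]
# Emits two lines: the nat instance config for the jail and the rule that
# applies it to traffic in and out of the tunnel interface ("via" matches
# both directions, which libalias needs to untranslate the replies).
# Forwards whose target is SKIP_TARGET_IP (assumed to be this jail itself)
# are omitted.
gen_jail_nat() {
    inst=$1; iface=$2; hostip=$3; cfg=$4; skip=${5:-}
    redirects=$(extract_redirects "$cfg" | while read -r proto target aport; do
        case $target in
            "$skip":*) continue ;;   # do not forward to the WireGuard jail itself
        esac
        # aliasIP:aliasPORT form: only packets sent to the host's LAN IP match
        printf ' redirect_port %s %s %s:%s' "$proto" "$target" "$hostip" "$aport"
    done)
    printf 'ipfw nat %s config if %s same_ports%s\n' "$inst" "$iface" "$redirects"
    printf 'ipfw add 100 nat %s ip4 from any to any via %s\n' "$inst" "$iface"
}

# Usage: print the commands for review before pasting them into the jail's
# ipfw startup script (hypothetical values, see the lead-in).
gen_jail_nat 2 wg0 192.168.1.5 "$HOST_NAT_CONFIG" 172.16.0.22
```

The generated rules rely on IP forwarding already being enabled in the jail (it must be, since the client can already reach the 172.16.0.x jails) and on the guide's existing NAT on the epair side still masquerading the client's source address toward the other jails; the nat 2 rule on wg0 then only rewrites the destination on the way in and the source on the way back out. Check the result with `ipfw nat show config` and `ipfw show` inside the jail rather than trusting the script.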