Hello,
After spending 4+ days trying to fix weird issues in a TrueNAS Jail with OpenVPN and Private Internet Access (PIA) I’ve decided to throw in the towel.
For those interested, I’ve been trying to get it fixed with help on the TrueNAS forums with no succes. After some discussions on various Discord servers I’ve come to the conclusion that the problem must be with PIA as I’m not the only one experiencing this.
Configuration sanity check
I decided to switch to Mullvad VPN service with WireGuard and after doing so all my issues have disappeared. Unfortunately I have very little fundamental knowledge of networking and would like to know if I’ve done things right.
I have Transmission running in a TrueNAS Jail and I want to make sure all external Transmission traffic is going over the VPN connection while still being able to reach the Transmission Web UI on my LAN. This seems to be working as intended right now. I’ve followed this guide and I’m using service wireguard start/stop to start and stop the service. I’ve also configured /etc/rc.conf to start it automatically.
This is my WireGuard configuration file which I got from Mullvad:
[Interface]
PrivateKey = <private_key>
Address = 10.xxx.xxx.xxx/32
DNS = 193.xxx.xxx.xxx
[Peer]
PublicKey = <public_key>
AllowedIPs = 0.0.0.0/0
Endpoint = 193.xxx.xxx.xxx:xxxxx
These are my IPFW rules to make sure that all external traffic that doesn’t go through the VPN gets blocked but internal traffic is allowed for the user Transmission is running under:
# Set rules command prefix
cmd="ipfw -q add"
vpn="wg0"
user="<transmission_user>"
localLan="192.168.178.0/24"
# Flush out the list before we begin
ipfw -q -f flush
# Allow all local traffic on the loopback interface
${cmd} 00001 allow all from any to any via lo0
# Allow any connection to/from VPN interface
${cmd} 00010 allow all from any to any via ${vpn}
# Allow connection to/from LAN by User
${cmd} 00101 allow all from me to ${localLan} uid ${user}
${cmd} 00102 allow all from ${localLan} to me uid ${user}
# Deny any User connection outside LAN that does not use VPN
${cmd} 00103 deny log all from any to any uid ${user}
These is my routing table, which I don’t understand how I should interpret unfortunately
Internet:
Destination Gateway Flags Netif Expire
0.0.0.0/1 wg0 US wg0
default 192.168.178.1 UGS epair0b
<mullvad_ip> link#4 UH wg0
127.0.0.1 link#1 UH lo0
128.0.0.0/1 wg0 US wg0
192.168.178.0/24 link#3 U epair0b
192.168.178.10 link#3 UHS lo0
<mullvad_endpoint> 192.168.178.1 UGHS epair0b
/etc/resolv.conf being cleared after stopping WireGuard
I do have one small issue with WireGuard. When I start WireGuard my /etc/resolv.conf file get altered so it uses the WireGuard DNS server(s). After I stop the WireGuard service it clears this rule but doens’t restore the old nameserver. I think I can fix this with some sort of post down script but I don’t know how and so far I haven’t been able to find a solution for this. How can I fix this?
Thanks in advance for your help.