I will be setting up a jail with a working VPN. Once the VPN is set up you can install whatever you want inside it.

I will be using Wireguard, and I will be connecting to Mullvad in this guide.


Creating the jail

(Make sure to check Advanced Jail Creation.)

Basic Properties

  • Set the jail name, I’m calling mine VPN

  • Jail type, I’m using Basejail

  • Release, I’m using 13.2-RELEASE

  • Check both NAT and VNET

Jail Properties

  • Check allow_raw_sockets

Custom Properties

  • Check allow_tun

Save and create the jail.


Setup inside the jail

Start the jail and open a shell.

Set up package management:

$ pkg

Then answer yes to install and set up the package manager.

After this is set up, install a text editor of your choice. I’m going to be using vim:

$ pkg install vim


Wireguard


Installation

Install Wireguard

$ pkg install wireguard

Then say yes and let it install.


Postdown script

First we’ll make a PostDown script that restores /etc/resolv.conf. Otherwise, when Wireguard disconnects, the jail will likely be left without internet, because its DNS configuration has been overwritten.

Create the file:

$ touch /usr/local/etc/wireguard/postdown.sh

Make it executable:

$ chmod +x /usr/local/etc/wireguard/postdown.sh

Get the contents of resolv.conf; we will need them to restore it later:

$ cat /etc/resolv.conf

You will get an output like:

# Generated by resolvconf
search lan
nameserver 192.168.1.1

Now open the postdown script and add the following:

#!/usr/local/bin/bash
echo "# Generated by resolvconf
search lan
nameserver 192.168.1.1
" > /etc/resolv.conf

Where the contents inside the quotes are the contents of your own resolv.conf file.

Now create a backup of resolv.conf just in case:

$ cp /etc/resolv.conf /etc/resolv.conf.bak

And run the postdown script to test that it works:

$ /usr/local/etc/wireguard/postdown.sh && ping truenas.com

If your ping command doesn’t work, restore resolv.conf from the backup and try again.
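As an added example (not part of the original guide), here is a save/restore hook that avoids hard-coding the resolver contents in the script: a PreUp hook copies /etc/resolv.conf aside before Wireguard changes it, and the PostDown hook puts that copy back. The script path /usr/local/etc/wireguard/resolv-hook.sh and the backup path /etc/resolv.conf.wg-backup are my own choices; RESOLV and BACKUP can be overridden in the environment so the script can be exercised against throwaway files before it is wired into wg0.conf.

```shell
#!/bin/sh
# Hypothetical hook script (not from the original guide): saves and restores
# resolv.conf around a WireGuard session instead of hard-coding its contents.
# Intended use from wg0.conf:
#   PreUp    = /usr/local/etc/wireguard/resolv-hook.sh save
#   PostDown = /usr/local/etc/wireguard/resolv-hook.sh restore
# RESOLV and BACKUP default to the real paths; override them to test safely.

RESOLV="${RESOLV:-/etc/resolv.conf}"
BACKUP="${BACKUP:-/etc/resolv.conf.wg-backup}"

save_resolv() {
    # Copy the pre-VPN resolver config aside; -p keeps mode and timestamps.
    cp -p "$RESOLV" "$BACKUP"
}

restore_resolv() {
    # Refuse to clobber resolv.conf with a missing or empty backup:
    # a broken resolv.conf is worse than the stale one WireGuard left behind.
    if [ ! -s "$BACKUP" ]; then
        echo "restore_resolv: no usable backup at $BACKUP, leaving $RESOLV untouched" >&2
        return 1
    fi
    # Write to a temp file and rename, so an interrupted write never leaves
    # an empty resolv.conf.
    tmp="$RESOLV.tmp.$$"
    cp "$BACKUP" "$tmp" && mv "$tmp" "$RESOLV"
}

case "${1:-}" in
    save)    save_resolv ;;
    restore) restore_resolv ;;
    "")      : ;;   # no argument: only define the functions (sourced or tested)
    *)       echo "usage: $0 save|restore" >&2; exit 2 ;;
esac
```

With this in place the PostDown line in wg0.conf becomes the restore call and a matching PreUp line does the save, so the script no longer needs editing when the LAN resolver changes. The refusal to restore from an empty backup is deliberate: the failure mode the guide describes (no internet after disconnect) is easier to diagnose than a silently truncated resolv.conf.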


Mullvad Wireguard configuration

Since this guide is for Mullvad, log in and go to their Wireguard configuration generator.

  • Platform: choose Linux. TrueNAS Core runs FreeBSD, which is not offered, so Linux is the closest option and the choice shouldn’t matter.

  • Generate a Wireguard key

  • Select one or multiple exit locations, I’m going to choose All countries and cities and servers.

  • Under advanced, I’m checking IPv4 only

  • Click Download zip archive to get the configurations.


Getting Wireguard config into jail

Now we need to actually get the configuration into the jail. Since I already have a bunch of shared datasets, I’m going to temporarily mount one into the jail so I can copy the files over. You can do this however you like.

  • Copy the Wireguard zip downloaded from Mullvad into the dataset you want to mount.

  • STOP the jail

  • Click MOUNT POINTS > ACTIONS > Add

  • Choose the source as the dataset you copied the file into

  • Choose the destination as /mnt (which actually has the full path of /mnt/<poolname>/iocage/jails/VPN/root/mnt)

  • Make it read-only if you want

  • START the jail, open up a SHELL, and cd into the mount point:
    $ cd /mnt
    
  • Copy the zip file into the Wireguard config directory:
    $ cp mullvad_wireguard_linux_all_all.zip /usr/local/etc/wireguard/wireguard_configs.zip
    
  • Unzip the file into a directory of your choice:
    $ unzip wireguard_configs.zip -d wgconfigs
    
  • Now cd into the Wireguard directory, copy the config you want to use into it as wg0.conf, and open it:
    $ cd /usr/local/etc/wireguard/
    $ cp ./wgconfigs/ca-tor-wg-002.conf wg0.conf
    $ vim wg0.conf
    


Finalize Wireguard config

Under the [Interface] section, add a PostDown line that calls the postdown script:

PostDown = /usr/local/etc/wireguard/postdown.sh

Your config should look something like:

[Interface]
PrivateKey = <private_key>
Address = 10.xxx.xxx.xxx/32
DNS = 193.xxx.xxx.xxx
PostDown = /usr/local/etc/wireguard/postdown.sh

[Peer]
PublicKey = <public_key>
AllowedIPs = 0.0.0.0/0
Endpoint = 193.xxx.xxx.xxx:xxxx


Enable Wireguard

Now we’re ready to actually use Wireguard, so let’s enable it.

Tell the service which interface to bring up (it reads the matching wg0.conf we just made):

$ sysrc wireguard_interfaces="wg0"

Enable the Wireguard service on startup:

$ sysrc wireguard_enable="YES"


Start, Stop, Restart Wireguard

Now Wireguard will connect automatically when the jail starts, but you can also control it with the service command.

To start Wireguard:

$ service wireguard start

To stop Wireguard:

$ service wireguard stop

To restart Wireguard:

$ service wireguard restart


Connection check

I’m going to use curl to check my connection; it needs to be installed first:

$ pkg install curl


Mullvad connection check

Mullvad provides an endpoint for checking your connection.

Simply run:

$ curl https://am.i.mullvad.net/connected

You should see something like:

You are connected to Mullvad (server ca-tor-wg-002). Your IP address is xxx.xxx.xxx.xxx

Congrats, your jail is now connected to the VPN.
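A scripted version of this check, added here and not taken from the original guide, is handy from cron or right after a service wireguard restart: it parses the reply text shown above, prints the server name, and exits non-zero on any other reply or on a failed request, so a dropped tunnel is never mistaken for success. The URL is the one above; the function names and the 10-second timeout are my choices, and the sample replies used to exercise the parser are constructed.

```shell
#!/bin/sh
# Added example (not part of the original guide): a scripted Mullvad
# connection check. Anything other than an explicit "You are connected to
# Mullvad (...)" reply counts as a failure.

MULLVAD_CHECK_URL="https://am.i.mullvad.net/connected"

# parse_mullvad_reply REPLY
# Prints the server name and returns 0 when REPLY says we are connected;
# returns 1 for any other text (including the "You are not connected" reply).
parse_mullvad_reply() {
    reply="$1"
    case "$reply" in
        "You are connected to Mullvad ("*")"*)
            server="${reply#You are connected to Mullvad (}"   # drop the prefix
            server="${server%%)*}"                              # keep text up to ')'
            server="${server#server }"                          # drop the "server " word
            printf '%s\n' "$server"
            return 0
            ;;
        *)
            return 1
            ;;
    esac
}

# check_mullvad
# Fetches the reply (10 s timeout, fail on HTTP errors) and parses it.
# Exit status: 0 connected, 1 reply says not connected, 2 request failed.
check_mullvad() {
    reply=$(curl -fsS --max-time 10 "$MULLVAD_CHECK_URL") || {
        echo "mullvad check: request failed (tunnel down or DNS broken?)" >&2
        return 2
    }
    if server=$(parse_mullvad_reply "$reply"); then
        echo "connected via $server"
    else
        echo "NOT connected to Mullvad: $reply" >&2
        return 1
    fi
}

# Only touch the network when invoked as "<script> run"; keeps the file sourceable.
if [ "${1:-}" = "run" ]; then
    check_mullvad
fi
```

Running it as a periodic job inside the jail and alerting on a non-zero exit gives an early warning that the jail is talking to the internet outside the tunnel, which is the situation the PostDown script is there to make survivable rather than invisible.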


Using a single jail as a vpn for other jails

I have not figured out how to get this working. So if you read this and know how, please let me know.

So far my solution to this is just to install any and all apps which need a VPN inside the VPN jail.