FreeNAS: ZFS Replication via Wireguard

So far I have used OpenVPN for the synchronization of my two FreeNAS boxes. Wireguard is a fast alternative, but a bit more complicated to set up.

ZFS replication is a convenient tool to keep data synchronized between two FreeNAS installations. The whole point is to create an offsite backup where the data would survive a house fire or burglary without using external cloud services (which is difficult from a data protection point of view and becomes a cost factor when several terabytes of data are involved).

Unlike OpenVPN, Wireguard is not yet part of FreeNAS, so you have to install it elsewhere. To keep FreeBSD as untouched as possible, I decided to use a Debian VM. The basic data flow is as follows.

  1. A ZFS snapshot is created
  2. The data is routed to the Wireguard connection via a static route
  3. The 2nd FreeNAS system in the target network processes the data

Thanks to the static route, it looks to the sending FreeNAS as if the receiving FreeNAS is on the same network. Compared with OpenVPN, Wireguard makes much better use of the connection (in my case VDSL with 250/40 Mbps for FreeNAS Box 1 and VDSL 50/10 Mbps for FreeNAS Box 2). In the sending direction, the limit is therefore 40 Mbps; if I ever need the backup and have to restore it, sending a disk would probably be faster. All in all, the structure looks like this:

[Figure: Wireguard as connection between two networks]

As you can see, I did not use a virtual machine on the FreeNAS box in the target network. That box is a by now quite old HP Proliant N36L with 8 GB RAM. Instead, an Odroid C2 single-board computer receives the data (it can also start the FreeNAS box on a schedule).

I won't cover the basic Wireguard configuration here; the official site does that better. Also helpful: the Debian documentation for Wireguard.

Once the Wireguard connection is established, the appropriate route is still missing. In the Debian virtual machine, the following is entered in "/etc/rc.local" (adapt to your own setup if necessary):

iptables -t nat -A POSTROUTING -o wg0-client -s 192.168.0.0/24 -j MASQUERADE

exit 0

If the rc.local file is missing or not executed, the necessary steps are described in this post on ITechLounge.net.

Once the setting is done on the Debian VM, all you need to do is set a route in FreeNAS:

[Screenshot: Static route in FreeNAS]

Now a ping from FreeNAS-Box 1 to FreeNAS-Box 2 should work, so that the replication can easily be configured directly with the IP address of the target box.

With a setup like this, in which both FreeNAS boxes sit on private DSL connections whose IP addresses change at the latest every 24 hours, sooner or later a disadvantage of Wireguard becomes apparent: the hostnames of the peers are resolved to IP addresses only once, when the Wireguard interface is started. This means that at some point the connection will fail if the IP address has changed.

The solution: a small script, which I presented in another article: Wireguard: Peer IP check. In this setup it runs on the Debian virtual machine.
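
One way to implement such a check, shown as an added example that is not the script from the linked article: it compares the endpoint Wireguard currently uses with a fresh DNS lookup and updates the peer only when they differ. The host name, port and public key in the usage comment are placeholders, and the endpoint is assumed to be IPv4.

```shell
#!/bin/sh
# Added example: re-resolve a Wireguard peer endpoint after a dynamic IP change.
# Assumptions (not from the article): IPv4-only endpoint, run as root from cron
# on the Debian VM, placeholder host name, port and public key.

# current_endpoint_ip PUBKEY
# Reads `wg show IFACE endpoints` output ("<pubkey>\t<ip>:<port>" per line)
# on stdin and prints the endpoint IP of the given peer without the port.
current_endpoint_ip() {
    awk -v key="$1" '$1 == key { sub(/:[0-9]+$/, "", $2); print $2 }'
}

# needs_update CURRENT RESOLVED
# Succeeds only if RESOLVED is non-empty, consists solely of digits and dots,
# and differs from CURRENT. A failed DNS lookup therefore never triggers an
# update, so a resolver outage cannot break a working tunnel.
needs_update() {
    case "$2" in
        ''|*[!0-9.]*) return 1 ;;
    esac
    [ "$1" != "$2" ]
}

# check_peer IFACE PUBKEY HOST PORT
check_peer() {
    cur=$(wg show "$1" endpoints | current_endpoint_ip "$2")
    new=$(getent ahostsv4 "$3" | awk 'NR == 1 { print $1 }')
    if needs_update "$cur" "$new"; then
        wg set "$1" peer "$2" endpoint "$new:$4"
        logger -t wg-peer-check "$1: endpoint $cur -> $new"
    fi
}

# Only act when called with four arguments, e.g. from cron every few minutes:
#   wg-peer-check.sh wg0-client <peer-public-key> peer.example.org 51820
if [ "$#" -eq 4 ]; then
    check_peer "$@"
fi
```

Because the update is logged through syslog, an endpoint change to an unexpected address remains visible afterwards.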

I hope this article will inspire one or two readers to look into the connection of two FreeNAS boxes for replication. Surely there are other ways to connect two networks together, but if a VPN server is available at the backup location you can also "help yourself" directly to the mirrored data without having to synchronize the complete data.
