TrueNAS: Easily set up ZFS replication over Wireguard VPN

Wireguard has also found its way into TrueNAS (previously FreeNAS) via FreeBSD. Although there is no interface to configure it directly, a suitable configuration file can be loaded via a post-init script and then also establishes the connection.

The advantage over the previous solution: no virtual machine is needed, which in turn needs its own updates, can hang times and consumes the additional resources. Everything you need is already included in the core system, practically only the configuration is missing, this I have completely taken over from my previous setup, otherwise you can also create a new file.

Establishing the Wireguard connection after the boot process

In my setup the configuration file is located in

/mnt/VM/wireguard/wg0-client.conf

The file itself then corresponds to a normal Wireguard configuration. Since I only want to route the traffic to the server at the other end through the VPN, the parameter "AllowedIPs" is restricted accordingly:

[Interface]
# The address must be unique for each client, use "10.8.0.3/24" for the second client and so on.
Address = 10.8.0.4/24
PrivateKey = WIREGUARD-PRIVATE-KEY

# Comment the following to preserve the clients default DNS server, or force a desired one.
DNS = 8.8.8.8

[Peer]
PublicKey = WIREGUARD-PUBLIC-KEY
# Tunnel access to server-side local network only:
AllowedIPs = 192.168.178.0/24
Endpoint = wireguard.server.net:51820

# Uncomment the following, if you're behind a NAT and want the connection to be kept alive.
PersistentKeepalive = 25

The connection is started by means of:

wg-quick up /path/to/wg0-client.conf

or by means of

wg-quick down /path/to/wg0-client.conf

terminated again. The necessary route, so that the server in the other network (in my case this runs on the IP 192.168.178.31) can be reached, is set automatically by the Wireguard client.

One problem remains here too: if dynamic IP addresses are used and these change, the Wireguard client is initially unaware of this. For this, the corresponding script solution for the Wireguard Peer IP check adapted to the appropriate FreeBSD commands (instead of restarting the service once and restarting it immediately afterwards, the other elements used, such as "dig", are also present in TrueNAS:

#!/bin/bash
# Check status of interface
# wg0-client: name of the interface to check
# meinpeer.dyndns.net: the name of the peer whose IP should be checked
        
cip=$(wg show wg0-client endpoints | grep -E -o "([0-9]{1,3}[\.]){3}[0-9]{1,3}")
echo "$cip"
digIP=$(dig +short meinpeer.dyndns.net) # The address of the peer needs to be adjusted
   echo "$digIP"
     if [ "$digIP" != "$cip" ]
       then
          echo "Data is different"
          wg-quick down /path/to/wg0-client.conf
          wg-quick up /path/to/wg0-client.conf
        else
    echo "Data is the same"
    #Nothing to do
   fi

The script is only executed by cronjob every 5 minutes, as soon as the IP address does not match the connection is re-established:

TrueNAS: Wireguard peer IP check every 5 minutes

What is still necessary with this solution: a "remote station" in the other network where the server is located that is replicated to. In my setup no problem, because I use a Raspberry Pi, which is the Server also starts time-controlled. Whether you can configure TrueNAS's built-in wireguard functionality to accept incoming connections is therefore something I haven't tried yet.

The rest of the steps after establishing the VPN connection are then easily done and is perfectly described in the official TrueNAS documentation described. Basically, replication via VPN works the same way as in the local network, an additional encryption is actually not necessary, but can of course be used.

Even if a NAS is still no backup, you sleep better with the distribution of the data on two physically separate places (in my case also several hundred kilometers apart from each other), than if the data is located, for example, at one of the large cloud providers - apart from the fact that several terrabytes of data then become a bit expensive at AWS and an old HP Proliant N36L is perfectly adequate for this purpose.

1 thought on “TrueNAS: ZFS-Replication über Wireguard-VPN einfach einrichten”

  1. Hello Falk,
    Your blog post with the DynDNS came at just the right time!

    If I understand you correctly, you also have a TrueNAS at the end, right? At
    mirs is a Qnap, which I use as a backup server. Therefore unfortunately works
    the Zfs-Replication not, but with RSYNC it also works and in the Qnap run additionally regular
    Snapshots.
    Anyway...thanks for your effort.
    Greetings, Volker

Leave a Comment

Your email address will not be published. Required fields are marked *

en_USEnglish
Scroll to Top