TrueNAS: Easily set up ZFS replication over Wireguard VPN

Wireguard has also found its way into TrueNAS (previously FreeNAS) via FreeBSD. Although there is no GUI to configure it directly, a suitable configuration file can be loaded via a post-init script, which then also establishes the connection.

The advantage over the previous solution: no virtual machine is needed that in turn needs its own updates, hangs from time to time and consumes additional resources. Everything required is already included in the core system; practically only the configuration is missing. I took mine over unchanged from my previous setup, but you can of course also create a new file.

[Screenshot: Establishing the Wireguard connection after the boot process]

In my setup the configuration file is located in

/mnt/VM/wireguard/wg0-client.conf

The file itself is a normal Wireguard configuration. Since I only want to route the traffic to the server at the other end through the VPN, the parameter "AllowedIPs" is restricted accordingly; wg-quick then only adds a route for that network, so the NAS stays reachable on its normal LAN address:

[Interface]
# Must be unique for each client in the tunnel subnet (10.8.0.2 for the first client, 10.8.0.3 for the second, and so on).
Address = 10.8.0.4/24
# Keep this file readable by root only: it contains the private key.
PrivateKey = WIREGUARD-PRIVATE-KEY

# Optional: while the tunnel is up, wg-quick replaces the system DNS servers with this one. Remove the line to keep the default resolver.
DNS = 8.8.8.8

[Peer]
PublicKey = WIREGUARD-PUBLIC-KEY
# Tunnel access to the server-side local network only: wg-quick routes exactly this range through the tunnel, and WireGuard accepts only packets from this range from the peer.
AllowedIPs = 192.168.178.0/24
Endpoint = wireguard.server.net:51820

# Keep the following if you're behind a NAT and want the connection to be kept alive; remove it otherwise.
PersistentKeepalive = 25

The connection is started by means of:

wg-quick up /path/to/wg0-client.conf

and terminated again with:

wg-quick down /path/to/wg0-client.conf

The necessary route, so that the server in the other network (in my case it runs on 192.168.178.31) can be reached, is added automatically by wg-quick from the "AllowedIPs" entry.
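Before handing the file to a post-init script it is worth checking it once: the private key sits in plain text on the pool, a template placeholder left in place means the tunnel can never handshake, and a too-broad "AllowedIPs" is the classic mistake that turns the tunnel into a default route. The following is an added example and not part of the original post: a small shell function that checks file mode, key format, AllowedIPs and Endpoint. The function name check_wg_conf and the path argument are my own; run it against your own config file.

```bash
#!/usr/bin/env bash
# check_wg_conf.sh - sanity checks for a wg-quick client config before "wg-quick up".
# Usage: check_wg_conf /mnt/VM/wireguard/wg0-client.conf
# Prints one line per finding; returns 0 only when all checks pass.
# (Added example, not from the original post.)

check_wg_conf() {
    local f="$1" rc=0 perms

    if [ ! -f "$f" ]; then
        echo "ERROR: $f not found"
        return 2
    fi

    # The file contains the tunnel's private key, so it must not be group/world readable.
    # GNU stat (TrueNAS SCALE) uses -c, BSD stat (TrueNAS Core) uses -f.
    perms=$(stat -c '%a' "$f" 2>/dev/null || stat -f '%Lp' "$f")
    case "$perms" in
        600|400) ;;
        *) echo "ERROR: mode $perms on $f, expected 600 (it holds PrivateKey)"; rc=1 ;;
    esac

    # A WireGuard key is 32 bytes in base64: 43 characters plus one "=".
    # Anything else (for example the WIREGUARD-PRIVATE-KEY placeholder) can never handshake.
    if ! grep -Eq '^PrivateKey *= *[A-Za-z0-9+/]{43}= *$' "$f"; then
        echo "ERROR: PrivateKey missing or not a valid base64 key"; rc=1
    fi
    if ! grep -Eq '^PublicKey *= *[A-Za-z0-9+/]{43}= *$' "$f"; then
        echo "ERROR: peer PublicKey missing or not a valid base64 key"; rc=1
    fi

    # 0.0.0.0/0 or ::/0 makes the tunnel the default route: replication still works,
    # but the NAS is no longer reachable on its own LAN address.
    if grep -Eq '^AllowedIPs *=.*(0\.0\.0\.0/0|::/0)' "$f"; then
        echo "WARNING: AllowedIPs routes all traffic through the tunnel; restrict it to the remote network"; rc=1
    fi

    # Without host:port the endpoint is unusable.
    if ! grep -Eq '^Endpoint *= *[^ ]+:[0-9]+ *$' "$f"; then
        echo "ERROR: Endpoint missing or has no port"; rc=1
    fi

    [ "$rc" -eq 0 ] && echo "OK: $f passed all checks"
    return "$rc"
}
```

A post-init script can call the function first and only run wg-quick up when it returns 0, so a broken or world-readable config is reported instead of silently producing a tunnel that never comes up.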

One problem remains here too: if dynamic IP addresses are used and they change, the Wireguard client does not notice this on its own. For this I adapted the script solution from the Wireguard peer IP check to the corresponding FreeBSD commands (instead of restarting a service, the interface is taken down with wg-quick and brought up again immediately afterwards); the other tools used, such as "dig", are also present in TrueNAS:

#!/usr/bin/env bash
# Compare the peer's current DNS address with the endpoint the interface is
# actually talking to, and re-establish the tunnel if they differ.
# wg0-client:          name of the interface to check
# meinpeer.dyndns.net: DNS name of the peer whose IP should be checked

cip=$(wg show wg0-client endpoints | grep -E -o "([0-9]{1,3}[\.]){3}[0-9]{1,3}")
echo "Wireguard peer IP from interface: $cip"
digIP=$(dig +short meinpeer.dyndns.net A | tail -n 1) # adjust to your peer's DNS name; tail keeps the A record if the name is a CNAME
echo "Wireguard peer IP from DNS: $digIP"

if [ -z "$digIP" ]; then
    echo "DNS lookup failed, leaving the tunnel alone"
elif [ "$digIP" != "$cip" ]; then
    echo "IPs differ, restarting Wireguard"
    wg-quick down /path/to/wg0-client.conf
    wg-quick up /path/to/wg0-client.conf
else
    echo "IPs match, nothing to do"
fi

The script is run as a cron job every 5 minutes; as soon as the IP address no longer matches, the connection is re-established:

[Screenshot: TrueNAS: Wireguard peer IP check every 5 minutes]

What this solution still requires: a Wireguard counterpart ("remote station") in the other network, where the server being replicated to is located. In my setup that is no problem, because I use a Raspberry Pi for this, which also powers on the server on a schedule. Whether the Wireguard built into TrueNAS can be configured to accept incoming connections is therefore something I haven't tried yet.

The remaining steps after the VPN connection is established are straightforward and are described in detail in the official TrueNAS documentation. Basically, replication via VPN works the same way as in the local network; since the tunnel already encrypts the transport, additional encryption is not strictly necessary, but can of course be used.

Even if a NAS is still not a backup, you sleep better with the data distributed across two physically separate locations (in my case several hundred kilometers apart) than with the data sitting at one of the large cloud providers, quite apart from the fact that several terabytes of data become a bit expensive at AWS, while an old HP ProLiant N36L is perfectly adequate for this purpose.

Update: extended peer IP check script

Sometimes the Wireguard connection is up with the correct IP address, but the network behind it is still not reachable. To catch this, I added a "ping" command to the script that checks whether the target server is reachable and reconnects Wireguard if necessary:

#!/usr/bin/env bash
# Extended check: restart the tunnel if the peer's DNS address changed OR the
# target server behind the tunnel does not answer a ping.
# wg0-client:        name of the interface to check
# mypeer.dyndns.net: DNS name of the peer whose IP should be checked
# 192.168.178.10:    target server behind the tunnel (change to yours)

cip=$(wg show wg0-client endpoints | grep -E -o "([0-9]{1,3}[\.]){3}[0-9]{1,3}")
echo "Wireguard peer IP from interface: $cip"
pingip=$(ping -c 1 192.168.178.10 > /dev/null 2>&1 && echo success || echo fail) # change IP to target server
digIP=$(dig +short mypeer.dyndns.net A | tail -n 1) # the peer address must be set; tail keeps the A record if the name is a CNAME
echo "Wireguard peer IP from DNS: $digIP"

if [ -z "$digIP" ]; then
    echo "DNS lookup failed, leaving the tunnel alone"
elif [ "$digIP" != "$cip" ]; then
    echo "IPs don't match, restarting Wireguard"
    wg-quick down /path/to/wg0-client.conf
    wg-quick up /path/to/wg0-client.conf
elif [ "$pingip" != "success" ]; then
    echo "Ping failed, restarting Wireguard..."
    wg-quick down /path/to/wg0-client.conf
    wg-quick up /path/to/wg0-client.conf
else
    echo "OK"
fi
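The scripts above are fine for a single IPv4 peer. As an added example that is not part of the original post, here is the same check (DNS comparison plus the ping extension) with its decision logic pulled out into functions, so the edge cases can be exercised on constructed "wg show" and "dig" output without a live tunnel: a CNAME chain in the dig answer (dig +short prints the alias line first, so a plain string comparison never matches and the tunnel would be restarted every five minutes), an empty answer when the resolver is briefly unavailable (which should not tear down a working tunnel), an IPv6 endpoint, and several peers on one interface. Interface name, config path, the WIREGUARD-PUBLIC-KEY placeholder, DNS name and target server 192.168.178.31 are assumptions taken from the post's placeholders and must be adjusted.

```bash
#!/usr/bin/env bash
# wg_peer_check.sh - the peer check split into small functions so the decision
# logic can be tested without a live tunnel. Cron calls it with "run" as argument.
# (Added example, not from the original post.)
#
# Assumptions (adjust to your setup): interface wg0-client, config
# /path/to/wg0-client.conf, peer public key WIREGUARD-PUBLIC-KEY, DNS name
# meinpeer.dyndns.net, target server 192.168.178.31 behind the tunnel.

# Strip the port from a WireGuard endpoint: "203.0.113.10:51820" -> 203.0.113.10,
# "[2001:db8::1]:51820" -> 2001:db8::1. Prints nothing for "(none)" (no handshake yet).
endpoint_host() {
    local ep="$1"
    case "$ep" in
        ""|"(none)") ;;
        \[*\]:*) ep="${ep#\[}"; printf '%s\n' "${ep%%\]:*}" ;;
        *:*)     printf '%s\n' "${ep%:*}" ;;
        *)       printf '%s\n' "$ep" ;;
    esac
}

# From the output of "wg show <iface> endpoints" (one "pubkey<TAB>endpoint" line
# per peer), print the endpoint host of the peer with the given public key.
peer_endpoint_host() {
    local wg_output="$1" pubkey="$2" k ep
    printf '%s\n' "$wg_output" | while IFS="$(printf '\t')" read -r k ep; do
        if [ "$k" = "$pubkey" ]; then
            endpoint_host "$ep"
            break
        fi
    done
}

# Decide what to do. Arguments: current endpoint host (may be empty), the
# "dig +short" answer (may be several lines, may be empty), ping result.
# Prints one of: skip | restart | ok
peer_check_action() {
    local cur="$1" resolved="$2" reach="$3"
    # No DNS answer: a resolver hiccup must not tear down a working tunnel.
    if [ -z "$resolved" ]; then
        echo skip
        return 0
    fi
    # dig +short prints the CNAME chain before the address, so the whole answer
    # is searched for an exact line match instead of comparing two strings.
    if [ -z "$cur" ] || ! printf '%s\n' "$resolved" | grep -Fxq -- "$cur"; then
        echo restart
        return 0
    fi
    # Right endpoint, but nothing behind it answers: reconnect as well.
    if [ "$reach" != success ]; then
        echo restart
        return 0
    fi
    echo ok
}

# Glue for the cron job: gather live data, decide, act.
run_peer_check() {
    local iface=wg0-client conf=/path/to/wg0-client.conf
    local peer_key=WIREGUARD-PUBLIC-KEY peer_name=meinpeer.dyndns.net target=192.168.178.31
    local cur resolved reach action
    cur=$(peer_endpoint_host "$(wg show "$iface" endpoints)" "$peer_key")
    resolved=$(dig +short "$peer_name" A)
    if ping -c 1 "$target" >/dev/null 2>&1; then reach=success; else reach=fail; fi
    action=$(peer_check_action "$cur" "$resolved" "$reach")
    echo "endpoint=${cur:-none} dns=$(printf '%s' "$resolved" | tr '\n' ' ') ping=$reach -> $action"
    if [ "$action" = restart ]; then
        wg-quick down "$conf"
        wg-quick up "$conf"
    fi
}

# Only act when called with "run" (e.g. from the TrueNAS cron job); running the
# file without arguments or sourcing it just defines the functions.
if [ "${1:-}" = run ]; then
    run_peer_check
fi
```

The cron entry becomes `/path/to/wg_peer_check.sh run` every 5 minutes. Returning "skip" on an empty DNS answer is deliberate: a restart cycle while the resolver is down would only lengthen the outage, whereas the next run five minutes later picks up a changed address anyway.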

3 comments

  1. Hello Falk,
    Your blog post with the DynDNS came at just the right time!

    If I understand you correctly, you also have a TrueNAS at the other end, right? At
    my place it's a Qnap, which I use as a backup server. Therefore the ZFS
    replication unfortunately doesn't work, but it also works with RSYNC, and the Qnap additionally runs regular
    snapshots.
    Anyway...thanks for your effort.
    Greetings, Volker

  2. Hello! Thanks for the guide, which simplified the steps from what had to be done in FreeNAS 11.3.

    But is it normal that the wg IP is "taking over" and you cannot reach the TrueNAS device with the IP belonging to the NIC?

    1. No, in my setup I can reach the TrueNAS device within the local network with its IP - with and without the wireguard connection, on both ends. Perhaps your setup routes all traffic through wireguard. Do you use the correct "AllowedIPs" setting? It shouldn't be 0.0.0.0, because that would route all traffic through the VPN.
