Wireguard without jail for replication task

This resource was originally made by user: newguy123 on the TrueNAS Community Forums Archive. Please DM this account or comment in this thread to claim it.

Updated 06Aug2023; thanks neptunus

Hi folks,

I just want to share my way of creating a WireGuard tunnel for an offsite replication task. This only covers the WireGuard part on TrueNAS, without its configuration.

Since my offsite TrueNAS has no power to open any ports, it needs to call home, so all steps are done at the offsite remote end.

Via Web GUI → Shell:

Code:

nano /root/wg0.conf

Paste in the standard WireGuard config and modify it to your needs:

Code:

[Interface]
# The address must be unique for each client, use "10.8.0.3/24" for the second client and so on.
Address = 10.8.0.4/24
PrivateKey = WIREGUARD-PRIVATE-KEY
# Comment the following to preserve the client's default DNS server, or force a desired one.
DNS = 8.8.8.8

[Peer]
PublicKey = WIREGUARD-PUBLIC-KEY
# Tunnel access to server-side local network only:
AllowedIPs = 192.168.178.0/24
Endpoint = wireguard.server.net:51820
# Uncomment the following, if you're behind a NAT and want the connection to be kept alive.
PersistentKeepalive = 25

Create a script so that WireGuard recognizes IP changes of the server:

Code:

nano /root/wireguard_check.sh

Paste the following into the created file and modify IP-of-home-truenas, dyndns-entry-of-your-WG-server, etc.:

Code:

#!/bin/bash
# wg0.conf is copied to this path by the Init/Shutdown script configured below
CONF=/usr/local/etc/wireguard/wg0.conf

# peer endpoint IP that WireGuard is currently using
cip=$(wg show wg0 endpoints | grep -E -o "([0-9]{1,3}[.]){3}[0-9]{1,3}")
echo "Wireguard peer IP from Interface: $cip"
# change ip to target server (a host behind the tunnel that must answer)
pingip=$(ping -c 1 192.168.10.20 > /dev/null 2>&1 && echo success || echo fail)
# the peer address must be set; resolve the server's current public IP
# (tail keeps only the A record in case the name is a CNAME)
digIP=$(dig @1.1.1.1 +short dyndns-entry-of-your-WG-server | tail -n 1)
echo "$digIP"

# the -n guard makes sure a failed DNS lookup does not tear down a working tunnel
if [ -n "$digIP" ] && [ "$digIP" != "$cip" ]; then
    echo "IPs don't match, restarting wireguard"
    wg-quick down "$CONF"
    wg-quick up "$CONF"
elif [ "$pingip" != "success" ]; then
    echo "Ping failed, restarting wireguard..."
    wg-quick down "$CONF"
    wg-quick up "$CONF"
else
    echo "OK" # nothing else to do
fi

Leave the shell.

Go to Tasks → Init/Shutdown Scripts → Add
Description: WireGuard Init
Type: Command
Command: mkdir -p /usr/local/etc/wireguard && cp /root/wg0.conf /usr/local/etc/wireguard/wg0.conf && /usr/local/etc/rc.d/wireguard start
When: Post Init
Enabled: yes
Timeout: 10
→ Save

Go to System → Tunables → Add
Variable: wireguard_enable
Value: YES
Type: rc.conf
Enabled: yes
→ Save

Go to System → Tunables → Add
Variable: wireguard_interfaces
Value: wg0
Type: rc.conf
Enabled: yes
→ Save

Go to Tasks → Cron Jobs → Add
Description: wireguard_check
Command: /bin/bash /root/wireguard_check.sh
Run as user: root
Schedule: Custom (*/5 * * * *)
Hide standard output: yes
Hide standard error: no
Enabled: yes
→ Save

This checks the connection every 5 minutes and, in case it is not successful, triggers WireGuard to re-establish the connection.

Reboot and see if it works.

Related TrueNAS documentation: Enabling WireGuard (provides instructions on setting up WireGuard on TrueNAS CORE).

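As an added example (not part of the original post or of TrueNAS), here is the restart decision of the check script above written as a testable shell function. It goes a little beyond the original: a failed DNS lookup is treated as "no change" instead of forcing a restart, and liveness is judged from `wg show wg0 latest-handshakes` (a real wg subcommand) rather than a ping. The peer key, IP addresses, timestamps and the 180 s threshold are constructed values.

```shell
#!/bin/sh
# Added example (not from the original post): the restart decision of
# wireguard_check.sh as a pure shell function, so it can be tested offline.
# Arguments mimic real command output (IPv4 endpoint assumed):
#   $1  one line of `wg show wg0 endpoints`         e.g. "PUBKEY<TAB>203.0.113.7:51820"
#   $2  one line of `wg show wg0 latest-handshakes` e.g. "PUBKEY<TAB>1690000100"
#   $3  IP that `dig +short` returned for the server's DynDNS name ("" if lookup failed)
#   $4  current unix time (date +%s)
# Prints the reason; returns 0 when wg-quick should be restarted, 1 otherwise.
# Two changes versus the original script: a failed DNS lookup no longer forces a
# restart, and liveness comes from the handshake age rather than a ping.
wg_needs_restart() {
    endpoint_line=$1; handshake_line=$2; dns_ip=$3; now=$4
    max_age=${WG_MAX_HANDSHAKE_AGE:-180}   # assumed threshold; keepalive in wg0.conf is 25 s

    # peer IP currently in use: drop the public-key column and the :port suffix
    cur_ip=$(printf '%s\n' "$endpoint_line" | awk '{print $2}' | sed 's/:[0-9]*$//')
    last_hs=$(printf '%s\n' "$handshake_line" | awk '{print $2}')

    if [ -z "$dns_ip" ]; then
        echo "DNS lookup failed, keeping current tunnel"
        return 1
    fi
    if [ "$dns_ip" != "$cur_ip" ]; then
        echo "Server IP changed ($cur_ip -> $dns_ip), restarting"
        return 0
    fi
    if [ -z "$last_hs" ] || [ "$last_hs" -eq 0 ]; then
        echo "No handshake yet, restarting"
        return 0
    fi
    if [ $((now - last_hs)) -gt "$max_age" ]; then
        echo "Last handshake $((now - last_hs)) s ago, restarting"
        return 0
    fi
    echo "OK"
    return 1
}

# On the TrueNAS box this would be driven by the real commands, e.g. from cron:
#   if wg_needs_restart "$(wg show wg0 endpoints)" "$(wg show wg0 latest-handshakes)" \
#        "$(dig @1.1.1.1 +short dyndns-entry-of-your-WG-server | tail -n 1)" "$(date +%s)"; then
#       wg-quick down /usr/local/etc/wireguard/wg0.conf
#       wg-quick up   /usr/local/etc/wireguard/wg0.conf
#   fi
```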

Loving the work of this newguy123 xD

PS: the solution is still working with TrueNAS-13.0-U6.1 (Core).