How To Enable Wireguard on FreeNAS 11.3

WireGuard is quickly gaining popularity in the VPN marketplace due to its speed, simplicity, and modern cryptography standards. Starting with FreeNAS version 11.3-RC1, it is possible to connect your NAS directly to a WireGuard network with a few easy steps.

We get started on this by creating some custom tunables to enable the WireGuard service and give it a default interface. To do this you must first navigate to System -> Tunables -> Add.

Enable the WireGuard service by adding “wireguard_enable” -> “YES” in rc.conf.

Next, create another tunable and add “wireguard_interfaces” -> “wg0” in rc.conf.

When finished, you should have the following two variables set and enabled.

Next, we will need to create a post-init script that will place the WireGuard config into the correct location at startup. Navigate to Tasks -> Init/Shutdown Scripts -> Add.

Create the following command and set it to run at post-init:

“mkdir /usr/local/etc/wireguard && cp /root/wg0.conf /usr/local/etc/wireguard/wg0.conf && /usr/local/etc/rc.d/wireguard start”

You can configure the /root/wg0.conf file and apply a WireGuard configuration to attach to whatever WireGuard network you define. It can be a single point-to-point to anything running WG, or even with full routing. Example use cases are:

  • Access data on a NAS from your Remote Laptop
  • Linking NAS to NAS for replication
  • Attaching a managed NAS to a remote network
  • Access to your NAS from your smartphone

We need to create the /root/wg0.conf which will contain the specific WireGuard configuration to apply at boot. This configuration is beyond the scope of this article, but there are quickstart guides and tutorials available online as well as the built-in ‘wg-quick’manpage.

Once you have a valid /root/wg0.conf, rebooting the system should bring up the WireGuard interface, and you’ll see a ‘wg0’ device in the output of ‘ifconfig’.

Congratulations, you have successfully linked your FreeNAS system to a secure WireGuard tunnel!

16 Comments

  1. Isaiah Ritter

    I have followed this guide exactly as described. However, when starting WG, I keep getting the following report. I do not understand why iptables command is not found.

    [#] wireguard-go wg0
    INFO: (wg0) 2020/02/09 17:02:47 Starting wireguard-go version 0.0.20190908
    [#] wg setconf wg0 /tmp/tmp.6DEHwN79/sh-np.yZM9jB
    [#] ifconfig wg0 inet 10.100.100.1/24 10.100.100.1 alias
    [#] ifconfig wg0 mtu 1420
    [#] ifconfig wg0 up
    [#] route -q -n add -inet 10.100.100.2/32 -interface wg0
    [+] Backgrounding route monitor
    [#] iptables -A FORWARD -i wg0 -j ACCEPT; iptables -A FORWARD -o wg0 -j ACCEPT; iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
    /usr/local/bin/wg-quick: line 379: iptables: command not found
    [#] rm -f /var/run/wireguard/wg0.sock

    Reply
    • Joon Lee

      Isaiah,

      iptables is for Linux. FreeNAS is a FreeBSD based system so that command won’t work.

      Reply
  2. Brian

    Will these changes in 11.3 allow similar procedures work for ZeroTier instead of Wireguard?

    Reply
    • Joon Lee

      Unfortunately, no. This is a tutorial on how to set up Wireguard, not ZeroTier.

      Please try posting your question on the forums! http://www.ixsystems.com/community

      Reply
  3. Andrew Alles

    Anyone have any luck with DNS resolution over the tunnel with these instructions for a DNS server hosted on a different subnet? Point-to-point traffic works fine across the tunnel; I’ve already got IP forwarding on, so I’m wondering if there’s some NAT stuff I have to do in addition to that.

    Reply
    • Joe

      Might want to try adding the remote DNS as a second DNS in network manager on Linux or editing the /etc/resolv.conf file with another nameserver.

      Reply
  4. Shogoki

    Following the exact steps above did not work for me in FreeNAS 11.3 U2.1
    Seems like /usr/local/etc/wireguard is already existing after reboot, when the Post INIT command is running.
    Therefore the „mkdir /usr/local/etc/wireguard“ command is failing and the following ones are not executed.
    I simply changed the full command to be:

    “mkdir -p /usr/local/etc/wireguard && cp /root/wg0.conf /usr/local/etc/wireguard/wg0.conf && /usr/local/etc/rc.d/wireguard start”
    (Note the „-p“ behind mkdir), which will make mkdir silently continue if the directory is already there.
    Maybe the post can be updated, or at least my comment may helps some others wondering about that.

    Reply
    • Shogoki

      Uh, emm. actually i do not have a question. just found out, that the blog post my be outdated or is not working like described and provided the fix already.
      So, no Question, just a hint for future readers. And maybe we have a chance to update the blog post?

      Reply
  5. merkle.id

    the script “mkdir /usr/local/etc/wireguard && cp /root/wg0.conf /usr/local/etc/wireguard/wg0.conf && /usr/local/etc/rc.d/wireguard start”
    has to be modified to
    “cp /root/wg0.conf /usr/local/etc/wireguard/wg0.conf && /usr/local/etc/rc.d/wireguard start” after the first reboot otherwise /usr/local/etc/wireguard/wg0.conf will be deleted at every boot and wireguard won’t start.
    change the script, reboot, and it wg0 will spawn every time.

    Reply
  6. Damian

    Got as far as init scripts but really need a lot of hand holding after this. Am confused as to where to go from here. I created a wg0.conf file, but on reboot ifconfig does not show wg0 interface. Grateful for any help, thanks.

    Reply
  7. Duke

    Will this wg0 interface be visible in the gui network-interfaces after this configuration is done?
    If not, how do I make it visible?

    Reply
  8. Todd Martin

    I have this as a preinit sommand:
    cp /mnt/TANK/apps/wireguard/wg0.conf /usr/local/etc/wireguard/

    Keeping it in wireguard folder on my permanent storage in apps dataset.
    As a preinit the file is there when the tuneable starts the wireguard service.

    It has worked flawless for me from 11.3-beta to now 12.0.

    Reply

Submit a Comment

Your email address will not be published. Required fields are marked *

ESG Labs: TrueNAS Technical Report
Download Enterprise Storage Guide Button
iXsystems values privacy for all visitors. Learn more about how we use cookies and how you can control them by reading our Privacy Policy.