
wireguard without jail for replication task

Updated 06Aug2023; thanks neptunus

hi folks,

Just want to share my way of creating a WireGuard tunnel for an offsite replication task. This only covers the WireGuard part on TrueNAS, not the configuration of the replication task itself.

Since my offsite TrueNAS has no way to open any ports, it needs to call home, so all steps are done at the offsite remote end.

Via web GUI -> Shell
Code:
nano /root/wg0.conf


Paste in the standard WireGuard config and modify it to your needs:
Code:
[Interface]
# The address must be unique for each client, e.g. "10.8.0.3/24" for the second client and so on.
Address = 10.8.0.4/24
PrivateKey = WIREGUARD-PRIVATE-KEY
# Comment out the following to preserve the client's default DNS server, or force a desired one.
DNS = 8.8.8.8
[Peer]
PublicKey = WIREGUARD-PUBLIC-KEY
# Tunnel access to the server-side local network only:
AllowedIPs = 192.168.178.0/24
Endpoint = wireguard.server.net:51820
# Uncomment the following if you're behind a NAT and want the connection to be kept alive.
PersistentKeepalive = 25


Create a script so that WireGuard notices IP changes of the server endpoint:
Code:
nano /root/wireguard_check.sh


Paste the following into the created file and modify the IP of the home TrueNAS, the DynDNS entry of your WG server, etc.:
Code:
#!/bin/bash
# Config path used by the post-init script below (wg-quick accepts a full path).
conf=/usr/local/etc/wireguard/wg0.conf
# Endpoint IP the wg0 interface currently uses for the peer (empty if "(none)").
cip=$(wg show wg0 endpoints | grep -E -o "([0-9]{1,3}[\.]){3}[0-9]{1,3}")
echo "Wireguard peer IP from Interface: $cip"
# Change the IP to the target server (home TrueNAS) reachable through the tunnel.
pingip=$(ping -c 1 192.168.10.20 > /dev/null 2>&1 && echo success || echo fail)
# Resolve the server's DynDNS name; keep only the last A record in case of a CNAME chain.
digIP=$(dig @1.1.1.1 +short dyndns-entry-of-your-WG-server | grep -E "^([0-9]{1,3}\.){3}[0-9]{1,3}$" | tail -n 1)
echo "Resolved server IP: $digIP"
# An empty DNS answer (lookup failed) is not treated as a mismatch, otherwise a
# DNS outage would tear the tunnel down every 5 minutes.
if [ -n "$digIP" ] && [ "$digIP" != "$cip" ]; then
  echo "IPs don't match, restarting wireguard"
  wg-quick down "$conf"
  wg-quick up "$conf"
elif [ "$pingip" != "success" ]; then
  echo "Ping failed, restarting wireguard..."
  wg-quick down "$conf"
  wg-quick up "$conf"
else
  echo "OK"
  # nothing else to do
fi

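As an added example (not part of the original post), the decision logic of the check script factored into shell functions that take the raw output of `wg show wg0 endpoints` and `dig +short` as strings, so it can be tested offline. It also handles two cases the script above does not spell out: a CNAME chain in the dig answer and an empty DNS answer, which is treated as unknown rather than as a mismatch. The sample outputs are constructed; the host name and addresses are placeholders.

```shell
#!/bin/sh
# Pure string handling: no wg, dig or network access needed to run this.

# Extract the IPv4 address of the first peer endpoint from
# `wg show wg0 endpoints` output ("<peer-pubkey><TAB><ip>:<port>" per line).
# Yields "(none)" when the peer has no endpoint yet.
wg_endpoint_ip() {
    printf '%s\n' "$1" | head -n 1 | cut -f2 | sed -E 's/:[0-9]+$//'
}

# Pick the last A record from `dig +short` output: with a CNAME chain the
# first lines are names, the final line is the address. Empty if none.
dns_last_ipv4() {
    printf '%s\n' "$1" | grep -E '^([0-9]{1,3}\.){3}[0-9]{1,3}$' | tail -n 1
}

# Args: wg output, dig output, ping result ("success" or "fail").
# Returns 0 if the tunnel should be restarted, 1 if it should be left alone.
# An empty DNS answer is "unknown" and never triggers a restart by itself.
wg_needs_restart() {
    cip=$(wg_endpoint_ip "$1")
    dip=$(dns_last_ipv4 "$2")
    ping_ok=$3
    if [ -n "$dip" ] && [ "$dip" != "$cip" ]; then
        return 0   # DynDNS now points elsewhere: endpoint moved
    fi
    if [ "$ping_ok" != "success" ]; then
        return 0   # tunnel up but home TrueNAS unreachable
    fi
    return 1
}
```

In the real cron script the three arguments come from `wg show wg0 endpoints`, `dig @1.1.1.1 +short <name>` and the ping check, and a return of 0 is followed by `wg-quick down`/`wg-quick up`.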

Leave the shell.

go to
tasks -> init/shutdown Scripts -> add
Description: WireGuard Init
type: command
command: mkdir -p /usr/local/etc/wireguard && cp /root/wg0.conf /usr/local/etc/wireguard/wg0.conf && /usr/local/etc/rc.d/wireguard start
when: post Init
enabled: yes
timeout: 10
-> save

go to
System -> Tunables -> add
variable: wireguard_enable
Value: YES
type: rc.conf
enabled: yes
-> save

go to
System -> Tunables -> add
variable: wireguard_interfaces
value: wg0
Type: rc.conf
Enabled: yes
-> save

go to
tasks -> cron jobs -> add
description: wireguard_check
command: /bin/bash /root/wireguard_check.sh
run as user: root
schedule: Custom (*/5 * * * *)
Hide standard output: yes
hide standard error: no
enabled: yes
-> save
This checks the connection every 5 minutes; if the resolved server IP no longer matches the endpoint in use or the ping fails, it restarts WireGuard to re-establish the connection.

Reboot and check that the tunnel comes up.

Author: John Doe