TrueNAS Scale

You can manage TrueNAS SCALE remotely over WireGuard by adding it as a systemd service.

WireGuard is installed by default but not exposed in the GUI. To add a wg interface, create a config file and enable a wg-quick systemd service for it. Add iptables port forwarding to reach containerized apps over the tunnel.

Configuration

Add a basic peer config, as when setting up a Central Server, and save it on the client as /etc/wireguard/wg1.conf (the file holds the private key, so keep it mode 600). It’s rumored that wg0 is reserved for the TrueNAS cloud service, so use wg1. Once the config is in place, test it with wg-quick up wg1, then enable the service as below.

nano /etc/wireguard/wg1.conf

systemctl enable --now wg-quick@wg1

If the peer’s Endpoint is a domain name, this service fails at boot rather than waiting for DNS. Add an ExecStartPre to the service so it explicitly waits for name resolution. The packaged unit can be edited directly as below; a drop-in created with systemctl edit wg-quick@wg1 does the same and survives package updates.

vi /lib/systemd/system/wg-quick@.service

[Service]
...
...
ExecStartPre=/bin/bash -c 'until host google.com; do sleep 1; done'

Note: Don’t put a DNS = line in the WireGuard config. wg-quick would register the remote resolver (via resolvconf) for the whole NAS, so every lookup on the NAS fails whenever the tunnel is down.
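The whole procedure above as one script, added here as an example and not part of the page’s own commands or the TrueNAS docs: it writes wg1.conf (the placeholder keys, the tunnel address 192.168.30.11/24 and the hostname vpn.example.org are assumptions), then installs the wait-for-DNS check as a systemd drop-in instead of editing the packaged unit. The check uses getent, which goes through the same NSS resolver wg-quick does, against the config’s actual Endpoint host, and is bounded by timeout so a dead resolver cannot stall boot indefinitely.

```sh
#!/bin/sh
# Added example (not part of the TrueNAS docs or this page's original commands):
# write a wg1 client config and a systemd drop-in that waits for the peer's
# Endpoint hostname to resolve before wg-quick runs. Keys, addresses and
# vpn.example.org are placeholders; WG_DIR/DROPIN_DIR exist only so the
# functions can be exercised outside /etc.
WG_DIR="${WG_DIR:-/etc/wireguard}"
DROPIN_DIR="${DROPIN_DIR:-/etc/systemd/system}"

# Host part of the first Endpoint= line: "host:port" or "[v6addr]:port" -> host.
endpoint_host() {
    sed -n 's/^[[:space:]]*Endpoint[[:space:]]*=[[:space:]]*//p' "$1" | head -n 1 \
        | sed 's/:[0-9]*$//; s/^\[\(.*\)\]$/\1/'
}

# Minimal peer config. Deliberately no DNS= line: wg-quick would hand the
# remote resolver to the whole NAS via resolvconf (and cron can't find resolvconf).
write_config() {
    ( umask 077; cat > "$WG_DIR/wg1.conf" <<'EOF'
[Interface]
Address = 192.168.30.11/24
PrivateKey = <client-private-key>

[Peer]
PublicKey = <server-public-key>
Endpoint = vpn.example.org:51820
AllowedIPs = 192.168.30.0/24
PersistentKeepalive = 25
EOF
    )
}

# Drop-in instead of editing /lib/systemd/system/wg-quick@.service, which a
# package update overwrites. getent uses the same NSS resolver wg-quick does,
# and timeout bounds the wait so a dead resolver can't stall boot forever.
write_dropin() {
    host=$(endpoint_host "$WG_DIR/wg1.conf")
    mkdir -p "$DROPIN_DIR/wg-quick@wg1.service.d"
    cat > "$DROPIN_DIR/wg-quick@wg1.service.d/wait-for-dns.conf" <<EOF
[Service]
ExecStartPre=/usr/bin/timeout 120 /bin/sh -c 'until getent ahosts $host >/dev/null; do sleep 2; done'
EOF
}

install_wg1() {
    write_config
    write_dropin
    systemctl daemon-reload
    systemctl enable --now wg-quick@wg1
}

case "${1-}" in install) install_wg1 ;; esac
```

Run it as ./wg1-setup.sh install. The WG_DIR and DROPIN_DIR overrides are only there so the functions can be tried in a scratch directory first; if the ExecStartPre times out the unit fails visibly in journalctl -u wg-quick@wg1 instead of hanging the boot.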

Accessing Hosted Apps

You can reach the TrueNAS web interface over the wg interface, but hosted apps appear to be bound to the physical NIC’s address by the way Kubernetes forwards traffic. Selecting host as the app’s network type doesn’t seem to help, but a DNAT rule like this works (192.168.30.11 being the NAS address on the tunnel and 192.168.1.129 the address of the physical NIC):

iptables -t nat -A PREROUTING --dst 192.168.30.11 -p tcp --dport 20910 -j DNAT --to-destination 192.168.1.129:20910

Rules added this way are gone after a reboot, so you may want to make this permanent^[4], for example by running the command from a post-init script (System Settings > Advanced > Init/Shutdown Scripts).
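A reusable version of the rule above, added here as an example and not from the page: it takes a list of app ports, restricts the rewrite to packets arriving on wg1 (the page’s rule matches on destination address only), and uses iptables -C before -A so it can be re-run from a post-init script or cron without stacking duplicate rules. The extra ports and the interface name are placeholders.

```sh
#!/bin/sh
# Added example, not from the page or the TrueNAS docs: idempotent DNAT rules
# that make apps bound to the physical NIC address reachable at the NAS's tunnel
# address. Intended to run as a TrueNAS post-init script; the interface,
# addresses and port list are placeholders.
set -e

WG_IF="${WG_IF:-wg1}"
WG_ADDR="${WG_ADDR:-192.168.30.11}"    # NAS address on the tunnel (what the peer connects to)
NIC_ADDR="${NIC_ADDR:-192.168.1.129}"  # NAS address on the physical NIC the apps bind to
APP_PORTS="${APP_PORTS:-20910 8443 51413/udp}"  # "port" is tcp, "port/udp" for udp

# Rule arguments for one port spec. Matching on -i restricts the rewrite to
# packets arriving over the tunnel, so LAN traffic to the same addresses is untouched.
dnat_args() {
    port=${1%%/*}
    proto=${1#*/}
    [ "$proto" != "$1" ] || proto=tcp
    printf '%s' "-i $WG_IF -d $WG_ADDR -p $proto --dport $port -j DNAT --to-destination $NIC_ADDR:$port"
}

# -C checks for an identical rule first, so re-running (at boot, from cron,
# by hand) never stacks duplicates. Word splitting of $(dnat_args) is intended.
ensure_rule() {
    # shellcheck disable=SC2046
    iptables -t nat -C PREROUTING $(dnat_args "$1") 2>/dev/null ||
        iptables -t nat -A PREROUTING $(dnat_args "$1")
}

main() {
    for spec in $APP_PORTS; do
        ensure_rule "$spec"
    done
}

case "${1-}" in apply) main ;; esac
```

Run it as ./wg-app-forward.sh apply; iptables -t nat -L PREROUTING -n -v shows the installed rules and their hit counters, which is the quickest way to confirm traffic from the peer is actually being rewritten.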

Troubleshooting

Fall-Back Cron Job

If the service proves unreliable, it’s possible to add a cron job as a fall-back.

crontab -e

*/5 * * * * ping -c1 -W5 10.0.0.1 || ( cp /root/wg1.conf /etc/wireguard/ ; wg-quick down wg1 ; wg-quick up wg1 )

The cp restores the config in case an upgrade removes it. However, upgrades also wipe root’s crontab, so some other method is needed (see Upgrade Kills Connection below).

Cronjob Fails

Symptom: the cron job tears down the interface whenever the ping fails, so a peer that is down or drops ICMP gets the tunnel bounced every five minutes.

Symptom:

/usr/local/bin/wg-quick: line 32: resolvconf: command not found

Calling wg-quick from cron fails on resolvconf even though the same command works at a shell prompt. The usual cause is cron’s minimal PATH (/usr/bin:/bin on Debian): resolvconf lives in an sbin directory, and wg-quick only needs it when the config has a DNS = line. Either set PATH in the crontab or, simpler, remove the DNS line from the wg conf so wg-quick never tries to register the remote DNS server.

Nov 08 08:23:59 truenas wg-quick[2668]: Name or service not known: `some.server.org:port'
Nov 08 08:23:59 truenas wg-quick[2668]: Configuration parsing error
…
Nov 08 08:23:59 truenas systemd[1]: Failed to start WireGuard via wg-quick(8) for wg1.

The resolver isn’t available yet, even though the unit file already orders itself After=network-online.target nss-lookup.target (with a matching Wants=): those targets mean the network has been configured, not that a lookup will succeed. One way to solve this is an ExecStartPre in the [Service] section of the unit file^[3]. This is hacky, but none of the normal directives worked.

The cron job above will bring the service up eventually, but it’s nice to have it at boot.
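An improved fall-back for the cron job above, added here as an example and not the page’s own job: it fixes cron’s minimal PATH so resolvconf is found, checks the age of the last handshake reported by wg instead of pinging the peer (so a peer that drops ICMP does not get the interface bounced), and restores wg1.conf from a copy kept on a pool. The backup path /mnt/tank/config/wg1.conf and the 180 s threshold are assumptions.

```sh
#!/bin/sh
# Added example, not from the page: a WireGuard watchdog for cron. It replaces
# the ping test with the age of the last handshake that wg(8) reports, so a
# peer that is merely dropping ICMP does not get the tunnel bounced, and it
# restores the config from a copy on a pool if an upgrade wiped /etc/wireguard.
# IFACE, CONF_BACKUP and MAX_AGE are assumptions; adjust to taste.

# cron starts jobs with PATH=/usr/bin:/bin; resolvconf (needed by wg-quick when
# the config has a DNS= line) lives in an sbin directory, hence the explicit PATH.
PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin
export PATH

IFACE="${IFACE:-wg1}"
CONF_BACKUP="${CONF_BACKUP:-/mnt/tank/config/wg1.conf}"  # on a pool, survives upgrades
MAX_AGE="${MAX_AGE:-180}"  # seconds; needs PersistentKeepalive on this side so
                           # WireGuard rekeys (~every 2 min) even when idle

# Newest handshake epoch from "wg show IFACE latest-handshakes" lines on stdin
# (pubkey<TAB>epoch per peer); 0 if there is no input, i.e. the interface is down.
parse_latest() {
    awk 'BEGIN { m = 0 } $2 > m { m = $2 } END { print m }'
}

latest_handshake() {
    wg show "$IFACE" latest-handshakes 2>/dev/null | parse_latest
}

# True (exit 0) if handshake epoch $1 is 0 (never) or older than MAX_AGE
# seconds relative to the current epoch $2.
handshake_stale() {
    [ "$1" -eq 0 ] || [ $(( $2 - $1 )) -gt "$MAX_AGE" ]
}

# Put the config back if it is missing; fail if there is nothing to restore from.
restore_config() {
    if [ ! -f "/etc/wireguard/$IFACE.conf" ]; then
        [ -f "$CONF_BACKUP" ] || return 1
        install -m 600 "$CONF_BACKUP" "/etc/wireguard/$IFACE.conf"
    fi
}

main() {
    restore_config || { echo "no config for $IFACE and no backup at $CONF_BACKUP" >&2; exit 1; }
    if handshake_stale "$(latest_handshake)" "$(date +%s)"; then
        wg-quick down "$IFACE" 2>/dev/null   # fails harmlessly if the interface is not up
        wg-quick up "$IFACE"
    fi
}

case "${1-}" in run) main ;; esac
```

Keep the script on a pool as well and add `*/5 * * * * /mnt/tank/config/wg-watchdog.sh run` as a cron job through the GUI, so both survive an upgrade. The handshake check relies on PersistentKeepalive being set on the NAS side; without it an idle tunnel legitimately shows an old handshake and would be restarted for no reason.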

Upgrade Kills Connection

The Bluefin upgrade seems to have removed or disabled existing cron jobs and WireGuard configs. This is expected for anything added outside the GUI: a SCALE upgrade installs into a fresh boot environment, so hand edits to the root filesystem (/etc, /lib, root’s crontab) do not carry over, while settings made in the GUI are part of the saved configuration and are reapplied. Keep a copy of wg1.conf on a pool and use the GUI to add a more persistent cron job that restores it:

https://www.truenas.com/docs/scale/scaletutorials/systemsettings/advanced/managecronjobsscale/

Notes

[1]: https://www.truenas.com/docs/core/coretutorials/network/wireguard/
[2]: https://www.truenas.com/community/threads/no-internet-connection-with-wireguard-on-truenas-scale-21-06-beta-1.94843/#post-693601
[3]: https://serverfault.com/questions/867830/systemd-start-service-only-after-dns-is-available
[4]: https://serverfault.com/questions/1046065/how-to-port-forward-from-enp7s0-to-localhost80


Last modified August 8, 2023: Wireguard update (c35f231)