WireGuard client on TrueNAS Scale?

Hey guys,

I have a question on how to best implement an offsite NAS connection to my home network.

I want to place a TrueNAS Scale NAS at an offsite location (in this case my parents' house). I have no control over the network there and don’t want to touch their router.

On my home side I run OPNsense. I have a DDNS running, so connecting offsite should in theory be quite simple. Goal: The offsite TrueNAS connects as a WireGuard client/peer to my OPNsense WireGuard server with a full VPN tunnel, and gets an IP address on my local NAS VLAN.

There are two devices on that VLAN (a local NAS and a Proxmox Backup Server) which need to reach the offsite TrueNAS. This is not a site-to-site setup, it is one device joining an existing network remotely.

Just to avoid confusion: I am not looking for a WireGuard server on TrueNAS. All WG containers I have seen so far make TrueNAS act as WireGuard server, not client.

I am aware of Tailscale, but I would like to avoid third-party services, as a third party is unnecessary in my setup, and keeping it self-hosted seems like a better long-term approach.

The shell approach using wg-quick seems to work, but from what I can find online the config gets wiped on TrueNAS updates. Since this NAS will be unattended, I’d rather not risk the tunnel silently dropping after an update. I was considering writing a cronjob/startup script to pull the config from a dataset and then reestablish the connection after an update (as described in the forum post “Wireguard client o on TrueNAS scale” from the 2nd of July 2023; I can’t use links). This seems quite hacky, but it would be my approach if everything else fails.

Is there a persistent, update-safe way to run TrueNAS Scale as a WireGuard client? Or is there a better approach I’m not aware of?

Thank you.
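A sketch of the cronjob/startup-script approach described in the post above, as an added example that is not from this thread or from the referenced forum post. The interface name `wg0`, the dataset path, the `wg-watchdog` log tag and the 180-second threshold are assumptions, and the staleness check assumes `PersistentKeepalive` is set on the NAS side so a healthy tunnel keeps renewing its handshake.

```shell
#!/bin/sh
# Added example: restore a wg-quick config from a dataset and restart the
# tunnel when it has gone quiet. All names below are hypothetical defaults.
IFACE="${IFACE:-wg0}"
SRC="${SRC:-/mnt/tank/wireguard/$IFACE.conf}"   # persistent copy on a dataset
DST="${DST:-/etc/wireguard/$IFACE.conf}"        # location wg-quick reads
MAX_AGE="${MAX_AGE:-180}"                       # seconds without a handshake

# Copy the config back only if it is missing or differs. The file holds the
# private key, so it is installed owner-only (0600).
restore_config() {
    if [ ! -f "$2" ] || ! cmp -s "$1" "$2"; then
        mkdir -p "$(dirname "$2")" && install -m 600 "$1" "$2" && echo restored
    else
        echo unchanged
    fi
}

# Newest timestamp from `wg show IFACE latest-handshakes` output on stdin
# (one "<public key><TAB><epoch seconds>" line per peer; 0 means never).
newest_handshake() {
    awk 'BEGIN { m = 0 } $2 + 0 > m { m = $2 + 0 } END { print m }'
}

# $1 = newest handshake (epoch seconds), $2 = current time (epoch seconds).
handshake_stale() {
    [ "$1" -eq 0 ] || [ $(( $2 - $1 )) -gt "$MAX_AGE" ]
}

main() {
    restore_config "$SRC" "$DST" >/dev/null || exit 1
    # Bring the interface up if an update removed it.
    ip link show dev "$IFACE" >/dev/null 2>&1 || wg-quick up "$IFACE"
    hs=$(wg show "$IFACE" latest-handshakes | newest_handshake)
    if handshake_stale "$hs" "$(date +%s)"; then
        logger -t wg-watchdog "$IFACE: no recent handshake, restarting tunnel"
        wg-quick down "$IFACE"
        wg-quick up "$IFACE"
    fi
}

# Does nothing unless called with "run" (e.g. from cron or a startup task).
if [ "${1:-}" = "run" ]; then main; fi
```

Because every restart is logged through `logger`, a tunnel that keeps flapping after an update shows up in syslog instead of failing silently.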

While I personally have no (recent) experience with any of them, have you tried WG easy, zerotier or netbird from the integrated app catalogue? They should survive updates, I suppose. If you are already using WireGuard, WG easy might be your choice.

I was under the impression that WG easy from the appstore acts as a WireGuard server, not client?

I’d probably use a Debian LXC, mount the datasets where the backups should be stored into it and then use a WireGuard client in it.

WireGuard does not distinguish client and server. It’s all just peers.

Client/server in WG is more a question of who initiates the connection, who has a static public IP address, what the AllowedIPs and consequently the routes are set to …

Any UI on top of WG might treat things however the devs decide - and I don’t know any of the TrueNAS based implementations. But I am 100% sure there is no client or server. I run dozens of tunnels in enterprise environments.

Kind regards,
Patrick

3 Likes

Client/server in WG is more a question of who initiates the connection, who has a static public IP address, what the AllowedIPs and consequently the routes are set to …

Okay, so the WG easy container establishes a connection. Can I use the container as my full tunnel?
Can I set it up as an interface inside under settings Network? (I can’t test it out right now)

I’d probably use a Debian LXC, mount the datasets where the backups should be stored into it and then use a WireGuard client in it.

I guess that would also work, but this feels even more hacky than running a script that just starts wg-quick, since wg-quick is installed in TrueNAS.

Tbh I expected to just be able to set up a WireGuard or OpenVPN connection somewhere in the GUI. Kind of baffled TrueNAS doesn’t have that feature yet.