
wireguard without jail for replication task

John Doe

Guru
Joined
Aug 16, 2011
Messages
635
John Doe submitted a new resource:

wireguard without jail for replication task - wireguard without jail for replication task

hi folks,

just want to share my way of creating a wireguard tunnel for an offsite replication task. This only covers the wireguard part on truenas without its configuration.

since my offsite truenas has no power to open any ports, it needs to call home. so all steps are done at the offsite remote end.

via web gui -> shell
Code:
mkdir /mnt/wireguard/
nano /mnt/wireguard/wg0.conf


paste in the standard wireguard config and modify to your needs:
Code:
[Interface]
# The...

Read more about this resource...

Ericloewe

Server Wrangler
Moderator
Joined
Feb 15, 2014
Messages
20,175
This doesn't sound like it would survive an update, but from a quick glance the biggest change would be to use a directory on a data pool - it could even be /mnt/wireguard/, but why make it confusing? Perhaps something like poolname/scripts?

John Doe

Guru
Joined
Aug 16, 2011
Messages
635
This doesn't sound like it would survive an update, but from a quick glance the biggest change would be to use a directory on a data pool - it could even be /mnt/wireguard/, but why make it confusing? Perhaps something like poolname/scripts?
it seems it does not even survive a reboot :-(
big bummer, need to work that out

unfortunately my current system has no free sata ports and since it is at a remote site, all datasets are encrypted. typically I am logging in and encrypting them manually.

so I have no dataset available. of course using a usb drive might help but it's not that ideal.

is /usr/local/etc/rc.d or /usr/local as a location suitable?

Ericloewe

Server Wrangler
Moderator
Joined
Feb 15, 2014
Messages
20,175
Anything backed by the boot pool is, at best, vulnerable at the time of updates.

all datasets are encrypted
So create a dataset that's not encrypted. Not a big deal.

neptunus

Cadet
Joined
Dec 25, 2020
Messages
5
Great submitted resource, I was working on the same thing.

Question:
Why didn't you follow the steps below to make the reboot safe?

Feedback:
One:
I have put wireguard_check.sh in /root/ as in the explanation above. This means wg0.conf and wireguard_check.sh are both in /root/
Two:
I think there is a small bug in your script.
Original:
Code:
pingip=$(ping -c 1 192.168.10.20 &> /dev/null && echo success || echo fail) #change ip to target server

New:
Code:
pingip=$(ping -c 1 192.168.10.20 > /dev/null 2>&1 && echo success || echo fail) #change ip to target server


Source:
The shortcuts &> and >& are a bit frowned upon because those are "bashism" - they do work with bash shell but are not compatible with some other POSIX compatible shells. The >... 2>&1 ... syntax works in every POSIX compatible shell.
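Added example, not the resource's own script and not code posted in this thread: a POSIX-sh version of the reachability check that also cycles the tunnel when the probe fails. The function names, the logger tag, and the use of wg-quick with /mnt/wireguard/wg0.conf are assumptions.

```shell
#!/bin/sh
# POSIX-sh watchdog for the "call home" tunnel. Hypothetical names; paths are
# assumptions (override via environment). Not the resource's own script.
WG_CONF="${WG_CONF:-/mnt/wireguard/wg0.conf}"
TARGET_IP="${TARGET_IP:-192.168.10.20}"   # host on the far side to probe

# probe_host IP: one ICMP echo, output discarded with POSIX redirection.
# A plain sh parses "ping ... &> /dev/null" as "ping ... &" (background job)
# followed by "> /dev/null", which succeeds, so that form would always
# report success and the tunnel would never be restarted.
probe_host() {
    ping -c 1 "$1" > /dev/null 2>&1
}

# tunnel_status PROBE: run PROBE (a command name) and print success or fail,
# the same idiom as pingip=$(...) in the thread.
tunnel_status() {
    if "$1"; then echo success; else echo fail; fi
}

# watchdog PROBE RESTART: run RESTART only when PROBE fails.
# Returns 0 when the tunnel answered, 2 when a restart was triggered.
watchdog() {
    status=$(tunnel_status "$1")
    if [ "$status" = success ]; then
        return 0
    fi
    logger -t wireguard_check "peer unreachable, restarting tunnel" 2>/dev/null || :
    "$2"
    return 2
}

# restart_wg: cycle the interface with wg-quick (assumed to be installed).
restart_wg() {
    wg-quick down "$WG_CONF" > /dev/null 2>&1 || :
    wg-quick up "$WG_CONF"
}

default_probe() { probe_host "$TARGET_IP"; }

# Run the real check only when executed as a script, not when sourced.
case "$0" in
    *wireguard_check.sh) watchdog default_probe restart_wg ;;
esac
```

Run it from cron every few minutes as wireguard_check.sh; the exit status 2 makes a triggered restart visible in cron mail or logs.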

John Doe

Guru
Joined
Aug 16, 2011
Messages
635
Great submitted resource, I was working on the same thing.

Question:
Why didn't you follow the steps below to make the reboot safe?

Feedback:
One:
I have put wireguard_check.sh in /root/ as in the explanation above. This means wg0.conf and wireguard_check.sh are both in /root/
Two:
I think there is a small bug in your script.
Original:
Code:
pingip=$(ping -c 1 192.168.10.20 &> /dev/null && echo success || echo fail) #change ip to target server

New:
Code:
pingip=$(ping -c 1 192.168.10.20 > /dev/null 2>&1 && echo success || echo fail) #change ip to target server


Source:
The shortcuts &> and >& are a bit frowned upon because those are "bashism" - they do work with bash shell but are not compatible with some other POSIX compatible shells. The >... 2>&1 ... syntax works in every POSIX compatible shell.

thanks for your contribution!

I think the guide you referred to wasn't available at the time I was writing this. However, the way in the guideline works!

updated the resources :smile:

Constantin

Vampire Pig
Joined
May 19, 2017
Messages
1,828
FWIW, the MikroTik implementation of S2S Wireguard is really really simple (see ultimate S2S wireguard vpn tutorial from the network berg on YouTube). Dynamic dns endpoints are not a problem, etc. It just works. And once you’ve got that set up, you can also use it to connect to the remote server or other assets.

Best of all, it’s 100% independent of the TrueNAS so there are zero issues associated with NAS system updates, etc.