WireGuard on TrueNAS Scale: How to Build a Secure and Efficient Bridge Between Your Local Network and VPS Servers

WireGuard VPN

In today’s digital world, where remote work and distributed infrastructure are becoming the norm, secure access to network resources is not so much a luxury as an absolute necessity. Virtual Private Networks (VPNs) have long been the answer to these needs, yet traditional solutions can be complicated and slow. Enter WireGuard—a modern VPN protocol that is revolutionising the way we think about secure tunnels. Combined with the power of the TrueNAS Scale system and the simplicity of the WG-Easy application, we can create an exceptionally efficient and easy-to-manage solution.

This article is a comprehensive guide that will walk you through the process of configuring a secure WireGuard VPN tunnel step by step. We will connect a TrueNAS Scale server, running on your home or company network, with a fleet of public VPS servers. Our goal is to create intelligent “split-tunnel” communication, ensuring that only necessary traffic is routed through the VPN, thereby maintaining maximum internet connection performance.

What Is WireGuard and Why Is It a Game-Changer?

Before we delve into the technical configuration, it’s worth understanding why WireGuard is gaining such immense popularity. Designed from the ground up with simplicity and performance in mind, it represents a breath of fresh air compared to older, more cumbersome protocols like OpenVPN or IPsec.

The main advantages of WireGuard include:

  • Minimalism and Simplicity: The WireGuard source code consists of just a few thousand lines, in contrast to the hundreds of thousands for its competitors. This not only facilitates security audits but also significantly reduces the potential attack surface.
  • Unmatched Performance: By operating at the kernel level of the operating system and utilising modern cryptography, WireGuard offers significantly higher transfer speeds and lower latency. In practice, this means smoother access to files and services.
  • Modern Cryptography: WireGuard uses the latest, proven cryptographic algorithms such as ChaCha20, Poly1305, Curve25519, BLAKE2s, and SipHash24, ensuring the highest level of security.
  • Ease of Configuration: The model, based on the exchange of public keys similar to SSH, is far more intuitive than the complicated certificate management found in other VPN systems.

The Power of TrueNAS Scale and the Convenience of WG-Easy

TrueNAS Scale is a modern, free operating system for building network-attached storage (NAS) servers, based on the solid foundations of Linux. Its greatest advantage is its support for containerised applications (Docker/Kubernetes), which allows for easy expansion of its functionality. Running a WireGuard server directly on a device that is already operating 24/7 and storing our data is an extremely energy- and cost-effective solution.

This is where the WG-Easy application comes in—a graphical user interface that transforms the process of managing a WireGuard server from editing configuration files in a terminal to simple clicks in a web browser. Thanks to WG-Easy, we can create profiles for new devices in moments, generate their configurations, and monitor the status of connections.

Step 1: Designing the Network Architecture – The Foundation of Stability

Before we launch any software, we must create a solid plan. Correctly designing the topology and IP addressing is the key to a stable and secure solution.

The “Hub-and-Spoke” Model: Your Command Centre

Our network will operate based on a “hub-and-spoke” model.

  • Hub: The central point (server) of our network will be TrueNAS Scale. All other devices will connect to it.
  • Spokes: Our VPS servers will be the clients (peers), or the “spokes” connected to the central hub.

In this model, all communication flows through the TrueNAS server by default. This means that for one VPS to communicate with another, the traffic must pass through the central hub.

To avoid chaos, we will create a dedicated subnet for our virtual network. In this guide, we will use 10.8.0.0/24.

Device Role      | Host Identifier | VPN IP Address
Server (Hub)     | TrueNAS-Scale   | 10.8.0.1
Client 1 (Spoke) | VPS1            | 10.8.0.2
Client 2 (Spoke) | VPS2            | 10.8.0.3
Client 3 (Spoke) | VPS3            | 10.8.0.4

The Fundamental Rule: One Client, One Identity

A tempting thought arises: is it possible to create a single configuration file for all VPS servers? Absolutely not. This would be a breach of a fundamental WireGuard security principle. Identity in this network is not based on a username and password, but on a unique pair of cryptographic keys. Using the same configuration on multiple machines is like giving the same house key to many different people—the server would be unable to distinguish between them, which would lead to routing chaos and a security breakdown.

Step 2: Prerequisite – Opening the Gateway to the World

The most common pitfall when configuring a home server is forgetting about the router. Your TrueNAS server is on a local area network (LAN) and has a private IP address (e.g., 192.168.0.13), which makes it invisible from the internet. For the VPS servers to connect to it, you must configure port forwarding on your router.

You need to create a rule that directs packets arriving from the internet on a specific port straight to your TrueNAS server.

  • Protocol: UDP (WireGuard uses UDP exclusively)
  • External Port: 51820 (the standard WireGuard port)
  • Internal IP Address: The IP address of your TrueNAS server on the LAN
  • Internal Port: 51820

Without this rule, your VPN server will never work.

Step 3: Hub Configuration – Launching the Server on TrueNAS

Launch the WG-Easy application on your TrueNAS server. The configuration process boils down to creating a separate profile for each client (each VPS server).

Click “New” and fill in the form for the first VPS, paying special attention to the fields below:

Field Name in WG-Easy | Example Value (for VPS1)    | Explanation
Name                  | VPS1-Public                 | A readable label to help you identify the client.
IPv4 Address          | 10.8.0.2                    | A unique IP address for this VPS within the VPN, according to our plan.
Allowed IPs           | 192.168.0.0/24, 10.8.0.0/24 | This is the heart of the “split-tunnel” configuration. It tells the client (VPS) that only traffic to your local network (LAN) and to other devices on the VPN should be sent through the tunnel. All other traffic (e.g., to Google) will take the standard route.
Server Allowed IPs    | 10.8.0.2/32                 | A critical security setting. It tells the TrueNAS server to accept packets from this specific client only when they carry its assigned VPN address as the source. The /32 mask covers exactly one address, so a client cannot impersonate another peer’s VPN address.
Persistent Keepalive  | 25                          | An instruction for the client to send a small “keep-alive” packet every 25 seconds. This is necessary to prevent the connection from being terminated by routers and firewalls along the way.

After filling in the fields, save the configuration. Repeat this process for each subsequent VPS server, remembering to assign them consecutive IP addresses (10.8.0.3, 10.8.0.4, etc.).

Once you save the profile, WG-Easy will generate a .conf configuration file for you. Treat this file like a password—it contains the client’s private key! Download it and prepare to upload it to the VPS server.

Step 4: Spoke Configuration – Activating Clients on the VPS Servers

Now it’s time to bring our “spokes” to life. Assuming your VPS servers are running Linux (e.g., Debian/Ubuntu), the process is very straightforward.

  1. Install WireGuard tools:
    sudo apt update && sudo apt install wireguard-tools -y
  2. Upload and secure the configuration file: Copy the previously downloaded wg0.conf file to the /etc/wireguard/ directory on the VPS server. Then, change its permissions so that only the administrator can read it:
    # On the VPS server:
    sudo mv /path/to/your/wg0.conf /etc/wireguard/wg0.conf
    sudo chmod 600 /etc/wireguard/wg0.conf
  3. Start the tunnel: Use a simple command to activate the connection. The interface name (wg0) is derived from the configuration file name.
    sudo wg-quick up wg0
  4. Ensure automatic start-up: To have the VPN tunnel start automatically after every server reboot, enable the corresponding system service:
    sudo systemctl enable wg-quick@wg0.service

Repeat these steps on each VPS server, using the unique configuration file generated for each one.

Step 5: Verification and Diagnostics – Checking if Everything Works

After completing the configuration, it’s time for the final test.

Checking the Connection Status

On both the TrueNAS server and each VPS, execute the command:

sudo wg show

Look for two key pieces of information in the output:

  • latest handshake: This should show a recent time (e.g., “a few seconds ago”). This is proof that the client and server have successfully connected.
  • transfer: received and sent values greater than zero indicate that data is actually flowing through the tunnel.
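The manual reading of wg show described above can be automated. The Python script below is an added example, not code from the original article or from the WG-Easy project; it parses the machine-readable form of the same output (wg show wg0 dump) and applies the two checks from the list. The dump text, key placeholders and endpoint addresses are constructed samples, and the 180-second “stale” threshold is an assumption.

```python
import subprocess
import time

NOW = 1_700_000_000       # fixed clock so the constructed sample below is reproducible
HANDSHAKE_MAX_AGE = 180   # seconds; peers re-handshake roughly every 2 minutes (assumed limit)

# Constructed `wg show wg0 dump` output as seen on the hub (tab-separated). Keys are
# placeholders, not real key material. Line 1 is the interface; each later line is a peer:
# pubkey, psk, endpoint, allowed-ips, latest-handshake (unix secs, 0 = never), rx, tx, keepalive.
SAMPLE_DUMP = "\n".join("\t".join(f) for f in [
    ["HUB_PRIVATE_KEY_PLACEHOLDER", "HUB_PUBLIC_KEY_PLACEHOLDER", "51820", "off"],
    ["VPS1_PUB_PLACEHOLDER", "(none)", "203.0.113.10:41233", "10.8.0.2/32", str(NOW - 40), "18324", "22110", "off"],
    ["VPS2_PUB_PLACEHOLDER", "(none)", "203.0.113.11:51820", "10.8.0.3/32", str(NOW - 75), "0", "1480", "off"],
    ["VPS3_PUB_PLACEHOLDER", "(none)", "(none)", "10.8.0.4/32", "0", "0", "0", "off"],
])

def parse_dump(text):
    """Peer records from `wg show <iface> dump`; the first line (the interface itself) is skipped."""
    peers = []
    for line in text.splitlines()[1:]:
        f = line.split("\t")
        peers.append({"pubkey": f[0], "endpoint": f[2], "allowed_ips": f[3],
                      "last_handshake": int(f[4]), "rx": int(f[5]), "tx": int(f[6])})
    return peers

def peer_status(peer, now):
    """The same verdicts a manual reading of `wg show` arrives at."""
    if peer["last_handshake"] == 0:
        return "no-handshake"      # check UDP 51820 forwarding and the firewalls on the path
    if now - peer["last_handshake"] > HANDSHAKE_MAX_AGE:
        return "stale-handshake"   # was up once; the other side has probably gone down
    if peer["rx"] == 0 or peer["tx"] == 0:
        return "no-traffic"        # handshake fine but nothing flows one way: Allowed IPs mismatch
    return "ok"

def check_tunnel(text, now=None):
    """Map each peer's VPN address to its status."""
    now = int(time.time()) if now is None else now
    return {p["allowed_ips"]: peer_status(p, now) for p in parse_dump(text)}

if __name__ == "__main__":
    # On a real hub or spoke, read the live table; fall back to the constructed sample elsewhere.
    try:
        dump = subprocess.run(["sudo", "wg", "show", "wg0", "dump"],
                              capture_output=True, text=True, check=True).stdout
        verdicts = check_tunnel(dump)
    except (OSError, subprocess.CalledProcessError):
        verdicts = check_tunnel(SAMPLE_DUMP, now=NOW)
    for ip, status in verdicts.items():
        print(f"{ip:14} {status}")
```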

The Final Test: Validating the “Split-Tunnel”

This is the test that will confirm we have achieved our main goal. Log in to one of the VPS servers and perform the following tests:

  1. Test connectivity within the VPN: Try to ping the TrueNAS server using its VPN and LAN addresses.
    ping 10.8.0.1       # VPN address of the TrueNAS server
    ping 192.168.0.13  # LAN address of the TrueNAS server (use your own)

    If you receive replies, it means that traffic to your local network is being correctly routed through the tunnel.
  2. Test the path to the internet: Use the traceroute tool to check the route packets take to a public website.
    traceroute google.com

    The result of this command is crucial. The first “hop” on the route must be the default gateway address of your VPS hosting provider, not the address of your VPN server (10.8.0.1). If this is the case—congratulations! Your “split-tunnel” configuration is working perfectly.

Troubleshooting Common Problems

  • No “handshake”: The most common cause is a connection issue. Double-check the UDP port 51820 forwarding configuration on your router, as well as any firewalls in the path (on TrueNAS, on the VPS, and in your cloud provider’s panel).
  • There is a “handshake”, but ping doesn’t work: The problem usually lies in the Allowed IPs configuration. Ensure the server has the correct client VPN address entered (e.g., 10.8.0.2/32), and the client has the networks it’s trying to reach in its configuration (e.g., 192.168.0.0/24).
  • All traffic is going through the VPN (full-tunnel): This means that in the client’s configuration file, under the [Peer] section, the Allowed IPs field is set to 0.0.0.0/0. Correct this setting in the WG-Easy interface, download the new configuration file, and update it on the client.
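The checks behind this troubleshooting list, the “one client, one identity” rule from Step 1 and the two Allowed IPs fields of the Step 3 form can be run against the generated files before the tunnel goes live. The Python script below is an added example, not code from the original article or from WG-Easy; the [Peer] sections and key names are constructed samples, and the 192.168.0.0/24 LAN and 10.8.0.0/24 VPN subnets are those of the article’s addressing plan.

```python
import ipaddress
VPN_NET = ipaddress.ip_network("10.8.0.0/24")     # subnet from the addressing plan
LAN_NET = ipaddress.ip_network("192.168.0.0/24")  # home LAN behind TrueNAS
# Constructed [Peer] sections in the shape WG-Easy emits; keys are placeholders, not real key material.
SPOKE_OK = """[Peer]
PublicKey = HUB_PUBLIC_KEY_PLACEHOLDER
AllowedIPs = 192.168.0.0/24, 10.8.0.0/24
"""
SPOKE_FULL = SPOKE_OK.replace("192.168.0.0/24, 10.8.0.0/24", "0.0.0.0/0")  # the full-tunnel mistake
HUB_CLONED = """[Peer]
PublicKey = VPS1_PUBLIC_KEY_PLACEHOLDER
AllowedIPs = 10.8.0.2/32
[Peer]
PublicKey = VPS1_PUBLIC_KEY_PLACEHOLDER
AllowedIPs = 10.8.0.0/24
"""  # hub side after the VPS2 profile was cloned from VPS1: same key, and a /24 instead of its own /32

def parse_peers(text):
    """[Peer] sections as dicts; configparser cannot handle a repeated section name."""
    peers = []
    for line in (l.split("#", 1)[0].strip() for l in text.splitlines()):
        if line.startswith("["):
            peers.append({} if line == "[Peer]" else None)  # None marks a non-peer section
        elif line and peers and peers[-1] is not None:
            key, _, value = line.partition("=")
            peers[-1][key.strip()] = value.strip()
    return [p for p in peers if p is not None]

def allowed_nets(peer):
    return [ipaddress.ip_network(n.strip(), strict=False) for n in peer.get("AllowedIPs", "").split(",") if n.strip()]

def check_client(text):
    """Split-tunnel checks for a spoke's wg0.conf (the Allowed IPs field of the WG-Easy form)."""
    problems = []
    for nets in map(allowed_nets, parse_peers(text)):
        if any(n.prefixlen == 0 for n in nets):
            problems.append("full-tunnel: AllowedIPs contains 0.0.0.0/0 or ::/0")
        if LAN_NET not in nets or VPN_NET not in nets:
            problems.append("AllowedIPs must list both the LAN and the VPN subnet")
    return problems

def check_hub(text):
    """Hub-side checks: one key per spoke, each confined to its own /32 inside the VPN subnet."""
    peers = parse_peers(text)
    keys = [p.get("PublicKey") for p in peers]
    problems = ["duplicate PublicKey: one client, one identity"] * (len(keys) - len(set(keys)))
    for net in (n for p in peers for n in allowed_nets(p)):
        if net.version != 4 or net.prefixlen != 32 or not net.subnet_of(VPN_NET):
            problems.append(f"{net}: Server Allowed IPs must be one /32 inside {VPN_NET}")
    return problems
```

Run check_client on the wg0.conf downloaded for each VPS and check_hub on the hub’s own configuration; an empty list means the file matches the plan.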

Creating your own secure and efficient VPN server based on TrueNAS Scale and WireGuard is well within reach. It is a powerful solution that not only enhances security but also gives you complete control over your network infrastructure.
