Most Suitable VPN Solutions for FreeNAS
When running FreeNAS (now known as TrueNAS Core), you’re working on a FreeBSD-based appliance that’s optimised for ZFS storage, headless operation and managed via a web UI or iocage jails. The primary package manager is pkg, and desktop environments aren’t typically involved—administrators access the system remotely over SSH or the built-in GUI. That means any VPN solution must integrate smoothly into a jail, respect ZFS snapshots and play nicely with the built-in network configuration.
Below are three VPN protocols that stand out in this environment:
- OpenVPN: Built-in plugin support, battle-tested, highly configurable.
- WireGuard: Minimal codebase, high performance, gaining official FreeBSD support.
- IPsec (StrongSwan): Industry standard for site-to-site links, well-supported in FreeBSD via ports.
Comparison Table
| VPN | Native Plugin | Jail Friendly | Protocol Type | Official Site |
|---|---|---|---|---|
| OpenVPN | Yes (Plugin) | Excellent | SSL/TLS | OpenVPN Project |
| WireGuard | No (Manual Jail) | Very Good | Modern Crypto | WireGuard |
| IPsec (StrongSwan) | No (Ports/Jail) | Good | IKEv2/IPsec | StrongSwan |
Installation and Configuration
1. OpenVPN
FreeNAS includes an OpenVPN plugin, making setup a breeze via the web UI or CLI.
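- Create a new jail named `openvpn-jail`:

  ```
  iocage fetch release=12.2-RELEASE
  # vnet=on gives the jail its own network stack; quote ip4_addr so the shell does not treat | as a pipe
  iocage create -n openvpn-jail -r 12.2-RELEASE vnet=on ip4_addr="vnet0|192.168.1.50/24" defaultrouter=192.168.1.1
  ```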
- Install the OpenVPN package inside that jail:

  ```
  iocage exec openvpn-jail pkg update
  iocage exec openvpn-jail pkg install -y openvpn easy-rsa
  ```
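- Set up a CA and server keys:

  ```
  # sh is used here because bash is not installed in a fresh jail
  iocage exec openvpn-jail sh -c '
    # Keep the PKI next to server.conf, which refers to it by relative path
    mkdir -p /usr/local/etc/openvpn && cd /usr/local/etc/openvpn || exit 1
    easyrsa init-pki
    easyrsa build-ca nopass
    easyrsa gen-req server nopass
    easyrsa sign-req server server
    easyrsa gen-dh
    openvpn --genkey --secret ta.key
  '
  ```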
- Create `/usr/local/etc/openvpn/server.conf` with your network settings:

  ```
  port 1194
  proto udp
  dev tun
  ca pki/ca.crt
  cert pki/issued/server.crt
  key pki/private/server.key
  dh pki/dh.pem
  tls-auth ta.key 0
  server 10.8.0.0 255.255.255.0
  # Pushed options must be quoted
  push "route 192.168.1.0 255.255.255.0"
  keepalive 10 120
  cipher AES-256-CBC
  user nobody
  group nogroup
  persist-key
  persist-tun
  status openvpn-status.log
  verb 3
  ```
- Enable and start the service:

  ```
  iocage exec openvpn-jail sysrc openvpn_enable=YES
  iocage exec openvpn-jail service openvpn start
  ```
2. WireGuard
WireGuard isn’t bundled as a plugin, but you can roll your own jail. The FreeBSD port has matured, so installation is straightforward.
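- Create a new jail:

  ```
  # vnet=on gives the jail its own network stack; quote ip4_addr so the shell does not treat | as a pipe
  iocage create -n wireguard-jail -r 12.2-RELEASE vnet=on ip4_addr="vnet0|192.168.1.60/24" defaultrouter=192.168.1.1
  ```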
- Install WireGuard tools:

  ```
  iocage exec wireguard-jail pkg update
  iocage exec wireguard-jail pkg install -y wireguard
  ```
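- Generate keys and configure `/usr/local/etc/wireguard/wg0.conf`:

  ```
  # Inside the jail (run under sh; csh does not support $(...))
  umask 077   # keep the private key and the config unreadable to other users
  wg genkey | tee privatekey | wg pubkey > publickey
  cat > /usr/local/etc/wireguard/wg0.conf << EOF
  [Interface]
  PrivateKey = $(cat privatekey)
  Address = 10.9.0.1/24
  ListenPort = 51820

  # Peer example (replace the placeholder with the peer's public key)
  [Peer]
  PublicKey = <peer-public-key>
  AllowedIPs = 10.9.0.2/32
  EOF
  ```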
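- Enable IPv4 forwarding in `/etc/rc.conf` and start WireGuard:

  ```
  # Inside the jail
  sysrc gateway_enable=YES           # persists IPv4 forwarding in /etc/rc.conf
  sysctl net.inet.ip.forwarding=1    # a sysctl, not an rc.conf variable: applies forwarding immediately
  sysrc wireguard_enable=YES
  sysrc wireguard_interfaces=wg0     # tells the rc script which interface to bring up
  service wireguard start
  ```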
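Before running `service wireguard start`, it is worth confirming that the heredoc above really wrote an expanded private key, that every `[Peer]` is complete, and that the file is not readable by other users. The following lint is an added example, not part of the original article or of wireguard-tools; `check_wg_conf` is a hypothetical helper name.

```sh
#!/bin/sh
# Added example: lint a wg0.conf before starting the service.
# check_wg_conf is a hypothetical helper name, not part of wireguard-tools.
check_wg_conf() {
    conf=$1
    [ -f "$conf" ] || { echo "FAIL: $conf not found"; return 2; }
    rc=0
    # The file embeds the private key, so group/other must have no access.
    if [ "$(ls -ld "$conf" | cut -c5-10)" != "------" ]; then
        echo "FAIL: $conf is accessible to group/other (chmod 600)"; rc=1
    fi
    awk '
    # A WireGuard key is 32 bytes: 43 base64 characters plus one "=".
    function is_key(v) { return length(v) == 44 && v ~ "^[A-Za-z0-9+/]+=$" }
    function end_peer() {
        if (sect != "[peer]") return
        if (!haskey) { print "FAIL: peer " n " has no valid PublicKey"; bad = 1 }
        if (!hasips) { print "FAIL: peer " n " has no AllowedIPs"; bad = 1 }
    }
    { sub(/#.*/, ""); gsub(/^[ \t]+|[ \t]+$/, "") }   # drop comments, trim
    $0 == "" { next }
    /^\[/ { end_peer(); sect = tolower($0); n += (sect == "[peer]")
            haskey = hasips = 0; next }
    {
        eq = index($0, "="); if (!eq) next
        k = tolower(substr($0, 1, eq - 1)); gsub(/[ \t]/, "", k)
        v = substr($0, eq + 1); sub(/^[ \t]+/, "", v)
        if (k == "privatekey") {
            priv = 1   # an unexpanded "(cat privatekey)" fails the key check
            if (!is_key(v)) { print "FAIL: PrivateKey is not a base64 key"; bad = 1 }
        }
        if (sect == "[peer]" && k == "publickey" && is_key(v)) haskey = 1
        if (sect == "[peer]" && k == "allowedips" && v != "") hasips = 1
    }
    END { end_peer(); if (!priv) { print "FAIL: no PrivateKey"; bad = 1 }
          exit bad + 0 }
    ' "$conf" || rc=1
    return $rc
}

# Usage: sh check_wg.sh /usr/local/etc/wireguard/wg0.conf
[ $# -eq 0 ] || check_wg_conf "$1"
```

A non-zero exit status means at least one check failed; each failure is printed on its own line.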
With either OpenVPN or WireGuard set up in a dedicated jail, your FreeNAS box can give remote clients or branch offices a secure tunnel into your ZFS storage environment without compromising the integrity of your pools or making changes to the base system. Cheers!