Closed OfficialMuffin closed 2 years ago
Found the same issue https://github.com/runfalk/synology-wireguard/issues/4. However, I run a PiHole server on that DNS IP. I would much rather keep the config as it is, as my PiHole has a recursive DNS resolver.
If I remove the DNS line from wg0.conf, I get a different error, this time with iptables.
[#] ip link add wg0 type wireguard
[#] wg setconf wg0 /dev/fd/63
[#] ip -4 address add 10.6.0.8/24 dev wg0
[#] ip link set mtu 1420 up dev wg0
[#] wg set wg0 fwmark 51820
[#] ip -6 route add ::/0 dev wg0 table 51820
[#] ip -6 rule add not fwmark 51820 table 51820
[#] ip -6 rule add table main suppress_prefixlength 0
[#] ip6tables-restore -n
ip6tables-restore v1.8.3 (legacy): ip6tables-restore: unable to initialize table 'raw'
Error occurred at line: 1
Try `ip6tables-restore -h' or 'ip6tables-restore --help' for more information.
[#] ip -6 rule delete table 51820
[#] ip -6 rule delete table main suppress_prefixlength 0
[#] ip link delete dev wg0
I have found a temporary workaround by deleting the line AllowedIPs = 0.0.0.0/0, ::0/0; the WireGuard interface successfully starts with no errors and handshakes are sent and received by the other peer.
The sudo wg command shows:
interface: wg0
public key: REDACTED
private key: (hidden)
listening port: 51826
peer: REDACTED
preshared key: (hidden)
endpoint: REDACTED:51820
allowed ips: (none)
sudo wg-quick up wg0 shows:
wg-quick: `wg0' already exists
However, if I try pinging the wireguard peer I get this error:
PING 10.6.0.1 (10.6.0.1) 56(84) bytes of data.
From 10.6.0.8 icmp_seq=1 Destination Host Unreachable
ping: sendmsg: Required key not available
From 10.6.0.8 icmp_seq=2 Destination Host Unreachable
ping: sendmsg: Required key not available
From 10.6.0.8 icmp_seq=3 Destination Host Unreachable
ping: sendmsg: Required key not available
From 10.6.0.8 icmp_seq=4 Destination Host Unreachable
ping: sendmsg: Required key not available
OK, I have specified a specific IP, 10.6.0.1/24, in the AllowedIPs line. Pinging the WireGuard peer works!
However, I get a warning:
[#] ip link add wg0 type wireguard
[#] wg setconf wg0 /dev/fd/63
Warning: AllowedIP has nonzero host part: 10.6.0.1/24
[#] ip -4 address add 10.6.0.8/24 dev wg0
[#] ip link set mtu 1420 up dev wg0
[#] iptables -A FORWARD -i wg0 -j ACCEPT; iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
Not too sure if this is fine the way it is. Please advise.
Also, pinging the NAS from another machine connected to the WireGuard peer does not work. Probably the NAS iptables firewall, but not too sure. Here's the output of sudo iptables -L -v -n:
Chain INPUT (policy ACCEPT 2536 packets, 351K bytes)
pkts bytes target prot opt in out source destination
2536 351K DOS_PROTECT all -- * * 0.0.0.0/0 0.0.0.0/0
Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
Chain OUTPUT (policy ACCEPT 2484 packets, 382K bytes)
pkts bytes target prot opt in out source destination
Chain DOS_PROTECT (1 references)
pkts bytes target prot opt in out source destination
0 0 RETURN icmp -- eth0 * 0.0.0.0/0 0.0.0.0/0 icmptype 8 limit: avg 1000/sec burst 5
0 0 DROP icmp -- eth0 * 0.0.0.0/0 0.0.0.0/0 icmptype 8
0 0 RETURN tcp -- eth0 * 0.0.0.0/0 0.0.0.0/0 tcp flags:0x17/0x04 limit: avg 1/sec burst 5
0 0 DROP tcp -- eth0 * 0.0.0.0/0 0.0.0.0/0 tcp flags:0x17/0x04
0 0 RETURN tcp -- eth0 * 0.0.0.0/0 0.0.0.0/0 tcp flags:0x17/0x02 limit: avg 10000/sec burst 100
0 0 DROP tcp -- eth0 * 0.0.0.0/0 0.0.0.0/0 tcp flags:0x17/0x02
try: AllowedIPs = 0.0.0.0/1
Please read my last comment. There is a problem with pinging devices.
I have fixed the issue. It seems like WireGuard did not like the Endpoint I set, which was my DDNS name. I tried changing the DDNS name to the public IP address but it still did not work. Finally, I tried setting it to the private IP of the local WireGuard "server" peer, 192.168.0.25, and it worked! Now I just wish that DNS could be set for PiHole to work.
Ah, I am now unable to access the web interface for Synology and SSH does not work. However, pinging the Synology does work from another peer, which I could not do before.
Sounds like you have locked yourself out by only accepting connections through the WireGuard interface. AllowedIPs = 0.0.0.0/0, ::0/0 makes it so that you can only run traffic over the WireGuard interface.
@OfficialMuffin, you may already be aware of this but to be sure: your original problem was likely due to including a DNS line; per the synology-wireguard README, wg's DNS option is not supported. I.e. the reason the tunnel didn't come up is that wg-quick tore it down when the resolvconf step failed.
FTR, I have a DS220j running DSM 7.0.1 and built and installed a wg package per the README, worked out of the box excepting the DNS item. Here's my config on the NAS:
admin@ds220j:~$ sudo cat /etc/wireguard/wg0.conf
[Interface]
PrivateKey = ...
Address = 192.168.254.130/24
# DNS: ref. https://github.com/runfalk/synology-wireguard Known Issues
#DNS = 192.168.254.1, blah.home
[Peer]
PublicKey = ...
AllowedIPs = 192.168.254.0/24, 192.168.39.0/24
Endpoint = wg.example.net:55555
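The three things that bit this thread (a DNS line that wg-quick cannot apply on Synology, an AllowedIPs entry with a nonzero host part, and a route-everything AllowedIPs that locks the admin out of the NAS's LAN side) can all be caught by reading wg0.conf before running wg-quick. The checker below is an added example, not code from synology-wireguard or from anyone in this thread; the sample config it parses is constructed to mirror the thread's configs, and the lan_address parameter and the finding texts are my own. It generalises slightly beyond the thread by also flagging IPv6 route-all entries and a hostname Endpoint (which must resolve at wg-quick time).

```python
"""Sanity checks for a wg-quick configuration before bringing the interface up.
Added example; not part of synology-wireguard."""
import ipaddress
import re

# Constructed sample modelled on the configs quoted in the thread; keys redacted.
SAMPLE_CONF = """\
[Interface]
PrivateKey = REDACTED
Address = 10.6.0.8/24
DNS = 192.168.0.2
[Peer]
PublicKey = REDACTED
AllowedIPs = 10.6.0.1/24, 0.0.0.0/0, ::0/0
Endpoint = nas.example.ddns:51820
"""


def parse_wg_conf(text):
    """Return (section, key, value) tuples; '#' comments and blank lines are skipped."""
    entries, section = [], None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        m = re.fullmatch(r"\[(\w+)\]", line)
        if m:
            section = m.group(1)
            continue
        key, _, value = line.partition("=")
        entries.append((section, key.strip(), value.strip()))
    return entries


def check_allowed_ip(entry):
    """Classify one AllowedIPs element; return a finding string or None if it is clean."""
    try:
        net = ipaddress.ip_network(entry, strict=True)
    except ValueError:
        # strict=True rejects host bits, which is exactly wg's "nonzero host part" warning.
        try:
            iface = ipaddress.ip_interface(entry)
        except ValueError:
            return f"unparseable AllowedIPs entry {entry!r}"
        return (f"{entry} has a nonzero host part; use {iface.ip}/{iface.max_prefixlen} "
                f"for a single peer or {iface.network} for the whole subnet")
    if net.prefixlen == 0:
        family = "IPv6" if net.version == 6 else "IPv4"
        return f"{entry} routes all {family} traffic into the tunnel"
    return None


def routes_through_tunnel(allowed_ips, address):
    """True if `address` is covered by any AllowedIPs entry (wg-quick adds a route per entry)."""
    addr = ipaddress.ip_address(address)
    for item in allowed_ips:
        try:
            net = ipaddress.ip_interface(item).network  # tolerate nonzero host parts
        except ValueError:
            continue
        if addr.version == net.version and addr in net:
            return True
    return False


def check_wg_conf(text, lan_address=None):
    """Return a list of findings; an empty list means nothing was flagged.

    lan_address (hypothetical parameter) is an address on the NAS's LAN, e.g. the
    admin workstation; if AllowedIPs covers it, replies to that host are sent into
    the tunnel and LAN access to the web UI and SSH is lost, as happened in the thread.
    """
    findings, allowed = [], []
    for section, key, value in parse_wg_conf(text):
        if section == "Interface" and key == "DNS":
            findings.append("DNS line present: unsupported on Synology (no resolvconf); "
                            "wg-quick will fail and tear the interface down")
        elif section == "Peer" and key == "AllowedIPs":
            for item in (v.strip() for v in value.split(",") if v.strip()):
                finding = check_allowed_ip(item)
                if finding:
                    findings.append(finding)
                allowed.append(item)
        elif section == "Peer" and key == "Endpoint":
            host = value.rsplit(":", 1)[0].strip("[]")  # handles [v6]:port too
            try:
                ipaddress.ip_address(host)
            except ValueError:
                findings.append(f"Endpoint {host!r} is a hostname; it must resolve when wg-quick runs")
    if lan_address and routes_through_tunnel(allowed, lan_address):
        findings.append(f"LAN address {lan_address} falls inside AllowedIPs: traffic to it "
                        "is sent into the tunnel, so LAN admin access may be lost")
    return findings


if __name__ == "__main__":
    for line in check_wg_conf(SAMPLE_CONF, lan_address="192.168.0.10"):
        print("-", line)
```

Run it against the real file with `check_wg_conf(open("/etc/wireguard/wg0.conf").read(), lan_address=...)`; an empty list means the config has none of the patterns discussed above, not that the tunnel will necessarily work.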
Description
I have successfully checked and built the WireGuard package for my particular NAS. When activating the interface with wg-quick, an error shows that resolvconf is not found.
Steps to reproduce
Expected behavior
WireGuard successfully activates the wg0 interface and connects to the peer with no error.
Synology NAS model
DS220j
wg0.conf