runfalk / synology-wireguard

WireGuard support for some Synology NAS drives
MIT License
952 stars 135 forks

WG up and running - but unable to SSH into server while connected. Why? #139

Open wiffleman opened 2 years ago

wiffleman commented 2 years ago

Description
Have WG installed and running; able to connect to my server VPN etc. Even though this works and my "public IP" is now my home IP, when I'm remote I'm unable to SSH into my Synology.

Is this surprising / a known limitation?

Steps to reproduce

$ ssh user@nas
$ sudo wg-quick up wg0
[#] ip link add wg0 type wireguard
[#] wg setconf wg0 /dev/fd/63
[#] ip -4 address add 10.0.0.2/16 dev wg0
[#] ip link set mtu 1270 up dev wg0
[#] wg set wg0 fwmark 51820
[#] ip -4 route add 0.0.0.0/0 dev wg0 table 51820
[#] ip -4 rule add not fwmark 51820 table 51820
[#] ip -4 rule add table main suppress_prefixlength 0
[#] sysctl -q net.ipv4.conf.all.src_valid_mark=1
[#] nft -f /dev/fd/63
$ sudo wg show
interface: wg0
  public key: <redacted>
  private key: (hidden)
  listening port: 25565
  fwmark: 0xca6c

Expected behavior
A clear and concise description of what you expected to happen.

Synology NAS model
E.g. DS218j

wg0.conf

Content of wg0.conf goes here. Remember to redact Private keys!

If there are multiple peers, include their configuration too.

runfalk commented 2 years ago

It's not expected. Is it just SSH or all services? Is the SSH client computer also on the same VPN?

You didn't paste your WireGuard config as requested by the template, so I can't really help you debug anything.

wiffleman commented 2 years ago

Hey - sorry about that. Posted in a rush and was a bit blind to the support docs.

Someone on a Reddit forum suggested that this might be because on my in-laws' network, if their subnet mask is also 192.168.x.x, I could be running into issues with the local LAN vs. my VPN LAN. Is there some known way to override this so I can browse my local LAN?

When connected with my current WG config, I cannot access SSH via Terminal, nor can I access any local services via subnet IP:port in a browser, i.e. 192.168.1.152:9000 (my local address for Portainer, for example).

Here's the wg0.conf of my WG setup:

Server
[Interface]
PrivateKey =
Address = 10.8.0.1/24
ListenPort = 51820
PostUp = iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -o eth0 -j MASQUERADE; iptables -A INPUT -p udp -m udp --dport 51820 -j ACCEPT; iptables -A FORWARD -i wg0 -j ACCEPT; iptables -A FORWARD -o wg0 -j ACCEPT;
PostDown =

Client: MBP1 ()
[Peer]
PublicKey =
PresharedKey =
AllowedIPs = 10.8.0.2/32

Client: iPhone ()
[Peer]
PublicKey =
PresharedKey =
AllowedIPs = 10.8.0.4/32

Client: MBP2 ()
[Peer]
PublicKey =
PresharedKey =
AllowedIPs = 10.8.0.3/32

Edit: Tunnel configuration from "MBP2", which I was trying to access from yesterday:

[Interface]
PrivateKey =
Address = 10.8.0.3/24
DNS = 1.1.1.1

[Peer]
PublicKey =
PresharedKey =
AllowedIPs = 0.0.0.0/0, ::/0
Endpoint =
PersistentKeepalive = 0

fabiov64 commented 2 years ago

In the tunnel configuration for MBP2 the address should be 10.8.0.3/32 not 10.8.0.3/24 because it’s a single IP address, not a subnet.
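The overlapping-subnet explanation from wiffleman's second comment and the Address prefix remark from fabiov64 both come down to how the three `ip rule` lines in the wg-quick log at the top of the issue are evaluated. Below is an added example (written for this thread, not code from runfalk/synology-wireguard) that models those rules and predicts which interface a client packet leaves on. The interface names `en0`/`wg0`, the in-laws' LAN prefixes (192.168.1.0/24 colliding with home, 192.168.5.0/24 not colliding) and the split-tunnel AllowedIPs list are assumptions; the addresses 10.8.0.x and 192.168.1.152 come from the issue.

```python
"""Model of the wg-quick policy-routing rules shown in the issue log.

Constructed for this thread, not code from runfalk/synology-wireguard.
Assumed: the client's LAN NIC is en0, the tunnel is wg0, table 51820 and
fwmark 51820 are as printed by wg-quick in the issue.
"""
from dataclasses import dataclass
from ipaddress import IPv4Network, ip_address, ip_network


@dataclass(frozen=True)
class Route:
    prefix: IPv4Network
    dev: str


def lookup(table, dst):
    """Longest-prefix match inside one routing table.

    Ties keep the earlier route: the kernel refuses a second route for the
    same prefix (same metric) in one table, so the first one installed stays.
    """
    best = None
    for r in table:
        if dst in r.prefix and (best is None or r.prefix.prefixlen > best.prefix.prefixlen):
            best = r
    return best


def build_tables(local_lan, tunnel_addr, allowed_ips):
    """Build the main table and table 51820 for a client sitting on local_lan.

    `ip -4 address add <Address> dev wg0` installs a connected route for the
    whole prefix of Address (this is where /24 vs /32 differs: a /32 has no
    subnet, so nothing is added for it). wg-quick puts /0 AllowedIPs into
    table 51820 and anything more specific into main as a plain route on wg0.
    """
    main = [
        Route(ip_network(local_lan), "en0"),      # connected LAN, proto kernel
        Route(ip_network("0.0.0.0/0"), "en0"),    # default via the LAN gateway
    ]
    wg_table = []                                  # table 51820
    addr = ip_network(tunnel_addr, strict=False)
    if addr.prefixlen < 32:
        main.append(Route(addr, "wg0"))
    for a in allowed_ips:
        net = ip_network(a)
        if net.version != 4:                       # ::/0 is IPv6; model IPv4 only
            continue
        if net.prefixlen == 0:
            wg_table.append(Route(net, "wg0"))
        else:
            main.append(Route(net, "wg0"))
    return main, wg_table


def wg_quick_route(dst, main, wg_table, fwmark_set=False):
    """Evaluate the rules in kernel priority order (lowest number first)."""
    dst = ip_address(dst)
    # 32764: lookup main suppress_prefixlength 0
    # Any main-table route more specific than /0 wins here. A connected
    # 192.168.1.0/24 on the LAN you are visiting therefore beats the tunnel.
    r = lookup(main, dst)
    if r is not None and r.prefix.prefixlen > 0:
        return r.dev
    # 32765: not fwmark 51820 lookup 51820
    # Everything except WireGuard's own encapsulated UDP falls into table 51820.
    if not fwmark_set:
        r = lookup(wg_table, dst)
        if r is not None:
            return r.dev
    # 32766: lookup main (the marked UDP to the Endpoint reaches the real default)
    r = lookup(main, dst)
    return r.dev if r is not None else None


def egress(dst, local_lan, tunnel_addr, allowed_ips, fwmark_set=False):
    """Convenience wrapper: which interface carries a packet to dst?"""
    main, wg_table = build_tables(local_lan, tunnel_addr, allowed_ips)
    return wg_quick_route(dst, main, wg_table, fwmark_set)


if __name__ == "__main__":
    full = ["0.0.0.0/0", "::/0"]                   # MBP2 config from the issue
    for lan in ("192.168.1.0/24", "192.168.5.0/24"):
        print(lan, "-> 192.168.1.152 via", egress("192.168.1.152", lan, "10.8.0.3/24", full))
    print("Endpoint UDP (fwmark set) via", egress("203.0.113.10", "192.168.1.0/24", "10.8.0.3/24", full, True))
```

The model says: when the visited LAN is also 192.168.1.0/24, a packet to 192.168.1.152 leaves on `en0` (the in-laws' LAN) and never enters the tunnel, regardless of `AllowedIPs = 0.0.0.0/0`; when the visited LAN is any other prefix, the same packet goes out `wg0`. The Address prefix only changes whether a connected 10.8.0.0/24 route exists in main; 10.8.0.1 is reachable through `wg0` either way. On a Linux client the equivalent live checks are `ip rule` and `ip route get 192.168.1.152`; on macOS wg-quick installs routes instead of fwmark rules, but longest-prefix matching gives the same outcome, so the usual remedy is to renumber one of the two LANs rather than to tweak the WireGuard config.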