runfalk / synology-wireguard

WireGuard support for some Synology NAS drives
MIT License

Can ping, has traffic being sent, but cannot access service on port #148

Closed peterhadlaw closed 1 year ago

peterhadlaw commented 2 years ago

Description

I am just trying to access some of the services exposed on my NAS (even just a simple HTTP server for a proof-of-concept) and I cannot access anything (e.g. http://<server wireguard IP>:<service port>).

I have tried setting up wireguard on other machines before (although I am a novice when it comes to wireguard) and I was able to successfully achieve the same result (access service on port).

I am able to ping both from server to client and from client to server via IPv6 but not via IPv4. Not sure what that means but I did discover that.

Steps to reproduce

$ ssh user@nas
$ sudo wg-quick up wg0
[#] ip link add wg0 type wireguard
[#] wg setconf wg0 /dev/fd/63
[#] ip -4 address add 10.8.0.1/24 dev wg0
[#] ip -6 address add fdc3:f7cd:e017::1/64 dev wg0
[#] ip link set mtu 1420 up dev wg0
[#] iptables -A FORWARD -i wg0 -j ACCEPT; iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE

Expected behavior

Opening http://<server wg ip>:<service port> and the service running on said port should return its respective HTTP response.

Synology NAS model

E.g. DS416play

wg0.conf

[Interface]
PrivateKey = <redacted server private key>
Address = 10.8.0.1/24, fdc3:f7cd:e017::1/64
ListenPort = 51820

[Peer]
PublicKey = <redacted peer public key>
AllowedIPs = 10.8.0.2/32, fdc3:f7cd:e017::2/128

peterhadlaw commented 2 years ago

Peer config:

[Interface]
PrivateKey = <client private key>
Address = 10.8.0.2/32, fdc3:f7cd:e017::2/128

[Peer]
PublicKey = <server public key>
AllowedIPs = 10.8.0.0/24, fdc3:f7cd:e017::/64
Endpoint = <server WAN ip>:51820
PersistentKeepalive = 15

Maybe I'm misunderstanding how this would work, and I don't need this VPN to route all traffic or anything, but I was hoping to just type in http://10.8.0.1:<service port> into my browser and access the service remotely.

runfalk commented 2 years ago

I don't spot any obvious errors, but then again it's been a while since I set up my configuration. Can you SSH through the WireGuard IP?

fabiov64 commented 2 years ago

Please try to set: MTU = 1280 on client side in the [Interface] section. I had to do that to connect from macOS and to use web services. Not required from iOS.

peterhadlaw commented 2 years ago

@runfalk I am able to SSH into the server but only via IPv6

@fabiov64 no luck, added the config change and no difference :(

runfalk commented 2 years ago

I assume you can access the service through IPv6 as well then?

digitalface commented 2 years ago

FYI, I've just tried this and it works fine (I can browse NAS via 10.13.13.1). I had always accessed via the actual NAS IP before; have you tried adding the NAS IP to peer allowed list and trying to browse then?

peterhadlaw commented 1 year ago

I believe I did not set up port forwarding on my router properly... which might explain why IPv6 worked but not IPv4. (NAT? Sorry, a little out of my experience.) Everything works now :)
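
A cross-check of the two configs posted in this thread, as an added example that is not part of the thread or of the project's code: it verifies that each side's AllowedIPs covers the other side's tunnel address and that the client's Endpoint port matches the server's ListenPort. The function names are hypothetical, and the sample text is constructed from the posted configs with the key lines omitted.

```python
import ipaddress
# Added example; function names are hypothetical. Sample text is constructed
# from the two configs posted in this thread, with the key lines omitted.
SERVER = """[Interface]
Address = 10.8.0.1/24, fdc3:f7cd:e017::1/64
ListenPort = 51820
[Peer]
AllowedIPs = 10.8.0.2/32, fdc3:f7cd:e017::2/128
"""
CLIENT = """[Interface]
Address = 10.8.0.2/32, fdc3:f7cd:e017::2/128
[Peer]
AllowedIPs = 10.8.0.0/24, fdc3:f7cd:e017::/64
Endpoint = <server WAN ip>:51820
"""
def parse(text):
    """Return [(section, {key: value})], keeping repeated [Peer] sections apart."""
    sections = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if line.startswith("[") and line.endswith("]"):
            sections.append((line[1:-1], {}))
        elif "=" in line and sections:
            key, value = line.split("=", 1)
            sections[-1][1][key.strip()] = value.strip()
    return sections

def nets(value):
    return [ipaddress.ip_network(v.strip(), strict=False) for v in value.split(",")]

def uncovered(addresses, allowed):
    """Yield addresses from an Address line that no allowed network contains."""
    for v in addresses.split(","):
        ip = ipaddress.ip_interface(v.strip()).ip
        if not any(n.version == ip.version and ip in n for n in allowed):
            yield str(ip)

def cross_check(server_text, client_text):
    """Return a list of mismatches between a server config and one client config."""
    srv, cli = parse(server_text), parse(client_text)
    srv_if = next(s for name, s in srv if name == "Interface")
    cli_if = next(s for name, s in cli if name == "Interface")
    cli_peer = next(s for name, s in cli if name == "Peer")
    srv_allowed = [n for name, s in srv if name == "Peer" for n in nets(s["AllowedIPs"])]
    out = [f"server AllowedIPs miss client address {ip}" for ip in uncovered(cli_if["Address"], srv_allowed)]
    out += [f"client AllowedIPs miss server address {ip}" for ip in uncovered(srv_if["Address"], nets(cli_peer["AllowedIPs"]))]
    if cli_peer["Endpoint"].rsplit(":", 1)[1] != srv_if.get("ListenPort"):
        out.append("client Endpoint port differs from server ListenPort")
    return out
```

An empty list means the two files agree with each other; it says nothing about NAT or port forwarding in front of the server.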