runfalk / synology-wireguard

WireGuard support for some Synology NAS drives
MIT License

NAS is not responding to client handshakes #151

Closed rgov closed 2 years ago

rgov commented 2 years ago

I compiled the WireGuard package (version 1.0.20211208) for my Synology DS920+ running DSM 7.0.1-42218 Update 3.

When my iOS 15 client connects, the NAS does not seem to respond to the handshake. I can confirm that it is being received with tcpdump udp port 51820, and that there is no outbound reply.

I confirmed the public keys are correct on both sides. There's seemingly no way to enable the WireGuard debug messages so I'm not sure if the traffic is being rejected for some other reason.

My wg0.conf on the server looks like this:

[Interface]
Address = 192.168.9.1/24
ListenPort = 51820

PrivateKey = Xyzz...

PostUp = iptables -A FORWARD -i %i -j ACCEPT
PostUp = iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
PostDown = iptables -D FORWARD -i %i -j ACCEPT
PostDown = iptables -t nat -D POSTROUTING -o eth0 -j MASQUERADE

# iPhone
[Peer]
PublicKey = AbcD...
AllowedIPs = 192.168.9.6/32

rgov commented 2 years ago

Dumb mistake.

# iPhone
[Peer]
PublicKey = AbcD...
AllowedIPs = 192.168.9.6/32

# Mac
PublicKey = FgJk...
AllowedIPs = 192.168.9.7/32

Without a [Peer] header, the second public key overrides the first. This was visible in the output of wg.
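
A pre-deployment check for the mistake described in this thread, as an added example that is not part of the original issue or of the synology-wireguard project: it flags any section of a wg-quick style config that sets PublicKey more than once, which is what a missing [Peer] header produces. The function name and the placeholder keys are constructed for illustration; the addresses mirror the config posted above.

```python
# Added example: lint a wg-quick style config for a repeated PublicKey
# inside one section (the symptom of a missing [Peer] header).

# Constructed sample reproducing the broken layout; keys are placeholders.
SAMPLE_CONF = """\
[Interface]
Address = 192.168.9.1/24
ListenPort = 51820
PrivateKey = PLACEHOLDER_PRIVATE_KEY

# iPhone
[Peer]
PublicKey = PLACEHOLDER_KEY_IPHONE
AllowedIPs = 192.168.9.6/32

# Mac
PublicKey = PLACEHOLDER_KEY_MAC
AllowedIPs = 192.168.9.7/32
"""


def find_repeated_public_keys(text):
    """Return one finding per extra PublicKey line within a single section.

    Each finding is (section, first_line, repeat_line, first_value, repeat_value).
    """
    findings = []
    section = None  # name of the current section, lowercased
    seen = None     # (line number, value) of the last PublicKey in this section
    for lineno, raw in enumerate(text.splitlines(), start=1):
        line = raw.split("#", 1)[0].strip()  # drop comments and whitespace
        if not line:
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()
            seen = None  # a new header starts a fresh peer/interface
            continue
        key, sep, value = line.partition("=")  # split on the first '=' only
        if not sep or key.strip().lower() != "publickey":
            continue
        value = value.strip()
        if seen is not None:
            findings.append((section, seen[0], lineno, seen[1], value))
        seen = (lineno, value)
    return findings


if __name__ == "__main__":
    for sec, first, repeat, old, new in find_repeated_public_keys(SAMPLE_CONF):
        print(f"[{sec}] PublicKey on line {repeat} ({new}) repeats line {first} ({old})")
```

Comparing the number of `[Peer]` headers in the file against the number of peers listed by `wg` after bringing the interface up catches the same problem on a running system.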