runfalk / synology-wireguard

WireGuard support for some Synology NAS drives
MIT License

Trying to use it as a Wireguard "client" to replace Synology's built-in OpenVPN client, but other devices cannot see internet #165

Closed seemebreakthis closed 1 year ago

seemebreakthis commented 1 year ago

I have Surfshark as my VPN service provider, and I have been using their OpenVPN connection all along. Recently they added Wireguard support.

With Synology's OpenVPN client, I establish the connection, then in my local network I can have other devices point to my Synology as the gateway IP, and these devices will connect to the internet through the OpenVPN connection.

I want to do the same with Wireguard, but can't.

So far I have managed to successfully establish a Wireguard connection, and the NAS itself uses the Wireguard connection to talk to the outside world (as can be validated with a 'curl icanhazip.com' command). BUT EVEN FOR THIS TO WORK, I had to manually add an entry to my NAS's routing table with this command:

ip route add <Surfshark Wireguard VPN server's IP address> via 192.168.1.254 dev ovs_eth0

Where 192.168.1.254 is the IP of my gateway router. I have ovs_eth0 and not eth0 because I have a virtual machine running on my NAS.

With the manual entry, this is what an 'ip route' command returns:

0.0.0.0/1 dev wg0  scope link
default via 192.168.1.254 dev ovs_eth0  src 192.168.1.3
128.0.0.0/1 dev wg0  scope link
156.146.45.151 via 192.168.1.254 dev ovs_eth0
172.17.0.0/16 dev docker0  proto kernel  scope link  src 172.17.0.1 linkdown
192.168.1.0/24 dev ovs_eth0  proto kernel  scope link  src 192.168.1.3

(192.168.1.3 is the IP address of my NAS, and 192.168.1.254 is my gateway router address)

I tried for an entire day and I could not get other devices to use my NAS as the gateway and route traffic via Wireguard to the outside world in any shape or form, and I have tried to tweak the ip route table in many ways.

Any help appreciated !!

EDIT: This is the wg0.conf file:

#
# Use this configuration with WireGuard client
#
[Interface]
Address = 10.14.0.2/16
PrivateKey = <redacted>
[Peer]
PublicKey = <redacted>
AllowedIPs = 0.0.0.0/1, 128.0.0.0/1
Endpoint = hk-hkg.prod.surfshark.com:51820

seemebreakthis commented 1 year ago

README.md says this GitHub user galaxysd made a guide on how to enable iptables NAT support.

Followed the guide, and it seems to have done something that got me closer but definitely not 100% working:

- ping from local network devices to any internet destination works (good)
- 'curl icanhazip.com' from local network clients shows the VPN IP as the address (good)
- 'curl' to some URLs (e.g. www.microsoft.com) shows connectivity, while some URLs (e.g. www.google.com) don't work
- browser connection to SOME websites would work sometimes but not others, and SOME websites do not work at all

Yeah the behavior is really strange. I am starting to give up. Maybe I will add Wireguard to my old and overloaded OpenWrt gateway router instead...

seemebreakthis commented 1 year ago

Closing this as I see the same strange behavior when I set up Wireguard client on my OpenWrt router. I now suspect this new Wireguard service from Surfshark is still pretty buggy.... may not have anything to do with synology-wireguard.
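
Why the manual endpoint route in the first comment was needed, as an added example that is not part of the original thread or the project's code: a longest-prefix-match lookup over the posted routing table. The function names are hypothetical, and the model is simplified (it ignores metrics, policy routing and link state).

```python
import ipaddress

# Routing table as posted in the first comment: (prefix, outgoing device).
POSTED_ROUTES = [
    ("0.0.0.0/1", "wg0"),
    ("0.0.0.0/0", "ovs_eth0"),          # "default via 192.168.1.254"
    ("128.0.0.0/1", "wg0"),
    ("156.146.45.151/32", "ovs_eth0"),  # the manually added endpoint route
    ("172.17.0.0/16", "docker0"),
    ("192.168.1.0/24", "ovs_eth0"),
]

def lookup(routes, dest):
    """Return (prefix, device) chosen by longest-prefix match, or None."""
    addr = ipaddress.ip_address(dest)
    best = None
    for prefix, dev in routes:
        net = ipaddress.ip_network(prefix)
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, dev)
    return (str(best[0]), best[1]) if best else None

def without(routes, prefix):
    """Copy of the table with one prefix removed."""
    return [r for r in routes if r[0] != prefix]

def endpoint_loops(routes, endpoint, tunnel_dev="wg0"):
    """True if encrypted packets to the VPN endpoint would be routed
    back into the tunnel device instead of out the physical interface."""
    hit = lookup(routes, endpoint)
    return hit is not None and hit[1] == tunnel_dev

if __name__ == "__main__":
    endpoint = "156.146.45.151"
    # 8.8.8.8 and 203.0.113.10 are constructed sample destinations,
    # one in each /1 half; 192.168.1.50 is a constructed LAN host.
    for dest in [endpoint, "8.8.8.8", "203.0.113.10", "192.168.1.50"]:
        print(f"{dest:>15} -> {lookup(POSTED_ROUTES, dest)}")
    print("loop with manual route:   ", endpoint_loops(POSTED_ROUTES, endpoint))
    stripped = without(POSTED_ROUTES, "156.146.45.151/32")
    print("loop without manual route:", endpoint_loops(stripped, endpoint))
```

The two /1 routes from AllowedIPs are more specific than the default route, so every non-local destination, including the VPN server itself, resolves to wg0 unless a /32 route for the endpoint pins it to the physical interface.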