runfalk / synology-wireguard

WireGuard support for some Synology NAS drives
MIT License
956 stars 134 forks source link

the command "wg show" displays my interface but nothing goes through the tunnel #174

Open Maxence-v opened 1 year ago

Maxence-v commented 1 year ago

My setup is : Oracle VPS to act as the server, and I wan't to use my synology NAS as the client with docker.

When I curl ifconfig.co, inside the wireguard docker container on my synology, I see the public IP of my router, on which my NAS is connected. Instead of the public IP of my oracle VPS.

My Oracle wireguard server config (wg0.conf) generated by wireguard docker:

[Interface]
Address = 10.26.26.1
ListenPort = 51820
PrivateKey = PrivKeyServer
PostUp = iptables -A FORWARD -i %i -j ACCEPT; iptables -A FORWARD -o %i -j ACCEPT; iptables -t nat -A POSTROUTING -o eth+ -j MASQUERADE
PostDown = iptables -D FORWARD -i %i -j ACCEPT; iptables -D FORWARD -o %i -j ACCEPT; iptables -t nat -D POSTROUTING -o eth+ -j MASQUERADE

[Peer]
# peer1
PublicKey = peer1PublicKey
PresharedKey = peer1PresharedKey
AllowedIPs = 10.26.26.3/32

My synology client config wg0.conf:

[Interface]
Address = 10.26.26.3
PrivateKey = PrivKeyClient
ListenPort = 51820
PostUp = iptables -A FORWARD -i %i -j ACCEPT; iptables -t nat -A POSTROUTING \
-o eth0 -j MASQUERADE; sleep 5; ip route add 10.26.26.0/24 dev wg0
PostDown = iptables -D FORWARD -i %i -j ACCEPT; iptables -t nat -D POSTROUTING -o eth0 -j MASQUERADE

[Peer]
PublicKey = peer1PublicKey
PresharedKey = peer1PresharedKey
Endpoint = OracleVPSPublicIP:56000
AllowedIPs = 10.0.1.2/32

ip route output inside synology wireguard container:

default via 172.20.0.1 dev eth0
10.0.1.2 dev wg0 scope link
10.26.26.0/24 dev wg0 proto kernel scope link src 10.26.26.3
172.20.0.0/16 dev eth0 proto kernel scope link src 172.20.0.2
spcqike commented 1 year ago

If you want to route all traffic through wg interface you need to use 0.0.0.0/0 as allowed IP on this device.

Anyway the allowedip in your diskstation config is wrong and doesn’t match the vpn IP of your oracle vps.

And the allowedip for the peer of your diskstation in the vps config is also wrong.

Maxence-v commented 1 year ago

Thanks for your answer.

When I try : 0.0.0.0/0 Then docker restart wireguard, wireguard logs:

[#] ip -4 rule add table main suppress_prefixlength 0
[#] sysctl -q net.ipv4.conf.all.src_valid_mark=1
sysctl: setting key "net.ipv4.conf.all.src_valid_mark", ignoring: Read-only file system
[#] iptables-restore -n
iptables-restore v1.8.7 (legacy): iptables-restore: unable to initialize table 'raw'

Error occurred at line: 1
Try `iptables-restore -h' or 'iptables-restore --help' for more information.

I don't get why my AllowedIPs of the client are wrong

Maxence-v commented 1 year ago

As stated here: https://github.com/runfalk/synology-wireguard/issues/59#issuecomment-1439220671/

I found the solution.

Hello everyone! I know this issue was open for a long time but I just found the solution today.

AllowedIPs 0.0.0.0/0 doesn't work

So you have to put AllowedIPs: 0.0.0.0/1, 128.0.0.0/1, the only problem is that you also send the traffic to the Public IP of your Wireguard Endpoint Sever...

The only solution I found was to add this at the end of your PostUp rule :

; sleep 5; ip route add Endpoint_IP_of_wireguard_server/32 via 172.20.0.1 dev eth0

To get this ip : 172.20.0.1, Use this command line ip a For me the inet of eth0 is : 172.20.0.2/16 so it gives us 172.20.0.1(the default gateway)

eth0@if300: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP group default
    link/ether 02:42:ac:14:00:02 brd ff:ff:ff:ff:ff:ff link-netnsid 0
    inet 172.20.0.2/16 brd 172.20.255.255 scope global eth0

The sleep 5 might not be needed I need to test that.

It looks like that in my client config on Synology:

[Interface]
Address = 10.0.0.2
PrivateKey = priv_key
ListenPort = 51820
DNS = 8.8.8.8
PostUp = iptables -A FORWARD -i %i -j ACCEPT; iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE; sleep 5; ip route add Endpoint_IP_of_wireguard_server/32 via 172.20.0.1 dev eth0
PostDown = iptables -D FORWARD -i %i -j ACCEPT; iptables -t nat -D POSTROUTING -o eth0 -j MASQUERADE

[Peer]
PublicKey = pub_key
PresharedKey = preshared_key
Endpoint = Endpoint_IP_of_wireguard_server:port_wireguard_server
AllowedIPs = 0.0.0.0/1, 128.0.0.0/1
dmillerzx commented 1 year ago

Is AllowedIPs: 0.0.0.0/1, 128.0.0.0/1 a full tunnel like 0.0.0.0/0? If so is there any way to not use the full tunnel setup. Anything else I use for Allowed IPs doesn't allow traffic to pass until the peer pings the server.

dmillerzx commented 1 year ago

Looks adding PersistentKeepalive = 25 will allow the user to use other AllowIP blocks to avoid a full tunnel.