Open Maxence-v opened 1 year ago
If you want to route all traffic through the wg interface, you need to use 0.0.0.0/0 as the allowed IP on this device.
Anyway the allowedip in your diskstation config is wrong and doesn’t match the vpn IP of your oracle vps.
And the allowedip for the peer of your diskstation in the vps config is also wrong.
Thanks for your answer.
When I try 0.0.0.0/0 and then docker restart wireguard, wireguard logs:
[#] ip -4 rule add table main suppress_prefixlength 0
[#] sysctl -q net.ipv4.conf.all.src_valid_mark=1
sysctl: setting key "net.ipv4.conf.all.src_valid_mark", ignoring: Read-only file system
[#] iptables-restore -n
iptables-restore v1.8.7 (legacy): iptables-restore: unable to initialize table 'raw'
Error occurred at line: 1
Try `iptables-restore -h' or 'iptables-restore --help' for more information.
I don't get why my AllowedIPs of the client are wrong
As stated here: https://github.com/runfalk/synology-wireguard/issues/59#issuecomment-1439220671/
I found the solution.
Hello everyone! I know this issue was open for a long time but I just found the solution today.
AllowedIPs 0.0.0.0/0 doesn't work
So you have to put AllowedIPs: 0.0.0.0/1, 128.0.0.0/1. The only problem is that you also send the traffic to the public IP of your WireGuard endpoint server...
The only solution I found was to add this at the end of your PostUp rule:
; sleep 5; ip route add Endpoint_IP_of_wireguard_server/32 via 172.20.0.1 dev eth0
To get this IP (172.20.0.1), use the command ip a.
For me the inet of eth0 is 172.20.0.2/16, so that gives us 172.20.0.1 (the default gateway):
eth0@if300: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP group default
link/ether 02:42:ac:14:00:02 brd ff:ff:ff:ff:ff:ff link-netnsid 0
inet 172.20.0.2/16 brd 172.20.255.255 scope global eth0
The sleep 5 might not be needed; I need to test that.
Here is what it looks like in my client config on Synology:
[Interface]
Address = 10.0.0.2
PrivateKey = priv_key
ListenPort = 51820
DNS = 8.8.8.8
PostUp = iptables -A FORWARD -i %i -j ACCEPT; iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE; sleep 5; ip route add Endpoint_IP_of_wireguard_server/32 via 172.20.0.1 dev eth0
PostDown = iptables -D FORWARD -i %i -j ACCEPT; iptables -t nat -D POSTROUTING -o eth0 -j MASQUERADE
[Peer]
PublicKey = pub_key
PresharedKey = preshared_key
Endpoint = Endpoint_IP_of_wireguard_server:port_wireguard_server
AllowedIPs = 0.0.0.0/1, 128.0.0.0/1
Is AllowedIPs: 0.0.0.0/1, 128.0.0.0/1 a full tunnel like 0.0.0.0/0? If so, is there any way to not use the full tunnel setup? Anything else I use for AllowedIPs doesn't allow traffic to pass until the peer pings the server.
Looks like adding PersistentKeepalive = 25 will allow the user to use other AllowedIPs blocks to avoid a full tunnel.
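As an added example (not code from this thread, from any participant, or from the synology-wireguard project), the following Python linter checks a wg-quick style client config for the two points raised in the solution post above and in the question that follows it: whether 0.0.0.0/1 + 128.0.0.0/1 is really a full tunnel (it is, because the two halves collapse to 0.0.0.0/0), and whether the peer's Endpoint falls inside its own AllowedIPs, in which case it prints the host route the post adds to PostUp. It assumes, as the post does, that the container's gateway is the first host of the eth0 subnet; the sample config, its placeholder keys and the endpoint 203.0.113.10 are constructed for the example.

```python
"""Lint a wg-quick style WireGuard config for the routing problems in this
thread.  Added example code, not from synology-wireguard or any participant."""
import ipaddress

# Constructed sample modelled on the client config posted above; keys are
# placeholders and 203.0.113.10 stands in for Endpoint_IP_of_wireguard_server.
SAMPLE_CONFIG = """
[Interface]
Address = 10.0.0.2
PrivateKey = priv_key

[Peer]
PublicKey = pub_key
PresharedKey = preshared_key
Endpoint = 203.0.113.10:51820
AllowedIPs = 0.0.0.0/1, 128.0.0.0/1
"""

def parse_wg_config(text):
    """Split [Interface]/[Peer] sections into a dict; hand-rolled because
    configparser cannot keep several [Peer] sections apart."""
    interface, peers, current = {}, [], None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        if line.startswith("[") and line.endswith("]"):
            name = line[1:-1].strip().lower()
            if name == "interface":
                current = interface
            elif name == "peer":
                current = {}
                peers.append(current)
            else:
                raise ValueError("unknown section %r" % name)
            continue
        if current is None or "=" not in line:
            raise ValueError("malformed line: %r" % raw)
        key, value = (part.strip() for part in line.split("=", 1))
        current[key.lower()] = value
    return {"interface": interface, "peers": peers}

def allowed_networks(peer):
    return [ipaddress.ip_network(p.strip(), strict=False)
            for p in peer.get("allowedips", "").split(",") if p.strip()]

def is_full_ipv4_tunnel(peer):
    """True when the IPv4 AllowedIPs collapse to 0.0.0.0/0, which covers both a
    single 0.0.0.0/0 entry and the 0.0.0.0/1 + 128.0.0.0/1 pair."""
    v4 = [n for n in allowed_networks(peer) if n.version == 4]
    return list(ipaddress.collapse_addresses(v4)) == [ipaddress.ip_network("0.0.0.0/0")]

def endpoint_address(peer):
    """Endpoint host as an ip_address, or None for a DNS name (not resolved here)."""
    endpoint = peer.get("endpoint")
    if not endpoint:
        return None
    host = endpoint.rsplit(":", 1)[0].strip("[]")
    try:
        return ipaddress.ip_address(host)
    except ValueError:
        return None

def endpoint_inside_tunnel(peer):
    """True when the Endpoint lies inside the peer's own AllowedIPs: with the /1
    routes the encrypted UDP packets need a more specific route, or they are sent
    into the very tunnel they carry."""
    addr = endpoint_address(peer)
    return addr is not None and any(
        addr in net for net in allowed_networks(peer) if net.version == addr.version)

def container_gateway(eth_cidr):
    """First host of the container subnet (172.20.0.2/16 -> 172.20.0.1), the
    assumption made in the post above; confirm with `ip route` in the container."""
    network = ipaddress.ip_interface(eth_cidr).network
    return str(network.network_address + 1)

def bypass_route(peer, eth_cidr, dev="eth0"):
    """Host route that keeps traffic to the endpoint out of the tunnel."""
    addr = endpoint_address(peer)
    if addr is None:
        return None
    return "ip route add %s/%d via %s dev %s" % (
        addr, addr.max_prefixlen, container_gateway(eth_cidr), dev)

def lint(text, eth_cidr="172.20.0.2/16"):
    """Return one finding string per problem, for every peer in the config."""
    findings = []
    for index, peer in enumerate(parse_wg_config(text)["peers"]):
        tag = "peer %d" % index
        if is_full_ipv4_tunnel(peer):
            findings.append("%s: AllowedIPs is a full IPv4 tunnel" % tag)
        if endpoint_inside_tunnel(peer):
            findings.append("%s: Endpoint is inside AllowedIPs, add: %s"
                            % (tag, bypass_route(peer, eth_cidr)))
        if "endpoint" in peer and "persistentkeepalive" not in peer:
            findings.append("%s: no PersistentKeepalive, so the server side cannot "
                            "reach this NATed peer until the peer sends first" % tag)
    return findings
```

Calling lint(SAMPLE_CONFIG) gives three findings for the sample: the /1 pair is a full tunnel, the endpoint sits inside AllowedIPs with the suggested ip route add 203.0.113.10/32 via 172.20.0.1 dev eth0, and PersistentKeepalive is missing. Pass your own config text and the eth0 CIDR shown by ip a in the container to check a real setup.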
My setup is: an Oracle VPS acting as the server, and I want to use my Synology NAS as the client with Docker.
When I curl ifconfig.co inside the wireguard Docker container on my Synology, I see the public IP of my router (to which my NAS is connected) instead of the public IP of my Oracle VPS.
My Oracle wireguard server config (wg0.conf) generated by wireguard docker:
My synology client config wg0.conf:
ip route output inside the Synology wireguard container: