runfalk / synology-wireguard

WireGuard support for some Synology NAS drives
MIT License

ip6tables Initialization Error #193

Open ilya-yarets opened 1 month ago

ilya-yarets commented 1 month ago

WireGuard on Synology NAS: ip6tables Initialization Error

Description
I have set up a VPN connection using WireGuard on my Synology NAS (DS220+) and a client on a Mac. However, I'm encountering issues with the configuration. When I set AllowedIPs to 0.0.0.0/0, I get an ip6tables error, and the VPN does not work. Changing AllowedIPs to 10.7.0.0/32 allows the VPN to start, but I cannot ping the Mac client from the NAS.

Steps to reproduce

$ ssh user@nas
$ sudo wg-quick up wg0
[#] ip link add wg0 type wireguard
[#] wg setconf wg0 /dev/fd/63
[#] ip -4 address add 10.7.0.4/24 dev wg0
[#] ip link set mtu 1420 up dev wg0
[#] wg set wg0 fwmark 51820
[#] ip -6 route add ::/0 dev wg0 table 51820
[#] ip -6 rule add not fwmark 51820 table 51820
[#] ip -6 rule add table main suppress_prefixlength 0
[#] ip6tables-restore -n
ip6tables-restore v1.8.3 (legacy): ip6tables-restore: unable to initialize table 'raw'

Error occurred at line: 1
Try `ip6tables-restore -h' or 'ip6tables-restore --help' for more information.
[#] ip -6 rule delete table 51820
[#] ip -6 rule delete table main suppress_prefixlength 0
[#] ip link delete dev wg0

Expected behavior
I expected the VPN to start without errors and for the NAS to be able to route all traffic through the VPN.

Synology NAS model
DS220+

wg0.conf

[Interface]
PrivateKey = <hidden>
Address = 10.7.0.4/24
# DNS = 1.1.1.1
PostUp = iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE; iptables -A FORWARD -i %i -j ACCEPT; iptables -A FORWARD -o %i -j ACCEPT
PostDown = iptables -t nat -D POSTROUTING -o eth0 -j MASQUERADE; iptables -D FORWARD -i %i -j ACCEPT; iptables -D FORWARD -o %i -j ACCEPT

[Peer]
PublicKey = <hidden>
PresharedKey = <hidden>
AllowedIPs = 0.0.0.0/0, ::/0
PersistentKeepalive = 25
Endpoint = <hidden>:61420

Attempt with AllowedIPs = 10.7.0.0/32

$ sudo wg-quick up wg0
[#] ip link add wg0 type wireguard
[#] wg setconf wg0 /dev/fd/63
[#] ip -4 address add 10.7.0.4/24 dev wg0
[#] ip link set mtu 1420 up dev wg0
[#] iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE; iptables -A FORWARD -i wg0 -j ACCEPT; iptables -A FORWARD -o wg0 -j ACCEPT
$ sudo wg show
interface: wg0
  public key: <hidden>
  private key: (hidden)
  listening port: 42384

peer: <hidden>
  preshared key: (hidden)
  endpoint: <hidden>:61420
  allowed ips: 10.7.0.0/32
  latest handshake: 33 seconds ago
  transfer: 92 B received, 212 B sent
  persistent keepalive: every 25 seconds

$ sudo ping 10.7.0.3
PING 10.7.0.3 (10.7.0.3) 56(84) bytes of data.
From 10.7.0.4 icmp_seq=1 Destination Host Unreachable
ping: sendmsg: Required key not available
From 10.7.0.4 icmp_seq=2 Destination Host Unreachable
ping: sendmsg: Required key not available
From 10.7.0.4 icmp_seq=3 Destination Host Unreachable
ping: sendmsg: Required key not available
...

Issue
Using AllowedIPs = 0.0.0.0/0 results in an ip6tables error. When using AllowedIPs = 10.7.0.0/32, the VPN starts, but I cannot ping the Mac client (10.7.0.3) from the NAS (10.7.0.4). How can I configure WireGuard to route all traffic through the VPN without encountering these issues?
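A small config lint, added here as an example and not code from the synology-wireguard project, that parses a wg0.conf and flags the two conditions the logs above show: an AllowedIPs entry of ::/0, which makes wg-quick install IPv6 policy routing and run ip6tables-restore (the step that fails on the NAS), and a destination such as 10.7.0.3 that falls outside every AllowedIPs network, which the kernel reports as "Required key not available" because no peer owns that address. The config text inside is a constructed stand-in for the posted file, with keys and endpoint redacted.

```python
import ipaddress

# Constructed sample mirroring the posted wg0.conf (secrets redacted).
SAMPLE_CONF = """\
[Interface]
PrivateKey = <hidden>
Address = 10.7.0.4/24

[Peer]
PublicKey = <hidden>
AllowedIPs = 0.0.0.0/0, ::/0
Endpoint = <hidden>:61420
"""


def parse_allowed_ips(conf_text):
    """Collect every AllowedIPs network from all [Peer] sections."""
    nets = []
    for line in conf_text.splitlines():
        key, sep, value = line.partition("=")
        if sep and key.strip() == "AllowedIPs":
            for cidr in value.split(","):
                if cidr.strip():
                    nets.append(ipaddress.ip_network(cidr.strip(), strict=False))
    return nets


def has_ipv6_default_route(nets):
    """::/0 in AllowedIPs triggers wg-quick's IPv6 default-route handling:
    'ip -6 rule' entries plus an ip6tables-restore call."""
    return any(n.version == 6 and n.prefixlen == 0 for n in nets)


def is_routed_to_peer(nets, host):
    """True only if some peer's AllowedIPs covers the destination; otherwise
    the kernel has no peer for it and returns 'Required key not available'."""
    addr = ipaddress.ip_address(host)
    return any(addr.version == n.version and addr in n for n in nets)


def lint(conf_text, must_reach):
    """Return human-readable findings for a config and hosts it must reach."""
    nets = parse_allowed_ips(conf_text)
    findings = []
    if has_ipv6_default_route(nets):
        findings.append("ipv6-default: ::/0 makes wg-quick run ip6tables-restore")
    for host in must_reach:
        if not is_routed_to_peer(nets, host):
            findings.append(f"unreachable: {host} is not inside any AllowedIPs network")
    return findings
```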

ilya-yarets commented 1 month ago

My NAS is a client.