runfalk / synology-wireguard

WireGuard support for some Synology NAS drives
MIT License

No wg0 interface #31

Open electronmoss-gitter opened 4 years ago

electronmoss-gitter commented 4 years ago

Hi runfalk,

Thanks for the wg synology package!

I have a synology DS218+ and with DSM 6.2.2 installed.

I have uploaded the apollolake package manually, have run sudo ip link add wg0 type wireguard and sudo wg, which outputs: interface: wg0.

When I look for the wg0 interface nothing is showing. Am I missing a critical step? Do I need to create the /etc/wireguard/wg0.conf file (which I have done now, with no luck)?

Sorry if this is a noob question.

runfalk commented 4 years ago

Hi there.

Your post does not contain enough information for me to give good advice. I need to know exactly which commands you've run and the output of them.

The way you set up WireGuard on your NAS is similar to how you would do it on any Linux computer. So you can follow any guide you want on how to do that. I recommend using wg0.conf and the wg-quick command. I don't think you want to tinker with the ip command directly unless you know what you're doing.

I can't link you any good tutorial since it depends on how you want your VPN to work.

electronmoss-gitter commented 4 years ago

Thanks for your response runfalk!

The exact steps I took were:

  1. I manually uploaded the apollolake package via DSM package manager
  2. I created the folder and file for /etc/wireguard/wg0.conf with standard wg config (same as used in my existing VPN setups, with different ip addr and keys etc..)
  3. ran 'sudo wg-quick up wg0' which outputs: wg-quick: `wg0' already exists
  4. ran 'sudo wg show' which outputs: interface: wg0

Since my first comment, I ran the command sudo wg-quick down wg0. Then I ran the up command again, with the following response:

user@server:/$ sudo wg-quick up wg0
[#] ip link add wg0 type wireguard
[#] wg setconf wg0 /dev/fd/63
[#] ip -4 address add 192.168.5.10/32 dev wg0
[#] ip link set mtu 1420 up dev wg0
[#] resolvconf -a wg0 -m 0 -x
/usr/local/bin/wg-quick: line 31: resolvconf: command not found
[#] ip link delete dev wg0

Is there any additional information I can provide?

Thanks for your help!!

electronmoss-gitter commented 4 years ago

Just re-read the GitHub page and read that DNS is not supported.

I removed the DNS setting in the config file and now get the following error when running sudo wg-quick up wg0:

[#] ip link add wg0 type wireguard
[#] wg setconf wg0 /dev/fd/63
[#] ip -4 address add 192.168.5.10/32 dev wg0
[#] ip link set mtu 1420 up dev wg0
[#] wg set wg0 fwmark 51820
[#] ip -4 route add 0.0.0.0/0 dev wg0 table 51820
[#] ip -4 rule add not fwmark 51820 table 51820
[#] ip -4 rule add table main suppress_prefixlength 0
[#] sysctl -q net.ipv4.conf.all.src_valid_mark=1
[#] iptables-restore -n
iptables-restore v1.6.0: iptables-restore: unable to initialize table 'raw'

Error occurred at line: 1
Try `iptables-restore -h' or 'iptables-restore --help' for more information.
[#] ip -4 rule delete table 51820
[#] ip -4 rule delete table main suppress_prefixlength 0
[#] ip link delete dev wg0

Any idea?

electronmoss-gitter commented 4 years ago

Hi runfalk, Just wondering if you had any idea about this one? Thanks in advance!

runfalk commented 4 years ago

Hi @electronmoss-gitter, I don't know how to solve your problem. I do track all issues, but I won't reply unless I can contribute with something. I'm very much a WireGuard novice, who happened to know how to cross-compile it for Synology devices :smile:. I'm a bit lost when it comes to anything but the most basic configuration.

The reason why the DNS configuration option is not supported is that the resolvconf program is not available (at least on my device a year ago when I tested it). There may have been changes in WireGuard that allow this to work.

electronmoss-gitter commented 4 years ago

Hi Runfalk, No problem, thanks for your response and help. I'm guessing it's a kernel issue, which I have no clue on how to fix. Cheers.

stvhay commented 4 years ago

I am getting the same error on a DS1019+. I think I've loaded all the kernel modules I need per galaxysd. Oddly, I also cannot just iptables-restore something I just iptables-save'd ... So it definitely seems like an iptables issue.

stvhay commented 4 years ago

I am going to guess that @electronmoss-gitter may have been setting up wireguard for a default route, and this was causing wg-quick to use iptables. At least that is what was happening to me. I ended up taking two approaches to solve the issue:

  1. I set up the wireguard device manually.
  2. I used network namespaces to create an explicit tunnel namespace. I then specified DNS for this namespace only.

Example Script:

#!/bin/bash
# Create wg0 in the root namespace, then move it into a dedicated "tunnel"
# namespace so that only processes started inside that namespace use the VPN.
# The host's own routing, DNS and iptables are left untouched, which is what
# avoids the resolvconf and iptables-restore failures seen with wg-quick.
set -e

ip link add wg0 type wireguard
ip netns add tunnel
ip link set wg0 netns tunnel

# Configure the interface from inside the namespace. <public_key> and
# x.x.x.x:51820 are the peer's public key and endpoint.
ip netns exec tunnel wg set wg0 \
    private-key /etc/wireguard/privatekey \
    peer <public_key> \
    endpoint x.x.x.x:51820 \
    allowed-ips 10.250.0.0/24,0.0.0.0/0
ip netns exec tunnel ip addr add 10.250.0.6/24 dev wg0
ip netns exec tunnel ip link set mtu 1420 up dev wg0
# Inside the namespace wg0 is the only route out, so everything goes via the tunnel.
ip netns exec tunnel ip route add default dev wg0

# Run a command in the tunnel namespace, dropping back to the invoking user's
# uid/gid (define this in your interactive shell to use it after the script).
tunnel_exec() { sudo -E ip netns exec tunnel sudo -E -u \#$(id -u) -g \#$(id -g) "$@"; }

Example resolv.conf:

root@clio:~# cat /etc/netns/tunnel/resolv.conf 
nameserver 1.0.0.1
nameserver 1.1.1.1

Now if you want to ping through the tunnel (for example) you can do:

tunnel_exec ping www.google.com

Credit where credit is due. I got this idea from the Wireguard website. https://www.wireguard.com/netns/#the-new-namespace-solution

The solution posted on the site does it the other way. Everything is set up to tunnel and the namespace is set up for the exception.

s00500 commented 4 years ago

@tablador BINGO!

rjcds commented 4 years ago

> I am going to guess that @electronmoss-gitter may have been setting up wireguard for a default route, and this was causing wg-quick to use iptables. At least that is what was happening to me. I ended up taking two approaches to solve the issue:

I'm having the same issue as electronmoss-gitter.

When I try your namespace solution here, I get a 'Temporary failure in name resolution:' error when it looks up the endpoint name.

I've set up a resolv.conf as in your example, but that doesn't change the above error.

I'd actually prefer to have everything set up to tunnel (as documented in https://www.wireguard.com/netns/#the-new-namespace-solution), but I don't know how to get this to work on a NAS.

rjcds commented 4 years ago

Interestingly, if I load the previous release (Mar 2019), I don't get the iptables-restore v1.6.0: iptables-restore: unable to initialize table 'raw' error. But without a DNS entry in the conf file (due to the lack of resolvconf), nothing loads...

runfalk commented 4 years ago

The new release is based on the rewrite of WireGuard that Jason did in order to get it merged into Linux 5.6. There was some dispute about whether to use the kernel's built in crypto or if WireGuard could roll their own. It wouldn't surprise me that the two releases are very different. However, I made very few changes to how the build process works between those releases.

Unfortunately I don't know how to solve your issue.

jonozzz commented 3 years ago

You could get some inspiration from OpenVPN's solution: Change:

AllowedIPs = 0.0.0.0/0

To:

AllowedIPs = 0.0.0.0/1,128.0.0.0/1
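The two failure modes in this thread are both decided by the config file before wg-quick touches the network: a DNS= line makes wg-quick call resolvconf, which the NAS does not ship, and an AllowedIPs entry with a /0 prefix makes wg-quick take its default-route path (fwmark, policy routing table 51820 and iptables-restore, which fails here on the missing raw table) unless Table = off is set. The split into 0.0.0.0/1 and 128.0.0.0/1 works because wg-quick then adds two ordinary routes instead. The following checker is an added example, not code from the synology-wireguard project or from anyone in this thread; it parses a wg-quick config, reports those two options, and rewrites them. The sample config is constructed for the example, with placeholder keys and an invented endpoint name.

```python
"""Added example (not code from the synology-wireguard project): flag the two
wg-quick options that fail on this NAS and rewrite them. DNS= makes wg-quick
call resolvconf (absent here); an AllowedIPs entry with a /0 prefix makes it
add a default route through fwmark + iptables-restore (unless Table = off)."""
import ipaddress
import re

# jonozzz's workaround: two /1 routes cover the same space as /0 but do not
# trigger wg-quick's default-route handling.
HALVES = {"0.0.0.0/0": ["0.0.0.0/1", "128.0.0.0/1"], "::/0": ["::/1", "8000::/1"]}

# Constructed sample config; keys and endpoint are placeholders.
SAMPLE_CONF = """\
[Interface]
PrivateKey = <private key>
Address = 192.168.5.10/32
DNS = 1.1.1.1

[Peer]
PublicKey = <peer public key>
Endpoint = vpn.example.com:51820
AllowedIPs = 10.250.0.0/24, 0.0.0.0/0
"""


def parse_wg_conf(text):
    """Parse wg-quick INI text into [(section, {key: [values]})]; sections
    and keys may repeat, so each section is a tuple and values are lists."""
    sections, current = [], None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # strip comments and whitespace
        if not line:
            continue
        m = re.fullmatch(r"\[(\w+)\]", line)
        if m:
            current = (m.group(1), {})
            sections.append(current)
        elif current is None or "=" not in line:
            raise ValueError(f"unexpected line outside a section: {raw!r}")
        else:
            key, value = (part.strip() for part in line.split("=", 1))
            current[1].setdefault(key, []).append(value)
    return sections


def split_cidrs(value):
    """'10.250.0.0/24, 0.0.0.0/0' -> ['10.250.0.0/24', '0.0.0.0/0']"""
    return [c.strip() for c in value.split(",") if c.strip()]


def is_default_route(cidr):
    """wg-quick treats any AllowedIPs entry with prefix length 0 as a
    request to send all traffic through the tunnel."""
    return ipaddress.ip_network(cidr, strict=False).prefixlen == 0


def find_problems(text):
    """Return one message per option that will fail on the NAS."""
    sections = parse_wg_conf(text)
    interface = next((body for name, body in sections if name == "Interface"), {})
    problems = []
    if "DNS" in interface:
        problems.append("DNS= makes wg-quick call resolvconf, which is missing")
    table_off = any(v.lower() == "off" for v in interface.get("Table", []))
    for name, body in sections:
        for value in body.get("AllowedIPs", []) if name == "Peer" else []:
            for cidr in split_cidrs(value):
                if is_default_route(cidr) and not table_off:
                    problems.append(f"AllowedIPs {cidr} triggers the fwmark/"
                                    "iptables-restore default-route path")
    return problems


def rewrite_conf(text):
    """Drop DNS= lines and replace each /0 AllowedIPs entry with its two /1
    halves; every other line is copied through unchanged."""
    out = []
    for raw in text.splitlines():
        key, _, value = raw.strip().partition("=")
        key = key.strip()
        if key == "DNS":
            continue
        if key == "AllowedIPs":
            cidrs = []
            for cidr in split_cidrs(value):
                if is_default_route(cidr):
                    cidrs += HALVES[str(ipaddress.ip_network(cidr, strict=False))]
                else:
                    cidrs.append(cidr)
            out.append("AllowedIPs = " + ", ".join(cidrs))
        else:
            out.append(raw)
    return "\n".join(out) + "\n"
```

Run find_problems on your wg0.conf before wg-quick up; an empty list means neither failing code path is reached. One caveat with the /1 split that the thread does not spell out: wg-quick's fwmark rules also exist so that the encrypted UDP packets to the Endpoint are not themselves routed into wg0. With two /1 routes in the main table that cover the endpoint, you still need a host route for the endpoint via your LAN gateway (for example from a PostUp line), as OpenVPN does for its server, or the tunnel routes into itself.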