[Solution] working DNS for a default (Router->Nas) server/client use case.

[Andy2244]

Description I could not get the tunnel to work with the given examples/documentation. We want to access our LAN's NAS/Samba + other services (Docker stuff) from external Windows/MacOS clients and Android Phones (4g).

Synology NAS model DS415+ (DSM 6.2.2)

wg0.conf

[Interface]
Address = 10.0.10.1/24
ListenPort = 56111
PrivateKey = ***********
PostUp = iptables -A FORWARD -i %i -j ACCEPT; iptables -A FORWARD -o %i -j ACCEPT; iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
PostDown = iptables -D FORWARD -i %i -j ACCEPT; iptables -D FORWARD -o %i -j ACCEPT; iptables -t nat -D POSTROUTING -o eth0 -j MASQUERADE
[Peer]
PublicKey = ***********
AllowedIPs = 10.0.10.201/32

If there are multiple peers, include their configuration too.

[Interface]
PrivateKey = ***********
Address = 10.0.10.201/32

[Peer]
PublicKey = ***********
AllowedIPs = 10.0.10.0/24
Endpoint = *****:56111

NOTE: The NAS is behind a router (fritz.box/192.168.178.1) and udp port 56111 is forwarded to the NAS ip 192.168.178.2.

With this default configuration from the github page, i could not ping any tunnel endpoint from either side (10.0.10.1), but the wireguard connection was established, wg show had established handshake.

Here is what actually worked for this setup: wg0.conf

[Interface]
Address = 10.0.10.1/24
ListenPort = 56111
PrivateKey = ***********
Table = off
PostUp = iptables -A FORWARD -i %i -j ACCEPT; iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE; sleep 5; ip route add 10.0.10.0/24 dev wg0
PostDown = iptables -D FORWARD -i %i -j ACCEPT; iptables -t nat -D POSTROUTING -o eth0 -j MASQUERADE
[Peer]
PublicKey = ***********
AllowedIPs = 10.0.10.201/32

Client Config (Windows10 + local DNS at 192.168.1.1):

[Interface]
PrivateKey = ***********
Address = 10.0.10.201/32
DNS = 192.168.1.1, 192.168.178.1
[Peer]
PublicKey = ***********
AllowedIPs = 10.0.10.0/24, 192.168.178.0/24
Endpoint = *****:56111

This way everything works as expected and we can use both LAN's DNS servers, but you have to use the FQDN aka server.fritz.box (192.168.178.2) vs router.lan (192.168.1.1).

The biggest puzzle piece was the missing route entry "sleep 5; ip route add 10.0.10.0/24 dev wg0" without the extra entry and the timeout i could not get anything to work.

PS: Also make sure you actually use ping on your termux android phone, termux by default will use a special internal DNS via 3/4g and nslookup will fail, while pings resolve correctly!

[Johnex]

Yes this worked for me too. Setting up the PostUp, PostDown like other issues wrote about with the extra ip route add wasn't enough. The extra line:

Table = off

..is required to make it work, at least for me on DSM 6.2 and DS918+ :)

I recommend the Readme be updated again with this solution :)

As i side note, i was not able to install the Wireguard package, compiled by me or precompiled from here, if i didn't fix the broken path first with:

ln -s /usr/bin/ /usr/local/bin

[trijethero]

I finally got my WG to work on my Synology, also managed to get the DNS working as mentioned in this issue, however it does not have any practical value for what I would like to achieve:

• All traffic routed through the wg connection, with IP lookup from outside showing my local home IP
• Access to the complete local network behind the wg.

If I add the gateway and the ip addresses as DNS where the wg is installed I get this behaviour:

• Traffic is not routed through the wg connection, but instead is only routed locally; IP lookup give the external IP address instead of my local home IP.
• Only the IP address where the wg is installed is accessible, I cannot reach the whole local network.

So I can log in to the Synology NAS, but not reach any of the other clients in the local network.

It is possible as I have a GLi-Net mini-router which does allow all traffic to go through the wg server on that, it uses 0.0.0.0/0, but that does not work on Synology.

Anybody have a solution for this on Synology?

[Johnex]

If you set AllowedIPs = 0.0.0.0/0 and set the DNS to your main router IP, for example DNS = 10.1.0.1 for each client, traffic is routed via the VPN for me. You should check your config :)

On the server side i have Address = 10.0.0.1/24 And this:

PostUp = iptables -A FORWARD -i %i -j ACCEPT; iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE; sleep 5; ip route add 10.0.0.0/24 dev wg0
PostDown = iptables -D FORWARD -i %i -j ACCEPT; iptables -t nat -D POSTROUTING -o eth0 -j MASQUERADE

Each client then has AllowedIPs = 10.0.0.X/32 on the server config and Address = 10.0.0.X/32 on the client config, X being the same on both ends.

[trijethero]

Thats what I have:

Server

 [Interface]

Address = 10.0.1.1/24
PrivateKey = PK
ListenPort = 16600

Table = off

PostUp = iptables -A FORWARD -i i% -j ACCEPT; iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE; sleep 5; ip route add 10.0.1.0/24 dev wg0

PostDown = iptables -D FORWARD -i i% -j ACCEPT; iptables -t nat -D POSTROUTING -o eth0 -j MASQUERADE

[Peer] # Macbook
PublicKey = PubK
AllowedIPs = 10.0.1.2/32

[Peer] # iPhone
PublicKey = PubK
AllowedIPs = 10.0.1.3/32

iPhone Client:

[Interface]
PrivateKey = PK
Address = 10.0.1.3/32
DNS = 192.168.1.1, 192.168.1.188
MTU = 1420

[Peer]
PublicKey = PubK
AllowedIPs = 0.0.0.0/0
Endpoint = MYIP:443
PersistentKeepalive = 25

192.168.1.1 is my home router 192.168.1.188 my NAS

I can only approach the NAS and no other clients in my home network from outside I get internet access, but it is not routed through the VPN; if I do a MYIP lookup i get the 4G IP address on my iPhone instead of my home IP address.

[rikroe]

@trijethero If you're fine with routing all your traffic via wireguard, I've got an almost similar that works for me on 218+ with latest DSM (only differences):

• I don't need Table = off on server
• I just use my home router's IP as Dns on the client, not both
• I also have AllowedIPs = 0.0.0.0/0, ::/0 but not sure if that makes a difference.

[trijethero]

Unfortunately that does not work for the 918+

Even with the new 1.x release it still will not route traffic via the wireguard connection.

Only the IP address where the WG server is located can be accessed and no internet traffic is routed through the wg server.

Pretty sure it is a quirk on either this WG software or the 918+ or the combination of both, it's not in my network as I have a working WG server on my GLI mini-router which routes all traffic via that server.

[Troubadoure]

I'm really struggling to get this up and running as well could someone advise where I'm going wrong? My Wireguard server is at 10.0.0.75/24 and dns at 10.0.0.3/24 (running pi-hole with mtacvlan on 10.0.0.75). My router is 10.0.0.1/24

wg0.conf

[Interface]
Address=10.0.1.1/32
PostUp = iptables -A FORWARD -i %i -j ACCEPT; iptables -t nat -A POSTROUTING -o ovs_eth0 -j MASQUERADE; sleep 5; ip route add 10.0.0.0/24 dev wg0
PostDown = iptables -D FORWARD -i %i -j ACCEPT; iptables -t nat -D POSTROUTING -o ovs_eth0 -j MASQUERADE
ListenPort = 51820
PrivateKey = ******
Table = off

[Peer]
PublicKey = ******
AllowedIPs = 10.0.1.2/32

Using sudo wg quick-up wg0 I get a message saying:

RTNETLINK answers: File exists

and the system doesn't start after adding ; sleep 5; ip route add 10.0.0.0/24 dev wg0 to my config

wg-client.conf

# /etc/wireguard/wg-client.conf
[Interface]
PrivateKey = xxxxxxx
Address=10.0.1.2/32
DNS = 10.0.0.3, 10.0.0.1

[Peer]
Endpoint = mypublicip.com:51820
PublicKey = xxxxxxx
AllowedIPs = 10.0.1.0/32, 10.0.0.0/24

output of sudo wg

interface: wg0
  public key: xxxxxxx
  private key: (hidden)
  listening port: 51820

peer: xxxxxx
  allowed ips: 10.0.1.2/32

[runfalk]

The sleep thing is very dependent on the IP-addresses in your actual subnet, The command you should use is probably ; sleep 5; ip route add 10.0.1.0/24 dev wg0, but I'm not sure of your exact network topology:

• Are you using your synology device as the "server"?
• Which system does wg0.conf belong to?
• Is 10.0.0.* your normal non-VPN network?
• Which system is wg-client.conf?

[Troubadoure]

@runfalk Thanks for the quick response

1. Yes - It is running on my Synology DS415+ (I also have OpenVPN server running not sure if this could affect it)

2. wg0.conf is on my Synology server.

3. 10.0.0.0/24 is my LAN network

4. wg-client.conf is generated on the Synology then I’m using it on my iPhone with the WireGuard app transferring it using a QR code. It says it is connected on the iPhone app but doesn’t show any information when running sudo wg on Synology in terms of handshake info.

Added ; sleep 5; ip route add 10.0.1.0/24 dev wg0 to my wg0.conf. It now runs but still not getting server IP address / DNS and not able to access any of my LAN devices remotely.

[rikroe]

1. Yes - It is running on my Synology DS415+ (I also have OpenVPN server running not sure if this could affect it) ... Added ; sleep 5; ip route add 10.0.1.0/24 dev wg0 to my wg0.conf. It now runs but still not getting server IP address / DNS and not able to access any of my LAN devices remotely.

I know it is a quite silly question, but what IP range is your OpenVPN server using?

I had exactly the same issue: Somehow my OpenVPN (using Synology's VPN server package) got reactivated after a NAS restart. Then I was only able to connect with Wireguard but did not get any network connections into my LAN. Deactivating the OpenVPN and restarting Wireguard using wg-quick solved my issue.

[trijethero]

@rikroe

I have a VPN installed, but disabling does not help

[trijethero]

EUREKA!

After long research I came up with a much simpler solution, credits to lunux https://lunux.net/synology-port-forwarding/

I can now connect to my NAS via wireguard over 4G from my iPhone, have full local network access and full traffic forwarding.

Wireguard exclusively uses UDP trafic, so i forwarded all UDP traffic from the wg server to my NAS.

10.0.1.1 is the wg server 192.168.1.188 is my NAS where wg server is installed 192.168.1.1 DNS/Router

This is the setup:

Server

[Interface]
Address = 10.0.1.1/32
PrivateKey = PrivK Server
ListenPort = 16600

PostUp = iptables -t nat -A PREROUTING -s 10.0.1.1/32 -p udp -j DNAT --to-destination 192.168.1.188

PostDown = iptables -t nat -D PREROUTING -s 10.0.1.1/32 -p udp -j DNAT --to-destination 192.168.1.188

[Peer] # iPhone
PublicKey = PubK iPhone
AllowedIPs = 10.0.1.3/32

Client:

[Interface]
PrivateKey = PrivK iPhone
Address = 10.0.1.3/32
DNS = 192.168.1.1
MTU = 1420

[Peer]
PublicKey = PubK Server
AllowedIPs = 0.0.0.0/0
Endpoint = MYIP:my fwd port
PersistentKeepalive = 25

[martinorob]

@trijethero in wich version of DSM works this conf?

[suxus-zz]

@trijethero I try your setting, but when i use on the client

AllowedIPs = 0.0.0.0/0

then i can't connect to a website. When ich remove this then i have access to the internet, but i have no access to my local devices NAS, MacMini Server.

Have you a idea what's wrong?

regrads Roger

[runfalk]

Allowed IPs on the client basically says which traffic that should be routed through WireGuard. If you put 0.0.0.0/0 there it means all IPv4 traffic. If the server you're connecting to is not properly configured to forward traffic you'll get this issue. If you just want access to your other devices on the same VPN but don't want to route traffic you need something like 10.0.0.0/16 or something similar depending on your IP range and exact network configuration.

[suxus-zz]

Hello Yes i know with 0.0.0.0/0 it will route all traffic and i think i need this when i will access to my local devices. But what are the right settings for the routing? I think i must redirect the traffic to my DNS server, (my Router) but how make this on the Synology? Regards Roger