Closed Andy2244 closed 2 years ago
Yes this worked for me too.
Setting up the PostUp, PostDown like other issues wrote about with the extra ip route add
wasn't enough. The extra line:
Table = off
..is required to make it work, at least for me on DSM 6.2 and DS918+ :)
I recommend the Readme be updated again with this solution :)
As a side note, I was not able to install the WireGuard package, compiled by me or precompiled from here, if I didn't fix the broken path first with:
ln -s /usr/bin/ /usr/local/bin
I finally got my WG to work on my Synology, also managed to get the DNS working as mentioned in this issue, however it does not have any practical value for what I would like to achieve:
If I add the gateway and the ip addresses as DNS where the wg is installed I get this behaviour:
So I can log in to the Synology NAS, but not reach any of the other clients in the local network.
It is possible as I have a GLi-Net mini-router which does allow all traffic to go through the wg server on that, it uses 0.0.0.0/0, but that does not work on Synology.
Anybody have a solution for this on Synology?
If you set AllowedIPs = 0.0.0.0/0
and set the DNS to your main router IP, for example DNS = 10.1.0.1
for each client, traffic is routed via the VPN for me. You should check your config :)
On the server side I have Address = 10.0.0.1/24
And this:
PostUp = iptables -A FORWARD -i %i -j ACCEPT; iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE; sleep 5; ip route add 10.0.0.0/24 dev wg0
PostDown = iptables -D FORWARD -i %i -j ACCEPT; iptables -t nat -D POSTROUTING -o eth0 -j MASQUERADE
Each client then has AllowedIPs = 10.0.0.X/32
on the server config and Address = 10.0.0.X/32
on the client config, X being the same on both ends.
That's what I have:
Server
[Interface]
Address = 10.0.1.1/24
PrivateKey = PK
ListenPort = 16600
Table = off
PostUp = iptables -A FORWARD -i %i -j ACCEPT; iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE; sleep 5; ip route add 10.0.1.0/24 dev wg0
PostDown = iptables -D FORWARD -i %i -j ACCEPT; iptables -t nat -D POSTROUTING -o eth0 -j MASQUERADE
[Peer] # Macbook
PublicKey = PubK
AllowedIPs = 10.0.1.2/32
[Peer] # iPhone
PublicKey = PubK
AllowedIPs = 10.0.1.3/32
iPhone Client:
[Interface]
PrivateKey = PK
Address = 10.0.1.3/32
DNS = 192.168.1.1, 192.168.1.188
MTU = 1420
[Peer]
PublicKey = PubK
AllowedIPs = 0.0.0.0/0
Endpoint = MYIP:443
PersistentKeepalive = 25
192.168.1.1 is my home router, 192.168.1.188 my NAS.
I can only approach the NAS and no other clients in my home network from outside. I get internet access, but it is not routed through the VPN; if I do a MYIP lookup I get the 4G IP address on my iPhone instead of my home IP address.
@trijethero If you're fine with routing all your traffic via wireguard, I've got an almost similar one that works for me on 218+ with latest DSM (only differences):
Table = off
on server; DNS on the client, not both; AllowedIPs = 0.0.0.0/0, ::/0
but not sure if that makes a difference.
Unfortunately that does not work for the 918+.
Even with the new 1.x release it still will not route traffic via the wireguard connection.
Only the IP address where the WG server is located can be accessed and no internet traffic is routed through the wg server.
Pretty sure it is a quirk on either this WG software or the 918+ or the combination of both, it's not in my network as I have a working WG server on my GLI mini-router which routes all traffic via that server.
I'm really struggling to get this up and running as well. Could someone advise where I'm going wrong? My WireGuard server is at 10.0.0.75/24 and DNS at 10.0.0.3/24 (running pi-hole with macvlan on 10.0.0.75). My router is 10.0.0.1/24.
wg0.conf
[Interface]
Address=10.0.1.1/32
PostUp = iptables -A FORWARD -i %i -j ACCEPT; iptables -t nat -A POSTROUTING -o ovs_eth0 -j MASQUERADE; sleep 5; ip route add 10.0.0.0/24 dev wg0
PostDown = iptables -D FORWARD -i %i -j ACCEPT; iptables -t nat -D POSTROUTING -o ovs_eth0 -j MASQUERADE
ListenPort = 51820
PrivateKey = ******
Table = off
[Peer]
PublicKey = ******
AllowedIPs = 10.0.1.2/32
Using sudo wg-quick up wg0
I get a message saying:
RTNETLINK answers: File exists
and the system doesn't start after adding ; sleep 5; ip route add 10.0.0.0/24 dev wg0
to my config
wg-client.conf
# /etc/wireguard/wg-client.conf
[Interface]
PrivateKey = xxxxxxx
Address=10.0.1.2/32
DNS = 10.0.0.3, 10.0.0.1
[Peer]
Endpoint = mypublicip.com:51820
PublicKey = xxxxxxx
AllowedIPs = 10.0.1.0/32, 10.0.0.0/24
output of sudo wg
interface: wg0
public key: xxxxxxx
private key: (hidden)
listening port: 51820
peer: xxxxxx
allowed ips: 10.0.1.2/32
The sleep thing is very dependent on the IP addresses in your actual subnet. The command you should use is probably ; sleep 5; ip route add 10.0.1.0/24 dev wg0, but I'm not sure of your exact network topology: is 10.0.0.* your normal non-VPN network?
@runfalk Thanks for the quick response
Yes - It is running on my Synology DS415+ (I also have OpenVPN server running not sure if this could affect it)
wg0.conf is on my Synology server.
10.0.0.0/24 is my LAN network
wg-client.conf is generated on the Synology then I’m using it on my iPhone with the WireGuard app transferring it using a QR code. It says it is connected on the iPhone app but doesn’t show any information when running sudo wg
on Synology in terms of handshake info.
Added ; sleep 5; ip route add 10.0.1.0/24 dev wg0
to my wg0.conf. It now runs but still not getting server IP address / DNS and not able to access any of my LAN devices remotely.
- Yes - It is running on my Synology DS415+ (I also have OpenVPN server running not sure if this could affect it) ... Added
; sleep 5; ip route add 10.0.1.0/24 dev wg0
to my wg0.conf. It now runs but still not getting server IP address / DNS and not able to access any of my LAN devices remotely.
I know it is a quite silly question, but what IP range is your OpenVPN server using?
I had exactly the same issue: Somehow my OpenVPN (using Synology's VPN server package) got reactivated after a NAS restart.
Then I was only able to connect with Wireguard but did not get any network connections into my LAN. Deactivating the OpenVPN and restarting Wireguard using wg-quick
solved my issue.
@rikroe
I have a VPN installed, but disabling does not help
EUREKA!
After long research I came up with a much simpler solution, credits to lunux https://lunux.net/synology-port-forwarding/
I can now connect to my NAS via wireguard over 4G from my iPhone, have full local network access and full traffic forwarding.
WireGuard exclusively uses UDP traffic, so I forwarded all UDP traffic from the wg server to my NAS.
10.0.1.1 is the wg server, 192.168.1.188 is my NAS where the wg server is installed, 192.168.1.1 is the DNS/router.
This is the setup:
Server
[Interface]
Address = 10.0.1.1/32
PrivateKey = PrivK Server
ListenPort = 16600
PostUp = iptables -t nat -A PREROUTING -s 10.0.1.1/32 -p udp -j DNAT --to-destination 192.168.1.188
PostDown = iptables -t nat -D PREROUTING -s 10.0.1.1/32 -p udp -j DNAT --to-destination 192.168.1.188
[Peer] # iPhone
PublicKey = PubK iPhone
AllowedIPs = 10.0.1.3/32
Client:
[Interface]
PrivateKey = PrivK iPhone
Address = 10.0.1.3/32
DNS = 192.168.1.1
MTU = 1420
[Peer]
PublicKey = PubK Server
AllowedIPs = 0.0.0.0/0
Endpoint = MYIP:my fwd port
PersistentKeepalive = 25
@trijethero in which version of DSM does this conf work?
@trijethero I try your setting, but when I use on the client
AllowedIPs = 0.0.0.0/0
then I can't connect to a website. When I remove this then I have access to the internet, but I have no access to my local devices (NAS, MacMini Server).
Have you an idea what's wrong?
regards Roger
Allowed IPs on the client basically says which traffic that should be routed through WireGuard. If you put 0.0.0.0/0 there it means all IPv4 traffic. If the server you're connecting to is not properly configured to forward traffic you'll get this issue. If you just want access to your other devices on the same VPN but don't want to route traffic you need something like 10.0.0.0/16 or something similar depending on your IP range and exact network configuration.
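As an added illustration of the point above (this is not code from the thread or from the project): parse the AllowedIPs of a client config and decide, per destination, whether wg-quick would send that traffic into the tunnel. The config below is constructed after the ones posted in this thread, with placeholder keys and an example endpoint.

```python
import ipaddress

# Constructed client config modelled on the ones posted in this thread.
# Keys and endpoint are placeholders, not real material.
CLIENT_CONF = """\
[Interface]
PrivateKey = PLACEHOLDER_CLIENT_PRIVATE_KEY
Address = 10.0.1.2/32
DNS = 10.0.0.3, 10.0.0.1

[Peer]  # server
PublicKey = PLACEHOLDER_SERVER_PUBLIC_KEY
Endpoint = vpn.example.invalid:51820
AllowedIPs = 10.0.1.0/32, 10.0.0.0/24
"""


def parse_allowed_ips(conf):
    """Collect every [Peer] AllowedIPs entry as an ip_network object."""
    nets = []
    section = None
    for raw in conf.splitlines():
        line = raw.split("#", 1)[0].strip()  # wg-quick ignores '#' comments
        if not line:
            continue
        if line.startswith("["):
            section = line.strip("[]").strip().lower()
            continue
        key, _, value = line.partition("=")
        if section == "peer" and key.strip().lower() == "allowedips":
            for item in value.split(","):
                if item.strip():
                    # strict=False: wg masks host bits, so 10.0.1.1/24 is accepted
                    nets.append(ipaddress.ip_network(item.strip(), strict=False))
    return nets


def via_tunnel(conf, destination):
    """True if traffic for `destination` is selected by some AllowedIPs entry."""
    addr = ipaddress.ip_address(destination)
    return any(addr in net for net in parse_allowed_ips(conf))


if __name__ == "__main__":
    # 10.0.1.0/32 covers only the .0 address, so the server's 10.0.1.1 is missed
    for dest in ("10.0.1.1", "10.0.0.3", "8.8.8.8"):
        print(f"{dest:>10}: {'tunnel' if via_tunnel(CLIENT_CONF, dest) else 'bypasses VPN'}")
```

A /32 such as 10.0.1.0/32 covers exactly one address; to reach the server's tunnel address you need its host /32 or the whole tunnel subnet, and 0.0.0.0/0 only helps when the server side also forwards and masquerades.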
Hello, yes I know with 0.0.0.0/0 it will route all traffic, and I think I need this when I want to access my local devices. But what are the right settings for the routing? I think I must redirect the traffic to my DNS server (my router), but how do I do this on the Synology? Regards Roger
Description: I could not get the tunnel to work with the given examples/documentation. We want to access our LAN's NAS/Samba + other services (Docker stuff) from external Windows/macOS clients and Android phones (4G).
Synology NAS model DS415+ (DSM 6.2.2)
wg0.conf
NOTE: The NAS is behind a router (fritz.box/192.168.178.1) and udp port 56111 is forwarded to the NAS ip 192.168.178.2.
With this default configuration from the GitHub page, I could not ping any tunnel endpoint from either side (10.0.10.1), but the WireGuard connection was established; wg show had an established handshake.
Here is what actually worked for this setup:
wg0.conf
Client Config (Windows10 + local DNS at 192.168.1.1):
This way everything works as expected and we can use both LANs' DNS servers, but you have to use the FQDN, aka server.fritz.box (192.168.178.2) vs router.lan (192.168.1.1).
The biggest puzzle piece was the missing route entry
"sleep 5; ip route add 10.0.10.0/24 dev wg0"
Without the extra entry and the timeout I could not get anything to work.
PS: Also make sure you actually use ping on your Termux Android phone; Termux by default will use a special internal DNS via 3G/4G and nslookup will fail, while pings resolve correctly!