runfalk / synology-wireguard

WireGuard support for some Synology NAS drives
MIT License

Can't install on DS218+ #55

Open Jerroder opened 3 years ago

Jerroder commented 3 years ago

I just tried to install wireguard on a fresh install of DSM on a 218+ but it just doesn't want to.

root@nas:~# uname -a
Linux nas 4.4.59+ #25426 SMP PREEMPT Wed Jul 8 03:21:29 CST 2020 x86_64 GNU/Linux synology_apollolake_218+

So I downloaded the apollolake package. I tried both the latest 1.0.20200729 and the previous 1.0.20200401 but neither worked. When I try via DSM, I just have the message "failed to install the package" (the install setting is set to "any publisher") and when I try via synopkg:

root@nas:~# synopkg install WireGuard-apollolake-1.0.20200729.spk
Failed to install package WireGuard-apollolake-1.0.20200729.spk, error = [263]

The other problem (more related to the NAS itself I think) is that I can't uninstall it:

root@nas:~$ synopkg uninstall WireGuard
Failed to uninstall package: WireGuard, 0

I have to remove all of these in order to do so:

root@nas:~# rm -rf /usr/syno/etc/packages/WireGuard
root@nas:~# rm -rf /var/packages/WireGuard
root@nas:~# rm -rf /var/cache/pkglist.tmp/icon/INST/WireGuard

Rebooting doesn't solve anything and I still have the files wg, wg-quick and wireguard.ko in /volume1/@appstore/WireGuard/wireguard/. When I try to use wg-quick, I get the message:

RTNETLINK answers: Operation not supported
Unable to access interface: Protocol not supported

Did I miss something?

runfalk commented 3 years ago

Interesting. This does sound similar to issue #54, which is also Apollolake based. So for wireguard to work you must have the kernel module loaded. Normally this is taken care of by https://github.com/runfalk/synology-wireguard/blob/master/scripts/start-stop-status#L26.

Could you try running lsmod|grep wireguard before and after trying to load wireguard.ko using insmod?

This is the output on my NAS:

$ lsmod|grep wireguard
wireguard             132560  0 
ip_tunnel              11522  2 sit,wireguard
ipv6                  281035  51 sit,rodsp_ep,wireguard

If it doesn't show up, could you check the output of dmesg?

I'm also curious if the startscript loaded the kernel parameters correctly:

$ sudo sysctl -a|grep ip_forward
net.ipv4.ip_forward = 1

Jerroder commented 3 years ago

> This does sound similar to issue #54, which is also Apollolake based.

I looked at it before posting but it's not exactly the same indeed, I don't have the same message in DSM and so on.

> Could you try running lsmod|grep wireguard

No output, but after running insmod I have:

root@nas:~# lsmod | grep wireguard
wireguard             205419  0
ip6_udp_tunnel          1903  2 vxlan,wireguard
udp_tunnel              2355  2 vxlan,wireguard
ipv6                  336006  60 sit,wireguard

> If it doesn't show up, could you check the output of dmesg?

I don't see anything wireguard related in dmesg but after running insmod, I have:

[  126.121918] wireguard: module verification failed: signature and/or required key missing - tainting kernel
[  126.133636] wireguard: WireGuard 1.0.20200729 loaded. See www.wireguard.com for information.
[  126.143222] wireguard: Copyright (C) 2015-2019 Jason A. Donenfeld <Jason@zx2c4.com>. All Rights Reserved.

> I'm also curious if the startscript loaded the kernel parameters correctly:

The IP forwarding is 0, and when I set it to 1 manually and run ./wg-quick up wg0, it initiates the connection (I can see on the server that the NAS connects and exchanges a few bytes with it) but I then have an iptables error (I know the config file is correct because I copy/pasted it, and changed the key, from another FreeBSD client):

[#] ip link add wg0 type wireguard
[#] wg setconf wg0 /dev/fd/63
[#] ip -4 address add x.x.x.x/32 dev wg0
[#] ip link set mtu 1420 up dev wg0
[#] wg set wg0 fwmark 51820
[#] ip -4 route add 0.0.0.0/0 dev wg0 table 51820
[#] ip -4 rule add not fwmark 51820 table 51820
[#] ip -4 rule add table main suppress_prefixlength 0
[#] sysctl -q net.ipv4.conf.all.src_valid_mark=1
[#] iptables-restore -n
iptables-restore v1.6.0: iptables-restore: unable to initialize table 'raw'

Error occurred at line: 1
Try `iptables-restore -h' or 'iptables-restore --help' for more information.
[#] ip -4 rule delete table 51820
[#] ip -4 rule delete table main suppress_prefixlength 0
[#] ip link delete dev wg0

runfalk commented 3 years ago

Hm, then it does seem like the start script isn't running.

You could try to perform the steps it does manually and see if it works: https://github.com/runfalk/synology-wireguard/blob/master/scripts/start-stop-status

I think you should be able to copy the script and run it with ./start-stop-status start as root. Make sure it is executable (chmod +x start-stop-status).

Then you can try to run wg-quick again.

Jerroder commented 3 years ago

> Hm, then it does seem like the start script isn't running.

No surprise here I guess, since the package can't be installed.

> I think you should be able to copy the script and run it with ./start-stop-status start as root

The variable SYNOPKG_PKGDEST is not set so /sbin/insmod $SYNOPKG_PKGDEST/wireguard/wireguard.ko returns an error. When I replace it with the absolute path to wireguard.ko it works but I still have the same error with wg-quick.

FYI the content of the if statement in the start case is executed, I have the output for the iptables core and nat modules.

runfalk commented 3 years ago

I've seen other people with the same iptables error before (#31). This poster seems to have found a workaround that doesn't use iptables: https://github.com/runfalk/synology-wireguard/issues/31#issuecomment-593861167.

I wonder if we have the same iptables modules:

$ lsmod|grep iptable_
iptable_nat             2192  1 
nf_nat_ipv4             2921  1 iptable_nat
nf_nat                 11074  5 ipt_MASQUERADE,nf_nat_ipv4,xt_nat,xt_REDIRECT,iptable_nat
nf_conntrack           49120  5 ipt_MASQUERADE,nf_nat,nf_nat_ipv4,iptable_nat,nf_conntrack_ipv4
iptable_filter          1057  0 
ip_tables               9413  2 iptable_filter,iptable_nat
x_tables               11698  6 ip_tables,ipt_MASQUERADE,xt_LOG,xt_nat,iptable_filter,xt_REDIRECT

We do seem to have the same iptables version.

My wg conf looks something like this:

[Interface]
Address = 10.0.1.1/16
PrivateKey = <redacted>
ListenPort = 15000
PostUp   = iptables -A FORWARD -i %i -j ACCEPT; iptables -A FORWARD -o %i -j ACCEPT; iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE; sleep 5; ip route add 10.0.0.0/16 dev wg0
PostDown = iptables -D FORWARD -i %i -j ACCEPT; iptables -D FORWARD -o %i -j ACCEPT; iptables -t nat -D POSTROUTING -o eth0 -j MASQUERADE

[Peer]
PublicKey = <redacted>
AllowedIPs = 10.0.1.2/32

Note that there is no IPv6 going on here, as it was not supported last time I tried.

runfalk commented 3 years ago

Looking at the source code of wg-quick, it should be possible to modify it to debug print which rules it tries to pipe into iptables-restore if you're feeling adventurous.

Jerroder commented 3 years ago

> I've seen other people with the same iptables error before (#31). This poster seems to have found a workaround that doesn't use iptables: #31 (comment).

I tried his solution but then I get other errors.

> I wonder if we have the same iptables modules:

Mine is slightly different:

iptable_nat             1959  0
nf_nat_ipv4             4903  1 iptable_nat
iptable_filter          1592  0
ip_tables              14092  2 iptable_filter,iptable_nat
x_tables               16302  6 ip_tables,ipt_MASQUERADE,xt_LOG,xt_nat,iptable_filter,xt_REDIRECT

I don't use ipv6 nor do I use iptables. Since the NAS is a client, I don't have any postup/postdown rules.

If I try to install the interface manually by entering the commands before the iptables, the second one (wg setconf wg0 /dev/fd/63) blocks fopen: No such file or directory because /dev/fd/63 doesn't exist
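Added example, not part of the thread or of the project's scripts: the iptables-restore error above names the raw table, which the iptable_raw kernel module provides, and neither lsmod listing in this thread includes that module. This POSIX shell sketch checks lsmod-format text by exact module name and parses the ip_forward sysctl line; the function names and the sample text (constructed from module lines quoted above) are assumptions.

```shell
#!/bin/sh
# Added example: prerequisite checks for the failures discussed in this thread.
# SAMPLE_LSMOD is constructed from the lsmod lines posted above.
SAMPLE_LSMOD='wireguard             205419  0
ip6_udp_tunnel          1903  2 vxlan,wireguard
udp_tunnel              2355  2 vxlan,wireguard
iptable_nat             1959  0
nf_nat_ipv4             4903  1 iptable_nat
iptable_filter          1592  0
ip_tables              14092  2 iptable_filter,iptable_nat
x_tables               16302  6 ip_tables,ipt_MASQUERADE,xt_LOG,xt_nat,iptable_filter,xt_REDIRECT'

# has_module LSMOD_TEXT NAME
# Succeeds only when NAME appears in the first column (an exact match),
# unlike "lsmod | grep NAME", which also matches the "used by" column.
has_module() {
    printf '%s\n' "$1" | awk -v m="$2" '$1 == m { found = 1 } END { exit !found }'
}

# missing_modules LSMOD_TEXT NAME...
# Prints the space-separated subset of NAME... that is not loaded.
missing_modules() {
    text=$1; shift
    out=''
    for m in "$@"; do
        has_module "$text" "$m" || out="${out:+$out }$m"
    done
    printf '%s' "$out"
}

# forwarding_enabled SYSCTL_LINE
# Succeeds when the line reads "net.ipv4.ip_forward = 1".
forwarding_enabled() {
    value=$(printf '%s\n' "$1" | awk -F' *= *' '$1 == "net.ipv4.ip_forward" { print $2 }')
    [ "$value" = "1" ]
}

# On a live system (as root):
#   missing_modules "$(lsmod)" wireguard iptable_raw
#   forwarding_enabled "$(sysctl net.ipv4.ip_forward)"
```
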

runfalk commented 3 years ago

Hm, maybe the nf modules are essential in some way.

The reason /dev/fd/63 doesn't exist is that wg-quick creates that file descriptor on the fly. It seems to contain some of the things in your wg0.conf (https://git.zx2c4.com/wireguard-tools/tree/src/wg-quick/linux.bash#n250).

Again if you're feeling adventurous you could echo the contents of $WG_CONFIG in set_config.
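Added example, not wg-quick's or the project's own code: a simplified approximation of how wg-quick filters wg0.conf before handing the result to wg setconf, so the content behind /dev/fd/63 can be inspected without printing key material. The function name, the list of wg-quick-only keys as written here, and the sample config (constructed, with placeholder keys) are assumptions.

```shell
#!/bin/sh
# Added example: preview what "wg setconf" would receive from wg-quick,
# with secrets hidden so the output is safe to paste into an issue.
# SAMPLE_CONF is constructed; all key values are placeholders.
SAMPLE_CONF='[Interface]
Address = 10.0.1.1/16
PrivateKey = PLACEHOLDER_PRIVATE_KEY
ListenPort = 15000
PostUp = iptables -A FORWARD -i %i -j ACCEPT

[Peer]
PublicKey = PLACEHOLDER_PUBLIC_KEY
PresharedKey = PLACEHOLDER_PSK
AllowedIPs = 10.0.1.2/32'

# wg_config_preview CONF_TEXT
# Drops [Interface] keys that wg-quick handles itself (addresses, hooks, ...)
# and replaces PrivateKey / PresharedKey values with "(hidden)".
wg_config_preview() {
    printf '%s\n' "$1" | awk '
        /^[ \t]*\[/ {
            section = tolower($0); gsub(/[ \t]/, "", section)
            print; next
        }
        {
            key = tolower($0)
            sub(/[ \t]*=.*/, "", key); gsub(/^[ \t]+/, "", key)
            # Keys consumed by wg-quick never reach wg setconf.
            if (section == "[interface]" &&
                key ~ /^(address|mtu|dns|table|preup|predown|postup|postdown|saveconfig)$/)
                next
            # Never echo secrets while debugging.
            if (key == "privatekey" || key == "presharedkey")
                sub(/=.*/, "= (hidden)")
            print
        }'
}

# On a live system (as root):
#   wg_config_preview "$(cat /etc/wireguard/wg0.conf)"
```

The config path in the last comment is the usual wg-quick location and is an assumption for this NAS.
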

Jerroder commented 3 years ago

Hum ok ..... I compiled wireguard following your guide (and the one on Reddit, since my CPU is x86 and not ARM) and I tried to install both and I had the same installation error.

I gave up and haven't even connected to my NAS since, until 5 minutes ago and ..... WireGuard-apollolake-1.0.20200908.spk installed successfully. I still have the iptables error though but at least it's installed correctly ¯\_(ツ)_/¯

vikulin commented 2 years ago

Check the syntax in scripts/*.sh. That would be a simple missing quote or any failing code.