Open Jerroder opened 3 years ago
Interesting. This does sound similar to issue #54, which is also Apollolake based. So for wireguard to work you must have the kernel module loaded. Normally this is taken care of by https://github.com/runfalk/synology-wireguard/blob/master/scripts/start-stop-status#L26.
Could you try running lsmod|grep wireguard before and after trying to load wireguard.ko using insmod?
This is the output on my NAS:
$ lsmod|grep wireguard
wireguard 132560 0
ip_tunnel 11522 2 sit,wireguard
ipv6 281035 51 sit,rodsp_ep,wireguard
If it doesn't show up, could you check the output of dmesg?
I'm also curious if the startscript loaded the kernel parameters correctly:
$ sudo sysctl -a|grep ip_forward
net.ipv4.ip_forward = 1
This does sound similar to issue #54, which is also Apollolake based.
I looked at it before posting but it's not exactly the same indeed, I don't have the same message in DSM and so on.
Could you try running lsmod|grep wireguard
No output, but after running insmod I have:
root@nas:~# lsmod | grep wireguard
wireguard 205419 0
ip6_udp_tunnel 1903 2 vxlan,wireguard
udp_tunnel 2355 2 vxlan,wireguard
ipv6 336006 60 sit,wireguard
If it doesn't show up, could you check the output of dmesg?
I don't see anything wireguard related in dmesg but after running insmod, I have:
[ 126.121918] wireguard: module verification failed: signature and/or required key missing - tainting kernel
[ 126.133636] wireguard: WireGuard 1.0.20200729 loaded. See www.wireguard.com for information.
[ 126.143222] wireguard: Copyright (C) 2015-2019 Jason A. Donenfeld <Jason@zx2c4.com>. All Rights Reserved.
I'm also curious if the startscript loaded the kernel parameters correctly:
The IP forwarding is 0, and when I set it to 1 manually and run ./wg-quick up wg0, it initiates the connection (I can see on the server that the NAS connects and exchanges a few bytes with it) but I then have an iptables error (I know the config file is correct because I copy/pasted it -and changed the key- from another FreeBSD client):
[#] ip link add wg0 type wireguard
[#] wg setconf wg0 /dev/fd/63
[#] ip -4 address add x.x.x.x/32 dev wg0
[#] ip link set mtu 1420 up dev wg0
[#] wg set wg0 fwmark 51820
[#] ip -4 route add 0.0.0.0/0 dev wg0 table 51820
[#] ip -4 rule add not fwmark 51820 table 51820
[#] ip -4 rule add table main suppress_prefixlength 0
[#] sysctl -q net.ipv4.conf.all.src_valid_mark=1
[#] iptables-restore -n
iptables-restore v1.6.0: iptables-restore: unable to initialize table 'raw'
Error occurred at line: 1
Try `iptables-restore -h' or 'iptables-restore --help' for more information.
[#] ip -4 rule delete table 51820
[#] ip -4 rule delete table main suppress_prefixlength 0
[#] ip link delete dev wg0
Hm, then it does seem like the start script isn't running.
You could try to perform the steps it does manually and see if it works: https://github.com/runfalk/synology-wireguard/blob/master/scripts/start-stop-status
I think you should be able to copy the script and run it with ./start-stop-status start as root. Make sure it is executable (chmod +x start-stop-status).
Then you can try to run wg-quick again.
Hm, then it does seem like the start script isn't running.
No surprise here I guess, since the package can't be installed
I think you should be able to copy the script and run it with ./start-stop-status start as root
The variable SYNOPKG_PKGDEST is not set so /sbin/insmod $SYNOPKG_PKGDEST/wireguard/wireguard.ko returns an error. When I replace it with the absolute path to wireguard.ko it works but I still have the same error with wg-quick.
FYI the content of the if statement in the start case is executed, I have the output for the iptables core and nat modules.
I've seen other people with the same iptables error before (#31). This poster seems to have found a workaround that doesn't use iptables: https://github.com/runfalk/synology-wireguard/issues/31#issuecomment-593861167.
I wonder if we have the same iptables modules:
$ lsmod|grep iptable_
iptable_nat 2192 1
nf_nat_ipv4 2921 1 iptable_nat
nf_nat 11074 5 ipt_MASQUERADE,nf_nat_ipv4,xt_nat,xt_REDIRECT,iptable_nat
nf_conntrack 49120 5 ipt_MASQUERADE,nf_nat,nf_nat_ipv4,iptable_nat,nf_conntrack_ipv4
iptable_filter 1057 0
ip_tables 9413 2 iptable_filter,iptable_nat
x_tables 11698 6 ip_tables,ipt_MASQUERADE,xt_LOG,xt_nat,iptable_filter,xt_REDIRECT
We do seem to have the same iptables version.
My wg conf looks something like this:
[Interface]
Address = 10.0.1.1/16
PrivateKey = <redacted>
ListenPort = 15000
PostUp = iptables -A FORWARD -i %i -j ACCEPT; iptables -A FORWARD -o %i -j ACCEPT; iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE; sleep 5; ip route add 10.0.0.0/16 dev wg0
PostDown = iptables -D FORWARD -i %i -j ACCEPT; iptables -D FORWARD -o %i -j ACCEPT; iptables -t nat -D POSTROUTING -o eth0 -j MASQUERADE
[Peer]
PublicKey = <redacted>
AllowedIPs = 10.0.1.2/32
Note that there is no IPv6 going on here, as it was not supported last time I tried.
Looking at the source code of wg-quick it should be possible to modify it to debug print which rules it tries to pipe into iptables-restore if you're feeling adventurous.
I've seen other people with the same iptables error before (#31). This poster seems to have found a workaround that doesn't use iptables: #31 (comment).
I tried his solution but then I get other errors
I wonder if we have the same iptables modules:
Mine is slightly different:
iptable_nat 1959 0
nf_nat_ipv4 4903 1 iptable_nat
iptable_filter 1592 0
ip_tables 14092 2 iptable_filter,iptable_nat
x_tables 16302 6 ip_tables,ipt_MASQUERADE,xt_LOG,xt_nat,iptable_filter,xt_REDIRECT
I don't use ipv6 nor do I use iptables. Since the NAS is client, I don't have any postup/postdown rules.
If I try to install the interface manually by entering the commands before the iptables, the second one (wg setconf wg0 /dev/fd/63) blocks fopen: No such file or directory because /dev/fd/63 doesn't exist
Hm, maybe the nf modules are essential in some way.
The reason /dev/fd/63 doesn't exist is that wg-quick creates that file descriptor on the fly. It seems to contain some of the things in your wg0.conf (https://git.zx2c4.com/wireguard-tools/tree/src/wg-quick/linux.bash#n250).
Again if you're feeling adventurous you could echo the contents of $WG_CONFIG in set_config.
Hum ok ..... I compiled wireguard following your guide (and the one on Reddit, since my CPU is x86 and not ARM) and I tried to install both and I had the same installation error.
I gave up and haven't even connected to my NAS since, until 5 minutes ago and ..... WireGuard-apollolake-1.0.20200908.spk installed successfully. I still have the iptables error though but at least it's installed correctly ¯\_(ツ)_/¯
check syntax in scripts/*.sh. That would be a simple missing quotes or anything failing code
I just tried to install wireguard on a fresh install of DSM on a 218+ but it just doesn't want to.
So I downloaded the apollolake package, I tried both the latest 1.0.20200729 and previous 1.0.20200401 but none worked. When I try via DSM, I just have the message "failed to install the package" (the install settings is set on "any publisher") and when I try via the synopkg:
The other problem (more related to the NAS itself I think) is that I can't uninstall it:
I have to remove all of these in order to do so:
Rebooting doesn't solve anything and I still have the files wg wg-quick wireguard.ko in /volume1/@appstore/WireGuard/wireguard/. When I try to use wg-quick, I get the message:
Did I miss something?
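
The checks requested across this thread (is wireguard loaded, is net.ipv4.ip_forward set, is the table named in the iptables-restore error backed by a module), gathered into one preflight script. This is an added example, not part of any post above and not code from synology-wireguard; the function names are hypothetical, and it assumes the 'raw' table is provided by the standard netfilter module iptable_raw, a name that does not appear in the thread.

```shell
#!/bin/sh
# Added example; function names are hypothetical, not from synology-wireguard.

# Succeeds if module $1 appears in lsmod-format text read from stdin.
has_module() {
    awk -v m="$1" '$1 == m { found = 1 } END { exit !found }'
}

# Prints the modules (args 2..n) absent from lsmod text $1, space separated.
# A driver compiled into the kernel never shows in lsmod, so treat a hit
# here as "check further", not as proof the feature is missing.
missing_modules() {
    text=$1
    shift
    out=""
    for m in "$@"; do
        printf '%s\n' "$text" | has_module "$m" || out="${out:+$out }$m"
    done
    printf '%s' "$out"
}

# Succeeds if the "sysctl net.ipv4.ip_forward" output line in $1 reports 1.
forwarding_enabled() {
    val=$(printf '%s\n' "$1" |
        awk -F' *= *' '$1 == "net.ipv4.ip_forward" { print $2 }')
    [ "$val" = "1" ]
}

# lsmod lines quoted in the thread (post-insmod state of the failing NAS).
SAMPLE_LSMOD='wireguard 205419 0
ip6_udp_tunnel 1903 2 vxlan,wireguard
udp_tunnel 2355 2 vxlan,wireguard
iptable_nat 1959 0
nf_nat_ipv4 4903 1 iptable_nat
iptable_filter 1592 0
ip_tables 14092 2 iptable_filter,iptable_nat'

# Live use on the NAS (as root):
#   missing_modules "$(lsmod)" wireguard ip_tables iptable_raw
#   forwarding_enabled "$(sysctl net.ipv4.ip_forward)"
```

Run against the sample, only iptable_raw is reported missing, which matches the "unable to initialize table 'raw'" failure while the nat and filter tables load.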