
AllowedIPs = 0.0.0.0/0

Open loons1k opened this issue 3 years ago • 8 comments

Hello everyone! I use DSM wireguard (gray ip) as a client to connect to a keenetic router (white ip). Everything is fine, except for port forwarding and access from the external address of the router. Access will appear if you set the value AllowedIPs = 0.0.0.0/0 (tried on another linux client). Is it possible to avoid this error by setting this value, or are there other access workarounds in this scheme?

sudo wg-quick up wg0
[#] ip link add wg0 type wireguard
[#] wg setconf wg0 /dev/fd/63
[#] ip -4 address add 172.16.82.5/32 dev wg0
[#] ip link set mtu 1420 up dev wg0
[#] ip -4 route add 192.168.1.0/24 dev wg0
[#] wg set wg0 fwmark 51820
[#] ip -4 route add 0.0.0.0/0 dev wg0 table 51820
[#] ip -4 rule add not fwmark 51820 table 51820
[#] ip -4 rule add table main suppress_prefixlength 0
Error: argument "suppress_prefixlength" is wrong: Failed to parse rule type
[#] ip -4 rule delete table 51820
[#] ip link delete dev wg0

loons1k, Jan 16 '22 18:01

AllowedIPs=0.0.0.0/1, 128.0.0.0/1: the connection comes up but does not work.

loons1k, Jan 18 '22 08:01

I'm seeing the same issue as above (connection up but not working). The reason is that when wg-quick sees 0.0.0.0/0 it adds special default routing rules meant for the "raw" table (https://github.com/WireGuard/wireguard-tools/blob/master/src/wg-quick/linux.bash#L237), which is not supported in Synology (the kernel module iptable_raw.ko is not present in /lib/modules). Changing AllowedIPs to 0.0.0.0/1, 128.0.0.0/1, does not trigger the setup for these default routes, so while no error is thrown no traffic flows either.

Annoyingly, I thought I could get around this initially by using a docker image that contained the userspace version of Wireguard, but even that is reliant on the raw iptable existing. I have no solutions at this point unfortunately.

I have thought about trying to build and enable a version of iptable_raw.ko for Synology using synobuild, similar to how this repo installs kernel modules needed for wireguard itself, but that's beyond me currently.

proever, Mar 02 '22 23:03

I know this thread is a little old, but I was running into the same issue and found that Synology seems to have published the 7.0 GPL source, from which I seem to be able to successfully build an iptable_raw.ko kernel module for kernel version 4.4.59, but not for my current kernel version 4.4.180+ (I'm running DSM 7.0.1 patch 3). If anyone is running 7.0 and wishes to test it, I could attempt to build one (I have one built for v1000 arch).

timrettop, Apr 25 '22 02:04

I compiled and loaded the iptable_raw module for armada38x and DSM 7.1, but this does not solve the issue.

fabiov64, Jun 04 '22 19:06

> I compiled and loaded the iptable_raw module for armada38x and DSM 7.1, but this does not solve the issue.

Are you able to confirm the module loads? Same error on wireguard? Or different?

timrettop, Jun 09 '22 00:06

> > I compiled and loaded the iptable_raw module for armada38x and DSM 7.1, but this does not solve the issue.
>
> Are you able to confirm the module loads? Same error on wireguard? Or different?

I loaded the module with insmod, then I checked with lsmod and the module is loaded. The error I'm receiving on WireGuard is still the same. BTW: I also tried to load the iptable_mangle.ko module, together with the iptable_raw.ko, but nothing changes.

fabiov64, Jun 16 '22 10:06

Here you can find the solution to this issue: https://github.com/runfalk/synology-wireguard/issues/59#issuecomment-1439220671

Tested on my DS216J and working. Many thanks to Maxence-v for providing it.

fabiov64, Feb 23 '23 11:02

The proper solution is to build some kernel modules and just use AllowedIPs = 0.0.0.0/0. On DSM 7.1 (DS923+) I needed to provide iptable_raw.ko, xt_comment.ko and xt_connmark.ko. The good news is that you don't really need the Synology GPL Linux kernel source code for that (which is not yet available for 7.1, or 7.2 beta); the Synology pkgscripts-ng build_env chroot is enough. Here's how I did this for my NAS, hope this will be useful: https://github.com/binhex/arch-delugevpn/issues/303#issuecomment-1474430516

alllexx88, Mar 17 '23 21:03
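
A preflight check for the situation discussed in this thread, as an added example that is not part of any comment or of the synology-wireguard project: it reports whether a wg-quick config contains a /0 AllowedIPs entry and, if so, which of the modules named in the last comment are not loaded. The function names and sample input are constructed for illustration, and the module list is an assumption that other models or DSM versions need the same set.

```shell
#!/bin/sh
# Added example; not code from the thread or from synology-wireguard.
# Module list is the one reported in the last comment (DSM 7.1, DS923+);
# other models or DSM versions may need a different set.
REQUIRED_MODULES="iptable_raw xt_comment xt_connmark"

# Read a wg-quick config on stdin and print each AllowedIPs entry ending in /0.
# Assumption: no Table= override, so such an entry makes wg-quick set up
# fwmark-based policy routing instead of a plain route.
default_route_entries() {
    grep -i '^[[:space:]]*AllowedIPs[[:space:]]*=' |
        sed 's/^[^=]*=//; s/#.*$//' |
        tr ',' '\n' | tr -d ' \t\r' | grep '/0$' || true
}

# Read `lsmod` output on stdin and print the required modules that are not loaded.
missing_modules() {
    loaded=$(awk '{ printf "%s ", $1 }')
    missing=""
    for m in $REQUIRED_MODULES; do
        case " $loaded " in
            *" $m "*) ;;
            *) missing="$missing $m" ;;
        esac
    done
    printf '%s\n' "${missing# }"
}

# preflight CONFIG_TEXT LSMOD_TEXT: return 1 when a /0 entry is present
# but one or more required modules are missing, 0 otherwise.
preflight() {
    entries=$(printf '%s\n' "$1" | default_route_entries)
    if [ -z "$entries" ]; then
        echo "no /0 entry: wg-quick adds plain routes only"; return 0
    fi
    missing=$(printf '%s\n' "$2" | missing_modules)
    if [ -n "$missing" ]; then
        echo "default route via $entries, missing modules: $missing"; return 1
    fi
    echo "default route via $entries, required modules loaded"
}

# Constructed sample input, not captured from a real NAS.
SAMPLE_CONF='[Peer]
AllowedIPs = 0.0.0.0/0, 192.168.1.0/24'
SAMPLE_LSMOD='Module Size Used by
wireguard 139264 0
xt_comment 1234 0'
preflight "$SAMPLE_CONF" "$SAMPLE_LSMOD" || true
```

On the NAS itself the call would be `preflight "$(cat /etc/wireguard/wg0.conf)" "$(lsmod)"`, where the config path is an assumption. The check covers only the kernel modules, not whether the installed `ip` accepts `suppress_prefixlength`.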