synology-wireguard
Unable to launch WireGuard
Hello,
I tried to install the WireGuard package but it failed. I tried to uninstall it but it failed too. I'd be very grateful if someone could help me to install it, or at least to delete it until a newer version is released. Thanks for your help!
Synology NAS model: DS718+, DSM 6.2.3. Package: WireGuard-apollolake-1.0.20200401.spk
Interesting, I haven't seen that error before. The installer doesn't install that many files, basically just puts them in a single directory and adds a few symlinks.
If you are able to SSH into your device could you please check that the package files seem to have installed correctly? On my device they appear in /volume1/@appstore/WireGuard/wireguard/wg.
You can check the status of the service (that the kernel module loaded) by doing the following as root:
# synoservice --status pkgctl-WireGuard
Service [pkgctl-WireGuard] status=[enable]
required upstart job:
[pkgctl-WireGuard] is start.
=======================================
You should also check if the binaries properly appear in your PATH using which:
$ ls -l `which wg`
lrwxrwxrwx 1 root root 41 Dec 28 22:27 /usr/local/bin/wg -> /volume1/@appstore/WireGuard/wireguard/wg
You should also do lsmod and check if the kernel module is loaded:
$ lsmod|grep wireguard
wireguard 132560 0
ip_tunnel 11522 2 sit,wireguard
ipv6 281035 51 sit,rodsp_ep,wireguard
Hi Andreas,
Thanks for your answer!
Yes, they are installed. I created a directory called wireguard in /etc with a wg0.conf.
I tried to run it manually but it doesn't seem to work:
Sent from my iPhone
On 23 Apr 2020 at 10:46, Andreas Runfalk [email protected] wrote: Interesting, I haven't seen that error before. The installer doesn't install that many files, basically just puts them in a single directory and adds a few symlinks.
It'll be more helpful if you run the commands and paste their output here. I don't have any new information to draw any conclusions from.
I'm sorry.
Here it is:
$ ls -l
total 720
-rwxr-xr-x 1 root root 445776 Apr 13 01:51 wg
-rwxr-xr-x 1 root root 13271 Apr 13 01:51 wg-quick
-rwxr-xr-x 1 root root 272864 Apr 13 01:51 wireguard.ko
$ sudo ./wg-quick up wg0
Warning: `/etc/wireguard/wg0.conf' is world accessible
[#] ip link add wg0 type wireguard
RTNETLINK answers: Operation not supported
Unable to access interface: Protocol not supported
[#] ip link delete dev wg0
Cannot find device "wg0"
$ lsmod|grep wireguard
Nothing is listed with the last command.
I'm still missing the output of synoservice --status pkgctl-WireGuard. The lsmod output seems to indicate that the kernel module doesn't load. You should probably try synoservice --restart pkgctl-WireGuard as well. Note that these commands must be run as root.
$ sudo synoservice --restart pkgctl-WireGuard
Password:
$ sudo synoservice --status pkgctl-WireGuard
Service [pkgctl-WireGuard] status=[disable]
required upstart job:
[pkgctl-WireGuard] is stop.
=======================================
With a start command:
$ sudo synoservice --start pkgctl-WireGuard
$ sudo synoservice --status pkgctl-WireGuard
Service [pkgctl-WireGuard] status=[enable]
required upstart job:
[pkgctl-WireGuard] is start.
=======================================
and then:
$ lsmod|grep wireguard
wireguard 206067 0
ip6_udp_tunnel 1903 2 vxlan,wireguard
udp_tunnel 2355 2 vxlan,wireguard
ipv6 336006 60 sit,nf_defrag_ipv6,wireguard,nf_conntrack_ipv6
Ok, then I guess it should work? The kernel module seems to be correctly loaded.
Almost:
$ sudo ./wg-quick up wg0
Warning: `/etc/wireguard/wg0.conf' is world accessible
[#] ip link add wg0 type wireguard
[#] wg setconf wg0 /dev/fd/63
[#] ip -4 address add 10.100.0.178/32 dev wg0
[#] ip link set mtu 1420 up dev wg0
[#] wg set wg0 fwmark 51820
[#] ip -4 route add 0.0.0.0/0 dev wg0 table 51820
[#] ip -4 rule add not fwmark 51820 table 51820
[#] ip -4 rule add table main suppress_prefixlength 0
[#] sysctl -q net.ipv4.conf.all.src_valid_mark=1
[#] iptables-restore -n
iptables-restore v1.6.0: iptables-restore: unable to initialize table 'raw'
Error occurred at line: 1
Try `iptables-restore -h' or 'iptables-restore --help' for more information.
[#] ip -4 rule delete table 51820
[#] ip -4 rule delete table main suppress_prefixlength 0
[#] ip link delete dev wg0
What does your WireGuard config look like on your NAS? Mine doesn't do as many commands as yours seems to do.
There are some settings that are not supported since the Synology environment is a bit restricted.
[Interface]
PrivateKey = +++
ListenPort = 51820
Address = 10.100.0.178/32
[Peer]
PublicKey = +++
PresharedKey = +++
AllowedIPs = 0.0.0.0/0
Endpoint = 193.70.12.231:51820
@gmasquelin
That should be your clients config, not the NAS wg0 config
You can technically have a topology like that. I have something similar with two different subnets bridged by gateways but this does indeed look a bit odd.
@runfalk @gmasquelin
I managed to run wireguard from this repo on DS218+. I also had this strange iptables error. I traced what wg-quick is doing and put everything in the PostUp clause. Here is my config:
[Interface]
Address = 1.1.2.4/24
PrivateKey = <...>
Table = 51820
PostUp = ip rule add to 1.1.2.0/24 lookup 51820
PostDown = ip rule del to 1.1.2.0/24 lookup 51820
[Peer]
PublicKey = <....>
AllowedIPs = 1.1.2.0/24
Endpoint = <...>:1194
PersistentKeepalive = 15
This gives access to the VPN only, if you want NAS to have access to the internet through the VPN (not my use case), you might use:
PostUp = wg set %i fwmark 51820 && ip -4 rule add not fwmark 51820 table 51820 && ip -4 rule add table main suppress_prefixlength 0
PostDown = ip -4 rule del not fwmark 51820 table 51820 && ip -4 rule del table main suppress_prefixlength 0
[Peer]
....
AllowedIPs = 0.0.0.0/0
It is recommended to try this out in the console before adding to the scheduler because messing this up will leave your box unreachable.
I'm getting the same iptables problem:
[#] ip link add nas type wireguard
[#] wg setconf nas /dev/fd/63
[#] ip -4 address add <ip-address> dev nas
[#] ip -6 address add <ip-address> dev nas
[#] ip link set mtu 1420 up dev nas
[#] wg set nas fwmark 51820
[#] ip -6 route add ::/0 dev nas table 51820
[#] ip -6 rule add not fwmark 51820 table 51820
[#] ip -6 rule add table main suppress_prefixlength 0
[#] ip6tables-restore -n
ip6tables-restore v1.6.0: ip6tables-restore: unable to initialize table 'raw'
Error occurred at line: 1
Try `ip6tables-restore -h' or 'ip6tables-restore --help' for more information.
[#] ip -6 rule delete table 51820
[#] ip -6 rule delete table main suppress_prefixlength 0
[#] ip link delete dev nas
My NAS's conf file is
[Interface]
PrivateKey = REDACTED
Address = 10.19.49.7/24 ,fd9d:bc11:4021::7/48
[Peer]
PublicKey = REDACTED
PresharedKey = REDACTED
AllowedIPs = 0.0.0.0/0,::/0
Endpoint = REDACTED
I don't know anything about the PostUp or PostDown commands that @ivlis added. Where is a good explanation on what's going on there?
Have you tried without IPv6?
From the README:
IPv6 is probably not supported (at least not using wg-quick).
I removed the IPv6 addresses and got pretty much the same error:
[#] ip link add nas type wireguard
[#] wg setconf nas /dev/fd/63
[#] ip -4 address add 10.19.49.7/24 dev nas
[#] ip link set mtu 1420 up dev nas
[#] wg set nas fwmark 51820
[#] ip -4 route add 0.0.0.0/0 dev nas table 51820
[#] ip -4 rule add not fwmark 51820 table 51820
[#] ip -4 rule add table main suppress_prefixlength 0
[#] sysctl -q net.ipv4.conf.all.src_valid_mark=1
[#] iptables-restore -n
iptables-restore v1.6.0: iptables-restore: unable to initialize table 'raw'
Error occurred at line: 1
Try `iptables-restore -h' or 'iptables-restore --help' for more information.
[#] ip -4 rule delete table 51820
[#] ip -4 rule delete table main suppress_prefixlength 0
[#] ip link delete dev nas
@runfalk Do you have any other suggestions or things to try?
Synology is using an iptables version from 2015...v1.6.0. I am failing with the same error and this docker image https://github.com/linuxserver/docker-wireguard/issues/60#issuecomment-701636018 lists Synology as the only devices it does not support because of how old everything is. (My NAS is only a few years old and stuck on kernel 3.10).
This is probably my last Synology device
Oh, dang. Thanks for the information; that's unfortunate.
I encountered exactly this error too when trying to run wireguard on my Synology with DSM 7.0.
[#] iptables-restore -n
iptables-restore v1.8.3 (legacy): iptables-restore: unable to initialize table 'raw'
Error occurred at line: 1
Try `iptables-restore -h' or 'iptables-restore --help' for more information.
As far as I can tell, this was caused by my using AllowedIPs = 0.0.0.0/0 to forward all traffic through wireguard. Wireguard seems to want to use a special "iptables raw table" kernel feature that is not present in the DSM 7.0 linux kernel when it encounters 0.0.0.0/0.
To work around it, I used AllowedIPs = 0.0.0.0/1, 128.0.0.0/1 (which is functionally equivalent to 0.0.0.0/0). It stopped erroring, and started connecting successfully.
Hope this helps someone. cc @nbyloff @spartanhooah.
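The failure mode the comments above keep hitting, as an added example that is not part of synology-wireguard or of any comment in this thread: wg-quick's add_route() hands an AllowedIPs entry to add_default() only when the entry ends in /0 and Table is unset or auto, and add_default() is the step that runs iptables-restore against the raw and mangle tables. An explicit Table (as in @ivlis's config) or the 0.0.0.0/1 + 128.0.0.0/1 split (as in the comment just above) is added with a plain ip route add and never touches the raw table. The script below scans a wg-quick config for entries that would reach that path and checks whether the running kernel currently lists the raw table. The sample configs, their placeholder keys and the 192.0.2.1 endpoint are constructed for the example; raw_table_triggers, has_raw_table and check_config are hypothetical helper names.

```shell
#!/bin/sh
# Added example (hypothetical helpers, not part of synology-wireguard).
# wg-quick's add_route() calls add_default() only for an AllowedIPs entry
# ending in /0 when Table is unset or "auto"; add_default() is what runs
# "iptables-restore -n" against the raw and mangle tables. An explicit
# Table value, or routes such as 0.0.0.0/1 and 128.0.0.0/1, are added with
# a plain "ip route add" and never need the raw table.

# Print each AllowedIPs entry in a wg-quick config that would send
# wg-quick down the raw-table path; print nothing if the config is safe.
# Assumes the key spelling documented in wg-quick(8): AllowedIPs, Table.
raw_table_triggers() {
    cfg="$1"
    table=$(sed -n 's/^[[:space:]]*Table[[:space:]]*=[[:space:]]*//p' "$cfg" | tail -n 1)
    case "$table" in
        ""|auto) ;;     # default handling: a /0 entry triggers add_default
        *) return 0 ;;  # "off" or an explicit table: add_default is skipped
    esac
    sed -n 's/^[[:space:]]*AllowedIPs[[:space:]]*=[[:space:]]*//p' "$cfg" \
        | tr ',' '\n' | tr -d ' \t' | grep '/0$' || true
}

# Check whether the running kernel currently exposes the iptables raw
# table. Exit status: 0 present, 1 absent, 2 cannot tell on this host.
# "Absent" can also mean iptable_raw is simply not loaded yet; on a DSM
# kernel that ships without the module it cannot be loaded at all, which
# is when iptables-restore reports "unable to initialize table 'raw'".
has_raw_table() {
    names=/proc/net/ip_tables_names
    [ -r "$names" ] || return 2
    grep -qx raw "$names"
}

# Human-readable verdict for one config file; returns 1 when the config
# would make wg-quick depend on the raw table.
check_config() {
    triggers=$(raw_table_triggers "$1")
    if [ -z "$triggers" ]; then
        echo "$1: no AllowedIPs entry reaches wg-quick's raw-table path"
        return 0
    fi
    echo "$1: these entries need the raw table: $(echo "$triggers" | tr '\n' ' ')"
    has_raw_table && rc=0 || rc=$?
    case "$rc" in
        0) echo "  kernel lists the raw table, iptables-restore should succeed" ;;
        1) echo "  raw table not listed; expect 'unable to initialize table raw'" ;;
        *) echo "  cannot read /proc/net/ip_tables_names on this host" ;;
    esac
    return 1
}

# Constructed sample configs mirroring the shapes seen in this thread
# (keys and the endpoint are placeholders, not real values).
SAMPLE_DIR=$(mktemp -d)
cat > "$SAMPLE_DIR/full.conf" <<'EOF'
[Interface]
PrivateKey = PLACEHOLDER
Address = 10.100.0.178/32
[Peer]
PublicKey = PLACEHOLDER
AllowedIPs = 0.0.0.0/0, ::/0
Endpoint = 192.0.2.1:51820
EOF
cat > "$SAMPLE_DIR/split.conf" <<'EOF'
[Interface]
PrivateKey = PLACEHOLDER
Address = 10.100.0.178/32
[Peer]
PublicKey = PLACEHOLDER
AllowedIPs = 0.0.0.0/1, 128.0.0.0/1
Endpoint = 192.0.2.1:51820
EOF
cat > "$SAMPLE_DIR/table.conf" <<'EOF'
[Interface]
PrivateKey = PLACEHOLDER
Address = 1.1.2.4/24
Table = 51820
PostUp = ip rule add to 1.1.2.0/24 lookup 51820
[Peer]
PublicKey = PLACEHOLDER
AllowedIPs = 0.0.0.0/0
Endpoint = 192.0.2.1:51820
EOF

for f in full split table; do
    check_config "$SAMPLE_DIR/$f.conf" || true
done
```

On the NAS, run check_config against /etc/wireguard/wg0.conf before wg-quick up: full.conf reports both 0.0.0.0/0 and ::/0 as raw-table triggers, while split.conf and table.conf report none, which is exactly why the two workarounds in this thread get past the iptables-restore error. Whether the tunnel then carries traffic is a separate question that the thread leaves open.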
Hello. With the data AllowedIPs = 0.0.0.0/1, 128.0.0.0/1, the connection rises but does not work.
Any more info on fixes for the 0.0.0.0/0 issue? I am running into the same issue, where when using 0.0.0.0/1, 128.0.0.0/1 i do not get the raw table error, but the connection does not actually work
I have the same problem and I'm about ready to tear my hair out.
The bizarre thing is if I do something like AllowedIPs = 1.1.1.1 it works (for that one external address).
I'm having the same problem.
I'm running a Synology DS1621+ on DSM 7.1, it resides on a local network (192.168.0.0/24). Through Portainer I'm running the linuxserver.io build of wireguard, it is sitting on its own network (172.69.0.0/16).
I've configured the AllowedIPs to 0.0.0.0/1, 128.0.0.0/1 and I don't get the iptables raw error any more, but I still can't seem to establish the connection. Calling upon the wisdom of the ancients (this thread) to see if anyone's found a fix :D
VPN /etc/wireguard/wg0.conf:
[Interface]
Address = 10.13.13.1
ListenPort = 51820
PrivateKey = <VPN Priv Key>
PostUp = iptables -A FORWARD -i %i -j ACCEPT; iptables -A FORWARD -o %i -j ACCEPT; iptables -t nat -A POSTROUTING -o ens3 -j MASQUERADE
PostDown = iptables -D FORWARD -i %i -j ACCEPT; iptables -D FORWARD -o %i -j ACCEPT; iptables -t nat -D POSTROUTING -o ens3 -j MASQUERADE
# Forwarding 443 from wireguard client to local network
PostUp = iptables -t nat -A PREROUTING -p tcp -i ens3 --dport 443 -j DNAT --to 10.13.13.2:443
PostDown = iptables -t nat -D PREROUTING -p tcp -i ens3 --dport 443 -j DNAT --to 10.13.13.2:443
[Peer]
# peer1
PublicKey = <Local Pub Key>
AllowedIPs = 10.13.13.2/32
Local Wireguard container:
root@fe0cca1e3b64:/# cat /config/wg0.conf
[Interface]
Address = 10.13.13.2
ListenPort = 51820
PrivateKey = <Local Priv Key>
DNS = 10.13.13.1
PostUp = ip -4 route add 192.168.0.0/24 dev eth0
PostUp = iptables -t nat -A PREROUTING -p tcp -i wg0 --dport 443 -j DNAT --to 192.168.0.69:443
PostUp = iptables -A FORWARD -i %i -j ACCEPT; iptables -A FORWARD -o %i -j ACCEPT; iptables -t nat -A POSTROUTING -o eth+ -j MASQUERADE
PostDown = iptables -D FORWARD -i %i -j ACCEPT; iptables -D FORWARD -o %i -j ACCEPT; iptables -t nat -D POSTROUTING -o eth+ -j MASQUERADE
[Peer]
# peer_tunnel
PublicKey = <VPS Pub Key>
Endpoint = <VPN IP>:51820
AllowedIPs = 0.0.0.0/1, 128.0.0.0/1
VPN wg-quick up wg0:
user@vpn-host:~$ wg-quick up wg0
[#] ip link add wg0 type wireguard
[#] wg setconf wg0 /dev/fd/63
[#] ip -4 address add 10.13.13.1 dev wg0
[#] ip link set mtu 8920 up dev wg0
[#] ip -4 route add 10.13.13.2/32 dev wg0
[#] iptables -A FORWARD -i wg0 -j ACCEPT; iptables -A FORWARD -o wg0 -j ACCEPT; iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
[#] iptables -t nat -A PREROUTING -p tcp -i eth0 --dport 443 -j DNAT --to 10.13.13.2:443
Local Wireguard container on build:
[#] ip link add wg0 type wireguard
[#] wg setconf wg0 /dev/fd/63
[#] ip -4 address add 10.13.13.2 dev wg0
[#] ip link set mtu 1420 up dev wg0
[#] resolvconf -a wg0 -m 0 -x
[#] ip -4 route add 128.0.0.0/1 dev wg0
[#] ip -4 route add 0.0.0.0/1 dev wg0
[#] ip -4 route add 192.168.0.0/24 dev eth0
[#] iptables -t nat -A PREROUTING -p tcp -i wg0 --dport 443 -j DNAT --to 192.168.0.18:443
[#] iptables -A FORWARD -i wg0 -j ACCEPT; iptables -A FORWARD -o wg0 -j ACCEPT; iptables -t nat -A POSTROUTING -o eth+ -j MASQUERADE