synology-wireguard
suppress_prefixlength error (ip6 is already disabled)
1513+
my conf
[interface]
PrivateKey = xxxxxxxxxxxxx=
Address = 10.xxxx.3/32
[Peer]
PublicKey = VPS wg Key
PresharedKey = XXXX
AllowedIPs = 0.0.0.0/0
Endpoint = XXXX/57926
PersistentKeepalive = 25
it saves fine, when i run wg-quick up wg0 i get this
[#] ip link add wg0 type wireguard
[#] wg setconf wg0 /dev/fd/63
[#] ip -4 address add 10.xxx.3/32 dev wg0
[#] ip link set mtu 1420 up dev wg0
[#] wg set wg0 fwmark 51820
[#] ip -4 route add 0.0.0.0/0 dev wg0 table 51820
[#] ip -4 rule add not fwmark 51820 table 51820
[#] ip -4 rule add table main suppress_prefixlength 0
Error: argument "suppress_prefixlength" is wrong: Failed to parse rule type
[#] ip -4 rule delete table 51820
[#] ip link delete dev wg0
update
changing allowed ip from 0.0.0.0 makes the error go away, but i don't have WG access still... not connected to wg
I think this might be because you have a too old version of iproute2 (see this response by the wireguard author: https://www.mail-archive.com/[email protected]/msg02342.html). That's what I gathered from googling that error message. I have not yet tried to bundle iproute2 as part of this package. I don't even know if it's possible or if there is some kernel support that is missing as well.
That Endpoint line looks slightly odd. It should be XXXX:57926 if I remember correctly, not / like you have there.
it's : but i wrote / accidentally here
this is odd, i managed to get around the error by changing allowed ips, but it doesn't route any traffic through my vps, it's like it doesn't exist
What do you use instead for AllowedIPs?
What does the output of sudo wg look like?
anything other than 0.0.0.0 works fine
when i do sudo wg nothing shows
It might be each time i'm running it something stops the process? This has been my nightmare for a week
sudo wg should show peers even if it doesn't manage to connect to them. If it's blank the tunnel probably never got created.
weird
cat /etc/wireguard/wg0.conf does show the setup, and up wg0 returns no errors, but sudo wg after does nothing
would you be willing to do this job for whatever? hit me up im desperate
so yea i managed to make it work on windows, and if i copied the exact same setup word for word it won't work for syno
it gives this error
[#] ip link add wg0 type wireguard
[#] wg setconf wg0 /dev/fd/63
[#] ip -4 address add 10.66.66.3/32 dev wg0
[#] ip link set mtu 1420 up dev wg0
[#] wg set wg0 fwmark 51820
[#] ip -4 route add 0.0.0.0/0 dev wg0 table 51820
[#] ip -4 rule add not fwmark 51820 table 51820
[#] ip -4 rule add table main suppress_prefixlength 0
Error: argument "suppress_prefixlength" is wrong: Failed to parse rule type
[#] ip -4 rule delete table 51820
[#] ip link delete dev wg0
UPDATE i got sudo wg to work by changing allowedip to AllowedIPs = 0.0.0.0/1 , 128.0.0.0/1
now my sudo wg shows
interface: wg0
  public key: xxxxx
  private key: (hidden)
  listening port: 60876
peer: xxxxxx
  preshared key: (hidden)
  endpoint: xxxx:57926
  allowed ips: 0.0.0.0/1, 128.0.0.0/1
  latest handshake: 9 seconds ago
  transfer: 92 B received, 136.65 MiB sent
  persistent keepalive: every 25 seconds
but i still don't have vpn wan ip for traffic
in 5 minutes this updated to
  transfer: 4.57 KiB received, 3.96 GiB sent
  persistent keepalive: every 25 seconds
3.9 gig? that cant be right? wg-quick down wg0 for now
ok, f me...so my ip4 is on a vpn as of now, but my ip6 is using my country...ugh
doing
allowedips 0.0.0.1, ::/0 fixes the ip6 for windows, but syno throws the suppress error
Yeah, unfortunately I don't think IPv6 is supported on the Synology drives (using wg-quick at least). Again because of the iproute2 version.
Weird that you need the mask part of the IP to be non-zero. 0.0.0.0/1, 128.0.0.0/1 is a reasonable workaround though I guess.
Any thoughts on why it wont route any traffic? Its routing fine on windows/mobile
Hmmm
I think i fixed it but im too tired to check now since i need sleep
It seems turning off ddns is the only way for synology to resolve to the new wan ip for WireGuard
Were you able to fix? I added your suggestion of the 128. which works but not able to route traffic and my outbound traffic is insane like within 30 secs it says theres 5 gb!
Hello everyone! Did you find any solution? I have the same problem, without 0.0.0.0/0 it does not allow forwarding the port to dsm from a remote router with an external ip
Hello everyone! I know this issue was open for a long time but I just found the solution today.
AllowedIPs 0.0.0.0/0 doesn't work
So you have to put AllowedIPs: 0.0.0.0/1, 128.0.0.0/1, the only problem is that you also send the traffic to the Public IP of your Wireguard Endpoint Server...
The only solution I found was to add this at the end of your PostUp rule :
; sleep 5; ip route add Endpoint_IP_of_wireguard_server/32 via 172.20.0.1 dev eth0
To get this ip : 172.20.0.1, Use this command line ip a
For me the inet of eth0 is : 172.20.0.2/16 so it gives us 172.20.0.1(the default gateway)
eth0@if300: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP group default
link/ether 02:42:ac:14:00:02 brd ff:ff:ff:ff:ff:ff link-netnsid 0
inet 172.20.0.2/16 brd 172.20.255.255 scope global eth0
The sleep 5 might not be needed, I need to test that.
It looks like that in my client config on Synology:
[Interface]
Address = 10.0.0.2
PrivateKey = priv_key
ListenPort = 51820
DNS = 8.8.8.8
PostUp = iptables -A FORWARD -i %i -j ACCEPT; iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE; sleep 5; ip route add Endpoint_IP_of_wireguard_server/32 via 172.20.0.1 dev eth0
PostDown = iptables -D FORWARD -i %i -j ACCEPT; iptables -t nat -D POSTROUTING -o eth0 -j MASQUERADE
[Peer]
PublicKey = pub_key
PresharedKey = preshared_key
Endpoint = Endpoint_IP_of_wireguard_server:port_wireguard_server
AllowedIPs = 0.0.0.0/1, 128.0.0.0/1
I tested on my DJ216J and it works. Thank you very much for providing this solution. Just a suggestion: it would be better to also put in the PostDown a statement for clearing the route: route delete Endpoint_IP_of_wireguard_server. If you don't do that, if you want to turn up the interface again after turning it down, you get an error because the route is already defined. Or, at least, this is what happens on my NAS.
It might be necessary when you're on a native installation (without containerization). On Docker, I don't have this problem.
How exactly did you modify the PostDown? Issuing a route delete in the CLI removes the route, but no matter how I append it to PostDown it fails -_-.
My PostDown line looks like: PostDown = iptables -D FORWARD -i %i -j ACCEPT; iptables -t nat -D POSTROUTING -o eth0 -j MASQUERADE ; route delete xxx.xxx.xxx.xxx
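An added example, not code from any poster in this thread or from the synology-wireguard project: the endpoint host route from the PostUp fix above, with the gateway read from the default route instead of hard-coded, and the matching removal for PostDown. The script interface (`up|down <endpoint IPv4>`) and the function names are assumptions made for this sketch.

```shell
#!/bin/sh
# Added example, not from the thread. Helper for wg-quick PostUp/PostDown
# when AllowedIPs = 0.0.0.0/1, 128.0.0.0/1 replaces 0.0.0.0/0.

# Read `ip -4 route show default` text on stdin, print "<gateway> <device>".
parse_default_route() {
    awk '$1 == "default" {
        gw = ""; dev = ""
        for (i = 2; i < NF; i++) {
            if ($i == "via") gw = $(i + 1)
            if ($i == "dev") dev = $(i + 1)
        }
        if (gw != "" && dev != "") { print gw, dev; exit }
    }'
}

# Succeed only for a dotted-quad IPv4 address (rejects hostnames and shell text).
is_ipv4() {
    printf '%s\n' "$1" | awk -F. 'NF != 4 { exit 1 }
        { for (i = 1; i <= 4; i++)
            if (length($i) > 3 || $i !~ /^[0-9]+$/ || $i > 255) exit 1 }'
}

# Print the route command for "up" or "down"; fail on anything unexpected.
endpoint_route_cmd() {
    action=$1 endpoint=$2 gw=$3 dev=$4
    is_ipv4 "$endpoint" && is_ipv4 "$gw" || return 1
    case $dev in ''|*[!A-Za-z0-9._@-]*) return 1 ;; esac
    case $action in
        # replace is idempotent: a second "up" does not fail on an existing route
        up)   echo "ip -4 route replace $endpoint/32 via $gw dev $dev" ;;
        down) echo "ip -4 route del $endpoint/32 via $gw dev $dev" ;;
        *)    return 1 ;;
    esac
}

# Invoked as: <script> up|down <endpoint IPv4>  (e.g. from PostUp / PostDown)
if [ "$#" -ge 2 ]; then
    set -- "$1" "$2" $(ip -4 route show default | parse_default_route)
    cmd=$(endpoint_route_cmd "$@") || { echo "no usable default route" >&2; exit 1; }
    echo "[#] $cmd"
    $cmd
fi
```

The /1 routes do not replace the default route, so `ip -4 route show default` still reports the original gateway while the tunnel is up.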