-
Notifications
You must be signed in to change notification settings - Fork 134
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Synology DSM 6.2.2-24922 breaking WireGuard? #10
Comments
I can confirm the package is working with DSM 6.2.2-24922 on a DSM981+ I did not upgrade from 6.21. to 6.2.2 with WireGuard installed. I only installed your package yesterday. I had no problems getting it to work. I build the package and did not use one of the precompiled ones. Thank you for sharing the package. Nice work :) |
I experienced the same thing. Installed the latest compiled release and worked perfectly. After update, peers can still connect, but no traffic passes. Uninstalling and reinstalling the package did not help. Edit: Tried building the package myself. Installed fine but having the same issue as precompiled install. |
Just tried a recompile with several wireguard snapshots up to 20190601. Didn't help, problem persists. Wireshark shows packets coming and going between the Wireguard endpoints, but somehow, they don't get any further than wg0. Encryption/decryption problem? Oh, and I asked Synology Support on Twitter for clarification on what has been changed |
Cool, thank you for trying to debug the problem! I find it a bit odd that there is no obvious way to trace/debug wireguard. I tried asking in the IRC on freenode when I discovered the problem, but didn't get much help. Looking forward to your PR. |
Same issue for me, DSM 6.2.2-24922 and installed 0.0.20190227-2 from the pre-built packages. Tried connecting using a Windows and Android client and while the connection engages instantly, no traffic seems to flow from the wg0 interface on the server. Pinging from the clients to the server IP shows packets are arriving at the interface. One observation: the TX channel at the server shows packet errors, perhaps something broke with the encryption/decryption layer?
|
I changed the base version of Wireguard to 0.0.20190601 (latest at the time of writing), rebuilt and re-installed and also made a pull request for it (#16). Unfortunately this did not help. I now also switched Android clients and Windows clients, but the TX errors remain. |
It looks like wireguard is no longer setting the return route. Steps to reproduce:
or |
I was able to add the route manually as you describe and pass traffic successfully. However, I was also unable to add the route automatically via a PostUp rule or in the scheduled task. |
So my understanding is this still doesn't pass internet traffic through? I've written out the |
Hi, I also failed to add the route in the PostUp, however it seems that the scheduled task way works. Simply adding the
I checked the It's still far from a perfect solution, but at least it survives reboots. |
I managed to add the route in the Here is my
I did not need to change the Without the sleep, it complains about I just tested on a fresh restart and it seems to work. Hope it helps. |
Great work! Just tried this and it works for me! |
This is great news. I hope to test this soon and make a new release with updated instructions. |
In my case I am also missing the route and the sleep in the PostUp fixed that. However, I am still getting TX errors but perhaps this is now a configuration issue. Just to be clear, the is the single server IP for the Wireguard wg0 interface correct? This is not a server IP plus netmask? |
Are you referring to the Also in my configuration, the NAS has a “server“ role where my devices are connected to my local network through it. I cannot check the configuration where the NAS is connected to a public VPN provider. By the way, I just noticed that the |
I just can't seem to get it working. I added the ip route manually (I didn't really know which IP I needed to add there so maybe its wrong) and it starts up just fine with the |
@kharveys
The Are you are trying to set up your Synology as the 'server' and have a remote client run all traffic through the VPN link? What does your AllowedIPs section look like in the client config? |
@seanauff I'm trying to use my Synology as a client. The allowedIPs I have set to 0.0.0.0/24. When I try the CIDR adress it gives the following error |
@kharveys Try setting your AllowedIPs to |
@seanauff When I try that I get another error
|
@kharveys If I were you I would open a new issue so this one stays relevant and then post your configs, both for client and server, making sure to redact your keys. |
Confirmed workaround; the server IP is not added to the routing table anymore. Adding this fixed it: Note that |
Sorry guys, and this is my wg0.conf
and this is my client config
but it doesn't works.. Thanks |
@martinorob The route you need to add is for the Wireguard interface, so in your case 10.0.1.1 |
Thanks for the reply I amended it to /16 but get this response:
With /32 i get only this:
Is it possible that the NAS is blocking it somewhere? NAS firewall is off. |
@trijethero |
This doesn't work for me : And this generate errors :
I have to use full mask like beyond to make it works properly : |
Mine still does not work. See that there are some difference for instance: for wg0 I have i% but tried wg0 as well From ip a i get:
and
Do I have to do anything with iptables? |
@trijethero Also can take a step back and see if packets are making it to your NAS with: |
Thanks seanauff for the help! I still get the same error when using 10.0.3.0/16
Using /24 I do not get the error, but still fails to connect. using
So it appears the handshake request are coming in; correct ip and outgoing port from the client, but no handshake... |
@trijethero which WireGuard versions do you have (server and client)? Maybe they are by some unlikely chance uncompatible? |
@runfalk, thanks for all the work! Your version 0.0.20190227-2.spk and latest Mac client 0.0.20191105 (16)/backend version: 0.0.20191013. DS918+ DSM version 6.2.2-24922 Update 4 I tried it with iOS wireguard client as well, no joy. Mac client works with commercial Wireguard providers and I have a separate wireguard server on an GL-AR150 mini router, that one works with the macbook client and iOS clients within my network, even when that is completely removed from the network no connection possible, so no interference. Edit: |
@trijethero |
Tried that, unfortunately no change |
Any other suggestions to fix this? |
Mine is also failing. I've used tcpdump and can see traffic, for example DNS requests. What is weird is the source IP used. I have wireguard currently installed on a raspberry Pi and the source IP used is the wg0 interface. Wireguard on the synology the source IP appears to be the client So when i use tcpdump port 53 I can see DNS requests but no reply, i assume because the source IP used is 10.9.0.2/24 My home network is 192.168.0.0/24, my internet router is 192.168.0.1/24, my synology is 192.168.0.200/24. When using wireguard on a raspberry Pi ( 192.168.0.193/24 ) the peer uses IP address 10.9.0.2/24 but the traffic will use source IP 192.168.0.193, so return traffic knows what IP address to use. When using wireguard on the synology the traffic leaves on source IP 10.9.0.2 so doesn't know how to return back |
Bump anyone ? |
I suggest you open a new issue. This one will at most only be seen by those who have posted in this thread. I don't know how to help you but maybe someone else does. |
This was the solution for my problem |
i installed the latest wireguar package, wrote the configs like in the readme:
added startup script. startet client and the tunnel was created. i can ping through the tunnel to a device in my local network. and i can see in an tcpdump for eth0 that that device is trying to answer to my client. But traffic is not routed back into the tunnel. so i tried out, the tips from that thread, but no success. when i try to add the route i get an error: RTNETLINK answers: Invalid argument any idea what i have missed? |
Check that the kernel module is actually loaded: |
thanks @runfalk seems like it is:
it's also possible to ping the server address 10.0.1.1 from the synology. but not the clients and ip route doesn't show any routes for the wireguard net:
|
Some problem here! After synology update wireguard doesn't work anymore. |
@martinorob the instructions above still work for me on DSM 6.2.3-25426. I did compile the latest releases myself via the Docker image so not sure if that makes a difference. My Makefile is patched to look as follows:
|
hi,
----Failed pair---
|
thanks mrutyunjay-patel, this one worked for me.
|
I debugged this issue for a bit and found something interesting. These are the commands that
so I played around with manually issuing these commands and found that switching the last two commands does not expose the issue, meaning when the second last command is issued only after the last command, the following route is correctly added to the routing table as desired (output from
Moreover, I monitored the routing table using
where the first Finally, manually issuing the four commands shows, that the route deletion only happens, when the last command is issued quickly enough after the second last one. So when waiting 3-5 seconds after the In conclusion, it actually seems like |
Thank you so much for this hint! |
Two days ago my NAS restarted and upgraded to 6.2.2-24922 (from 6.2.1-23824-6) by itself. Since then I can no longer connect using WireGuard.
Changelog doesn't seem to list anything obvious (https://www.synology.com/en-global/releaseNote/DS218j#ver_24922). My kernel compile is fresh, but the version is the same
Linux Poseidon 3.10.105 #24922 SMP Fri May 10 02:48:35 CST 2019 armv7l GNU/Linux synology_armada38x_ds218j
.Does anyone else experience the same?
The text was updated successfully, but these errors were encountered: