ip6tables Initialization Error #193

Open
ilya-yarets opened this issue Jul 18, 2024 · 1 comment

ilya-yarets commented Jul 18, 2024

WireGuard on Synology NAS: ip6tables Initialization Error

Description
I have set up a VPN connection using WireGuard on my Synology NAS (DS220+) and a client on a Mac. However, I'm encountering issues with the configuration. When I set AllowedIPs to 0.0.0.0/0, I get an ip6tables error, and the VPN does not work. Changing AllowedIPs to 10.7.0.0/32 allows the VPN to start, but I cannot ping the Mac client from the NAS.

Steps to reproduce

$ ssh user@nas
$ sudo wg-quick up wg0
[#] ip link add wg0 type wireguard
[#] wg setconf wg0 /dev/fd/63
[#] ip -4 address add 10.7.0.4/24 dev wg0
[#] ip link set mtu 1420 up dev wg0
[#] wg set wg0 fwmark 51820
[#] ip -6 route add ::/0 dev wg0 table 51820
[#] ip -6 rule add not fwmark 51820 table 51820
[#] ip -6 rule add table main suppress_prefixlength 0
[#] ip6tables-restore -n
ip6tables-restore v1.8.3 (legacy): ip6tables-restore: unable to initialize table 'raw'

Error occurred at line: 1
Try `ip6tables-restore -h' or 'ip6tables-restore --help' for more information.
[#] ip -6 rule delete table 51820
[#] ip -6 rule delete table main suppress_prefixlength 0
[#] ip link delete dev wg0

Expected behavior
I expected the VPN to start without errors and for the NAS to be able to route all traffic through the VPN.

Synology NAS model
DS220+

wg0.conf

[Interface]
PrivateKey = <hidden>
Address = 10.7.0.4/24
# DNS = 1.1.1.1
PostUp = iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE; iptables -A FORWARD -i %i -j ACCEPT; iptables -A FORWARD -o %i -j ACCEPT
PostDown = iptables -t nat -D POSTROUTING -o eth0 -j MASQUERADE; iptables -D FORWARD -i %i -j ACCEPT; iptables -D FORWARD -o %i -j ACCEPT

[Peer]
PublicKey = <hidden>
PresharedKey = <hidden>
AllowedIPs = 0.0.0.0/0, ::/0
PersistentKeepalive = 25
Endpoint = <hidden>:61420

Attempt with AllowedIPs = 10.7.0.0/32

$ sudo wg-quick up wg0
[#] ip link add wg0 type wireguard
[#] wg setconf wg0 /dev/fd/63
[#] ip -4 address add 10.7.0.4/24 dev wg0
[#] ip link set mtu 1420 up dev wg0
[#] iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE; iptables -A FORWARD -i wg0 -j ACCEPT; iptables -A FORWARD -o wg0 -j ACCEPT
$ sudo wg show
interface: wg0
  public key: <hidden>
  private key: (hidden)
  listening port: 42384

peer: <hidden>
  preshared key: (hidden)
  endpoint: <hidden>:61420
  allowed ips: 10.7.0.0/32
  latest handshake: 33 seconds ago
  transfer: 92 B received, 212 B sent
  persistent keepalive: every 25 seconds

$ sudo ping 10.7.0.3
PING 10.7.0.3 (10.7.0.3) 56(84) bytes of data.
From 10.7.0.4 icmp_seq=1 Destination Host Unreachable
ping: sendmsg: Required key not available
From 10.7.0.4 icmp_seq=2 Destination Host Unreachable
ping: sendmsg: Required key not available
From 10.7.0.4 icmp_seq=3 Destination Host Unreachable
ping: sendmsg: Required key not available
...

Issue
Using AllowedIPs = 0.0.0.0/0 results in an ip6tables error. When using AllowedIPs = 10.7.0.0/32, the VPN starts, but I cannot ping the Mac client (10.7.0.3) from the NAS (10.7.0.4). How can I configure WireGuard to route all traffic through the VPN without encountering these issues?

@ilya-yarets
Author

My NAS is a client.
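
A check of the two AllowedIPs values from this report, as an added example (not part of the issue or the project's code): it lists the address families for which a /0 entry makes wg-quick set up policy routing and firewall rules, and tests whether a destination falls inside any peer's AllowedIPs, which WireGuard's cryptokey routing requires before it can send. The function names and the sample config are constructed for illustration.

```python
import ipaddress

# Constructed sample input: the config from the issue, secrets omitted.
SAMPLE_CONF = """\
[Interface]
Address = 10.7.0.4/24

[Peer]
AllowedIPs = 0.0.0.0/0, ::/0
PersistentKeepalive = 25
"""

def allowed_ips(conf_text):
    """Return every AllowedIPs network from all [Peer] sections of a wg-quick config."""
    nets, section = [], None
    for raw in conf_text.splitlines():
        line = raw.split("#", 1)[0].strip()          # drop comments
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].lower()
        elif section == "peer" and "=" in line:
            key, value = (part.strip() for part in line.split("=", 1))
            if key.lower() == "allowedips":
                nets += [ipaddress.ip_network(v.strip(), strict=False)
                         for v in value.split(",") if v.strip()]
    return nets

def default_route_families(nets):
    """IP versions with a /0 entry. For these, wg-quick adds routes in table 51820
    and loads firewall rules (the ip6tables-restore step in the log above)."""
    return sorted({n.version for n in nets if n.prefixlen == 0})

def is_routable(nets, dest):
    """True if some peer's AllowedIPs covers dest. If none does, WireGuard has no
    peer to encrypt to and sendmsg fails with ENOKEY ("Required key not available")."""
    addr = ipaddress.ip_address(dest)
    return any(n.version == addr.version and addr in n for n in nets)

if __name__ == "__main__":
    full = allowed_ips(SAMPLE_CONF)
    narrow = allowed_ips("[Peer]\nAllowedIPs = 10.7.0.0/32\n")
    wider = allowed_ips("[Peer]\nAllowedIPs = 10.7.0.0/24\n")
    print("families with a /0 entry:", default_route_families(full))
    print("10.7.0.3 covered by 10.7.0.0/32:", is_routable(narrow, "10.7.0.3"))
    print("10.7.0.3 covered by 10.7.0.0/24:", is_routable(wider, "10.7.0.3"))
```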
