Add support for DSM 7.0

[matige]

This pull request adds support for DSM 7.0. Additionally, a wg-init script has been developed, which allows you to easily add the WireGuard interface to autostart.

This package has been tested on DS220+ (geminilake) with DSM 7.0, and Virtual DSM (kvmx64) with DSM 6.2 and 7.0.

[runfalk]

Really good work! Thank you a lot for contributing this 🎉. I don't have a device that I want to test this on, so I'll take your word that it works on DSM 7.

Before merging I'd like to recompile all packages and try the DSM 6 variant with the new scripts on my own NAS. It'll likely be a week or two before I get the opportunity to do so. If you haven't heard anything from me after that, feel free to bug me here 😅.

[quexten]

Hi there, I tried building the package for my 918+ (which is running DSM 7.0 Beta), using sudo docker run --rm --privileged --env PACKAGE_ARCH=apollolake --env DSM_VER=7.0 -v $(pwd)/artifacts:/result_spk synobuild. However when I try installing it, I get the error message "Invalid file format, please contact the package developer". Here is the build log: https://gist.github.com/quexten/f47f8086ebc83ce88cff19d363b9e37a

[matige]

@quexten After examining the logs, I find that the package was built using the master branch from pkgscripts-ng. Most likely you cloned the synology-wireguard repository incorrectly and continue to use the version for DSM 6.
Follow these steps to build the package correctly:

$ git clone https://github.com/runfalk/synology-wireguard
$ cd synology-wireguard
$ git fetch origin pull/71/head:DSM7.0
$ git checkout DSM7.0
$ sudo docker build -t synobuild .
$ sudo docker run --rm --privileged --env PACKAGE_ARCH=apollolake --env DSM_VER=7.0 -v $(pwd)/artifacts:/result_spk synobuild

Parse argument result for DSM 7.0:

platforms     : apollolake
env_section   : default
env_version   : 7.0
dep_level     : 1
parallel_proj : 1
branch        : master
suffix        : 
collect       : True
collecter     : True
link          : True
update_link   : False
build         : True
install       : True
only_install  : False
parallel      : 12
build_opt     : -J
install_opt   : 
print_log     : True
tee           : True
sdk_ver       : 6.2
package       : WireGuard

Your parse argument result:

env_section  : default
env_version  : 7.0
dep_level    : 1
branch       : master
suffix       : 
collect      : True
update       : True
link         : True
build        : True
install      : True
only_install : False
sign         : False
build_opt    : -J
install_opt  : 
print_log    : True
sdk_ver      : 6.0
package      : WireGuard

[quexten]

@matige Okay so the problem seems to have been that while I did start the build in the DSM7.0 branch, I didn't build the "synobuild" docker image in the DSM7.0 branch, instead I built it in the master. After re-building the synobuild docker image on the DSM7.0 branch and then running the build, the package now installs and runs correctly.

[jaromirrivera]

I am getting the same error as @quexten "Invalid file format, please contact the package developer". I have switched to the DSM7.0 branch and built the synobuild container... I am compiling for a DS1019+ (apollolake)

sudo docker run --rm --privileged --env PACKAGE_ARCH=apollolake --env DSM_VER=7.0 -v $(pwd)/artifacts:/result_spk -v $(pwd)/sourceforge:/toolkit_tarballs synobuild

here is my parse argument result:

============================================================
                   Parse argument result
------------------------------------------------------------
platforms     : apollolake
env_section   : default
env_version   : 7.0
dep_level     : 1
parallel_proj : 1
branch        : master
suffix        :
collect       : True
collecter     : True
link          : True
update_link   : False
build         : True
install       : True
only_install  : False
parallel      : 6
build_opt     : -J
install_opt   :
print_log     : True
tee           : True
sdk_ver       : 6.2
package       : WireGuard

[runfalk]

It seems that you're using the 6.2 SDK. This should only happen if you haven't rebuilt the Docker image. Try deleting it or build using a different name than synobuild to be sure.

[jaromirrivera]

I tried rebuilding synobuild image with different name and it still doesn't work. Get the same error message: "Invalid file format, please contact the package developer"

My parse arguement result is the same as @matige's above... it also has sdk_ver set to 6.2.

[quexten]

@jaromirrivera Yeah sdk_ver was also 6.2 on the build that works on my DSM 7 Beta 918+. Try cleaning your docker images, and the build directory you have mounted ($(pwd)/artifacts:/result_spk ).

[matige]

@jaromirrivera Will you share the resulting SPK file with us? Maybe I can figure out what is causing the problems.

[jaromirrivera]

Sure @matige, attached is the SPK I built compressed in a zip file.
WireGuard-apollolake-1.0.20210219.spk.zip

Also of note my DSM 7 version is DSM 7.0-41222

[matige]

@jaromirrivera The package appears to be built correctly. The directory structure and metadata files are correct. Unfortunately, but I can't tell you why you can't install this package. I also don't have the Apollokale platform, so I can't check anything else.

[jaromirrivera]

Ha, I found out what the issue was... I previously had the Wireguard spk installed for DSM 6.2, then upgraded to DSM 7.0 beta. The wireguard package was still "installed" but would not run.

I needed to uninstall the DSM 6.2 version of the WireGuard package before installing the DSM 7.0 one I compiled.

@runfalk That might be something to note for upgraders... Backup wireguard configs, uninstall any previous versions of wireguard and then install DSM 7 version.

[runfalk]

@runfalk That might be something to note for upgraders... Backup wireguard configs, uninstall any previous versions of wireguard and then install DSM 7 version.

Yeah, definitely something that we should list along the release.

[matige]

@nc88keyz The problem is most likely due to an mistake in the comment with the package build instructions. You should run docker build before docker run (the comment has already been corrected).

[nc88keyz]

https://www.dropbox.com/s/z5ae2sjej32rxfl/WireGuard-bromolow-1.0.20210219.zip
DS3615XS Bromolow DSM 7.0
I have an actual DS3615XS and this compiled without error.
If ran from terminal, it stays alive. Since I have not gotten wireguard configured yet, I will refrain from commenting on success. I feel it will work if you know what you are doing. I've only used ovpn in the past and its beginning to show its age with TG

Edit: 03/21/2021 Works with binhex/arch-qbittorrentvpn:4.3.3-1-02 ( Last version to support the Kernel for the DS3615XS) I was having issues because of the kernel support ending in these containers from the devs.

DS3615XS
DSM Beta 7.0-41222
Kernel: 3.10.108
Wireguard Support with attached .spk confirmed successful

[jobhax25]

Sure @matige, attached is the SPK I built compressed in a zip file.
WireGuard-apollolake-1.0.20210219.spk.zip

Also of note my DSM 7 version is DSM 7.0-41222

I tried this package but it fails to runa dn wants to "repair". Unsure why. Also did have the 6.2 package and upgraded but removed it

[jelbo]

Sure @matige, attached is the SPK I built compressed in a zip file.
WireGuard-apollolake-1.0.20210219.spk.zip
Also of note my DSM 7 version is DSM 7.0-41222

I tried this package but it fails to runa dn wants to "repair". Unsure why. Also did have the 6.2 package and upgraded but removed it

You need to follow the instructions you can access through this link. Basically, don't autostart initially and do it manually the first time using sudo /var/packages/WireGuard/scripts/start

[matige]

@jobhax25 The solution can be found in #63. Follow this instruction, pay attention to step 4.
After installing the package run sudo /var/packages/WireGuard/scripts/start

[jelbo]

Sorry to clutter this thread, but I can't find a way to contact @nc88keyz. I see you have binhex/arch-qbittorrentvpn working with this WireGuard implementation. Can you share how? You may e-mail me, it's the last e-mail in this Base64 encoded string.

I've had no luck with --privileged=true, --sysctl="net.ipv4.conf.all.src_valid_mark=1, --cap-add=NET_ADMIN, --cap-add=SYS_MODULE and even --volume /lib/modules:/lib/modules. It can't find the WireGuard interface.

[Baalzaman]

Just a FYI, PR #71 compiles and runs fine on DSM 7 on a DS216j (armada38x). Works very well with excellent performance. Thank you Runfalk and Matige.

[mcdallas]

I compiled the SPK for geminilake (DS220+) but I am getting an error when starting the tunnel:

$ sudo wg-quick up wg0
Warning: `/etc/wireguard/wg0.conf' is world accessible
[#] ip link add wg0 type wireguard
[#] wg setconf wg0 /dev/fd/63
[#] ip -4 address add 192.168.5.15/32 dev wg0
[#] ip link set mtu 1420 up dev wg0
[#] wg set wg0 fwmark 51820
[#] ip -4 route add 0.0.0.0/0 dev wg0 table 51820
[#] ip -4 rule add not fwmark 51820 table 51820
[#] ip -4 rule add table main suppress_prefixlength 0
[#] sysctl -q net.ipv4.conf.all.src_valid_mark=1
[#] iptables-restore -n
iptables-restore v1.8.3 (legacy): iptables-restore: unable to initialize table 'raw'

Error occurred at line: 1
Try `iptables-restore -h' or 'iptables-restore --help' for more information.
[#] ip -4 rule delete table 51820
[#] ip -4 rule delete table main suppress_prefixlength 0
[#] ip link delete dev wg0

I am trying to use the NAS as a client. My wg0.conf is

[Interface]
Address = 192.168.5.15/32
PrivateKey = ***
ListenPort = 51820

[Peer]
PublicKey = ***
AllowedIPs = 0.0.0.0/0
Endpoint = ***:51820

Any idea how to fix this?

[matige]

@mcdallas It seems that the problem was already discussed in #31.

[WeeJeWel]

Hey all! What's the status of this PR?

[max19751]

I try to compile (on a DS720 DSM 7.0 machine) a DSM7.0 package for a DS216+II braswell architecture and get the following error:

sudo docker run --rm --privileged --env PACKAGE_ARCH=braswell --env DSM_VER=7.0 -v $(pwd)/artifacts:/result_spk -v $(pwd)/toolkit_tarballs_download:/toolkit_tarballs synobuild

WireGuard version: 1.0.20210606
WireGuard tools version: 1.0.20210424
libmnl version: 1.0.4

Cloning into 'pkgscripts-ng'...
[2021-08-11 16:04:37,130] INFO: tar -xhf /toolkit_tarballs/base_env-7.0.txz -C /build_env/ds.braswell-7.0
[2021-08-11 16:06:21,092] INFO: tar -xhf /toolkit_tarballs/ds.braswell-7.0.env.txz -C /build_env/ds.braswell-7.0
[2021-08-11 16:07:02,385] INFO: tar -xhf /toolkit_tarballs/ds.braswell-7.0.dev.txz -C /build_env/ds.braswell-7.0
[2021-08-11 16:07:40,027] INFO: All task finished.

               Parse argument result                    

---

platforms : braswell
env_section : default
env_version : 7.0
dep_level : 1
parallel_proj : 1
branch : master
suffix :
collect : True
collecter : True
link : True
update_link : False
build : True
install : True
only_install : False
parallel : 4
build_opt : -J
install_opt :
print_log : True
tee : True
sdk_ver : 6.2
package : WireGuard

Processing [7.0-42176]: braswell

          Start to run "Traverse project"               

---

Projects: WireGuard

============================================================
Start to run "Link Project"

Link /pkgscripts-ng -> /build_env/ds.braswell-7.0/pkgscripts-ng
Link //source/WireGuard -> /build_env/ds.braswell-7.0/source/WireGuard

============================================================
Start to run "Build Package"

[braswell] env PackageName=WireGuard /pkgscripts-ng/SynoBuild --braswell -c --min-sdk 6.2 -J WireGuard
/pkgscripts-ng/include/check: line 93: /dev/null: Permission denied
ERROR: This script must be run as root
Traceback (most recent call last):
File "/pkgscripts-ng/include/python/exec_env.py", line 76, in execute
output = commandrunner.run(cmd, display=display, **kwargs)
File "/pkgscripts-ng/include/python/commandrunner.py", line 39, in run
raise RunShellFailed(p.returncode, cmd, output)
commandrunner.RunShellFailed

During handling of the above exception, another exception occurred:

Traceback (most recent call last):
File "/pkgscripts-ng/include/python/parallel.py", line 15, in call
result = self.__callable(*args, **kwargs)
...

what is this "ERROR: This script must be run as root" about?

[alie2n]

I just built a spk for a DS920+ on geminilake.
WireGuard-geminilake-1.0.20210606.spk.zip

[HavermansStef]

Hi. Any updates on the status of this PR and when we might see it release?

[runfalk]

I've been putting it off since I haven't touched my Synology since this PR was created. It does seem a lot of people are having success with so I'm just going to merge it.

I apologize for the huge delay, and a big thanks to @matige for implementing it.

[runfalk]

Things are merged, but I haven't built any packages yet.

[nohnaimer]

@runfalk Hi,
Maybe add release with build WireGuard-* for DSM7?

[vihu]

I just built a spk for a DS920+ on geminilake.
WireGuard-geminilake-1.0.20210606.spk.zip

Thank you for building this! Disappointing that there is no official support for wireguard on synology.
I tried this on my DS920+ but it keeps failing asking to "Repair", did you do anything particularly special (user perms/kernel module etc) to get it going?

[M4rt1n12]

I just built a spk for a DS920+ on geminilake.
WireGuard-geminilake-1.0.20210606.spk.zip

Thank you for building this! Disappointing that there is no official support for wireguard on synology.
I tried this on my DS920+ but it keeps failing asking to "Repair", did you do anything particularly special (user perms/kernel module etc) to get it going?

Thanks, installation worked for me! (DS 720+)

You have to run "sudo /var/packages/WireGuard/scripts/start" to start the package

[cchhat01]

@matige @runfalk
I still can't get this work on my DS713+ (cedarview platform).
What am I doing wrong ?

$ git clone https://github.com/runfalk/synology-wireguard
$ cd synology-wireguard
$ sudo docker build -t synobuild .

...

Running hooks in /etc/ca-certificates/update.d...
done.
Removing intermediate container 93c0ad8efe84
 ---> d59ec74cc93c
Step 5/6 : COPY . /source/WireGuard
 ---> ff54c16fc6e1
Step 6/6 : ENTRYPOINT exec /source/WireGuard/build.sh
 ---> Running in af9a2f55e818
Removing intermediate container af9a2f55e818
 ---> 13251f8c2429
Successfully built 13251f8c2429
Successfully tagged synobuild:latest


$ sudo docker run --rm --privileged --env PACKAGE_ARCH=cedarview --env DSM_VER=7.0 -v $(pwd)/artifacts:/result_spk synobuild
docker: Error response from daemon: Bind mount failed: '/volume1/downloads/synology-wireguard/artifacts' does not exists.

[oschmidteu]

@cchhat01

docker: Error response from daemon: Bind mount failed: '/volume1/downloads/synology-wireguard/artifacts' does not exists.

[cchhat01]

@oschmidteu Yes I know, but why?
So where is the process failing ?
sudo docker build -t synobuild .
OR
sudo docker run ...

[oschmidteu]

sudo docker run ... -v $(pwd)/artifacts:/result_spk synobuild

You are trying to mount a folder which does not exist...
Just create the folder and you should be fine.

[cchhat01]

Nevermind i figured it out... I was attempting to do this on my synology NAS...
I am now performing this on my ubuntu VM and things seem to be moving along much further...

[cchhat01]

well that didn't get me anywhere either, the built .spk fails to run on my DS713+.
As soon as the spk is installed and attempts to start, it dies and I am only left with the option to "Repair" which does nothing but Stops the service from running.
If anyone has any luck in building for my cedarview device DS713+ (I am not sure why I am not able to build the image on my synology nas but on my amd64 based ubuntu VM), please let me know and I can give it a shot.
Not sure what logs I can provide since I don't know where to look.

[oschmidteu]

Well you should read and follow the installation guide.
You probably didn't got step 4 which starts with (Only for DSM 7).

Your problem was already discussed a few times, you could try to use the search function.

[nohnaimer]

@matige @runfalk
I still can't get this work on my DS713+ (cedarview platform).
What am I doing wrong ?

$ git clone https://github.com/runfalk/synology-wireguard
$ cd synology-wireguard
$ sudo docker build -t synobuild .

...

Running hooks in /etc/ca-certificates/update.d...
done.
Removing intermediate container 93c0ad8efe84
 ---> d59ec74cc93c
Step 5/6 : COPY . /source/WireGuard
 ---> ff54c16fc6e1
Step 6/6 : ENTRYPOINT exec /source/WireGuard/build.sh
 ---> Running in af9a2f55e818
Removing intermediate container af9a2f55e818
 ---> 13251f8c2429
Successfully built 13251f8c2429
Successfully tagged synobuild:latest


$ sudo docker run --rm --privileged --env PACKAGE_ARCH=cedarview --env DSM_VER=7.0 -v $(pwd)/artifacts:/result_spk synobuild
docker: Error response from daemon: Bind mount failed: '/volume1/downloads/synology-wireguard/artifacts' does not exists.

Compile for cedarview - https://cloud.mail.ru/public/13QD/cstYBiMby

[cchhat01]

@nohnaimer This build had the exact same effect as my build, I can install and attempt to run it but it fails to start according to synology logs.
I even have my wg0 configured as per my VPN provider all setup in /etc/wireguard/wg0.conf so this should have worked.
I think there may be something more and I can help debug if I knew what else I could do...
Thanks.

[matige]

@cchhat01 compilation of the package should be done outside the DSM environment. Cross compilation is used, so the fact that the compilation is done on an amd64 platform is not a problem.
If you have upgraded DSM to version 7, uninstall the previous version of the package before installing the new version. Then follow the installation instruction. Pay attention to step 4:
after installing the package run sudo /var/packages/WireGuard/scripts/start

[cchhat01]

@matige holy crap that worked (and my apologies for overlooking that step)...
Now how do I verify that the VPN is working through Wireguard and how do I route traffic through it ?

[M4rt1n12]

@matige holy crap that worked (and my apologies for overlooking that step)...
Now how do I verify that the VPN is working through Wireguard and how do I route traffic through it ?

Maybe... I don't know... ping the other endpoint? :D And RTFM ;)

[cchhat01]

Looks like I have a DNS entry in my wg0.conf as per the file provided by my VPN provider (WindScribe)

$ sudo wg-quick up wg0
Warning: `/etc/wireguard/wg0.conf' is world accessible
[#] ip link add wg0 type wireguard
[#] wg setconf wg0 /dev/fd/63
[#] ip -4 address add 100.x.x.x/32 dev wg0
[#] ip link set mtu 1420 up dev wg0
[#] resolvconf -a wg0 -m 0 -x
/usr/local/bin/wg-quick: line 32: resolvconf: command not found
[#] ip link delete dev wg0

Is there anything that I can do to resolve this (pun intended)? I searched for solutions but most of the solutions are for non-synology users.

[M4rt1n12]

How about remove the DNS entry from wg0.conf?

[cchhat01]

How about remove the DNS entry from wg0.conf?

Would that not leak DNS ?

[Dark1886]

@matige holy crap that worked (and my apologies for overlooking that step)...
Now how do I verify that the VPN is working through Wireguard and how do I route traffic through it ?

Explain like I’m dumb. Does this just mean you need to compile it on a different PC than the synology itself?

[runfalk]

Yes. You run follow the steps in the compilation section of the README on your normal computer (not your NAS). That generates a package that can then be installed on your Synology NAS through the web UI. Don't forget to read all the instructions because it's a bit more involved on DSM 7.