Can't access local network of connector in Synology NAS

Hi all, hope whoever reads this is doing well.

I have fair experience in managing NAS and servers, network knowledge and some docker knowledge.

I set up Twingate yesterday, and all went ok. Connector is up and running as docker container on my Synology 918+ NAS, the relay is connected, and I can connect via Android phone or computer to my account. Resources are all set up, the most typical I need is 192.168.0.0/24, but I tried other things too.

The problem is that I cannot access anything in the connector network, nothing on 192.168.0.X. I tried to change users, tried Android and Windows, changed resources (single IP, subnet, single port of single IP, etc.), but nothing worked. I inspected the Docker network properties and the container is on a different IP subnet than my 192.168.X.X network:

                    "Gateway": "172.17.0.1",
                    "IPAddress": "172.17.0.3",
                    "IPPrefixLen": 16,
                    "IPv6Gateway": "",
                    "GlobalIPv6Address": "",
                    "GlobalIPv6PrefixLen": 0,

I pinged 172.17.0.3 in the NAS and it works, so the container gets the packets.
I tried to get into the running container to see if I can ping something in the 192.168.X.X subnet but can’t do that because there is no /bin/bash in the container.

Other info:
I started the docker container in command line in the NAS, not the interface, but I also saw several videos and pages (including how to run the connector on DSM7/Synology) and I have done nothing wrong. Proof of it is that the connector is properly connected to the relay.

The Docker container network mode is “bridge”; my Google search showed that should not be the problem, but I am not sure.

Yesterday I saw some logs on Twingate that the user (myself) could not reach 192.168.0.15 (the IP I was trying to connect), which means the packets are not getting out properly. Yet, the NAS itself can reach that IP without a problem, so why in the world would the container not be able to?

Any help from you guys here?

This is my first try to use Twingate, and the tool seems a piece of cake to use, if I manage to overcome this stupid networking hiccup.

P.s. Bonus question: what do I have to do to pass all traffic through my connector, e.g., how to set up the resource to use Twingate like a VPN?

Hi dopu,

The gateway and IP you’re seeing are part of the Docker network setup, it essentially creates a small private network for the container to run in but it should still be able to go up through that gateway to the rest of your network without an issue.

Just to be clear, when you look at the activity logs in the Twingate Admin Console, does it show that your Client has successfully connected to the Connector and that the Connector can’t connect forward to the Resource? Or do you not see the Client getting to the Connector at all?

And what kind of Resource(s) are you trying to test and how? Are you just trying to ping things, or are these web apps or file shares and you can’t get to the regular ports?
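A way to run the test the first post could not run (the connector image has no shell), added here as an example and not part of any post or of Twingate's tooling: a throwaway container joins the connector's network namespace and tries a TCP connect to a LAN address, then repeats it from the NAS host stack. The container name `twingate-connector` and the public `busybox` image (whose `nc` accepts `-z`) are assumptions.

```shell
#!/bin/sh
# Added example: probe a LAN address from the connector's own network stack.
# Assumptions: container name "twingate-connector"; busybox image is available.
DOCKER=${DOCKER:-docker}

# Print the container's Docker network mode ("bridge", "host", ...).
net_mode() {
  $DOCKER inspect -f '{{.HostConfig.NetworkMode}}' "$1"
}

# Pick the --network value that puts a throwaway container on the same stack
# as the connector. A host-mode connector already uses the NAS's own stack.
probe_network() {
  if [ "$(net_mode "$1")" = "host" ]; then
    echo "host"
  else
    echo "container:$1"
  fi
}

# TCP connect to IP:PORT from the connector's stack; exit status 0 = connected.
probe_tcp() {
  $DOCKER run --rm --network "$(probe_network "$1")" busybox \
    nc -z -w 3 "$2" "$3"
}

# Same connect test from the NAS host network stack, for comparison.
host_tcp() {
  $DOCKER run --rm --network host busybox nc -z -w 3 "$1" "$2"
}

# Turn the two exit statuses (host, connector; 0 = reachable) into a next step.
diagnose() {
  case "$1:$2" in
    0:0) echo "reachable from both stacks: the Docker network path is not the blocker" ;;
    0:*) echo "NAS reaches it, connector stack does not: check bridge forwarding/NAT on the NAS" ;;
    *:0) echo "connector stack reaches it, NAS host stack does not: recheck address and port" ;;
    *)   echo "unreachable from both: service down, filtered, or wrong address" ;;
  esac
}

# Usage: sh probe.sh 192.168.0.40 5001 [container-name]
if [ "$#" -ge 2 ]; then
  name=${3:-twingate-connector}
  host_tcp "$1" "$2"; h=$?
  probe_tcp "$name" "$1" "$2"; c=$?
  echo "mode=$(net_mode "$name") host=$h connector=$c"
  diagnose "$h" "$c"
fi
```

Running it once with `--net=bridge` and once with `--net=host` separates a Docker forwarding problem on the NAS from a problem further along the path.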

Ben, thanks for replying and sorry for the delay.

Yes, I know the 172.* IP is from the Docker network. And yes, the admin console shows that the client is connected. But the local IP cannot be reached. Here is an example:

XXXXXX@gmail.com requested 192.168.0.40
Protocol: TCP • Client Device IP: 172.58.203.230

Established peer-to-peer connection to Connector
Connector received request
Connector: famous-XXXX

Failed to connect to 192.168.0.40
192.168.0.40 could not be reached

192.168.0.40 is the IP of the NAS itself, where the docker container is deployed, but I also have tried reaching the router's webpage at port 8443 and nothing happens. Basically all local resources are not accessible. I even tried to do a port scan and pinging of local network, which normally works fine from my phone connected to WIFI. But when I switch to 5G and connect to Twingate, all local pings and port scans do not show up.

The strangest thing is that I can add resource 0.0.0.0/0 and this makes all the traffic pass through my connector. I can verify on my phone that the IP is that of my home network instead of the 5G company. But yet, accessing the local network becomes a mess, there is no way to access the local resources. I can’t find out where is the hiccup. I can ping the router from the NAS but I cannot ping it (or access its admin page) from Twingate. Looks like the connector container is isolated from the LAN in Synology. There is no Firewall active on the NAS, so that is excluded, so I can’t find what is preventing the Twingate container from pushing packets destined for 192.168.* outside its 172.* kingdom.

Partially SOLVED.

I tried a few things and some LAN resources are accessible, i.e.,:

  1. Can open the router web page at 192.168.0.5:8443
  2. Can access the NAS web page at 192.168.0.40:5001
  3. Can ping the router successfully at 192.168.0.5 (not sure why this is good now, I ended up using the same docker call at the end)

But:

  1. I cannot open at all my Transmission interface on port 9091, neither from the browser nor from the Transmission client.

So, all in all, Twingate is quite a hit and miss experience, not at all the easy smart solution I thought it would be. I tried switching the docker container from --net=bridge to --net=host, and that did not help much. I also disabled the DoS protection on the NAS, after which all the above successes popped up. But I enabled DoS protection again and the connections still work.

I was using Brave browser from the phone which gave weird outcomes as “Empty_Response” when trying to connect to the router’s page. I then opened Firefox which gave a more informative answer: “the connection was interrupted”. So, whatever is happening in this Twingate connection, something is messing up the connections. This is confirmed at least on http port 9091 for me, which works absolutely fine without Twingate or with a VPN.

I am just going back to using the router’s VPN which works great. Twingate is just painful troubleshooting and no direct help from the company, just this forum.

I’m sorry to hear Twingate didn’t work out for you the way you wanted. I am not exactly sure what the problem would have been, especially since it appears to be working now without any major changes.

I am unfamiliar with Transmission so I can’t offer any sort of troubleshooting tips, but I did find an (admittedly old) Forum post suggesting that sometimes the web interface/redirect can misbehave if you’re just accessing http://x.x.x.x:9091 and a suggestion that you should try going directly to http://x.x.x.x:9091/transmission/web/ instead.

Not sure if that changes the behaviour you’re seeing.

Regarding support, I am a Twingate employee, and myself and others on my team do try to actively monitor the forums on a daily basis and help where we can, and we do want to try and help you find a solution, both for yourself and for any future users who may be running the same sort of environment as you.

Either way I understand your frustration and I appreciate that you gave us a try regardless.

Arthur, thank you. If there is a chance to hop on a call and troubleshoot together, I am happy to. The symptoms are weird enough that despite my knowledge I cannot figure where is the hiccup, and I suspect it may be in the Twingate protocol or modification of packets (yes, I tried the full Transmission url as well).

Thanks.