(DNS) error in Synology Docker app

Hello guys,

So I learned about Twingate through the following tutorial:

I’m subscribed to that channel as he knows a lot about Synology NAS devices. Note that this works with a native Docker app, so not Docker CLI.

After deploying/installing the container I see in the log things like: DNS error, failed to get an access token, connection error etc. I think I set it up correctly. I followed the tutorial above step by step, now I’m no network/Docker wizard but it seems almost impossible to mess this up… Though my connectors remain on ‘Not yet connected’.

I have (parts of) the log available to share, but before cluttering this (opening) post: does anybody have tips for posting logs here on the forum? I don’t know if this forum has formatting options to ‘hide’ a bunch of text in an expandable line/box or something? Or I read about something called like ‘pastebin’ or something to copy/paste code (or a bunch of text).

Thanks in advance! 🙂

Yeah you can send them via pastebin or just email to me if you have anything in there that is private (jhuber@twingate.com).

Can you check that the docker container has DNS out? All the connector needs is 443 and 30000-31000 out. Nothing inbound. So if you can DNS out to your tenant (.twingate.com) you should be ok.

Logs will help and checking that!

Hey Jason,

Thank you for your quick reply. I don’t think there’s anything private in there so I’ll just post it here:

This is only a part though, I can’t seem to copy paste the whole log in there. At some point I also get a repeated:
[ERROR] [libsdwan] Core::healthy: controller is not healthy

So if you feel you need more of the log, please let me know and I will be happy to provide it.

“Can you check that the docker container has DNS out? All the connector needs is 443 and 30000-31000 out.”

I’m pretty much a newbie with this stuff, so I have no clue how I could check this. My NAS has its own firewall, but I assume this is about the ports and should be configured in the router, right? The device is at my parents’ house, so it’s just a regular private internet connection from a home address.

Ahh ok!

You should be able to SSH into the container itself and then try to ping or tracert out to msn.com or similar.

Can you share the script you used to create the container?
We have seen that switching which network it attaches to corrects this outbound connectivity issue by adding --net host to the end of the command.

I want to help you place that in the right spot though as well.

I have honestly no clue how to SSH into the container, Synology has its own native app which works with a GUI. There is also a Terminal window/tab in the Synology app though, but I never used it before. If I remember correctly it’s just a ‘black box’, not like with Linux’ terminal for instance where you have ‘user@namePC:~$’. This probably does not matter at all, but it makes it feel really awkward and unfamiliar to me.

I’m also not familiar with standard Docker commands, since the app works with a GUI. So I didn’t use a script. I used the following package (or whatever it’s called):
https://registry.hub.docker.com/r/twingate/connector/

Maybe the tutorial in my opening post will give you a better idea of what I’m talking about and what my situation is. You can basically start at 6 minutes and 40 seconds of the video, since all the other info is obviously known to you.

The only thing that came to mind just now, is the ‘bridge network’ option SpaceRex talks about in his tutorial. In the past this created problems with my firewall, with all my other containers I don’t use the bridge. But he mentions it so distinctly, that I did use/enable it. I could try to temporarily disable my firewall. I was planning on trying this when I go to my parents on Monday or Tuesday, but I just realized that I can probably do this remotely right?

Ok, I’m just stupid. Just tested it with the firewall disabled and it instantly connected. So I guess I just have to add port 30000 to 31000 to the firewall exceptions. Is allowing TCP enough or UDP or both/all?

And 443 is just http(s) right? So I assume that’s not blocked by default?

edit: I just added port 30000 to 31000 (TCP) to the firewall exceptions, no additional rule for port 443 and it works now! 🙂

That is great. I see. So you were blocking outgoing 30000-31000 which would make sense.

Just TCP is fine!

Yeah 443 outgoing shouldn’t be blocked or you would see other issues. Glad you got this resolved!
Good idea to have a tight firewall. Glad you found the issue!
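
The check discussed in this thread (DNS out, then outbound TCP on 443 and 30000-31000) can be scripted so that a DNS failure, a silent firewall drop and a plain closed port are told apart. This is an added example, not code from the thread participants or from Twingate; the function names are hypothetical, and the target host is an assumption you supply yourself, since the thread does not name the endpoint behind ports 30000-31000.

```python
import errno
import socket
import sys


def resolve(host):
    """Return the sorted IPs that `host` resolves to, or [] if DNS fails."""
    try:
        infos = socket.getaddrinfo(host, None, proto=socket.IPPROTO_TCP)
    except socket.gaierror:
        return []
    return sorted({info[4][0] for info in infos})


def probe_tcp(host, port, timeout=3.0):
    """Classify one outbound TCP connection attempt."""
    if not resolve(host):
        return "dns-failure"      # name never resolved: fix DNS first
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return "open"         # handshake completed
    except socket.timeout:
        return "filtered"         # no answer at all: typical of a firewall drop
    except ConnectionRefusedError:
        return "refused"          # RST came back, so the packet did leave
    except OSError as exc:
        if exc.errno in (errno.ENETUNREACH, errno.EHOSTUNREACH):
            return "unreachable"  # no route from this network namespace
        return "error"


def check_egress(host, ports, timeout=3.0):
    """Probe each port on `host`; return {port: verdict}."""
    return {port: probe_tcp(host, port, timeout) for port in ports}


def blocked_ports(results):
    """Ports whose verdict points at local filtering or routing, not the peer."""
    return sorted(p for p, v in results.items() if v in ("filtered", "unreachable"))


if __name__ == "__main__":
    # Usage: python3 egress_check.py <host>
    # <host> is an assumption supplied by you; the thread names no endpoint
    # for ports 30000-31000. The sampled ports below are constructed values.
    target = sys.argv[1] if len(sys.argv) > 1 else "localhost"
    results = check_egress(target, [443, 30000, 30500, 31000])
    for port, verdict in sorted(results.items()):
        print(f"{target}:{port} -> {verdict}")
    print("likely blocked:", blocked_ports(results))
```

A "refused" verdict still shows the packet left the NAS and a reply came back, whereas "filtered" on 30000-31000 with 443 "open" matches the outbound firewall rule that turned out to be the cause here. A firewall configured to reject rather than drop would also show as "refused", so compare results with the firewall on and off.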