Product
Solutions
Enterprise
Customers
Docs
Blog
Pricing
Download
Get started
Login
© 2024

Access Synology NAS from anywhere

The best way to install Tailscale on Synology devices is to download and manually install the Tailscale package for DiskStation Manager (DSM). The version of Tailscale that is available in the Synology Package Manager application is updated approximately once per quarter, so downloading the Tailscale app from our package server and installing it on DSM manually will ensure that you can use the most up-to-date version.

Install Tailscale on DSM manually

  1. Download the DSM package from the Tailscale package server site.

    To determine which download is appropriate for your Synology device, visit the Synology and SynoCommunity Package Architectures page and look up your architecture by Synology model. Then, find the SPK download at Tailscale Packages that corresponds to your model. Synology packages (SPKs) are available from both stable and unstable release tracks.

  2. Manually install the DSM package onto your Synology device
  3. After the Tailscale app is installed, follow the instructions to log in to your Tailscale network (known as a tailnet) using your preferred identity provider. If you don't already have a Tailscale account, a free account will be created automatically.
  4. After you authenticate to the tailnet, you can connect to your Synology device from your PC, laptop, phone, or tablet by installing Tailscale on another device.
  5. The Tailscale daemon tailscaled should now be running on your Synology device. You can configure it either using the Tailscale package's Synology web UI or using the Tailscale CLI over SSH. For instructions on using SSH to access Synology, see How can I sign in to DSM/SRM with root privilege via SSH?.

Install using Synology Package Center

If you do not want to manually install or update Tailscale using our package server site, you can install Tailscale from the Synology Package Center.

Synology Package Center updates Tailscale approximately once per quarter. To use the latest version of Tailscale, you should download the package and install manually.

  1. Go to the Synology Package Center (tutorial).

  2. Search for and install the Tailscale app.

    The Synology Package Center user interface.

  3. After the Tailscale app is installed, follow the instructions to log in to your Tailscale network (known as a tailnet) using your preferred identity provider. If you don't already have a Tailscale account, a free account will be created automatically.

    A screenshot of the Synology login

  4. After you authenticate to the tailnet, you can connect to your Synology device from your PC, laptop, phone, or tablet by installing Tailscale on another device.

Features and benefits

When a Synology NAS device is connected, Tailscale supports the following:

Limitations & known issues

  • If you upgrade Synology from DSM6 to DSM7, you will need to uninstall and then reinstall the Tailscale app. Do not perform the Synology DSM7 upgrade over Tailscale or you may lose your connection during the upgrade.

  • If you uninstall then re-install the Tailscale app and the NAS can no longer connect to your tailnet, see the Troubleshooting section for instructions.

  • Tailscale uses hybrid networking mode on Synology, which means that if you share subnets, they will be reachable over UDP and TCP, but not necessarily pingable.

  • Other Synology packages cannot make outgoing connections to your other Tailscale nodes by default on DSM7. See instructions below to enable.

  • Tailscale on Synology currently can do --advertise-routes but not --accept-routes. This means that if you have other subnet routers, devices on those other subnets will not yet be able to reach your NAS or devices on its local subnet.

  • Tailscale SSH does not run on Synology. You can use the provided SSH server in DSM instead.

Some of these limitations are imposed on Tailscale by the DSM7 sandbox. See our Synology tracking issue on GitHub for the latest status on the above issues.

Enable outbound connections

Synology DSM7 introduced tighter restrictions on what packages are allowed to do. If you're running DSM6, Tailscale runs as root with full permissions and these steps are not required.

By default, Tailscale on Synology with DSM7 only allows inbound connections to your Synology device but outbound Tailscale access from other apps running on your Synology is not enabled.

The reason for this is that the Tailscale package does not have permission to create a TUN device.

To enable TUN, to permit outbound connections from other things running on your Synology device:

  1. Make sure you're running Tailscale v1.22.2 or later

  2. In Synology, go to Control Panel > Task Scheduler, select Create, and select Triggered Task.

  3. Select User-defined script.

  4. When the Create task window appears, select General.

  5. In General Settings, enter a task name, select root as the user that the task will run for, and select Boot-up as the event that triggers the task. Ensure the task is enabled.

  6. Select Task Settings and enter the following for User-defined script.

    /var/packages/Tailscale/target/bin/tailscale configure-host; synosystemctl restart pkgctl-Tailscale.service

    If you're curious what it does, you can read the configure-host code.

  7. Select OK to save the settings.

  8. Reboot your Synology device. Alternatively, to avoid a reboot, run the above user-defined script as root on the device to restart the Tailscale package.

Your TUN settings should now be persisted across reboots of your device.

Upgrading the Tailscale package will require the above script to run again. When you upgrade Tailscale, run the above script as root, or reboot your Synology device.

Adjust Synology firewall settings

By enabling TUN, Tailscale traffic will be subject to Synology's built-in firewall.

The firewall is disabled by default. However, if you have it enabled, add an exception for the Tailscale subnet, 100.64.0.0/10. In Main menu > Control Panel > Security > Firewall, add a firewall rule in the default profile that allows traffic from the source IP subnet 100.64.0.0 with subnet mask 255.192.0.0.

Troubleshooting

If your Synology NAS cannot connect to your tailnet after uninstalling and re-installing the Tailscale app, we recommend the following steps:

  1. SSH into your NAS and run the command:

    sudo tailscale up

  2. Enter the password for your NAS (if prompted), then copy the provided URL.

    To authenticate, visit:
https://login.tailscale.com/a/xxxxxxxxxx
Success.

  3. Paste the URL into your web browser, authenticate to your tailnet, then open the Machines page of the admin console to verify that your NAS is connected to the tailnet.

Special thanks

Special thanks to Guilherme de Maio (nirev), who contributed the original Synology-Tailscale package builder. Tailscale now maintains this package builder and produces our official Synology packages.