Access Synology NAS from anywhere
Tailscale makes it easy to securely connect to your Synology NAS devices over WireGuard®.
Tailscale is free for most personal uses, including accessing your NAS.
Visit the Synology Package Center (tutorial).
Search for and install the Tailscale app.
Once the app is installed, follow the instructions to Log in using your preferred identity provider. If you don’t already have a Tailscale account, a free account will be created automatically.
Now your Synology NAS is available on your tailnet. Connect to it from your PC, laptop, phone, or tablet by installing Tailscale on another device.
When used with Synology, Tailscale supports these features:
- Web-based login to any supported identity provider.
- Access your Synology NAS from anywhere, without opening firewall ports.
- Share your NAS with designated Tailscale users, using node sharing.
- Restrict access to your NAS using ACLs.
- Use your NAS as a subnet router to provide external access to your LAN. (Currently requires command-line steps.)
- Use your NAS as an exit node for secure Internet access from anywhere. (Currently requires command-line steps.)
The first release of our Synology package (1.9.156) has a few limitations you should be aware of:
- If you upgrade Synology from DSM6 to DSM7, you will need to uninstall and then reinstall the Tailscale app. Do not perform the Synology DSM7 upgrade over Tailscale or you may lose your connection during the upgrade.
- We always use hybrid networking mode on Synology, which means that if you share subnets, they will be reachable over UDP and TCP, but not pingable.
- Other Synology apps cannot make outgoing connections to your other Tailscale nodes yet. Only incoming connections work right now.
- Tailscale on Synology currently can do --accept-routes. This means that if you have other subnet routers, devices on those other subnets will not yet be able to reach your NAS or devices on its local subnet.
- Subnet routing and exit nodes can only be configured from the command line right now, not the web GUI.
- The Tailscale package configures Synology port forwarding for port 443. This can lead to conflict with other services that also require port 443 like nginx.
We intend to fix all these issues in subsequent releases.
See our Synology tracking issue on GitHub for the latest status on the above issues.
An alternative to the recommended approach of installing Tailscale from the Synology Package Center is to install Tailscale using a downloadable Synology package (SPK). A reason you might want to install from an SPK is to access new Tailscale features that are not yet released in the Tailscale version that is available from the Synology Package Center.
To manually install Tailscale:
Download the SPK for your Synology device from the Tailscale Packages server. Synology SPKs are available from both stable and unstable release tracks. To determine which download is appropriate for your Synology device, visit the Synology and SynoCommunity Package Architectures page and look up your architecture by Synology model. Then, find the SPK download at Tailscale Packages that corresponds to your model.
In the Synology DSM web admin UI, go to Main menu > Package Center.
Click Manual Install, click Browse, select the SPK (.spk) file that you downloaded, and then click Next.
Follow the remaining prompts to confirm settings and complete installation.
At this point tailscaled should be up and running on your Synology device.
SSH into the Synology device. For <ip-address>, use the Tailscale IP address if your Synology device is already on your tailnet; otherwise use the IP address as recognized by Synology.
(For instructions on using SSH to access Synology, see How can I sign in to DSM/SRM with root privilege via SSH?).
Authenticate with Tailscale by running:
sudo tailscale up
Synology DSM7 introduced tighter restrictions on what packages are allowed to do. If you’re running DSM6, Tailscale runs as root with full permissions and these steps are not required.
By default, Tailscale on Synology with DSM7 allows only inbound connections to your Synology device; outbound access is not enabled.
The reason for this is that the Tailscale package does not have permission to create the /dev/net/tun TUN device.
But starting with Tailscale 1.12.4, the Synology package uses /dev/net/tun if it’s already present on the device.
To enable TUN:
Make sure you’re running Tailscale 1.12.4 or higher, either from the Synology Package Center or a manually installed *.spk from the Tailscale Packages server.
# Add CAP_NET_ADMIN to the binary; required if manually installing the
# Tailscale *.spk file.
# This step is required every time you upgrade Tailscale.
sudo setcap cap_net_admin+eip /var/packages/Tailscale/target/bin/tailscaled

# These three commands are only needed once and persist over restarts.
sudo mkdir -p /dev/net
sudo mknod /dev/net/tun c 10 200
sudo chmod 0666 /dev/net/tun
Restart Tailscale using the Synology web UI.
You should now be able to sudo ping <other-tailscale-IPs> from your Synology. Note that on Synology, sudo is required to ping.
When Synology reboots, the TUN permissions need to be restored. You can create a scheduled task that restores the permissions on boot-up.
To create the task:
Make sure your device is running Tailscale 1.22 or higher, either from the Synology Package Center or a manually installed *.spk from the Tailscale Packages server.
In Synology, go to Control Panel > Task Scheduler, click Create, and select Triggered Task.
Select User-defined script.
When the Create task window appears, click General.
In General Settings, enter a task name, select root as the user that the task will run for, and select Boot-up as the event that triggers the task. Ensure the task is enabled.
Click Task Settings and enter the following for User-defined script.
Click OK to save the settings.
Your TUN settings should now be persisted across reboots of your device.
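To confirm after a reboot or a Tailscale upgrade that the device node and capability from the TUN steps above are still in place, a check like the following can be run over SSH. It is an added example, not part of Tailscale's documentation or package: the function names are hypothetical, the paths are the ones shown on this page, and it assumes GNU-style stat and getcap are available on the device.

```shell
#!/bin/sh
# Added example: checks the state that the TUN steps on this page should leave.
# Paths default to the ones shown on this page; override via the environment.
TUN_PATH="${TUN_PATH:-/dev/net/tun}"
TAILSCALED_BIN="${TAILSCALED_BIN:-/var/packages/Tailscale/target/bin/tailscaled}"

# check_tun_node PATH (hypothetical helper)
# Prints a status word; returns 0 only if PATH is a character device with
# major 10, minor 200 and mode 0666, matching the mknod/chmod commands.
check_tun_node() {
    node="$1"
    [ -e "$node" ] || { echo "missing"; return 1; }
    [ -c "$node" ] || { echo "not-char-device"; return 1; }
    # Assumes GNU stat: %t/%T are device major/minor in hex (10 -> a, 200 -> c8).
    ids=$(stat -c '%t:%T' "$node") || { echo "stat-failed"; return 1; }
    [ "$ids" = "a:c8" ] || { echo "wrong-device:$ids"; return 1; }
    mode=$(stat -c '%a' "$node") || { echo "stat-failed"; return 1; }
    [ "$mode" = "666" ] || { echo "wrong-mode:$mode"; return 1; }
    echo "ok"
}

# check_net_admin BINARY (hypothetical helper)
# Returns 0 if getcap lists cap_net_admin on BINARY, 2 if getcap is absent.
check_net_admin() {
    command -v getcap >/dev/null 2>&1 || { echo "getcap-unavailable"; return 2; }
    if getcap "$1" 2>/dev/null | grep -q 'cap_net_admin'; then
        echo "ok"
    else
        echo "cap-missing"; return 1
    fi
}

# report: one-line summary suitable for a boot-up task log.
report() {
    tun=$(check_tun_node "$TUN_PATH") || true
    cap=$(check_net_admin "$TAILSCALED_BIN") || true
    echo "tun=$tun cap=$cap"
}

report
```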
If you run into problems, contact support or visit the linked GitHub issues.