Access Synology NAS from anywhere
Tailscale makes it easy to securely connect to your Synology NAS devices over WireGuard®.
Tailscale is free for most personal uses, including accessing your NAS.
Visit the Synology Package Center (tutorial).
Search for and install the Tailscale app.
Once the app is installed, follow the instructions to Log in using your preferred identity provider. If you don’t already have a Tailscale account, a free account will be created automatically.
Now your Synology NAS is available on your tailnet. Connect to it from your PC, laptop, phone, or tablet by installing Tailscale on another device.
When used with Synology, Tailscale supports these features:
- Web-based login to any supported identity provider.
- Access your Synology NAS from anywhere, without opening firewall ports.
- Share your NAS with designated Tailscale users, using node sharing.
- Restrict access to your NAS using ACLs.
- Use your NAS as a subnet router to provide external access to your LAN. (Currently requires command-line steps.)
- Use your NAS as an exit node for secure Internet access from anywhere. (Currently requires command-line steps.)
Some things to be aware of:
If you upgrade Synology from DSM6 to DSM7, you will need to uninstall and then reinstall the Tailscale app. Do not perform the Synology DSM7 upgrade over Tailscale or you may lose your connection during the upgrade.
Tailscale uses hybrid networking mode on Synology, which means that if you share subnets, they will be reachable over UDP and TCP, but not necessarily pingable.
Other Synology packages cannot make outgoing connections to your other Tailscale nodes by default on DSM7. See instructions below to enable.
Tailscale on Synology currently can do
--accept-routes. This means that if you have other subnet routers, devices on those other subnets will not yet be able to reach your NAS or devices on its local subnet.
Advertising subnet routes can only be configured from the command line, not the web GUI.
Tailscale SSH does not run on Synology.
Some of those limitations are imposed on Tailscale by the DSM7 sandbox. Others we intend to fix in future releases of Tailscale.
See our Synology tracking issue on GitHub for the latest status on the above issues.
An alternative to the recommended approach of installing Tailscale from the Synology Package Center is to install Tailscale using a downloadable Synology package (SPK). A reason you might want to install from an SPK is to access new Tailscale features that are not yet released in the Tailscale version that is available from the Synology Package Center.
To manually install Tailscale:
Download the SPK for your Synology device from the Tailscale Packages server. Synology SPKs are available from both stable and unstable release tracks. To determine which download is appropriate for your Synology device, visit the Synology and SynoCommunity Package Architectures page and look up your architecture by Synology model. Then, find the SPK download at Tailscale Packages that corresponds to your model.
In the Synology DSM web admin UI, go to Main menu > Package Center.
Click Manual Install, click Browse, select the SPK (.spk) file that you downloaded, and then click Next.
Follow the remaining prompts to confirm settings and complete installation.
At this point
tailscaledshould be up and running on your Synology device and you can configure it either using the Tailscale package’s Synology web UI or the CLI over SSH. (For instructions on using SSH to access Synology, see How can I sign in to DSM/SRM with root privilege via SSH?).
Synology DSM7 introduced tighter restrictions on what packages are allowed to do. If you’re running DSM6, Tailscale runs as root with full permissions and these steps are not required.
By default, Tailscale on Synology with DSM7 only allows inbound connections to your Synology device but outbound Tailscale access from other apps running on your Synology is not enabled.
The reason for this is that the Tailscale package does not have permission to create a TUN device.
To enable TUN, to permit outbound connections from other things running on your Synology:
Make sure you’re running Tailscale 1.22.2 or later, either from the Synology Package Center or a manually installed
*.spkfrom the Tailscale Packages server.
In Synology, go to Control Panel > Task Scheduler, click Create, and select Triggered Task.
Select User-defined script.
When the Create task window appears, click General.
In General Settings, enter a task name, select root as the user that the task will run for, and select Boot-up as the event that triggers the task. Ensure the task is enabled.
Click Task Settings and enter the following for User-defined script.
/var/packages/Tailscale/target/bin/tailscale configure-host; synosystemctl restart pkgctl-Tailscale.service
(If you’re curious what it does, you can read the
Click OK to save the settings.
Reboot your Synology. (Alternatively, to avoid a reboot, run the above user-defined script as root on the device and then restart the Tailscale package.)
Your TUN settings should now be persisted across reboots of your device.
By enabling TUN, Tailscale traffic will be subject to Synology’s built-in firewall.
The firewall is disabled by default. However, if you have it enabled, add an exception for the Tailscale subnet, 100.64.0.0/10. In Main menu > Control Panel > Security > Firewall, add a firewall rule in the default profile that allows traffic from the source IP subnet 100.64.0.0 with subnet mask 255.192.0.0.
If you run into problems, contact support or visit the linked GitHub issues.