Access Synology NAS from anywhere
Tailscale lets you remotely access your Synology NAS. In the video below, Alex covers the basics you need to know to get up and running.
Features and benefits
When a Synology NAS device is connected, Tailscale supports the following:
- Log in using a supported identity provider.
- Access your Synology device from anywhere, without opening firewall ports.
- Share your Synology device with designated Tailscale users, using node sharing.
- Restrict and control access to your Synology device using ACLs.
- Use your Synology device as a subnet router to provide external access to your LAN.
- Designate your Synology device as an exit node for secure internet access for your other tailnet devices from anywhere.
Installation from the Synology Package Center is the easiest way to get started.
We recommend that you schedule automatic updates as the version published in the Synology app store may not always reflect the most recently released Tailscale version.
- Go to the Synology Package Center (tutorial).
- Search for and install the Tailscale app.
- After the Tailscale app is installed, follow the instructions to log in to your Tailscale network (known as a tailnet) using your preferred identity provider. If you don't already have a Tailscale account, a free account will be created automatically.
- After you authenticate to the tailnet, you can connect to your Synology device from your PC, laptop, phone, or tablet by installing Tailscale on another device.
You can create a scheduled task to check for Tailscale client updates and install them automatically.
- In Synology, go to Control Panel > Task Scheduler, select Create, and select Scheduled Task.
- Select User-defined script.
- In the General Settings tab, enter a task name and select the User: as root.
- Go to the Schedule tab, select Run on the following days, then Run on the follow days, and choose an increment such as Daily.
- Go to the Task Settings tab and enter the following for User-defined script:
tailscale update --yes
- Select OK to save the settings.
Synology DSM7 introduced tighter restrictions on what packages are allowed to do. If you're running DSM6, Tailscale runs as root with full permissions and these steps are not required.
By default, Tailscale on Synology with DSM7 allows only inbound connections to your Synology device. Outbound Tailscale access from other apps running on your Synology is not enabled.
The reason for this is that the Tailscale package does not have permission to create a TUN device.
To enable TUN and permit outbound connections from other apps running on your Synology device:
- Make sure you're running Tailscale v1.22.2 or later.
- In Synology, go to Control Panel > Task Scheduler, select Create, and select Triggered Task.
- Select User-defined script.
- When the Create task window appears, select General.
- In General Settings, enter a task name, select root as the user that the task will run for, and select Boot-up as the event that triggers the task. Ensure the task is enabled.
- Select Task Settings and enter the following for User-defined script.
/var/packages/Tailscale/target/bin/tailscale configure-host; synosystemctl restart pkgctl-Tailscale.service
If you're curious what it does, you can read the configure-host code.
- Select OK to save the settings.
- Reboot your Synology device. Alternatively, to avoid a reboot, run the above user-defined script as root on the device to restart the Tailscale package.
Upgrading the Tailscale package will require the above script to run again. When you upgrade Tailscale, run the above script as root, or reboot your Synology device.
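One way to combine the scheduled update with the re-run that upgrades require, as an added example that is not part of the Tailscale documentation: the script records the version, runs the update, and repeats the boot-up commands only if the version changed. The function names and the `--apply` argument are hypothetical, and it assumes `tailscale version` prints the version number on its first line and that the update has finished when `tailscale update` returns.

```shell
#!/bin/sh
# Added example, not from the Tailscale docs. Run as root from Task Scheduler.
TS_BIN=/var/packages/Tailscale/target/bin/tailscale  # path given on this page
MIN_VERSION=1.22.2   # minimum version this page requires for configure-host

# version_ge A B: succeed when dotted version A >= B, comparing numerically.
version_ge() {
    va="${1%%-*}.0.0"; vb="${2%%-*}.0.0"   # drop any "-suffix", pad fields
    for i in 1 2 3; do
        fa=$(printf '%s' "$va" | cut -d. -f"$i")
        fb=$(printf '%s' "$vb" | cut -d. -f"$i")
        if [ "$fa" -gt "$fb" ]; then return 0; fi
        if [ "$fa" -lt "$fb" ]; then return 1; fi
    done
    return 0
}

# post_update_action BEFORE AFTER: print what to do after an update attempt.
post_update_action() {
    if [ "$1" = "$2" ]; then
        echo none            # nothing was upgraded
    elif version_ge "$2" "$MIN_VERSION"; then
        echo reconfigure     # package changed: TUN setup must be re-applied
    else
        echo too-old         # configure-host needs v1.22.2 or later
    fi
}

# Assumption: the first line of `tailscale version` is the version number.
installed_version() { "$TS_BIN" version | head -n 1; }

main() {
    before=$(installed_version)
    "$TS_BIN" update --yes
    after=$(installed_version)
    action=$(post_update_action "$before" "$after")
    echo "tailscale $before -> $after: $action"
    if [ "$action" = reconfigure ]; then
        # The same two commands this page gives for the boot-up task.
        "$TS_BIN" configure-host
        synosystemctl restart pkgctl-Tailscale.service
    fi
}

# Hypothetical --apply argument: without it the file only defines functions.
if [ "${1:-}" = "--apply" ]; then main; fi
```

Saved to a file and invoked with `--apply` as the user-defined script of a root scheduled task, it replaces the plain `tailscale update --yes` task.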
Adjust Synology firewall settings
By enabling TUN, Tailscale traffic will be subject to Synology's built-in firewall.
The firewall is disabled by default. However, if you have it enabled, add an exception for the Tailscale subnet, 100.64.0.0/10. In Main menu > Control Panel > Security > Firewall, add a firewall rule in the default profile that allows traffic from the source IP subnet 100.64.0.0 with subnet mask 255.192.0.0.
Troubleshooting
If your Synology NAS cannot connect to your tailnet after uninstalling and re-installing the Tailscale app, we recommend the following steps:
- SSH into your NAS and run the command:
sudo tailscale up
- Enter the password for your NAS (if prompted), then copy the provided URL.
To authenticate, visit:
https://login.tailscale.com/a/xxxxxxxxxx
Success.
- Paste the URL into your web browser, authenticate to your tailnet, then open the Machines page of the admin console to verify that your NAS is connected to the tailnet.
Synology Package Center updates Tailscale approximately once per quarter. To use the latest version of Tailscale, you may either configure automatic scheduled updates or manually install the package.
- Download the DSM package from the Tailscale package server site.
- Manually install the DSM package onto your Synology device.
- After the Tailscale app is installed, follow the instructions to log in to your Tailscale network (known as a tailnet) using your preferred identity provider. If you don't already have a Tailscale account, a free account will be created automatically.
- After you authenticate to the tailnet, you can connect to your Synology device from your PC, laptop, phone, or tablet by installing Tailscale on another device.
- The Tailscale daemon tailscaled should now be running on your Synology device. You can configure it either using the Tailscale package's Synology web UI or using the Tailscale CLI over SSH. For instructions on using SSH to access Synology, see How can I sign in to DSM/SRM with root privilege via SSH?.
- If you upgrade Synology from DSM6 to DSM7, you will need to uninstall and then reinstall the Tailscale app. Do not perform the Synology DSM7 upgrade over Tailscale or you may lose your connection during the upgrade.
- If you uninstall then re-install the Tailscale app and the NAS can no longer connect to your tailnet, see the Troubleshooting section for instructions.
- Tailscale uses hybrid networking mode on Synology, which means that if you share subnets, they will be reachable over UDP and TCP, but not necessarily pingable.
- Other Synology packages cannot make outgoing connections to your other Tailscale nodes by default on DSM7. See the instructions on this page for enabling TUN to allow them.
- Tailscale on Synology currently can do --advertise-routes but not --accept-routes. This means that if you have other subnet routers, devices on those other subnets will not yet be able to reach your NAS or devices on its local subnet.
- Tailscale SSH does not run on Synology. You can use the provided SSH server in DSM instead.