Tailscale on a Synology NAS - Secure Remote Connection without Port Forwarding or Firewall Rules

  • Published 7 Jul 2024
  • Synology 2023 NAS Confirmed Releases, Rumours & Predictions - nascompares.com/news/synology...
    Synology DSM 7.1 Software Review - GUI, DRIVE, ABB, SS9, OFFICE, HYPER BACKUP, STORAGE, CHAT and More - • Synology DSM 7.1 Softw...
    Synology NAS DSM 7.2-63134 Beta Coming Soon - nascompares.com/2023/01/18/sy...
    Access Synology NAS from anywhere
    Tailscale makes it easy to securely connect to your Synology NAS devices over WireGuard®.
    Tailscale is free for most personal uses, including accessing your NAS.
    Installation steps
    1. Visit the Synology Package Center (tutorial).
    2. Search for and install the Tailscale app.
    3. Once the app is installed, follow the instructions to Log in using your preferred identity provider. If you don’t already have a Tailscale account, a free account will be created automatically.
    4. Now your Synology NAS is available on your tailnet. Connect to it from your PC, laptop, phone, or tablet by installing Tailscale on another device.
    That’s it!
    Features
    When used with Synology, Tailscale supports these features:
      • Web-based login to any supported identity provider.
      • Access your Synology NAS from anywhere, without opening firewall ports.
      • Share your NAS with designated Tailscale users, using node sharing.
      • Restrict access to your NAS using ACLs.
      • Use your NAS as a subnet router to provide external access to your LAN. (Currently requires command-line steps.)
      • Use your NAS as an exit node for secure Internet access from anywhere. (Currently requires command-line steps.)
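An added example (not from the video or from Tailscale's documentation) for the ACL feature listed above: it compares an allow-all rule, which a tailnet uses until its policy is edited, with a restricted policy, and reports which NAS services every device can reach. The tag `tag:nas`, the group `group:family`, the e-mail addresses and the checker functions are assumptions made for illustration.

```python
import json

# Constructed sample policies in Tailscale's policy-file "acls" syntax.
# tag:nas, group:family and the e-mail addresses are hypothetical.
ALLOW_ALL = json.loads("""
{"acls": [{"action": "accept", "src": ["*"], "dst": ["*:*"]}]}
""")

RESTRICTED = json.loads("""
{
  "groups":    {"group:family": ["alice@example.com", "bob@example.com"]},
  "tagOwners": {"tag:nas": ["alice@example.com"]},
  "acls": [
    {"action": "accept", "src": ["group:family"],      "dst": ["tag:nas:5001"]},
    {"action": "accept", "src": ["alice@example.com"], "dst": ["tag:nas:22,445"]}
  ]
}
""")

# Services a DSM box commonly listens on (default port numbers).
NAS_PORTS = {22: "SSH", 445: "SMB", 5000: "DSM HTTP", 5001: "DSM HTTPS"}


def port_allowed(spec, port):
    """True if a port spec such as '*', '443', '22,445' or '5000-5001' covers port."""
    if spec == "*":
        return True
    for part in spec.split(","):
        low, _, high = part.partition("-")
        if int(low) <= port <= int(high or low):
            return True
    return False


def who_can_reach(policy, target, port):
    """Source selectors that some accept rule lets reach target:port.

    Simplified on purpose: it matches the destination literally (or '*') and
    does not resolve hosts, IP ranges or autogroups. Anything not matched by
    an accept rule is denied, as in Tailscale's deny-by-default model.
    """
    sources = set()
    for rule in policy.get("acls", []):
        if rule.get("action") != "accept":
            continue
        for dst in rule.get("dst", []):
            # Split at the last colon: the target itself may contain one (tag:nas).
            dst_target, _, ports = dst.rpartition(":")
            if dst_target in ("*", target) and port_allowed(ports, port):
                sources.update(rule.get("src", []))
    return sorted(sources)


def audit(policy, target="tag:nas"):
    """List NAS services that every device in the tailnet can reach."""
    return [
        f"{name} (port {port}) is open to every device in the tailnet"
        for port, name in NAS_PORTS.items()
        if "*" in who_can_reach(policy, target, port)
    ]


if __name__ == "__main__":
    for label, policy in (("allow-all", ALLOW_ALL), ("restricted", RESTRICTED)):
        print(label, audit(policy) or "no NAS service open to all devices")
```

With the restricted policy, only the family group reaches DSM over HTTPS, only one user reaches SSH and SMB, and plain-HTTP DSM on port 5000 is reachable by nobody.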
    Limitations & known issues
    Some things to be aware of:
      • If you upgrade Synology from DSM6 to DSM7, you will need to uninstall and then reinstall the Tailscale app. Do not perform the Synology DSM7 upgrade over Tailscale or you may lose your connection during the upgrade.
      • Tailscale uses hybrid networking mode on Synology, which means that if you share subnets, they will be reachable over UDP and TCP, but not necessarily pingable.
      • Other Synology packages cannot make outgoing connections to your other Tailscale nodes by default on DSM7. See instructions below to enable.
      • Tailscale on Synology currently can do --advertise-routes but not --accept-routes. This means that if you have other subnet routers, devices on those other subnets will not yet be able to reach your NAS or devices on its local subnet.
      • Advertising subnet routes can only be configured from the command line, not the web GUI.
      • Tailscale SSH does not run on Synology.
    Some of those limitations are imposed on Tailscale by the DSM7 sandbox. Others we intend to fix in future releases of Tailscale.
    See our Synology tracking issue on GitHub for the latest status on the above issues.
    Manual installation steps
    An alternative to the recommended approach of installing Tailscale from the Synology Package Center is to install Tailscale using a downloadable Synology package (SPK). A reason you might want to install from an SPK is to access new Tailscale features that are not yet released in the Tailscale version that is available from the Synology Package Center.
    To manually install Tailscale:
    1. Download the SPK for your Synology device from the Tailscale Packages server. Synology SPKs are available from both stable and unstable release tracks. To determine which download is appropriate for your Synology device, visit the Synology and SynoCommunity Package Architectures page and look up your architecture by Synology model. Then, find the SPK download at Tailscale Packages that corresponds to your model.
    2. In the Synology DSM web admin UI, go to Main menu - Package Center.
    3. Click Manual Install, click Browse, select the SPK (.spk) file that you downloaded, and then click Next.
    4. Follow the remaining prompts to confirm settings and complete installation.
    At this point tailscaled should be up and running on your Synology device and you can configure it either using the Tailscale package’s Synology web UI or the CLI over SSH.
    Video Chapters
    00:00 - The Start
    00:38 - When did I start using Tailscale on my Synology NAS?
    01:14 - What is Tailscale?
    01:49 - Why is remote accessing your NAS so dangerous and how is it done?
    02:38 - What is Port Forwarding and How does it work?
    03:37 - What About a VPN to Connect to your NAS Remotely?
    04:33 - Tailscale vs Port Forwarding vs Synology Quick Connect vs VPNs
    06:33 - How to Install Tailscale on your Synology NAS
    06:57 - How to Setup Tailscale on your Synology NAS
    07:50 - How to Install, Setup and Connect to the NAS over TAILSCALE with your Windows, Mac, Android or iOS system
    09:32 - Tailscale to Synology NAS Connection remote connect demonstration
    11:28 - Using Tailscale DOES NOT mean you shouldn't be aware of your Synology NAS Security!!!!
  • Science and Technology

COMMENTS • 73

  • @ZajaxFilms 1 year ago +17

    How the hell did you know I was looking to research this today???

  • @j_holtslander 5 months ago +2

    Every time I go looking for info online regarding using my NAS it's always NASCompares that I end up at as a destination. Haha. Keep up the good work!

  • @chrismclean2989 1 year ago

    Surprisingly straightforward 👍

  • @sandervanbergem6151 1 year ago +9

    If I understand it correctly you don't need to create a QuickConnect ID. But how would you connect the Synology photo & file apps on your mobile then? Or do you still create that ID and still keep the ports closed?

  • @haydenlee8332 1 year ago

    I only have a QNAP TS-231P3, so there is no native support for Tailscale.
    However, I was able to set up a Tailscale VPN thanks to extra help from another UA-cam video about how to set up Tailscale via Docker containers (for QNAP there's "ContainerStation").
    I'm loving Tailscale so far!! It's so easy!!

  • @Tetra84 1 year ago +2

    great guide! do you know how we can use Tailscale in conjunction with hyperbackup/vault to do secure connections to other Synology NAS's?

  • @vladiesc 1 year ago +5

    Nice one! Been using it on my Asustor NAS a while. Great piece of software! No port forward means less chance of being hacked.

    • @antik06 1 year ago +2

      Maybe it is a "Great piece of software", but maybe the user should think about the fact that to make it work, you are actually giving access to the NAS to a third party. Additionally, I saw a comment somewhere on the web that "If you look a bit at the advanced details, it beats those firewalls because they kind of "don't care" what the UDP packet content is as long as it looks like it's going to the correct IP, and that seems pretty dangerous to me". Well... I'm back to using the QVPN protocol with a VPN server on a QNAP QHora router 😎

    • @xellaz 1 year ago +1

      @antik06 Yea. I also don't like giving a 3rd party access to my devices. I run my own VPN server and that's the only way you can connect to my network from the outside. Everything else is denied. 😗

    • @TeufelHund 1 year ago +2

      Where is tailscale available for Asustor NAS?

    • @nemiw4429 9 months ago

      @antik06 R u the owner of QNAP and make too little income? U surely don't sound like an owner of anything other, than 1 old Qnap, but who knows. Maybe u'll share ur reason why u exist, Mr. Qnap NPC.

    • @antik06 9 months ago

      @nemiw4429 Did you forget to take your pills?

  • @user-yr2tn8sc1x 10 months ago +4

    You mention security at the end - where can I find instructions for adding such security - e.g. you mentioned Let's Encrypt?

  • @tonyvalenti6614 1 year ago +2

    Thanks again for yet another great video. I have been using Tailscale for several months now. Yes it was easy to set up, but I would have mentioned their recommendation to add a single line to your NAS Task Scheduler to ensure connection on reboot. That said, my use case was to connect two Synology’s, one onsite and the other offsite to use Hyper Backup supporting my 321 backup strategy. Worked great for about 7 backups, then disconnected and I was never able to reconnect or login through Hyper Backup to Hyper Vault. 😣
    Tried asking everywhere, Synology and Tailscale subReddits, Synology and Tailscale themselves. No one has a solution recommendation. Would be great to see if you could get it working and share another video.

    • @DavidM2002 1 year ago

      Do you have the NAS firewall activated? I set mine up and then later deactivated it but left the rules in place. At some time later, I got sort of locked out of the NAS; I could login to the desktop with a browser but could not move files to and from my Windows desktop with Windows File Explorer. In frustration, I went into the firewall and deleted all of the rules and turned the firewall on and then off. All was well after that. In frustration, we try almost anything; even those things that shouldn't work but this did for me this time.

  • @pbrigham 1 year ago +2

    One of the best ways to connect remotely to a NAS.

  • @IYIySTiiKv1 1 year ago

    I just set this up! It works great but I was having trouble with ssl certificates while using the synology photos mobile app

  • @vimanaboy 3 months ago

    Great video - subscribed! What I really need now is to figure out how to make a Tailscale certificate and make reverse proxies for my Docker services (Vaultwarden, Jellyfin, Audiobookshelf, etc.). Or whichever is the best way to access them via Tailscale if that isn't it.

  • @revlioquick 1 year ago +4

    Could I request some content? The title would be "break your cloud provider reliance".
    Overall the review/video would provide a guide to using local NAS resources to replace Google/Amazon/Apple/MS cloud services for:
    1. Automatic mobile device photograph/video backup #most important I believe
    2. Document sharing/editing
    3. Sharing of content via common social media, messaging platforms
    What with costs of these services constantly increasing, and the helpless feeling of being tied, powerless to their control. How easy is it to use Synology/QNap s/w to truly replicate that 'memories happily backed-up' feeling.

    • @Aleksandar.D 1 month ago

      I have already disconnected my entire family from Google photos and Google Drive for backing up our photos, documents, etc. However, I am still using external hard drives, which are disconnected from the internet, to back up my important data. On my NAS, everything that is exposed to the internet is something that I could live without.

  • @rb65 1 year ago +2

    Great video. I am trying to figure out how to use Tailscale to allow 2 Synology NASs on 2 different external networks to each other. My goal is to map remote drives between the two so that I can drop a file in a directory on one NAS into a folder on that device and have it copy to the other...but not "sync." In other words, I want that file to automatically copy to a folder on the other NAS and then be able to delete it from the origin NAS and have it remain on the destination.

    • @DavidM2002 1 year ago +1

      I do that but without Tailscale. On each NAS, I have a folder simply called "Transfer". I also have both NAS's running the cloud sync app which bi-directionally syncs that folder to Google Drive (or OneDrive). I copy a file on NAS 1 to its Transfer folder. It is then copied to the cloud drive. On NAS 2, its cloud sync detects the folder on Google Drive, and downloads to its local Transfer folder. I know that you said that you don't want to sync files but the sync app is the one that makes this work. If you set it for bi-directional, when you move the file out of the NAS 2's Transfer folder, a bi-directional sync sees the empty folder and then deletes the copy on Google Drive and the same thing happens back on NAS 1. Sounds convoluted but works like a hot damn.

  • @anwar.shamim 4 months ago

    very important

  • @drpepa09 7 months ago +1

    Is there a use case for Tailscale if NAS is behind CGNAT? Just went fullfibre with Befibre and now Plex remote access port forwarding is screwed unless i pay for a static ip fix

  • @cesiumion 1 year ago +1

    how would synology photos, video or music etc services work if used with openvpn?

  • @user-ly5hq5lz6v 1 year ago +1

    How does Tailscale compare with Cloudflare Zero Trust Tunnel and/or Twingate??

  • @petermarin 10 months ago +1

    how can I map the NAS in the file explorer? I can't see it when the devices are discovered.

  • @Alex_Railnolds 7 months ago

    Hi. Could you help - why my devices can't see each other if they are connected to different networks? Only on the same network they can see each other.

  • @showdown2006 7 months ago

    Will this still allow me to access my smb mount in MacOS finder to reach files I want to access/edit that are stored on the NAS?

  • @praetorxyn 1 year ago

    The only ports I have opened up are 80 and 443, and those are forwarded to the LSIO swag container, which autoredirects http to https (I only have 80 opened up because I can't be arsed to type before my URLs if I don't), and takes care of reverse proxying requests from all my subdomains to the appropriate Docker containers. I am not sure how secure this is compared to say a Cloudflare tunnel, but I have not had any issues thus far.
    Either way, I think I'd need the reverse proxy setup even with a Cloudflare tunnel, because I have my network configured so that requests to my domain don't go out over the internet from inside my network, so I'd need the reverse proxy to handle the local side and I could set up Cloudflare tunnels to handle the remote side without having to open any ports.

  • @jasonluong3862 1 year ago

    Does Tailscale run on all Synology NAses or just the higher end models with the x86 CPU?

  • @cunninghamb505 1 year ago

    Is the connection slow for you when using as an exit node? Mine is slow

  • @aryo7781 10 months ago

    does it need to be the same google account to access the NAS? or can other person using other google account access my NAS as long as they know my NAS' IP?

  • @jasonl7964 5 months ago

    Thanks for the video. I have Tailscale set up and running, I can access my NAS outside of my network using the Tailscale's IP for my NAS. How do I access it using Let's Encrypt Certificate? The certificate name only works within my local network.

  • @barkdongston5814 1 year ago

    I was troubleshooting a port forwarding issue with my NAS until 1 AM yesterday lmao

  • @c0delama 1 year ago +1

    I've been using Tailscale for a while now, but what I have discovered is that especially on my Android device, many other apps (including the web browser) are not working when I'm connected to the Tailnet. Would be great to find an option to just enable it for certain use cases or apps.

    • @percipioergowhat 1 year ago +1

      that sounds like a dns issue and might be solvable

  • @jeibar 6 months ago

    I started using Tailscale last night, and I’ve found that the speed is a bit slow to watch media.
    I can download documents and photos with no problem but when it comes to videos, it’s so slow compared to when connected to the local network.
    Is that normal? Is there anything I could do to improve the speed?
    Thanks heaps

  • @ernestodiv 1 year ago

    I'm using cloudflare to access my synology, what do you think about cloudflare?

  • @sourabhthorwat 11 months ago

    I installed and configured it on my NAS, iPhone and laptop.
    I can access my NAS on iPhone using Tailscale IP or hostname in public network. No issue at all.
    But I am not able to use it for Synology Photos or any other app. It just gives a security warning and doesn't work.

  • @Jp421JP 5 months ago

    Is there a way to limit a device to a single folder on the NAS, rather than full access?

  • @rafraf23534 1 year ago

    How does this compare with Twingate?

  • @Xsessive182 1 year ago +1

    Great, I was looking for a guide like this, can this be used for a QNAP to Synology file sync?

    • @DavidM2002 1 year ago

      That was my first question. What now? Get WinSCP (free to use). It's like Windows File Explorer except that it shows your local machine beside your remote machine. I recall that there is some sort of sync feature built in and no idea how configurable it is as I haven't tried it.

  • @BUBearsFan 4 months ago +2

    Good video. How do you add Tailscale to your NAS certificate to secure the connection? : )

    • @azwb 1 month ago

      Did you ever find out?

  • @LaplantFilm 1 year ago

    Is this possible on a QNAP as well?

  • @MarkDart 1 year ago

    Thanks for the video. I was starting to research solutions for my upcoming Starlink connection. I have a Synology NAS on which I am currently running open vpn and doing some port forwarding to my virtual machines hosted on the Synology NAS. The virtual machines are server 2003 and I am also investigating using XP 32 bit due to an old 32bit program I need to run. The issue with this is trying to get Tailscale installed on these machines. Is there a solution that you can think of that I can run on the NAS that will give access to all my internal network when connected?

    • @MarkDart 1 year ago

      I found the option to have one machine advertise the subnet route which fixed my issue

  • @PSP_vip 9 months ago

    When I enter the IP, just nothing loading

  • @djplasma02 1 year ago +2

    Cloudflare zero trust tunnels, also good for remote access.

    • @g.o.9513 10 months ago

      Is this service free?

  • @jasonluong3862 1 year ago

    Within a few years, opening a port and port-forwarding for any outside access to your internal network is synonymous with using fax machines and having your password "password".

  • @rishipareek4522 1 year ago

    Can we remote SSH with it?

  • @arielgrassm.dan.rapmfellow4795

    If you limit the access to the port-forwarded ports to your mobile devices public IP address alone, why would it be risky to open ports this way, blocking all other IP addresses??

    • @dummyload7803 10 months ago

      public IPs always change. How would you setup something like this ? I guess when it comes to having restrictions on who is allowed and not most if not all smartphones are checkmate

  • @Teilzeitotaku 1 year ago

    For those who want to use their Synology NAS not just for themselves but to make the world a better place:
    Snowflake
    This tool makes your hardware into a TOR-Entry node...which helps other people around the world.
    Docker container is available...so it can be run on a Synology NAS as such.

  • @unklesalty3732 1 year ago +1

    Could this work for Hyper Backup?

    • @tonyvalenti6614 1 year ago

      Worked for a while for me. Then disconnected and never was able to connect to the Vault again. 😞

  • @hernanechevarria9614 11 months ago +1

    From your other videos I had the idea that a NAS could be a substitute for Google Photos and Drive. But yesterday I found a Reddit post with all the security warnings and saying that your NAS shouldn't be exposed to the internet. My idea was to share storage space and photos with family in different countries. And now, I find that this is a big risk not only for the NAS but for all the devices on your network. I feel frustrated and disappointed. If all this is not possible, a NAS is not for me; I prefer Google in that case. Your videos are great but I got the wrong impression from them and I think you should emphasise the problems of exposing the NAS much more. Sorry if I got the wrong ideas and I would love you to correct me and tell me that I am wrong so I can have a bit hope. Thanks for your videos

    • @dummyload7803 10 months ago

      If I may. A NAS can be a substitute for Google, however I would only use it via VPN. But I have to admit ... since I don't have a smartphone ... I would not know how to configure that. Using a public cloud service ... for me ... is a big no-no.
      Another problem is the human being itself and its knowledge of computer stuff.
      If your family does not want to invest some time into learning a few things about computer stuff then offering space for them is ... in my eyes ... useless.

  • @jacobp7289 1 year ago +2

    How is this better than using quickconnect?

  • @samir1612 1 year ago +1

    I have Tailscale app on my phone running.
    Somehow my Synology-one-drive and Synology-photo-app does not work when I am outside the network.
    I can open browser and login to my Synology web interface.
    Anything I am missing?
    I tried to put correct addresses in both apps as per tailscale.

  • @MrTwixraider 1 year ago +1

    Great, but if you like to share pictures with non users, I think then this isn't gonna work. So you will have to sacrifice something

  • @q81tech 3 months ago

    So better not use?

  • @oroville12345 1 year ago

    Bro zerotier is better it works with wol and adding routes is so easy... 🔥

  • @uenmedia4528 1 year ago

    Are you serious really?? What did you talk all those time? Nonsense really and explanation was really worse on here seen!!!!

  • @MacGyver0 1 year ago

    @NasCompares
    If blog/how-tailscale-works does not lie, Tailscale node connections are end-to-end encrypted (a concept called “zero trust networking”).

    • @dean3184 1 year ago

      please interpret your comment for me. I'm kinda dumb when it comes to this

    • @MacGyver0 1 year ago

      @dean3184 This means that all traffic between devices is already encrypted and cannot be inspected by someone in the middle. Thus, Tailscale provides almost the same security as a local network. I would not put additional certificates on top for each web UI within trusted local network.

    • @ltngnx 1 year ago

      @MacGyver0 In other words, certificates are not really needed?
      Been looking online for days how to install certificates and it seems like there's no videos showing how-to. Maybe it is because, at the end, it is not really that needed?