Great detail! The pace of the video is appreciated too. I was able to maintain understanding while you moved through each step. Thank you for your hard work!
Thank you for this! Initially I was having issues with the handshake and it ended up being because I was not setting the appropriate addresses on the interface and allowed ips on the peer in the Wireguard client running on my PC and iOS. Once I figured out what was I don't wrong there I was able to successfully make the handshake and browse the public internet while connected to the tunnel but I'm not able to get to my local LAN resources such as Synology DS. I know I'm missing something simple.
Hi Josh, You're welcome! Hopefully you figured out the problem you were having, but if not I'm just curious if you setup your client as a split tunnel or full tunnel? If split tunnel make sure that the AllowedIPs line matches the subnet of your LAN (the subnet that your Synology NAS is on). If you are using a full tunnel then it seems odd that you can get to the internet but not your local LAN. Are you using the IP address of your LAN resources or a local domain name to get to your LAN resources? If you are using a local domain name try the IP address to see if you can get to the resources that way. Hope this helps?
Hi _ImVanh_, You can definitely use another port number if you would like. There are well-known/reserved ports (0 to 1023) that you generally shouldn't use, but other than that I believe it is fine. Good luck with your setup!!
Thank you very much for your very handsome guide. But I have trouble with running a configuration with "Full tunnel" I am running a DS1819+ on DSM7. After setting up I can only reach the IP address of the DSM from my client. Other IPs of the local network are not reachable(e.g. router) as well as internet access is not working. Is there a routing or firewall problem which I have to set up manually?
Hi Johannes, Thanks for the comment on the video! Regarding your problem of being able to connect to DSM, but not being able to access your router or internet, I would double check that you are using the correct interface in your wireguard config (wg0.conf). Run the command "netstat -rn" to display your active routing table, look at the Flags column with the line that has UG in it. On that line look the iFace (interface) and make sure this interface is what you use in your wg0.conf file. For example in the PostUp and PostDown lines you may need to adjust eth0 to something like ovs_eth0 or ovs_eth1. Hope this helps and let me know how things turn out.
I am running it on my physical machine. My interface is ovs_bond0 - in wg0.conf the setup is with the correct interface in the PostUp/PostDown. All config / iptable rules look fine- any other ideas? I might try it on a virtual DSM.
Not really sure what else to suggest. I just tried setting up my DS920+ with link aggregation and everything worked fine using the ovs_bond0 interface. The firewall was disabled on my end, but even after I enabled it I had no issues. For reference below is what I have in my wg0.conf file... Good luck if you try it on Virtual DSM. [Interface] Address = 10.0.1.1/16 PrivateKey = ListenPort = 51820 PostUp = iptables -A FORWARD -i %i -j ACCEPT; iptables -A FORWARD -o %i -j ACCEPT; iptables -t nat -A POSTROUTING -o ovs_bond0 -j MASQUERADE PostDown = iptables -D FORWARD -i %i -j ACCEPT; iptables -D FORWARD -o %i -j ACOEPT; iptables -t nat -D POSTROUTING -o ovs_bond0 -j MASQUERADE [Peer] PublicKey = AllowedIPs = 10.0.1.2/32 PersistentKeepalive=25
@@alexs2340 I tried many times to repeat all the steps... Thinking I made a mistake. On the end, I guess I rebooted the meantime and out of ab sudden then it worked. Since then no troubles any more. After booting up the service starts automatically and even I confifured complete new interface (10GbE ) is still working.
@RetroMythologist I'm using the vi editor and used :wq in command mode to save the file and exit vi. Here is a cheat sheet for additional commands for vi -> www.thegeekdiary.com/basic-vi-commands-cheat-sheet/. Hope this helps?
@sammywonks404 Good question!! If I go with what I use on a day to day basis then I would answer Tailscale. I like the availability it provides to the services I have setup at multiple locations. For a recommendation though I would ask how comfortable are you to allow a 3rd party service access to your local network? If you are comfortable with that then choose Tailscale. If not, setup Wireguard. Hope this helps?
@@digital_aloha Thanks for following up. Wireguard didnt work for me - for some reason I couldnt get to connect to the internet after enabling it - both on my mac and mobile. So back to Tailscale 🙂
First of all thank you for the great instructions, although it took me 11 hour to configure it works, thanks to your clear instruction i managed it. Could you tell me how to add extra peers for other users/devices. Or maybe show me how the config file would look like?
Hello, thank you very much for sharing. I followed all your steps but it didn't work for me on DSM 6.2, would I have to change something in wg0.conf to make it compatible with DSM 6?
Hi Juanma, I never did try it on DSM6, but I'd assume the wg0.conf file should be the same for both DSM6 and DSM7. Were you able to compile and install the SPK file? If you can give me further details on where you are having problems I'll see if I can point you in the right direction.
Thank you very much for your attention, I used the WireGuard-bromolow-1.0.20201221.spk file downloaded from runfalk github for my HP Proliant Gen8 with Intel Xeon E3-1265L-V2 CPU with DSM 6.2.3 installed and I followed your tutorial steps from "install and setup WireGuard on Virtual DSM7" but neither my mobile nor my laptop can connect and I have the 51820 port forwarded.
Hey, I followed your guide on my DSM7 920+ and it seems like it connects, and I can access the internet, but when I try to access things on my local network it says that the handshake is failing. I don’t know what I did wrong or how to fix this? Could you help, thanks!
Hi Hunter, I think I would want to make sure the WireGuard connection is up and running first and foremost. Run the command `sudo wg show wg0` from your Synology NAS and see what it tells you. Sometimes the client can be misleading if a connection has been established or not. Feel free to follow up here as you work through things. Good luck!!
@@digital_aloha I ended up just using wg-easy in docker, and it comes with a web interface and you don’t have to manage all the keys, but thanks for the response!
@@hunterw9451 Glad you found a solution that worked for you and thanks for letting me know what your solution was!! I'll have to try wg-easy in Docker as well (maybe a possible future video)!!
@@kpyhere I actually did create a video covering what was mentioned in this comment thread -> ua-cam.com/video/Tf74tyE0YjQ/v-deo.html. Hopefully this works for you. Good luck!!
Hi airwolf FPV, It's been a while since trying to compile the SPK file on a Synology NAS and can't remember if I tried it using sudo -i so I just tried it now and still no go.
Hey, I have a rather long question, so thank you in advance if you take the time to read it. I currently have an OpenVPN server on my NAS in order to access my data from outside my network (mainly on smartphones). Now I also want to setup the NAS as a VPN client for more safety (mainly for radarr/usenet downloads). I also already have an ExpressVPN license which I use on other devices. Since I can't use the same VPN protocol for both the server and client (afaik), what method would you recommend in my case? - Keep OpenVPN for the server and use L2TP for the client. - Use L2TP for the server and OpenVPN for the client. - Keep OpenVPN for the server and use Wireguard. - Another option?
Hi Tommy, Interesting setup and one that I've never tried so it may be an idea for a future video. Regarding my thoughts I would actually suggest using OpenVPN for the client because it is both secure and fast so hopefully you get quicker downloads. I'd then use either L2TP or WireGuard for the VPN server you run on your Synology NAS, although I think you could keep using OpenVPN if you don't have overlapping ports with the ExpressVPN client setup. Would be curious to see where you end up in your setup. If you want to post a response here on what you did that would be great. Good luck!!
@@ThomasS17 I've actually tried out a few things since I replied to you and I found that if your Synology NAS is a VPN client (I use Private Internet Access, I had an account) that none of the VPN servers that you run on your Synology NAS (L2TP/IPSec, OpenVPN and even WireGuard) will work when when connected as a VPN client. The only way I found to connect to the Synology NAS remotely while the NAS is connected as a VPN client is using Tailscale. Have a look at my TailScale video if you are interested -> ua-cam.com/video/x7SVbkHaEaA/v-deo.html. Good luck and thanks for sharing your setup. Inspiration for my next video which will be on setting up your Synology NAS as a VPN client :).
QuickConnect works as well if the Synology NAS is connected as a VPN client. Seems like all of these hole punching/cloud connectivity services work fine, but not the direct to your Synology NAS services like VPN servers.
@@digital_aloha Hey, thanks for your efforts and thorough replies! Too bad the NAS cannot be both a client and server. QuickConnect is not secure enough for me to run as a permanent external access solution. But it's not very often that someone needs access from outside our network anyways, so I think I'll leave the NAS as a client and change it to be a server when neccessary. And also thanks for your new video! I learned something new again, did not know about the traceroute command.
Hi i can’t lauch wg0 on my actual ds920+ dsm 7.1 ard# sudo wg-quick up wg0 [#] ip link add wg0 type wireguard [#] wg setconf wg0 /dev/fd/63 Line unrecognized: `Address=10.0.1.2/16' Configuration parsing error [#] ip link delete dev wg0 Can you help me with this problem ? Thank you
Hi Doniyor, Could it be that your wg0.conf file isn't pointing to the correct ethernet interface? The command you ran and have in your comment/question looks correct to me. Hope this helps? And good luck!!
Thank you very much for the detailed and well done tutorial! If you take the time to read this comment to the end, thank you! I installed Wireguard successfully per this video on my DS716+2 but at the end realized I forgot to set up the port forwarding on the router (Fritzbox 6490 Upnp). So I watched your well done Port Forwarding video and could not communicate with the NAS. After many attempts I got the NAS Router configuration to get the Router to share ports and set up ports on the NAS (5000 TCP, 5001 TCP, 51820 UDP) and turned off the NAS firewall just for testing .. but still no connection with the NAS when I tried to log in from a laptop over wireless data. What did I miss? Thank you in advance for any thoughts.
Hi Vulcan Man, You're welcome and thank you for the compliment on the video!! From what you describe you've done everything properly so it is really hard to say where the issue is. What my hunch is is that WireGuard isn't running properly so I would just double check that portion of the setup. I'd also recommend that you try out the setup from this video -> ua-cam.com/video/Tf74tyE0YjQ/v-deo.html. The setup provides a graphical interface that makes it simpler to figure out if your WireGuard connection is working properly from the server/NAS end of things. Hope this helps and best of luck to you!!
@@digital_aloha Thank you for the help! I appreciate your time! Question: if the connection between the router and the NAS is ok, shouldn´t I be able to log in to DSM via my laptop with wireless data (i.e. not on my network)? I had tried that and it didn´t work so I figured there was something wrong with either the router. Again, I thank you in advance for any ideas.
@@vulcanman5039 You're welcome! Regarding your question, yeah you should be able to connect to DSM over wireless data with the setup you mentioned. In this case you may want to make sure that your router does a one-to-one mapping of ports (I see you mentioned upnp in your original comment). I've noticed in my limited experience with upnp routers (and not a Fritzbox) that the port mapping wasn't what I expected. For example the internal port 5000 wasn't mapped to the external port 5000, but some high port number that was randomly chosen from what I could tell. I'd also recommend turning of upnp on your router and do manual port forwarding mapping as well. Hope this helps? Let me know how things go.
@@digital_aloha Thank you for your hints. I went back and looked at the setup video and followed that. I got to the end of the process and there are some errors. If you can shed some light on this, it would be appreciated: root@Server1:~# sudo cat /etc/wireguard/wg0.conf [Interface] Address = 10.0.1.1/16 PrivateKey = [private key] ListenPort = 51820 PostUp = iptables -A FORWARD -i %i -j ACCEPT; iptables -A FORWARD -o %i -j ACCEPT; iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE PostDown = iptables -D FORWARD -i %i -j ACCEPT; iptables -D FORWARD -o -%i -j ACCEPT; iptables -t nat -D POSTROUTING -o eth0 -j MASQUERADE [Peer] PublicKey = [public key] AllowedIPs = 10.0.1.2/32 root@Server1:~# sudo wg-quick up wg0 [#] ip link add wg0 type wireguard [#] wg setconf wg0 /dev/fd/63 [#] ip -4 address add 10.0.1.1/16 dev wg0 [#] ip link set mtu 1420 up dev wg0 RTNETLINK answers: Address already in use [#] ip link delete dev wg0 root@Server1:~# sudo wg show wg0 Unable to access interface: No such device
@@vulcanman5039 You're welcome! From the output of the "sudo wg-quick up wg0" command it looks like there was an issue (RTNETLINK answers: Address already in use). You might want to check if the IP address/network you are setting up for WireGuard is not conflicting with the IP address/network that your LAN is using. I found this issue from the runfalk/synology-wireguard GitHub project that had a similar error which may help you as well -> github.com/runfalk/synology-wireguard/issues/106. Hope this helps? Good luck to you!
Hey, thanks a lot for this tutorial, it's very helpful. I've configured wireguard on my DS920+ with DSM 7.0 but I'm struggling at the final steps. On my wireguard app (the client), the client cannot handshake with the server and when I show the connections on the server, no one is connected. On my client (running on windows), i've disabled my firewall. I've also opened the port 51820 on my router for UDP/TCP connections... I think I'm missing something simple. Do you have any idea?
Hi Thibaud, You're welcome on the video tutorial. Regarding your issue it does sound like you did everything right, but when you say you opened port 51820 on your router did you port forward it to your Synology NAS? I'm unclear if you did or didn't. Maybe that is the missing step? Hope this helps and good luck to you in setting things up.
I just released an updated video about a week ago. Here is the link -> ua-cam.com/video/v0Z1m658Xe8/v-deo.html. In your case you probably want to uninstall the WireGuard package. Reboot your NAS. Then install the 7.2 version of WireGuard. After that you should be good to go.
the error tells you to run as root because your user lacks permissions. Can switch to root with sudo -i command and enter your password, you can run again as root and see if that resolves the error by giving the process unrestricted access.
Hi BEEFY JOE, Actually I did use sudo and it still didn't work. It may have changed since I created the video. Did you try it and, if so, did the compiling work for you on your Synology NAS?
Hi Rick, Glad the video was informative and too bad you couldn't get things working. See if the WireGuard-geminilake-1.0.20210606.spk works for your DS220+. I've uploaded the SPK file here -> drive.google.com/drive/folders/1Ci-8oWZ_gW8tH3mv5wKL19nKE1pR8ZfH. Good luck!!
Hi Patryk, Looks like your DS1513+ supports Docker and you could use an image like wg-easy (hub.docker.com/r/weejewel/wg-easy ) to set up WireGuard. I'll likely release a video on setting up wg-easy on a Synology NAS before the end of the month so if you haven't yet subscribed please do and you'll get notified when I release that video. In any case good luck in getting WireGuard setup on your NAS.
Hi Patryk, It looks like the link added the closing parentheses character. I updated the link in the original comment, but here it is again. hub.docker.com/r/weejewel/wg-easy
Hi yong, Good question!! Actually I decided to do the video using Virtual DSM7 because I was planning to share the SPK file with the viewers and I thought that I could reach a wider audience that way. There is no reason not to run WireGuard on the actually DSM7, but you just need to compile the SPK file for your specific Synology NAS platform. Good luck which ever way you decide to try to run WireGuard!!
2021-10-16 working on a DS716+ however.. only working to access the local network. need to get it working so VPN lets me through to the internet. Suggestions welcomed
Hi Rob, others have reported the issue to be DNS related if you can access your local network but nothing over the Internet. You can try to ping Google's DNS server (8.8.8.8) while you are on the WireGuard VPN to confirm you are having similar problems. If the ping works confirm access to your DNS server or change it to another DNS server that you do have access to. Hope this helps and please share what ultimately worked if you do resolve the issue. Good luck!!
Hello, I can only access my local network, no internet. however I can see request from clients on pihole. but no ping to internet.Forwarding is enabled. what is the problem?
Hi Andreas, See if adding "sleep 5; ip route add dev wg0" to the end of the PostUp line in your wg0.conf file helps (example in the link below). I read about that entry earlier (can't find the link) and it is also mentioned in an issue directly from the runfalk/synology-wireguard Github page where people are experiencing the same problem as you are (github.com/runfalk/synology-wireguard/issues/78). I haven't ran into your issue so I can't really say for sure what you should try. Good luck!!
@@digital_aloha Thank you for a replay, very appreciate your help. It didn't helm but I guess I found the problem. It was a DNS related to my pihole and it didn't work (no internet only local). If I'm changing DNS it works. The question is how to make friends Wireguard with pihole?)))
@@giss69 Glad you figured out that the issue was with pihole, but it is strange because my setup uses pihole as well and it works great for me. My pihole is running on a raspberry pi. Where is your friend's pihole running?
Hi Thom, sorry to hear that you are having problems with your DS718+. I actually have that exact same Synology NAS so I can work through troubleshooting with you. Couple of questions... 1) Are you setting WireGuard up on the hardware itself or through VirtualDSM7? 2) What DSM version are you using... 6.x or 7.0? Let me know and I'll try setting things up on my end.
Hi James, I just tried it right now and it worked fine. Here is my wg0.conf file. [Interface] Address = 10.0.1.1/16 PrivateKey = ListenPort = 51820 PostUp = iptables -A FORWARD -i %i -j ACCEPT; iptables -A FORWARD -o %i -j ACCEPT; iptables -t nat -A POSTROUTING -o ovs_eth0 -j MASQUERADE PostDown = iptables -D FORWARD -i %i -j ACCEPT; iptables -D FORWARD -%i -j ACCEPT; iptables -t nat -D POSTROUTING -o ovs_eth0 -j MASQUERADE [Peer] PublicKey = AllowedIPs = 10.0.1.2/32 Note that the interface I used was ovs_eth0 rather then eth0 as I had in the video. For the client side configuration I set it up as a split tunnel and here is my config. [Interface] PrivateKey = Address = 10.0.1.2/32 [Peer] PublicKey = AllowedIPs = 192.168.81.0/24 # this is my local subnet Endpoint = :51820 One last thing is to make sure you have port forwarding setup on your router (I forgot to set this up on my end and had some head scratching for a few minutes before I realized I missed this step). Hope this helps and good luck to you!!
Hi Andreas, Here is the SPK file I used for my 718+. Hopefully this works for you as well and let me know if you have any problems downloading the file. drive.google.com/drive/folders/1Ci-8oWZ_gW8tH3mv5wKL19nKE1pR8ZfH
Hi! Followed your recipe but couldn't find or compile myself for my DS415play (evansport platform). I get #error "WireGuard requires Linux >= 3.10" when building with sudo docker run --rm --privileged --env PACKAGE_ARCH=evansport --env DSM_VER=7.0 -v $(pwd)/artifacts:/result_spk synobuild
Hi Jesus, unfortunately it seems your DS415play has a kernel that is too old to run WireGuard. Runfalk has an issue specifically on your model that explains things a little further -> github.com/runfalk/synology-wireguard/issues/80. Sorry :(
I'm glad you liked the video!! I've added the WireGuard-geminilake-1.0.20210606.spk file to the Google Drive folder that I've been sharing - drive.google.com/drive/folders/1Ci-8oWZ_gW8tH3mv5wKL19nKE1pR8ZfH. Hopefully it works for you and let me know how things go.
Hi Update Freak, Thanks for the comment my video. I'm glad you liked it!! Regarding your SPK file request, I actually already compiled one for the Braswell Architecture that your DS716+ uses. You can find it here -> drive.google.com/drive/folders/1Ci-8oWZ_gW8tH3mv5wKL19nKE1pR8ZfH. Hope the SPK file works in your setup... Good luck!!
Thank you verry much voor this guide. I have troubles with compiling on a ds216+ with braswell arch, i receive the same error as in the video. Is there anyone here who has this spk?
Hi Harmen, Glad the guide was helpful. I just compiled a Braswell Arch spk file and uploaded it to Google Drive. Here is the link -> drive.google.com/drive/folders/1Ci-8oWZ_gW8tH3mv5wKL19nKE1pR8ZfH. Look for the file WireGuard-braswell-1.0.20210606.spk. I have no way to test it but hopefully the spk file works for you. Let me know how it works out.
Thanks for the comment. This should work on a DS720+ but you'll either need to install Virtual DSM7 and use the SPK file I provided for you to download (look in the description) or you will need to compile an SPK file for your DS720+ hardware. I'm also assuming you are running DSM7. Hope this helps and let me know if you have any further questions? This is definitely a challenging setup.
Great detail! The pace of the video is appreciated too. I was able to maintain understanding while you moved through each step. Thank you for your hard work!
Hi Marcus, You're welcome!! I'm glad you liked the video!!
@Digital Aloha Tech Tips , there is a mistake in the video description ("о" missing):
- written: PostDown = iptables -D FORWARD -i %i -j ACCEPT; iptables -D FORWARD -%i -j
- must be: PostDown = iptables -D FORWARD -i %i -j ACCEPT; iptables -D FORWARD -o %i -j
@mar1boro, Thanks for pointing out the mistake in the description! I've added the missing -o.
Thank you for the guide!
Hi yoghurt, You're welcome!!
Thank you for this! Initially I was having issues with the handshake and it ended up being because I was not setting the appropriate addresses on the interface and allowed ips on the peer in the Wireguard client running on my PC and iOS. Once I figured out what was I don't wrong there I was able to successfully make the handshake and browse the public internet while connected to the tunnel but I'm not able to get to my local LAN resources such as Synology DS. I know I'm missing something simple.
Hi Josh, You're welcome! Hopefully you figured out the problem you were having, but if not I'm just curious if you setup your client as a split tunnel or full tunnel? If split tunnel make sure that the AllowedIPs line matches the subnet of your LAN (the subnet that your Synology NAS is on). If you are using a full tunnel then it seems odd that you can get to the internet but not your local LAN. Are you using the IP address of your LAN resources or a local domain name to get to your LAN resources? If you are using a local domain name try the IP address to see if you can get to the resources that way. Hope this helps?
Can i use different port instead of your 51820 setup port ?
Hi _ImVanh_, You can definitely use another port number if you would like. There are well-known/reserved ports (0 to 1023) that you generally shouldn't use, but other than that I believe it is fine. Good luck with your setup!!
Thank you very much for your very handsome guide. But I have trouble with running a configuration with "Full tunnel" I am running a DS1819+ on DSM7. After setting up I can only reach the IP address of the DSM from my client. Other IPs of the local network are not reachable(e.g. router) as well as internet access is not working. Is there a routing or firewall problem which I have to set up manually?
Hi Johannes, Thanks for the comment on the video!
Regarding your problem of being able to connect to DSM, but not being able to access your router or internet, I would double check that you are using the correct interface in your wireguard config (wg0.conf). Run the command "netstat -rn" to display your active routing table, look at the Flags column with the line that has UG in it. On that line look the iFace (interface) and make sure this interface is what you use in your wg0.conf file. For example in the PostUp and PostDown lines you may need to adjust eth0 to something like ovs_eth0 or ovs_eth1.
Hope this helps and let me know how things turn out.
I am running it on my physical machine. My interface is ovs_bond0 - in wg0.conf the setup is with the correct interface in the PostUp/PostDown. All config / iptable rules look fine- any other ideas? I might try it on a virtual DSM.
Not really sure what else to suggest. I just tried setting up my DS920+ with link aggregation and everything worked fine using the ovs_bond0 interface. The firewall was disabled on my end, but even after I enabled it I had no issues. For reference below is what I have in my wg0.conf file... Good luck if you try it on Virtual DSM.
[Interface]
Address = 10.0.1.1/16
PrivateKey =
ListenPort = 51820
PostUp = iptables -A FORWARD -i %i -j ACCEPT; iptables -A FORWARD -o %i -j ACCEPT; iptables -t nat -A POSTROUTING -o ovs_bond0 -j MASQUERADE
PostDown = iptables -D FORWARD -i %i -j ACCEPT; iptables -D FORWARD -o %i -j ACOEPT; iptables -t nat -D POSTROUTING -o ovs_bond0 -j MASQUERADE
[Peer]
PublicKey =
AllowedIPs = 10.0.1.2/32
PersistentKeepalive=25
Did you ever figure this out? Running into the same issue..
@@alexs2340 I tried many times to repeat all the steps... Thinking I made a mistake. On the end, I guess I rebooted the meantime and out of ab sudden then it worked. Since then no troubles any more. After booting up the service starts automatically and even I confifured complete new interface (10GbE ) is still working.
@9:45
How do you "save changes"????
I'm TOTALLY stuck at this point...
@RetroMythologist I'm using the vi editor and used :wq in command mode to save the file and exit vi. Here is a cheat sheet for additional commands for vi -> www.thegeekdiary.com/basic-vi-commands-cheat-sheet/. Hope this helps?
Which one would you recommend - Wireguard or Tailscale
@sammywonks404 Good question!! If I go with what I use on a day to day basis then I would answer Tailscale. I like the availability it provides to the services I have setup at multiple locations. For a recommendation though I would ask how comfortable are you to allow a 3rd party service access to your local network? If you are comfortable with that then choose Tailscale. If not, setup Wireguard. Hope this helps?
@@digital_aloha Thanks that helps. Now onto figuring out how to migrate from Tailscale to Wireguard !!
@@sammywonks404 Just saw your comment. Hopefully all is working now.🤞
@@digital_aloha Thanks for following up. Wireguard didnt work for me - for some reason I couldnt get to connect to the internet after enabling it - both on my mac and mobile. So back to Tailscale 🙂
First of all thank you for the great instructions, although it took me 11 hour to configure it works, thanks to your clear instruction i managed it.
Could you tell me how to add extra peers for other users/devices. Or maybe show me how the config file would look like?
Hello, thank you very much for sharing. I followed all your steps but it didn't work for me on DSM 6.2, would I have to change something in wg0.conf to make it compatible with DSM 6?
Hi Juanma, I never did try it on DSM6, but I'd assume the wg0.conf file should be the same for both DSM6 and DSM7. Were you able to compile and install the SPK file? If you can give me further details on where you are having problems I'll see if I can point you in the right direction.
Thank you very much for your attention, I used the WireGuard-bromolow-1.0.20201221.spk file downloaded from runfalk github for my HP Proliant Gen8 with Intel Xeon E3-1265L-V2 CPU with DSM 6.2.3 installed and I followed your tutorial steps from "install and setup WireGuard on Virtual DSM7" but neither my mobile nor my laptop can connect and I have the 51820 port forwarded.
Hey, I followed your guide on my DSM7 920+ and it seems like it connects, and I can access the internet, but when I try to access things on my local network it says that the handshake is failing. I don’t know what I did wrong or how to fix this? Could you help, thanks!
Hi Hunter, I think I would want to make sure the WireGuard connection is up and running first and foremost. Run the command `sudo wg show wg0` from your Synology NAS and see what it tells you. Sometimes the client can be misleading if a connection has been established or not. Feel free to follow up here as you work through things. Good luck!!
@@digital_aloha I ended up just using wg-easy in docker, and it comes with a web interface and you don’t have to manage all the keys, but thanks for the response!
@@hunterw9451 Glad you found a solution that worked for you and thanks for letting me know what your solution was!! I'll have to try wg-easy in Docker as well (maybe a possible future video)!!
@@digital_aloha This would be great
@@kpyhere I actually did create a video covering what was mentioned in this comment thread -> ua-cam.com/video/Tf74tyE0YjQ/v-deo.html. Hopefully this works for you. Good luck!!
Did you try compiling as root user? sudo -i and you switch to root user in the shell.
Hi airwolf FPV, It's been a while since trying to compile the SPK file on a Synology NAS and can't remember if I tried it using sudo -i so I just tried it now and still no go.
Hey, I have a rather long question, so thank you in advance if you take the time to read it. I currently have an OpenVPN server on my NAS in order to access my data from outside my network (mainly on smartphones). Now I also want to setup the NAS as a VPN client for more safety (mainly for radarr/usenet downloads). I also already have an ExpressVPN license which I use on other devices. Since I can't use the same VPN protocol for both the server and client (afaik), what method would you recommend in my case?
- Keep OpenVPN for the server and use L2TP for the client.
- Use L2TP for the server and OpenVPN for the client.
- Keep OpenVPN for the server and use Wireguard.
- Another option?
Hi Tommy, Interesting setup and one that I've never tried so it may be an idea for a future video. Regarding my thoughts I would actually suggest using OpenVPN for the client because it is both secure and fast so hopefully you get quicker downloads. I'd then use either L2TP or WireGuard for the VPN server you run on your Synology NAS, although I think you could keep using OpenVPN if you don't have overlapping ports with the ExpressVPN client setup.
Would be curious to see where you end up in your setup. If you want to post a response here on what you did that would be great. Good luck!!
@@digital_aloha Thanks for your thoughts! I haven't played around and set something up yet, but I will let you know when I got a working solution.
@@ThomasS17 I've actually tried out a few things since I replied to you and I found that if your Synology NAS is a VPN client (I use Private Internet Access, I had an account) that none of the VPN servers that you run on your Synology NAS (L2TP/IPSec, OpenVPN and even WireGuard) will work when when connected as a VPN client. The only way I found to connect to the Synology NAS remotely while the NAS is connected as a VPN client is using Tailscale. Have a look at my TailScale video if you are interested -> ua-cam.com/video/x7SVbkHaEaA/v-deo.html. Good luck and thanks for sharing your setup. Inspiration for my next video which will be on setting up your Synology NAS as a VPN client :).
QuickConnect works as well if the Synology NAS is connected as a VPN client. Seems like all of these hole punching/cloud connectivity services work fine, but not the direct to your Synology NAS services like VPN servers.
@@digital_aloha Hey, thanks for your efforts and thorough replies! Too bad the NAS cannot be both a client and server. QuickConnect is not secure enough for me to run as a permanent external access solution. But it's not very often that someone needs access from outside our network anyways, so I think I'll leave the NAS as a client and change it to be a server when neccessary.
And also thanks for your new video! I learned something new again, did not know about the traceroute command.
Hi i can’t lauch wg0 on my actual ds920+ dsm 7.1
ard# sudo wg-quick up wg0
[#] ip link add wg0 type wireguard
[#] wg setconf wg0 /dev/fd/63
Line unrecognized: `Address=10.0.1.2/16'
Configuration parsing error
[#] ip link delete dev wg0
Can you help me with this problem ?
Thank you
Hi Doniyor, Could it be that your wg0.conf file isn't pointing to the correct ethernet interface? The command you ran and have in your comment/question looks correct to me. Hope this helps? And good luck!!
@@digital_aloha Thank you i forget add in first [interface]
@@abdullahonov You're welcome. I'm happy to hear you got things sorted out!
Thank you very much for the detailed and well done tutorial! If you take the time to read this comment to the end, thank you! I installed Wireguard successfully per this video on my DS716+2 but at the end realized I forgot to set up the port forwarding on the router (Fritzbox 6490 Upnp). So I watched your well done Port Forwarding video and could not communicate with the NAS. After many attempts I got the NAS Router configuration to get the Router to share ports and set up ports on the NAS (5000 TCP, 5001 TCP, 51820 UDP) and turned off the NAS firewall just for testing .. but still no connection with the NAS when I tried to log in from a laptop over wireless data. What did I miss? Thank you in advance for any thoughts.
Hi Vulcan Man, You're welcome and thank you for the compliment on the video!! From what you describe you've done everything properly so it is really hard to say where the issue is. What my hunch is is that WireGuard isn't running properly so I would just double check that portion of the setup. I'd also recommend that you try out the setup from this video -> ua-cam.com/video/Tf74tyE0YjQ/v-deo.html. The setup provides a graphical interface that makes it simpler to figure out if your WireGuard connection is working properly from the server/NAS end of things. Hope this helps and best of luck to you!!
@@digital_aloha Thank you for the help! I appreciate your time! Question: if the connection between the router and the NAS is ok, shouldn´t I be able to log in to DSM via my laptop with wireless data (i.e. not on my network)? I had tried that and it didn´t work so I figured there was something wrong with either the router. Again, I thank you in advance for any ideas.
@@vulcanman5039 You're welcome! Regarding your question, yeah you should be able to connect to DSM over wireless data with the setup you mentioned. In this case you may want to make sure that your router does a one-to-one mapping of ports (I see you mentioned upnp in your original comment). I've noticed in my limited experience with upnp routers (and not a Fritzbox) that the port mapping wasn't what I expected. For example the internal port 5000 wasn't mapped to the external port 5000, but some high port number that was randomly chosen from what I could tell. I'd also recommend turning of upnp on your router and do manual port forwarding mapping as well. Hope this helps? Let me know how things go.
@@digital_aloha Thank you for your hints. I went back and looked at the setup video and followed that. I got to the end of the process and there are some errors. If you can shed some light on this, it would be appreciated:
root@Server1:~# sudo cat /etc/wireguard/wg0.conf
[Interface]
Address = 10.0.1.1/16
PrivateKey = [private key]
ListenPort = 51820
PostUp = iptables -A FORWARD -i %i -j ACCEPT; iptables -A FORWARD -o %i -j ACCEPT; iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
PostDown = iptables -D FORWARD -i %i -j ACCEPT; iptables -D FORWARD -o -%i -j ACCEPT; iptables -t nat -D POSTROUTING -o eth0 -j MASQUERADE
[Peer]
PublicKey = [public key]
AllowedIPs = 10.0.1.2/32
root@Server1:~# sudo wg-quick up wg0
[#] ip link add wg0 type wireguard
[#] wg setconf wg0 /dev/fd/63
[#] ip -4 address add 10.0.1.1/16 dev wg0
[#] ip link set mtu 1420 up dev wg0
RTNETLINK answers: Address already in use
[#] ip link delete dev wg0
root@Server1:~# sudo wg show wg0
Unable to access interface: No such device
@@vulcanman5039 You're welcome! From the output of the "sudo wg-quick up wg0" command it looks like there was an issue (RTNETLINK answers: Address already in use). You might want to check if the IP address/network you are setting up for WireGuard is not conflicting with the IP address/network that your LAN is using. I found this issue from the runfalk/synology-wireguard GitHub project that had a similar error which may help you as well -> github.com/runfalk/synology-wireguard/issues/106. Hope this helps? Good luck to you!
Hey, thanks a lot for this tutorial, it's very helpful. I've configured wireguard on my DS920+ with DSM 7.0 but I'm struggling at the final steps.
On my wireguard app (the client), the client cannot handshake with the server and when I show the connections on the server, no one is connected.
On my client (running on windows), i've disabled my firewall. I've also opened the port 51820 on my router for UDP/TCP connections... I think I'm missing something simple. Do you have any idea?
Hi Thibaud, You're welcome on the video tutorial. Regarding your issue it does sound like you did everything right, but when you say you opened port 51820 on your router did you port forward it to your Synology NAS? I'm unclear if you did or didn't. Maybe that is the missing step? Hope this helps and good luck to you in setting things up.
@@digital_aloha Yes I forwarded it to my NAS... I also tried several times to reconfigure the whole configuration file but without success
@@digital_aloha I finally managed to find the issue.... It was the firewall of the NAS... Thanks anyway :)
@@thibaudbourgeois4406 Just wanted to make sure the forwarding was setup properly.
@@thibaudbourgeois4406 Glad you figured it out!! Hopefully WireGuard works well for you!!
Does the procedure works with DSM 7.1? Anyone tried upgrade with running Wireguard installation?
Hi Johannes, I haven't tried this with DSM 7.1 just yet, but will keep you posted when I do.
Update? my system say it need repair.
I just released an updated video about a week ago. Here is the link -> ua-cam.com/video/v0Z1m658Xe8/v-deo.html. In your case you probably want to uninstall the WireGuard package. Reboot your NAS. Then install the 7.2 version of WireGuard. After that you should be good to go.
the error tells you to run as root because your user lacks permissions. Can switch to root with sudo -i command and enter your password, you can run again as root and see if that resolves the error by giving the process unrestricted access.
Hi BEEFY JOE, Actually I did use sudo and it still didn't work. It may have changed since I created the video. Did you try it and, if so, did the compiling work for you on your Synology NAS?
@@digital_aloha I'm using Dan 6.2.3 and ds3617xs so this wasn't a problem, I grabbed the pre compiled package
Really good explanations but sadly I couldn't get it to work. Could you provide the current SPK file for Synology DS220+ on DSM 7 please? Thanks
Hi Rick, Glad the video was informative and too bad you couldn't get things working. See if the WireGuard-geminilake-1.0.20210606.spk works for your DS220+. I've uploaded the SPK file here -> drive.google.com/drive/folders/1Ci-8oWZ_gW8tH3mv5wKL19nKE1pR8ZfH. Good luck!!
@@digital_aloha Thank you so much!
Hi, as on the DS1513+ there is no support for VM, how can I run wireguard on this Nas with DSM 7 ? many thanks
Hi Patryk, Looks like your DS1513+ supports Docker and you could use an image like wg-easy (hub.docker.com/r/weejewel/wg-easy ) to set up WireGuard. I'll likely release a video on setting up wg-easy on a Synology NAS before the end of the month so if you haven't yet subscribed please do and you'll get notified when I release that video. In any case good luck in getting WireGuard setup on your NAS.
@@digital_aloha I will try, thank you. Tip is on the way !
@@digital_aloha the link provided is not working
Hi Patryk, It looks like the link added the closing parentheses character. I updated the link in the original comment, but here it is again. hub.docker.com/r/weejewel/wg-easy
Good luck to you!!
why install spk to virtual dsm7?but not real dsm7?
Hi yong, Good question!! Actually I decided to do the video using Virtual DSM7 because I was planning to share the SPK file with the viewers and I thought that I could reach a wider audience that way. There is no reason not to run WireGuard on the actually DSM7, but you just need to compile the SPK file for your specific Synology NAS platform. Good luck which ever way you decide to try to run WireGuard!!
2021-10-16 working on a DS716+
however.. only working to access the local network. need to get it working so VPN lets me through to the internet. Suggestions welcomed
Hi Rob, others have reported the issue to be DNS related if you can access your local network but nothing over the Internet. You can try to ping Google's DNS server (8.8.8.8) while you are on the WireGuard VPN to confirm you are having similar problems. If the ping works confirm access to your DNS server or change it to another DNS server that you do have access to. Hope this helps and please share what ultimately worked if you do resolve the issue. Good luck!!
Hello, I can only access my local network, no internet. however I can see request from clients on pihole. but no ping to internet.Forwarding is enabled. what is the problem?
Hi Andreas, See if adding "sleep 5; ip route add dev wg0" to the end of the PostUp line in your wg0.conf file helps (example in the link below). I read about that entry earlier (can't find the link) and it is also mentioned in an issue directly from the runfalk/synology-wireguard Github page where people are experiencing the same problem as you are (github.com/runfalk/synology-wireguard/issues/78). I haven't ran into your issue so I can't really say for sure what you should try. Good luck!!
@@digital_aloha Thank you for a replay, very appreciate your help. It didn't helm but I guess I found the problem. It was a DNS related to my pihole and it didn't work (no internet only local). If I'm changing DNS it works. The question is how to make friends Wireguard with pihole?)))
@@giss69 Glad you figured out that the issue was with pihole, but it is strange because my setup uses pihole as well and it works great for me. My pihole is running on a raspberry pi. Where is your friend's pihole running?
@@digital_aloha pihole and fireguard are running on a DS718.
DS718+ Everything looks to be OK up to the last part of the video. Sadly no internet connection. Don't understand what is wrong.
Hi Thom, sorry to hear that you are having problems with your DS718+. I actually have that exact same Synology NAS so I can work through troubleshooting with you. Couple of questions... 1) Are you setting WireGuard up on the hardware itself or through VirtualDSM7? 2) What DSM version are you using... 6.x or 7.0? Let me know and I'll try setting things up on my end.
Did you get this working on your 718+? I am trying to get it going too.
Hi James, I just tried it right now and it worked fine. Here is my wg0.conf file.
[Interface]
Address = 10.0.1.1/16
PrivateKey =
ListenPort = 51820
PostUp = iptables -A FORWARD -i %i -j ACCEPT; iptables -A FORWARD -o %i -j ACCEPT; iptables -t nat -A POSTROUTING -o ovs_eth0 -j MASQUERADE
PostDown = iptables -D FORWARD -i %i -j ACCEPT; iptables -D FORWARD -%i -j ACCEPT; iptables -t nat -D POSTROUTING -o ovs_eth0 -j MASQUERADE
[Peer]
PublicKey =
AllowedIPs = 10.0.1.2/32
Note that the interface I used was ovs_eth0 rather then eth0 as I had in the video.
For the client side configuration I set it up as a split tunnel and here is my config.
[Interface]
PrivateKey =
Address = 10.0.1.2/32
[Peer]
PublicKey =
AllowedIPs = 192.168.81.0/24 # this is my local subnet
Endpoint = :51820
One last thing is to make sure you have port forwarding setup on your router (I forgot to set this up on my end and had some head scratching for a few minutes before I realized I missed this step).
Hope this helps and good luck to you!!
@@digital_aloha Hello, could you share please a SPK file for 718+ please? Thank you!
Hi Andreas, Here is the SPK file I used for my 718+. Hopefully this works for you as well and let me know if you have any problems downloading the file.
drive.google.com/drive/folders/1Ci-8oWZ_gW8tH3mv5wKL19nKE1pR8ZfH
Hi! Followed your recipe but couldn't find or compile myself for my DS415play (evansport platform). I get #error "WireGuard requires Linux >= 3.10" when building with sudo docker run --rm --privileged --env PACKAGE_ARCH=evansport --env DSM_VER=7.0 -v $(pwd)/artifacts:/result_spk synobuild
Hi Jesus, unfortunately it seems your DS415play has a kernel that is too old to run WireGuard. Runfalk has an issue specifically on your model that explains things a little further -> github.com/runfalk/synology-wireguard/issues/80. Sorry :(
Hello, great video. I have your same nas ds920 +. Could I have the SPK file ready to use? Thank you very much
I'm glad you liked the video!! I've added the WireGuard-geminilake-1.0.20210606.spk file to the Google Drive folder that I've been sharing - drive.google.com/drive/folders/1Ci-8oWZ_gW8tH3mv5wKL19nKE1pR8ZfH. Hopefully it works for you and let me know how things go.
great video! Could you provide the current SPK file for Synology DS716+ please? Thanks
Hi Update Freak, Thanks for the comment my video. I'm glad you liked it!!
Regarding your SPK file request, I actually already compiled one for the Braswell Architecture that your DS716+ uses. You can find it here -> drive.google.com/drive/folders/1Ci-8oWZ_gW8tH3mv5wKL19nKE1pR8ZfH.
Hope the SPK file works in your setup... Good luck!!
@@digital_aloha THANKS a LOT! That makes this WAY WAY Easier.... you should add that link in the video description!
Thank you verry much voor this guide. I have troubles with compiling on a ds216+ with braswell arch, i receive the same error as in the video. Is there anyone here who has this spk?
Hi Harmen, Glad the guide was helpful. I just compiled a Braswell Arch spk file and uploaded it to Google Drive. Here is the link -> drive.google.com/drive/folders/1Ci-8oWZ_gW8tH3mv5wKL19nKE1pR8ZfH. Look for the file WireGuard-braswell-1.0.20210606.spk. I have no way to test it but hopefully the spk file works for you. Let me know how it works out.
@@digital_aloha Thanks for the file. I'm going to test it this week and let you know if it works.
Hi Harmen, You're welcome and good luck to you. I hope it works!!
@@digital_aloha Thanks a lot! it works fine.
@@harmenstoffers9143 You're welcome. I'm glad the spk file worked for you!!
First thanks is this work for dsm 720+
Thanks for the comment. This should work on a DS720+ but you'll either need to install Virtual DSM7 and use the SPK file I provided for you to download (look in the description) or you will need to compile an SPK file for your DS720+ hardware. I'm also assuming you are running DSM7. Hope this helps and let me know if you have any further questions? This is definitely a challenging setup.
@@digital_aloha Thank you for your replay and keep going in your videos
Thanks for the encouragement!! I'll definitely be pushing on with more videos.