How to Set up Tailscale on a Synology NAS

  • Post author: WunderTech
  • Post published: April 21, 2022
  • Post last modified: October 18, 2024
  • Post category: Synology

Today we are going to take a look at how to set up Tailscale on a Synology NAS. Tailscale is a zero-configuration VPN. What this means is that without port forwarding, you’re able to access ALL of the devices on your local network. Since Synology devices are almost always online, your Synology NAS is a great device to run Tailscale on.

The best part of Tailscale is that NO port forwarding is required, which means that you don’t have to be a network expert to implement this, and if you’re behind something like a CGNAT, Tailscale will still work.

Tailscale uses the WireGuard protocol, so if you want WireGuard on your Synology NAS, this is the only current option that you have, though it’s not “true” WireGuard.

1. How to Set Up Tailscale on a Synology NAS

1. On your Synology NAS, open the Package Center, search for Tailscale, then install the package.


2. When it’s done installing, select Open and a new page will open asking you to log in. Log In (or create an account if you don’t have one).


3. After you log in, you can go back to your Synology NAS and open the Tailscale application. You will see that your NAS was assigned an IP address. Move on to the next step to learn what you can do when connected to Tailscale.


2. Connecting to Devices using Tailscale

In the last step, we set up our Synology NAS and it was automatically assigned an IP address. Use a different device (a mobile device is great) and download the Tailscale app. Sign in using the same account you initially signed into, and you’ll see your device listed.

Connect to the Tailscale VPN and use the IP address listed (with the DSM port) to automatically connect to your NAS. You should be brought to the DSM login page. Please keep in mind that if you aren’t connected to the Tailscale VPN, you will not be able to get to the Tailscale IP address for your NAS. 

http(s)://TAILSCALE_NAS_IP:[DSM_PORT]

3. Connecting to Other Devices on your Local Network

While using the process above is great for connecting to the NAS only, you can actually use your NAS to connect to the other devices on your local network. To set this up, you’ll need to SSH into your Synology NAS as it’s the only way to advertise a route as of the writing of this article.

1. SSH into your Synology NAS.

2. Run the command below, substituting your internal IP subnet where the 192.168.1.0/24 is listed below. To be clear, you should only be changing the 192.168.1 portion so that you’re able to connect to all devices on your local network.

sudo tailscale up --advertise-routes 192.168.1.0/24 --advertise-exit-node --reset

4. After you run the command above, log in to the Tailscale admin portal. Under Machines, you should see the two machines that you set up (DSM and your mobile device).

5. Under DSM, you’ll see that the subnet we defined is set, but we need to confirm that we actually want to use it here. Under the three dots next to our DSM instance, select Edit Route Settings.


6. Enable both options (subnet routes and exit node). After you enable both options, you’ll be able to connect to devices on your local network by their local IP address. At this point, you should be able to connect to DSM using the local IP address that you normally use at home.
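
The substitution in step 2, worked through as an added example (not part of the original tutorial and not Tailscale's own tooling): these helpers derive the network address from the NAS's LAN IP and prefix length, so they also cover networks that are not /24, and they refuse to build the command for a range outside RFC 1918 private space. The function names and sample address are assumptions made for illustration; only the flags shown in step 2 are used.

```shell
#!/bin/sh
# Added example: build the step 2 command from the NAS's LAN address.
# Function names and the sample address are illustrative, not Tailscale's.

# ip_to_int A.B.C.D -> 32-bit integer; fails on malformed dotted quads.
ip_to_int() (
  case "$1" in *[!0-9.]*|*..*|.*|*.) exit 1 ;; esac
  IFS=.
  set -- $1
  [ "$#" -eq 4 ] || exit 1
  n=0
  for o in "$@"; do
    # Reject over-long or zero-padded octets (010 would be parsed as octal).
    case "$o" in ????*|0?*) exit 1 ;; esac
    [ "$o" -le 255 ] || exit 1
    n=$(( n * 256 + o ))
  done
  echo "$n"
)

# int_to_ip N -> dotted quad.
int_to_ip() {
  echo "$(( ($1 >> 24) & 255 )).$(( ($1 >> 16) & 255 )).$(( ($1 >> 8) & 255 )).$(( $1 & 255 ))"
}

# is_private NET_INT PREFIX -> succeeds only if the network lies entirely
# inside 10.0.0.0/8, 172.16.0.0/12 or 192.168.0.0/16.
is_private() {
  [ "$2" -ge 8 ]  && [ $(( $1 >> 24 )) -eq 10 ]    && return 0
  [ "$2" -ge 12 ] && [ $(( $1 >> 20 )) -eq 2753 ]  && return 0
  [ "$2" -ge 16 ] && [ $(( $1 >> 16 )) -eq 49320 ] && return 0
  return 1
}

# lan_route IP PREFIX -> prints NETWORK/PREFIX for the subnet containing IP.
lan_route() (
  ip=$(ip_to_int "$1") || exit 1
  case "$2" in ''|*[!0-9]*|???*|0?*) exit 1 ;; esac
  [ "$2" -ge 8 ] && [ "$2" -le 32 ] || exit 1
  mask=$(( (4294967295 << (32 - $2)) & 4294967295 ))
  net=$(( ip & mask ))
  is_private "$net" "$2" || exit 1
  echo "$(int_to_ip "$net")/$2"
)

# advertise_cmd IP PREFIX [exit] -> prints the step 2 command for this LAN.
# Pass "exit" as the third argument only if the NAS should also be offered
# as an exit node; subnet routing alone does not need it.
advertise_cmd() (
  route=$(lan_route "$1" "$2") || {
    echo "refusing: $1/$2 is not a valid private LAN range" >&2
    exit 1
  }
  cmd="sudo tailscale up --advertise-routes $route"
  if [ "${3:-}" = exit ]; then cmd="$cmd --advertise-exit-node"; fi
  echo "$cmd --reset"
)

# Constructed sample: a NAS at 192.168.1.50 on a /24 network.
advertise_cmd 192.168.1.50 24 exit
```

The script only prints the command; run the printed line over SSH on the NAS, then approve the route in the admin portal as described in steps 4 to 6.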


4. Exit Node

Using your NAS as a Tailscale exit node makes Tailscale a full-tunnel VPN. The image below contrasts full-tunnel and split-tunnel VPNs, but the important takeaway is that ALL of your traffic will be routed through Tailscale. Therefore, if you’re on public Wi-Fi, it’s probably a good idea to use this feature, as you’re tunneling all traffic.

Image: split-tunnel vs. full-tunnel VPN. Full-tunnel routes all traffic through the VPN, while split-tunnel only routes local traffic.

On whatever application you’re using, select Use Exit Node and change the exit node to be your Synology NAS. If you do not want to use the exit node, select None, but ensure that Allow LAN Access is enabled so that you’re able to connect to your local devices.

5. Enabling Outbound Connections

By default, devices can access a Synology NAS running Tailscale, but the Synology NAS will not be able to access devices on Tailscale due to the permission structure in DSM 7. For this reason, we have to set up a startup script that runs every time DSM is rebooted. This is directly in the Tailscale documentation and the code exists there if you’d like to audit exactly what is happening when this script runs.

1. Open the Control Panel, select Task Scheduler, then create a new User-defined Script Triggered Task.


2. Set the task to run as the root user and give it a name.


3. In the Task Settings, paste in this command, save, then reboot the Synology NAS. The script will run and outbound connections will work properly.

/var/packages/Tailscale/target/bin/tailscale configure-host; synosystemctl restart pkgctl-Tailscale.service

6. Conclusion & Final Thoughts: Should You Use Tailscale?

This tutorial looked at how to set up Tailscale on a Synology NAS. Even if you have a VPN working, the simplicity of Tailscale is truly remarkable. Out of all the VPN solutions I’ve tried, it took me less than 10 minutes to set up a fully functional split-tunnel and full-tunnel VPN that allows me to connect to my local network quickly and easily. The performance has been solid, and it works as designed.

Thanks so much for checking out the tutorial on how to set up Tailscale on a Synology NAS. If you have any questions, feel free to leave them in the comments!

WunderTech

WunderTech is a website that provides tutorials and guides on various NAS, server, networking, and infrastructure-related topics. WunderTech is maintained by Frank Joseph, an IT professional with 14+ years of experience in corporate IT and application management. He focuses on sharing his experience with others on his WunderTech website and YouTube page. Frank holds a Bachelor of Science in Computer Information Systems and a Master of Business Administration (MBA).

This Post Has 29 Comments

  1. Kaldeep

    It was me using my daughter’s/wife’s phone… ;) from memory I did try using local and Tailscale NAS IP… (will try again as I’m doubting myself now)

    So I have setup a tailscale profile for the user but the issue is the address I should use in the Android app…

    If the Tailscale solution doesn’t work for remote access on a shared user’s Android apps… the only viable option for my scenario is QuickConnect which I’m trying to transition away from if poss…

    Once again thanks for sharing your knowledge and experience… Great work…

    Well deserved coffee break I believe … enjoy 😉

    1. WunderTech

      Thank you so much! That was very kind of you – I truly appreciate your generosity.

      From reading Tailscale’s documentation, the Tailscale IP address is the only IP that will work. This is probably not the best solution in that case, as locally, the applications will stop working (you’d have to be connected to Tailscale every time you’d like to use the app).

      I’m afraid if port forwarding isn’t an option, that QuickConnect is probably the “best” option other than this. The other solution that I can think of is to pay $5/month for the Tailscale “Team” membership, so that they would be able to use the local IP address as well. I admit that $60/year for this functionality is probably not ideal, but it is technically an option.

      If I can help at all, please let me know!

  2. Kaldeep

    Great info and questions both..

    After reading a comment on your YouTube video and following all of the steps I did manage to get the Android Apps to work remotely whilst connected to Tailscale but using local IP addresses… absolutely brilliant…

    The only downside I see with this over Quickconnect is that only me as the primary user can use Tailscale to access Android apps remotely.

    I did try to share my NAS (as a machine) with other users in my family. While they can use this mechanism to log into DSM via a browser … I could not get the Android app on a family member’s phone to log in using either local or Tailscale IP addresses…

    Is this possible to do, or is it not an option using Tailscale currently?

    Note: I cannot set up Open VPN due to some issues with port forwarding/DDNS on my router/mesh router

    1. WunderTech

      This is a problem with VPNs in general unfortunately. They work great if you want to connect to them, but as soon as you start needing other people to connect, they either need a VPN profile or it’s not a legitimate solution. I haven’t actually tried the “share” feature for Tailscale, but it depends how they are accessing the apps? I imagine that they won’t be able to use the local IP, but did they try with the Tailscale NAS IP?

  3. John

    And a separate question:

    Is there a way to set up the Synology Drive Client on my PC to work outside of my local network (via Tailscale)?
    If I try and create a new connection with the Tailscale IP it states that this NAS is already set up and to use the current connection (but of course that is connected via the local IP).

    I can of course connect to Drive via the web browser (either directly or via the DSM) but curious if it can be set up on the desktop?

    I am at a loss with troubleshooting this one – any advice would be greatly appreciated.

    1. WunderTech

      Yes, you should be able to get it to work using the local IP address as well (but you’ll have to set up Tailscale that way, which was mentioned in my last comment). Let me know if you have any trouble with it!

      1. John

        And can also confirm that the Drive Client also works with the subnet/exit node settings activated.
        Thanks again!

        1. WunderTech

          Awesome! Thanks for confirming!

          1. John

            OK final follow up question (I promise)…

            I understand the principal concept of using the NAS as an Exit Node – I route all internet traffic via Tailscale (via the NAS) when activated. But where does that functionality fit into this subnet situation?

            I don’t really require to use the NAS as an Exit Node and when I remove it from the SSH command (therefore the NAS doesn’t request it) it seems to not make any difference to the subnet set-up.

            Am I missing something obvious (or not obvious for that matter)?

          2. WunderTech

            The full-tunnel VPN (exit node) is really only needed to “secure” your traffic from an untrusted network. This simply creates a secure tunnel between your device and the Synology NAS and routes all traffic through it. As far as if it’s “needed”, it really depends on how often you’re on untrusted Wi-Fi. With that said, it does have a permission issue when connecting to the Synology NAS applications (thanks to the comment from Don), so you’ll have to do some additional setup to get that working. As for the IP addresses, it doesn’t matter if you use the Tailscale IP or local IP of your NAS – they should function the same.

  4. Kaldeep

    Hey Frank.

    Great tutorial (as always)..

    I’m presuming that using Tailscale (with QuickConnect disconnected) I wouldn’t be able to connect to Android apps for Drive and Photos when away from home? I have tried to do this and it didn’t work..

    Is there a way to set this up so I can use Android apps?

    I did read on the tailscale website:
    “Other Synology apps cannot make outgoing connections to your other Tailscale nodes yet. Only incoming connections work right now.”

    But wasn’t sure whether this was a reference to the Android apps

    Any info would be greatly appreciated

    1. WunderTech

      Thanks so much! You should be able to, but you won’t be able to use the QuickConnect URL. The best thing you can do is connect to the Android apps using the local IP address of the Synology NAS, then from the mobile network, connect to Tailscale and see if you can access the applications. When you utilize Tailscale, you are in essence using all of the devices as if you were sitting at home, so the local IP address is what should be used.

      As for the TUN network – I didn’t need to enable TUN when I was using the local IP address of my NAS. Everything (read/write) worked properly, but I admit that I only tested with the local IP address.

      1. John

        First of all, thank you for an amazingly useful and user friendly website!
        Second… I am a bit confused by your response to Kaldeep; I can connect with my Android Synology apps outside of my local network via Tailscale but only if I log in to them using the Tailscale IP (which to me makes sense), but if I understand your reply correctly you believe we should be able to connect with the “local” (home) IP address via Tailscale outside of our local network.
        I don’t see how that works (and in practice I can’t get it to work that way).
        Maybe I am misunderstanding your reply.
        Thanks again for your awesome work!

        1. WunderTech

          Thank you! Yes, you can use the local IP address if you configure it that way. This link explains it in the written post, however, it might be a good idea to watch the YouTube video (at the top of the page) as it’s displayed there so you can see how it works. https://www.wundertech.net/how-to-set-up-tailscale-on-a-synology-nas/#3_Connecting_to_Other_Devices_on_your_Local_Network

          Following these instructions will allow you to use the local IP address of your NAS (as well as other devices on your local network) which should bypass any of the issues that the other people were running into.

          1. John

            Amazing, works like a charm! Thank you ever so much,
            With this set up I can confirm that I can connect to my NAS via all the android apps with Tailscale and using my local network address.
            The only app that gave a little trouble was Photos – it didn’t want to back up. But signing out, reconnecting on the LAN then switching to test on Tailscale seems to have done the trick.
            One follow up question – with this set up I can now connect to my DSM outside of my network (via Tailscale) using the NAS’s local network address, is there any disadvantage doing so rather than directly using the designated Tailscale IP address?

          2. WunderTech

            Great! Nope, no disadvantages! Actually, it’s probably better because it allows you to utilize all the apps rather than managing two sets of IP addresses for your systems. It does require an additional step (which I guess can be viewed as a downside), but fortunately, it’s not too bad.

  5. Don

    Yes, I’ve been able to ssh into my NAS (thanks to your excellent short video!) however I am unable to “ssh [my synology user]@[tailscale ip]”. This is required to enable TUN to allow outbound connection

    1. WunderTech

      Got it – I’m sorry, I misunderstood the question. I am not entirely sure why that doesn’t work, but have you tried using the local IP address instead? The commands don’t look like they need to use the Tailscale IP (especially since the Tailscale IP is supposed to just forward to the Synology).

      One other thing to keep in mind is that if you use the local IP of the Synology, I don’t think you need to enable TUN. Everything worked for me (reading/writing) to and from my NAS using the local IP.

      1. Don

        Thanks again for your quick response. Everything works (reading/writing) to and from my NAS using the local IP when using the Split Tunnel mode. When outside my LAN, the Split Tunnel mode also allows reading/writing to my NAS using my local IP. Your video was extremely helpful. It is when I enable Exit Node I can no longer access my browser or NAS. Split Tunnel with local IP is perfect from any location, Exit Node is not operational. Far from a deal breaker as it is preferable over QuickConnect for my needs. It would be an added plus if Exit Node performed as a full tunnel VPN for browser access from public wifi.
        Your videos enabled an easier transition to a 5g Gateway that does not allow port forwarding!

        1. WunderTech

          I see what you’re saying, I’m sorry for misunderstanding! I just tested it and you’re absolutely right, with a full-tunnel VPN, it doesn’t work. I will test this out further (as well as Tailscale’s solution) and update the article as soon as I can! Thank you for explaining it!

  6. Don

    To clarify, I am attempting to run ssh @

  7. Don

    Excellent solution! Recently changed ISP to T-Mobile with 5g Gateway that does not allow port forwarding (OpenVPN no longer an option). I can now once again access my NAS remotely, however only in Split Tunnel mode. The Tailscale website details enabling TUN on the Synology but I am unable to ssh @ into my NAS from Linux. Any thoughts would be appreciated.

    1. WunderTech

      Thanks! Do you have SSH enabled in the Control Panel? The command should be “ssh [username]@[NAS_IP]”.

  8. John

    Hi Frank,

    I want to set this up but once installed it brings me to a login page, and when I try logging in I get an error message.

    bad tailscale-authstate2 cookie: http: named cookie not present

    I have gone to their homepage to see if I need to set up an account but the only option is to try it, which brings me back to the login.

    Any thoughts?

    JD

    1. WunderTech

      Hello! You definitely need to set up an account, so that will stop you in your tracks if you can’t log in. To bypass any potential browser issues, you can try in a private (incognito) window? You can log in to DSM, then try and log in to Tailscale from there.

  9. Jason

    Hello! Do you recommend this setup or the OpenVPN setup?

    1. WunderTech

      From a purely “ease of use” standpoint, Tailscale is superior. With that said, it’s not a “traditional” VPN, meaning you are relying on Tailscale to maintain their service in order for you to connect to your local network. If you hosted your own VPN, as long as that VPN server is online, you’ll always be able to connect to it and there’s no third-party that you need to worry about. You’re also relying on them for their security practices, etc, where you would control everything by running your own.

      I use my own VPN server (I run both WireGuard and OpenVPN) and that will not change. However, I was INCREDIBLY impressed that you could have a fully functional VPN in a few minutes, and the performance was incredibly similar to my self-hosted VPNs (couldn’t really notice a difference).

      I apologize for the long-winded response, but ultimately, I think that it depends. From my perspective, self-hosted VPN solutions are superior since you’re managing everything, but if you don’t want to port forward, you’re afraid of managing the security, or if you want something that just “works” with a very quick setup, Tailscale is awesome!

  10. paul

    Great stuff, as always. With the split tunnel VPN will all DNS resolutions go to my local network server? It would be a great advantage to have Pi-hole always on for my devices by staying connected to a home VPN. Also, with QuickConnect and Tailscale there isn’t a pre-shared key like if you set up your own home VPN with port forwarding. Doesn’t this mean that if there is a security flaw on Tailscale’s end or someone gets access to your Tailscale account they can get into your home network? Does using an HTTPS cert for your Synology still help in this situation to prevent a man in the middle attack?

    1. WunderTech

      Thanks! No, split-tunnel will only route internal IP addresses to local servers, so external traffic will automatically be routed to the destination through the network you’re currently connected to. I haven’t tested it, but you should be able to set your DNS server as the local IP address of that Pi-hole server to get DNS resolution to work that way. With that said, you’d have to test performance to ensure it’s acceptable.

      I’m not exactly sure what you mean by “pre-shared key”, but Tailscale isn’t a traditional VPN, so you’re not actually setting up keys/certificates as you would with WireGuard or OpenVPN. You are correct that someone getting access to your Tailscale account would be bad, so it’s a good idea to ensure that two-factor authentication is enabled. As for your final question, I’m not exactly sure what you mean, but HTTPS will ensure that the traffic is encrypted.
