Today we are going to take a look at how to set up Tailscale on a Synology NAS.
Tailscale is a zero configuration VPN. What this means is that without port forwarding, you’re able to access ALL of the devices on your local network. Since Synology devices are almost always online, your Synology NAS is a great device to run Tailscale on. The best part of Tailscale is that NO port forwarding is required, which means that you don’t have to be a network expert to implement this, and if you’re behind something like a CGNAT, Tailscale will still work.
Tailscale uses the WireGuard protocol, so if you want WireGuard on your Synology NAS, this is the only current option that you have, though it’s not “true” WireGuard.
1. How to Set Up Tailscale on a Synology NAS
1. On your Synology NAS, open the Package Center and search for Tailscale, then install the package.
2. When it’s done installing, select Open and a new page will open asking you to log in. Log In (or create an account if you don’t have one).
3. After you log in, you can go back to your Synology NAS and open the Tailscale application. You will see that your NAS was assigned an IP address. Move on to the next step to learn what you can do when connected to Tailscale.
2. Connecting to Devices using Tailscale
In the last step, we set up our Synology NAS and it was automatically assigned an IP address. Use a different device (a mobile device is great) and download the Tailscale app. Sign in using the same account you initially signed into, and you’ll see your device listed.
Connect to the Tailscale VPN and use the IP address listed (with the DSM port) to automatically connect to your NAS. You should be brought to the DSM login page. Please keep in mind that if you aren’t connected to the Tailscale VPN, you will not be able to get to the Tailscale IP address for your NAS.
3. Connecting to Other Devices on your Local Network
While using the process above is great for connecting to the NAS only, you can actually use your NAS to connect to the other devices on your local network. To set this up, you’ll need to SSH into your Synology NAS as it’s the only way to advertise a route as of the writing of this article.
1. SSH into your Synology NAS.
2. Run the command below, substituting your internal IP subnet where the 192.168.1.0/24 is listed below. To be clear, you should only be changing the 192.168.1 portion so that you’re able to connect to all devices on your local network.
sudo tailscale up --advertise-routes 192.168.1.0/24 --advertise-exit-node --reset
4. After you run the command above, log in to the Tailscale admin portal. Under Machines, you should see the two machines that you set up (DSM and your mobile device).
5. Under DSM, you’ll see that the subnet we defined is set, but we need to confirm that we actually want to use it here. Under the three dots next to our DSM instance, select Edit Route Settings.
6. Enable both options (subnet routes and exit node). After you enable both options, you’ll be able to connect to devices on your local network by their local IP address. At this point, you should be able to connect to DSM using the local IP address that you normally use at home.
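The route advertised in step 2 makes that whole subnet reachable from your Tailscale devices, so it is worth checking the value before running the command. The script below is an added example (not part of the original tutorial): it derives the /24 from the NAS's LAN IP, refuses anything outside the RFC 1918 private ranges, and only prints the command; the function names and the sample address are assumptions.

```sh
#!/bin/sh
# Added example, not from the original article. Assumes a /24 home LAN,
# as the article's command does. Function names are hypothetical.

# is_octet N: succeeds when N is a decimal integer 0..255 without leading zeros.
is_octet() {
    case "$1" in
        ''|*[!0-9]*|0?*|????*) return 1 ;;
    esac
    [ "$1" -le 255 ]
}

# lan_route IP: prints the /24 network that contains IP, but only when IP is
# in an RFC 1918 private range (10/8, 172.16/12, 192.168/16).
lan_route() {
    case "$1" in
        ''|*[!0-9.]*|.*|*.|*..*) return 1 ;;
    esac
    old_ifs=$IFS
    IFS=.
    set -- $1            # split the dotted quad into $1..$4
    IFS=$old_ifs
    [ "$#" -eq 4 ] || return 1
    for octet in "$@"; do
        is_octet "$octet" || return 1
    done
    if [ "$1" -eq 10 ]; then :
    elif [ "$1" -eq 172 ] && [ "$2" -ge 16 ] && [ "$2" -le 31 ]; then :
    elif [ "$1" -eq 192 ] && [ "$2" -eq 168 ]; then :
    else return 1
    fi
    printf '%s.%s.%s.0/24\n' "$1" "$2" "$3"
}

# advertise_cmd IP: prints (does not run) the command from step 2.
advertise_cmd() {
    route=$(lan_route "$1") || {
        echo "refusing: $1 is not a private LAN address" >&2
        return 1
    }
    printf 'sudo tailscale up --advertise-routes %s --advertise-exit-node --reset\n' "$route"
}

# 192.168.1.20 is a constructed sample address; pass the NAS's LAN IP instead.
advertise_cmd "${1:-192.168.1.20}"
```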
4. Exit Node – How to Set Up Tailscale on a Synology NAS
Using Tailscale as an exit node means using it as a full-tunnel VPN. Unlike a split-tunnel VPN, which only sends traffic for your home network through the tunnel, a full-tunnel VPN routes ALL of your traffic through Tailscale. Therefore, if you’re on public Wi-Fi, it’s probably a good idea to use this feature as you’re tunneling all traffic.
On whatever application you’re using, select Use Exit Node and change the exit node to be your Synology NAS. If you do not want to use the exit node, select None, but ensure that Allow LAN Access is enabled so that you’re able to connect to your local devices.
5. Tailscale VPN vs. Synology QuickConnect
I am not going to go into a long-winded explanation on why I think that Tailscale is better than QuickConnect, but from a pure usability standpoint, Tailscale offers far more functionality. If you’re interested in just connecting to something like Synology Drive from outside of your local network, QuickConnect is great.
However, as soon as you set up something like Plex Media Server and try and access it from outside of your local network, you’ll see that the scope in which QuickConnect works is extremely minimal.
With this said, if you’re in a circumstance where you need multiple people to connect to your NAS, QuickConnect is still a great option as the “free” tier of Tailscale only supports one account connecting.
6. Conclusion – How to Set Up Tailscale on a Synology NAS
This tutorial looked at how to set up Tailscale on a Synology NAS. Even if you have a VPN working, the simplicity of Tailscale is truly remarkable. Out of all the VPN solutions I’ve tried, it took me less than 10 minutes to set up a fully functional split-tunnel and full-tunnel VPN that allows me to connect to my local network quickly and easily. The performance has been solid, and it works as designed.
Thanks so much for checking out the tutorial on how to set up Tailscale on a Synology NAS. If you have any questions, feel free to leave them in the comments!
This Post Has 29 Comments
Great stuff, as always. With the split tunnel VPN will all DNS resolutions go to my local network server? It would be a great advantage to have Pi-hole always on for my devices by staying connected to a home VPN. Also, with QuickConnect and Tailscale there isn’t a pre-shared key like if you set up your own home VPN with port forwarding. Doesn’t this mean that if there is a security flaw on Tailscale’s end or someone gets access to your Tailscale account they can get into your home network? Does using an HTTPS cert for your Synology still help in this situation to prevent a man-in-the-middle attack?
Thanks! No, split-tunnel will only route internal IP addresses to local servers, so external traffic will automatically be routed to the destination through the network you’re currently connected to. I haven’t tested it, but you should be able to set your DNS server as the local IP address of that Pi-hole server to get DNS resolution to work that way. With that said, you’d have to test performance to ensure it’s acceptable.
I’m not exactly sure what you mean by “pre-shared key”, but Tailscale isn’t a traditional VPN, so you’re not actually setting up keys/certificates as you would with WireGuard or OpenVPN. You are correct that someone getting access to your Tailscale account would be bad, so it’s a good idea to ensure that two-factor authentication is enabled. As for your final question, I’m not exactly sure what you mean, but HTTPS will ensure that the traffic is encrypted.
Hello! Do you recommend this setup or the OpenVPN setup?
From a purely “ease of use” standpoint, Tailscale is superior. With that said, it’s not a “traditional” VPN, meaning you are relying on Tailscale to maintain their service in order for you to connect to your local network. If you hosted your own VPN, as long as that VPN server is online, you’ll always be able to connect to it and there’s no third-party that you need to worry about. You’re also relying on them for their security practices, etc, where you would control everything by running your own.
I use my own VPN server (I run both WireGuard and OpenVPN) and that will not change. However, I was INCREDIBLY impressed that you could have a fully functional VPN in a few minutes, and the performance was incredibly similar to my self-hosted VPNs (couldn’t really notice a difference).
I apologize for the long-winded response, but ultimately, I think that it depends. From my perspective, self-hosted VPN solutions are superior since you’re managing everything, but if you don’t want to port forward, you’re afraid of managing the security, or if you want something that just “works” with a very quick setup, Tailscale is awesome!
I want to set this up but once installed it brings me to a login page, and when I try logging in I get an error message.
bad tailscale-authstate2 cookie: http: named cookie not present
I have gone to their homepage to see if I need to set up an account but the only option is to try it, which brings me back to the login.
Hello! You definitely need to set up an account, so that will stop you in your tracks if you can’t log in. To bypass any potential browser issues, you can try in a private (incognito) window. You can log in to DSM, then try and log in to Tailscale from there.
Excellent solution! Recently changed ISP to T-Mobile with 5g Gateway that does not allow port forwarding (OpenVPN no longer an option). I can now once again access my NAS remotely, however only in Split Tunnel mode. The Tailscale website details enabling TUN on the Synology but I am unable to ssh @ into my NAS from Linux. Any thoughts would be appreciated.
Thanks! Do you have SSH enabled in the Control Panel? The command should be “ssh [username]@[NAS_IP]”.
To clarify, I am attempting to run ssh @
Yes, I’ve been able to ssh into my NAS (thanks to your excellent short video!) however I am unable to “ssh [my synology user]@[tailscale ip]”. This is required to enable TUN to allow outbound connection
Got it – I’m sorry, I misunderstood the question. I am not entirely sure why that doesn’t work, but have you tried using the local IP address instead? The commands don’t look like they need to use the Tailscale IP (especially since the Tailscale IP is supposed to just forward to the Synology).
One other thing to keep in mind is that if you use the local IP of the Synology, I don’t think you need to enable TUN. Everything worked for me (reading/writing) to and from my NAS using the local IP.
Thanks again for your quick response. Everything works (reading/writing) to and from my NAS using the local IP when using the Split Tunnel mode. When outside my LAN, the Split Tunnel mode also allows reading/writing to my NAS using my local IP. Your video was extremely helpful. It is when I enable Exit Node I can no longer access my browser or NAS. Split Tunnel with local IP is perfect from any location, Exit Node is not operational. Far from a deal breaker as it is preferable over QuickConnect for my needs. It would be an added plus if Exit Node performed as a full tunnel VPN for browser access from public wifi.
Your videos enabled an easier transition to a 5g Gateway that does not allow port forwarding!
I see what you’re saying, I’m sorry for misunderstanding! I just tested it and you’re absolutely right, with a full-tunnel VPN, it doesn’t work. I will test this out further (as well as Tailscale’s solution) and update the article as soon as I can! Thank you for explaining it!
Great tutorial (as always)..
I’m presuming that using Tailscale (with QuickConnect disconnected) I wouldn’t be able to connect to Android apps for Drive and Photos when away from home? I have tried to do this and it didn’t work.
Is there a way to set this up so I can use Android apps?
I did read on the tailscale website:
“Other Synology apps cannot make outgoing connections to your other Tailscale nodes yet. Only incoming connections work right now.”
But wasn’t sure whether this was a reference to the Android apps
Any info would be greatly appreciated
Thanks so much! You should be able to, but you won’t be able to use the QuickConnect URL. The best thing you can do is connect to the Android apps using the local IP address of the Synology NAS, then from the mobile network, connect to Tailscale and see if you can access the applications. When you utilize Tailscale, you are in essence using all of the devices as if you were sitting at home, so the local IP address is what should be used.
As for the TUN network – I didn’t need to enable TUN when I was using the local IP address of my NAS. Everything (read/write) worked properly, but I admit that I only tested with the local IP address.
First of all, thank you for an amazingly useful and user friendly website!
Second… I am a bit confused by your response to Kaldeep; I can connect with my Android Synology apps outside of my local network via Tailscale but only if I log in to them using the Tailscale IP (which to me makes sense), but if I understand your reply correctly you believe we should be able to connect with the “local” (home) IP address via Tailscale outside of our local network.
I don’t see how that works (and in practice I can’t get it to work that way).
Maybe I am misunderstanding your reply.
Thanks again for your awesome work!
Thank you! Yes, you can use the local IP address if you configure it that way. This link explains it in the written post, however, it might be a good idea to watch the YouTube video (at the top of the page) as it’s displayed there so you can see how it works. https://www.wundertech.net/how-to-set-up-tailscale-on-a-synology-nas/#3_Connecting_to_Other_Devices_on_your_Local_Network
Following these instructions will allow you to use the local IP address of your NAS (as well as other devices on your local network) which should bypass any of the issues that the other people were running into.
Amazing, works like a charm! Thank you ever so much,
With this set up I can confirm that I can connect to my NAS via all the android apps with Tailscale and using my local network address.
The only app that gave a little trouble was Photos – it didn’t want to back up. But signing out, reconnecting on the LAN then switching to test on Tailscale seems to have done the trick.
One follow up question – with this set up I can now connect to my DSM outside of my network (via Tailscale) using the NAS’s local network address, is there any disadvantage doing so rather than directly using the designated Tailscale IP address?
Great! Nope, no disadvantages! Actually, it’s probably better because it allows you to utilize all the apps rather than managing two sets of IP addresses for your systems. It does require an additional step (which I guess can be viewed as a downside), but fortunately, it’s not too bad.
And a separate question:
Is there a way to set up the Synology Drive Client on my PC to work outside of my local network (via Tailscale)?
If I try and create a new connection with the Tailscale IP it states that this NAS is already set up and to use the current connection (but of course that is connected via the local IP).
I can of course connect to Drive via the web browser (either directly or via the DSM) but curious if it can be set up on the desktop?
I am at a loss with troubleshooting this one – any advice would be greatly appreciated.
Yes, you should be able to get it to work using the local IP address as well (but you’ll have to set up Tailscale that way, which was mentioned in my last comment). Let me know if you have any trouble with it!
And can also confirm that the Drive Client also works with the subnet/exit node settings activated.
Awesome! Thanks for confirming!
OK final follow up question (I promise)…
I understand the principal concept of using the NAS as an Exit Node – I route all internet traffic via Tailscale (via the NAS) when activated. But where does that functionality fit into this subnet situation?
I don’t really require to use the NAS as an Exit Node and when I remove it from the SSH command (therefore the NAS doesn’t request it) it seems to not make any difference to the subnet set-up.
Am I missing something obvious (or not obvious for that matter)?
The full-tunnel VPN (exit node) is really only needed to “secure” your traffic from an untrusted network. This simply creates a secure tunnel between your device and the Synology NAS and routes all traffic through it. As far as if it’s “needed”, it really depends on how often you’re on untrusted Wi-Fi. With that said, it does have a permission issue when connecting to the Synology NAS applications (thanks to the comment from Don), so you’ll have to do some additional setup to get that working. As for the IP addresses, it doesn’t matter if you use the Tailscale IP or local IP of your NAS – they should function the same.
Great info and questions both..
After reading a comment on your YouTube video and following all of the steps I did manage to get the Android Apps to work remotely whilst connected to Tailscale but using local IP addresses… absolutely brilliant…
The only downside I see with this over QuickConnect is that only me as the primary user can use Tailscale to access Android apps remotely.
I did try to share my NAS (as a machine) with other users in my family. While they can use this mechanism to log into DSM via a browser … I could not get the Android app on a family member’s phone to log in using either local or Tailscale IP addresses…
Is this possible to do, or is it not an option using Tailscale currently?
Note: I cannot set up Open VPN due to some issues with port forwarding/DDNS on my router/mesh router
This is a problem with VPNs in general unfortunately. They work great if you want to connect to them, but as soon as you start needing other people to connect, they either need a VPN profile or it’s not a legitimate solution. I haven’t actually tried the “share” feature for Tailscale, but it depends how they are accessing the apps? I imagine that they won’t be able to use the local IP, but did they try with the Tailscale NAS IP?
It was me using my daughter’s/wife’s phone…;) from memory I did try using local and Tailscale NAS IP… (will try again as I’m doubting myself now)
So I have setup a tailscale profile for the user but the issue is the address I should use in the Android app…
If the Tailscale solution doesn’t work for remote access on a shared user’s Android apps… the only viable option for my scenario is QuickConnect which I’m trying to transition away from if poss…
Once again thanks for sharing your knowledge and experience… Great work…
Well deserved coffee break I believe … enjoy 😉
Thank you so much! That was very kind of you – I truly appreciate your generosity.
From reading Tailscale’s documentation, the Tailscale IP address is the only IP that will work. This is probably not the best solution in that case, as locally, the applications will stop working (you’d have to be connected to Tailscale every time you’d like to use the app).
I’m afraid if port forwarding isn’t an option, that QuickConnect is probably the “best” option other than this. The other solution that I can think of is to pay $5/month for the Tailscale “Team” membership, so that they would be able to use the local IP address as well. I admit that $60/year for this functionality is probably not ideal, but it is technically an option.
If I can help at all, please let me know!