
Access your self-hosted services remotely using WireGuard VPN on a Synology NAS

Important or Recent Updates

Update | Date
New guide released | 06/06/2024


What are we doing?

I already have a guide on how to set up Tailscale on your NAS for remote access. In the interest of choice this is an alternative method using WireGuard.

This guide has a number of key steps and I will take you through each one. If you have already followed some of my other VPN related guides you may be able to skip sections!

  • Folder Setup
  • DDNS Address
  • TUN Script
  • WireGuard Kernel Module
  • Container Setup
  • Client Setup

Let’s Begin

In this guide I will take you through the steps to get things up and running in Container Manager. We will be using the new Projects (Docker Compose) feature to get this running, as it will save you time compared with a manual setup using the normal UI.

If you have followed my other guides this one is a little different, as there is not as much pre-setup required. Just make sure you have followed the guide below to set up a restricted Docker user first.

Folder Setup

Let’s start by getting some folders set up for the containers to use. Open up File Station and create the following.

Folders
  • /docker/projects/wireguard-compose
  • /docker/wireguard

DDNS and SSL

Before we start, make sure you have registered for a Synology Account, as we are going to be using their DDNS service: https://account.synology.com/en-uk/register/ If you already have this set up, move to the next step.

DDNS (Dynamic Domain Name System)

A DDNS address gives you external access to WireGuard via a domain provided by Synology. This is useful on home internet connections where your ISP changes your IP address on a regular basis. This will not put the NAS login screen on the internet by default, as we won’t be opening the additional DSM ports on the router.

For some great hints and tips on securing your NAS, see WunderTech's recent guide.

In the DSM Control Panel go to ‘External Access’ and then to the ‘DDNS’ tab.

Click on ‘Add’, then fill out the following sections.

Section | Value
Service Provider | Synology
Hostname | This will be the address used to identify your NAS, so make it personal to you and not specific to this guide.
  jellyseerr.synology.me = BAD
  myawesomenas.synology.me = GOOD
Email | Log into your Synology account
External Address (IPv4) | This should be filled in automatically
External Address (IPv6) | This should be filled in automatically if your ISP is using IPv6
Get a Cert from Let’s Encrypt | Tick this box
Enable Heartbeat | Tick this box

Now press OK, DSM will apply your settings. It can take a few moments to set up and the DSM interface will refresh. You will likely receive a certificate error which you will need to accept to get back into DSM.

Setting up the TUN start-up script

In order for the VPN connection to work we need to make sure the TUN interface is available. To ensure it is still available after a reboot we will set up a small ‘script’.

Please note, if you already have GlueTUN running you have already done this 🙂 so jump ahead.

Open up Control Panel and then click on Task Scheduler.


Next click on Create, Triggered Task, then User-Defined Script.


Enter the following:

Section | Setting
Task | VPNTUN
User | root
Event | Boot-up
Enabled | Tick


On the Task Settings tab copy and paste the code below into the ‘User-Defined script’ section. It will look like the screenshot.

Bash
#!/bin/sh -e
# Load the TUN kernel module at boot. The /sys/module check skips insmod when
# tun is already loaded, otherwise insmod would fail and -e would abort the script.
[ -d /sys/module/tun ] || insmod /lib/modules/tun.ko

You can now press OK and agree to the warning message. Next, run the script, which will enable the TUN device.

You can now move on to the next step.

WireGuard Kernel Module (Required)

As DSM uses an older kernel that does not have the required WireGuard modules, we need to load them separately.

BlackVoid.club have put together a kernel module for Synology which allows the lower-level kernel to perform WireGuard duties. Make sure you drop them a thanks, as this would not be possible without them!

While at first glance it looks like a long installation process, the page details a number of methods. I recommend having a read and taking note of the warnings; it also tells you how to build your own module if you want to.

The TL;DR is below.

  1. Find your model of NAS under the correct DSM version section (if you are following this guide it will be 7.2) and download the pre-compiled .spk file
  2. Head into Package Manager, click ‘Manual Install’ on the top right, install the .spk file and untick the box to run after install
  3. Reboot
  4. SSH into your NAS (just like in the User Setup guide) and elevate yourself to root by typing sudo -i and entering your password
  5. Enter this command and press Enter to start up the module: /var/packages/WireGuard/scripts/start

You should now be able to see the WireGuard package running in Package Manager. Please note, while I will try my best to support you in relation to this module, I may have to refer you on to BlackVoid if it is a specific technical issue.

On to the next part.

Container Manager

Next we are going to set up a ‘Project’ in Container Manager. Open up Container Manager, click on Project, then on the right-hand side click ‘Create’.

In the next screen we will set up our General Settings, enter the following:

Section | Setting
Project Name | wireguard
Path | /docker/projects/wireguard-compose
Source | Create docker-compose.yml

Next we are going to drop in our Docker Compose configuration. Copy all the code in the box below and paste it into line ‘1’ just like the screenshot.

YAML
services:
  wireguard:
    image: linuxserver/wireguard:latest
    container_name: wireguard
    cap_add:
      - NET_ADMIN
      - SYS_MODULE
    environment:
      - PUID=1234 #change-me
      - PGID=65432 #change-me
      - TZ=Europe/London #change-me
      - SERVERURL=youraddress.dscloud.me
      - SERVERPORT=51820
      - PEERS=MYPHONE
      - PEERDNS=auto
      - INTERNAL_SUBNET=10.13.13.0
      - ALLOWEDIPS=0.0.0.0/0
      - PERSISTENTKEEPALIVE_PEERS=MYPHONE
      - LOG_CONFS=false
    volumes:
      - /volume1/docker/wireguard:/config
      - /lib/modules:/lib/modules
    ports:
      - 51820:51820/udp
    sysctls:
      - net.ipv4.conf.all.src_valid_mark=1
    restart: unless-stopped

Environment Variables

We are now going to amend some key variables which define how the WireGuard connection will be set up and behave. I have covered the basic settings here to get you up and running; you can find full details for each setting on the LinuxServer support pages.

Variable | Value
PUID= | Change it to the UID you obtained earlier in the first setup guides
PGID= | Change it to the GID you obtained earlier in the first setup guides
TZ= | You will need to change this line to your own timezone code – you can find the correct list of ones to use at wikipedia.org/wiki/List_of_tz_database_time_zones
SERVERURL= | Change this to the DDNS address you set up in the previous steps
SERVERPORT= | You can amend this if you wish; it will be the port you need to forward on your router to the NAS IP.
PEERS= | This will be a comma-separated list of the config files you want to set up. You can name each config, such as MYPHONE,MYLAPTOP (note: no spaces before or after the comma)
PEERDNS= | Leave as AUTO if you want to just use the DNS server the NAS uses, or you can manually specify a DNS IP.
INTERNAL_SUBNET= | Leave this unless it clashes with your own network IP subnet.
ALLOWEDIPS= | Leave this unless you want only certain IPs to go via the VPN
PERSISTENTKEEPALIVE_PEERS= | Copy the list of PEERS here to make sure they get a ping to ensure the connection remains up.
LOG_CONFS= | Leave as is, unless you want the log files to contain the configuration information.
Key Edits
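As an added example (my own script, not part of the original guide or the LinuxServer image), here is a small pre-flight check that reads the environment lines from the compose file and flags the mistakes the table above warns about: placeholder values left in, spaces in PEERS, a keepalive list that does not match PEERS, an INTERNAL_SUBNET that overlaps your LAN, and a SERVERPORT that disagrees with the UDP port mapping. The sample environment, the LAN subnet 192.168.1.0/24 and the assumption that the tunnel addresses come from a /24 on INTERNAL_SUBNET are mine.

```python
import ipaddress
import re

# Constructed sample: the environment lines from the compose file above, edited
# for a real NAS but with a stray space left after the comma in PEERS.
COMPOSE_ENV = """
      - PUID=1026
      - PGID=100
      - TZ=Europe/London #change-me
      - SERVERURL=myawesomenas.synology.me
      - SERVERPORT=51820
      - PEERS=MYPHONE, MYLAPTOP
      - INTERNAL_SUBNET=10.13.13.0
      - ALLOWEDIPS=0.0.0.0/0
      - PERSISTENTKEEPALIVE_PEERS=MYPHONE
"""

def parse_env(text):
    """Turn '- KEY=VALUE #comment' lines into a dict, dropping the comments."""
    env = {}
    for line in text.splitlines():
        m = re.match(r"\s*-\s*([A-Z_]+)=(.*)", line)
        if m:
            env[m.group(1)] = m.group(2).split("#", 1)[0].strip()
    return env

def check_env(env, lan_subnet, mapped_udp_port):
    """Return a list of problems; an empty list means the settings look sane."""
    problems = []
    for key in ("PUID", "PGID"):
        if not env.get(key, "").isdigit():
            problems.append(f"{key} must be numeric, got {env.get(key)!r}")
    if env.get("SERVERURL", "").startswith("youraddress."):
        problems.append("SERVERURL still has the placeholder address")
    peers = env.get("PEERS", "")
    if not re.fullmatch(r"[A-Za-z0-9]+(,[A-Za-z0-9]+)*", peers):
        problems.append(f"PEERS must be comma separated with no spaces: {peers!r}")
    peer_set = {p.strip() for p in peers.split(",")}
    keepalive = set(env.get("PERSISTENTKEEPALIVE_PEERS", "").split(","))
    if keepalive != {"all"} and keepalive != peer_set:  # the image also accepts 'all'
        problems.append("PERSISTENTKEEPALIVE_PEERS should list the same names as PEERS")
    # Assumption: tunnel addresses are handed out from a /24 on INTERNAL_SUBNET.
    tunnel = ipaddress.ip_network(env.get("INTERNAL_SUBNET", "10.13.13.0") + "/24", strict=False)
    if tunnel.overlaps(ipaddress.ip_network(lan_subnet, strict=False)):
        problems.append(f"INTERNAL_SUBNET {tunnel} clashes with LAN {lan_subnet}")
    if env.get("SERVERPORT") != str(mapped_udp_port):
        problems.append("SERVERPORT does not match the udp port mapping")
    return problems
```

Call check_env(parse_env(COMPOSE_ENV), "192.168.1.0/24", 51820) with your own lines pasted in; the sample as written reports the stray space in PEERS and the keepalive list missing MYLAPTOP.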

Once you have made the edits you can click ‘Next’.

You do not need to enable anything on the ‘Web portal settings’ screen, so click ‘Next’ again.

On the final screen click ‘Done’, which will begin the download of the container image; once downloaded it will be launched!

The image will now be downloaded and extracted. You should see ‘Code 0’ when it has finished.


Now the container is running, it would be a good idea to head into your router's settings and forward the UDP port you set for the container. Refer to the manual on how to do this; essentially the port will be forwarded to the NAS IP address.

Firewall Exceptions

(Skip if you don’t have the Firewall configured)

If you have enabled and configured the Synology Firewall you will need to create exceptions for any containers that have a Web UI or have any incoming or outgoing connections. This section covers the basics of how to add these. (Please note this is a generic section and will not show the specific ports used in this guide; however, it applies in the same way.)

Also, I would like to refer people to the great guide on getting the Firewall correctly configured over on WunderTech's site.

Head into Control Panel > Security > Firewall; from here click Edit Rules for the profile you set up when you enabled the Firewall.

Next click on Create and you will see the screen below. Source IP and Action will be automatically selected as All and Allow. I will leave it up to you whether you want to lock down access to specific Source IPs; in this example we will leave it as All.

You will now choose ‘Custom’ and then the Custom button.

Now select Destination from the drop-down menu. Most web-based containers require TCP access, but check the guide as it will show the port and protocol. Then add comma-separated ports and press OK.

Click OK a couple of times to get back to the main screen. By default the new rule is added to the bottom of the list. You must always have your Block All rule last in the list, as the rules are applied top down, so move your container rule up.

You have now completed the Firewall changes and can continue with the guide.

Client Set up

Once the server has started we can get our phone connected to it. I am demonstrating this on Android using the WireGuard app; it is also available for iPhones.

The config files for the named devices you specified in the environment variables are located in /docker/wireguard/peer_nameofdevice.

The connection details are individual files; however, as we are setting up a phone, we can use the really convenient QR code!

Open the app and tap the + button in the bottom right, then ‘Scan from QR code’ in the pop-up menu. Scan the QR code you wish to use for this phone and it will pull in all the connection details. Once scanned it will also ask for a Tunnel Name.

You can now turn on the connection from within the app, and when roaming away from home all your locally hosted services will just work like you are on Wi-Fi. Your internet traffic is also routed through the connection. I have found that the battery impact is negligible, so leave the connection on 24/7.





drfrankenstein.co.uk – writing Synology Docker Guides since 2016 – Join My Discord!