Access your Synology NAS and its services remotely using Wireguard Easy

What are we doing?

I already have a guide on how to set up Tailscale on your NAS for remote access. In the interest of choice and as I am currently using this method this is an alternative using WireGuard (WG-Easy).

This guide has a number of key steps. I will take you through each one, if you already followed some of my other VPN related guides you may be able to skip sections!

• Folder Setup
• DDNS Address
• TUN Script
• WireGuard Kernel Module
• Container Setup
• Client Setup

A note on Double NAT or CGNAT
Unfortunately more ISPs are moving to these methods of address allocation as the IPv4 address space is getting low on available addresses.

You can test if this is the case by checking the WAN IP on your Router/Modem settings and then comparing it to the one shown on portchecker.co. If they are different you are likely Double NAT and will either need to see if you can pay your ISP for a standard IPv4 address or use Tailscale (see my other guide) or Cloudflare Tunnels for access.

Let’s Begin

In this guide I will take you through the steps to things up and running in Container Manager. We will be using the new Projects (Docker Compose) feature as it will save you time vs manual setup using the normal UI.

Folder Setup

Let’s start by getting some folders set up for the containers to use. Open up File Station create the following.

/docker/projects/wg-easy-compose
/docker/wg-easy

Next we need to setup a DDNS address in order to get connected.

DDNS and SSL

Before we start, make sure you have registered for a Synology Account as we are going to be using their DDNS service. https://account.synology.com/en-uk/register/ If you already have this set up move to the next step.

DDNS (Dynamic Domain Name System)

A DDNS address allows you to get external access to WireGuard via a domain provided by Synology, this is useful on home internet connections where your ISP will change your IP address on a regular basis. This will not put the NAS login screen on the internet by default as we won’t be opening the addition DSM ports on the router.

For some great hints and tips in relation to securing your NAS set Wundertechs recent guide.

In the DSM Control panel go to ‘External Access’ and then to the ‘DDNS’ tab

Click on ‘Add’, then fill out the following sections.

Now press OK, DSM will apply your settings. It can take a few moments to set up and the DSM interface will refresh. You will likely receive a certificate error which you will need to accept to get back into DSM.

Setting up the TUN start up script

In order for the VPN connection to work we need to make sure the TUN Interface is available. In order to ensure it is available even after a reboot we will set up a small ‘script’.

Please note if you already have GlueTUN running you have already done this 🙂 so jump ahead

Open up Control Panel and then click on Task Scheduler

Next click on Create, Triggered Task then User Defined Script.

Enter the following:

On the Task Settings tab copy and paste the code below in the ‘User-Defined script’ section. It will look like screenshot.

#!/bin/sh -e

insmod /lib/modules/tun.ko

You can now press OK and agree to the warning message. Next run the script which will enable the TUN device.

You can now move on to the next step.

WireGuard Kernel Module (Required)

As DSM uses an older Kernel that does not have the required WireGuard modules we need to load them separately.

BlackVoid.club have put together a Kernel Module for Synology which allows the lower level Kernel to perform WireGuard duties, make sure you drop them a thanks as this would not be possible without them!

https://www.blackvoid.club/wireguard-spk-for-your-synology-nas/

While on first glances it looks like a long installation process the page details a number of methods. I recommend having a read taking note of warnings and also if you want to build your own module it tells you how.

The TLDR is below.

1. Find your model of NAS under the correct DSM version section (If you are following this guide it will be 7.2) and download the pre compiled .spk file
2. Head into Package Center and click ‘Manual Install’ on the top right and install the .spk file and untick the box to run after install
3. Reboot
4. SSH Into your NAS (Just like in the User Setup guide) and elevate yourself to root by typing sudo -i and entering your password
5. Enter this command and press enter to start up the module /var/packages/WireGuard/scripts/start

You should now be able to see the WireGuard package running in Package Center. Please note while I will try my best to support in relation to this module I may have to refer you on to BlackVoid if it is a specific technical issue.

On to the next part.

Container Manager

Next we are going to set up a ‘Project’ in Container Manager. Open up Container Manager and click on Project then on the right-hand side click ‘Create’.

In the next screen we will set up our General Settings, enter the following:

Next we are going to drop in our docker compose configuration, copy all the code in the box below and paste it into line ‘1’ just like the screenshot.

services:
  wg-easy:
    image: ghcr.io/wg-easy/wg-easy
    container_name: wg-easy
    environment:
      - LANG=en
      - TZ=Europe/London
      - WG_HOST= #your ddns address
      - WG_PORT=51820 #
      - WG_DEFAULT_DNS=9.9.9.9
      - UI_TRAFFIC_STATS=true
      - UI_CHART_TYPE=1 # (0 Charts disabled, 1 # Line chart, 2 # Area chart, 3 # Bar chart)
	    - PASSWORD_HASH= #your bcrypt hash
    volumes:
      - /volume1/docker/wg-easy:/etc/wireguard
    ports:
      - 51820:51820/udp #wireguard port
      - 51821:51821/tcp #wg-easy UI
    cap_add:
      - NET_ADMIN
      - SYS_MODULE
    sysctls:
      - net.ipv4.conf.all.src_valid_mark=1
      - net.ipv4.ip_forward=1
    restart: unless-stopped

Environment Variables

We are now going to amend some key variables which define how the WireGuard connection will be set up and behave, I have covered the key settings here to get you up and running. You can find a full list of variables on the WG-Easy GitHub.

Generating the web password

In order to enable the password for the Web UI you need to add a Bcrypt hash of your chosen password into the compose. Go to https://bcrypt.online/ to create the hash.

Enter the password in the ‘Plain Text Input’ box and then press the ‘Generate Hash’ button. Copy the generated hash next to the PASSWORD_HASH= line.

Finally you will need to slightly amend the $ signs in the hash to ensure it is read correctly from the compose by replacing any single $ to double $$ for example

$2y$10$Kpbc.6Ue5WClnHLxCxLOo.lNmJRg8inaNFu9tW03WaZpAGVLQRn76

becomes

$$2y$$10$$Kpbc.6Ue5WClnHLxCxLOo.lNmJRg8inaNFu9tW03WaZpAGVLQRn76

Once you have made the edits you can click ‘Next’

You do not need to enable anything on the ‘Web portal settings’ screen click ‘Next’ again.

On the final screen click ‘Done’ which will begin the download of the container image and once downloaded it will be launched!

The image will now be downloaded and extracted. You should see ‘Code 0’ when it has finished.

Forward the WireGuard Port

Now the container is running it would be a good idea to head into your Routers settings and forward the port your set for the container (51820). Refer to the manual on how to do this, essentially the port will be forwarded to the NAS IP address.

Firewall Exceptions

(Skip if you don’t have the Firewall configured)

If you have the Synology Firewall enabled please see this additional guide for further info on exceptions and correct set up.

Client Set up

WireGuard Easy makes it super easy to set up each client. Go to the Web UI on your NAS IP port 51821

Simply click ‘New Client’ and the config details will be created automatically for you.

You have a couple of choices on how to add the config to your end device, for phones make use of a WireGuard app. For this guide I am using WG Tunnel on the Playstore, for iPhone users there is also a WireGuard app.

Open the App and Tap the + button in the bottom Right, then ‘WireGuard’ in the pop-up menu, then ‘Add from QR Code’. Scan the QR code from WG Easy.

You can now turn on the connection from within the app and when roaming away from home all your locally hosted services will just work like you are on Wi-Fi. Your internet traffic is also routed through the connection. I have found that battery impacts are negligible so leave the connection on 24/7.

Looking for some help, join our Discord community

If you are struggling with any steps in the guides or looking to branch out into other containers join our Discord community!

Buy me a beverage!

If you have found my site useful please consider pinging me a tip as it helps cover the cost of running things or just lets me stay hydrated. Plus 10% goes to the devs of the apps I do guides for every year.