Skip to content

Tailscale: Remote Access to Synology and Its Services Made Easy

Important or Recent Updates
Historic UpdatesDate
New guide Published18/03/2023
Swapped to using the version direct from Tailscale20/03/2023
Fixed the Routes and Subnets command as seems to run differently depending on some configs27/03/2023
Amended wording relating to exit nodes and DNS09/04/2023
Changed the Tailscale Up command to use the DNS servers specified in the admin console – amended the DNS section accordingly (thanks Roy)10/12/2023
Historic Updates

What is Tailscale?

Tailscale is very clever, it’s a VPN mesh network that allows you to use all your local network resources such as your NAS, all your Docker containers and even other devices on your network remotely.

This guide is based on the official documentation here which covers the basics however I received enough questions via Discord / Matrix and email that I felt it warranted a step-by-step walkthrough.

This will take you through the steps to get Tailscale running on your NAS and then accessing via an Android mobile.

Note: For anyone who likes to follow along in video format this video recently released by Alex from Tailscale is great!


Let’s Begin

The first step is to install the Tailscale Package (believe it or not we are not using Docker!!)

You have a couple of options here, either install the current version via the Package Centre or grab the latest version direct from Tailscale.

We are going to get the latest version in this guide, if you ever want to update either check back on newer versions via the link above or eventually the Package Centre version will catch up!

Open the link above and grab the version of the of package which works with your model of NAS. Most + models will use the version shown in the screenshot (you can find out of what type of CPU your NAS has here)

Once downloaded pen up the Package Centre and Click on ‘Manual Install’ on the top right. Then browse to your downloaded package and click Next.

You will be asked to accept all responsibility by installing this package, of course we will agree!

Once the package has finished either find it in the list or search for it in the top bar and click Open.

A new browser window will open, and it will ask you to Log In to your Tailscale account

Click log in, and you will be taken to the next screen with different options to log in – Tailscale uses sign ins via three providers Google, Microsoft, or GitHub select the one you prefer and login. You will use this to sign in on all devices going forward.

Once you have signed in you will see the screen below which is confirming the details of the device being added to your account. Click ‘Connect’.

You can now visit https://login.tailscale.com/admin/, and you will see your NAS in the list of your devices – I have blurred out my other devices in the screenshot, but you can add up to 25 for free.

You will see that you NAS has been assigned an IP address on the Tailscale network. We want to be able to access all our services via their original IP and ports rather than having to remember a new IP address. So lets carry on…


Enabling Outbound Connections on DSM7 and up

In order for our containers and apps running on DSM to have outbound access to the Tailscale network we need to enable this via a boot up command. This is nice and easy as we can use the Task Scheduler in the Control Panel.

So open up Control Panel > Task Scheduler > Create Task > Triggered Task > User-Defined script

In the Create Task window that appears enter the following information.

SectionSetting
Task Name:tailscale-outbound
User:root
Event:Boot-up
Pre-task:Leave this blank

Now click the ‘Task Settings’ tab and enter the code below in the ‘User-defined Script’ section

Bash
/var/packages/Tailscale/target/bin/tailscale configure-host; synosystemctl restart pkgctl-Tailscale.service

Now click ‘OK’ you will be warned about running scripts as a root user, you can safely click the scary Red OK button.

The final step for this section is to run the script, it will then run on each reboot automatically, just select the task from the list and then click ‘Run’ and a then say ‘Yes’ to the pop-up.


Subnets, Routes, and Exit Nodes

So one more step to set up on the NAS side of things, we now need to enable the following items:

  • Subnets – (Advertise Routes) In order for us to access other devices on our network we will allow the Tailscale connection to look across the network
  • Exit Node – By default your internet traffic will go via the connection on the device you are using. For example if you are using your mobile on 4g when you go to Google.com this is going directly from your mobile connection. However, if you enable the Exit Node feature you can route your traffic via your NAS and out of your home internet connection. If you have Ad-Guard or PiHole in place this also means your ad blocking works as well!

You can do this next part in two ways either via SSH or for simplicity I am going to show how via Task Scheduler.

Go back to the Task Scheduler in Control Panel and Click Create > Scheduled Task > User-defined script.

Next we set the following options:

SectionSetting
Task Name:tailscale-routes-exit
User:root
Enabled:Unticked

Nothing need to be amended on the Schedule tab, then in the Task Settings tab enter the code below into the User-defined script section.

Before you do this though you need to edit the –advertise-routes=192.168.0.0/24, this must correspond to your own local subnet! The easiest way to figure out this is by taking your NAS IP address for example 192.168.0.79 and changing the final digit after the . to 0 ( 192.168.0.0)

Also, the –accept-dns=true will tell Tailscale to use the DNS servers set in the Admin Console we will visit this a bit later.

Bash
tailscale up --accept-dns=true --advertise-exit-node --advertise-routes=192.168.0.0/24 --reset

Now press OK and again as per the last section accept the warning. You will then need to run the command by selecting it from the list and pressing ‘Run’. This is everything completed on the NAS side of things!


Tailscale Admin Amendments

We are now going to make a couple of changes in the Tailscale admin panel. Head back to https://login.tailscale.com/admin/ you will notice our NAS shows the extra enabled features of Subnets and Exit node.

Click on the three dots next to your NAS and click on ‘Disable Key Expiry’ this will mean you don’t need to manually renew encryption keys every few months.

Then click the three dots again and select ‘Edit route settings..’ and you will see the screen below. Turn on both the ‘Subnet routes’ and ‘Exit Node.’ These will allow you to access devices and applications on your local network and enable the ability to route your internet traffic through the NAS.


Network wide ad-blocking / DNS

Our final step in the Admin Panel is to make sure we have some DNS servers in place, otherwise you will not have internet access via Tailscale.

In the video below I add local IPs for AdGuard or Pi-hole if you are not using those either add your preferred DNS provider(s) or select from the built-in ones.

In your Tailscale admin panel click DNS from the top section

Next scroll down to the Nameservers section and as per the video below click ‘Add Nameserver’ then select either from the drop-down list or Custom if you want to add the IP address of your Adguard or Pi-hole instance.


Mobile Setup

We are into the final stretch! Now the NAS is set up and our network running we can start adding more devices, I am using an Android phone as an example in this guide. However, adding an iPhone or Laptop, or any other device such as a remote NAS is pretty much the same.

The first step is to download the Tailscale app from the Google Play Store or you can install directly from Tailscale. I am not showing these steps as they should be self-explanatory.

Once installed open up the app, and it will ask you to sign in, use the same account you used earlier and follow the steps (not showing these as it varies slightly per account type)

Next you will see a screen to add the device to your account just press Connect.

You will now see a list of your devices on the Tailscale network – You can now turn on Tailscale at the top left of the app – accept the permission to set up a VPN connection when it appears.

The final step!

We need to select our exit node and turn on subnet access. Just click the three dots and choose ‘Use exit node…’ In the screen that appears select your NAS and tick the Allow LAN access box. (The Allow LAN access does not appear on iPhone)

– Note some users have reported that using the Exit Node meant that Adblocking did not work for their setup, so you may need to leave this option off. This means that while your Internet traffic will continue via your local 4G/5G or WiFi Connection DNS will be handled by your PiHole or Adguard. –

That’s it! You can now access all your services via a mobile connection or Wi-Fi on someone else’s network – all end-to-end encrypted!


Looking for some help, join our Discord community

If you are struggling with any steps in the guides or looking to branch out into other containers join our Discord community!

Buy me a beverage!

If you have found my site useful please consider pinging me a tip as it helps cover the cost of running things or just lets me stay hydrated. Plus 10% goes to the devs of the apps I do guides for every year.

Published inOther Tools 7.1Other Tools 7.2Remote Access

59 Comments

  1. Aaron Brown Aaron Brown

    First- thanks so much for all of your guides. I have used most of them on my Synology and they are flawless!

    I am just using Tailscale to access my local network and avoid opening up ports on my router. So, I primarily use it to access the docker containers on my Synology (Plex, Radarr, NZBGet, etc.) and to access my desktop PC via RDP. So, I just need to enable exit node and subnet routing, right? It does not seem like I need outbound traffic enabled via Tailscale on the Synology. What is the use case for enabling outbound traffic?

    • Dr_Frankenstein Dr_Frankenstein

      Hey, so the exit node element is really just if you want to mask your current location. For example if you want it to appear like your traffic is via your home internet connection rather than one in a hotel abroad or Public Wi-Fi that you don’t trust. Also, you can get clever with some layering to actually put the exit node traffic via something like GlueTUN so all devices on the Tailnet can use the VPN at the same time…

      • Ronin Ronin

        Super new to all this and been finding your guides so useful.

        Which lead me here. How do you route Tailscale through gluetun? Was hoping to set up a vpn on the exit node

        • Dr_Frankenstein Dr_Frankenstein

          Hey good question, someone on our Discord did this – I will find their example and drop a reply…

  2. Sean Sean

    2 questions:

    1. Did you have to enable IPv6 in order to direct connect (not DERP relay)?
    2. What speeds do you get if you are direct connected?

    My internet should be getting me up to 500mbps based on upload speed but i’ve never been able to achieve higher than 50mbps. Swapping from tailscale to my normal vpn on my phone i get about double the speed.

    Trying to watch things from my media server while out but the speed keeps things buffering so i’ve been trying to iron this out for a bit. iOS unfortunately makes it difficult to check for sure whether I am direct connected or using DERP while out.

    • Dr_Frankenstein Dr_Frankenstein

      It’s a little hard for me to test as my upload speeds on my home connection is only 35Mbps so can easily be saturated, no IPv6 turned on across my network. I am currently testing out just using a pure WireGuard direct connection as found I did not really need all the various Tailscale features. Are you sure it’s not that your upload is good, but your connection is bottlenecked on the phone side… e.g. server sending full 4k, but the phone connection is not fast enough to stream it…

      • Mr. Hanky Mr. Hanky

        The buffer may be CGNAT + DERP combo issue no? Isn’t DERP sort of an inherent bottleneck-like issue when streaming using excrypted connections such as Tailscale or whatever VPN?

        I’m unsure whether Tailscale vs a Cloudflare tunnel route to enable safe remote client access to my plex server. No point if buffering is a premise either way so very curious if you got any ‘real life’ updates on how this works out?

        Anyway, thanks for the great guides mate!

        • Sean Sean

          Do you know if setting up reverse proxy or some other method would avoid the struggle being created by CGNAT and DERP? I’m stuck using the ISP router since we have a fiber connection unfortunately so I can’t really get around the CGNAT issue.

          As of right now the way my home internet is setup I don’t think Tailscale is the solution I want but I haven’t found a good guide for another potential method of remote access.

  3. syreex syreex

    Awesome guide, as most of your guides are!

    Tricky question: I am trying to figure out how to activate https connection with an SSL certificate because certain things like microphone for video doorbell in home assistant require a secure http connection. I read the guide on Tailscale’s website but I am wondering if you could add a section to your guide in your more practical manner. To complicate things more, certificate renewal with lets encrypt every 90 days is not automatic unless you configure caddy which is way beyond my reach. Anyways, thanks for looking into this!

  4. Mark Mark

    Many thanks for this great tutorial. I am in the process of setting up Pi-Hole and Tailscale on Synology NAS. I can currently access my docker containers, externally, via Reverse Proxy do I need to take any additional steps to maintain these connections once Tailscale is configured (per tutorial)? Many thanks in advance.

  5. Ricco Ricco

    Really nice tutorial. When you say to change the subnet up “192.168.0.79 and changing the final digit to 0”, so if my Nas ip is 192.168.0.111, then the subnet would be 192.168.0.110?

    • Dr_Frankenstein Dr_Frankenstein

      Ahh can see that being confusing will amend to last digit after the .

      192.168.0.0

Leave a Reply

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.

drfrankenstein.co.uk – writing Synology Docker Guides since 2016 – Join My Discord!