This article provides a comprehensive guide on how to set up WireGuard using Docker Container Manager for self-hosting on your NAS. It includes step-by-step instructions on folder setup, DDNS configuration, and client setup, ensuring that you can create a secure, remote access solution tailored to your needs.
What Are We Doing?
In this guide, we will explore using WireGuard (WG-Easy) as a self-hosted VPN solution on your NAS. If you’ve already followed some of my other VPN-related guides, feel free to skip through sections you’re familiar with. Let’s dive in!
Getting Started with Self-Hosting WireGuard
- Folder Setup
- DDNS Address Configuration
- TUN Script Setup
- WireGuard Kernel Module Installation
- Container Setup
- Client Configuration
Understanding Double NAT and CGNAT
Many ISPs are adopting Double NAT or Carrier-Grade NAT (CGNAT) due to the diminishing availability of IPv4 addresses. You can verify if you are behind Double NAT by comparing the WAN IP found on your router with the IP shown on a service like portchecker.co. If they differ, consult your ISP for a dedicated IPv4 address or consider using solutions like Tailscale or Cloudflare Tunnels for remote access.
Let’s Begin: Setting Up Your NAS
This guide focuses on utilizing the Projects (Docker Compose) feature in Container Manager, saving you setup time compared to manual configurations.
Step 1: Folder Setup
First, create the following folders in File Station. The first holds the Container Manager project (the compose file); the second is mounted into the container as /etc/wireguard and holds the WireGuard configuration:
/docker/projects/wg-easy-compose
/docker/wg-easy
Step 2: Configuring DDNS and SSL
Create a Synology Account for the DDNS service. If you’ve previously registered, you can proceed to set up your DDNS address, which will allow external access to WireGuard without compromising your NAS login screen.
Complete the DDNS configuration as follows:
- Service Provider: Synology
- Hostname: Create a unique domain identifier for your NAS (e.g. myawesomenas.synology.me)
- Email: Log in to your Synology account
- External Address (IPv4): Should auto-fill
- Get a Cert from Let’s Encrypt: Check this box
Following the configuration, a warning may appear regarding the SSL certificate; accept this to continue.
Step 3: Setting Up the TUN Script
This script loads the TUN kernel module so that the TUN interface is available after a reboot, which the VPN connection depends on. In Control Panel, open Task Scheduler and create a User Defined Script with the following content:

```sh
#!/bin/sh -e
# Load the TUN kernel module; -e makes the task fail if insmod fails.
insmod /lib/modules/tun.ko
```
Step 4: Installing the WireGuard Kernel Module
Since Synology DSM utilizes an older kernel, install the required WireGuard modules. Download the pre-compiled .spk file from BlackVoid.club and follow their installation guide to implement the kernel module.
Step 5: Deploying Container Manager
Access Container Manager, initiate a project named wg-easy, and link it to the directory created earlier. Insert this docker-compose configuration at line ‘1’:
```yaml
services:
  wg-easy:
    image: ghcr.io/wg-easy/wg-easy
    container_name: wg-easy
    environment:
      - LANG=en
      - TZ=Europe/London
      # Replace with the DDNS hostname from Step 2
      - WG_HOST=#your DDNS address
      - WG_PORT=51820
      - WG_DEFAULT_DNS=9.9.9.9
      - UI_TRAFFIC_STATS=true
      - UI_CHART_TYPE=1
      # In a compose file, write every $ of the hash as $$
      - PASSWORD_HASH=#your bcrypt hash
    volumes:
      - /volume1/docker/wg-easy:/etc/wireguard
    ports:
      - 51820:51820/udp
      - 51821:51821/tcp
    cap_add:
      - NET_ADMIN
      - SYS_MODULE
    sysctls:
      - net.ipv4.conf.all.src_valid_mark=1
      - net.ipv4.ip_forward=1
    restart: unless-stopped
```
Step 6: Configuring Environment Variables
Adjust environment variables for optimal configuration. Essential settings include:
- WG_HOST: Alter to match your previously set DDNS address.
- PASSWORD_HASH: It’s advisable to secure your UI with a password—generate a bcrypt hash for this purpose.
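A pre-deployment check for the two variables above, as an added example that is not part of the original guide or the wg-easy project. It flags placeholders left in place and a PASSWORD_HASH whose `$` characters are not doubled, since Compose treats a single `$` as the start of variable interpolation. The function names and the sample hash are constructed for illustration.

```python
import re

# bcrypt string: $2a$/$2b$/$2y$, two-digit cost, 53 chars of salt + digest.
BCRYPT_RE = re.compile(r"^\$2[aby]\$\d{2}\$[./A-Za-z0-9]{53}$")
ENV_RE = re.compile(r"^\s*-\s*([A-Z_]+)=(.*)$")
LONE_DOLLAR_RE = re.compile(r"(?<!\$)\$(?!\$)")  # a $ that is not part of $$

# Constructed sample, not a real credential: format-valid but meaningless.
SAMPLE_HASH = "$2b$12$" + "A" * 53
# The two entries as the guide ships them, placeholders included.
PAGE_ENV = """\
    environment:
      - WG_HOST=#your DDNS address
      - PASSWORD_HASH=#your bcrypt hash
"""


def compose_escape(bcrypt_hash):
    """Return the hash as it must be written in docker-compose.yml."""
    if not BCRYPT_RE.match(bcrypt_hash):
        raise ValueError("not a bcrypt hash")
    return bcrypt_hash.replace("$", "$$")


def check_env(compose_text):
    """Return a list of problems with WG_HOST and PASSWORD_HASH."""
    env = {}
    for line in compose_text.splitlines():
        m = ENV_RE.match(line)
        if m:
            env[m.group(1)] = m.group(2).strip()
    problems = []
    for key in ("WG_HOST", "PASSWORD_HASH"):
        if not env.get(key) or env[key].startswith("#"):
            problems.append(key + ": placeholder not replaced")
    pw = env.get("PASSWORD_HASH", "")
    if pw and not pw.startswith("#"):
        if LONE_DOLLAR_RE.search(pw):
            problems.append("PASSWORD_HASH: write every $ as $$")
        # Compose turns $$ back into $ before the container sees the value.
        elif not BCRYPT_RE.match(pw.replace("$$", "$")):
            problems.append("PASSWORD_HASH: not a bcrypt hash")
    return problems


if __name__ == "__main__":
    print(check_env(PAGE_ENV))
    fixed = PAGE_ENV.replace("#your DDNS address", "myawesomenas.synology.me")
    fixed = fixed.replace("#your bcrypt hash", compose_escape(SAMPLE_HASH))
    print(check_env(fixed))
```

Paste the environment section of your own compose file into `check_env` before building the project; an empty list means both values are filled in and the hash will reach the container intact.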
Step 7: Client Setup
Navigate to your NAS IP:51821 to access the web UI and create new clients effortlessly. This setup allows each device to connect securely. Utilize the WireGuard app to streamline the process for mobile devices by scanning the generated QR code.
Conclusion
Setting up WireGuard for self-hosting offers a secure and efficient method to connect remotely to your NAS. This guide provides all the necessary steps and tips for a smooth process. If you run into challenges, don’t hesitate to join the growing community focused on self-hosting solutions.
FAQ
- What is self-hosting? Self-hosting allows individuals to manage their own server or services instead of relying on third-party service providers.
- Is WireGuard secure? Yes, WireGuard uses state-of-the-art cryptography and is known for its speed and security features.
- How can I access my NAS remotely? Utilize a dynamic DNS service and set up a VPN like WireGuard to secure your remote access.
Last updated on 1 January 2025
Important or Recent Updates
Update | Date |
---|---|
New guide released | 06/06/2024 |
Swapped the WireGuard container for WG-Easy due to better UI | 30/08/2024 |
Amendments made to bcrypt password settings. | 04/11/2024 |