Wireguard and Innernet on Synology
I recently bought a Synology DS220+ NAS for my home network and I’m really liking it so far. Setting it up was very easy and getting my phone to sync photos was a breeze with the Synology Photos app for Android. I also set it up as an Network File System (NFS) server so I could mount the files on my desktop and laptop computers, and therefore removed my reliance on Syncthing. (I don’t have anything against Syncthing, its worth noting. In fact, I think its a great piece of software. I just don’t have any need for it anymore).
One issue that arose from this change, though, was what to do about file access when I was out of my house on my laptop. Syncthing keeps a full copy of all files on every device, and does NAT hole-punching to connect computers that are behind home networks. NFS doesn’t have either of those solutions.
Fortunately, all of my computers are already connected via a WireGuard virtual network, orchestrated by a tool called innernet. Innernet is a tool that is similar to tailscale if you’ve heard of that, but which doesn’t rely on a third party for authentication or to help with endpoint discovery. You need to provide a server (one which is always-on and which has a globally routeable IP address) yourself. I have a server with Linode that does the job.
The Synology operating system actually has an available tailscale app, so if you’re already using that you’re good to go. Unfortunately, there’s no innernet app and, as far as an internet search turned up, nobody had written about how to get it running. I decided to take a stab at making it work, and was successful. I thought I’d share my steps in case it helps someone else out in the future.
Wireguard on Synology
First things first we need to get WireGuard running on the Synology NAS. Fortunately that was fairly straight forward thanks to this repo which has step by step instructions as well as a docker image to make compilation easy. Be sure to pay attention to the note that the pre-built images in the “releases” section are only for DSM 6. If you have a newer Synology running DSM 7, as I do, you will have to go the manual compilation route using the instructions starting here.
Follow the instructions for installing the resulting packages, but you can ignore the portion about configuring WireGuard as innernet will do that itself.
Since there’s no innernet package for the Synology OS, we need to compile a copy. For this, you will need a copy of Rust. If you don’t already have it, head over to Rustup and follow the instructions to get Rust running on your computer.
You will then need to find out what architecture your NAS is on. It looks like most, though not all, are running x86_64. You can find yours in this table. If your model lists a CPU by Intel or AMD, you’re running x86_64. If not, its likely an ARM chip. You might have to search up the chip name to find out what exact version of ARM it is.
Clone the innernet repo to somewhere convenient and
cd into it. Once in there, you will need to get the right rust toolchain for your NAS installed.
If your NAS is Intel or AMD:
$ rustup install x86_64-unknown-linux-musl
If your NAS is ARMv7:
$ rustup install armv7-unknown-linux-musleabi
If your NAS is ARMv8 or other 64-bit ARM architecture:
$ rustup install aarch64-unknown-linux-musl
Once you’ve done that, compile the innernet client binary:
$ cargo build --release --target <the architecture you used in the prior step> --bin innernet
You should now have a file called
innernet in the
target/<architecture>/release/ directory. Copy that to your NAS, either via a network share or just by uploading in the web portal. You will also want to create an innernet invitation file on your server and upload that to the NAS as well.
If you haven’t already, enable SSH access to your Synology and ssh in. If you’re using innernet, I’m going to assume you already know how to do this.
Copy the innernet executable to
/usr/bin/ then follow the instructions in the innernet repo to claim the invitation.
This is where I ran into my only bit of trouble. The first couple times I tried to claim the invite, the innernet client wasn’t able to connect to my server. I ran it again, intending to interrupt it after it had setup the WireGuard tunnel to try to debug it, and it just worked. I don’t know if I did something different that time or if it was a momentary hiccup. Its been working fine ever since.
Once the invitation has been claimed, make sure you can access the NAS from elsewhere in your VPN. If it works, then you just need to do one last thing.
systemd unit file from the innernet repo to the
/usr/lib/systemd/system/ directory on your NAS. Enable the service by running:
$ sudo systemctl enable innernet@<network_name>
network-name is whatever name you gave to innernet when you created the network.
That should do it. You should now have innernet and WireGuard running on your NAS and it should bring the network back up again if the NAS restarts. Let me know if you have any questions or comments! I’m @rschulman:westwork.org on Matrix and @RossSchulman on Twitter.