This package adds WireGuard support for Synology NAS drives. It provides the WireGuard kernel module and the wg/wg-quick commands.
You use everything here at your own risk. I am not responsible if this breaks your NAS. Realistically it should not result in data loss, but it could render your NAS inaccessible if something goes wrong.
If you are not comfortable with removing your drives from the NAS and manually recovering the data, this might not be for you.
All models marked Is working have been confirmed by users to work. If your model has the same platform as one of the working ones, chances are it will work for you too.
Model | Platform | DSM Version | Is working? |
DS114 | armada370 | N/A | No (Kernel version too old) |
DS115j | armada370 | N/A | No (Kernel version too old) |
DS1817+ | avoton | 6.2 | Yes |
DS213j | armada370 | N/A | No (Kernel version too old) |
DS214play | armada370 | N/A | No (Kernel version too old) |
DS214se | armada370 | N/A | No (Kernel version too old) |
DS216se | armada370 | N/A | No (Kernel version too old) |
DS218+ | apollolake | 6.2 | Yes |
DS218j | armada38x | 6.2 | Yes |
DS414slim | armada370 | N/A | No (Kernel version too old) |
DS713+ | cedarview | 6.2 | Yes |
DS918+ | apollolake | 6.2 | Yes |
RS214 | armada370 | N/A | No (Kernel version too old) |
The minimum required kernel version is 3.10. If you have a kernel version lower than that, WireGuard will not work. You can check your kernel version by logging in through SSH and running the uname -a command.
Check the releases page for SPKs for your platform. If there is no SPK you have to compile it yourself using the instructions below.
- In the Synology DSM web admin UI, open the Package Center and press the Settings button.
- Set the trust level to Any publisher and press OK to confirm.
- Press the Manual install button and provide the SPK file. Follow the instructions until done.
Now you just need to figure out how to configure WireGuard. There are lots of good guides on how to do that.
To put my WireGuard configuration on the NAS, I used SSH and created a wg-quick configuration in /etc/wireguard/wg0.conf. Then I opened the Control panel, opened the Task scheduler and created a Triggered task that runs wg-quick up wg0 on startup.
When running iptables in the PostUp and PostDown rules I needed to toggle the interface to make it work. My full startup task looks like this:
sleep 60
wg-quick up wg0
sleep 5
wg-quick down wg0
sleep 5
wg-quick up wg0
My /etc/wireguard/wg0.conf looks like this:
[Interface]
Address = 10.0.1.1/16
PrivateKey = <nas-private-key>
ListenPort = 16666
PostUp = iptables -A FORWARD -i %i -j ACCEPT; iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
PostDown = iptables -D FORWARD -i %i -j ACCEPT; iptables -t nat -D POSTROUTING -o eth0 -j MASQUERADE

[Peer]
PublicKey = <peer-public-key>
AllowedIPs = 10.0.1.2/32
Note that you need to modify the rules if your network interface is not eth0. You can check which name your interface has by running ip a in an SSH session.
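The two checks mentioned above (kernel version at least 3.10, and PostUp/PostDown naming the interface your traffic actually leaves on) can be scripted. This is an added example, not part of this package; the function names, sample_conf and the two sample route strings are constructed for illustration.

```shell
#!/bin/sh
# Added example; function names and sample data are assumptions for illustration.

# kernel_ok RELEASE: succeed if RELEASE (as printed by `uname -r`) is >= 3.10.
kernel_ok() {
    major=${1%%.*}; rest=${1#*.}; minor=${rest%%[!0-9]*}
    [ "$major" -gt 3 ] || { [ "$major" -eq 3 ] && [ "${minor:-0}" -ge 10 ]; }
}

# nat_ifaces CONF: list the interfaces named after "-o" in PostUp/PostDown.
nat_ifaces() {
    awk '/^[ \t]*Post(Up|Down)[ \t]*=/ {
        n = split($0, w, /[ \t;]+/)
        for (i = 1; i < n; i++) if (w[i] == "-o") print w[i + 1]
    }' "$1" | sort -u
}

# default_iface ROUTES: device of the default route in `ip route` output.
default_iface() {
    printf '%s\n' "$1" | awk '$1 == "default" {
        for (i = 2; i < NF; i++) if ($i == "dev") { print $(i + 1); exit }
    }'
}

# check_nat CONF ROUTES: 0 if every "-o" interface is the default-route device,
# 1 on a mismatch, 2 if ROUTES has no default route.
check_nat() {
    want=$(default_iface "$2")
    [ -n "$want" ] || return 2
    for have in $(nat_ifaces "$1"); do
        [ "$have" = "$want" ] && continue
        echo "NAT rules use $have but the default route uses $want" >&2
        return 1
    done
}

# Constructed sample input: the PostUp/PostDown lines from the config above
# and two made-up `ip route` outputs.
sample_conf() {
    cat <<'EOF'
[Interface]
PostUp = iptables -A FORWARD -i %i -j ACCEPT; iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
PostDown = iptables -D FORWARD -i %i -j ACCEPT; iptables -t nat -D POSTROUTING -o eth0 -j MASQUERADE
EOF
}
ROUTES_ETH0='default via 192.168.1.1 dev eth0 src 192.168.1.20'
ROUTES_OTHER='default via 192.168.1.1 dev ovs_eth0 src 192.168.1.20'

# On the NAS: kernel_ok "$(uname -r)" && check_nat /etc/wireguard/wg0.conf "$(ip route)"
```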
I've used docker to compile everything, as pkgscripts-ng clutters the file system quite a bit. First create a docker image by running the following commands:
git clone https://github.com/runfalk/synology-wireguard.git
cd synology-wireguard/
sudo docker build -t synobuild .
Now we can build for any platform and DSM version using:
sudo docker run --rm --privileged --env PACKAGE_ARCH=<arch> --env DSM_VER=<dsm-ver> -v $(pwd)/artifacts:/result_spk synobuild
You should replace <arch> with your NAS's package arch. Using this table you can figure out which one to use. Note that the package arch must be lowercase. <dsm-ver> should be replaced with the version of DSM you are compiling for.
For the DS218j that I have, the complete command looks like this:
sudo docker run --rm --privileged --env PACKAGE_ARCH=armada38x --env DSM_VER=6.2 -v $(pwd)/artifacts:/result_spk synobuild
If everything worked you should have a directory called artifacts that contains your SPK files.
I based a lot of this work on this guide by Reddit user akhener. However, I had to modify their instructions a lot since my NAS has an ARM CPU which made cross compilation a lot trickier.
GitHub user galaxysd made a guide on how to enable iptables NAT support.