Backups are important. Offsite backups are even better. However, hosting a powerful NAS at a friend's place and making sure port forwarding is set up correctly so that you can access your NAS at all times as well as ensuring it doesn't become a target for attacks from the outside is a bit more tricky.

Enter tinc. As you may know, I'm quite a big fan of tinc, the mesh networking VPN. You can find my prior posts on tinc here. So, as I already had a network up and running, it was just a matter of having the Synology NAS become a host on my tinc network. That way, I would be able to access it as if it were on my local network and not have to worry about any port forwarding.

After a bit of research, I found a great little Docker container that would just run tinc: https://hub.docker.com/r/jenserat/tinc

As such, the goal here will be to connect your Synology NAS to your tinc network using a Docker container.

Configuring tinc

As with every tinc setup, it'll need configuration files to run and connect to your network.

Setup the configuration folder

Assuming you have Docker installed on your Synology NAS, you should have a folder on your volume called docker. Simply create a folder called tinc in here which we'll use to store our configuration files.
In the next steps we'll be using this folder which if you have a single volume will be /volume1/docker/tinc. Keep this in mind in case your folder differs as you'll need to change some of the commands below.

Generate keys for your Synology server

Now that we've got a folder to store our configuration files, we need to generate keys for the Synology server.
In order to generate these, simply run the following command:
sudo docker run -it --rm --volume /volume1/docker/tinc:/etc/tinc jenserat/tinc generate-keys

When asked for input, leave this default. Keep in mind that these are the file paths within the container, so changing them from default will not work. For that, you'll have to adjust the volume definition in the command above.

If all goes well, you'll see this:

Generating 2048 bits keys:
....................................+++ p
...........................+++ q
Done.
Please enter a file to save private RSA key to [/etc/tinc/rsa_key.priv]:
Please enter a file to save public RSA key to [/etc/tinc/rsa_key.pub]:
Generating Ed25519 keypair:
Done.
Please enter a file to save private Ed25519 key to [/etc/tinc/ed25519_key.priv]:
Please enter a file to save public Ed25519 key to [/etc/tinc/ed25519_key.pub]:

That's it. You should now see your keys in the tinc folder you created before. We'll get back to these files soon.

tinc configuration files

Now we'll have to create the 3 core configuration files in the tinc folder.

tinc.conf

This is the main configuration file, setting the name for your Synology server and telling it to which nodes it should connect to.

Name = remote-nas
AddressFamily = ipv4
ConnectTo = ams

The file above basically calls your Synology NAS remote-nas and tells it to connect to the ams node on start.

tinc-up

Here we'll configure the IP address within tinc for your NAS. In our case, as all of the nodes are within 10.0.0.0/8, we're assigning it an IP address in that range.

ifconfig $INTERFACE 10.254.0.11 netmask 255.0.0.0

tinc-down

We'll need to create the script to clean up the interface if tinc shuts down. The file simply needs to contain:

ifconfig $INTERFACE down

That's it for the configuration files.

Configuring the hosts

Now that we have created the core configuration for tinc, we need to add the hosts configuration. For that, simply create a folder called hosts in the tinc folder.

remote-nas

Let's start by creating the configuration file for your remote-nas.

-----BEGIN RSA PUBLIC KEY-----
COPY THE CONTENT OF rsa_key.pub from your tinc folder
-----END RSA PUBLIC KEY-----
Ed25519PublicKey = COPY THE CONTENT OF ed25519_key.pub from your tinc folder
Address = remote-nas.florianjensen.com # It's useful to set up a DynDNS and use that one here.
Subnet = 10.254.0.11/32 # This is the same IP address as we set up in tinc-up
Compression = 0

Copy your other host config files

Lastly, we're going to copy the configuration from our other nodes. In our case, this is the hosts file for ams. Simply place it in the hosts folder.

That's it. Everything should be configured.

Starting the tinc container

With everything configured, it's time to fire up our tinc container.

sudo docker run -d \
        --name tinc \
        --net=host \
        --device=/dev/net/tun \
        --cap-add NET_ADMIN \
        --volume /volume1/docker/tinc:/etc/tinc \
        jenserat/tinc start -D

Keep in mind that the -D makes sure the daemon stays active and does not actually daemonize, which would terminate the container.

Your container should now be connected to your tinc network. Once you have verified that everything is working as expected, you can configure the container to automatically restart after a reboot to ensure your remote NAS remains connected. Simply run the following command: sudo docker update --restart=always tinc

Closing

That's it! You should now have your Synology NAS connected through the docker container running tinc, on a secure private VPN network.