Backups are important. Offsite backups are even better. However, hosting a powerful NAS at a friend's place and making sure port forwarding is set up correctly so that you can access your NAS at all times as well as ensuring it doesn't become a target for attacks from the outside is a bit more tricky.
Enter tinc. As you may know, I'm quite a big fan of tinc, the mesh networking VPN. You can find my prior posts on tinc here. So, as I already had a network up and running, it was just a matter of having the Synology NAS become a host on my tinc network. That way, I would be able to access it as if it were on my local network and not have to worry about any port forwarding.
After a bit of research, I found a great little Docker container that would just run tinc: https://hub.docker.com/r/jenserat/tinc
As such, the goal here will be to connect your Synology NAS to your tinc network using a Docker container.
As with every tinc setup, it'll need configuration files to run and connect to your network.
Setup the configuration folder
Assuming you have Docker installed on your Synology NAS, you should have a folder on your volume called
docker. Simply create a folder called
tinc in here which we'll use to store our configuration files.
In the next steps we'll be using this folder which if you have a single volume will be
/volume1/docker/tinc. Keep this in mind in case your folder differs as you'll need to change some of the commands below.
Generate keys for your Synology server
Now that we've got a folder to store our configuration files, we need to generate keys for the Synology server.
In order to generate these, simply run the following command:
sudo docker run -it --rm --volume /volume1/docker/tinc:/etc/tinc jenserat/tinc generate-keys
When asked for input, leave this default. Keep in mind that these are the file paths within the container, so changing them from default will not work. For that, you'll have to adjust the volume definition in the command above.
If all goes well, you'll see this:
Generating 2048 bits keys:
Please enter a file to save private RSA key to [/etc/tinc/rsa_key.priv]:
Please enter a file to save public RSA key to [/etc/tinc/rsa_key.pub]:
Generating Ed25519 keypair:
Please enter a file to save private Ed25519 key to [/etc/tinc/ed25519_key.priv]:
Please enter a file to save public Ed25519 key to [/etc/tinc/ed25519_key.pub]:
That's it. You should now see your keys in the tinc folder you created before. We'll get back to these files soon.
tinc configuration files
Now we'll have to create the 3 core configuration files in the
This is the main configuration file, setting the name for your Synology server and telling it to which nodes it should connect to.
Name = remote-nas
AddressFamily = ipv4
ConnectTo = ams
The file above basically calls your Synology NAS
remote-nas and tells it to connect to the
ams node on start.
Here we'll configure the IP address within tinc for your NAS. In our case, as all of the nodes are within
10.0.0.0/8, we're assigning it an IP address in that range.
ifconfig $INTERFACE 10.254.0.11 netmask 255.0.0.0
We'll need to create the script to clean up the interface if tinc shuts down. The file simply needs to contain:
ifconfig $INTERFACE down
That's it for the configuration files.
Configuring the hosts
Now that we have created the core configuration for tinc, we need to add the hosts configuration. For that, simply create a folder called
hosts in the
Let's start by creating the configuration file for your
-----BEGIN RSA PUBLIC KEY-----
COPY THE CONTENT OF rsa_key.pub from your tinc folder
-----END RSA PUBLIC KEY-----
Ed25519PublicKey = COPY THE CONTENT OF ed25519_key.pub from your tinc folder
Address = remote-nas.florianjensen.com # It's useful to set up a DynDNS and use that one here.
Subnet = 10.254.0.11/32 # This is the same IP address as we set up in tinc-up
Compression = 0
Copy your other host config files
Lastly, we're going to copy the configuration from our other nodes. In our case, this is the hosts file for
ams. Simply place it in the hosts folder.
That's it. Everything should be configured.
Starting the tinc container
With everything configured, it's time to fire up our tinc container.
sudo docker run -d \
--name tinc \
--cap-add NET_ADMIN \
--volume /volume1/docker/tinc:/etc/tinc \
jenserat/tinc start -D
Keep in mind that the -D makes sure the daemon stays active and does not actually daemonize, which would terminate the container.
Your container should now be connected to your tinc network. Once you have verified that everything is working as expected, you can configure the container to automatically restart after a reboot to ensure your remote NAS remains connected. Simply run the following command:
sudo docker update --restart=always tinc
That's it! You should now have your Synology NAS connected through the docker container running tinc, on a secure private VPN network.
As the Docker image from jenserat is quite dated, I've made available an update Docker image under
florider89/tinc. Simply replace
jenserat/tinc with it and you'll be running the latest version of it.