If you have ever tried to connect outside your LAN back into it in order to get to certain content or devices, you were probably quickly suggested to make a VPN connection as a prerequisite.
While VPN is still the most secure way to do it, there are various methods, protocols, and solutions to do it. In the linked article above, you can find what methods Synology uses in its VPN package, but they are yet to support a new player in this field, Wireguard.
In short, Wireguard is a new standard and protocol that has made huge leaps in performance over a very popular OpenVPN or IPSec. While still not implemented out of the box as other protocols, it will be soon enough.
So what is this all about then? Well if you want to use your NAS as a Wireguard server or client you will need to have certain modules in place in order to be able to use it. Like it was said, Synology still doesn't officially support it, but you can install 3rd party packages that will solve this problem.
This article will help you describe what you need to do (and how to do it) in order to get a valid Wireguard SPK (DSM Package Centar compatible installer) for your NAS CPU architecture, and if all else fails, build your own with Docker.
First off, credits go to Andreas Runfalk for making the effort to make this happen. His Github repository has all the info that I will cover in this article, but I will show the execution of it as well on a real-world device.
The already precompiled list of Wireguard SPK packages (for DSM 6.2) can be found here. If your device is not on the list, or you are looking for how to make this happen for DSM 7.1, keep reading.
Using the process described on the Github repository, you can make your own Docker images, and of course containers, that will be used to build the valid SPKs that you need.
I have already done that for both DSM 6.2 and 7.1. So if you want to get into the action, just use them by following the process below.
Wireguard SPK Docker images (6.2 and 7.1)
Both images are uploaded to hub.docker.com, so you are welcome to pull them and build your own SPK.
Each image is used identically, depending on the DSM in question, so make sure that you are using the correct one.
blackvoidclub/synobuild62 - Wireguard SPK builder for DSM 6.2
blackvoidclub/synobuild71 - Wireguard SPK builder for DSM 7.1
How do build an SPK?
As with any Docker operation, you will need to use it with
root account on your NAS via
Make sure that you have access to your NAS via SSH by enabling it via Control Panel > Terminal and SNMP, and activating the SSH checkbox.
Next, use any SSH-compatible application (like Terminal on macOS, or Putty on Windows), and log in with your default DSM user.
Once that is done, elevate to
root by entering
sudo -i command and repeat your default password. This will land you at the root command prompt, and you will be ready to move along.
Now that you have root access make sure to run the following command as a single line but before that change two (2) parameters needed.
sudo docker run --rm --privileged --env PACKAGE_ARCH=<yourNASarch> --env DSM_VER=7.1 -v /volume1/docker/synowirespk71:/result_spk blackvoidclub/synobuild71
The Docker run command takes
DSM_VER parameters that you need to change depending on your NAS and its DSM version.
To get your NAS CPU architecture, consult the following Synology KB article.
Examples of values that you can put in here are:
apollolake armada38x avoton braswell broadwell broadwellnk bromolow cedarview denverton geminilake kvmx64 monaco rtd1296 x64
DSM_VER parameter needs to be set to either to
7.1 depending on your need and of course what image you are using.
Finally, add the location that will be a volume bind to the container's
result_spk folder by doing it like this:
You will have to be patient with the progress as it can take a long time (about 10min or so) to pull the corresponding toolkit, so just let it do its thing.
Cloning into 'pkgscripts-ng'... [2022-07-21 13:10:49,508] INFO: Download... https://dataupdate7.synology.com/toolchain/v1/get_download_list?identify=toolkit&version=7.1&platform=base [2022-07-21 13:11:18,372] INFO: Download... https://dataupdate7.synology.com/toolchain/v1/get_download_list?identify=toolkit&version=7.1&platform=apollolake [2022-07-21 13:15:09,513] INFO: tar -xhf /toolkit_tarballs/base_env-7.1.txz -C /build_env/ds.apollolake-7.1 [2022-07-21 13:18:23,801] INFO: tar -xhf /toolkit_tarballs/ds.apollolake-7.1.env.txz -C /build_env/ds.apollolake-7.1 [2022-07-21 13:19:36,459] INFO: tar -xhf /toolkit_tarballs/ds.apollolake-7.1.dev.txz -C /build_env/ds.apollolake-7.1 [2022-07-21 13:21:12,766] INFO: All task finished. --2022-07-21 13:21:12-- https://crt.sh/?d=8395 Resolving crt.sh (crt.sh)... 22.214.171.124, 2a0e:ac00:c7:d449::5bc7:d449 Connecting to crt.sh (crt.sh)|126.96.36.199|:443... connected. HTTP request sent, awaiting response... 200 OK Length: 1200 (1.2K) [application/pkix-cert] Saving to: 'DSTRootCAX3_Extended.crt' 0K . 100% 608M=0s 2022-07-21 13:21:13 (608 MB/s) - 'DSTRootCAX3_Extended.crt' saved [1200/1200]
Once that is all done, the rest will go real quick, generating a long (and I do mean long) log. The task of creating the SPK will be another minute or so and you are done!
----------------- Time cost statistics ----------------- Time cost: 00:01:11 [Build-->WireGuard] 1 projects, 0 failed, 0 blocked.
The final project will be an SPK file that will have a similar name, depending on your CPU architecture,
Install and start the Wireguard SPK
Now that you know how to build any SPK needed, it is time to install it and run it so that your NAS will be ready for future Wireguard operations.
Log into your NAS, and open Package Center. Use the Manual install button and locate the SPK in order to upload it and install it.
Next, jump back to the SSH prompt as
root and run the following command to start the package:
Once that is done, a quick check inside the Package Center will also confirm that Wireguard support is running.
That's it. Your NAS now has Wireguard support and is ready to be configured as a Wireguard server or client.
ERROR: line 93: /dev/null: Permission denied
In case you have tried to follow this article and failed to run this on your own, one of the reasons might be the
line 93: /dev/null: Permission denied error. There is an open ticket on GitHub for this particular matter, so try and follow it in case there will be development on that front.
Some users have found out that running this image on a different machine runs just fine, and in some other cases, it does not. At the moment I have no idea why this is happening, as I am unable to reproduce the issue (on any of my 4 NAS boxes).
If you do get in a similar situation, let me know in the comment section below, or contact me over the Rocker Chat icon (upper right corner of the site, visible on desktop only), and I will gladly build you an SPK for your model.
In the follow-up article, we will see how you can configure an incoming Wireguard VPN server that will serve as your "access point" from outside your network as an alternative to popular VPN methods linked at the start of this article.
Comment on the topic in the section below if you have any questions, or suggestions on the matter.