๐Ÿ’ก
This article is the first out of the two Wireguard ones. This article is about building your SPK package for your Synology NAS using Docker in order to enable Wireguard support! For information on how to run your Wireguard server on your NAS use the second article, Wireguard VPN for your Synology NAS.
๐Ÿ”ˆ
INFO: 26/08/2024 - SPKs under the 7.2 section work with the new DSM 7.2.2-72803 that has been released today.

WG SPK running under DSM 7.2.2
๐Ÿ”ˆ
INFO: 15/11/2023 - SPKs under the 7.2 section work with the new DSM 7.2.1-69057 that has been released today including UP1-UP5.

๐Ÿ“ข
INFO: 24/08/2023 - Added (finally) the DSM 7.2 Braswell and RTD1619B SPK to the list! Many thanks to Orphee for the help on this build!


SPKs for DSM 6.2

Denverton models:
DVA3221, RS820+/RS820RP+, DS2419+II, DS2419+, DS1819+, DVA3219, RS2818RP+, RS2418+/RS2418RP+, DS1618+


SPKs for DSM 7.1

๐Ÿ’ก
In case you are getting into the error 93 problems described below, or you do not want to build your own SPKs, here are the ones that I have already compiled for the CPU architectures that were requested.

Use this page to identify your Synology CPU architecture.

Apollolake models:
DS620slim, DS1019+, DS918+, DS718+, DS418play*, DS218+

Avoton models:
RS1219+, RS818+/RS818RP+, DS1817+, DS1517+, RS2416+/RS2416RP+, RS815+/RS815RP+, DS2415+, DS1815+, DS1515+, DS415+

Braswell models:
DS916+, DS716+II, DS716+, DS416play, DS216+II, DS216+

Broadwellnk models:
FS3600, FS1018, SA3600, SA3400, DS3622xs+, RS4021xs+, RS3621xs+, RS3621RPxs, DS1621xs+, RS1619xs+, DS3018xs

Cedarview models:
DS713+, DS1513+, DS1813+ DS2413+, RS814+, RS2414+,

Denverton models:
DVA3221, RS820+/RS820RP+, DS2419+II, DS2419+, DS1819+, DVA3219, RS2818RP+, RS2418+/RS2418RP+, DS1618+

Geminilake models:
DVA1622, DS1520+, DS920+, DS720+, DS420+, DS220+, DS423+, DS224+

R1000 models:
RS422+, DS1522+, DS923+, DS723+

v1000 models:
FS2500, RS822+/RS822RP+, DS2422+, RS2821RP+, RS2423+/RS2423RP+, RS2421+/RS2421RP+, RS1221+/RS1221RP+, DS1821+, DS1621+

vDSM:


SPKs for DSM 7.2

โš ๏ธ
NOTE: After installing the package (following the steps below), be sure to reboot the NAS, and then log in via SSH as root to run the startup script! Also, if you are already running WG under DSM 7.1, be sure to uninstall it and reinstall it after you install DSM 7.2 if there is "invalid file format" error!

Apollolake models:
DS620slim, DS1019+, DS918+, DS718+, DS418play*, DS218+

Avoton models:
RS1219+, RS818+/RS818RP+, DS1817+, DS1517+, RS2416+/RS2416RP+, RS815+/RS815RP+, DS2415+, DS1815+, DS1515+, DS415+

Armada37xx models:
DS119j, DS120j

Armada38x models:
DS419slim, DS218j, RS217, RS816, DS416j, DS416slim, DS216, DS216j, DS116

Braswell models:
DS916+, DS716+II, DS716+, DS416play, DS216+II, DS216+

Broadwell models:
FS3400, FS2017, RS3618xs, RS18017xs+, RS4017xs+, RS3617xs+, RS3617RPxs, DS3617xsII, DS3617xs

Broadwellnk models:
FS3600, FS1018, SA3600, SA3400, DS3622xs+, RS4021xs+, RS3621xs+, RS3621RPxs, DS1621xs+, RS1619xs+, DS3018xs

Denverton models:
DVA3221, RS820+/RS820RP+, DS2419+II, DS2419+, DS1819+, DVA3219, RS2818RP+, RS2418+/RS2418RP+, DS1618+

Epyc 7002 models:
SA6400

Geminilake models:
DVA1622, DS1520+, DS920+, DS720+, DS420+, DS220+, DS423+, DS224+

R1000 models:
RS422+, DS1522+, DS923+, DS723+

RTD1296 models:
DS420j, DS220j, RS819, DS418, DS418j, DS218, DS218play, DS118

RTD1619B models:
DS124, DS423, DS223j, DS223

v1000 models:
FS2500, RS822+/RS822RP+, DS2422+, RS2821RP+, RS2423+/RS2423RP+, RS2421+/RS2421RP+, RS1221+/RS1221RP+, DS1821+, DS1621+

vDSM:


If you have ever tried to connect outside your LAN back into it in order to get to certain content or devices, you were probably quickly suggested to make a VPN connection as a prerequisite.

While VPN is still the most secure way to do it, there are various methods, protocols, and solutions to do it. In the linked article above, you can find what methods Synology uses in its VPN package, but they are yet to support a new player in this field, Wireguard.

In short, Wireguard is a new standard and protocol that has made huge leaps in performance over a very popular OpenVPN or IPSec. While still not implemented out of the box as other protocols, it will be soon enough.

So what is this all about then? Well if you want to use your NAS as a Wireguard server or client you will need to have certain modules in place in order to be able to use it. As it was said, Synology still doesn't officially support it, but you can install 3rd party packages that will solve this problem.

โš ๏ธ
WARNING: This article contains steps that will require you to have root access to your NAS, knowledge of Docker, and ultimately install 3rd party package to your NAS. If you are not comfortable with this, best not get into it. Also, the author of this article takes zero responsibility if any step will cause any problems with your NAS setup. You have been warned!

This article will help you describe what you need to do (and how to do it) in order to get a valid Wireguard SPK (DSM Package Centar compatible installer) for your NAS CPU architecture, and if all else fails, build your own with Docker.

๐Ÿ—’๏ธ
NOTE: Even though Docker is used in this article, this does not mean that you will have to have a Docker-capable NAS in order to be able to install the SPK. Still saying this, both server and client Wireguard deployments out there are mostly in a container (Docker) form, but you can install them on your NAS in bare metal form as well, hence why you do not need Docker as mandatory.

First off, the credits go to Andreas Runfalk for making the effort to make this happen. His Github repository has all the info that I will cover in this article, but I will show the execution of it as well on a real-world device.

The already precompiled list of Wireguard SPK packages (for DSM 6.2) can be found here. If your device is not on the list, or you are looking for how to make this happen for DSM 7.1, keep reading.

Using the process described on the Github repository, you can make your own Docker images, and of course containers, that will be used to build the valid SPKs that you need.

I have already done that for both DSM 6.2 and 7.1. So if you want to get into the action, just use them by following the process below.

Wireguard SPK Docker images (6.2, 7.1 and 7.2)

All images are uploaded to hub.docker.com, so you are welcome to pull them and build your own SPK.

Each image is used identically, depending on the DSM in question, so make sure that you are using the correct one.

blackvoidclub/synowgbuild - Wireguard SPK builder for DSM 6.2

blackvoidclub/synobuild71 - Wireguard SPK builder for DSM 7.1

blackvoidclub/synobuild72 - Wireguard SPK builder for DSM 7.2

How do build an SPK?

As with any Docker operation, you will need to use it with root account on your NAS via SSH.

Make sure that you have access to your NAS via SSH by enabling it via Control Panel > Terminal and SNMP, and activating the SSH checkbox.

Next, use any SSH-compatible application (like Terminal on macOS, or Putty on Windows), and log in with your default DSM user.

Once that is done, elevate to root by entering sudo -i command and repeat your default password. This will land you at the root command prompt, and you will be ready to move along.

Now that you have root access make sure to run the following command as a single line but before that change two (2) parameters needed.

sudo docker run --rm --privileged --env PACKAGE_ARCH=<yourNASarch> --env DSM_VER=7.1 -v /volume1/docker/synowirespk71:/result_spk blackvoidclub/synobuild71

The Docker run command takes PACKAGE_ARCH and DSM_VER parameters that you need to change depending on your NAS and its DSM version.

To get your NAS CPU architecture, consult the following Synology KB article.

Examples of values that you can put in here are:

    apollolake
    armada38x
    avoton
    braswell
    broadwell
    broadwellnk
    bromolow
    cedarview
    denverton
    geminilake
    kvmx64
    monaco
    rtd1296
    x64

The DSM_VER parameter needs to be set to either to 6.2, 7.1 or 7.2 depending on your need and of course what image you are using.

Finally, add the location that will be a volume bound to the container's result_spk folder by doing it like this:/your_local_folder_path:/result_spk.

Optionally we can use this single-line command line that includes the local folder of the already downloaded toolkits, to improve the speed of the process:

docker run --rm --privileged --env PACKAGE_ARCH=<yourNASarch> --env DSM_VER=7.1 -v /volume1/docker/toolkit_tarballs:/toolkit_tarballs -v /volume1/docker/synowirespk71:/result_spk blackvoidclub/synobuild71

Again, make sure that the local toolkit location already exists at the mentioned location of your choice.

Executing the 7.1 build for Apollolake NAS (DS718+/DS918+)

You will have to be patient with the progress as it can take a long time (about 10 minutes or so) to pull the corresponding toolkit, so just let it do its thing.

Cloning into 'pkgscripts-ng'...
[2022-07-21 13:10:49,508] INFO: Download... https://dataupdate7.synology.com/toolchain/v1/get_download_list?identify=toolkit&version=7.1&platform=base
[2022-07-21 13:11:18,372] INFO: Download... https://dataupdate7.synology.com/toolchain/v1/get_download_list?identify=toolkit&version=7.1&platform=apollolake
[2022-07-21 13:15:09,513] INFO: tar -xhf /toolkit_tarballs/base_env-7.1.txz -C /build_env/ds.apollolake-7.1
[2022-07-21 13:18:23,801] INFO: tar -xhf /toolkit_tarballs/ds.apollolake-7.1.env.txz -C /build_env/ds.apollolake-7.1
[2022-07-21 13:19:36,459] INFO: tar -xhf /toolkit_tarballs/ds.apollolake-7.1.dev.txz -C /build_env/ds.apollolake-7.1
[2022-07-21 13:21:12,766] INFO: All task finished.
--2022-07-21 13:21:12--  https://crt.sh/?d=8395
Resolving crt.sh (crt.sh)... 91.199.212.73, 2a0e:ac00:c7:d449::5bc7:d449
Connecting to crt.sh (crt.sh)|91.199.212.73|:443... connected.
HTTP request sent, awaiting response... 200 OK
Length: 1200 (1.2K) [application/pkix-cert]
Saving to: 'DSTRootCAX3_Extended.crt'

     0K .                                                     100%  608M=0s

2022-07-21 13:21:13 (608 MB/s) - 'DSTRootCAX3_Extended.crt' saved [1200/1200]

Once that is all done, the rest will go real quick, generating a long (and I do mean long) log. The task of creating the SPK will be another minute or so and you are done!

----------------- Time cost statistics -----------------
Time cost: 00:01:11 [Build-->WireGuard]

1 projects, 0 failed, 0 blocked.

The final project will be an SPK file that will have a similar name, depending on your CPU architecture, WireGuard-apollolake-1.0.20220627.spk.

Install and start the Wireguard SPK

Now that you know how to build any SPK needed, it is time to install it and run it so that your NAS will be ready for future Wireguard operations.

Log into your NAS, and open Package Center. Use the Manual install button and locate the SPK in order to upload and install it.

โ€ผ๏ธ
NOTE: Make sure to uncheck the option to run the package after installation. You will run the package via SSH after the installation is complete.

Select the SPK for your NAS and move to the next step
Click Yes to continue
Uncheck the option Run after installation, and apply
โš ๏ธ
NOTE: If you are on DSM 7.2 be sure to reboot the NAS before running the startup script!

Next, jump back to the SSH prompt as root and run the following command to start the package: /var/packages/WireGuard/scripts/start.

Once that is done, a quick check inside the Package Center will also confirm that Wireguard support is running.

Wireguard support is ready!

That's it. Your NAS now has Wireguard support and is ready to be configured as a Wireguard server or client.

๐Ÿ—’๏ธ
NOTE: the package will automatically start after a NAS reboot for example following a DSM update

ERROR: line 93: /dev/null: Permission denied

In case you have tried to follow this article and failed to run this on your own, one of the reasons might be the line 93: /dev/null: Permission denied error. There is an open ticket on GitHub for this particular matter, so try and follow it in case there will be development on that front.

Some users have found out that running this image on a different machine runs just fine, and in some other cases, it does not. At the moment I have no idea why this is happening, as I am unable to reproduce the issue (on any of my 4 NAS boxes).

If you do get in a similar situation, let me know in the comment section below, or contact me over the support chat (upper right corner of the site, visible on desktop only), and I will gladly build you an SPK for your model.


In the follow-up article, we will see how you can configure an incoming Wireguard VPN server that will serve as your "access point" from outside your network as an alternative to popular VPN methods linked at the start of this article.

Comment on the topic in the section below if you have any questions, or suggestions on the matter.