WireGuard support for Synology NAS

This package adds WireGuard support for Synology NAS drives. It provides the WireGuard kernel module and the wg/wg-quick commands.

Disclaimer

You use everything here at your own risk. I am not responsible if this breaks your NAS. Realistically it should not result in data loss, but it could render your NAS unaccessible if something goes wrong.

If you are not comfortable with removing your drives from the NAS and manually recover the data, this might not be for you.

FAQ/Known issues

• The Dns = x.x.x.x setting is unsupported. If you try it you will get the following message: /usr/local/bin/wg-quick: line 31: resolvconf: command not found
• IPv6 is probably not supported (at least not using wg-quick). Due to the system version of iproute2 being too old. You'll get the error message Error: argument "suppress_prefixlength" is wrong: Failed to parse rule type.
• Everything appears to be OK when running wg show but no traffic is flowing through the tunnel. Apparently there is some kind of race when setting up the interface. The simplest known workaround is to append ; sleep 5; ip route add 10.0.0.0/16 dev wg0 to the PostUp rule. This assumes that your WireGuard IP subnet is 10.0.x.x. See issue #10 for more information.

PRs that solve these issues are welcome.

Installation

1. Check the releases page for SPKs for your platform and DSM version. If there is no SPK you have to compile it yourself using the instruction below.
2. (Not applicable for DSM from 7.0) In the Synology DSM web admin UI, open the Package Center and press the Settings button. Set the trust level to Any publisher and press OK to confirm.
3. In the Package Center, press the Manual install button and provide the SPK file. Follow the instructions until done.
4. (Only for DSM from 7.0) From DSM 7.0, an additional step is required for the WireGuard package to start. This is related to preventing packages not signed by Synology from running with root privileges. When installing the package, uncheck the run after installation option. After installing the package, connect to the NAS via SSH and run the sudo /var/packages/WireGuard/scripts/start command.

Now you just need to figure out how to configure WireGuard. There are lots of good guides on how to do that.

To put my WireGuard configuration on the NAS, I used SSH and created a wg-quick configuration in /etc/wireguard/wg0.conf. My configuration looks like this:

[Interface]
Address = 10.0.1.1/16
PrivateKey = <nas-private-key>
ListenPort = 16666
PostUp = iptables -A FORWARD -i %i -j ACCEPT; iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
PostDown = iptables -D FORWARD -i %i -j ACCEPT; iptables -t nat -D POSTROUTING -o eth0 -j MASQUERADE

[Peer]
PublicKey = <peer-public-key>
AllowedIPs = 10.0.1.2/32

Note that you need to modify the rules if your network interface is not eth0. You can check which name your interface has by running ip a in an SSH session.

Adding WireGuard to autostart

DSM since version 7.0 comes with systemd unit support, while for previous versions you can use the built-in upstart. To standardize the process of adding the WireGuard interface to the autostart, a simple wg-autostart script has been developed.

Important note: before adding the interface to the autostart, start it manually by sudo wg-quick up wg0 ensure that it does not cause the system to crash and that you can still access your NAS properly. Otherwise, you may not be able to start the NAS or you may not be able to access the device after a reboot.

To add the wg0 interface to the autostart, run the command:

sudo wg-autostart enable wg0

To remove the wg0 interface from the autostart, run the command:

sudo wg-autostart disable wg0

Compiling

I've used docker to compile everything, as pkgscripts-ng clutters the file system quite a bit. First create a docker image by running the following command in this repository:

git clone https://github.com/runfalk/synology-wireguard.git
cd synology-wireguard/
sudo docker build -t synobuild .

Now we can build for any platform and DSM version using:

sudo docker run --rm --privileged --env PACKAGE_ARCH=<arch> --env DSM_VER=<dsm-ver> -v $(pwd)/artifacts:/result_spk synobuild

You should replace <arch> with your NAS's package arch. Using this table you can figure out which one to use. Note that the package arch must be lowercase. <dsm-ver> should be replaced with the version of DSM you are compiling for.

For the DS218j that I have, the complete command looks like this:

mkdir $(pwd)/artifacts
sudo docker run --rm --privileged --env PACKAGE_ARCH=armada38x --env DSM_VER=6.2 -v $(pwd)/artifacts:/result_spk synobuild

If everything worked you should have a directory called artifacts that contains your SPK files.

Avoiding timeouts when downloading build files

It can take a long time to pull development files from SourceForge, including occasional timeouts. To get around this, create a folder locally and map it to the /toolkit_tarballs Docker volume using the following command: -v $(pwd)/<path/to/folder>:/toolkit_tarballs to the docker run command listed above. This will allow the development files to be stored on your host machine instead of ephemerally in the container. The image will check for existing development files in that folder and will use them instead of pulling them from SourceForge when possible. You can also download the files directly and put them in the folder you created by downloading them from here: https://sourceforge.net/projects/dsgpl/files/toolkit/DSM<DSM_VER> (e.g. https://sourceforge.net/projects/dsgpl/files/toolkit/DSM6.2)

Credits

I based a lot of this work on this guide by Reddit user akhener. However, I had to modify their instructions a lot since my NAS has an ARM CPU which made cross compilation a lot trickier.

GitHub user galaxysd made a guide on how to enable iptables NAT support.