How to install Zerotier VPN on Synology NAS
This article walks through installing Zerotier VPN on a Synology NAS, step by step. We will install, configure and deploy the VPN by running Zerotier in Docker, that is, as a Docker container. This will allow us to connect to our Synology more securely. Docker is needed because the DiskStation Manager (DSM) firmware, from version 7 onward, no longer allows apps to run as root.
Zerotier has built a Docker version of their VPN client, which lets us run Zerotier on our Synology with ease and connect to the Synology via VPN.
We’ll be following the steps from the Zerotier documentation.
What’s a Zerotier VPN?
Zerotier VPN (actually named Zerotier One) is a VPN solution with its own protocol (they developed it themselves), which runs over P2P (peer-to-peer), end-to-end encrypted connections between endpoints. Zerotier combines VPN and SD-WAN technologies, which makes it easier to manage the network and the connected devices while keeping latency as low as possible.
For an end user, the client devices only need the Zerotier client installed; the rest is managed from the Zerotier dashboard. That is what we’ll be using to install Zerotier on the Synology NAS. They provide a free tier plan where you can add up to 50 client devices on one account.
Enable SSH access and prepare Synology for the Docker installation
NOTE – this process requires SSH root access, so be careful which commands you run; to minimize errors, just copy and paste the commands from the Zerotier documentation.
Log in to your Synology, navigate to the SSH settings from the Control panel and activate the SSH service:
Once the service is activated, open an SSH connection to your Synology from a terminal and log in (the username and password should be the same as for the main account you use to log in to the Synology web dashboard):
Once you are logged in to your Synology, switch to the root account, create a new script and make it executable. The commands are shown below and are also provided in the Zerotier documentation:
sudo -i
echo -e '#!/bin/sh -e \ninsmod /lib/modules/tun.ko' > /usr/local/etc/rc.d/tun.sh
chmod a+x /usr/local/etc/rc.d/tun.sh
/usr/local/etc/rc.d/tun.sh
ls /dev/net/tun
# expected output of the ls command above:
/dev/net/tun
The script “/usr/local/etc/rc.d/tun.sh” only needs to be run once. The commands we just ran set up the virtual TUN network interface that will be used for our VPN connection. The final “/dev/net/tun” line in the listing is the output of the ls command, not a command to run.
Install Docker on Synology
From the Package Center, search for Docker and click Install.
After the Docker installation, return to the Synology terminal and connect via SSH again.
Install Zerotier Docker container on Synology
In the Synology terminal, run the following commands to install the Zerotier Docker container.
Create a directory for the Zerotier Docker container:
Then deploy the Docker container with this command:
docker run -d \
  --name zt \
  --restart=always \
  --device=/dev/net/tun \
  --net=host \
  --cap-add=NET_ADMIN \
  --cap-add=SYS_ADMIN \
  -v /var/lib/zerotier-one:/var/lib/zerotier-one \
  zerotier/zerotier-synology:latest
You can double-check that the Docker container is running properly with the following command; you can also see it in the Docker dashboard in Synology.
docker exec -it zt zerotier-cli status
Add Synology on the Zerotier network and test the connection
The next step is to connect our Synology to our Zerotier network. To join the network, we need the Network ID from the Zerotier dashboard.
Back in the terminal, run the following command with the network ID. This command will connect our Synology to our Zerotier network.
docker exec -it zt zerotier-cli join "zerotier-network-id-number"
After running that command, return to the Zerotier dashboard and allow the Synology into the network so that it is able to connect to the Zerotier network.
Test the connection from outside your network by trying to access the Synology at the address Zerotier has provided, or from a phone with the Zerotier VPN client; you should be able to access the Synology.
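The checks from the steps above (TUN device present, container online, network membership allowed) collected into one script. This is an added example, not part of the original article or the Zerotier documentation; the function names are hypothetical, the sample output is constructed, and it uses the zerotier-cli listnetworks subcommand, which the article itself does not run.

```shell
#!/bin/sh
# Added example: post-install checks for the steps above. Sample data is constructed.

# /dev/net/tun is a device node, not a program: test it, do not execute it.
check_tun() {
    dev="${1:-/dev/net/tun}"
    [ -e "$dev" ] || { echo "missing"; return 1; }
    [ -c "$dev" ] || { echo "not-a-char-device"; return 1; }
    [ -r "$dev" ] && [ -w "$dev" ] || { echo "not-read-write"; return 1; }
    echo "ok"
}

# Reads `zerotier-cli status` on stdin: 200 info <node-id> <version> <state>
node_state() {
    awk '$1 == "200" && $2 == "info" { print $5; found = 1; exit }
         END { if (!found) print "UNKNOWN" }'
}

# Reads `zerotier-cli listnetworks` on stdin and prints the status of network $1.
# The status is located by token, not by column, so a network name that is
# empty or contains spaces does not shift the result.
network_state() {
    awk -v id="$1" '
        $1 == "200" && $2 == "listnetworks" && $3 == id {
            for (i = 4; i <= NF; i++)
                if ($i ~ /^(OK|ACCESS_DENIED|REQUESTING_CONFIGURATION|NOT_FOUND|PORT_ERROR)$/) {
                    print $i; found = 1; exit
                }
        }
        END { if (!found) print "NOT_JOINED" }'
}

# Constructed samples (IDs, names and addresses are made up).
SAMPLE_STATUS='200 info 0a1b2c3d4e 1.10.2 ONLINE'
SAMPLE_NETWORKS='200 listnetworks <nwid> <name> <mac> <status> <type> <dev> <ZT assigned ips>
200 listnetworks 0123456789abcdef  aa:bb:cc:dd:ee:01 ACCESS_DENIED PRIVATE ztexample0 -
200 listnetworks fedcba9876543210 home lab aa:bb:cc:dd:ee:02 OK PRIVATE ztexample1 10.147.17.5/24'

# On the NAS (no -t, so the output has no carriage returns):
#   check_tun
#   docker exec zt zerotier-cli status | node_state                 # expect ONLINE
#   docker exec zt zerotier-cli listnetworks | network_state <id>   # OK once allowed
```

A status of ACCESS_DENIED after joining means the Synology has not yet been allowed into the network from the Zerotier dashboard.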
To summarize – we covered the steps to install Zerotier VPN on a Synology NAS. We installed Zerotier VPN with Docker on our Synology and have it running as a Docker container. We also added our Synology to our Zerotier network and in that way enabled the VPN connection between our Synology, the Zerotier network and the other devices we have in Zerotier.
With this method, we can connect to our Synology more securely and avoid exposing the Synology publicly, with the added benefit of easier management of our VPN network.
Thank you for your time…
Thanks for your guide. Is there any way to access the local network using Zerotier on Synology? I want to access my local network by connecting to the NAS.
Appreciate your help.
Thanks for taking time to comment, appreciate it…
I haven’t tested this yet, but it should be possible to access the local network if you set a static route on your Synology (network settings) which routes the Zerotier subnet and your local network. I’m just not quite sure whether it is enough to add the Zerotier subnet in the route or whether it requires the subnet of that Docker network (since Docker is used to deploy the Zerotier client) as well. Try it out and see if you can exec into the Docker container (access the shell) and ping your local network. If the ping can reach your network, then the Zerotier subnet needs to be added in the static route. Also, the Synology firewall may block the connection in this case. If you get the output “request timed out”, disable the Synology firewall temporarily, and if the firewall blocks the traffic, create a new rule to allow the traffic.
Hoping this will help…
I have the latest Synology 7 installed. Unfortunately, while running the last command ‘/dev/net/tun’ I am getting:
[email protected]:~# /dev/net/tun
-ash: /dev/net/tun: Permission denied
Is that expected?
Thanks for commenting.
That outcome is not expected and could mean that “/dev/net/tun” doesn’t have the proper file permissions. The correct file permissions should be – “crw-rw-rw-“.
Try fixing the permissions with the command:
chmod 666 /dev/net/tun
And then try running it again.