Setting up WireGuard on Synology DSM 7 using Docker and Gluetun
At the time of writing Synology DiskStation Manager (DSM) v7.2.2-72806 is running on Linux v4.4.4 which doesn’t support WireGuard. It doesn’t look like Synology is interested in adding WireGuard support the way OpenVPN is supported. So if you want certain services on your Synology NAS to connect through WireGuard, you’ll need a workaround. One workaround is to establish a WireGuard connection using Gluetun in Docker. Then have containerized services do their networking through this Gluetun container. The caveat is that whatever services you want to go through a WireGuard tunnel will need to be containerized. This guide is intended for those comfortable with the command line , SSH, and Docker. You’ll need Container Manager installed, which is basically just Synology’s wrapper around Docker. Install it via the Web UI, then you’ll be able to use commands via SSH. Installing Container Manager is straightforward. Log into the Synology DSM Web UI -> open Package Center -> search for “Container Manager” -> click “Install”. You’ll also need a WireGuard configuration file. For this guide I’ll be using a configuration file from Mullvad VPN . A bit of background as to why I’m using Gluetun. There’s a linuxserver/wireguard docker image we can use, but that image expects the underlying kernel to have WireGuard support. Since Synology DSM runs on 4.4.4 at this time that means it doesn’t support WireGuard, which means the linuxserver/wireguard image won’t work. I tried to get it working myself but kept running into errors. Unlike linuxserver/wireguard, Gluetun works on any kernel by using something called userspace WireGuard implementation. Basically it runs at the user level rather than at the kernel level. This is beyond my knowledge though, so I encourage you to do some of your own research if you want to learn more. First, let’s create a directory where the Gluetun container will store a configuration file once it’s running. SSH into your Synology device with an admin user: Once you’re in, get root access to make this process easier: If you can run and get as the output then you’re good to go. Now we can create the directory that Gluetun will need. In my case, I only have one volume and it’s called , so your path may be a little different: That should be it! Stay as going forward to keep things simple. Next we can create a file where we’ll tell Docker to run a Gluetun container. This file can also be easily extended with additional containers that should connect to Gluetun to have WireGuard access. More on that later though. First, make sure Docker is actually installed as it’s a prerequisite I mentioned at the beginning of this post: Then create a file. I chose to create it in because it seemed logical but you can place this just about anywhere you’d like. Now we can fill in . Here’s the starting point you’ll need for Gluetun: Note that if it’s easier you can create locally on your device and then drag it over to a directory of your choosing through the Web UI. We’ll need to fill in and in . These can be retrieved from a WireGuard configuration file. It depends on your provider but for Mullvad VPN you go to https://mullvad.net/en/account/wireguard-config and download the Linux version of the WireGuard configuration file. The file itself should look something like this regardless of your VPN provider: Copy the field and paste it as the value for in . Then copy and paste it as the value for . Note: at the time of writing Gluetun only supports IPv4 addresses. So if your value contains an IPv6 range it will not work and you’ll get an error like . The value should look like this: . The value should NOT look like this: . Here’s what the updated file will look like in this case: Now we can start up the Gluetun container and verify that it works. In the same directory as , spin up a Gluetun container with : You’ll see some output similar to the following: For Mullvad VPN specifically there’s a way to verify that a connection is going through their servers. We can run a command against the Gluetun container to confirm. Regardless of VPN provider, you can check that the command returns a different IP address from the IP address your internet provider has assigned to you. Get your normal IP address first by running outside of Docker. Then run the same command against Gluetun to verify that you get a different IP address: If the IP addresses are different, you should be good to go. Now we can start creating containers that use the WireGuard connection through Gluetun. I’ll be using a qBittorrent container as an example as that is a common use case with WireGuard. People love their Linux ISOs. Adding containers is easy as we just need to append to the existing file. First, create some directories that qBittorrent will need for configuration and downloads: Then update like so: You’ll see output similar to: qBittorrent has a web interface that can be accessed on port . Open up a web browser and go to and see if the web UI shows up. If it does, qBittorrent is running successfully and all of its network traffic will run through Gluetun and WireGuard! We can do one final check with the qBittorrent container to make sure it has the same IP address as the Gluetun container: Both IP addresses are the same, which means qBittorrent is running through Gluetun and through a WireGuard connection. Everything works! https://github.com/qdm12/gluetun https://github.com/qdm12/gluetun-wiki/blob/main/setup/providers/mullvad.md https://docs.linuxserver.io/images/docker-qbittorrent/ a lot of trial and error
AI
C#
DevOps
Tutorial
Cloud
Python
Programming
Web Development
HTML
Go
CSS
Performance
Security
Git
JavaScript
Business
Career