https://sim642.eu/blog/2024/08/11/tailscale-https-certificate-on-synology-nas/

Tailscale HTTPS certificate on Synology NAS

Simmo Saan
August 11, 2024 * last updated August 15, 2024
networking, security

I recently discovered Tailscale for setting up a private VPN. My main goal was to use it for accessing my Synology NAS at home from anywhere in the world. So far I had kept my home NAS publicly accessible from the internet, which had been fine but risky nevertheless.

In order to secure web connections to the Synology DSM and various Docker-based services, I had set up Let's Encrypt on Synology under my own subdomain. Since my NAS is no longer publicly accessible, it cannot obtain new Let's Encrypt certificates for the subdomain^1. Instead, I needed HTTPS certificates for the Tailscale full domain of the NAS.

Tailscale has a guide for setting Tailscale itself up on Synology and a guide for obtaining HTTPS certificates using tailscale cert. Surprisingly, neither documents the best solution, which is the undocumented command

    tailscale configure synology-cert

Prior to its introduction, under this Tailscale issue users came up with their own scripts, but using the official command is now the easiest way.

Step-by-step

1. Set up Tailscale on your Synology NAS or update it to at least version 1.64.0.
2. Navigate in the Synology DSM to Control Panel - Task Scheduler.
3. Create a new scheduled task with a user-defined script (Create - Scheduled Task - User-defined script) with the following details:
   + General:
     o Task (name): "Tailscale Certificate" (or whatever you want).
     o User: root (the Tailscale command needs that).
   + Schedule:
     o "Run on the following days": "Monthly", "First", "Monday" (should be frequent enough that the 90 day Let's Encrypt certificate is renewed automatically).
   + Task Settings:
     o User-defined script: tailscale configure synology-cert (the magic command).
4. Press "OK" and follow on-screen instructions for setting up the root script.
5. Right click on the created task and select "Run" to get the first certificate immediately.
6. Navigate in the Synology DSM to Control Panel - Security - Certificate.
7. You should now see a certificate for your ts.net subdomain in this list.
8. Use the Tailscale certificate in one of the two ways, depending on your use case:
   1. Right click on the certificate and select "Edit". Then tick "Set as default certificate" and press "OK".
   2. Click "Settings" in the toolbar. Change the certificate on a per-service basis.

---------------------------------------------------------------------

1. This would be possible with Let's Encrypt's DNS-01 domain validation (as opposed to HTTP-01), but Synology only supports HTTP-01 for custom domains.
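
To confirm that the scheduled task from the step-by-step list keeps the certificate renewed, the following check reads the certificate a service actually presents and reports the days left before it expires. It is an added example, not part of the original post or of Tailscale's tooling; it assumes GNU date and the openssl command line tool, and the 14-day threshold and the THRESHOLD_DAYS variable are constructed for illustration.

```shell
#!/bin/sh
# Added example: report how long the served certificate remains valid.
# Assumptions: GNU date (-d) and the openssl CLI are available; the 14-day
# default threshold and THRESHOLD_DAYS are illustrative, not from the post.

# days_left NOT_AFTER [NOW_EPOCH] -> whole days until expiry, truncated
# toward zero (negative once the certificate expired a day or more ago).
days_left() (
    end=$(date -u -d "$1" +%s) || exit 2
    now=${2:-$(date -u +%s)}
    echo $(( (end - now) / 86400 ))
)

# renewal_status DAYS THRESHOLD -> prints EXPIRED, RENEWAL_OVERDUE or OK.
renewal_status() (
    if [ "$1" -lt 0 ]; then echo EXPIRED
    elif [ "$1" -lt "$2" ]; then echo RENEWAL_OVERDUE
    else echo OK
    fi
)

# served_not_after HOST [PORT] -> notAfter of the certificate presented by
# the service, which catches a renewed but not yet assigned certificate.
served_not_after() (
    echo | openssl s_client -connect "$1:${2:-443}" -servername "$1" 2>/dev/null |
        openssl x509 -noout -enddate 2>/dev/null | cut -d= -f2
)

# check_host HOST [PORT] -> prints one status line, exits non-zero unless OK.
check_host() (
    not_after=$(served_not_after "$1" "${2:-443}")
    [ -n "$not_after" ] || { echo "$1: no certificate received" >&2; exit 2; }
    days=$(days_left "$not_after") || exit 2
    status=$(renewal_status "$days" "${THRESHOLD_DAYS:-14}")
    echo "$1: $status ($days days left, notAfter=$not_after)"
    [ "$status" = OK ]
)

# Only contact a host when one is given on the command line.
if [ -n "${1:-}" ]; then check_host "$@"; fi
```

Pass the NAS's ts.net name and the HTTPS port of the service as arguments; a non-zero exit status means the certificate needs attention.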