Tailscale HTTPS certificate on Synology NAS
I recently discovered Tailscale for setting up a private VPN. My main goal was to use it for accessing my Synology NAS at home from anywhere in the world. So far I had kept my home NAS publically accessible from the internet, which had been fine but risky nevertheless.
In order to secure web connections to the Synology DSM and various Docker-based services, I had set up Let’s Encrypt on Synology under my own subdomain. Since my NAS is no longer publically accessible, it cannot obtain new Let’s Encrypt certificates for the subdomain1. Instead, I needed HTTPS certificates for the Tailscale full domain of the NAS.
Tailscale has a guide for setting Tailscale itself up on Synology and a guide for obtaining HTTPS certificates using tailscale cert
. Surprisingly, neither documents the best solution, which is the undocumented command
tailscale configure synology-cert
Prior to its introduction, under this Tailscale issue users came up with their own scripts, but using the official command is now the easiest way.
Step-by-step
- Set up Tailscale on your Synology NAS or update it to at least version 1.64.0.
- Navigate in the Synology DSM to Control Panel → Task Scheduler.
-
Create a new scheduled task with an user-defined script (Create → Scheduled Task → User-defined script) with the following details:
- General:
- Task (name): “Tailscale Certificate” (or whatever you want).
- User: root (the Tailscale command needs that).
- Schedule:
- “Run on the following days”: “Monthly”, “First”, “Monday” (should be frequent enough such that the 90 day Let’s Encrypt certificate is renewed automatically).
- Task Settings:
- User-defined script:
tailscale configure synology-cert
(the magic command).
- User-defined script:
- General:
- Press “OK” and follow on-screen instructions for setting up the root script.
- Right click on the created task and select “Run” to get the first certificate immediately.
- Navigate in the Synology DSM to Control Panel → Security → Certificate.
- You should now see a certificate for your
ts.net
subdomain in this list. - Use the Tailscale certificate in one of the two ways, depending on your use case:
- Right click on the certificate and select “Edit”. Then tick “Set as default certificate” and press “OK”.
- Click “Settings” in the toolbar. Change the certificate on a per-service basis.
-
This would be possible with Let’s Encrypt’s DNS-01 domain validation (as opposed to HTTP-01), but Synology only supports HTTP-01 for custom domains. ↩