Tailscale HTTPS certificate on Synology NAS

I recently discovered Tailscale for setting up a private VPN. My main goal was to use it for accessing my Synology NAS at home from anywhere in the world. Until now I had kept my home NAS publicly accessible from the internet, which had been fine but risky nevertheless.

In order to secure web connections to the Synology DSM and various Docker-based services, I had set up Let’s Encrypt on Synology under my own subdomain. Since my NAS is no longer publicly accessible, it cannot obtain new Let’s Encrypt certificates for the subdomain [1]. Instead, I needed HTTPS certificates for the Tailscale full domain of the NAS.

Tailscale has a guide for setting Tailscale itself up on Synology and a guide for obtaining HTTPS certificates using tailscale cert. Surprisingly, neither documents the best solution, which is the undocumented command

tailscale configure synology-cert

Prior to its introduction, under this Tailscale issue users came up with their own scripts, but using the official command is now the easiest way.

Step-by-step

  1. Set up Tailscale on your Synology NAS or update it to at least version 1.64.0.
  2. Navigate in the Synology DSM to Control Panel → Task Scheduler.
  3. Create a new scheduled task with a user-defined script (Create → Scheduled Task → User-defined script) with the following details:

    • General:
      • Task (name): “Tailscale Certificate” (or whatever you want).
      • User: root (the Tailscale command needs that).
    • Schedule:
      • “Run on the following days”: “Monthly”, “First”, “Monday” (should be frequent enough that the 90-day Let’s Encrypt certificate is renewed automatically).
    • Task Settings:
      • User-defined script: tailscale configure synology-cert (the magic command).
  4. Press “OK” and follow on-screen instructions for setting up the root script.
  5. Right click on the created task and select “Run” to get the first certificate immediately.
  6. Navigate in the Synology DSM to Control Panel → Security → Certificate.
  7. You should now see a certificate for your ts.net subdomain in this list.
  8. Use the Tailscale certificate in one of the two ways, depending on your use case:
    1. Right click on the certificate and select “Edit”. Then tick “Set as default certificate” and press “OK”.
    2. Click “Settings” in the toolbar. Change the certificate on a per-service basis.
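
To confirm from another device on the tailnet that DSM is serving the new certificate and that the monthly task keeps it renewed, a check like the following can be run. It is an added example, not part of the original guide or Tailscale's tooling; port 5001 (DSM's default HTTPS port), the 14-day threshold and the sample hostname are assumptions.

```python
import socket
import ssl
import sys
from datetime import datetime, timezone

# Constructed sample in the shape ssl.getpeercert() returns (not a real certificate).
SAMPLE_CERT = {
    "subjectAltName": (("DNS", "nas.example-tailnet.ts.net"),),
    "issuer": ((("countryName", "US"),),
               (("organizationName", "Let's Encrypt"),),
               (("commonName", "R11"),)),
    "notAfter": "Jun  1 12:00:00 2025 GMT",
}

def days_left(not_after, now=None):
    """Whole days until expiry for a getpeercert()-style notAfter string."""
    expires = datetime.fromtimestamp(ssl.cert_time_to_seconds(not_after), timezone.utc)
    return (expires - (now or datetime.now(timezone.utc))).days

def evaluate(cert, host, now=None, min_days=14):
    """Return a list of problems; an empty list means the certificate looks fine."""
    problems = []
    names = [value for kind, value in cert.get("subjectAltName", ()) if kind == "DNS"]
    if host not in names:
        problems.append(f"{host} is not among the certificate names {names}")
    issuer = {k: v for rdn in cert.get("issuer", ()) for k, v in rdn}
    if issuer.get("organizationName") != "Let's Encrypt":
        problems.append(f"unexpected issuer: {issuer.get('organizationName')}")
    remaining = days_left(cert["notAfter"], now)
    if remaining < min_days:  # assumed threshold: the renewal task is probably failing
        problems.append(f"only {remaining} days left; check the scheduled task")
    return problems

def fetch_cert(host, port=5001, timeout=10):
    """Fetch the served certificate; the default context also validates chain and hostname."""
    ctx = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert()

if __name__ == "__main__":
    host = sys.argv[1]  # the NAS's full ts.net name
    found = evaluate(fetch_cert(host), host)
    print("\n".join(found) or f"{host}: certificate OK")
    sys.exit(1 if found else 0)
```

If the handshake itself fails with a verification error, DSM is most likely still serving its old default certificate on that service, which points back to step 8.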

[1] This would be possible with Let’s Encrypt’s DNS-01 domain validation (as opposed to HTTP-01), but Synology only supports HTTP-01 for custom domains.