Can't access NAS through VPN (wireguard)

NAS
DS220+
Operating system
  1. Linux
  2. Windows
Mobile operating system
  1. Android
Hello! I recently invested in a Synology DS220+ NAS and I'm new to the forum.

I set up the NAS to use Synology Drive for file sync. Everything works well locally but I'm having trouble with external access.

I have a pc running a Wireguard server, and dynamic DNS with DuckDNS. I forwarded the right port in my router to access the Wireguard server.
Using my phone as a hotspot and my laptop connected to it, I can access the Wireguard server. I can also ssh into the server and another pc on my home lan. I can ping various devices on my lan, including the NAS, without packet loss.
From the same laptop, I cannot load the DSM web interface in my browser (it times out). The Synology Drive client on the laptop also times out when trying to log in.

Meanwhile, my phone can also connect to the Wireguard server and the Synology Drive mobile app works fine (log in and file transfers both).

I must be doing something right if I can connect into the Wireguard server, ssh into lan pcs, ping devices, and also connect via the app on my phone. However, I can't get my laptop to work. Any help is appreciated!
 
Meanwhile, my phone can also connect to the Wireguard server and the Synology Drive mobile app works fine
How do you have Drive target client configured? Using QuickConnect or are you targeting the NAS (Drive) using a local IP address?

From the same laptop, I cannot load the DSM web interface in my browser (it times out). The Synology Drive client on the laptop also times out when trying to log in.
Are you running Synology firewall? If so, check to see if your Wireguard subnet can pass over the firewall using a specific rule that will allow its subnet access to your local Syno subnet.
 
Thank you for the response.
How do you have Drive target client configured? Using QuickConnect or are you targeting the NAS (Drive) using a local IP address?
I'm trying to access the NAS using its local IP address.
Are you running Synology firewall?
I was running the Synology firewall with a rule allowing all LAN traffic and rules allowing all traffic for the DSM management and Synology Drive ports. After turning it off, I can ping the NAS but I still cannot access the web interface nor have the Synology Drive client connect.
If so, check to see if your Wireguard subnet can pass over the firewall using a specific rule that will allow its subnet access to your local Syno subnet.
What would this look like in practice?
 
Thanks. My wireguard clients are given IP addresses of the form 10.aaa.bbb.ccc, so I tried creating a rule allowing all ports and IP 10.aaa.bbb.0 with subnet mask 255.255.255.0. Does that look right?

Unfortunately, it still doesn't work. Also, I am confused because I was testing everything with the Synology firewall turned off completely, so the lack of the access rule should not be the issue.
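
The source rule discussed above can be modelled like this. It is an added example, not part of the original posts and not Synology's code; it assumes rules are checked top-down with a deny default, and 10.8.0.0 and 192.168.1.0 are constructed placeholders for the thread's 10.aaa.bbb.0 tunnel range and the home LAN.

```python
import ipaddress

# Constructed sample values: the thread only gives the tunnel range as
# 10.aaa.bbb.ccc, so 10.8.0.0 (tunnel) and 192.168.1.0 (LAN) are placeholders.
RULES = [
    # (name, source address, netmask, allowed ports or None for all, action)
    ("lan-all", "192.168.1.0", "255.255.255.0", None, "allow"),
    ("wg-clients", "10.8.0.0", "255.255.255.0", None, "allow"),
]
DEFAULT_ACTION = "deny"  # assumed behaviour when no rule matches


def parse_source(address, netmask):
    """Build the source network, rejecting entries whose host bits are set."""
    # strict=True raises ValueError for e.g. 10.8.0.5 with 255.255.255.0,
    # which would be a host address entered where a network was intended.
    return ipaddress.ip_network(f"{address}/{netmask}", strict=True)


def evaluate(src_ip, dst_port, rules=RULES, default=DEFAULT_ACTION):
    """Return (action, rule name) for the first rule that matches."""
    src = ipaddress.ip_address(src_ip)
    for name, address, netmask, ports, action in rules:
        in_net = src in parse_source(address, netmask)
        port_ok = ports is None or dst_port in ports
        if in_net and port_ok:
            return action, name
    return default, "default"


if __name__ == "__main__":
    # 5001 is DSM's default HTTPS port; 6690 is the Synology Drive sync port.
    for src, port in [("10.8.0.2", 5001), ("10.8.1.2", 5001),
                      ("192.168.1.50", 6690)]:
        print(src, port, evaluate(src, port))
    # Same tunnel client with the WireGuard rule removed: falls to the default.
    print("without wg rule:", evaluate("10.8.0.2", 5001, rules=RULES[:1]))
```

The tunnel rule only comes into play when the NAS actually sees the 10.x source address. If the WireGuard host masquerades tunnel traffic, the NAS sees that host's LAN address and the LAN rule is the one that matches.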
 
Agreed! I see some posts talking about setting up a static route. I tried playing around with this in my router but to no effect (this is something I definitely don't understand). Would it be worth looking more into this?

Any other thoughts?
 
You can ping and can even connect to other pc in your lan (guessing the same subnet where your nas is), so not sure that routing would be a solution here considering you can access other services in that subnet.

Do you have any other service on the nas (other than DSM landing page) that you can try and access?
 
Do you have any other service on the nas (other than DSM landing page) that you can try and access?
Only Synology Drive, and that also isn't accessible.
 
Let me start by saying I am a BIG fan of wireguard, I use it all the time to access my local network... but I would run it on a router, never on a synology. Opening a port on your router and forwarding traffic to a wireguard endpoint hosted on your NAS is not a good idea... Not to mention you will have a hard time adjusting the nas fw rules, this config is complex and potentially dangerous (if you don't know what you're doing).

If all you need is accessing the "classic" services on a synology nas, and accessing them with the apps on your phone from the outside world, I would recommend you follow this video I did explaining how to expose services hosted on the NAS WITHOUT touching your home router, proxying the traffic through Cloudflare:

There's a playlist with some more videos on how to secure access with a one-time-code to get access...
 
Let me start by saying I am a BIG fan of wireguard, I use it all the time to access my local network... but I would run it on a router, never on a synology.
I wasn't trying to run it on the NAS, I installed it on a separate pc on my lan.
I would recommend you follow this video I did
Thanks, I'll take a look.
 
I didn’t watch all the setup video but the gist of what is happening is a Docker container is used to initiate an outbound connection to the Cloudflare service. Then Cloudflare acts as a gateway-in-the-cloud for the domain that you’ve registered. I use the term ‘gateway’ as I’m guessing it’s not just an open router but rather a more sophisticated firewall.

It’s somewhat akin to QuickConnect relay service but, of course, the implementations will be rather different. One would hope that the Cloudflare way isn’t a proxy service like QC relay. Because then you are back to “who do I trust?”.
 
