Synology NAS Tailscale Integration
Last Updated: 2025-12-26
Status: Planned
Source: infrastructure-migration-nas-gpu.md
Overview
This guide covers integrating a Synology DS224+ NAS with the Tailscale mesh network for secure, private access to NAS services.
Prerequisites
- Synology DS224+ NAS with DSM installed
- Tailscale account (flux423@mac.com)
- Access to Tailscale admin console
- Network connectivity to NAS
Installation Steps
Step 1: Install Tailscale Package
- Open Package Center in DSM
- Search for "Tailscale"
- Install Tailscale package
- Wait for installation to complete
Step 2: Configure Tailscale
- Open Tailscale application in DSM
- Click Sign in to Tailscale
- Authenticate with Tailscale account (flux423@mac.com)
- Wait for connection to establish
Step 3: Configure Tailscale Settings
Recommended Settings:
| Setting | Value | Reason |
|---|---|---|
| Enable | ON | Enable Tailscale |
| Account | flux423@mac.com | Tailscale account |
| Subnet routing | OFF | NAS should not advertise routes |
| Exit node | OFF | NAS should not be exit node |
| Funnel | OFF | No public exposure needed |
| Auto-connect | ON | Auto-connect on boot |
Step 4: Assign Tailscale IP and Tag
- Go to Tailscale admin console
- Find NAS device (hostname will be auto-generated)
- Assign Tailscale IP (e.g., 100.116.110.124)
- Add tag: tag:nas-storage
- Verify device appears in device list
Network Configuration
Current Network
- Local IP: 192.168.68.60
- Network: 192.168.68.0/24
- Port: 5001 (HTTPS)
Recommended Network (If Moving to Agent Network)
- Local IP: 192.168.8.10 (static)
- Network: 192.168.8.0/24 (Bluefly-Agents)
- Port: 5001 (HTTPS)
Benefits of Moving to Agent Network:
- Same subnet as other agent infrastructure
- Easier NFS configuration for Kubernetes
- Consistent network topology
- Better integration with router subnet routing
Tailscale ACL Configuration
Update Tailscale ACL policy to allow access to NAS:
```json
{
  "tagOwners": {
    "tag:nas-storage": ["group:admins"]
  },
  "acls": [
    {
      "action": "accept",
      "src": ["group:admins"],
      "dst": ["tag:nas-storage:*"]
    },
    {
      "action": "accept",
      "src": ["tag:agent-host"],
      "dst": ["tag:nas-storage:*"]
    }
  ]
}
```
This allows:
- Admins to access NAS from anywhere
- Agent hosts to access NAS for storage operations
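An offline check for the policy above, added here as an example (not part of the original guide or of Tailscale's tooling): it lists every source that an accept rule lets reach tag:nas-storage, including through a wildcard destination such as `*:*`, and reports anything beyond the two sources the page intends. It is a simplified model that only matches tag and `*` destinations (no host aliases or IP destinations), and the function names are hypothetical.

```python
import json

# Policy copied from this page.
PAGE_POLICY = json.loads("""
{
  "tagOwners": {"tag:nas-storage": ["group:admins"]},
  "acls": [
    {"action": "accept", "src": ["group:admins"],   "dst": ["tag:nas-storage:*"]},
    {"action": "accept", "src": ["tag:agent-host"], "dst": ["tag:nas-storage:*"]}
  ]
}
""")

NAS_TAG = "tag:nas-storage"
EXPECTED_SRC = {"group:admins", "tag:agent-host"}  # the two sources the page intends


def dst_host(dst):
    """Split a 'host:ports' destination; the host itself may contain ':' (tags)."""
    return dst.rsplit(":", 1)[0]


def sources_reaching(policy, tag=NAS_TAG):
    """Return every src that an accept rule lets reach `tag`, directly or via '*'."""
    found = set()
    for rule in policy.get("acls", []):
        if rule.get("action") != "accept":
            continue
        if any(dst_host(d) in (tag, "*") for d in rule.get("dst", [])):
            found.update(rule.get("src", []))
    return found


def audit(policy, tag=NAS_TAG, expected=EXPECTED_SRC):
    """List findings: unexpected sources and tag owners outside group:admins."""
    findings = [f"unexpected source: {s}"
                for s in sorted(sources_reaching(policy, tag) - expected)]
    owners = policy.get("tagOwners", {}).get(tag, [])
    findings += [f"unexpected tag owner: {o}" for o in owners if o != "group:admins"]
    if tag not in policy.get("tagOwners", {}):
        findings.append(f"{tag} has no tagOwners entry")
    return findings


if __name__ == "__main__":
    print(audit(PAGE_POLICY) or "policy matches the page's intent")
```

A later rule with a broad destination (for example src autogroup:member to dst `*:*`) would make audit() report that source, since a wildcard destination also covers the NAS.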
Access Methods
Via Tailscale (Private Access)
Once Tailscale is configured:
- Web Interface: https://100.116.110.124:5001 (via Tailscale IP)
- NFS: 100.116.110.124:/k8s-pv (via Tailscale IP)
- SMB: \\100.116.110.124\share (via Tailscale IP)
Via Cloudflare Tunnel (Public Access)
Currently configured:
- Web Interface: https://nas.blueflyagents.com (via Cloudflare Tunnel)
Note: Cloudflare Tunnel provides public access, Tailscale provides private access. Both can coexist.
NFS Configuration for Kubernetes
Prerequisites
- NAS on Tailscale network
- NFS shares configured on NAS
- NFS CSI driver installed in Kubernetes
Configuration
NFS Share Settings:
- Share Name: k8s-pv
- NFS Version: 4.1
- Access Control:
  - Allow: 100.108.129.7 (Mac M4 Tailscale IP)
  - Allow: 100.108.180.36 (Mac M3 Tailscale IP)
  - Allow: 192.168.8.0/24 (Agent network, if NAS moved)
- Root Squash: Enabled
- Async: Enabled
Kubernetes StorageClass:
```yaml
apiVersion: storage.k8s.io/v1
kind: StorageClass
metadata:
  name: synology-nfs
provisioner: nfs.csi.k8s.io
parameters:
  server: 100.116.110.124  # Tailscale IP
  share: /k8s-pv
# StorageClass mountOptions is a list of strings, one option per entry
mountOptions:
  - nfsvers=4.1
  - async
volumeBindingMode: Immediate
allowVolumeExpansion: true
```
Testing
Test Tailscale Connection
```bash
# From Mac M4 or M3
tailscale ping 100.116.110.124  # NAS Tailscale IP

# Test web interface
open https://100.116.110.124:5001

# Test NFS (if configured)
mount -t nfs 100.116.110.124:/k8s-pv /mnt/test
```
Verify ACL Policy
- Check NAS device has tag:nas-storage
- Verify ACL allows access from agent hosts
- Test access from different devices
Troubleshooting
Tailscale Not Connecting
- Check Tailscale package is running in DSM
- Verify Tailscale account authentication
- Check network connectivity
- Review Tailscale logs in DSM
Cannot Access NAS via Tailscale
- Verify Tailscale IP is correct
- Check ACL policy allows access
- Verify NAS device is online in Tailscale admin
- Test connectivity: tailscale ping <nas-ip>
NFS Not Working
- Verify NFS is enabled on NAS
- Check NFS share permissions
- Verify Tailscale IP in StorageClass
- Test NFS mount manually
Security Considerations
- Tags: Use tag:nas-storage for access control
- ACL: Restrict access to admins and agent hosts only
- No Public Exposure: Tailscale provides private access only
- Funnel OFF: Never enable Funnel on NAS
- Subnet Routing OFF: NAS should not advertise routes
Related Documentation
- Synology Setup - NAS setup and configuration
- Synology Services - Services running on NAS
- Tailscale Configuration - Tailscale setup
- Tailscale ACL Policy - Access control
- Network Overview - Network architecture