Token's lvl1 blog- edit -- Token's rantings

Synology does automate new firewall rules when you install new services like hyper backup, music streaming (uses ports Apple started using) and such.

With docker I think you have to stay on top of the firewall rules if you have done due diligence of making an implicit deny (which isn’t default).

A big part of my problem is that I got out of the habit of documenting what I’ve done and why. I’m running into a lot of past band-aids I have foggy memory of.

Neat, can install the tailscale client but just change some config to make it a tailscale subnet router.

I was gearing up to make an Ubuntu VM to serve this role, but maybe I’ll just install via this method.

I can’t shake the want of still making a VM. Any pros I’m missing? Ease of turning it off? Snapshots for pre/post updates?

I gotta get this done very soon, I will be on the road a lot and this potentially saves me a lot of HAproxy, SSL, domain cname etc etc drama.

The main thing that makes a container different is you can really only run a single process in it. That process might be a shell like bash, with a complete file system and distro behind it, but don’t do that. That’ll just make you want to have some kind of persistent state of the container which you really shouldn’t have. Sometimes you’ll need to mount a network share in order to import/export data, but that’s data, not state.

That’s where things like docker compose come into play when you have an app, a web server, and a database all running in different containers and talking to each other over a shared network.

1 Like

Docker sounds amazing, but just like learning a coding language and getting better at code, I know I should but I put it off.

VMs are just more intuitive to do things like setup networking, resources, winscp, putty, snapshots etc.

I also tried to use git in a container, couldn’t, couldn’t install it, then thought if it was on the host it would work, that was derp haha. It’s just in way over my head so I can’t get basic stuff done.

Same with git.

I need to stop being a bitch and force myself to get better with a language, PowerShell, git and docker.

1 Like

You just described the last several years of my life. :stuck_out_tongue_closed_eyes:

1 Like

Zerotier is a lot more involved.

Run it in docker? Nah.

Tailscale has a supported app so I think that will be the way.

Then I assume I can SSH in and change some configs to make it a tailscale NAT router.

@oO.o a snippet example of the Synology pop-up when you install an app and it automatically makes a firewall rule for you to open the port/ports for the app:

Jebus that is freaky- I used SSO with my github account to create my tailscale account, then installed the client app on my synology, clicked open, it auto logged me in with the github account. I guess just nifty cookies, source IP or whatnot, nothing magical but I’m just not used to simplicity at this level. I know they like to say “zero config VPN” but damn…

OIDC has a lot of little hooks like that where it’ll log you in on one application after you’ve logged in on another, or log you out somewhere else, and so on. Pretty nifty when it works.

When it doesn’t work you end up with something like Azure Data Studio. :face_vomiting:

1 Like

Phew… ok… take a breath…

This is amaze-balls.

I shouldn’t be so stoked as I pored over vids for months and months such as Lawrence Systems vids + the tailscale vs. zerotier vids etc.

But wow this is awesome, it just #justworked.

Go to tailscale, create freebie account:

Create account/use SSO of choice.

Go to package manager on synology, install.

Open. Logged in automagically and device is populating on tailscale webUI on their cloud page.

Install on Android phone via play store.

Login (this time wasn’t so automagic but still easy).

SSH into Synology, enter command from video to make tailscale a NAT router:
ex: sudo tailscale up --advertise-routes= --reset

Go back into tailscale web GUI, edit route settings, enable that range that auto populated. Go back to edit and also disable token expiration.


Turned off wifi on phone and accessed all the things PLUS notifications from home assistant.

This is horrible. It’s too easy and I won’t be forced to put in the learning. If this were fitness I just quit a program and decided to couch potato.

1 Like

It’s not hard to do this via a number of VPN setups on pfsense, with openVPN being very turn key, but I like the idea of a split tunnel setup where not all of my phone’s data is routing through my home router. I know there are a lot of options in openVPN but I don’t think I’ve seen a good tutorial on split tunnel.

Maybe as simple as just unchecking this?

If so I feel pretty derpy as then my OpenVPN has been a solution all this time.

Example: I used my VPN to get a file from home while away but then also kicked in an app install and it draaaaged. Now to test this split traffic that tailscale is supposed to solve.

I have some clients on Tailscale via Synology (smaller clients, like individuals, not companies with several or more employees). It’s been fine, just be sure to update Tailscale along with DSM updates and hang back on major DSM updates for a while. It has been buggy before on DSM point releases (I don’t remember which ones).


Is tailscale default split tunnel? I’m not finding info on this, but I’m assuming when off the LAN pretty much all traffic is routing as if there is no VPN and only traffic needing those LAN services are tunneled?

And if I simply un-check the “Redirect IPv4 Gateway” on my OpenVPN interface configuration is it effectively the same thing?

1 Like

By default, Tailscale will only provide access to the Synology. I can’t speak to the OpenVPN setting.

1 Like

I already typed into the CLI via SSH the config change for the synology to act as NAT router. Verified by taking phone off LAN/wifi and still accessing various LAN only things like my home assistant.

I keep saying NAT router, I think due to a tutorial, but I guess the tailscale terminology is “exit node”.

So unfortunately tailscale hasn’t been as seamless as desired. More times than not when I’m away from my wifi tailscale is either having a routing issue or it’s my janky OP6 android software but often I have to jump onto my openVPN to then check on home assistant.

Next time I’ll try to remember to get into my NAS first and see if this is more the home assistant app.

I’m finding headscale very very appealing. Self hosted ftw.

Interesting perspective as AGI predictions have gotten more and more pessimistic.

Garmin -


My Garmin watch:


Starting to dip into SDRs but the room I’m in must be a faraday cage, my cell doesn’t have reception and it can barely get the weather channel

1 Like

I’m finding an issue with my tailscale setup. It cannot move large files.

For example I can navigate my NAS’s files remotely, and even open some small ones up, but if I try to copy something large it fails.

Same with Synology’s photo app. It will back up my photos when connected to wifi and charging but fail at backing up the vids.

If I turn off tailscale and turn on my openVPN connection then the Synology photo app gets the chunky vids through.

So tailscale can set up a connection and has visibility into my LAN, but I have no idea where and how to troubleshoot the stack to try and figure out where this failure occurs. Is this a jumbo frame enablement thing? A confliction with transitions from protocols like UDP and TCP to IP and then Ethernet frames? Nuking it and maybe as simple as a Synology firewall rule if tailscale changes sockets for large files and streams?

Phone- OP6/android
Router - pfsense, snort is set to IDS not IPS (snap I better double check this)
NAS - Synology
Tailscale exit node - same Synology NAS via supported app

That was a good exercise:

  • Looked at flow traffic via my pfsense’s ntopng dashboard- noticed the IPs my tailscale exit node were not the IPs of my tailscale clients.

  • Looked over pfblockerng and dnsbl logs, disabled them anyhow just to validate.

  • Added some UDP ports and a TCP port to the exit node’s firewall allow rules per this:
    What firewall ports should I open to use Tailscale? · Tailscale

All of that and I still had the issue of video lag and failed large file transfers (the latter I feel is an application layer issue due to too many dropped packets).

Then I found this documentation:

I need to enable NAT-PMP…

I don’t think I’m comfortable with this… Rather than enable it I’m wondering if I can make for more specific rules/mappings. There are some interesting settings that kinda do this at first glance, need to read into the documentation better.

But yeah, enabling NAT-PMP fixed it, tailscale now sets up direct connections versus being stuck using DERP (their relays).
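
An added example, not part of the original posts and not Tailscale's own code: a quick check for the symptom described above, peers stuck on DERP relays instead of direct connections. It assumes the `Peer`, `HostName`, `Online`, `Active`, `CurAddr` and `Relay` fields of `tailscale status --json`; the sample data, hostnames and addresses are constructed.

```python
import json

# Constructed sample shaped like `tailscale status --json` output.
# Assumed fields: Peer, HostName, Online, Active, CurAddr, Relay.
SAMPLE_STATUS = """
{
  "Peer": {
    "nodekey:aaaa": {"HostName": "nas", "Online": true, "Active": true,
                     "CurAddr": "", "Relay": "nyc"},
    "nodekey:bbbb": {"HostName": "laptop", "Online": true, "Active": true,
                     "CurAddr": "203.0.113.7:41641", "Relay": "nyc"},
    "nodekey:cccc": {"HostName": "tablet", "Online": true, "Active": false,
                     "CurAddr": "", "Relay": "nyc"},
    "nodekey:dddd": {"HostName": "old-phone", "Online": false, "Active": false,
                     "CurAddr": "", "Relay": ""}
  }
}
"""


def classify_peers(status_json):
    """Return {hostname: 'direct' | 'relayed' | 'idle' | 'offline'}."""
    status = json.loads(status_json)
    result = {}
    # "Peer" can be null when the node has no peers yet.
    for peer in (status.get("Peer") or {}).values():
        name = peer.get("HostName", "?")
        if not peer.get("Online"):
            result[name] = "offline"
        elif not peer.get("Active"):
            result[name] = "idle"        # no recent traffic, no path chosen yet
        elif peer.get("CurAddr"):
            result[name] = "direct"      # a UDP endpoint is in use
        else:
            result[name] = "relayed"     # active but no endpoint: going via DERP
    return result


def relayed_peers(status_json):
    """Hostnames of active peers that only have a relayed path."""
    paths = classify_peers(status_json)
    return sorted(host for host, path in paths.items() if path == "relayed")


if __name__ == "__main__":
    for host, path in sorted(classify_peers(SAMPLE_STATUS).items()):
        print(f"{host:12} {path}")
    stuck = relayed_peers(SAMPLE_STATUS)
    if stuck:
        print("relay-only peers:", ", ".join(stuck))
```

Running it before and after a router change such as the NAT-PMP setting shows whether active peers moved from `relayed` to `direct`; generate some traffic to a peer first so it is not reported as `idle`.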