Token's lvl1 blog- edit -- Token's rantings

Synology does automate new firewall rules when you install new services like hyper backup, music streaming (uses ports Apple started using) and such.

With docker I think you have to stay on top of the firewall rules if you have done due diligence of making an implicit deny (which isn’t default).

A big part of my problem is that I got out of the habit of documenting what I’ve done and why. I’m running to a lot of past band-aids I have foggy memory of.

Neat, can install the tailscale client but just change some config to make it a tailscale subnet router.

I was gearing up to make an Ubuntu VM to serve this role, but maybe I’ll just install via this method.

I can’t shake the want of still making a VM. Any pros I’m missing? Easy of turning it off? Snapshots for pre/post updates?

I gotta get this done very soon, I will be on the road a lot and this potentially saves me a lot of HAproxy, SSL, domain cname etc etc drama.

The main thing that makes a container different is you can really only run a single process in it. That process might be a shell like bash, with a complete file system and distro behind it, but don’t do that. That’ll just make you want to have some kind of persistent state of the container which you really shouldn’t have. Sometimes you’ll need to mount a network share in order to import/export data, but that’s data, not state.

That’s where things like docker compose come into play when you have an app, a web server, and a database all running in different containers and talking to each other over a shared network.

1 Like

Docker sounds amazing, but just like learning a coding language and getting better at code, I know I should but I put it off.

VMs are just more intuitive to do things like setup networking, resources, winscp, putty, snapshots etc.

I also tried to use git in a container, couldn’t, couldn’t install it, then thought if it was on the host it would work, that was derp haha. It’s just in way over my head so I can’t get basic stuff done.

Same with git.

I need to stop being a bitch and force myself to get better with a language, PowerShell, git and docker.

1 Like

You just described the last several years of my life. :stuck_out_tongue_closed_eyes:

1 Like

Zerotier is a lot more involved.

Run it in docker? Nah.

Talescale as a supported app so I think that will be the way.

Then I assume I can SSH in and change some configs to make it a tailscale NAT router.

@oO.o a snippet example of the Synology pop-up when you install an app and it automatically makes a firewall rule for you to open the port/ports for the app:

Jebus that is freaky- I used SSO with my github account to create my tailscale account, then installed the client app on my synology, clicked open, it auto logged me in with the github account. I guess just nifty cookies, source IP or whatnot, nothing magical but I’m just not used to simplicity at this level. I know they like to say “zero config VPN” but damn…

OIDC has a lot of little hooks like that where it’ll login you in on one application after you’ve logged in on another, or log you out somewhere else, and so on. Pretty nifty when it works.

When it doesn’t work you end up with something like Azure Data Studio. :face_vomiting:

1 Like

Phew… ok… take a breath…

This is amaze-balls.

I shouldn’t be so stoked as I poured over vids for months and months such as Lawrence Systems vids + the tailscale vs. zerotier vids etc.

But wow this is awesome, it just #justworked.

Go to tailscale, create free-be account:

Create account/use SSO of choice.

Go to package manager on synology, install.

Open. Logged in automatgically and device is populating on tailscale webUI on their cloud page.

Install on Android phone via play store.

Login (this time wasn’t so automamagic but still easy).

SSH into Synoloy, Enter command from video to make tailscale a NAT router:
ex: sudo tailscale up --advertise-routes= --reset

Go back into tailscale web GUI, edit route settings, enable that range that auto populated. Go back to edit and also disable token experation.


Turned off wifi on phone and accessed all the things PLUS notifications from home assistant.

This is horrible. Its too easy and I won’t be forced to put in the learning. If this were fitness I just quit a program and decided to couch potato.

1 Like

Its not hard to do this via a number of VPN setups on pfsense, with openVPN being very turn key, but I like the idea of a split tunnel setup where not all of my phone’s data is routing through my home router. I know there are a lot of options in openVPN but I don’t think I’ve seen a good tutorial on split tunnel.

Maybe as simple as just unchecking this?

If so I feel pretty derpy as then my OpenVPN has been a solution all this time.

example I used my VPN to get a file from home while away but then also kicked in an app install and it draaaaged. Now to test this split traffic that tailscale is supposed to solve.

I have some clients on Tailscale via Synology (smaller clients, like individuals, not companies with several or more employees). It’s been fine, just be sure to update Tailscale along with DSM updates and hang back on major DSM updates for a while. It has been buggy before on DMS point releases (I don’t remember which ones).


Is tailscale default split tunnel? I’m not finding info on this, but I’m assuming when off the LAN pretty much all traffic is routing as if there is no VPN and only traffic needing those LAN services are tunneled?

And if I simply un-check the “Redirect IPv4 Gateway” on my OpenVPN interface configuration is it effectively the same thing?

1 Like

By default, Tailscale will only provide access to the Synology. I can’t speak to the OpenVPN setting.

1 Like

I already typed into the CLI vis SSH the config change for the synology to act as NAT router. Verified by taking phone off LAN/wifi and still accessing various LAN only things like my home assistant.

I keep saying NAT router o think due to a tutorial but I guess the tailscale terminology is “exit node”

So unfortunately tailscale hasn’t been as seamless as desired. More times than not when I’m away from my wifi tailscale is either having a routing issue or its my janky OP6 android software but often I have to jump onto my openvon to then check on home assistant.

Next time I’ll try to remember to get into my NAS first and see if this is more the home assistant app.

I’m finding headscale very very appealing. Self hosted ftw.

Interesting perspective as AGI predictions have gotten more and more pessimistic.

Garmin -


My Garmin watch:

1 Like

Starting to dip into SDRs but the room I’m in must be a faraday cage, my cell doesn’t have reception and it can barely get the weather channel