Synology does automate new firewall rules when you install new services like hyper backup, music streaming (uses ports Apple started using) and such.
With docker I think you have to stay on top of the firewall rules if you have done due diligence of making an implicit deny (which isn’t default).
A big part of my problem is that I got out of the habit of documenting what I’ve done and why. I’m running into a lot of past band-aids I have foggy memory of.
The main thing that makes a container different is you can really only run a single process in it. That process might be a shell like bash, with a complete file system and distro behind it, but don’t do that. That’ll just make you want to have some kind of persistent state of the container which you really shouldn’t have. Sometimes you’ll need to mount a network share in order to import/export data, but that’s data, not state.
That’s where things like docker compose come into play when you have an app, a web server, and a database all running in different containers and talking to each other over a shared network.
Docker sounds amazing, but just like learning a coding language and getting better at code, I know I should but I put it off.
VMs are just more intuitive to do things like setup networking, resources, winscp, putty, snapshots etc.
I also tried to use git in a container, couldn’t, couldn’t install it, then thought if it was on the host it would work, that was derp haha. It’s just in way over my head so I can’t get basic stuff done.
Same with git.
I need to stop being a bitch and force myself to get better with a language, PowerShell, git and docker.
Tailscale is a supported app so I think that will be the way.
Then I assume I can SSH in and change some configs to make it a tailscale NAT router.
@oO.o a snippet example of the Synology pop-up when you install an app and it automatically makes a firewall rule for you to open the port/ports for the app:
Jebus that is freaky- I used SSO with my github account to create my tailscale account, then installed the client app on my synology, clicked open, it auto logged me in with the github account. I guess just nifty cookies, source IP or whatnot, nothing magical but I’m just not used to simplicity at this level. I know they like to say “zero config VPN” but damn…
OIDC has a lot of little hooks like that where it’ll login you in on one application after you’ve logged in on another, or log you out somewhere else, and so on. Pretty nifty when it works.
When it doesn’t work you end up with something like Azure Data Studio.
It’s not hard to do this via a number of VPN setups on pfSense, with OpenVPN being very turn key, but I like the idea of a split tunnel setup where not all of my phone’s data is routing through my home router. I know there are a lot of options in OpenVPN but I don’t think I’ve seen a good tutorial on split tunnel.
Maybe as simple as just unchecking this?
If so I feel pretty derpy as then my OpenVPN has been a solution all this time.
For example, I used my VPN to get a file from home while away but then also kicked in an app install and it draaaaged. Now to test this split traffic that Tailscale is supposed to solve.
I have some clients on Tailscale via Synology (smaller clients, like individuals, not companies with several or more employees). It’s been fine, just be sure to update Tailscale along with DSM updates and hang back on major DSM updates for a while. It has been buggy before on DSM point releases (I don’t remember which ones).
Is Tailscale split tunnel by default? I’m not finding info on this, but I’m assuming when off the LAN pretty much all traffic is routing as if there is no VPN and only traffic needing those LAN services is tunneled?
And if I simply un-check the “Redirect IPv4 Gateway” on my OpenVPN interface configuration is it effectively the same thing?
I already typed into the CLI via SSH the config change for the Synology to act as a NAT router. Verified by taking the phone off LAN/wifi and still accessing various LAN-only things like my Home Assistant.
So unfortunately Tailscale hasn’t been as seamless as desired. More times than not when I’m away from my wifi Tailscale is either having a routing issue or it’s my janky OP6 Android software, but often I have to jump onto my OpenVPN to then check on Home Assistant.
Next time I’ll try to remember to get into my NAS first and see if this is more the home assistant app.
I’m finding headscale very very appealing. Self hosted ftw.
I’m finding an issue with my tailscale setup. It cannot move large files.
For example, I can navigate my NAS’s files remotely, and even open some small ones up, but if I try to copy something large it fails.
Same with Synology’s photo app. It will back up my photos when connected to wifi and charging but fail at backing up the vids.
If I turn off tailscale and turn on my openVPN connection then the Synology photo app gets the chunky vids through.
So Tailscale can set up a connection and has visibility into my LAN, but I have no idea where and how to troubleshoot the stack to try and figure out where this failure occurs. Is this a jumbo frame enablement thing? A conflict with transitions from protocols like UDP and TCP to IP and then Ethernet frames? Nuking it and maybe as simple as a Synology firewall rule if Tailscale changes sockets for large files and streams?
Phone - OP6/Android
Router - pfsense, snort is set to IDS not IPS (snap I better double check this)
NAS - Synology
Tailscale exit node - same Synology NAS via supported app
All of that and I still had the issue of video lag and failed large file transfers (the latter I feel is an application layer issue due to too many dropped packets).
Then I found this documentation:
I need to enable NAT-PMP…
I don’t think I’m comfortable with this… Rather than enable it I’m wondering if I can make for more specific rules/mappings. There are some interesting settings that kinda do this at first glance, need to read into the documentation better.
But yeah, enabling NAT-PMP fixed it, Tailscale now sets up direct connections versus being stuck using DERP (their relays).
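One way to see where the large-file failure sits before touching NAT-PMP or firewall rules, added here as an example and not code from anyone in this thread: the script reads `tailscale status --json` and lists which peers have a direct path and which are still carried over a DERP relay (the `Peer`, `HostName`, `Online`, `Relay` and `CurAddr` field names are assumed from Tailscale's JSON status output; the embedded status is constructed sample data).

```python
import json

# Constructed sample of `tailscale status --json` output, trimmed to the
# fields this check uses (assumed names: Peer, HostName, Online, Relay,
# CurAddr). It is not captured from any node in this thread.
SAMPLE_STATUS = """
{
  "BackendState": "Running",
  "Self": {"HostName": "op6-phone", "Online": true},
  "Peer": {
    "nodekey:aaaa": {"HostName": "synology-nas", "Online": true,
                     "Relay": "sfo", "CurAddr": ""},
    "nodekey:bbbb": {"HostName": "laptop", "Online": true,
                     "Relay": "sfo", "CurAddr": "203.0.113.10:41641"},
    "nodekey:cccc": {"HostName": "old-desktop", "Online": false,
                     "Relay": "", "CurAddr": ""}
  }
}
"""

def classify_peers(status_json: str) -> dict:
    """Return {hostname: 'direct' | 'relayed' | 'offline'} for every peer.

    A peer with a non-empty CurAddr has a direct WireGuard path. An online
    peer with an empty CurAddr is being carried over the DERP region named
    in Relay, which is the state that makes big transfers crawl or fail.
    """
    status = json.loads(status_json)
    result = {}
    for peer in status.get("Peer", {}).values():
        name = peer.get("HostName", "?")
        if not peer.get("Online", False):
            result[name] = "offline"
        elif peer.get("CurAddr"):
            result[name] = "direct"
        else:
            result[name] = "relayed"
    return result

def relayed_peers(status_json: str) -> list:
    """Names of online peers still stuck on DERP, sorted for stable output."""
    return sorted(n for n, s in classify_peers(status_json).items() if s == "relayed")

if __name__ == "__main__":
    # On a real node: tailscale status --json | python3 this_script.py
    import sys
    data = SAMPLE_STATUS if sys.stdin.isatty() else sys.stdin.read()
    for name, state in classify_peers(data).items():
        print(f"{name:20} {state}")
```

For a single peer, `tailscale ping <peer>` gives the same answer interactively, reporting whether each reply came via DERP or a direct address.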