{"id":23659277,"url":"https://github.com/jackmoore7/tailscale-synology-ssl","last_synced_at":"2025-04-10T17:23:35.774Z","repository":{"id":268827379,"uuid":"905544975","full_name":"jackmoore7/tailscale-synology-ssl","owner":"jackmoore7","description":"How to use Tailscale with a custom domain via Cloudflare and reverse proxy on a Synology NAS","archived":false,"fork":false,"pushed_at":"2025-03-16T22:05:14.000Z","size":26,"stargazers_count":41,"open_issues_count":0,"forks_count":1,"subscribers_count":4,"default_branch":"main","last_synced_at":"2025-03-24T15:03:44.620Z","etag":null,"topics":["cloudflare","cloudflare-api","custom-domain","dsm","nas","reverse-proxy","synology","synology-nas","tailscale"],"latest_commit_sha":null,"homepage":"","language":null,"has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":null,"status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/jackmoore7.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":null,"code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null}},"created_at":"2024-12-19T03:42:11.000Z","updated_at":"2025-03-23T11:18:43.000Z","dependencies_parsed_at":null,"dependency_job_id":"9fcb0472-173a-4bae-b8b7-47766bb0e858","html_url":"https://github.com/jackmoore7/tailscale-synology-ssl","commit_stats":null,"previous_names":["jackmoore7/tailscale-synology-ssl"],"tags_count":0,"template":false,"template_full_name":null,"repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/jackmoore7%2Ftailscale-synology-ssl","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/jackmoore7%2Ftailscale-synology-ssl/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/jackmoore7%2Ftailscale-synology-ssl
/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/jackmoore7%2Ftailscale-synology-ssl/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/jackmoore7","download_url":"https://codeload.github.com/jackmoore7/tailscale-synology-ssl/tar.gz/refs/heads/main","host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":248261953,"owners_count":21074227,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["cloudflare","cloudflare-api","custom-domain","dsm","nas","reverse-proxy","synology","synology-nas","tailscale"],"created_at":"2024-12-29T02:43:22.021Z","updated_at":"2025-04-10T17:23:35.768Z","avatar_url":"https://github.com/jackmoore7.png","language":null,"funding_links":[],"categories":[],"sub_categories":[],"readme":"# How to use Tailscale with a custom domain via Cloudflare and reverse proxy on a Synology NAS\n\n## Introduction\nI recently decided enough is enough, I want to access my self-hosted services while I'm on the go. A lot of people's first thought to accomplish this is **Tailscale**, a service where you can create a private network \"bubble\" of your chosen devices (called a Tailnet), which can be accessed via an oauth of your choosing. Upon signing up, you're given a unique subdomain, such as `tailb12345.ts.net`, which is used for DNS. As such, you can access your devices using this name instead of an IP address.\n\nThat's great and all, but I had wondered if I could take this a step further and use my own domain to access my devices. So, here we are. 
\"But Jack\" I hear you say, \"Won't it be secure anyway if we're connecting through Tailscale?\" And to that I say, well yes! But this method does come with a couple of benefits:\n - Not having to remember which port is which since it'll all be handled via reverse proxy\n - Not having to remember (frankly ugly) domain names\n\n## Prerequisites\n - A Synology NAS\n - Docker installed on your NAS\n - A domain managed via Cloudflare\n - The ability to SSH into your NAS\n\n## Initial setup\nFirst off, you'll need to install Tailscale on your Synology NAS. There's a great video by Tailscale's YouTube channel that explains step-by-step how to install Tailscale, configure auto-update, and enable HTTPS: https://www.youtube.com/watch?v=0o2EhK-QvmY\n\nOnce you think you've got it set up, give it a test by going to `https://[nas name].[tailnet name].ts.net`. In my case, my NAS is called `ds920`, and my tailnet name is `tailb12345`.\n![brave_waKsC06BDN](https://github.com/user-attachments/assets/0099ef25-376f-4672-aec1-59129f2593f2)\nAnd, we have a successful connection to our machine over HTTPS.\n\u003cimg width=\"1470\" alt=\"Screenshot 2024-12-19 at 15 05 14\" src=\"https://github.com/user-attachments/assets/2be220e0-bbc4-43ff-a2cb-614a6cc14835\" /\u003e\n\n## Custom domain with wildcard\nNow comes the fun part! We're going to use **Certbot** to get us a wildcard certificate by using the Cloudflare API to complete the DNS-01 challenge.\n\n### Generating a Cloudflare API token\n\n1. Create a User API token. \n\nGo to My Profile \u003e API Tokens \u003e Create Token. 
Give it whatever name you desire, and set parameters like so:\n- Permissions:\n  \t- Zone: Zone: Read\n\t- Zone: DNS: Edit\n- Zone Resources:\n\t- Include: Specific zone: `domain.com` (where `domain.com` is your domain)\n\nYour summary should look like this: \n\u003cimg width=\"716\" alt=\"Screenshot 2024-12-27 at 10 55 09\" src=\"https://github.com/user-attachments/assets/78df83af-ce08-4c51-822c-45a606c55a16\" /\u003e\n\n2. Save the API token somewhere, because you won't be able to see it again.\n\n### Running Certbot\n\nThis section will assume your volume is called `volume1` and that you have a folder called `docker` inside. Please make necessary adjustments if this doesn't align with your setup.\n\n1. SSH into your NAS (if you don't know how to do this on your platform, there are a lot of guides out there)\n2. Create the necessary directories for Certbot: `sudo mkdir -p /volume1/docker/certbot/{logs,lib_letsencrypt,etc_letsencrypt}`\n3. Create the Certbot configuration file: `sudo touch /volume1/docker/certbot/lib_letsencrypt/cloudflare.ini`\n4. Add your Cloudflare API token:\n```\necho \"dns_cloudflare_api_token = your-cloudflare-api-token\" | \\\nsudo tee /volume1/docker/certbot/lib_letsencrypt/cloudflare.ini \u003e /dev/null\n```\n5. Use the following command to launch a temporary Docker container which runs Certbot and adds the necessary DNS records to your domain. Make sure you replace the domains and email with your own.\n```\nsudo docker run --rm \\\n  -v /volume1/docker/certbot/etc_letsencrypt:/etc/letsencrypt \\\n  -v /volume1/docker/certbot/lib_letsencrypt:/var/lib/letsencrypt \\\n  -v /volume1/docker/certbot/logs:/var/log/letsencrypt \\\n  certbot/dns-cloudflare:latest certonly \\\n  --dns-cloudflare \\\n  --dns-cloudflare-credentials /var/lib/letsencrypt/cloudflare.ini \\\n  --dns-cloudflare-propagation-seconds 30 \\\n  -d \"*.subdomain.domain.com\" -d \"subdomain.domain.com\" \\\n  --non-interactive --agree-tos --email your-email@example.com\n```\n\n6. 
If successful, you'll find your new certificates at `.../docker/certbot/etc_letsencrypt/live`. You'll need to download the following files:\n - Private Key - `privkey.pem`\n - Certificate - `cert.pem`\n \u003eA couple of people have reported that their certificates were generated in `.../docker/certbot/etc_letsencrypt/archive` instead of `/live`. \n\n7. Import the certificate to your NAS. It'll be in Control Panel \u003e Security \u003e Certificate. Select Add \u003e Add a new certificate \u003e Import certificate \u003e Upload the `Private Key` and `Certificate`. Don't worry about the Intermediate certificate. \n\n8. Your certificates page should now look something like this: \n![brave_kpcgyR2F1v](https://github.com/user-attachments/assets/d86cb779-48f8-4c85-9345-b12f1e607d88)\n\n## Configure the certificate check script\n\nDownload the certificate check script and run it once to create a configuration file. Then, add your certificate details to the file.\n\n1. Download the script and make it executable:\n\n    ```bash\n    sudo wget -O check_certs.sh https://raw.githubusercontent.com/telnetdoogie/synology-scripts/main/check_certs.sh \u0026\u0026 \\\n    sudo chmod +x check_certs.sh\n    ```\n2. Run the script to create the configuration file:\n\n    ```bash\n    sudo ./check_certs.sh\n    ```\n\n3. Open the configuration file in a text editor and add your certificate's Common Name (CN) and file path: \n\n    ```json\n    {\n      \"config\": [\n        {\n          \"cn\": \"*.subdomain.domain.com\",\n          \"cert_path\": \"/volume1/docker/certbot/etc_letsencrypt/live/domain.com\"\n        }\n      ]\n    }\n    ```\n\n## Schedule certificate renewals\n\nLet's Encrypt certificates expire every 90 days, but you can automate renewals with the Synology Task Scheduler. To do this, schedule two tasks: one to renew your certificates and another to install them using `check_certs.sh`. \n\n1. 
In Synology DiskStation Manager, go to **Control Panel** \u003e **Task Scheduler**.\n\n1. Using **Create** \u003e **Scheduled Task** \u003e **User Defined Script**, add two repeating tasks which run as `root` one hour apart.\n\n    For each task, in the **Task Settings** tab under **Run Command**, enter the following.\n\n    a. For the script to **renew certificates** in the Certbot folder:\n\n    ```bash\n    /bin/bash\n    sudo docker run -v /volume1/docker/certbot/etc_letsencrypt:/etc/letsencrypt \\\n        -v /volume1/docker/certbot/lib_letsencrypt:/var/lib/letsencrypt \\\n        -v /volume1/docker/certbot/logs:/var/log/letsencrypt \\\n        --rm \\\n        --cap-drop=all \\\n        certbot/dns-cloudflare:latest \\\n        renew\n    ```\n    b. For the script to **install certificates** on your NAS:\n\n    ```bash\n    /bin/bash\n    cd /path/to/script # Change into the script directory \n    bash /path/to/script/check_certs.sh --update\n    ```\n\n## Adding Cloudflare CNAME wildcard\nNow that we've got a wildcard SSL certificate for our subdomain, we'll need to add a couple of CNAME records which will point our domain towards our Tailnet name. \n1. The first record we'll add will have the following attributes:\n    - Type: `CNAME`\n    - Name: `*.subdomain` (a subdomain of your choosing)\n    - Target: `ds920.tailb12345.ts.net` (where `tailb12345` is your tailnet name and `ds920` is the name of your NAS)\n    - Proxy status: `DNS Only`\n    - TTL: `Auto`\n2. The second is optional, but I like to have this as a kind of \"home page\" where I can link all of my services in one place.\n    - Type: `CNAME`\n    - Name: `subdomain`\n    - Target: `ds920.tailb12345.ts.net`\n    - Proxy status: `DNS Only`\n    - TTL: `Auto`\n\nAnd that's Cloudflare setup complete! 
Your DNS records page should look something like this:\n![brave_KEza5JvOuB](https://github.com/user-attachments/assets/210d9017-1b49-4a80-a3d4-19fc3138ecee)\n\n## Synology NAS reverse proxy\nSince we've only set up a wildcard CNAME record, we still need to tell the NAS where to route a request. One of the amazing showstopping spectacular features of Synology DSM is a built-in reverse proxy manager that's ready to go. We'll be using this to point various sub-subdomains of our choosing to the correct service. In this example, we'll add a reverse proxy to connect to DSM.\n1. Open Control Panel \u003e Login Portal \u003e Advanced \u003e Reverse Proxy\n2. Hit Create\n3. Under General:\n    - **Source**:\n    - Name: `dsm`\n    - Protocol: `HTTPS`\n    - Hostname: `dsm.subdomain.domain.com`\n    - Port: `443`\n    - HSTS: Unchecked\n    - **Destination**:\n    - Protocol: `HTTPS` (because we'll be connecting to the secure port 5001)\n    - Hostname: `localhost`\n    - Port: `5001`\n4. Hit Save\n5. Add as many services as you desire. **Important: you should only use HTTPS in the destination if you are positive that it's a secure port. If you aren't sure, use HTTP. In most cases, you will be using HTTP.**\nOnce configured, your reverse proxy list should look something like this:\n![brave_I4qRUgBoUc](https://github.com/user-attachments/assets/0d3ae71a-1df8-4d0f-ad46-33e4ac79ca91)\n6. Now, open back up your certificate settings and set your reverse proxies to use your wildcard SSL certificate:\n![brave_YIf2Arwvmm](https://github.com/user-attachments/assets/ba08973f-6602-427d-89e4-10a86192024e)\n\n## Testing\nIf we've done everything correctly, we should be able to get to each of our services securely (without having to worry about ports!) Let's give it a go with Portainer:\n\u003cimg width=\"1470\" alt=\"Screenshot 2024-12-27 at 11 18 19\" src=\"https://github.com/user-attachments/assets/081ff9cc-f430-4d5c-a6a7-008e349668a8\" /\u003e\nSuccess! 
\n\n\u003e Disclaimer: Some of this guide was copied verbatim from https://github.com/btbristow/tutorials/blob/main/certbot-with-cloudflare.md\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fjackmoore7%2Ftailscale-synology-ssl","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fjackmoore7%2Ftailscale-synology-ssl","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fjackmoore7%2Ftailscale-synology-ssl/lists"}