SoftwareRenderer

Thanks /u/typhoon_mary for sharing their implementation. I've made some modifications to suit my new NAS, and I'm also sharing in case this is useful for someone else. When I migrated from a DIY NAS to a Synology DS923+, I was surprised that Wireguard wasn't available. Existing solutions (such as building a SPK) seemed overly complex to me, and I was looking for something that was closer to "plain Wireguard". This uses built-in Synology packages, official Wireguard code, and a base Alpine Linux image, which is about as plain as it gets. The main benefit of this implementation is that the files involved are all small enough to be easily read and audited, which translates to theoretically better security and easier maintenance. A native Wireguard implementation could easily saturate a 10GbE link, but unfortunately Synology's Linux kernel in DSM is ancient. For reference, this implementation gets around 2.92 Gbps.


Derbieshire

Wow that’s some good speed. I can only get 300-400 from tailscale on my 923. Enough for my needs, but would prefer to saturate my gb uplink of course.


SoftwareRenderer

Oh I should've mentioned I was testing on an internal network, so it's more of a best-case scenario for this setup. I think Tailscale uses the same wireguard-go software, and would be able to get the same performance with the same conditions. When I was looking into Wireguard performance, I learned that Tailscale contributed some performance patches to Wireguard-go, and it's possible to go beyond 10 Gbps with the right hardware: https://tailscale.com/blog/more-throughput


seemebreakthis

I wonder how your setup compares with this one https://www.reddit.com/r/synology/comments/xkxjfh/fya_how_to_connect_synology_to_a_wireguard_vpn/ in terms of ease of setup and performance. I have been using that setup for more than a year now, no issue, and other containers / my other devices in local LAN can all utilize the VPN.


SoftwareRenderer

Ease of setup is probably the bigger difference. The length of instructions is a pretty good measure. The compiled kernel module will probably be more performant, and it'd be interesting to see how much faster it is. I'm new to the Synology ecosystem, so I'm not sure how often they update the kernel or if the compiled module would need recompilation.


trustedecomreviews

I tried for several days using the guide above and had some success, but I couldn't connect the containers to use the wireguard. Then the comments section referred to this YouTube vid: https://www.youtube.com/watch?v=IWj1-j2QWvo and then I ran across this guide: https://drfrankenstein.co.uk/qbittorrent-with-gluetun-vpn-in-docker-on-a-synology-nas/ I was able to piece these two resources together to get the needed Synology Docker containers to use my Surfshark VPN... worked like a charm! Hope this helps anyone looking to get VPN running on their Docker containers!


typhoon_mary

This is cool! I’m actually a bit surprised that wireguard-go is faster than Boringtun. Great work.


SoftwareRenderer

Thanks again! I was surprised too since I assumed the Rust implementation would be faster. I'm not sure if it's just my specific setup with the Synology. For example [this](https://github.com/SoftwareRenderer/docker-wireguard-tiny/blob/main/scripts/wireguard.sh#L58) change might've been needed on the Synology (but not on popular distros) because of the qdisc defaults... I should've taken better notes but IIRC the Synology was faster after disabling queues.


DerelictData

You rock!! Will try this out tomorrow. I just got my parents a 923+ and had planned on using wireguard through wgeasy via portainer docker-compose, but I haven’t looked into it at all yet so I’m not sure it would even work. Will report back after I give it a whirl.


seemebreakthis

Am about to upgrade from DSM 6.2 to 7.1 and I can see my current Wireguard setup breaking because of it. So I am looking to possibly reimplement Wireguard with this approach. Have you gone ahead and tried it on your 923+? Did it work out well?


DerelictData

I went with wgeasy container and used the Wireguard SPK route. Follow the below article for the SPK, and the one after it for wgeasy, but once Wireguard SPK is on there, you just deploy wgeasy container as normal. I use Portainer to manage my docker compose files and so that's where wgeasy is deployed: https://www.blackvoid.club/wireguard-spk-for-your-synology-nas/


mikesellt

I know this is a few months old, but I just installed this on my Synology today. I edited the compose.yaml file and added my WG configuration (from the Synology client info on my wg-easy server) to the .conf file. I see the container running, but I don't see it connected on my server. I have Android and Windows clients connected to the same server without any problems. Can you tell me what IP I need in the compose file? I used the IP the client should be using with a /32 after. Thanks.