How to securely access your Synology NAS drive with Enclave
Last Updated: January 20, 2021
Synology are market leaders in network attached storage devices, perfect for home or small business use. Enclave helps you easily build safe, secure and private network connectivity without the hassle of configuring firewalls and VPNs, or needing to manage IP addresses, subnets, ACLs, NAT, routing tables, certificates and secret keys.
In this article we will show you how to easily provide private remote access to your Synology NAS drive without needing to open ports or setup a VPN server, darkening your network to third parties by installing Enclave.
Before you begin, you will need:
- An Enclave account (Register here, for free)
- A Synology NAS drive running at least DSM 7.0 (currently in Beta)
- Administrative access to your Synology NAS drive
When setup, Enclave will be running inside a Docker container on your Synology NAS drive. At the time of writing, Docker can only be installed on devices from the Synology Plus Series product line (not the Value Series) so please check to see if your system is a supported model.
The Synology NAS allows administrators to fully own their devices, enabling SSH and dropping into a root bash prompt on the DSM software, Synology's Linux-based operating system.
Okay, lets get started.
If you have opened administrative access ports on your Synology NAS drive to the public Internet (default ports are 5000, 5001 and 22 for SSH) you should re-consider if they really need to be open and close those ports if not. They are the default HTTP and HTTPS web server ports for Synology DSM and allow access to the administration console.
1. Enable SSH access to your Synology NAS drive
For Enclave to create a virtual network interface, we'll need to ensure that the
tun kernel module is installed and enabled on the device. We do this by enabling and connecting into the device via SSH. Open the
Control Panel, navigate to
Terminal & SNMP and enable the SSH service.
2. Install the TUN kernel module
With SSH enabled, log into your NAS using the admin account and check to see if the
tun kernel module is installed and enabled.
$ lsmod | grep -w tun
lsmod returns no results, you'll need to use
insmod to install it.
$ sudo insmod /lib/modules/tun.ko
lsmod again, you should see
tun module is now loaded:
tun 19133 0
We don't need SSH access any more, if you're not going to use it again please go back and disable the SSH service in the DSM Control Panel.
This was not a permanent change, the module will be unloaded the next time the system reboots, so lets create a script which can be scheduled to run on start-up which will re-install
tun.ko at boot.
- Switch to root
$ sudo su -
- Create the following script on your Synology file system by typing
#!/bin/sh if ( [ ! -c /dev/net/tun ] ); then if ( [ ! -d /dev/net ] ); then mkdir -m 755 /dev/net fi mknod /dev/net/tun c 10 200 fi if ( !(lsmod | grep -q "^tun\s") ); then insmod /lib/modules/tun.ko fi
Save the file with
[escape]followed by the keys
Mark the file as executable
chmod +x /volume1/enable-tun.sh
- Now create a scheduled task to run this script on start-up: Log in to your Synology NAS drive web interface, go to Control Panel > Task Scheduler and create a new
User-defined scriptas a
Triggered Task. Name the task
Enable TUN, set the user to be
rootand the event as
Boot-up. Then, in the
Task Settingstab enter
bash /volume1/enable-tun.shas the User-defined script and hit OK. To test if the script works, after restarting your NAS log back into SSH and run
lsmod | grep -w tunto check that the TUN module was successfully re-loaded.
3. Install Docker
The easiest way to install Docker on your Synology NAS drive is via the DSM package manager. Navigate to the
Package Center and install Docker.
4. Download Enclave from the Docker Registry
Using the search box on the
Registry tab of the Docker package, search for
enclave and download the
enclavenetworks/enclave image from the container registry. The Enclave Docker image hosted on Docker hub.
5. Launch an Enclave container
Once the Enclave image is downloaded, the
Launch button (shown below) in the
Image tab will become available, click this.
Now we are ready to setup the Enclave container. First, give the container a name, we've used
enclave. Also need to be sure to check
Execute container using high privilege, this causes DSM to pass the
--privileged to Docker, which effectively enables the container to request
--cap-add NET_ADMIN (Perform various network-related operations) and
--device /dev/net/tun (Allows devices to run inside the container).
Next, open the
Advanced Settings dialog.
Add Folder. Create a mount path to
dockerdirectory on your DiskStation. This is where Enclave will write its configuration file, private keys, and certificates to persist between reboots.
Select the checkbox to
Use the same network as Docker host. This will allow you to access the Synology NAS drive via the Enclave network.
Define a new Environment Variable called
ENCLAVE_ENROLMENT_KEYand set its value to a valid (and enabled) enrolment key from your Enclave account. Be careful not to include whitespace!
This Enrolment key is only used the first time Enclave runs. When Enclave has successfully started once and written a profile to disk, it is safe to remove this environment variable.
Enrolment keys are available from the Enclave Portal and determine which systems can register to your Enclave account, so we recommend that you keep them secret.
Execution Commandset to the default value of
runand click Apply.
Congratulations! You've finished configuring your container, click
Done to Launch.
6. Connect to the NAS with Enclave
Your Enclave container is starting up and will enrol to your account, within 1 or 2 seconds your Enclave container will be happily humming away in the background. Let's create a connection to another system running Enclave.
From the Docker package, go to the
Container tab, select the Enclave container you've just created and open the container
Details pane. Here you can see CPU usage, RAM usage, container uptime and other information.
Move to the
Terminal tab and click on the
Create button to drop into a bash shell inside the container, from here you can work with and manipulate Enclave as normal using the CLI.
First, use the
status verb to check on the Enclave process and view your container's Local Identity. The container will also be visible as a newly connected system in the Enclave Portal.
# enclave status
Now you know the Local Identity of your container, you can authorise other systems to talk to your container by adding their identities, and visa versa.
# enclave add 4Y68W -d "Build server" # enclave add R89XQ -d "Windows 10 laptop" # enclave add K5W2Q -d "Jane's macbook"
For more information about how to use the CLI, or to learn more about Identities and how Enclave builds connections, please see our documentation.
Now you've added some connections, be sure to check the DNS forwarding is enabled on any peers which you're connected to so they can access your Synology NAS drive using a friendly DNS hostname like
Welcome to your own personal (dark) Internet!
This tutorial requires Docker to be installed on your Synology NAS drive which, at the time of writing, only runs on Synology NAS drives from the Plus Series product line (not the Value Series). Please see the Docker package for an up to date list of supported models.
Having problems? Contact us firstname.lastname@example.org