Enabling outbound Tailscale connections on Synology NAS devices is essential when using services like Snapshot Replication or Hyper Backup over Tailscale IPs. By default, DSM 7 has limitations that prevent outbound traffic from working properly. This guide shows how to fix the issue using Tailscale’s supported method so replication works seamlessly.
In this blog post, we will walk through why this configuration is needed, the commands required, and how to apply the setup so it persists across reboots!
- Why This Is Needed
- Recommended Setup
- Configure Tailscale for Outbound Support at Boot
- Apply on Both Devices
- Notes
- Conclusion
Why This Is Needed
By default, Synology DSM 7 does not allow outbound Tailscale traffic for replication services due to missing kernel interface permissions and capabilities. This results in snapshot replication or backups failing when using Tailscale IPs.
The updated method provided by Tailscale:
- Fixes this issue cleanly
- Avoids manual device configuration with /dev/net/tun
- Persists through reboots and DSM updates
- Uses Tailscale’s officially supported tool
Recommended Setup
On each NAS participating in Tailscale-based replication, run the following command once to enable outbound support:
Command:
sudo /var/packages/Tailscale/target/bin/tailscale configure-host; sudo synosystemctl restart pkgctl-Tailscale.service
This command performs the following:
- Grants cap_net_admin privileges to the Tailscale process (tailscaled)
- Ensures the TUN interface is prepared
- Restarts the Tailscale service cleanly
Note: A TUN device (short for network TUNnel) is a virtual network kernel device used to create point-to-point tunnels. It operates at Layer 3 (Network Layer) of the OSI model and is used by VPN software like Tailscale, WireGuard, and OpenVPN to securely route traffic.
Configure Tailscale for Outbound Support at Boot
To make sure outbound support is reapplied after every reboot, configure a boot-time scheduled task in DSM:
- Open Control Panel > Task Scheduler
- Click Create > Triggered Task > User-defined script
- Name it: Tailscale Bootup Script
- Event: Boot-up
- User: root
- Task Settings > Run Command (one command per line):
  sleep 3m
  /var/packages/Tailscale/target/bin/tailscale configure-host
  synosystemctl restart pkgctl-Tailscale.service
  The sleep 3m delay gives DSM time to fully boot before restarting Tailscale.
- (Optional) Configure Task Settings > Email with an address like support@yourdomain.com for alerts.
If you’re interested in the details, you can review the configure-host code on GitHub.
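To confirm that the boot task actually took effect, the following check (an added example, not part of the original post or of Tailscale's tooling) verifies that /dev/net/tun exists and that the running tailscaled process holds cap_net_admin in its effective capability set. The function names are hypothetical, and the script assumes pidof is available on the NAS.

```shell
#!/bin/sh
# Added example: verify the effect of `tailscale configure-host` after boot.
# Usage on the NAS (as root): sh verify-tailscale-host.sh run
# CAP_NET_ADMIN is capability number 12 in linux/capability.h.
CAP_NET_ADMIN_BIT=12

# capeff_from_status FILE: print the CapEff hex mask from a /proc/PID/status file
capeff_from_status() {
    awk '$1 == "CapEff:" { print $2; exit }' "$1"
}

# mask_has_cap HEXMASK BIT: succeed if the given bit is set in the mask
mask_has_cap() {
    [ -n "$1" ] || return 1
    [ $(( (0x$1 >> $2) & 1 )) -eq 1 ]
}

# status_has_net_admin FILE: succeed if that process holds CAP_NET_ADMIN
status_has_net_admin() {
    mask_has_cap "$(capeff_from_status "$1")" "$CAP_NET_ADMIN_BIT"
}

# check_host: inspect the live system, print one line per finding
check_host() {
    rc=0
    if [ -c /dev/net/tun ]; then
        echo "OK   /dev/net/tun is a character device"
    else
        echo "FAIL /dev/net/tun is missing"; rc=1
    fi
    # Assumption: pidof exists on this DSM build; take the first PID it reports.
    pid=$(pidof tailscaled 2>/dev/null | awk '{ print $1 }')
    if [ -z "$pid" ]; then
        echo "FAIL tailscaled is not running"; return 1
    fi
    if status_has_net_admin "/proc/$pid/status"; then
        echo "OK   tailscaled (pid $pid) has cap_net_admin"
    else
        echo "FAIL tailscaled (pid $pid) lacks cap_net_admin"; rc=1
    fi
    return $rc
}

# Only touch the live system when asked to, so the functions can be sourced.
if [ "${1:-}" = "run" ]; then
    check_host
fi
```

A FAIL line after a reboot usually means the boot-up task did not run or ran before DSM was ready; check the task's run result in Task Scheduler.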
Apply on Both Devices
If you’re using Snapshot Replication or Hyper Backup between two NAS units, you must configure outbound support on both the source and destination devices. This ensures that whichever side initiates the replication has full Tailscale connectivity.
Notes
- This configuration method is documented in the official Tailscale knowledge base: Synology Outbound Guide
- Best used in setups where the NAS acts as an initiator of replication or backups.
- Works seamlessly across reboots and DSM updates without requiring manual intervention.
Conclusion
Outbound configuration is a must-have if you want to use Tailscale IPs for Synology Snapshot Replication or Hyper Backup. By running the supported configure-host command and scheduling it at boot, you can ensure replication traffic flows securely and reliably. This method is simple, persistent, and officially supported, making it the best way to enable cross-site NAS backups with Tailscale.