Synology NAS instructions #41

Closed
timkelty opened this issue Nov 18, 2015 · 39 comments

@timkelty

After some tinkering I got this working on a Synology NAS (412+).
Just wanted to share in case anyone else was trying.

Here's what I had to do:

  • Add --dns 8.8.8.8 --dns 8.8.4.4 to the docker run command (as noted in README)
  • Run the following script on startup.
    • In my case, this meant putting the script here (making sure it is executable): /usr/syno/etc.defaults/rc.d/S01tun.sh

    #!/bin/sh

    # Create the necessary file structure for /dev/net/tun
    if ( [ ! -c /dev/net/tun ] ); then
      if ( [ ! -d /dev/net ] ); then
        mkdir -m 755 /dev/net
      fi
      mknod /dev/net/tun c 10 200
    fi

    # Load the tun module if not already loaded
    if ( !(lsmod | grep -q "^tun\s") ); then
      insmod /lib/modules/tun.ko
    fi

@haugene
Owner

haugene commented Nov 18, 2015

Nice! Thanks for the input. I'm guessing this is related to issue #26 as well.

I'll add a reference to it from the README the next time I'm doing some changes. Maybe expand the known issues section to be a Known Issues/FAQ/Tips and Tricks kind of thing.

@haugene
Owner

haugene commented Dec 4, 2015

The --dns options will be used to write the container's /etc/resolv.conf
You could probably make your own resolv.conf file on the host and mount it with -v /your/resolv.conf:/etc/resolv.conf

You should maybe instead mount something to /etc/resolvconf/resolv.conf.d/head that will be prepended to your /etc/resolv.conf when resolvconf generates it.

Or something like that. It might fix the issues. And if it doesn't I would just exec into the container (docker exec -it bash) and change stuff manually and test using dig/ping until it resolves the hostnames. When you change the /etc/resolvconf/resolv.conf.d/head file you can make resolvconf reload the config based on your changes by running "resolvconf -u".

@timkelty
Author

timkelty commented Dec 4, 2015

Thanks, when I get time I'll give it a try. As it is it seems to work well enough, though.

@hamlynt

hamlynt commented Dec 21, 2015

@timkelty Thanks very much for this outline, I'm also trying to run this on a Synology NAS.

@haugene Unfortunately the Synology GUI doesn't support --dns and due to my lack of command line experience I have yet to get things working via the command line and overriding /etc/resolv.conf.

Any chance of adding back the RESOLV_OVERRIDE option? I think this would work seamlessly from the Synology GUI.

@ghost

ghost commented Mar 3, 2016

@timkelty you are the man. Thank you very much. I searched for two days but the solution was just premade here.. haha

@timkelty
Author

timkelty commented Mar 3, 2016

@Khogniak glad to be of service!

@rolandb5
Contributor

@timkelty I feel I'm almost there getting this running on my Synology, but the tracker cannot connect.
https://www.dropbox.com/s/962x5r49f7ahe9e/Screenshot%202016-03-20%2014.00.33.png?dl=0

https://www.dropbox.com/s/fv383e6i089yl8j/Screenshot%202016-03-20%2014.12.57.png?dl=0

Any clues, which settings are not ok?


Never mind, the DNS settings could not be added as an environment variable. Had to add the container by logging in via an SSH terminal and running the full command including the --dns settings.

@timkelty
Author

@rolandb5 👍 Can't remember if that's how I did it, but you got it working?

@rolandb5
Contributor

Yep, didn't know how to run the DNS command via the Synology GUI. SSH did the trick. If someone needs my command line entry to get this running, let me know.

@TheWolf474

@rolandb5 Yes, please let me know what the SSH command is ! :D

@rolandb5
Contributor

@TheWolf474 docker run --privileged --dns 8.8.8.8 --dns 8.8.4.4 -d -v /your/path/:/data -e "OPENVPN_PROVIDER=PIA" -e "OPENVPN_CONFIG=Netherlands" -e "OPENVPN_USERNAME=XXXXX" -e "OPENVPN_PASSWORD=XXXXX" -p 9091:9091 haugene/transmission-openvpn

@timkelty
Author

FYI - I had to re-apply this after upgrading to DSM 6

@malmentm

I really want to get this working, but it's a bit overwhelming for a novice like me :) I'm running DSM 6.0 and got the docker container to start, with the help of @timkelty's script. But I cannot access the web GUI and I don't know how to get the --dns options to work. If I try the command via SSH, "docker run --privileged --dns 8.8.8.8 --dns 8.8.4.4 -d -v /your/path/:/data -e "OPENVPN_PROVIDER=PIA" -e "OPENVPN_CONFIG=Netherlands" -e "OPENVPN_USERNAME=XXXXX" -e "OPENVPN_PASSWORD=XXXXX" -p 9091:9091 haugene/transmission-openvpn" only gives me an error "Cannot connect to the Docker daemon. Is the docker daemon running on this host?"

I can't get the script to run at startup :( have done the chmod +x

Any help would be appreciated :)

@ghost

ghost commented Mar 27, 2016

@malmentm as @timkelty said you have to recreate that script file, but also I noticed that in DSM 6 /usr/syno/etc.defaults/rc.d/ seems to have become /usr/syno/etc.defaults/rc.sysv/ (that should make your script run on startup) :)

@timkelty
Author

Yep - so looks like I'm in the same boat as some of you after DSM 6 upgrade.

@Khogniak seems to be right that the rc.d script doesn't work anymore. But perhaps just moving it to rc.sysv will fix?

So when I have my container running now (on DSM 6.0), I can connect to the Transmission client and add torrents, but nothing downloads. If I inspect one, I can see that it can't connect to any trackers, presumably because the --dns options aren't set or working.

I can't run the docker run command like I was able to before (I get the same "Cannot connect to the Docker daemon" message @malmentm is getting).

@ghost

ghost commented Mar 27, 2016

@timkelty: Yep, I just noticed that after posting, my downloads were stuck too and it didn't connect to trackers.
I managed to run the command as root (and downloads work perfectly now).
This issue comes with the security enhancement on DSM 6, since we cannot directly connect as root.

So ;

  1. connect as admin
  2. run sudo su -
  3. enter your admin password (not root)

You are now logged in as root and can run the docker run command with no error :)

@timkelty
Author

@Khogniak that did it!
Seemingly if you start it once from the CLI, you can still just restart that same container with the DSM interface later and have it still work too.

@malmentm

@Khogniak I've put the script at the new location you mentioned for DSM 6.0 but it won't run at startup :( If I start the script with sudo sh S01tun.sh I can start the container, so the script is fine. Any suggestions? :P

@timkelty
Author

Here's what I did:

  • Put the script in /volume1/etc/tun.sh (to prevent Syno from wiping out on future upgrades)
  • Use Task Scheduler to run a "User-defined script" on startup, pointing to /volume1/etc/tun.sh, running as root, as @Khogniak suggests (though I didn't get an error for a "Boot-up" script).
  • Run the run command w/ dns options as root (also, give it a name with --name "vpn-torrent")
  • You can then see this container running with the Docker GUI in DSM. Stop it, edit it:
    • Create a desktop shortcut
    • Enable auto restart
    • I was also forced to delete some invalid env vars for some reason
    • Run the container!

@ghost

ghost commented Mar 28, 2016

@timkelty Does using Task Scheduler work for you? Because for me, even if I specify the scheduler to run it as root, it acts like when we run it manually as admin: torrents are stuck and it doesn't connect to trackers.

@timkelty
Author

@Khogniak It seems to be working, yes. Though I'm still seeing lots of "Could not connect to tracker" errors, stuff seems to be downloading, maybe that's normal.

To be clear:
I'm pretty sure the stuck downloads/"Could not connect to tracker" problems are specifically related to the --dns options, while not being able to run the container at all is the startup script/tun stuff.

@ghost

ghost commented Mar 28, 2016

@timkelty Hum ok, can you please detail your scheduled task?

@timkelty
Author

@Khogniak ok...here's what I've learned through testing:

If DSM/GUI EVER starts your container (including manually, or even if it is already running and you restart), your --dns options are lost. Seemingly, that container will never have them again.

You can run the docker run command, stop the container (either through DSM or docker stop my-container-name).

You can then restart the container with docker start my-container-name, and everything will work (--dns). However, if you start it with the DSM GUI, no dice. Furthermore, if you then later go and start with docker start, --dns options are lost.

So, I'm not really sure how to get it working consistently. Seems like we need DSM's docker package to support the dns option.

Or should explore @haugene's suggestion:

The --dns options will be used to write the containers /etc/resolv.conf
You could probably make your own resolv.conf file on the host and mount it with -v /your/resolv.conf:/etc/resolv.conf

@timkelty
Author

Ok, this seems to fix it for me!

Add this line to your docker run command: -v /volume1/etc/resolv-google.conf:/etc/resolv.conf

And on our DS, add /volume1/etc/resolv-google.conf with:

    nameserver 8.8.8.8
    nameserver 8.8.4.4

Now you don't even need the --dns args, so synology can start everything.

@ghost

ghost commented Mar 28, 2016

For me too !
And the most awesome is .. Now we can edit DNS conf and TUN script directly in the GUI text-editor :D

@malmentm

I don't use any --dns options and mine connects to trackers fine.

@ghost

ghost commented Mar 28, 2016

@malmentm How about DNS leak ?

@malmentm

How do I check for dns leak? I only tested ipeak.net torrent test. I use tigerVPN by the way, they say on the homepage that their DNS servers are provided on connect.

@harermuir

Strange issue with the script.

I have put it in the right place on the server, but it seems I cannot run it. All the commands work correctly when written manually, but the script doesn't seem to start.

If I try to run it manually, I obtain a: -ash: ./S01tun.sh: not found. The other scripts in rc.d can be launched without any error. Permissions seem ok (-rwxr-xr-x for all files in the folder). I've got no clue what's going on.

@haugene
Owner

haugene commented Apr 2, 2016

@Khogniak DNS leak is an interesting one. But it depends on what your resolv.conf will be set inside the container I guess. Which again is up to the Docker daemon and your host system. If your ISP DNS servers are set, they will be treated as external traffic and routed through the VPN interface so you're OK. But if your resolv.conf is something like 127.0.0.1 or 172.17.x.x (docker ip space) I guess the DNS requests will be routed through your host and you'll have a leak.

Anyways, probably a bit off topic for the Synology thread here. But might be worth some exploring in another issue. And perhaps a little notice in the README that setting --dns could be the safer choice.

@ghost

ghost commented Apr 4, 2016

@haugene Hum, dns 8.8.8.8 and 8.8.4.4 above-mentioned correspond to Google's DNS, which is (for the moment) one of the safer against country-related leaks (after Open DNS). So, if we follow the above tutorial and set Google DNS in conf file, I imagine Synology will not overcome docker-specific dns :)

@timkelty
Author

timkelty commented Apr 4, 2016

@haugene I hadn't considered someone putting in a local IP.
I think everyone in this thread is just using Google's IP for DNS, which should be fine, as I understand it.

@haugene
Owner

haugene commented Apr 4, 2016

Yup. Using Google DNS you should be fine, no DNS leaks. I don't think people would set a local IP with intent either. Just figured that it could probably be some scenario where the host by default sets itself as DNS server for the containers. And that could be trouble.

But as long as the DNS servers are set in a public IP range, it will be routed through the VPN interface.
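
An added example, not part of the thread or the project's code: a POSIX shell check that applies the rule in the comment above (public nameservers go through the VPN interface, 127.0.0.1 or the Docker range may not) to a resolv.conf file. It goes slightly beyond the two addresses named there by also flagging the other loopback, RFC 1918 and link-local ranges for review; the function names and sample files are constructed for illustration.

```shell
#!/bin/sh
# Added example: apply the "public range" rule from the comment above to the
# nameserver lines of a resolv.conf. Function names are illustrative.

# classify_ns ADDR: print "public", or "non-public" for loopback, RFC 1918,
# link-local and IPv6 loopback/ULA/link-local addresses.
classify_ns() {
  case "$1" in
    127.*|10.*|192.168.*|169.254.*|0.0.0.0)      echo non-public ;;
    172.1[6-9].*|172.2[0-9].*|172.3[01].*)       echo non-public ;;
    ::1|[fF][cCdD][0-9a-fA-F][0-9a-fA-F]:*)      echo non-public ;;
    [fF][eE][89aAbB][0-9a-fA-F]:*)               echo non-public ;;
    *)                                           echo public ;;
  esac
}

# audit_resolv FILE: print each nameserver with its class.
# Returns 0 if every nameserver is public, 1 if any is non-public,
# 2 if the file is unreadable or lists no nameserver at all.
audit_resolv() {
  file=$1
  [ -r "$file" ] || { echo "cannot read $file" >&2; return 2; }
  total=0
  flagged=0
  # The "|| [ -n ... ]" keeps a final line that lacks a trailing newline.
  while read -r key addr _rest || [ -n "$key" ]; do
    [ "$key" = "nameserver" ] && [ -n "$addr" ] || continue
    total=$((total + 1))
    kind=$(classify_ns "$addr")
    echo "$addr $kind"
    [ "$kind" = "public" ] || flagged=$((flagged + 1))
  done < "$file"
  [ "$total" -gt 0 ] || return 2
  [ "$flagged" -eq 0 ]
}

# Constructed sample files (not captured from a real host).
tmp=$(mktemp -d)
trap 'rm -rf "$tmp"' EXIT
printf 'nameserver 8.8.8.8\nnameserver 8.8.4.4\n' > "$tmp/pinned.conf"
printf '# inherited from the host\nnameserver 172.17.0.1' > "$tmp/inherited.conf"

for f in "$tmp/pinned.conf" "$tmp/inherited.conf"; do
  if audit_resolv "$f"; then
    echo "$f: all nameservers public"
  else
    echo "$f: review before relying on the tunnel for DNS"
  fi
done
```

Run it against the resolv.conf you mount into the container, or against a copy of the container's own /etc/resolv.conf.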

@ghost

ghost commented Apr 4, 2016

Here is the whole summary using everyone's information. (Could maybe be improved / added to the doc, cc @haugene):

  • Connect as admin to your Synology SSH
  • Switch to root with command sudo su -
  • Enter your admin password when prompted
  • Create a TUN.sh file anywhere in your synology file system by typing vim /volume1/foldername/TUN.sh
    replacing foldername with any folder you created on your Synology
  • Paste @timkelty 's script :

    #!/bin/sh

    # Create the necessary file structure for /dev/net/tun
    if ( [ ! -c /dev/net/tun ] ); then
        if ( [ ! -d /dev/net ] ); then
            mkdir -m 755 /dev/net
        fi
        mknod /dev/net/tun c 10 200
    fi

    # Load the tun module if not already loaded
    if ( !(lsmod | grep -q "^tun\s") ); then
        insmod /lib/modules/tun.ko
    fi

  • Save the file with [escape] + :wq!
  • Go in the folder containing your script : cd /volume1/foldername/
  • Check permission with chmod 0755 TUN.sh
  • Run it with ./TUN.sh
  • Create the DNS config file by typing vim /volume1/foldername/resolv.conf
  • Paste the following lines :

    nameserver 8.8.8.8
    nameserver 8.8.4.4

  • Save the file with [escape] + :wq!
  • Create your docker container with docker run --privileged -d --name TransmissionVPN -v /volume1/foldername/resolv.conf:/etc/resolv.conf -v /volume1/yourpath/:/data -e "OPENVPN_PROVIDER=PIA" -e "OPENVPN_CONFIG=Netherlands" -e "OPENVPN_USERNAME=XXXXX" -e "OPENVPN_PASSWORD=XXXXX" -p 9092:9091 haugene/transmission-openvpn
  • If you wish to access WebUI, just run the nginx container as explained in doc on ports 9091:9091
  • To make it work after a NAS restart, create an automated task in your Synology web interface: go to Settings Panel > Task Scheduler and create a new task that runs /volume1/foldername/TUN.sh as root (select 'root' in the 'user' select box). This task will start the module that permits the container to run; you can make a task that runs on startup. These kinds of tasks don't work on my NAS, so I just made a task that runs every minute.
  • Enjoy

@haugene
Owner

haugene commented Apr 7, 2016

Thanks @Khogniak! Great summary for this issue. I will include it in the README and then maybe close this issue at some point :) Another Synology-thread will probably pop up, but it looks like the first iteration of NAS-tinkering has brought good results.

Kind of busy these days, but I'll sit myself down and just do it at some point. Until then... If anyone is up for it, feel free to submit it as a PR!

@haugene
Owner

haugene commented Apr 8, 2016

Readme is now updated, as of PR #62. Closing this issue.

@haugene haugene closed this as completed Apr 8, 2016

@haderack

For those using the Synology Docker GUI that want to use that and not the command line for the docker command you can make this work by slightly modifying the instructions for Synology from above.

Add the resolv.conf file to a location that you can access for the docker image and mount it as /etc/resolv.conf.

Set the Docker container to "Execute container using high privilege".

You still need to set the TUN.sh script up, but otherwise the rest of the Docker stuff can be done in the GUI.

@jonk999

jonk999 commented Apr 8, 2017

Have been trying to get this to work and am having issues with TUN.
I follow the directions and seems to work, but when I run the container I get the error:
ERROR: Cannot open TUN/TAP dev /dev/net/tun: No such file or directory (errno=2)

Any ideas?

@Marcus59

Marcus59 commented Sep 20, 2017

@jonk999 I used to have the same error. If you run docker via the synology GUI check the high privilege box for your container. It allows the docker container to run as root and use all the devices of the host (see https://docs.docker.com/engine/reference/run/#additional-groups section Runtime privilege and Linux capabilities and maybe other for more info on docker and privileges).
For me it worked.
And if you do not want to run the TUN.sh script at each startup you can install the synology VPN server it should create the necessary structure for OpenVPN

ducseb added a commit to ducseb/docker-transmission-openvpn that referenced this issue Oct 18, 2018
I've added a chmod to tun device to allow unprivileged docker containers to use tun device and send traffic through the vpn.
Related to this issue: haugene#41