Creating backups is good - creating offsite backups is even better.

Goals

  • Maintain a secure offsite backup of one or more shared folders on your Synology NAS
  • The offsite backup will be encrypted at rest
  • Backup data in transit will be encrypted using Tailscale WireGuard VPN

Prerequisites

You will need 2 Synology NAS devices, running DSM7 or newer:

  • Source NAS “srcnas” is on-prem; it will run the backup task
  • Destination NAS “dstnas” is offsite, connected via a 4G modem

Synology offers various options for replicating data. In my situation, a one-way sync is sufficient. This is called “Shared Folder Sync”.

Preparation

Install Tailscale VPN

With Tailscale you don’t need to set up port forwarding - which is especially nice because the destination NAS is behind a 4G router and does not have a static IP address.

On both Synology NAS devices, open Package Center and install Tailscale (found under Contributor packages). Add them to your Tailnet.

Note that DSM7 security settings prevent Tailscale from initiating outbound connections.

Prepare the source NAS

Because the source NAS runs the “Shared Folder Sync” task, we need to enable outbound connections on that NAS.

On the source NAS, under Control Panel -> Task Scheduler, create a triggered task (Boot-up) that runs the following command as the root user (all on a single line):

/var/packages/Tailscale/target/bin/tailscale configure-host; synosystemctl restart pkgctl-Tailscale.service

Now, either reboot the NAS or run the same command from an SSH prompt:

user@srcnas:~$ sudo /var/packages/Tailscale/target/bin/tailscale configure-host
user@srcnas:~$ sudo synosystemctl restart pkgctl-Tailscale.service

The source NAS should now be able to reach the destination NAS over Tailscale.

Prepare the destination NAS

On the destination Synology NAS:

  • Under Control Panel -> File Services -> rsync, switch “Enable rsync service” on.
  • Under Control Panel -> User & Group, create a dedicated user account - for example “srcnas-rsync”
    • Set a very long and secure random password that never expires
    • Add the user to the Administrators group or Shared Folder Sync won’t work
    • Disable all application access; only enable rsync
    • Note: “srcnas” will use this account to run “rsync” - hence the user name
  • Under Control Panel -> Shared Folder, create an encrypted shared folder as the destination folder

Configure ‘Shared Folder Sync’

On the source NAS, under Control Panel -> File Services -> Advanced, scroll to Shared Folder Sync and choose Task List -> Create.

  • On the “Source” tab, select the Source folder(s)
  • On the “Destination” tab,
    • Enter the hostname or IP address of the destination NAS (for Tailscale, I used the 100.x.y.z IP address)
    • Enter username and password for the “srcnas-rsync” user you created on “dstnas”
    • Enable the “Enable SSH transfer encryption” and “Enable transfer compression” options (SSH encryption inside Tailscale, I know)
    • Test the connection
  • Finally, on the “Schedule” tab, configure the sync schedule to your needs

That is all - the initial sync may take some time, but subsequent syncs should be quite fast as they only transfer files that have changed.
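A pre-flight check for the address entered on the “Destination” tab, as an added example that is not part of the original post: it confirms the address lies in 100.64.0.0/10 (the range Tailscale assigns node addresses from) and that the peer is listed and not offline, so the sync does not silently use a non-tailnet route. The function names, the sample addresses and the assumed column layout of `tailscale status` are illustrative assumptions; the binary path is the one used above.

```shell
#!/bin/sh
# Added example: pre-flight check for the Shared Folder Sync destination.
TAILSCALE=/var/packages/Tailscale/target/bin/tailscale   # path used in the post

# Constructed sample of `tailscale status` text (assumed layout: address,
# hostname, user, OS, state). Used for offline testing only.
SAMPLE_STATUS='100.101.102.103  srcnas  user@  linux  -
100.104.105.106  dstnas  user@  linux  idle, tx 1234 rx 5678
100.99.98.97     oldnas  user@  linux  offline'

# Return 0 if $1 is a dotted quad inside 100.64.0.0/10, the range Tailscale
# assigns node addresses from (100.64.0.0 to 100.127.255.255).
is_tailnet_ip() {
    case "$1" in
        ""|*[!0-9.]*|*..*|.*|*.) return 1 ;;   # digits and single dots only
    esac
    old_ifs=$IFS; IFS=.
    set -- $1
    IFS=$old_ifs
    [ "$#" -eq 4 ] || return 1
    for octet in "$@"; do
        case "$octet" in 0?*|????*) return 1 ;; esac   # no leading zeros, max 3 digits
        [ "$octet" -le 255 ] || return 1
    done
    [ "$1" -eq 100 ] && [ "$2" -ge 64 ] && [ "$2" -le 127 ]
}

# Read `tailscale status` text on stdin; return 0 only if the peer whose first
# column equals $1 is listed and its line does not say "offline" (fails closed).
peer_online() {
    awk -v ip="$1" '$1 == ip { seen = 1; if ($0 ~ /offline/) off = 1 }
                    END { exit !(seen && !off) }'
}

# Full check against the live tailnet; prints the reason on failure.
preflight() {
    is_tailnet_ip "$1" || { echo "FAIL: $1 is not in 100.64.0.0/10" >&2; return 1; }
    "$TAILSCALE" status | peer_online "$1" ||
        { echo "FAIL: $1 is not an online tailnet peer" >&2; return 1; }
    echo "OK: $1 is an online tailnet peer"
}

# Run only when an address is given, e.g.: sh preflight.sh 100.104.105.106
if [ "$#" -gt 0 ]; then preflight "$1"; fi
```

Run it on the source NAS with the destination's 100.x.y.z address before creating the task; a non-zero exit status means the destination should not be used as entered.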

Notes

  • All this could probably be implemented using standard WireGuard; I went with Tailscale for convenience and quick implementation.
  • You need to trust Tailscale - they are quite transparent about Tailscale security.
  • Definitely consider using the Tailnet lock feature to add an additional security control.
  • Check out Headscale for a self-hosted alternative to Tailscale.
