Exposing SSH directly to the internet is risky. Even with a strong password or key-based auth, brute force attacks are constant. In this guide, I’ll show you how to restrict SSH on your Synology NAS so it’s only accessible via Tailscale — keeping port 22 closed to the public internet.
🧰 What You’ll Need
- A Synology NAS running DSM 7+ (or DSM 6)
- Tailscale installed on your Synology NAS
- Admin access to Synology (for firewall configuration)
- Another device with Tailscale to test the connection
⚙️ Step 1: Install Tailscale on Synology
- Open Package Center on your Synology NAS
- Search for Tailscale
- Install the Tailscale app
- Log in with your Tailscale account (or create a free one)
Once connected, your Synology NAS is now part of your tailnet and has a Tailscale IP address (typically in the 100.64.0.0/10 range).
⚙️ Step 2: Schedule Auto-Updates and Boot Recovery
Create two tasks to keep Tailscale running smoothly.
Task 1: Daily Update Check
- Go to Control Panel → Task Scheduler
- Click Create → Scheduled Task → User-defined script
- Configure:
| Setting | Value |
|---|---|
| Task Name | Tailscale Update |
| User | root |
| Schedule | Daily, at a time of your choice |
- In Task Settings, paste:
```bash
/var/packages/Tailscale/target/bin/tailscale update --yes
```
- Click OK
Task 2: Boot Recovery
This ensures Tailscale restarts properly after your NAS reboots.
- Go to Control Panel → Task Scheduler
- Click Create → Triggered Task → User-defined script
- Configure:
| Setting | Value |
|---|---|
| Task Name | Tailscale Boot |
| User | root |
| Event | Boot-up |
- In Task Settings, paste:
```bash
/var/packages/Tailscale/target/bin/tailscale configure-host
synosystemctl restart pkgctl-Tailscale.service
/var/packages/Tailscale/target/bin/tailscale up --reset
```
- Click OK
⚙️ Step 3: Configure Synology Firewall
Now the key step — restrict SSH to only accept connections from Tailscale.
- Go to Control Panel → Security → Firewall
- Click Edit Firewall Rules
- Click Create → Allow/Block by IP
Rule Configuration
| Setting | Value |
|---|---|
| Port | SSH (22) |
| Action | Allow |
| Source IP | Specific IP ranges |
| IP Range | 100.64.0.0/10 |
- Click OK
- Important: Ensure this rule is positioned above any “block all” rules.
What This Does
- SSH port 22 will only accept connections from your Tailscale network
- All other sources (LAN, WAN) are blocked, as long as a “block all” rule sits below this allow rule
- You can still SSH into your NAS from anywhere via Tailscale
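Why the rule position matters, as an added example that is not part of the original guide: a simplified first-match model of the firewall table from Step 3, run against constructed source addresses. The rule dictionaries, `evaluate`, `audit` and the default action for unmatched traffic are assumptions for illustration, not Synology's implementation.

```python
import ipaddress

# Simplified model (assumption): rules are checked top to bottom, first match wins.
TAILNET = ipaddress.ip_network("100.64.0.0/10")
ANY = ipaddress.ip_network("0.0.0.0/0")

ALLOW_TAILSCALE = {"port": 22, "source": TAILNET, "action": "allow"}
BLOCK_ALL = {"port": None, "source": ANY, "action": "deny"}  # None = every port

def evaluate(rules, src_ip, port, default="allow"):
    """Return the action of the first matching rule, else the default action."""
    src = ipaddress.ip_address(src_ip)
    for rule in rules:
        if rule["port"] in (None, port) and src in rule["source"]:
            return rule["action"]
    return default  # assumed behaviour when no rule matches

def audit(rules, default="allow"):
    """SSH outcome for representative sources (all addresses are constructed)."""
    samples = {
        "tailnet peer": "100.101.102.103",
        "LAN host": "192.168.1.50",
        "internet host": "203.0.113.7",
        "just outside /10": "100.128.0.1",
    }
    return {name: evaluate(rules, ip, 22, default) for name, ip in samples.items()}

CORRECT = [ALLOW_TAILSCALE, BLOCK_ALL]     # allow rule above "block all"
MISORDERED = [BLOCK_ALL, ALLOW_TAILSCALE]  # "block all" shadows the allow rule
ALLOW_ONLY = [ALLOW_TAILSCALE]             # no deny rule at all

if __name__ == "__main__":
    for label, rules in [("correct", CORRECT),
                         ("misordered", MISORDERED),
                         ("allow only", ALLOW_ONLY)]:
        print(f"{label:11} {audit(rules)}")
```

In this model the misordered table denies tailnet peers too, and the allow-only table leaves SSH open to every source whenever unmatched traffic is allowed.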
⚙️ Step 4: Test the Lockdown
- Disconnect Tailscale from your test device
- Try to SSH to your Synology’s LAN IP — should fail or time out
- Connect Tailscale on your test device
- SSH to your Synology’s Tailscale IP — should succeed
Your Synology NAS IP on Tailscale is shown in the Tailscale admin panel (usually something like 100.x.x.x).
🔐 Why This Matters
- No exposed ports: Port 22 is never open to the internet
- Zero Trust: Only devices authenticated in your tailnet can SSH
- No brute force attacks: Attackers can’t even reach your SSH port
- Still accessible: You can SSH from anywhere via Tailscale
✅ Wrap Up
Your Synology SSH is now locked down to Tailscale only. This is a huge security improvement — your NAS is invisible to the internet, but still accessible from your devices.
For more security hardening, consider:
- Disabling root login
- Using key-based authentication only
- Changing the default SSH port