Tailscale for remote connection to the NAS

Hello.

I want to share my recent experience installing Tailscale to connect to my home NAS remotely. I used OpenVPN for a couple of years to avoid using QNAP MyCloud Link. The OpenVPN server was my QNAP NAS, and I configured Qfirewall to accept the connection. I set up port forwarding on my home router/modem. I recently lost my router configuration and had to set up port forwarding again. Then I noticed that the router was giving a lot of warnings as soon as I activated it. I had seen those warnings before, but I didn’t know that they were caused by port forwarding.

I did some research and realized that port forwarding wasn’t a good idea from the beginning. Then I found Tailscale, which promised super easy and secure connections. If you go to the website, you’ll see this explanation: “A Zero Trust identity-based connectivity platform that replaces your old VPN, SASE, and PAM and connects remote teams, multi-cloud environments, CI/CD pipelines, Edge & IoT devices, and AI workloads.” 😒🤷‍♂️ I just have a NAS to store my photos, I don’t understand any of this.

This tool can do many things, but its main function is to create a secure network connection with multiple devices. This allows you to do a lot of things with those devices. There are no servers or clients; there are only peers. You can start using it with one device. It requires authentication, and they decided to use external authentication, so you have to log in with an external account (Google, GitHub, Microsoft, Apple).

This page, “Access QNAP NAS from anywhere · Tailscale Docs”, says that it works with ARM 64 processors, and my QNAP TS-216G has an ARM processor. If you can’t find the app in the app center (like me), it can be downloaded at this link: https://pkgs.tailscale.com/stable/#qpkgs. There are several versions: arm-x19, arm-x31, arm-x41, arm-64, x86, x86_64, and x86_ce53xx. I’m not sure what the difference is. I just know my NAS has an ARM processor. I did a lot of research, but I couldn’t find any information about which one to use. I installed the arm_64 file manually on my NAS, and it worked.

When you open the app you’ll find a big button that opens the tailscale sign-up page on the internet. You’ll need to authenticate with one of the providers there. The email address you choose at this moment will be somehow the name of the network and the user who owns it. After this step, the qnap is connected to the network and has a particular ip address that starts with 100. You can add more devices to the network using the same email address (user). Each device will have its own ip address. I think that eventually you can add more users (email addresses) to the network that can add more devices.

I installed tailscale in my android phone and used the same email address to sign in. Now both devices are connected in their own shared tailscale network. This allows them to reach each other using their respective tailscale ip addresses, even if they are on different networks. Each device now has two ip addresses, the ip address of their conventional network and one tailscale ip address. I didn’t change any settings on the router, but now the NAS is accessible from an Android phone outside the local network.

It’s easy to set up any tailscale device to open a route to other IP addresses in their conventional network. For example, the NAS (which is connected with tailscale) can open a route to the printer in the home network. So now my android phone in a hotel can reach the printer at home using its home ip address. I wouldn’t need the NAS to open a route if I could install Tailscale in the printer. This is useful for devices that can’t run Tailscale.

On qfile in my phone I’ve set up the local ip address of the nas, so at home it connects directly to the nas. When I used openvpn, I started the VPN which let me connect to the nas because I was virtually on the local network. But when I connect with tailscale, my phone at the hotel sees the tailscale ip address of my nas, not the local ip address. One option to reach the nas with qfile is to change the ip address in the qfile app to the tailscale ip address. But when I get home I need to change it back to the local address. Not ideal, because qfile is meant to write the ip address one time and forget about it.

Another solution I’m testing involves opening a route to the nas itself. This way qfile can reach the nas again using the usual local ip address. I don’t think this makes much sense but it works. Another option is to use a local hostname instead of an ip address. This method works locally but my home network has a subnet that doesn’t play well with hostnames. So I haven’t investigated further.

So far, I can confirm that tailscale works to establish a remote connection with my NAS. However, I don’t know how fast or reliable it is during long sessions. And now that I know more about it, I would say it is easy to set up. I think this is a very good alternative to the VPNs.

Best option is always setting up the VPN endpoint at the router, not at the NAS.

Regards

See also this post.

1 Like

Basically what you are doing with TailScale is the same thing that you end up doing with QNAP and their MyQNAPCloud.com portal. You are using TailScale as a proxy to your NAS.

TailScale might be faster as the MyQNAPCloud portal has to go through the QNAP servers in Taiwan. But it does work quite nicely with no setup needed at all.

Agreed though that setting up a VPN at your router is really the best way to do things.

TailScale might be faster as the MyQNAPCloud portal has to go through the QNAP servers in Taiwan.

“Tailscale establishes a direct, encrypted connection between your devices using the WireGuard protocol. In this scenario, your data travels over the public internet directly from one device to the other without passing through any Tailscale-owned servers.”

Perfect! I wasn’t sure if Tailscale went through their servers. Yeah much faster…

Thank you very much for your valuable sharing! Your experience and feedback are extremely helpful to us and other users in the community. Thank you again for your support of our product!

Thanks for all your comments. My humble home router/modem isn’t capable of running a VPN by itself, but tailscale is working great so far. 😁

1 Like

Thank you for this great writeup. I have been using Tailscale for almost a year and have been very, very happy with it. I’m using it for some different things so thought I’d share what those are and my experience overall.

Since it’s been a while, I can’t remember exactly what I did before. However, I think I used myQNAPcloud to connect to my home network, opened the VPN ports on my router and QVPN Server running on my QNAP TS-464. While this worked, as a result, multiple times per day, I would get attempted logins to the admin account. I had of course disabled it, but it was concerning nonetheless.

My usage was twofold. I wanted to be able to get to the data on my NAS when I was traveling, but more importantly, I live in the US and have an apartment in Europe (Slovakia), and wanted to be able to route my Apple TV through my US residence so that I could watch Netflix, Prime Video, etc. When you access any of those streaming services from abroad, you are GREATLY limited in what you have access to, and using a standard VPN has not worked for me as most services detect and block those.

Overall, the QNAP VPN solution worked ok, but was not the most reliable, and so that, combined with frustration about the hacking attempts, led me to look for alternatives and it was then that I discovered Tailscale. Boy, am I glad I did.

With Tailscale, as the original poster noted, it’s not a client server architecture, but a network of peers. And each peer runs the Tailscale software that connects to that network. One of the benefits was that I could close the VPN port on my router. It’s not needed to connect to my network.

Additionally, you can designate one or more nodes as an “Exit node” so that when you connect to the network, you select an exit node to use and then all non-local traffic is routed through that node. So I installed the Tailscale app on my Apple TV and it is always connected to my network and configured to use my QNAP as its exit node. As a result, all streaming services just work. Also, I can connect via my Mac, iPhone or iPad while traveling and stream on those too.

I recently had a situation where I had to access a Slovak government website and was unable to do so. It’s blocked outside of Slovakia and they block access from VPN as well. However, what I can do is designate my Apple TV as an exit node and then from the US connect to my Tailscale network and designate my Apple TV as the exit node!

Finally, one of the other things you can do is set up subnets so that you can access resources on the network that do not run Tailscale software. So, for example, I can access my home router or other device via my QNAP or my Apple TV.

In summary, I’ve been really happy that I discovered Tailscale. I’m on the free plan which is limited to 3 users (not devices), but it’s been enough for me and my wife to have our MacBooks, iPhones, iPads and the one Apple TV and to be able to stream from wherever. Highly recommended!

Thank you for that great information about Tailscale. This sounds really fascinating especially since you can designate the exit nodes, etc. That is really cool!

1 Like

In thinking back, I think I found it because I was searching on “how to watch videos while traveling”. It’s a great use case. But equally important was not having to open up a port on my router and being bombarded with hacking attempts.

Oh, and it’s really easy to try. Just install it on your QNAP and devices. It’s free. And you can do it while also leaving your other VPN configs set up. That’s what I did. When I was satisfied it worked, I then removed the others.
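A check that follows from the posts above, added here as an example and not part of any post: Tailscale IPv4 addresses come from 100.64.0.0/10 (the addresses that "start with 100"), so once the router port is closed, NAS login events should originate only from the tailnet or the LAN. The log format, sample lines and function names below are constructed for illustration and are not QNAP's actual log format.

```python
import ipaddress
import re
from collections import Counter

# Tailscale hands out IPv4 addresses from the CGNAT block 100.64.0.0/10.
TAILNET = ipaddress.ip_network("100.64.0.0/10")
LAN_RANGES = [ipaddress.ip_network(n) for n in
              ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
# Constructed log format (assumption): <timestamp> login <ok|failed> user=<name> src=<ip>
LINE_RE = re.compile(r"^(\S+) login (ok|failed) user=(\S+) src=(\S+)$")

# Constructed sample input; public addresses are documentation ranges.
SAMPLE_LOG = """\
2025-01-10T08:01:12 login ok user=maria src=192.168.1.23
2025-01-10T09:14:40 login failed user=admin src=203.0.113.57
2025-01-10T09:14:44 login failed user=admin src=203.0.113.57
2025-01-10T12:30:05 login ok user=maria src=100.101.102.103
2025-01-10T13:02:51 login failed user=root src=198.51.100.9
not a log line
"""

def classify(src):
    """Return 'tailnet', 'lan' or 'public' for a source address."""
    ip = ipaddress.ip_address(src)
    if ip in TAILNET:
        return "tailnet"
    if any(ip in net for net in LAN_RANGES):
        return "lan"
    return "public"

def summarize(log_text):
    """Count login events per origin and list failed logins from public IPs."""
    origins, exposed = Counter(), []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # line does not match the constructed format
        ts, result, user, src = m.groups()
        try:
            origin = classify(src)
        except ValueError:
            continue  # src was not a valid IP address
        origins[origin] += 1
        if origin == "public" and result == "failed":
            exposed.append((ts, user, src))
    return origins, exposed

if __name__ == "__main__":
    print(summarize(SAMPLE_LOG))
```

Any entry in the second returned list means the NAS is still reachable from the internet, for example through a leftover port-forwarding rule on the router.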