synology logo with red arrow pointing down to another Synology logo. Tailscale logo on top of red arrow and rscync next to the arrow

Synology Offsite Backup Using rsync Over Tailscale

synology logo with red arrow pointing down to another Synology logo. Tailscale logo on top of red arrow and rscync next to the arrow

Back in November I wrote an article entitled The Great Synology Migration of 2022. It was the story of how I’d bought a second Synology to replace the finally end-of-life Drobo 5N2. In the article, I explained how I used the tried and true rsync protocol to create a backup of each Shared Folder from my primary Synology to my backup Synology.

One of the things I could never do before with a Synology backing up to a Drobo was have the Drobo off-site; they had to both be on my home network. But remember me telling you about the magical technology Tailscale? That’s the tool that allows me to put multiple devices (including my Synologys) onto a virtual private network, while also living on the local network. This means that (in theory) I should be able to move the backup Synology to my buddy Ron’s house and continue to run rsync to do the backups.

Or so I thought. The reason I haven’t told you how I accomplished this right after setting up Tailscale was that I couldn’t get it to work, until now.

For a quick review, in the Synology Disk Station Manager (DSM) operating system includes rsync. It’s pretty simple and straightforward. In Control Panel / File Services there’s a tab for rsync. You enable rsync on the destination Synology first. Then on the source Synology you create the rsync tasks, which for me was one for each Shared Folder, I wanted to sync.

For each sync task, you need to point to the destination Synology by IP address. The problem was that if I typed in the Tailscale IP of the remote Synology, I’d get an error when I tried to test the connection. The field kept reverting back to the local IP address, and it’s not on my local network anymore.

Rsync Task Pointing to Tailscale IP of Destination Synology
rsync Task List That Refused Tailscale IP Address

I verified that both Synologys were on Tailscale, and I could access the remote Synology via that Tailscale IP address, but I simply could not convince rsync that it was a reachable IP address.

I reached out to Dave Hamilton, who taught me about Tailscale in the first place through the Mac Geek Gab. I used his awesome Discord community to post my question. He offered a few ideas but nothing panned out. I searched the interwebs until I nearly wore my little fingers down to nubs.

Then I posted the question on Twitter and on Mastodon. I didn’t get any traction on Twitter but Shannon Kay (@[email protected]) suggested the Synology subreddit. It was a great idea because I found several people asking fairly similar questions, but sadly they didn’t find the answer either.

But Shannon’s idea prompted me to ask the question in two more places: the Synology forum and the Tailscale forum. I got an answer pretty quickly in the Synology Community from Arild Skaar that was 90% of the solution but I didn’t understand exactly how to implement the solution he suggested.

In the Tailscale forum, @Jonas108 started comparing settings with me because he did have it working. After a few times going back and forth, he hit on the problem. He sent me a link in the Tailscale documentation that explained exactly what was going on.

The support article is entitled Access Synology NAS from anywhere · Tailscale which is exactly what I needed.

The opening paragraph explains:

Synology DSM7 introduced tighter restrictions on what packages are allowed to do. If you’re running DSM6, Tailscale runs as root with full permissions and these steps are not required.

By default, Tailscale on Synology with DSM7 only allows inbound connections to your Synology device but outbound Tailscale access from other apps running on your Synology is not enabled.
The reason for this is that the Tailscale package does not have permission to create a TUN device.

In 8 extremely simple steps, the support article walks you through how to run a user-defined script that Tailscale gives you on installation, and it tells you how to make sure it’s run as root on every boot-up.

Synology Task Scheduler Showing User defined Script to Allow Outbound Connections
Synology Task Scheduler with Tailscale Script

As soon as I walked through these steps, when I pointed my rsync task at my remote Synology’s Tailscale IP, the test connection worked, and my rsync task worked without a hitch.

Rsync Task List Showing Success on All Tasks
rsync Task List Success!

Circling back to Arild from the Synology forum’s answer. He told me essentially the same thing that there was a permissions problem, and he pointed to the same script, but he runs these commands himself. He did even tell me I could do it through the same Task Scheduler that the Tailscale instructions provided, but I had no idea how to find the Task Scheduler in the Synology interface. Turns out it’s a Control Panel. I needed the spoon-feeding of the Tailscale instructions.

The one curiosity to me is that in all of my searching of the net, including the Tailscale documentation itself, I was never able to find these instructions myself.

In any case, the community came through for me from Mastodon to the Synology forums to the Tailscale forums, and I am thrilled that I finally have offsite backups running daily of my precious Synology data. And I thank Ron for his bandwidth.

2 thoughts on “Synology Offsite Backup Using rsync Over Tailscale

  1. MightyT - January 25, 2023

    OMG! So all this time, instead of using Hyper Backups destination, I should be using Rsync! I’ve spent months trying to solve this with an onsite Synology to offsite Synology Backup! It sounds like you are saying follow the Tailscale Synology directions, except setup Rsync on both devices and use the Task Scheduler to ensure persistent connectivity after boot up. Maybe I will give it a try, I was just about to throw in the towel! Thank you for posting this and to the others who helped gain a solution, though I wish Tailscale would have jumped on it a provided a resolution! I will give it a try an circle back! Thanks again, much appreciated!

  2. podfeet - March 9, 2023

    I wish I’d seen this comment months ago – I’m so happy it helped you! Technically the solution was in the Tailscale documentation (the explanation that a lockdown of security by Synology (which is a good thing) changed what you had to do.). I don’t understand why my HOURS of Googling didn’t find it in the documentation though.

    BTW thee’s nothing wrong with using Hyper Backup, I just didn’t want a scrambled blob of a backup, I wanted to be able to see the individual files on the remote device. Good luck!

Leave a Reply

Your email address will not be published. Required fields are marked *

Scroll to top