Securing Syncthing with Tailscale certificates

Leveraging Tailscale Certificates for Syncthing

The Synology version

Syncthing is an excellent tool and is installed on all of my Synology units. For quite a while, I have had my Syncthings behind a Caddy, facing the Internet, with IP-based filtering to block anyone but me from accessing them.

Since I have been using Tailscale for years and have the certificates on my Synology units to make them accessible everywhere, I thought it should be possible to leverage those certificates for Syncthing as well. And it is.

This guide is probably usable for anyone using similar technology but, for Syncthing on Synology with Tailscale, here’s how to do it.

Since Synology runs a slightly stripped-down Linux, I decided to avoid symlinks from the Tailscale certs to the Syncthing data folder; simply put, it’s a copy process with ownership adjustments and a restart.

The Tailscale certificates are produced and stored in a subfolder of (the name of the active subfolder is recorded in the DEFAULT file in that directory):

/usr/syno/etc/certificate/_archive/*something*

and the Syncthing HTTPS certificates, created on install, are stored in:

/volume1/@appdata/syncthing

Make a backup of your Syncthing certificates before proceeding (it’s only sensible!):

sudo su -
cd /volume1/@appdata/syncthing
cp https-cert.pem https-cert.pem.org
cp https-key.pem https-key.pem.org

After that sensible move, use a script running as root periodically (I chose weekly) to pull the Tailscale Let’s Encrypt certificates down when needed and copy them into the Syncthing environment.

Add the following code to your scheduled tasks in DSM (once you have verified that your directory structure is fundamentally the same):

#!/bin/sh

# Refresh Tailscale HTTPS certificates for Synology (must run as root)
tailscale configure synology-cert

# Determine the active certificate archive folder
ARCHIVE_DIR=$(cat /usr/syno/etc/certificate/_archive/DEFAULT)
SRC="/usr/syno/etc/certificate/_archive/${ARCHIVE_DIR}"
DST="/volume1/@appdata/syncthing"

# Copy Tailscale cert and private key to Syncthing HTTPS cert files
cp "$SRC/cert.pem" "$DST/https-cert.pem"
cp "$SRC/privkey.pem" "$DST/https-key.pem"

# Set ownership to Syncthing user and group (adjust as needed)
chown sc-syncthing:synocommunity "$DST/https-cert.pem" "$DST/https-key.pem"

# Set secure permissions
chmod 440 "$DST/https-cert.pem" "$DST/https-key.pem"

# Restart Syncthing service to apply new certificates
/usr/syno/bin/synopkg restart syncthing

The script then pulls the Tailscale certificates, which keeps them up-to-date for the unit itself, copies the files into the Syncthing folder, fixes ownership and permissions, and restarts Syncthing so that it can leverage them too.
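As an added example (not part of the original post), here is a small post-deployment check you can run after the scheduled task: it confirms that the copies in the Syncthing folder are identical to the Tailscale originals, that the certificate and private key belong together, that the certificate is not about to expire (a sign the weekly task stopped working), and that the key is not world-readable. It assumes the same paths as the post and that openssl is on the PATH.

```shell
#!/bin/sh
# Post-deployment check for the Tailscale -> Syncthing certificate copy (added example).
# Paths are the ones from the post; SRC resolves the active archive folder via DEFAULT.
SRC="/usr/syno/etc/certificate/_archive/$(cat /usr/syno/etc/certificate/_archive/DEFAULT 2>/dev/null)"
DST="/volume1/@appdata/syncthing"

# 0 when the certificate's public key equals the public half of the private key.
cert_key_match() {
    cert_pub=$(openssl x509 -in "$1" -noout -pubkey 2>/dev/null) || return 1
    key_pub=$(openssl pkey -in "$2" -pubout 2>/dev/null) || return 1
    [ -n "$cert_pub" ] && [ "$cert_pub" = "$key_pub" ]
}

# 0 when the certificate stays valid for at least $2 more days (openssl -checkend).
cert_valid_for_days() {
    openssl x509 -in "$1" -noout -checkend $(( $2 * 86400 )) >/dev/null 2>&1
}

# 0 when "other" has no rights on the file (what the chmod 440 in the post guarantees).
key_not_world_readable() {
    other=$(ls -ld "$1" 2>/dev/null | cut -c8-10) || return 1
    [ "$other" = "---" ]
}

# Run all checks against the live paths; one line per result, non-zero if any fail.
verify_deployment() {
    rc=0
    for name in cert privkey; do
        case $name in cert) dst="$DST/https-cert.pem" ;; *) dst="$DST/https-key.pem" ;; esac
        if cmp -s "$SRC/$name.pem" "$dst"; then echo "ok: $dst matches $name.pem"
        else echo "FAIL: $dst differs from $SRC/$name.pem"; rc=1; fi
    done
    cert_key_match "$DST/https-cert.pem" "$DST/https-key.pem" \
        && echo "ok: certificate and key belong together" \
        || { echo "FAIL: https-cert.pem does not match https-key.pem"; rc=1; }
    cert_valid_for_days "$DST/https-cert.pem" 14 \
        && echo "ok: certificate valid for more than 14 days" \
        || { echo "FAIL: certificate expires within 14 days (did the weekly task run?)"; rc=1; }
    key_not_world_readable "$DST/https-key.pem" \
        && echo "ok: private key not world-readable" \
        || { echo "FAIL: https-key.pem is readable by others"; rc=1; }
    return $rc
}

# Only run when invoked as: sh check-syncthing-cert.sh check
if [ "${1:-}" = "check" ]; then verify_deployment; fi
```

Run it as root after the scheduled task, or add it as a second DSM task so a failed copy shows up in the task log instead of as a browser warning weeks later.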

Gone are all browser warnings and you can connect from anywhere using your Tailnet.