You want some privacy on the internet highway for the outbound connections of your NAS. The reasons can be varied. Some just want some privacy.
Some want to download the movies and series they cannot get legally. Some want to test stuff with different IP addresses. Lots of reasons out there.
This article explains how you can make this happen on a Synology NAS and the reason why this solution was chosen over other possible solutions…
Be warned! This is a very technical article and not for the faint of heart :-)
- anonymising vpn (e.g. purevpn, hidemyass, IPVanish, etc)
- anonymising proxy
- other… but in this article I will concentrate on the two mentioned
The problem with most VPNs these days is that services like Netflix actively block anonymising VPNs.
So if you set up your router for maximum internet freedom you cannot watch Netflix anymore.
Well if you want total anonymity you might have to forgo services like Netflix, but I’m not like that.
I don’t mind that Netflix knows it’s me :-) but I do like my privacy and hate all the trackers around these days.
As I’m of the opinion that internet freedom is a base right, I want to have the option to have it.
You can set up your separate devices with the VPN software and only run your machine in the secure mode when wanted,
but not all devices provide the option of running VPN software (think of Apple TV or Smart TVs or older devices).
If you use a Synology NAS you can set up the NAS with VPN credentials quite easily, but again the problem is that all traffic
then goes over the VPN and the NAS becomes difficult to access from outside. So if you run a website on the NAS and have
the VPN active it will not be accessible.
Well my solution is multifold… On my personal computer I install the VPN software and run in freedom mode when I want, but
on my Synology NAS I want the incoming connections to be normal but my outgoing connections to be private.
For this reason I wanted to set up a proxy server with a VPN behind it. If the proxy is used to connect to the internet it
will in effect go to “the other side” through the VPN and become anonymous.
I’ve tried the solution to add a vpn to my router and let all internet traffic be anonymous but as I said some essential services
refused to work anymore. So I disabled that again.
So the solution I’m going to work out in this article is creating a docker image with OpenVPN on it and a squid
proxy and running that on my Synology NAS. This way I can point stuff to that proxy and have freedom.
This article describes the process I went through…
- Base image with OpenVPN client installed and working ivonet/openvpn
- Squid proxy image based on the ivonet/openvpn image
- PureVPN image based on the ivonet/openvpn-proxy image (my current vpn provider) or maybe even more generic and enable more providers (not sure yet)
- other optimizations:
  - easy config
  - rotate IPs by switching at interval (at least at every startup)
  - (possibly more…)
After some research and stubbornness I came up with the following Dockerfile:
This image defines an Ubuntu image with openvpn installed on it and with an entrypoint script defined.
This script will run any command provided ("$@") at the beginning of the script and then start the openvpn connection defined
on the commandline. It will check if the IP address has changed. If not it will end up in an endless loop (room for improvement here).
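One way to address the endless loop mentioned above, as an added example that is not the ivonet/openvpn entrypoint itself: poll the public IP a bounded number of times and fail if it never changes, so the container stops instead of hanging or serving traffic over the unprotected address. The function name and the IP_CMD variable are hypothetical; the lookup defaults to the ipecho.net/plain service used later in this article.

```shell
#!/bin/sh
# Added example: bounded "did my public IP change?" check for a VPN entrypoint.
# IP_CMD is an assumption: any command that prints the current public IP.
IP_CMD="${IP_CMD:-curl -fsS --max-time 10 ipecho.net/plain}"

# wait_for_ip_change ORIGINAL_IP [ATTEMPTS] [DELAY_SECONDS]
# Prints the new IP and returns 0 once the public IP differs from ORIGINAL_IP.
# Returns 1 after ATTEMPTS polls, so the caller can exit (and let Docker's
# restart policy retry) instead of looping forever.
wait_for_ip_change() {
    original="$1"; attempts="${2:-30}"; delay="${3:-2}"
    i=0
    while [ "$i" -lt "$attempts" ]; do
        # A failed lookup (tunnel still negotiating) counts as "not changed yet".
        current="$($IP_CMD 2>/dev/null || true)"
        if [ -n "$current" ] && [ "$current" != "$original" ]; then
            printf '%s\n' "$current"
            return 0
        fi
        i=$((i + 1))
        sleep "$delay"
    done
    return 1
}

# Intended use in an entrypoint: record the IP before the VPN client starts,
# start the client in the background, then:
#   wait_for_ip_change "$before" 30 2 || { echo "VPN not up" >&2; exit 1; }
```

Start the proxy only after this check succeeds, so nothing is proxied before the tunnel is up.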
If you want to run this image you need to provide a location with your *.ovpn files and a credentials location. If these are not
provided it will not work. As this image is meant as a base for further development I will not go into it but continue on to the proxy.
So now it is time to extend the ivonet/openvpn docker image with proxy software. I chose squid as the proxy.
This image extends the ivonet/openvpn image with squid and configures it. See here for the squid config files, because they are not relevant for this article.
The sed -i 's~\"\$@~service squid start\n\"\$@~g' /entrypoint.sh command in the Dockerfile replaces the "$@ in the entrypoint.sh file of the base image and adds service squid start to it.
This is probably not the cleanest way to do it but this article is not about that ;-)
So now we have a squid proxy with openvpn running in the image. Cool! Now we need to get it to work properly.
At this point we have an image that has all the ingredients we need. Not necessarily the easiest to work with but all we need.
Here is how to get it to work:
Create a file called openvpn-credentials.txt with your credentials in it like so:
During all this I assume you have a VPN provider like IPVanish, purevpn, hidemyass or so… If not get one…
Create a directory (config) containing the *.ovpn and key files you can download from your vpn provider’s website
(often a zip with all you need)
Execute the following command in the folder containing the openvpn-credentials.txt file and the
NOTE: Change options where needed. e.g. Switzerland-tcp.ovpn to a file that exists in your config folder…
If all goes well you get logging sorta like this:
Now on my local machine (macbook pro) this worked fine but when I tried this on my Synology I was disappointed because I got
the following error:
Don’t worry I fixed it but that is for later…
Warnings are to be fixed if possible…
If you get these warnings you have probably not followed this manual carefully enough :-) or I made a mistake.
Just leave a comment.
I currently use purevpn as my vpn provider and I wanted to have an easier startup…
If you have another provider and also want the ease of use, just make your own image based on the ivonet/openvpn-proxy image
and provide your provider download zip in the wget command. It should be easy to adjust the Dockerfile below to suit your
This image just extends the ivonet/openvpn-proxy image and installs the purevpn openvpn setting in the image.
When started the installed files are copied to the /config folder so that the parent image can find them. Now you can leave out
So you still need the openvpn-credentials.txt file but the config folder is gone…
So now I really have the ingredients I need to get it to my NAS. So here it goes…
Of course you need a Synology that has docker installed.
As you can see in the above provided command it is not possible to start this image through the graphical interface (DSM). Some
options are just not provided by the GUI, but that does not mean that docker is not capable of these options.
You just need to ssh into your nas and perform the command yourself. If you do not know how to ssh into your nas you need
to google it because this article will not tell you.
First find the docker volume on your nas and create a new folder on it called something like vpn-proxy and create
the openvpn-credentials.txt file here as described above.
Now ssh to the nas and go to the vpn-proxy folder (e.g. cd /volume1/docker/vpn-proxy) and execute the following command:
This should start the command in daemon mode with the restart always flag on and it should now be accessible on
You can check if you have errors during startup by executing the following command while the image is running:
You might not get feedback on errors because the image can get in an endless loop if you do not get a new anonymous IP Address.
When I tried all this I got the following message (only on my Nas):
In order to fix this you have to create the device and load the tun module.
You can do this through the commandline (ssh) on your Synology NAS with root rights (sudo).
If you want to be sure that it is done every time the nas reboots place the following file in /usr/local/etc/rc.d/ folder of your
Now it should all work.
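The fix described above (create the device, load the tun module, repeat at every boot) written out as a start/stop script, as an added example that is not the file from the original article. The device path /dev/net/tun and the module path /lib/modules/tun.ko are assumptions about a typical DSM install, and the DRY_RUN switch is a hypothetical helper to preview the commands without root.

```shell
#!/bin/sh
# Added example: boot script that makes the TUN device available for the container.
# TUN_DEV and TUN_MODULE are assumptions; adjust them to your DSM version.
TUN_DEV="${TUN_DEV:-/dev/net/tun}"
TUN_MODULE="${TUN_MODULE:-/lib/modules/tun.ko}"
DRY_RUN="${DRY_RUN:-0}"

# Run a command, or only print it when DRY_RUN=1 (preview as a normal user).
run() {
    if [ "$DRY_RUN" = "1" ]; then printf '%s\n' "$*"; else "$@"; fi
}

ensure_tun() {
    # Create the character device (major 10, minor 200) only if it is missing.
    if [ ! -c "$TUN_DEV" ]; then
        run mkdir -p "$(dirname "$TUN_DEV")"
        run mknod "$TUN_DEV" c 10 200
        # Owner-only access: whoever can open it can create network interfaces.
        run chmod 600 "$TUN_DEV"
    fi
    # Load the tun kernel module unless it is already loaded.
    if ! grep -q '^tun ' /proc/modules 2>/dev/null; then
        run insmod "$TUN_MODULE"
    fi
}

case "${1:-}" in
    start) ensure_tun ;;
    stop)  : ;;   # nothing to undo; the device is harmless when unused
esac
```

Run it once with DRY_RUN=1 and the start argument to see what it would change, then make it executable and owned by root so only root can edit what runs at boot.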
Now if you have your proxy image running on your nas and know that all logging is as it should be
you should be able to test it by going to the DSM control panel and activating the proxy settings in
Now in the ssh console type:
The IP Address returned should be different than when you type ipecho.net/plain in your own browser on your local machine.
Comments / tweets / improvements always very welcome :-)