In this tutorial, I will show you how to install WireGuard using Docker Manager on your TerraMaster NAS. This tutorial works only on TOS6 > 6.0.420.
WireGuard® is an extremely simple yet fast and modern VPN that utilizes state-of-the-art cryptography. It aims to be faster, simpler, leaner, and more useful than IPsec, while avoiding the massive headache. It intends to be considerably more performant than OpenVPN.
The WireGuard kernel module is implemented only on TOS6, from version 6.0.420 onward. However, in the current version 6.0.436, the kernel module is not loaded automatically during NAS boot. In order to use our WireGuard app, we need to configure TOS to load the kernel module at startup. We'll achieve this by creating a task that runs during NAS shutdown and checks whether the module is present in the list of kernel modules to load during startup. The command to add is in the task scheduler file.
From TOS top menu click on Control Panel and then scroll to General Settings and click on Scheduled Tasks.
Now click on the + icon to create a new task.
Select the type as below and click on Next.
For the name, type for example Enable wireguard kernel module, and set the task to trigger during Shut Down. This way we are sure that the module is enabled to be loaded during the next startup.
Enable notification if you want to be notified when the task runs. In the Custom command script, add the command from the downloaded task scheduler file.
Click on Next
In the next window, click on Create button.
The task is now created and enabled.
Reboot your NAS now to load the WireGuard kernel module.
Once the NAS has rebooted and you are logged back in to TOS, you can check the Notification center to see if the task ran successfully.
Now we can proceed to install the wireguard container. Follow the steps below:
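Download the wireguard.yml file from above and save it locally on your computer.
If you already have the Docker Engine and Docker Manager apps installed, proceed to the next step.
If not, follow this guide to install them: How to install Docker Engine and Docker Manager.
If you already have the DockerYAML and DockerAppsData shared folders, proceed to the next step.
If not, follow this guide to create the folders: How to create DockerYAML and DockerAppsData shared folders.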
For TOS5 and TOS6, we are going to run these containers as the superuser account (the account that was created during initial NAS setup). For TOS4, we are going to run these containers as the root account.
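If you already know your username id and group id from a previous container deployment, proceed to the next step.
If not, for TOS6, the username id and group id for the superuser account should both be 0.
You can double-check this by running a command in the terminal. You can simply install the ttyd app and find your uid and gid following this guide: How to install and use ttyd app (share your terminal over web).
You can also use PuTTY or any other SSH client and type the id command. In this case, the SSH service must be running on your NAS.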
Find your current time zone on this website; for example, for Brussels it is:
TZ=Europe/Brussels
In order to protect the WireGuard WebUI with a password, the wireguard.yml should contain your hashed password variable. The hashed password included in the downloaded wireguard.yml is the hash value for the password terra.
In order to generate a hash value for your own password, make sure that the Docker Engine app is running, then connect to the terminal and run the command below (replace terra with your own password). To connect to the terminal, you can simply install ttyd using this guide: How to install and use ttyd app (share your terminal over web). You can also use PuTTY or any other SSH client, but in this case the SSH service must be running on your NAS (TOS ssh service or OkmSSHD).
user@TNAS:~# docker run ghcr.io/wg-easy/wg-easy wgpw terra
After you run the command, the hash password will be generated:
The generated hash value will be used on the config file at Step 7. Save it somewhere.
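Now run the command below to delete the container that was created to generate the hashed password (the container name is assigned by Docker at random, so use the name shown on your own system):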
user@TNAS:~# docker rm charming_williams
Please note: don't wrap the generated hashed password in single quotes when you add it to the config file. Instead, replace each $ symbol with two $$ symbols. For example, for the hash generated above for the password terra, in our config file we have to use:
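The conversion described in this note, as an added example that is not part of the original tutorial. It assumes wgpw prints a line of the form PASSWORD_HASH='<bcrypt hash>'; the function names and the sample hash are constructed for illustration. Compose treats a single $ as the start of a variable reference, which is why each one has to be doubled.

```shell
#!/bin/sh
# Added example: prepare a wg-easy PASSWORD_HASH value for a Compose file.
# Assumption: wgpw prints  PASSWORD_HASH='<bcrypt hash>'  (or the bare hash).

# Constructed sample in bcrypt shape, NOT a real hash of any password.
SAMPLE_HASH='$2a$12$abcdefghijklmnopqrstuuABCDEFGHIJKLMNOPQRSTUVWXYZ01234'

# compose_hash: drop the variable name and the single quotes, then double
# every "$" so Compose does not read "$2a", "$12", ... as variables.
compose_hash() {
    printf '%s\n' "$1" | sed \
        -e 's/^PASSWORD_HASH=//' \
        -e "s/^'//" -e "s/'\$//" \
        -e 's/\$/$$/g'
}

# check_compose_hash: validate the value as it will appear in the YAML.
# Prints "ok" or the reason the WebUI login would fail; returns 0 or 1.
check_compose_hash() {
    value=$1
    case $value in
        \'*|*\'|\"*|*\") echo "quoted"; return 1 ;;
    esac
    # Remove every "$$" pair; any "$" left over is unescaped.
    rest=$(printf '%s' "$value" | sed 's/\$\$//g')
    case $rest in
        *\$*) echo "unescaped-dollar"; return 1 ;;
    esac
    # Undo the escaping and check the bcrypt shape: $2x$NN$ plus 53 chars.
    raw=$(printf '%s' "$value" | sed 's/\$\$/$/g')
    if printf '%s' "$raw" | grep -Eq '^\$2[aby]\$[0-9]{2}\$[./A-Za-z0-9]{53}$'; then
        echo "ok"
    else
        echo "not-bcrypt"; return 1
    fi
}

ready=$(compose_hash "PASSWORD_HASH='$SAMPLE_HASH'")
echo "PASSWORD_HASH=$ready"
check_compose_hash "$ready"
```

Starting the generator with docker run --rm removes the temporary container automatically when it exits. A password typed on the command line stays in the shell history, so clear that entry afterwards.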
Open Docker Manager by using the icon on the desktop or from the top menu. Click on Project from the left menu and then on the small + icon to add new project.
On the Project name type wireguard
On the Project path type /Volume1/DockerYAML or use the Browse button to navigate and select the DockerYAML folder
Configuration file source select Your computer from the dropdown list
Click on the folder icon to browse your local computer for the yml file
On the file browser window, choose the wireguard.yml that you downloaded on Step 1. After you select the file, click on Open.
The file will be loaded and the content will appear on the code section. Before you proceed further, adapt the code to your particular values for these variables:
PUID and PGID: change to the values for your user found in Step 3.
TZ: change to the value for your specific zone found in Step 4.
WG_HOST: change to your dynamic DNS name or your fixed external IP.
PASSWORD_HASH: replace with your hashed password generated in Step 6.
Config files will be stored at /Volume1/DockerAppsData/Wireguard
Scroll down in the code window to review the config.
After you adapt all the required values, click on Verify YAML button. If the code is OK, the Apply button will become available. Click on it to deploy the project.
The project will start building.
If the building went well, our project will show the status as Running.
When the project is selected, the buttons on top will be available from where you can stop/start the project, restart, delete or force stop.
Now go to the Container section, where you can see some info about the newly created container.
In order to access the VPN server from outside your local network, you now need to create a port forward rule on your router. Below is a picture from my UniFi router (different routers have different interfaces; you have to find where the port forward option is on yours). In our port forward rule, we need to forward the port 51820/tcp to the IP address of our NAS.
You can click on the accessing address to access the WebUI (port 51821) or navigate in the web browser to http://yournasip:51821. Use your password to log in to the WebUI and click on Sign In.
Press on New Client, type a name for your client and press on Create button.
Once the client config has been created, press on QR code. (If you are adding a client on a PC, you can press the download config button instead; this config must then be imported into the WireGuard client on your PC.)
Install the WireGuard app on your Android phone, press the + icon at the bottom of your screen and select Scan from QR code. Give a name to your tunnel and press Create Tunnel.
Now turn on the tunnel and you are ready to access your NAS from external connection via VPN.
Now you can access your NAS at http://yournasip from an external network, and you can see traffic going through the VPN.
All apps here are not officially provided by TerraMaster, but developed by me in my spare time. All the apps you can download here are free. If you encounter problems while using the app, I can provide you with advice and help as much as I can. Since it takes me a lot of time to maintain these apps and provide technical support, I would appreciate it if you made a donation to support my work and continue to provide up-to-date versions.
Wireguard
Fast, modern, secure VPN tunnel
About: https://www.wireguard.com