How to run Nebula Mesh VPN on Synology DSM 7

Malte Poll
Aug 13, 2021

Running custom services on a Synology NAS just got harder. With the newest version — DSM 7 — a lot has changed. Most importantly, running processes as root is no longer officially supported and Synology switched to systemd for service management. In this post, I will give you a step-by-step guide on how to connect to your nebula mesh VPN with your NAS.

Step 1: Generating a configuration file

In order to connect to your existing nebula VPN, you need a config file with a public/private key pair. I suggest that you inline the CA certificate, client certificate, and client key as shown below:

Step 2: Create a new Share

In the DSM Web GUI, open the Control Panel, go to “Shared Folder” ↦ “Create” ↦ “Create Shared Folder” and name it Nebula. Do not enable encryption or checksums.

Figure: Shared Folder Creation Wizard

In the last step, remove all permissions for every user. We will create a separate user in the next step.

Step 3: Create a new User

Originally, I wanted to create a Unix-only service user with as few permissions as possible. To my surprise, it seems that DSM 7 does not ship the normal Linux binaries to create and manage user accounts (useradd, adduser, usermod, etc.), so we create the user using the DSM GUI instead. Open the Control Panel, go to “User & Group” ↦ “Create” and set nebula as the username. The password should be long and random. You do not need it later, so you do not need to write it down. The nebula user does not need any permissions for any applications or services.

Figure: Creating a new user to run nebula

In the last step, give your newly created user all rights on the new shared folder.

Step 4: Download the installer script & run it

Inside your newly created share, place the files from this git repository:

This should result in the following file structure:

/volume1/Nebula/
├── bin
├── config
├── install.sh
└── systemd
    └── nebula.service.sample

Next, you have to place the nebula config file from step 1 under config/config.yml.

Now you can run the installer by connecting via SSH, obtaining root privileges with sudo, and starting the installer with sudo sh install.sh.

If everything goes well, you should see the VPN interface using ip a show dev nebula.

Step 5: Ensure the systemd unit persists

Because we are placing our own unit files under /etc/systemd/system/, we cannot rely on our service surviving a firmware upgrade. To recreate the service file on every reboot, we can set up a CRON task that runs on boot.

Figure: Create a new task on boot to reinstall the nebula systemd unit file

In the DSM Web GUI, open the Control Panel, go to “Task Scheduler” ↦ “Create” ↦ “Triggered Task” ↦ “User-defined script”. Give it any name, choose the root user, and select Boot-up as Event. Under “Task Settings”, enter the following for the user-defined script:

cp /volume1/Nebula/systemd/nebula.service /etc/systemd/system/
systemctl daemon-reload
systemctl enable nebula
systemctl start nebula
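
The boot task above runs as root and copies a unit file out of a share on which the nebula user has full rights (Step 3), so that account could influence what root starts at boot. The variant below is an added example, not part of the original post or its repository: it installs the unit only if the source is a regular file, owned by root, and not writable by group or others. It assumes `stat -c` is available on DSM and that the unit file has been set to root ownership with mode 644; `install_unit` and its return codes are names chosen for this example.

```shell
#!/bin/sh
# Added example, not part of the original post or its repository.
# Assumes `stat -c` (GNU coreutils or BusyBox) and a unit file that was
# set to owner root, mode 644 (chown root / chmod 644).

# install_unit SRC DEST_DIR [EXPECTED_UID]
# Returns 0 = installed, 1 = not a plain file, 2 = wrong owner,
#         3 = writable by group/others, 4 = copy failed.
install_unit() {
    src=$1
    dest_dir=$2
    want_uid=${3:-0}    # root; overridable so the check can be tested unprivileged

    # A symlink would make root copy whatever it points at.
    if [ -L "$src" ] || [ ! -f "$src" ]; then
        echo "nebula unit: $src is not a regular file, skipping" >&2
        return 1
    fi

    owner=$(stat -c %u "$src") || return 1
    mode=$(stat -c %a "$src") || return 1

    if [ "$owner" != "$want_uid" ]; then
        echo "nebula unit: $src owned by uid $owner, expected $want_uid" >&2
        return 2
    fi

    # Octal 022 = group-write and other-write bits.
    if [ $(( 0$mode & 022 )) -ne 0 ]; then
        echo "nebula unit: $src has mode $mode (group/other writable)" >&2
        return 3
    fi

    cp "$src" "$dest_dir/nebula.service" || return 4
    chmod 644 "$dest_dir/nebula.service"
}

# Paths are the ones used in the post. Nothing is reloaded if the check fails.
if install_unit /volume1/Nebula/systemd/nebula.service /etc/systemd/system; then
    systemctl daemon-reload
    systemctl enable nebula
    systemctl start nebula
fi
```

Paste the script body into the task's user-defined script field rather than saving it inside the share, where the same account could edit it.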

How the install script works

The install script downloads the newest version of nebula for the hardware and creates a systemd unit file under /etc/systemd/system. It uses the nebula user instead of root to start the nebula binary and grants the necessary privileges.
