I've been running a WireGuard server on a Synology DS920+ NAS for two years. My QNAP TS-464, tested for four months, now offers native WireGuard in QTS 5.1 — no Docker required. This guide covers both paths, with measured numbers and the mistakes to avoid.
For a broader overview of self-hosted VPN options, start with our complete guide to the best self-hosted VPN solutions 2026.
Why run a VPN on your NAS
A home NAS runs 24/7. Its CPU is idle 90% of the time — might as well put it to work.
Four concrete use cases that justify the setup:
Remote LAN access: from a café or hotel, you access your drives as if you were home. File sharing, Surveillance Station, backup access — without exposing a single NAS port directly to the internet.
NAS data integration: if you have 20 TB of media on your NAS, a local VPN avoids going through the Synology/QNAP cloud relay (paid, limited, potentially slow). You access the LAN directly.
Single device: one device serves as NAS + VPN server + Plex + Pi-hole. No additional Raspberry Pi to manage.
Available idle CPU: a DS920+ consumes 15-20W idle. Adding WireGuard doesn't significantly change the electricity bill — the J4125 CPU encrypts in kernel mode with <5% impact on other services.
The honest limitation: unlike a cloud VPS, a power or internet outage at home cuts your VPN. For critical business travel use, keep a Contabo VPS as backup — see our self-hosted VPN on Contabo guide.
Synology vs QNAP: VPN setup comparison
After two years on Synology and 4 months testing QNAP, here's what I found:
| Criterion | Synology DSM 7.2 | QNAP QTS 5.1 |
|---|---|---|
| Native WireGuard | No (via Docker) | Yes (QVPN Service 3.0+) |
| Native OpenVPN | Yes (VPN Server) | Yes (QVPN Service) |
| WireGuard setup ease | Medium (Docker required) | Easy (native GUI) |
| WireGuard throughput DS920+ | ~150 Mbps (J4125) | — |
| WireGuard throughput TS-464 | — | ~200 Mbps (N5095) |
| WireGuard throughput DS1522+ | ~290 Mbps (R1600) | — |
| Free integrated DDNS | Yes (*.synology.me) | Yes (*.myqnapcloud.com) |
| Ecosystem maturity | High | Good |
| Documentation | Excellent | Decent |
Verdict: If you already own a QNAP on QTS 5.1+, native WireGuard is a clear advantage — no Docker to manage. If you're on Synology, Docker WireGuard remains very stable once configured (2 years in production on my DS920+, zero crashes).
Setting up VPN Server on Synology (OpenVPN/L2TP)
The simplest path to get started on DSM 7.2 without Docker.
Installation:
- Package Center → Search "VPN Server" → Install
- Open VPN Server → Choose OpenVPN or L2TP/IPSec
- Enable the protocol and check "Allow VPN clients to access the server's local network"
OpenVPN configuration:
In VPN Server > OpenVPN > Advanced Settings:
- Network interface: eth0 (NAS Ethernet)
- Port: 1194 UDP
- Encryption: AES-256-CBC
- Check "Enable compression"
Port forwarding: on your router, forward UDP 1194 to the NAS local IP.
Dynamic DNS: Control Panel > External Access > DDNS. Choose "Synology" as provider — your-nas.synology.me is free. This will be the Endpoint in the client .ovpn config file.
Generating the client file: VPN Server > OpenVPN > Export Configuration. The .ovpn file is ready to import into OpenVPN Connect on iOS/Android/Windows.
OpenVPN throughput limitation on NAS: on my DS920+, I measured 45-60 Mbps with OpenVPN (AES encryption on CPU without hardware AES-NI), versus 150 Mbps with WireGuard. If throughput matters, move to the WireGuard Docker section.
Setting up WireGuard on Synology via Docker
This is the configuration I've used in production for two years. More performant than OpenVPN, slightly more technical to set up.
Prerequisites: DSM 7.2, Container Manager installed, at least 4 GB RAM on the NAS.
Step 1 — Create the config folder:
In File Station, create /volume1/docker/wireguard/.
Step 2 — Pull the image:
Container Manager > Registry > Search linuxserver/wireguard > Download (latest).
Step 3 — Create the container:
Container Manager > Container > Create > Use image linuxserver/wireguard.
Critical settings:
- Network mode: Host (required — allows the container to listen on the NAS network interface directly)
- Capabilities: NET_ADMIN, SYS_MODULE (add manually in advanced settings)
Environment variables:
PUID=1000
PGID=1000
TZ=Europe/London
SERVERURL=your-nas.synology.me
SERVERPORT=51820
PEERS=3
PEERDNS=auto
INTERNAL_SUBNET=10.13.13.0
Volumes:
/volume1/docker/wireguard → /config
Step 4 — Port forwarding:
DSM > Control Panel > Security > Firewall: allow UDP 51820 inbound. Router: UDP 51820 → NAS local IP.
Step 5 — Retrieve client configs:
After the container starts (30-60 seconds), in Container Manager > Container Logs, peer QR codes appear. Scan from the WireGuard mobile app. Client config files are also available at /volume1/docker/wireguard/peer1/peer1.conf.
Measured result: 148 Mbps download, 141 Mbps upload from a remote client on fiber, J4125 CPU at 38% during the test — well below saturation.
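A quick audit of the generated client files, as an added example (not part of the linuxserver/wireguard image or of this guide's original setup): each peer config holds a private key and sits in a shared folder, so the script checks its permission bits, its endpoint and whether it routes all traffic through the NAS. The sample config, its placeholder keys and the 10.13.13.x client/DNS addresses are constructed for illustration.

```python
import configparser
import ipaddress
import os
import stat
import tempfile

# Constructed sample in the layout of a WireGuard client config; keys are placeholders.
SAMPLE_CONF = """\
[Interface]
Address = 10.13.13.2
PrivateKey = PLACEHOLDER_CLIENT_PRIVATE_KEY=
DNS = 10.13.13.1

[Peer]
PublicKey = PLACEHOLDER_SERVER_PUBLIC_KEY=
Endpoint = your-nas.synology.me:51820
AllowedIPs = 0.0.0.0/0, ::/0
"""

def audit_peer_conf(path, expected_port=51820):
    """Inspect one client config: file mode, endpoint port, routed prefixes."""
    mode = stat.S_IMODE(os.stat(path).st_mode)
    cp = configparser.ConfigParser(delimiters=("=",), strict=False)
    cp.optionxform = str  # keep WireGuard's option names as written
    cp.read(path)
    host, _, port = cp["Peer"]["Endpoint"].rpartition(":")
    routes = [ipaddress.ip_network(r.strip(), strict=False)
              for r in cp["Peer"]["AllowedIPs"].split(",")]
    return {
        # Anyone who can read the file can impersonate the peer: keep it owner-only.
        "key_readable_by_others": bool(mode & 0o077),
        "endpoint_host": host,
        "endpoint_port_ok": port == str(expected_port),
        # A /0 route sends all client traffic through the NAS (full tunnel).
        "full_tunnel": any(n.prefixlen == 0 for n in routes),
        "routes": [str(n) for n in routes],
    }

def write_sample(mode):
    """Write SAMPLE_CONF to a temp file with the given permission bits."""
    fd, path = tempfile.mkstemp(suffix=".conf")
    with os.fdopen(fd, "w") as fh:
        fh.write(SAMPLE_CONF)
    os.chmod(path, mode)
    return path

if __name__ == "__main__":
    for mode in (0o644, 0o600):
        path = write_sample(mode)
        print(oct(mode), audit_peer_conf(path))
        os.remove(path)
```

On the NAS, point `audit_peer_conf` at `/volume1/docker/wireguard/peer1/peer1.conf` over SSH, and delete or lock down each file once the client has imported it.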
For ready-to-use WireGuard templates adapted to different scenarios, check our WireGuard configuration templates 2026.
Setting up QVPN Service on QNAP (native WireGuard QTS 5.1+)
On my QNAP TS-464 (N5095, 8 GB RAM, QTS 5.1.6), WireGuard is native — no Docker needed.
Installation:
App Center > Search "QVPN Service" > Install (free). Open QVPN Service from the main menu.
WireGuard configuration:
QVPN Service > VPN Server > WireGuard > Enable WireGuard Server.
Settings:
- Listening port: 51820 UDP
- Tunnel IP address: 10.6.0.1/24
- DNS: 1.1.1.1 (or NAS IP for local QNAP DNS)
Adding clients:
QVPN > Connection Accounts > Add VPN Account. Each account automatically generates a WireGuard key pair. Click the QR Code button to display the scannable QR from the WireGuard mobile app.
Port forwarding:
On your router, forward UDP 51820 to the QNAP IP. Use QNAP Cloud for free DDNS (*.myqnapcloud.com): App Center > myQNAPcloud > Enable.
Measured result on TS-464 (N5095): 197 Mbps download, 189 Mbps upload. N5095 CPU at 24% during transfer — clearly superior to the J4125. The N5095 has a better cryptographic pipeline than the Celeron J4125.
For Tailscale exit node strategies on NAS, also see our Tailscale exit node complete guide 2026 — complementary to self-hosted VPN.
Outbound routing: sending NAS traffic through an external VPN
Different use case: you want the NAS itself to route internet traffic via NordVPN/Surfshark (to access geo-blocked content from Plex, or have Sonarr/Radarr exit from a different IP).
On Synology via Docker (NordVPN):
Use the ghcr.io/bubuntux/nordvpn image:
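```yaml
version: "3"
services:
  nordvpn:
    image: ghcr.io/bubuntux/nordvpn
    cap_add:
      - NET_ADMIN                  # needed to create the tunnel interface and routes
    environment:
      # Credentials sit in clear text in this file: keep it readable by the owner only.
      - USER=your@email.com
      - PASS=your_password
      - CONNECT=France
      - TECHNOLOGY=NordLynx
      - NETWORK=192.168.1.0/24     # your LAN subnet
    ports:
      - 8080:8080
```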
Sonarr/Radarr containers placed in the same Docker network then use this connection.
Plex + outbound VPN use case: if you access Plex from a geo-restricted region (e.g. French content from Canada), routing through this tunnel bypasses the restriction. Note this doesn't exempt you from a valid Plex subscription.
On QNAP via QVPN: QVPN Service > VPN Client > Add Connection > WireGuard or OpenVPN (import the .ovpn file downloaded from NordVPN/Surfshark's website). Enable the connection. Verify the QNAP's outbound IP with curl ifconfig.me via SSH.
For advanced routing strategies with custom routing tables, see our self-hosted VPN on Raspberry Pi 5 guide — the IP forwarding principles apply to NAS as well.
Performance and security: benchmarks and hardening
WireGuard throughput benchmarks (iperf3 LAN→remote via WireGuard):
| NAS | CPU | WireGuard Docker | Native WireGuard |
|---|---|---|---|
| Synology DS220+ | J4025 (2C) | ~95 Mbps | N/A |
| Synology DS920+ | J4125 (4C) | ~150 Mbps | N/A |
| Synology DS1522+ | R1600 (6C) | ~290 Mbps | N/A |
| QNAP TS-253D | J4125 (4C) | N/A | ~160 Mbps |
| QNAP TS-464 | N5095 (4C) | N/A | ~200 Mbps |
| QNAP TS-664 | N5105 (4C) | N/A | ~230 Mbps |
Security hardening (mandatory before exposing any port to the internet):
1. Admin MFA on DSM/QTS
Synology: Control Panel > User Account > 2-Step Verification → enable TOTP (Google Authenticator or Authy). QNAP: myQNAPcloud > Security Center > 2-Step Verification → TOTP. Never expose the DSM admin port (5000/5001) directly — only via VPN or reverse proxy.
2. Fail2ban and IP blocking
Synology DSM natively includes an auto-block system: Control Panel > Security > Protection > Automatically block IP addresses after X failed login attempts. Configure: 5 attempts, 24h block.
3. Firewall geo-block
Synology: Control Panel > Security > Firewall > Create rule > Allow only expected source countries (your home country + travel destinations). Block everything else. QNAP: QuFirewall (available in App Center) offers the same geo-blocking.
4. Minimal exposed ports
Only expose the WireGuard UDP port (51820). No DSM/QTS admin ports, no direct Plex port (use QuickConnect or via VPN only), no exposed SSH (use the VPN as a jump host).
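One way to verify item 4 after the router and firewall rules are in place, as an added example rather than a Synology or QNAP tool: probe your own DDNS name from outside the LAN and report any TCP service that should be reachable only through the tunnel. Ports 5000/5001 come from this page; 22 for SSH and 32400 for Plex are the usual defaults and are assumptions to adjust.

```python
import socket

# TCP services the hardening list says must stay off the internet.
# 5000/5001 are the DSM ports named above; 22 (SSH) and 32400 (Plex) are
# the usual defaults and are assumptions, adjust them to your setup.
FORBIDDEN_TCP = {5000: "DSM HTTP", 5001: "DSM HTTPS", 22: "SSH", 32400: "Plex"}

def probe_tcp(host, port, timeout=3.0):
    """Classify one TCP port as 'open', 'closed' or 'filtered'."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return "open"        # handshake completed: the service is exposed
    except ConnectionRefusedError:
        return "closed"          # a host answered, nothing is listening
    except OSError:
        return "filtered"        # timeout, unreachable or unresolvable name

def audit_exposure(host, forbidden=None, timeout=3.0):
    """Return {port: (service, state)} for every forbidden port that is open."""
    forbidden = FORBIDDEN_TCP if forbidden is None else forbidden
    results = {p: (name, probe_tcp(host, p, timeout))
               for p, name in forbidden.items()}
    return {p: r for p, r in results.items() if r[1] == "open"}

if __name__ == "__main__":
    import sys
    # Run from OUTSIDE the LAN (for example a phone hotspot) against your own DDNS name.
    host = sys.argv[1] if len(sys.argv) > 1 else "your-nas.synology.me"
    exposed = audit_exposure(host)
    for port, (name, _) in sorted(exposed.items()):
        print(f"EXPOSED tcp/{port} ({name})")
    print("fix the router/firewall rules" if exposed
          else "ok: no forbidden port answers")
```

UDP 51820 is not probed: WireGuard stays silent to packets that fail authentication, so the only meaningful test of that port is a real client handshake.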
Production CPU impact: during a 150 Mbps WireGuard transfer on my DS920+, the CPU runs at 38-42%. Other services (Plex transcoding 1080p H.265 → H.264) were not affected. WireGuard is light enough to not compromise typical NAS workloads.
For deeper coverage of VPN security strategies, see our complete guide to the best self-hosted VPN solutions 2026.