Synology has awful speeds - trying Wireguard on openwrt router - Help with routing

[Bestaflex 0]

Hi all,

I have an older synology 1511+ under DSM 6.2 and use the synocommunity version of deluge (docker is beyond my tech skills, tried and failed a few times).

When no vpn is connected in the network tab of the control panel i get my usual speeds around 30Mo/s (240mbps) but then when vpn is connected i can't for my life get over 6Mo/sec (48mbps).

Could someone please review what i did and hit me on the head with some advice ?

Setup :

I set up the openvpn through that guidemaking sure i use a low charge server (tried 1 server, country and region without noticeable change)

I opened a port on the air vpn website and reported it in deluge as describded in multiple forum threads unchecking lots of previously checked boxes


 

Edited ... by Bestaflex

[reversevpn 9]

OpenVPN might just be too heavy for your synology NAS to do without sacrificing significant performance. Try wireguard instead.

[Bestaflex 0]

On 4/9/2026 at 10:07 PM, reversevpn said:

OpenVPN might just be too heavy for your synology NAS to do without sacrificing significant performance. Try wireguard instead.

Any guide or how to because it feels like wireguard and Synology are not natively liking each other.

All the guides i've found are docker or spk repacker (does not exist for 1511+) and seems to be done for incoming and not outgoing Edited ... by Bestaflex

[reversevpn 9]

Is it possible for you to insert a middlebox between your synology and the upstream router? By middlebox, I mean any computer that can run Linux (i.e. Debian) and that you can give at least two ethernet interfaces (oen or both can be USB ethernet if you don't have enough built-in Ethernet ports). If it is possible, you can have the middlebox do wireguard, then just set the mtu between the synology and the middlebox to be 1420 (or 1320, if you leave the AirVPN config file as-is), and then just have the middlebox NAT all the synology's traffic into the Wireguard tunnel.

[reversevpn 9]

If you can't dedicate a middlebox to just your NAS, you can use your main machine as the middlebox, if it runs Linux with systemd. If you do have that, then you can use iproute2 and systemd-nspawn to just send the NAS's trafic over the VPN without sending your main computer's traffic over the VPN, unless you also want to send your main computer's traffic over the VPN.

[Bestaflex 0]

On 4/13/2026 at 9:30 AM, reversevpn said:

If you can't dedicate a middlebox to just your NAS, you can use your main machine as the middlebox, if it runs Linux with systemd. If you do have that, then you can use iproute2 and systemd-nspawn to just send the NAS's trafic over the VPN without sending your main computer's traffic over the VPN, unless you also want to send your main computer's traffic over the VPN.

On 4/13/2026 at 9:25 AM, reversevpn said:

Is it possible for you to insert a middlebox between your synology and the upstream router? By middlebox, I mean any computer that can run Linux (i.e. Debian) and that you can give at least two ethernet interfaces (oen or both can be USB ethernet if you don't have enough built-in Ethernet ports). If it is possible, you can have the middlebox do wireguard, then just set the mtu between the synology and the middlebox to be 1420 (or 1320, if you leave the AirVPN config file as-is), and then just have the middlebox NAT all the synology's traffic into the Wireguard tunnel.

I dropped the Wiregard approach as while i found and spk, after that it's mostly SSh as there is no native UI and that's somehow above my paygrade (and as said all the guide i find for syno/wireguard are taylored for the server side or access point, no as an exit strategy).

I saw some post about raspberry middle box and i'll look into it thanks.

[Bestaflex 0]

Little update.

After i was advised to use Wireguard and that the NAS did not provide any native support i remembered i had an old tplink archer C7 lying around and wondered if i could do a middle box of it.

Long story short : I flashed it for openwrt, made it a dumb ethernet access point (no WAN, no DHCP, no wifi), installed wireguard and managed to setup airvpn.

I then connected the nas to it but now i have a bit of an issue : dumb AP works as even with the openwrt router between may main gateway (isp box) and the NAS i can find it and access the DSM UI fine but then when i activate the wireguard interface i loose connexion. 
The connexion from my PC is wifi to ISP box then ethernet to openwrt then nas. My take is that the wireguard interface tunnels all to the airvpn exit node and there is no way for me to reach the nas from the LAN with it's local IP)

Is there a way to dissociate so that the WG connexion is only for outside of the actual LAN (the DSM VPN system did that perfectly) ? May be some port routing black magic (because honestly i only need the torrent to go trhough the vpn, rest not so much)

BTW also noticed that with the WG interface activated, the tailscale network i use to reach the nas from outside loose trace of it when it never did it with the openvpn on DSM.

EDIT : after tweaking for hours i now have access to the devices after the router but the traffic doesn't go to the router and ip leak test show my torrents on my own. I found places where they seem to think that dumb AP and vpn client just don't work as the principle of dumb AP is to be transparent.

[reversevpn 9]

The reason there is leakage is that you'retch not NAT'ing the traffic from the Synology to AirVPN. My suggestion is to do the following:
For the purposes of this guide, I'll call whatever device you're using to access the OpenWRT Web Interface as "laptop", but in reality, it can be a desktop, smartphone, tablet, or anything else with a web browser.

(Topmost Menu is the Black Bar of OpenWRT LUCI, which has, by default: OpenWRT, Status, System, Network,Tools):
1. Reset your OpenWRT router to default settings(but the firmware should still be OpenWRT, not the stock firmware).
2.For now, Just plug your laptop into a LAN port so you can configure the router according to the next steps here and the WAN port to your pre-existing network, so that you can install Wireguard .
3. Install the OpenWRT Package for Wireguard
4. Download the AirVPN config file you want to use onto your laptop.
5. Disconnect the router from your pre-existing network that was attached via the WAN port, but leave your laptop plugged in. From here on out, you will not have internet access as you're configuring the OpenWRT router, but you will regain it later at the step where I tell you to reattach the cable from the network to your OpenWRT. You MUST do this, else the next step will fail. DO NOT plug your pre-existing network into any hole on the OpenWRT till you reach the step where I tell you to do so.  
4. !!!VERY IMPORTANT!!! PLEASE READ THIS STEP IN FULL, INCLUDING THE EXPLANATION AT THE END
Go to Network>Switch and assign 1 port to VLAN 1(We'll use this for LAN) and VLAN 2(We'll use this for your NAS). To assign a router port to a VLAN, within a single row, select "untagged" for the port you want to assign to the VLAN, "off" for very other port, and "tagged" for CPU(eth0).
Your table can look like this(I'm going to write it out in JSON-style, where a JSON single object is a table row, the key is a column header, and the value is either what you write in the empty box or select from a dropdown in the empty box. I'm doing this because actually recreating a table in text is more challenging than I'd like)
{VLAN ID:1,
 Description:"",
CPU(eth0): tagged,
LAN 1: untagged,
LAN 2: untagged,
LAN 3: off,
LAN 4: off,
WAN: off
},
{VLAN ID:2,
 Description:"",
CPU(eth0): tagged,
LAN 1: off,
LAN 2: off,
LAN 3: off,
LAN 4: off,
WAN: untagged
},
{VLAN ID:3,
 Description:"For NewLAN",
CPU(eth0): tagged,
LAN 1: off,
LAN 2: off,
LAN 3: untagged,
LAN 4: off,
WAN: off
},
{VLAN ID:4,
 Description:"For NAS",
CPU(eth0): tagged,
LAN 1: off,
LAN 2: off,
LAN 3: off,
LAN 4: untagged,
WAN: off
}
You're free to choose different ports than what I choose here, as long as your choices are consistent between this step and the following steps.
Notice that when I donate a port to NAS and to NewLAN, I remove those same ports from LAN. That is, when I mark them as untagged for the New VLANS I create, I mark them as off for the pre-existing LAN bridge. Whatever you do, DO NOT donate the port that your laptop is currently plugged into to NewLAN or to NAS.

5. Go to the Network>Interfaces Section of OpenWRT and create 3 interfaces, NewLAN, AirVPN(This is what I'll call your Wireguard Interface from now on), and NAS.
     5.1.Set the Device of NewLAN to the VLAN ID 3 from earlier, then give it an IP address that is in the same subnet as your pre-existing LAN(i.e. if your pre-existing LAN's gateway is 192.168.1.1, then a potentially nice candidate is 192.168.1.254, if you don't have another device sitting there yet), but not part of the DHCP range. Set the gateway to be the address of your pre-existing router. DO NOT plug the OpenWRT into your pre-existing LAN yet. DO NOT enable DHCP Server on this interface 
     5.2. Set the Device of NAS to VLAN ID 4. Then, give this interface an IP address that is outside your pre-existing subnet, and also that is not in AirVPN's IP 10.0.0.0/8 range. For example, if your pre-existing LAN is 192.168.1.0/24, then make this interface have address 192.168.2.1. If you have more than 1 LAN, choose a new address that is not part of any network you have yet. Enable DHCP Server on this interface. Set the MTU to be the same as the MTU of your Wireguard conf from AirVPN. 
    5.3. Copy the Wireguard config file into the AirVPN interface.

You will be able to select the Device to bind the new interface to in the Device: field after clicking the "Add new interface..." button in network Interfaces. Do not assign any pre-existing firewall zone to any of these new interfaces. Create a new zone for each.

6. In Network>Firewall, if these zones do not exist yet, create 3 new zones called NewLAN, NAS, and AirVPN. Enable Masquerading for all of these interfaces. Allow NAS to forward to AirVPN. Allow NewLAN to forward to NAS.  Allow INPUT, OUTPUT, and Intrazone Forward for NewLan and NAS. Allow OUTPUT but block INPUT and Intrazone Forward for AirVPN. If they already exist, still configure them as I told you.

7. Go back to Network>Interfaces, then edit NewLAN, AirVPN, and NAS interfaces. For each of them go to the Firewall Settings tab (visible after clicking Edit) and set each interface to the firewall zone with the same name.

8. Plug your pre-existing router into the port you donated to NewLAN.

9. Plug your NAS into the ethernet port you donated to NAS. 

10. Find out what the IP of the NAS is from Status->Overview and scrolling down. 

11. Go to Network->DHCP and DNS->Static Leases and add a static lease for the NAS using the IP address you learned from step 10. Set the lease time to infinite

12. Go to Network->Firewall->Port Forwards and Add a Rule. Specify AirVPN as Source Zone and NAS as Destination Zone. Fill Internal Address with what you learned from step 10. Try your best to make the internal and external port the same. If you cannot, either remap the port from AirVPN's Port Forward page in the Client Area or here in OpenWRT's Port Forward Window.

12. Activate the Wireguard Profile

13. Test the setup

14. Please report the results back here. If there is an error in this guide, let me know so I can correct it.