DSM’s TCP Stack Is Limiting Your Remote Access Speed
The Problem
DSM uses CUBIC, Linux’s default TCP congestion algorithm. CUBIC treats dropped packets as a congestion signal and cuts its send rate hard. Packet loss on normal internet connections triggers this constantly, so CUBIC oscillates: brake, ramp up, brake again. The result is a connection sitting at a fraction of what your bandwidth can deliver. This is a kernel-level limitation. No amount of DSM tuning fixes it.
The workaround is a Linux VM on your LAN that runs BBR and proxies remote connections. BBR measures actual throughput instead of reacting to drops, so it doesn’t back off on normal packet loss. HAProxy splits the connection in two: one TCP session with the remote client over the internet, and a separate session to the NAS over the LAN. The NAS never deals with the internet directly. Tailscale provides the encrypted tunnel from your remote device to the VM.

| Component | Role |
|---|---|
| Tailscale | Encrypted WireGuard tunnel from your remote device to the VM |
| BBR | Handles the internet-facing TCP connection without backing off on packet loss |
| HAProxy | Splits the connection, isolating CUBIC to the local network where it belongs |

The VM can live anywhere on your LAN. I run mine in Synology’s Virtual Machine Manager. Install Ubuntu Server, then continue below.
Setup
Prerequisites
- A Linux machine on your home network (spare PC, Raspberry Pi, or VM)
- SSH access to it
- Your NAS’s local IP (DSM → Control Panel → Network)
Step 1 — Enable BBR
```bash
echo "net.core.default_qdisc=fq" | sudo tee -a /etc/sysctl.conf
echo "net.ipv4.tcp_congestion_control=bbr" | sudo tee -a /etc/sysctl.conf
sudo sysctl -p
```
Verify:
```bash
sysctl net.ipv4.tcp_congestion_control
# Expected: net.ipv4.tcp_congestion_control = bbr
```
Step 2 — Install Tailscale
```bash
curl -fsSL https://tailscale.com/install.sh | sh
sudo tailscale up
```
Authenticate via the printed link, then install Tailscale on your remote device from tailscale.com using the same account.
Step 3 — Configure HAProxy
```bash
sudo apt install haproxy -y
sudo nano /etc/haproxy/haproxy.cfg
```
Add to the bottom, replacing YOUR_NAS_LAN_IP with your NAS’s local IP:
```
frontend synology_gate
    bind *:5000
    mode tcp
    timeout client 1h
    default_backend synology_nas

backend synology_nas
    mode tcp
    timeout server 1h
    server nas YOUR_NAS_LAN_IP:5000 check
```
```bash
sudo systemctl restart haproxy
sudo systemctl enable haproxy
```
Step 4 — Connect Your Device
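Point your Synology app at the VM’s MagicDNS hostname:
```
<machine-name>.<tailnet-name>.ts.net
```
Leave HTTPS unchecked when you log in with Synology Photos on your mobile app. Tailscale encrypts everything end-to-end with WireGuard between your device and the VM; the HAProxy-to-NAS hop is plain HTTP on port 5000 and stays on your LAN.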
Throughput should approach the slower end of the connection: upload on one side, download on the other.
Notes#
Multiple services — Port 5000 covers DSM, Drive, and Photos. Add a frontend/backend block for each additional port. Full port list →
Tailscale relay fallback — If Tailscale can’t establish a direct connection it falls back to a relay, which tanks your throughput. A nearby cloud VPS running Tailscale avoids this. Check bandwidth limits on low-tier plans. More →
VMM auto-start — If the VM runs on the NAS via VMM, enable auto-start so remote access survives a reboot.
Synology BBR roadmap — Synology’s development team is evaluating BBR for a future DSM release. No timeline confirmed.
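
For the "Multiple services" note and the Step 3 config, here is an added example (not part of the original post) that generates one frontend/backend pair per port and validates its input first. It generalizes Step 3 by binding to a single address instead of `*`, so the listener can be kept off the LAN interface; the bind address `100.64.0.1` (for instance the VM's output of `tailscale ip -4`), the NAS IP `192.168.1.20`, and the second port `6690` are constructed sample values.

```shell
#!/bin/sh
# Added example: emit one HAProxy TCP frontend/backend pair per port.
# BIND_ADDR, NAS_IP and the port list are caller-supplied assumptions.

valid_port() {
    case "$1" in
        ''|*[!0-9]*) return 1 ;;   # reject empty or non-numeric input
    esac
    [ "$1" -ge 1 ] && [ "$1" -le 65535 ]
}

valid_ipv4() {
    # Four dot-separated decimal octets, each 0-255.
    printf '%s\n' "$1" | awk -F. '
        NF != 4 { exit 1 }
        { for (i = 1; i <= 4; i++) if ($i !~ /^[0-9]+$/ || $i > 255) exit 1 }'
}

# usage: gen_haproxy_blocks BIND_ADDR NAS_IP PORT [PORT...]
gen_haproxy_blocks() {
    [ "$#" -ge 3 ] || { echo "usage: BIND_ADDR NAS_IP PORT..." >&2; return 2; }
    bind_addr=$1; nas_ip=$2; shift 2   # bind_addr is passed through unchecked
    valid_ipv4 "$nas_ip" || { echo "bad NAS IP: $nas_ip" >&2; return 1; }
    # Validate every port first so a bad one never yields a partial config.
    for p in "$@"; do
        valid_port "$p" || { echo "bad port: $p" >&2; return 1; }
    done
    for p in "$@"; do
        cat <<EOF
frontend synology_gate_$p
    bind $bind_addr:$p
    mode tcp
    timeout client 1h
    default_backend synology_nas_$p

backend synology_nas_$p
    mode tcp
    timeout server 1h
    server nas $nas_ip:$p check

EOF
    done
}

if [ "$#" -ge 3 ]; then gen_haproxy_blocks "$@"; fi
```

Review the output before appending it to `/etc/haproxy/haproxy.cfg`. HAProxy refuses to start if the bind address is not yet assigned to an interface, so with a Tailscale address it has to start after Tailscale is up.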