Syncthing is a great tool for synchronizing data between different hosts. It is very robust and secure. In this article we combine Syncthing with Wireguard to establish direct connections between two hosts, switching off all dynamic discovery and relay functionality.
One of the main selling points of Syncthing is the capability to run behind NAT and the discovery and relay nodes that allow dynamic routing of traffic between Syncthing nodes. In this article we will be using direct connections and switch off this discovery and relay functionality.
Host a Syncthing instance on a server and connect to it from a laptop running Wireguard. The laptop is connected either internally or via insecure and untrusted networks. The server is hosted internally and not exposed to
Requirements:
The following diagram outlines the physical and logical setup of the approach. pfSense is used as the Wireguard VPN gateway, but any other Wireguard deployment works too.
This design has multiple advantages:
Bind the Syncthing instance to the Wireguard interface for the mobile devices and the configured static IP for the static one. This assures that the Syncthing instance is only reachable via the Wireguard tunnel and not via any other interface.
Connect both instances with their respective internal IPs: the Wireguard IP for the mobile instance and the LAN IP for the static instance. If they are in different subnets, Syncthing will detect the connection status as TCP WAN instead of TCP LAN. Add the subnets to the internal networks configuration to avoid this.

Set allowedNetworks to the subnet (or the respective IP address) of the other peer or peers.
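To check that an instance actually matches this design, here is an added audit example that is not part of the article: it walks a Syncthing configuration in the shape returned by the REST API (GET /rest/config) and reports every setting that still allows discovery, relaying, all-interface listening or unrestricted peers. The addresses 10.10.0.1 (server Wireguard IP), 10.10.0.2 (laptop) and the 192.168.1.0/24 LAN, and the device ID placeholder, are constructed assumptions.

```python
import ipaddress

# Constructed samples in the shape of Syncthing's REST config (GET /rest/config).
# Addresses 10.10.0.1 (server's Wireguard IP), 10.10.0.2 (laptop) and the
# 192.168.1.0/24 LAN are assumptions, not taken from the article.
HARDENED = {
    "options": {
        "listenAddresses": ["tcp://10.10.0.1:22000"],   # bound to the tunnel IP only
        "globalAnnounceEnabled": False, "localAnnounceEnabled": False,
        "relaysEnabled": False, "natEnabled": False,     # no discovery, relays or NAT traversal
        "alwaysLocalNets": ["10.10.0.0/24", "192.168.1.0/24"],  # treat both subnets as LAN
    },
    "devices": [{"deviceID": "LAPTOP-ID-PLACEHOLDER", "name": "laptop",
                 "addresses": ["tcp://10.10.0.2:22000"], "allowedNetworks": ["10.10.0.0/24"]}],
}
DEFAULT_LIKE = {  # what a fresh install looks like: discovery everywhere, dynamic peers
    "options": {"listenAddresses": ["default"], "globalAnnounceEnabled": True,
                "localAnnounceEnabled": True, "relaysEnabled": True, "natEnabled": True,
                "alwaysLocalNets": []},
    "devices": [{"deviceID": "LAPTOP-ID-PLACEHOLDER", "name": "laptop",
                 "addresses": ["dynamic"], "allowedNetworks": []}],
}

def _host(addr):
    """Strip scheme, port and IPv6 brackets from a Syncthing address like tcp://host:port."""
    return addr.split("://", 1)[-1].rsplit(":", 1)[0].strip("[]")

def audit(config):
    """Return findings where the config departs from the direct-only design; [] means it matches."""
    findings, opts = [], config["options"]
    for key in ("globalAnnounceEnabled", "localAnnounceEnabled", "relaysEnabled", "natEnabled"):
        if opts.get(key, True):  # Syncthing's default for all four is true
            findings.append(f"{key} is enabled; disable it so only configured addresses are used")
    for addr in opts.get("listenAddresses", ["default"]):
        if addr == "default" or _host(addr) in ("0.0.0.0", "::", ""):
            findings.append(f"listen address {addr!r} binds all interfaces; bind the Wireguard/LAN IP only")
    local_nets = [ipaddress.ip_network(n) for n in opts.get("alwaysLocalNets", [])]
    for dev in config["devices"]:
        if not dev.get("allowedNetworks"):
            findings.append(f"device {dev['name']} has no allowedNetworks; restrict it to the peer's subnet")
        for addr in dev.get("addresses", []):
            if addr == "dynamic":
                findings.append(f"device {dev['name']} uses a dynamic address; set its static tunnel/LAN address")
            elif not any(ipaddress.ip_address(_host(addr)) in n for n in local_nets):
                findings.append(f"{_host(addr)} of {dev['name']} is outside alwaysLocalNets; Syncthing will show TCP WAN")
    return findings
```

Feed it the JSON from your own instance's /rest/config endpoint to confirm the hardened state after making the changes above.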
More ideas on how to protect your data can be found in the Multi Tiered Data Management With Ransomware Protection article.