Syncthing via Wireguard

Syncthing is a great tool to synchronize data between different hosts. It is very robust and secure. In this article we will combine Syncthing with Wireguard to establish direct connections between two hosts, switching off any dynamic discovery and relay functionality.

One of the main selling points of Syncthing is the capability to run behind NAT and the discovery and relay nodes that allow dynamic routing of traffic between Syncthing nodes. In this article we will be using direct connections and switch off this discovery and relay functionality.

The Problem Statement

Host a Syncthing instance on a server and connect to it from a laptop running Wireguard. The laptop is connected either internally or via insecure and untrusted networks. The server is hosted internally and not exposed to

Requirements:

  • The laptop’s Syncthing instance is bound to the Wireguard interface and hence only reachable via the Wireguard tunnel.
  • Both Syncthing instances are directly connected and do not use any discovery or relay functionality.

The Design

The following diagram outlines the physical and logical setup of the approach. pfSense is used as the Wireguard VPN gateway, but any other Wireguard deployment works too.

Syncthing via Wireguard Network Diagram

This design has multiple advantages:

  1. The Syncthing instances are directly connected and do not use any discovery or relay functionality.
  2. The Wireguard tunnel adds another layer of protection to the Syncthing traffic.
  3. It plugs into an existing Wireguard deployment that is used for other purposes too.
  4. On public networks the Syncthing traffic is not visible, minimizing the attack surface.

Implementation Details

Bind the Syncthing instance to the Wireguard interface on the mobile devices and to the configured static IP on the static one. This ensures that the Syncthing instance is only reachable via the Wireguard tunnel and not via any other interface.

Connect both instances using their respective internal IPs: the Wireguard IP for the mobile instance and the LAN IP for the static instance. If they are in different subnets, Syncthing will report the connection as TCP WAN instead of TCP LAN. Add the subnets to the internal networks configuration to avoid this.

Set the allowedNetworks option of each device entry to the subnet containing the IP address of the other peer or peers, so that connections from any other network are rejected.
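The following script is an added example and is not part of the original article or of the Syncthing project. It turns the three implementation steps above into a check that can be run against a Syncthing config.xml: listening only on the tunnel address, discovery, relays and NAT traversal switched off, every peer reachable only via a static address inside its allowedNetwork, and the peer subnets listed as internal networks (the alwaysLocalNet option) so the connection shows as TCP LAN. The two embedded configs are constructed samples for the laptop side, with a hypothetical tunnel IP 10.10.0.2, a server on 192.168.1.10 and placeholder device IDs; the element names are the ones Syncthing uses in config.xml.

```python
"""Audit a Syncthing config.xml for the direct-over-Wireguard posture."""
import ipaddress
import xml.etree.ElementTree as ET
from urllib.parse import urlparse

# Constructed sample (laptop side): bound to the tunnel IP 10.10.0.2, the
# server peer lives on the internal LAN 192.168.1.0/24. Device IDs are
# placeholders, not real Syncthing IDs.
HARDENED_CONFIG = """<configuration version="37">
  <device id="SERVER-DEVICE-ID-PLACEHOLDER" name="server">
    <address>tcp://192.168.1.10:22000</address>
    <allowedNetwork>192.168.1.0/24</allowedNetwork>
  </device>
  <options>
    <listenAddress>tcp://10.10.0.2:22000</listenAddress>
    <globalAnnounceEnabled>false</globalAnnounceEnabled>
    <localAnnounceEnabled>false</localAnnounceEnabled>
    <relaysEnabled>false</relaysEnabled>
    <natEnabled>false</natEnabled>
    <alwaysLocalNet>192.168.1.0/24</alwaysLocalNet>
    <alwaysLocalNet>10.10.0.0/24</alwaysLocalNet>
  </options>
</configuration>"""

# Constructed sample resembling Syncthing's out-of-the-box behaviour:
# listen on "default" (all interfaces), dynamic peer address, discovery on.
DEFAULT_CONFIG = """<configuration version="37">
  <device id="SERVER-DEVICE-ID-PLACEHOLDER" name="server">
    <address>dynamic</address>
  </device>
  <options>
    <listenAddress>default</listenAddress>
    <globalAnnounceEnabled>true</globalAnnounceEnabled>
    <localAnnounceEnabled>true</localAnnounceEnabled>
    <relaysEnabled>true</relaysEnabled>
    <natEnabled>true</natEnabled>
  </options>
</configuration>"""


def _flag(opts, name):
    """True if the boolean option <name> is present and set to true."""
    el = opts.find(name)
    return el is not None and (el.text or "").strip().lower() == "true"


def audit_config(xml_text, tunnel_ip):
    """Return a list of findings; an empty list means the config meets the requirements."""
    root = ET.fromstring(xml_text)
    opts = root.find("options")
    findings = []

    # Step 1: every listen address must be a tcp/quic URL bound to the tunnel IP.
    listens = [e.text.strip() for e in opts.findall("listenAddress")]
    if not listens:
        findings.append("no listenAddress configured")
    for addr in listens:
        u = urlparse(addr)
        if u.scheme not in ("tcp", "tcp4", "tcp6", "quic") or u.hostname != tunnel_ip:
            findings.append(f"listenAddress {addr!r} is not bound to {tunnel_ip}")

    # Step 2: no discovery, no relays, no NAT traversal.
    for name in ("globalAnnounceEnabled", "localAnnounceEnabled",
                 "relaysEnabled", "natEnabled"):
        if _flag(opts, name):
            findings.append(f"{name} is true; expected false")

    # Step 3: peers use a static address inside their allowedNetwork, and that
    # network is marked as internal so the connection shows as TCP LAN.
    local_nets = [ipaddress.ip_network(e.text.strip()) for e in opts.findall("alwaysLocalNet")]
    for dev in root.findall("device"):
        name = dev.get("name")
        allowed = [ipaddress.ip_network(e.text.strip()) for e in dev.findall("allowedNetwork")]
        if not allowed:
            findings.append(f"device {name}: no allowedNetwork set")
        for addr in (e.text.strip() for e in dev.findall("address")):
            host = urlparse(addr).hostname
            if host is None:  # "dynamic" or anything that is not a URL
                findings.append(f"device {name}: address {addr!r} is not a static address")
                continue
            ip = ipaddress.ip_address(host)
            if allowed and not any(ip in n for n in allowed):
                findings.append(f"device {name}: {host} is outside its allowedNetwork")
            if not any(ip in n for n in local_nets):
                findings.append(f"device {name}: {host} not in alwaysLocalNet (would show as TCP WAN)")
    return findings


if __name__ == "__main__":
    for label, cfg in (("hardened", HARDENED_CONFIG), ("default", DEFAULT_CONFIG)):
        print(label, audit_config(cfg, "10.10.0.2") or "OK")
```

Run it against a real installation by replacing the embedded strings with the contents of the instance's config.xml and passing the actual Wireguard or LAN address as `tunnel_ip`; on the static server the check is the same with its static LAN IP in place of the tunnel IP.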

More ideas on how to protect your data can be found in the Multi Tiered Data Management With Ransomware Protection article.

Author

Alex Oberhauser

Alex Oberhauser is a tech-entrepreneur, innovator and former C-level executive. He is currently working on user controlled identities and the empowerment of the end-users, with privacy and security as part of the value proposition, not as an afterthought.
