Title: Run your own Syncthing discovery server on OpenBSD
Author: Solène
Date: 18 October 2023
Tags: syncthing openbsd privacy security networking
Description: In this article, you will learn how to configure a syncthing discovery server on OpenBSD.
# Introduction

In a previous article, I covered the software Syncthing and mentioned a specific feature named "discovery server".

The discovery server lets clients find each other and connect through NATs. This is NOT a relay server (which is a different service); a relay acts as a proxy between clients, a discovery server only tells them where the other peers are.

A motivation to run your own discovery server(s) would be security, privacy or performance reasons.

* security: using the global servers with the software that synchronizes your data can be dangerous if a remote exploit is found in the protocol; running your own server reduces the risk
* privacy: the global servers learn a lot about your client if you sync online: time of activity, IP address, number of remote nodes, the ID of everyone involved, etc.
* my specific use case: I have two Qubes OS computers with multiple syncthing instances inside; they can't see each other because they are in separate networks, and I don't want the data to go through my slow ADSL link to sync locally

Let's see how to install your own Syncthing discovery daemon on OpenBSD.
Syncthing discovery daemon documentation

Related blog posts:

* Presenting Syncthing features
* Blog post about the complementary Relay server
# Setup

On OpenBSD, the binary we need is provided by the syncthing package.

```shell
# pkg_add syncthing
```
The discovery service is provided by the binary `stdiscosrv`; you need to create a service file to enable it at boot. We can use the syncthing service file as a template for the new one. In OpenBSD-current and from OpenBSD 7.5 onwards, the rc file is installed with the package.

```shell
# sed '/^daemon=/ s/syncthing/stdiscosrv/ ; /flags/ s/".*"/""/' /etc/rc.d/synct…
# chmod a+x /etc/rc.d/syncthing_discovery
```
You created a service named `syncthing_discovery`; it's time to enable and start it.

```shell
# rcctl enable syncthing_discovery
```

We will start the service in debug mode so the daemon's output is displayed in the terminal. Retrieve the line "Server device ID is XXXX-XXXX......" from that output and keep the ID (the XXXX-XXXX-XXXX-XXXX part), because we will need to reuse it later.

```shell
# rcctl -d start syncthing_discovery
```

Make sure your firewall is correctly configured to let incoming connections through on port TCP/8443, which is used by the discovery daemon.
# Client configuration

On the client Web GUI, click on "Actions" and "Settings" to open the settings panel.

In the "Connections" tab, you need to change the value of "Global Discovery servers" from "Default" to `https://IP:8443/?id=ID`, where IP is the IP address where the discovery daemon is running, and ID is the value retrieved at the previous step when running the daemon.

Depending on your use case, you may want to keep the global discovery servers in addition to yours. It's possible to use multiple servers, in which case you would use the value `default,https://IP:8443/?id=ID`.
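As an added example (not code from the original post), the following POSIX shell script ties the two previous steps together: it extracts the "Server device ID is ..." line from the daemon's startup output, checks that the ID has the shape of a Syncthing device ID (8 dash-separated groups of 7 base32 characters), and builds the "Global Discovery servers" value with or without the `default` global servers in front. The `?id=` parameter is what lets clients verify the daemon's self-signed certificate, so the function refuses to build a URL from a malformed ID rather than silently producing a setting that would fail at connection time. The log lines, the device ID and the address 192.0.2.10 are constructed sample values, not output from a real server.

```shell
#!/bin/sh
# Added example, not part of the original post: turn stdiscosrv's startup
# output into the client's "Global Discovery servers" setting.

# Constructed sample of what `rcctl -d start syncthing_discovery` prints;
# the device ID below is a made-up placeholder with the right shape.
SAMPLE_OUTPUT='doing _rc_parse_conf
doing rc_start
Server device ID is AAAAAAA-BBBBBBB-CCCCCCC-DDDDDDD-EEEEEEE-FFFFFFF-GGGGGGG-HHHHHHH
Listening on :8443'

# extract_device_id: print the ID found on the "Server device ID is" line.
extract_device_id() {
    printf '%s\n' "$1" \
        | sed -n 's/^.*Server device ID is \([A-Z2-7-]*\).*$/\1/p' \
        | head -n 1
}

# valid_device_id: Syncthing device IDs are 8 dash-separated groups of
# 7 base32 characters (A-Z, 2-7). Returns 0 when the ID has that shape.
valid_device_id() {
    printf '%s\n' "$1" | grep -Eq '^([A-Z2-7]{7}-){7}[A-Z2-7]{7}$'
}

# discovery_url: build https://HOST:PORT/?id=ID. The id part pins the
# daemon's self-signed certificate, so a malformed ID is an error.
discovery_url() {
    host=$1; port=$2; id=$3
    if ! valid_device_id "$id"; then
        echo "invalid device id: $id" >&2
        return 1
    fi
    printf 'https://%s:%s/?id=%s\n' "$host" "$port" "$id"
}

# discovery_setting: value for the "Global Discovery servers" field.
# With keep_default=yes the global servers stay in front of your own.
discovery_setting() {
    keep_default=$1; shift
    url=$(discovery_url "$@") || return 1
    if [ "$keep_default" = yes ]; then
        printf 'default,%s\n' "$url"
    else
        printf '%s\n' "$url"
    fi
}

# Usage: own server only, then own server plus the global ones.
ID=$(extract_device_id "$SAMPLE_OUTPUT")
discovery_setting no 192.0.2.10 8443 "$ID"
discovery_setting yes 192.0.2.10 8443 "$ID"
```

Paste the printed value into the "Global Discovery servers" field; the second form is the one to use when peers outside your network should still be able to find each other through the global servers.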
# Conclusion

If you replace the default discovery server with your own, make sure all the peers can reach it; otherwise your syncthing clients may not be able to connect to each other.

# Going further

By default, the discovery daemon generates a self-signed certificate; you could use a Let's Encrypt certificate if you prefer.

There are some other options, like a Prometheus export for getting metrics or changing the listening port. You will find all the extra options in the documentation / man page.