Title: Run your own Syncthing discovery server on OpenBSD
Author: Solène
Date: 18 October 2023
Tags: syncthing openbsd privacy security networking
Description: In this article, you will learn how to configure a Syncthing discovery server on OpenBSD.
# Introduction

In a previous article, I covered the software Syncthing and mentioned a specific feature named "discovery server".

A discovery server lets Syncthing clients find each other's current addresses, including when they sit behind NAT, so that they can attempt a direct connection. It is NOT a relay server (a different service), which proxies traffic between clients that cannot connect directly.

Reasons to run your own discovery server(s) are security, privacy and performance:

* security: with the global servers, the software that synchronizes your data talks to infrastructure you do not control; if a remotely exploitable flaw were found in the discovery protocol, running your own server limits your exposure
* privacy: the global servers learn a lot about your setup if you sync over the Internet: when your devices are active, their IP addresses, how many remote devices each one has, the device IDs of everyone involved, etc.
* performance, my specific use case: I have two Qubes OS computers, each running multiple Syncthing instances; they cannot see each other because they are on separate networks, and I don't want local synchronization to go through my slow ADSL line

Let's see how to install your own Syncthing discovery daemon on OpenBSD.

Syncthing discovery daemon documentation

Related blog posts:
* Presenting Syncthing features
* Blog post about the complementary Relay server
# Setup

On OpenBSD, the binary we need is provided by the syncthing package.

```shell
# pkg_add syncthing
```

The discovery service is provided by the binary `stdiscosrv` (the relay service is a different binary, not covered here). You need to create a service file to enable it at boot; the syncthing rc file can serve as a template for the new one. On OpenBSD-current and from OpenBSD 7.5 onward, the rc file is installed with the package.

```shell
# sed '/^daemon=/ s/syncthing/stdiscosrv/ ; /flags/ s/".*"/""/' /etc/rc.d/synct…
# chmod a+x /etc/rc.d/syncthing_discovery
```

This creates a service named `syncthing_discovery`; it is time to enable it.

```shell
# rcctl enable syncthing_discovery
```

Start the service in debug mode so that the daemon's output is displayed in the terminal.

```shell
# rcctl -d start syncthing_discovery
```

Look for the line "Server device ID is XXXXXXX-XXXXXXX-..." in the output and keep the ID (the dash-separated part), because we will need it in the client configuration. The ID is derived from the TLS certificate the daemon uses, so it stays the same across restarts as long as that certificate is kept.

Make sure your firewall lets incoming connections reach TCP port 8443, the port the discovery daemon listens on by default.
# Client configuration

On the client Web GUI, click on "Actions" then "Settings" to open the settings panel.

In the "Connections" tab, change the value of "Global Discovery Servers" from "Default" to `https://IP:8443/?id=ID`, where IP is the address where the discovery daemon is running and ID is the value retrieved from the daemon output in the previous step. The `id` parameter is what the client uses to verify the server's self-signed certificate, so don't leave it out.

Depending on your use case, you may want the global discovery servers in addition to yours; multiple servers are supported as a comma-separated list, in which case you would use the value `default,https://IP:8443/?id=ID`.
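To make the two steps above concrete, here is an added shell example, not code from the original post nor from the Syncthing project, that pulls the device ID out of the daemon's startup output, checks that it has the shape of a Syncthing device ID (8 dash-separated groups of 7 base32 characters, A-Z and 2-7), and assembles the "Global Discovery Servers" value, with and without the public servers. The daemon output, the device ID and the address 192.0.2.10 are constructed for the example, and the helper names are my own.

```shell
#!/bin/sh
# Added example (not from the original post): turn the ID that
# stdiscosrv prints at startup into the value for the client's
# "Global Discovery Servers" field. Helper names and sample data
# are assumptions made for this example.

# Constructed sample of what the daemon prints when started with
# `rcctl -d start syncthing_discovery`; the device ID is fictitious.
SAMPLE_OUTPUT='stdiscosrv starting
Server device ID is P56IOI7-MZJNU2Y-IQGDREY-DM2MGTI-MGL3BXN-PQ6W5BM-TBBZ4TJ-XZWICQ2
Listening on 0.0.0.0:8443'

# Print the first device ID found in the daemon output read on stdin.
extract_discovery_id() {
    sed -n 's/.*Server device ID is \([A-Z2-7-]*\).*/\1/p' | head -n 1
}

# Syncthing device IDs are 56 base32 characters (A-Z, 2-7) displayed
# as 8 dash-separated groups of 7. Reject anything else before using
# it, so a botched copy/paste is caught here rather than at sync time.
valid_device_id() {
    printf '%s\n' "$1" | grep -Eq '^([A-Z2-7]{7}-){7}[A-Z2-7]{7}$'
}

# Build the "Global Discovery Servers" value.
#   $1 = server address (an IPv6 literal goes in brackets: [2001:db8::1])
#   $2 = the server's device ID
#   $3 = "yes" to keep the public servers as well as your own
discovery_url() {
    url="https://$1:8443/?id=$2"
    if [ "${3:-no}" = "yes" ]; then
        printf 'default,%s\n' "$url"
    else
        printf '%s\n' "$url"
    fi
}

# Demo on the constructed output.
id=$(printf '%s\n' "$SAMPLE_OUTPUT" | extract_discovery_id)
if valid_device_id "$id"; then
    printf 'own server only : %s\n' "$(discovery_url 192.0.2.10 "$id")"
    printf 'plus public ones: %s\n' "$(discovery_url 192.0.2.10 "$id" yes)"
else
    echo "no valid device ID found in daemon output" >&2
    exit 1
fi
```

The shape check only catches copy/paste damage: real device IDs also carry check characters, which this script does not verify, so the final validation still happens when the client connects. On the server side, pf has to admit the port; a pf.conf line such as `pass in on egress proto tcp to port 8443` does that for a daemon listening on the default port.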
# Conclusion

If you replace the default discovery servers with your own, make sure all the peers can reach it, otherwise your Syncthing clients may not be able to find each other.

# Going further

By default, the discovery daemon generates a self-signed certificate, and the device ID the clients pin with `?id=` is derived from it: regenerate the certificate and the ID changes, so every client has to be updated. You can use a Let's Encrypt certificate instead if you prefer; with a certificate signed by a trusted CA, clients validate the server like any HTTPS endpoint and the `?id=` parameter can be omitted.

There are other options, such as a Prometheus metrics export or changing the listening port; you will find all of them in the documentation and the man page.