Configuration to restrict syncing only when on same network

Hello experts,

I am finding some inconsistent behaviour when configuring SyncTrayzor “Global Discovery” and “Enable Relaying” and need a little guidance.

What I am trying to accomplish is to restrict syncing to occur ONLY when connected to the same local network, which is my home network. Let me explain:

I have a Windows 10 Pro desktop and a Windows 10 Home laptop. The desktop is on my local network and never physically moves elsewhere, but the laptop moves with me and connects to various networks. When I’m home and connect the laptop to my local network I want syncing to occur.

I have emulated this with two Windows 10 Pro virtual machines. In Actions → Settings → Connections I unchecked (disabled) both “Global Discovery” and “Enable Relaying” and syncing works without problems (thanks to recommendation from martinleben in response to my initial post).

When I configure the physical desktop and laptop systems in the same manner the connection between the two systems is not made when both are on the same network.

With a bit of peck-and-poke experimenting I found that if the desktop is configured to enable both “Global Discovery” and “Enable Relaying” and the laptop is configured to disable only “Enable Relaying” the connection between the two systems, when on the same network, is made. In all other respects SyncTrayzor is configured identically on both systems.

I am rather new to this so I am hoping that someone out there has some comments and/or recommendations.

Thanks very much.

You can disable everything and just put local DNS names or static IPs into the device addresses.

Thanks for the reply uok.

I can’t use a static IP on the laptop because it moves around to multiple networks so must rely on dynamic addressing via DHCP.

You should be able to get the router to do MAC based ip assignment, so the ip stays the same on the same network.

Once that is the case, you can just configure the device to be connected to via that specific address, as opposed to dynamic, which involves discovery.

Thanks AudriusButkevicius.

Why didn’t I think of setting the router to reserve/map ip addresses to specific MAC addresses? Temporarily asleep at the wheel I suppose :neutral_face:

In truth the physical setup of desktop/laptop is not in my home but that of another, so we’ll try that and report back here, hopefully with success.

Thanks again.

Dear experts,

I have installed Syncthing on two Macs to emulate the Windows systems.

One is a stationary iMac (always at home) and the other is a MacBook (could be on any network outside of home). Both use DHCP but, as advised above, each has a DHCP reservation to assure a static IP on my home network (for this example the iMac is 10.10.0.12 and the MacBook is 10.10.0.13).

I would like to confirm I have configured each correctly so that when the MacBook is away from home it is not announcing it is running Syncthing and neither is trying to find each other over the internet. Some might consider me to be overly cautious, or even paranoid. But I just don’t want to risk my data being exposed outside my home network.

In Settings → Connections I have set the “Sync Protocol Listen Address” to “tcp4://10.10.0.12:22000” on the iMac and “tcp4://10.10.0.13:22000” on the MacBook, and on both have unchecked “Global Discovery” and “Enable Relaying”. A screenshot of this on the iMac is below.

On my home network the shared folders sync just fine. But have I accomplished the security I am after?

Any comments/recommendations would be appreciated.

You can probably also disable NAT traversal, as you’re probably not interested in dynamic port forwardings or NAT hole punching.

I should also note that while there is nothing wrong with being cautious, Syncthing’s connections are always encrypted and authenticated, so there is no real risk in running with default settings. Also, given the average crappy home router I usually wouldn’t consider the usual home network significantly more secure than the wide open internet :smiley:. But as long as your local connections work, these settings are fine.

Thanks for that, Nummer378. I learned you only need to be paranoid when someone is after you :grinning: I unchecked “Enable NAT Traversal” and all is well.

I notice that under “This Device” the “Listeners” line has “0/1” in red text and when I select that to get the detailed status I see the details (from the iMac) below but don’t know how to interpret this.

[Screenshot: syncthing-listener-fail]

I also notice that under Actions → Advanced → Devices I see each device and the “Address” line for each is “dynamic”. Should I be specifying the IPv4 address of each device here?

Any comments would be appreciated.

This error means that the configured address wasn’t available, e.g. the host computer doesn’t consider this IP address to belong to itself.

You blurred the IPs, but based on your information above I presume the address is 10.10.0.12? (These are private IP addresses and not routable, thus not really sensitive.)

I would check if the local IPv4 used by the computer (usually assigned via DHCP) really is 10.10.0.12, or if some address mismatch happened somewhere (maybe a typo somewhere, addresses set to static instead of DHCP…).

If this isn’t the case, syncthing may have attempted to start when the address wasn’t yet assigned, e.g. before network connections were up. I don’t recall if syncthing retries automatically if this is the case. If the error goes away by itself, it was probably that.

This is expected and default behaviour. The actual addresses are discovered via the “Local Discovery” option [or Global Discovery, if it were enabled], which works by sending multicast/broadcast packets into the LAN to discover other syncthing nodes and their addresses in the same LAN. If your addresses are 100% static and will never change (or you are prepared to manually keep your configuration up to date), you can manually set the addresses of the other devices. This would make Local Discovery superfluous too.

This has nothing to do with the above error however.

In terms of security, I don’t see security changing much by turning most of these things off. These settings are adjustable mostly because it doesn’t harm having these things adjustable and it may help in certain special network setups, for example if defaults don’t work for some reason. They are not magic “turn this knob for better security” buttons. For privacy, I can understand users wanting to run without Global Discovery and relays. I don’t see significant benefit with manually configured addresses.

Is there an emoji for slapping yourself on the forehead for making a stupid mistake?

Yes, you’re absolutely right on all counts…I blurred the addresses in a fit of caution but for the example 10.10.0.12 is correct… I am on a completely different private/unroutable network, and YES, for goodness sake, I made a typo in the IP address. With that silly typo corrected “Listeners” is green and “1/1”.

On the last item, I specified the IP addresses and unchecked “Local Discovery” and VOILA! syncing continues.

This is great!

You are probably right about the lack of security in home routers, especially those provided by ISPs, and perhaps I’ve gone a bit overboard, but these configuration edits give me a measure of additional comfort.

Do I understand correctly that when you say “syncthing’s connections are always encrypted and authenticated” that the stream of the actual transfer of data itself is encrypted?

Thanks so much for your responsiveness, guidance and expertise.


This is really important: The user needs to feel comfortable & safe using the system, so if these settings make you feel better, then yes - use them. I just wanted to note that the technical benefit is not that big, but if it feels better to you, it’s a good thing.

The protocol used is called TLS (Transport Layer Security). It’s an internet standard with long history. It is the same protocol used to secure HTTPS, E-Mail and literally over a hundred other protocols. The library implementing the protocol (the Go standard library) is well tested, audited and maintained by security professionals.

TLS provides authenticity, integrity and confidentiality. It encrypts the entire transport stream (transport stream referring to OSI layer 7). For syncthing this means that every message transmitted by syncthing is encrypted - be it management data, metadata or the actual files. This encryption is always End-to-End, so messages are encrypted before they are transferred over any network - and decrypted at the recipient, that is the syncthing application itself.

Syncthing also provides optional encryption at rest, meaning the files currently stored on the device can be encrypted to be inaccessible to the device storing the data itself - though that is an entirely different topic (and use case!) and the feature is currently in a sort-of beta. (Just noting this for completeness, it’s really completely unrelated to transport encryption).

Hey - thanks again.

I may have spoken too soon. Devices are not syncing right now.

The “Remote Devices” are reporting “Disconnected” and the “Address” line has the correct IP address of the remote device BUT read in red “unknown address scheme “” (18:24:21)”.

In the Address line under Advanced for each device I just put the IPv4 address. Is there a syntax I should have used?

Wait - I got it, I think.

Edit “Remote Devices” and in “Advanced” edit addresses to use “tcp://ip” (in my case). It appears to have added the default port (22000) itself, meaning I didn’t say “tcp://ip:port”.


I believe you use the same syntax you used when configuring the “Sync protocol listen addresses” (URL with tcp4, quic6 (or whatever - syncthing supports a few) as the transport protocol, then address and port)
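
The settings worked out across this thread can be checked in one pass against Syncthing's `config.xml`. The script below is an added example, not code from any poster or from the Syncthing project: it flags Global Discovery, relaying or NAT traversal left enabled, addresses missing the `tcp://` style scheme, and `dynamic` device addresses that can never resolve once all discovery is off. The sample config is constructed, the device ID is a placeholder, and limiting accepted schemes to the tcp/quic families is this example's assumption for a LAN-only setup.

```python
import xml.etree.ElementTree as ET

# Constructed config.xml fragment; the device ID is a placeholder.
SAMPLE = """<configuration>
  <device id="DEVICE-ID-PLACEHOLDER" name="MacBook">
    <address>10.10.0.13</address>
  </device>
  <options>
    <listenAddress>tcp4://10.10.0.12:22000</listenAddress>
    <globalAnnounceEnabled>false</globalAnnounceEnabled>
    <localAnnounceEnabled>false</localAnnounceEnabled>
    <relaysEnabled>true</relaysEnabled>
    <natEnabled>false</natEnabled>
  </options>
</configuration>"""

# Assumption of this example: only direct transports are wanted on the LAN.
LAN_SCHEMES = {"tcp", "tcp4", "tcp6", "quic", "quic4", "quic6"}

def address_problem(value):
    """Return a description of what is wrong with an address, or None."""
    scheme, sep, host = value.partition("://")
    if not sep:
        return 'no scheme (Syncthing reports: unknown address scheme "")'
    if scheme not in LAN_SCHEMES:
        return f"scheme {scheme!r} is not a direct LAN transport"
    return None if host else "missing host"

def audit(xml_text):
    """List settings that conflict with the LAN-only setup from the thread."""
    root = ET.fromstring(xml_text)
    opts = root.find("options")
    # A missing element counts as enabled, matching Syncthing's defaults.
    enabled = lambda name: opts.findtext(name, "true").strip().lower() == "true"
    findings = [f"options/{n} is enabled"
                for n in ("globalAnnounceEnabled", "relaysEnabled", "natEnabled")
                if enabled(n)]
    discovery = enabled("globalAnnounceEnabled") or enabled("localAnnounceEnabled")
    targets = [("listenAddress", e.text) for e in opts.findall("listenAddress")]
    targets += [(f"device {d.get('name')}", a.text)
                for d in root.findall("device") for a in d.findall("address")]
    for where, text in targets:
        value = (text or "").strip()
        if value == "dynamic":
            if not discovery:
                findings.append(f"{where}: 'dynamic' but all discovery is off")
        elif (problem := address_problem(value)):
            findings.append(f"{where}: {value!r}: {problem}")
    return findings
```

Calling `audit(SAMPLE)` reports the relay setting and the bare IP address; point it at the text of a real `config.xml` to check an actual installation.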

I deleted my post with details about the API not running as I believe the issue warranted its own topic, which may be found here:

API offline but Syncthing “Running (Offline)”

Thanks.