How to limit connections to relay?

Is there a way to make a relay server only allow relaying on certain clients? I see how to prevent its announcing itself as a public relay, but I see no way to prevent someone from using it as a relay once they know it’s there.

There is a feature request for private relays but I think it was opened before I started using ST.

Edit: I thought it was older than that but this is the first one I found…

Thank you for the reply. I have been using a central ST node on a virtual hosted server that runs my email. It’s the central node in a star configuration, since it has real internet visibility. But now I have folders I want to share between outer nodes that exceed the central node’s hosted space. From what I have read from others looking for private relay capability, this seems to be a common thread.

TBH, I would consider the lack of relay authentication to be an omission nowadays that is at the level of a bug, considering the security concerns of open relays in virtually every other internet service. I wonder, if enough relay servers were known, what the DDoS potential would be for them.

Thinking about this feature, I think it would be better to have relaying rolled right into ST than to have authentication bolted on to the existing relay server. I suspect it would be far easier anyway: adding relaying as a function of the program, which already has all the UI you need for adding and maintaining node authentication, would likely be easier than jury-rigging authentication into the relay server. To that end, I would be willing to toss a few hundred dollars at the bounty to see relaying added right into ST. Anyone else willing to toss some cash this way?

I don’t think this makes sense. The relay server is a completely different application; it’s used by Syncthing and inherits some concepts, but in theory it can be used for any sort of traffic.

I can’t see why anyone would want this in general.

Relay servers only accept connections from others; they do not send packets outward on the instructions of clients. They should have no more DDoS potential than, for example, a regular HTTP server does.

Imagine this. You have 5 nodes, one with real internet visibility. The four other nodes connect to it in the normal way, and they all use the existing authentication method. On the central node you check “allow relaying” in its config. Now suddenly every remote node can see every other remote node like old StarLans. On one of those remote nodes you click “add remote device” and automatically populated in the dialog are all the other devices connected to the central relaying node. You click on one of those, the authentication for those two nodes occurs like normal, and when done they can talk to each other as if it were direct.

Relaying now becomes seamless and integrated into the actual client. You don’t need a separate server. You don’t need to add authentication to the relay server, because the authentication and the UI that is built into ST does that for you. I think this is a great system to shoot for.

Thank you, calmh, for the education on relay servers. I’m still not 100% confident that there is no DDoS potential if using intentionally malformed connection packets, but I am glad the relay server only accepts connections. That being said, even if there is no DDoS potential, there is still abuse potential, and the more popular Syncthing becomes the more potential there will be. I think this makes the current model of no relay authentication unsustainable in the long term. As traffic through public relay servers increases, fewer people will want to run them. As public relay servers drop off or become congested with traffic, the private ones with less traffic through them become shinier.

BTW, as an added benefit to putting relay capability into the client, it might prompt more people to allow public relaying, especially if you put in rate limits for non-authenticated clients. I would be inclined to donate a certain amount of relay capability, especially if I could set it up so that my authenticated clients don’t have limits but only, say, 4 public connections are allowed, with traffic restrictions.
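The admission policy sketched in this post (authenticated clients unlimited, a handful of rate-limited public connections), as an added Go example that is neither Syncthing's relay code nor the poster's: device IDs and limits are constructed placeholders, and the gate is a single-goroutine toy with no locking.

```go
package main

import "fmt"

// RelayGate is a constructed admission policy for the scheme proposed above
// (illustrative, not Syncthing's relay code): authenticated devices relay
// without limits, unauthenticated "public" sessions are capped in number and
// each gets a traffic budget. Single-goroutine toy: no locking.
type RelayGate struct {
	trusted     map[string]bool // device IDs the operator has authenticated
	publicSlots int             // max simultaneous unauthenticated sessions
	publicRate  int             // bytes/s budget per unauthenticated session
	publicOpen  int             // unauthenticated sessions currently open
}

// Session records what a connecting device was granted; RateLimit 0 = unlimited.
type Session struct {
	DeviceID  string
	Trusted   bool
	RateLimit int
}

func NewRelayGate(trusted []string, publicSlots, publicRate int) *RelayGate {
	g := &RelayGate{trusted: map[string]bool{}, publicSlots: publicSlots, publicRate: publicRate}
	for _, id := range trusted {
		g.trusted[id] = true
	}
	return g
}

// Admit decides whether a device gets a relay session and which limits apply.
func (g *RelayGate) Admit(deviceID string) (*Session, error) {
	if g.trusted[deviceID] { // authenticated: no cap, no rate limit
		return &Session{DeviceID: deviceID, Trusted: true}, nil
	}
	if g.publicOpen >= g.publicSlots { // refuse rather than squeeze trusted traffic
		return nil, fmt.Errorf("relay: public slots exhausted (%d/%d)", g.publicOpen, g.publicSlots)
	}
	g.publicOpen++
	return &Session{DeviceID: deviceID, RateLimit: g.publicRate}, nil
}

// Release frees a public slot when an unauthenticated session ends.
func (g *RelayGate) Release(s *Session) {
	if s != nil && !s.Trusted && g.publicOpen > 0 {
		g.publicOpen--
	}
}
```

Trusted devices are admitted even when all public slots are taken, so an unauthenticated crowd cannot starve the operator's own nodes.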
