Limit GUI access to LAN - possible?

Is there a way to limit syncthing GUI access to the LAN only?

The documentation just offers 127.0.0.1:8384 which limits access to the machine on which syncthing is running (not a lot of use on a headless system) and ‘0.0.0.0:8384’ which allows access from anywhere.

Surely ‘LAN only access’ would be a useful option.

Which LAN exposes every device to the internet? If you set it to 0.0.0.0:8384 and don’t add a port forward on your router, it will be “LAN only”.

Yes, I realise that, and in most cases it will be true with my LAN behind a NAT router.

So, given that, why am I getting the message:-

Danger! The Syncthing admin interface is configured to allow remote access without a password. This can easily give hackers access to read and change any files on your computer. Please set a GUI Authentication User and Password in the Settings dialog.

This is on a system on a small LAN (very small, a laptop when I’m there, a VOIP phone and a BeagleBone Black which is running Syncthing) they connect via a TP-Link router running in ‘WISP’ mode to a semi-public WiFi. Thus it’s rather different from the normal sort of home set-up and it would certainly be nice to limit access to the LAN, just to be sure.

We have no idea what LAN means once you are listening on 0.0.0.0, as for all that we know you might have an internet routable address, in which case you should set up auth.

OK, so is it possible to specify an IP which is allowed?

I.e. can I put 192.168.0.104 as the address in the address field so that only that computer on the LAN can connect to the GUI? As I said I have several headless systems so ‘localhost’ is pretty pointless on them.

Ideally I’d like to be able to have two addresses as there are actually two systems on the LAN which have a GUI (a desktop and a laptop).

No, sorry.

The firewall on your host would be a great tool to achieve this.

“The firewall on your host”? By that do you mean the firewall on the system running Syncthing whose GUI I want to access? If this is what you mean then it’s “the firewall on several hosts” as (see above) I have quite a few headless systems running syncthing.

Also, I would still get the warning message from Syncthing wouldn’t I?

Yes, you would need to configure each host’s firewall. Yes, you would still get the reminder to set a password for GUI access.

Couldn’t you set a user/pass, and then store those in the browser’s password manager?

“Couldn’t you set a user/pass, and then store those in the browser’s password manager?”

The ultimate security no-no! :) I never, ever store anything in my browser’s password (or anything else) manager.

It’s OK[ish] now that I’ve realised it’s an ‘advanced’ setting to say that no password on the GUI is acceptable.

However it would still be nice if one could be more selective.

That’s true for IPv4 but is not necessarily the case for IPv6.

I’m not really sure how having no password is more secure than a password stored in a password manager…

I have my server set up with a static IP, then I set the GUI listen address to the server’s address. So it’s something like 192.168.1.50:8384 for the listen address. Set up this way, Syncthing refuses connections on anything else, even localhost:8384 and 127.0.0.1:8384. If I need to hit the GUI and I happen to be local, I can just edit the config file to change the listen address and restart the service. This does effectively what you are asking for, I think…

Is that a headless server or is it the system from which you usually view the GUI?

I’m getting a little confused now as to what “listen address” actually means. Does the syncthing server look for connections to that address, or does it look for connections from that address?

… but going back to your original idea, yes, obviously I could change the address to the specific one required for the GUI I’m using but that’s hardly particularly handy!

To. The above does nothing to prevent access from other computers on the LAN.

Which ‘above’?

I’m getting steadily more and more confused about what the ‘listen address’ actually does. If (for example) syncthing is running on a system with IP address 192.168.1.106 and the syncthing GUI listen address is set to 192.168.1.106 then where can one connect from? Is connection only allowed from 192.168.1.106?

I was referring to @TPSMono’s post above.

A listen address is an address that is listened on. If you say 192.168.1.106:8384 then you must connect to https://192.168.1.106:8384. If you say 0.0.0.0:8384, then any address on the computer will do (so 192.168.1.106, 127.0.0.1, etc).

Where you come from is totally immaterial, except in the default 127.0.0.1:8384 case where you must be able to reach 127.0.0.1 and that can only happen from the same computer.

I think this was quite well answered already, really:

Yes, except that ‘… on your host…’ is a bit vague! :) Is this the host I’m connecting from or the host I’m connecting to?

(Yes, I think I know now, but it wasn’t obvious at the time)

So, using localhost or 127.0.0.1 limits connections to the host on which syncthing is running, i.e. it’s no use at all for headless systems running syncthing. Setting the listen address to a LAN address will mean any system on the LAN can connect (including a NAT router if it’s set up to allow connections to port 8384).

I don’t think there’s any real ambiguity about on which host a host based firewall needs to be enabled. Expecting the attacker to thwart the attack by configuring a firewall on their own computer seems counterproductive after all.

Yes, yes, I know. :)

But in my original post I did mention that my question was about several headless systems so that does rather make things a bit more vague, thus I was obviously (I hope) asking about accessing a headless system from another system. Adding a firewall to a small (e.g. Raspberry Pi or Beaglebone Black) system isn’t the sort of thing one often does.
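
The difference the thread keeps circling, between the address a service listens on (a destination) and the address a client connects from (a source), shown as an added example that is not part of any post above nor Syncthing's own code. The source allowlist stands in for the per-host firewall suggested in the thread; `probe`, `source_allowed` and the second client address 192.168.0.105 are hypothetical names and values chosen for illustration.

```python
import ipaddress
import socket

# Constructed sample allowlist: 192.168.0.104 is the address quoted in the
# thread; 192.168.0.105 is a hypothetical second GUI machine.
GUI_CLIENTS = [ipaddress.ip_network("192.168.0.104/32"),
               ipaddress.ip_network("192.168.0.105/32")]


def source_allowed(peer_ip, allowed):
    """True if the connecting (source) address falls inside an allowed network."""
    addr = ipaddress.ip_address(peer_ip)
    # Dual-stack listeners report IPv4 peers as ::ffff:a.b.c.d; unwrap them.
    if addr.version == 6 and addr.ipv4_mapped is not None:
        addr = addr.ipv4_mapped
    return any(addr in net for net in allowed)


def probe(listen_host, connect_host, allowed):
    """Listen on listen_host, connect to connect_host, return (reached, admitted).

    reached  - decided by the listen address: was that destination listened on?
    admitted - decided by the source filter: is the peer's address allowed?
    """
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as srv, \
         socket.socket(socket.AF_INET, socket.SOCK_STREAM) as cli:
        srv.bind((listen_host, 0))          # port 0: kernel picks a free port
        srv.listen(1)
        srv.settimeout(2)
        cli.settimeout(2)
        port = srv.getsockname()[1]
        try:
            cli.connect((connect_host, port))
        except OSError:                     # refused or timed out: not listened on
            return (False, False)
        conn, peer = srv.accept()
        with conn:
            return (True, source_allowed(peer[0], allowed))


if __name__ == "__main__":
    loopback = [ipaddress.ip_network("127.0.0.0/8")]
    print(probe("0.0.0.0", "127.0.0.1", loopback))       # wildcard listen address
    print(probe("127.0.0.1", "127.0.0.1", GUI_CLIENTS))  # reached, source not allowed
    print(probe("127.0.0.1", "127.0.0.2", loopback))     # destination not listened on
```

Only the second value in each result depends on who is connecting; the listen address alone never restricts the source, which is why the thread points to a firewall (or GUI authentication) for that.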