Limit Syncthing to only use local network: Review and suggestions appreciated

Hello syncthing experts,

Until now I have read several threads and documentation paragraphs to adapt my settings, so that Syncthing will only use the local network to synchronize and furthermore will not be visible in any form to the internet. (=> use it completely isolated in my LAN)

I’m aware that syncthing is encrypted and the average user has no need to do that, but I want to keep my data only within my local network as this makes me sleep better at night :slight_smile:

In the following I will describe the settings I have made. I would be very happy about suggestions, additions and improvements :smiley:

  1. Actions → Settings → Connections: I have unchecked Enable NAT traversal, Global Discovery and Enable Relaying.
  2. Edit all devices to use static IPv4 addresses: Remote Devices → <device name> → edit → Advanced → Addresses: tcp://192.168.178.xx:22000, for example:
  3. Actions → Advanced → Devices: Limit the allowed networks. Do this for all devices and also under Defaults → Default Device to affect new devices:
  4. Set “Sync Protocol Listen Addresses” to each device's own IP address under Actions → Settings → Connections, e.g. tcp://192.168.178.xx:22000. (EDIT: I have started a more detailed thread with a question related to this configuration entry: Further Information about Listen Addresses tcp4://0.0.0.0:22000)
  5. Actions → Advanced → Options → uncheck announceLANAddresses
  6. Actions → Advanced → Options → uncheck Crash Reporting Enabled

If I have missed any configuration or if there are other things I need to take care of, please let me know.

This configuration is inspired by this thread created by @solo. I would also be very pleased about hints from @Nummer378 and @AudriusButkevicius.

1 Like

Number four has no desired effect for you, and it has an undesired effect in that everything will stop working if the address changes. I would leave it out. Otherwise it sounds good. You might want to make sure usage reporting is disabled (urAccepted = -1) and upgrade checks are disabled (autoUpgradeIntervalH = -1 and set releasesURL = http://example.com or something to be sure, or build yourself with --no-upgrade or use the Debian packages which are built like this).

Maybe write this up as an article for the documentation site as well, it would be good with a single documentation resource listing the required steps for the paranoid (I use the term with love). Perhaps somewhere in the vicinity of Configuration Tuning — Syncthing documentation

1 Like

With static addresses configured for all devices, local discovery has no effect so you can turn off that as well.

With global discovery disabled, changing this option has no effect.

2 Likes

Thank you very much. Yes, I will put this on my ToDo list :slight_smile: More likely in the further future.
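An added example, not part of any post in this thread: a small audit that reads a Syncthing `config.xml` and reports every setting that deviates from the LAN-only checklist discussed above. It assumes the `config.xml` element names that correspond to the GUI options (`natEnabled`, `globalAnnounceEnabled`, `relaysEnabled`, and so on), and the sample config with its device IDs and addresses is constructed for illustration.

```python
import ipaddress
import xml.etree.ElementTree as ET
# Constructed sample config.xml fragment (not from the thread); IDs are placeholders.
SAMPLE = """<configuration>
  <device id="DEVICE-ID-A" name="laptop">
    <address>tcp://192.168.178.20:22000</address>
    <allowedNetwork>192.168.178.0/24</allowedNetwork>
  </device>
  <device id="DEVICE-ID-B" name="phone">
    <address>dynamic</address>
  </device>
  <options>
    <globalAnnounceEnabled>false</globalAnnounceEnabled>
    <relaysEnabled>true</relaysEnabled>
    <natEnabled>false</natEnabled>
    <urAccepted>-1</urAccepted>
    <autoUpgradeIntervalH>12</autoUpgradeIntervalH>
    <crashReportingEnabled>false</crashReportingEnabled>
  </options>
</configuration>"""

# Option element -> predicate its value must satisfy for the LAN-only setup.
OPTION_RULES = {
    "globalAnnounceEnabled": lambda v: v == "false",
    "relaysEnabled": lambda v: v == "false",
    "natEnabled": lambda v: v == "false",
    "crashReportingEnabled": lambda v: v == "false",
    "urAccepted": lambda v: v == "-1",               # usage reporting declined
    "autoUpgradeIntervalH": lambda v: int(v) <= 0,   # thread suggests -1
}

def audit(xml_text):
    """Return a list of findings; an empty list means all checks passed."""
    root = ET.fromstring(xml_text)
    findings = []
    for name, ok in OPTION_RULES.items():
        value = root.findtext(f"options/{name}")
        if value is None or not ok(value.strip()):
            findings.append(f"options/{name}={value}")
    for dev in root.findall("device"):
        addrs = [a.text.strip() for a in dev.findall("address") if a.text]
        if not addrs or "dynamic" in addrs:
            findings.append(f"{dev.get('name')}: address is dynamic")
        nets = [n.text.strip() for n in dev.findall("allowedNetwork") if n.text]
        if not nets or not all(ipaddress.ip_network(n, strict=False).is_private for n in nets):
            findings.append(f"{dev.get('name')}: allowedNetwork missing or not private")
    return findings

if __name__ == "__main__":
    print("\n".join(audit(SAMPLE)) or "LAN-only checks passed")
```

To check a real installation, pass the contents of its `config.xml` to `audit()` instead of `SAMPLE`.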
