So, new to Syncthing: I've done some reading of the documentation and wanted to be sure my understanding was correct.
First, Syncthing isn't exactly a "server" and "clients"; it's 2 or more peer hosts that, via Device ID, allow each other to sync folders and files between each other. However, this relies on being on the same LAN to see each other directly.
To overcome this, there are some global servers and relays that essentially allow for rendezvous and relay connections so that data/syncing can go between each of the hosts. The global servers (run by Syncthing) and relays (nice strangers on the Internet) are required so that, for example, my NAS at home and my phone when I'm elsewhere can talk to each other when they need to sync.
If I want to directly connect the hosts, I'll need to run my own relay (private or publicly listed), and point my non-home devices (e.g. phone, laptop, etc.) to the hostname I set up on my dyndns (with port forward rules), which points to where I've set up my relay.
Global listing and global relays can be turned off on the hosts, which means I’d need to be on the local network and/or private relay.
Due to the design of the system, I can't, for example, use an Nginx reverse proxy with Let's Encrypt auto-updating certificates?
Security is TLS, and I can configure keys/certificates, but there's no automatic Let's Encrypt auto-update of certs for a given domain/host. Not necessarily a problem: the Device ID (e.g. TLS/cert fingerprint) of the requesting host is compared to a list of allowed IDs. Since it's computed/sent by the private key, and can be verified by the public key, this provides assurances that it's the actual remote host you want to allow.
However… it's potentially possible to intercept these certificate exchanges, which would then allow impersonation of devices.
This certificate exchange is done once, whenever a new device is set up on the other hosts to allow access? So if I'm on my own local network, with the other devices, it should be secure because it's done once locally, and thereafter the public/private key generates the session keys/etc. as per TLS/SSL? This isn't made clear to me in Security Principles — Syncthing documentation.
Otherwise, I should just do SSH tunneling, or a VPN setup to my own network so it appears I'm local.
EDIT: Found this doc page, Understanding Device IDs — Syncthing documentation, which does a better job of explaining the key exchange/device ID to me. Basically the TLS public key (or cryptographic part) is hashed to generate the Device ID. As part of the TLS connection/setup/key exchange, each device on the other side confirms the Device ID via the public key, and the public key is validated as talking to the correct other end due to the correctness of the TLS exchange/validation protocol.
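The derivation the Understanding Device IDs page describes (SHA-256 of the certificate, base32, one check character per 13-character block, 8 dash-separated groups of 7), worked through as an added example; this is not code from the post or from Syncthing itself. The certificate bytes and the allow list are constructed samples, and `peer_is_allowed` is a hypothetical stand-in for the allow-list comparison a node does after the TLS handshake.

```python
import base64
import hashlib

# RFC 4648 base32 alphabet; the check characters are computed over it.
ALPHABET = "ABCDEFGHIJKLMNOPQRSTUVWXYZ234567"


def luhn32(chunk: str) -> str:
    """Luhn mod 32 check character in the variant Syncthing uses: the
    factor is 1 on the first character and then alternates 2, 1, 2, ..."""
    factor, total, n = 1, 0, len(ALPHABET)
    for ch in chunk:
        addend = factor * ALPHABET.index(ch)
        factor = 1 if factor == 2 else 2
        total += addend // n + addend % n
    return ALPHABET[(n - total % n) % n]


def format_device_id(raw52: str) -> str:
    """52 base32 chars -> 4 blocks of 13 + check char -> 8 groups of 7."""
    if len(raw52) != 52:
        raise ValueError("expected 52 base32 characters (SHA-256 output)")
    with_checks = "".join(
        raw52[i:i + 13] + luhn32(raw52[i:i + 13]) for i in range(0, 52, 13)
    )
    return "-".join(with_checks[i:i + 7] for i in range(0, 56, 7))


def device_id_from_cert(cert_der: bytes) -> str:
    """Hash the DER-encoded certificate; the hash is the identity."""
    digest = hashlib.sha256(cert_der).digest()          # 32 bytes
    raw = base64.b32encode(digest).decode().rstrip("=")  # 52 chars
    return format_device_id(raw)


def verify_device_id(device_id: str) -> bool:
    """Catch typos or corruption: each 14-char block must have a valid check char."""
    s = device_id.replace("-", "").replace(" ", "").upper()
    if len(s) != 56 or any(c not in ALPHABET for c in s):
        return False
    return all(luhn32(s[i:i + 13]) == s[i + 13] for i in range(0, 56, 14))


def peer_is_allowed(cert_der: bytes, allowed_ids: set) -> bool:
    """Hypothetical allow-list check: hash the certificate the peer actually
    presented in the handshake and look the resulting ID up."""
    return device_id_from_cert(cert_der) in allowed_ids


if __name__ == "__main__":
    FAKE_DER = b"constructed sample, not a real certificate"  # constructed
    my_id = device_id_from_cert(FAKE_DER)
    print(my_id, verify_device_id(my_id), peer_is_allowed(FAKE_DER, {my_id}))
```

Because the ID is a hash of the whole certificate, it pins the peer's key pair: a peer presenting a different certificate produces a different ID and fails the allow-list check, which is why the check characters only guard against mistyping, not against impersonation.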