I run WireGuard on all my machines, but I use it pretty much exclusively as a remote access tool, and not to protect traffic. Due to having miserably-slow American residential upload speeds as a bottleneck, it’s usually the slowest method of accessing any of my other machines if there’s another route available.
Syncthing thinks my WireGuard network is a LAN (fair enough, as it does use the 10.0.0.0/8 block), meaning that whenever the WireGuard network is up - which it always is - Syncthing always prefers to connect via that. When first started up, it does usually select real LAN connections over WireGuard ones, but since the WireGuard interface is the most reliable (if slowest) method of contacting remote machines, it inevitably switches away from temporary LAN connections as soon as they go down, and then never switches back if they return.
My workaround for now is to use the “allowed networks” advanced-settings option to restrict all connections to fe80::/16 (link-local IPv6 addresses), which - since my WireGuard network does not use link-local IPv6 addresses - effectively prevents Syncthing from using the WAN at all, making it only sync over my fast LANs. This situation is acceptable, but not ideal, since it means that my home and work machines are only synced when I bring my laptop back and forth between them and connect to the respective LANs.
What I really want to be able to do is simply prevent Syncthing from seeing or touching my WireGuard network, which I never intended to use with Syncthing anyway. I suppose I could try to run it in some kind of restricted container or jail, but that seems like a lot of extra sysadmin work on my end for something as simple as this. (If it came to that, I’d probably just keep using it in “LAN-only mode” like I currently do.)
My suggestions for ways to make this easier, in order of what I (naïvely) assume to be easiest to hardest:
- Add a complementary “disallowed networks” advanced option in addition to the “allowed networks” option that already exists, allowing certain IP address ranges to be blocked out from use by Syncthing while allowing all others.
- Add a complementary “never local nets” advanced option in addition to the existing “always local nets”, allowing the WireGuard address range to be treated the same as the WAN. This might actually be better for some users, since it allows the WireGuard network to still be used when no other route exists, but be correctly identified by Syncthing as a slower option. I would still prefer option 1, personally, but this would still be a large improvement.
- Add the ability to restrict the network interfaces Syncthing can access. Either an allow-list or a deny-list would work for my purposes, but both would be ideal. This would have the advantage of being useful to those who want Syncthing to only connect over their VPN, although “allowed networks” already does well for this.
There may well be other things I haven’t thought of that would make more sense, but the above (especially option 1) seem most logical to me.
I am also willing to consider other workarounds, but I’d like to preemptively head off any suggestions to change how I use WireGuard, pay for faster internet, buy a bigger server, etc., since I don’t think these are reasonable things to have to do in this situation.
I appreciate any developer attention this gets. Syncthing is already working great for me, but finding a solution to this would make it substantially better.