private relay to reduce need to open firewall ports

I am looking into setting up syncthing on the laptops of several tens of users, with a syncthing instance running for each user, in a docker container, on a server with a fixed IP address.

The configuration will be in such a way that access to the gui is not needed, and I would just let syncthing grab a port that is free (which is not exposed beyond the container)

As I understand it, the connection port is chosen in the same way (the first instance taking 22000 and then probably using some scanning mechanism).

Instead of opening a range of ports for the connections, I thought about setting up a private relay server (–pool=“”) on the container as well, open only that port on the server firewall and forward that to the container. And provide the relay server information explicitly to both all instances of syncthing running in the container and to the individual syncthing installations on the laptops.

Has this been done before (if so where can I find some information)?

I expect this to have some, but a lot of performance impact, given that the syncthing instances and the relay run in the same container. Is that wishful thinking?

I’m not sure why a relay would help if you are running syncthing on the same machine?

The point of a relay is to aid when two syncthing instances cannot connect. If you run synching on the same machine, you should just get them to connect directly.

1 Like

So you are saying is that all instances will be using port 22000 even though there are 70 or so instances of syncthing running on the server.

Yes, you can use a private relay as single point of connection for all the things. I don’t think there are any more details than setting it as listen address and device address on both sides.

I don’t understand why you need a relay if all of your instances are on the same machine.

I think in general your explanation of what you are trying to achieve, where things will be running, etc, thus far is a bit lacking to provide any concrete advice.

If Syncthing’s web GUI isn’t needed, then it sounds like you have enough control over the server that it might not be necessary to run dozens of Syncthing instances.

If you don’t mind…

  • Could you describe what the end goal is?
  • What level of access do the users have to the server?
  • Is Syncthing part of a backup system for the laptops?

The network port that Syncthing listen for new connections on, yes.

So if I understand correctly, you’re interested in setting up something like the following diagram?


“Syncthing 1” is peered to “Laptop 1”, Syncthing 2 → Laptop 2, etc.

  • Are the laptops on the same LAN as the server?
  • Will the laptops be connecting to the server over the internet?

I’ve seen other forum threads discussing components of your proposed setup, but nothing quite like it.

The performance hit is going to depend a lot on the amount of data being synced, the network bandwidth, plus your server configuration.

The OS on the server can be a significant factor. If it’s Windows/macOS, then the Docker container will be inside a Linux virtual machine, which in turn is running on a hypervisor in Windows/macOS, so two layers of abstraction are involved. And if it’s necessary to run a Linux VM, the type of CPU and amount of free RAM will also be important.

1 Like

@AudriusButkevicius I wrote that there are several tens of laptops, those are actually physical machines that the users carry around, not VMs on the server. So only half of the instances of syncthing are not on the “same machine” and the other half spread out over the world.

I would add if one of the existing machines will have access to all the folders then the relay server becomes unnecessary as that machine will receive and store all the data and can resend to the remote machines. (It basically becomes a delay. It just holds onto the data.)

@mraneri None of the existing machines has access to the folders. Each instance of syncthing will have its own configuration and its own base directory where a user’s synced folders are stored. The base directories do not intersect.


Could you describe what the end goal is?

To allow the users of laptops to have a copy of selected folders synced to the server. (Syncthing on the server will accept additional folders).

What level of access do the users have to the server?

They cannot login, but the server also runs (docker containers) for IMAP, radicale (CALDAV) and some webservices.

Is Syncthing part of a backup system for the laptops?

There is a separate backup system in place.

Are the laptops on the same LAN as the server?

The laptops are never going to be on the same LAN, the server is in a data center.

Will the laptops be connecting to the server over the internet?

Yes, always.

The OS on the server can be a significant factor....

The server is running Linux, I am aware that the Docker services have some overhead, but that was never a problem in the last 9 years. On the laptops the syncthing will run directly on macOS/Windows/Linux.

I made progress with the container, should be able to test it with 3 machines and accounts tomorrow, and then automate the addition extra users (and deactivate them once accounts get switched off), by copying+patching a sample config.xml.

Ah, so the server is send-only to the laptops?

But even if it’s send/receive on all endpoints, have you considered running a single instance of Syncthing on the server that’s peered to the 70 laptops?

So the server is safe from the users altering Syncthing’s settings. Sounds like a single instance might work.

I’m assuming that the Syncthing relay will either be visible on the internet, or perhaps over a VPN connection.

That’s great. Docker on Linux is comparatively lightweight, so unless the server is really tight on system resources, the overhead shouldn’t be very noticeable.

Docker on Windows and macOS is an entirely different animal. Docker has done a great job of masking the complexity, but there are a lot of moving parts involved compared to the simplicity of Docker on Linux.

My work setup isn’t exactly the same, but it shares some similarities. I’ve got a “pizza box” in a data center with a Linux hypervisor which hosts a Linux VM running a single instance of Syncthing for multiple users syncing from the same LAN and also across the internet.