I’m running Syncthing 1.28.0 on NixOS with WireGuard VPN. My setup requires Syncthing to only communicate over specific WireGuard interfaces. I have multiple peers configured with static IP addresses on different WireGuard networks (10.x.0.x ranges).
The issue:
- At system boot, Syncthing starts before WireGuard connections are fully established
- Initial connection attempts fail with TLS handshake timeouts
- Despite having reconnectionIntervalS=60 configured, Syncthing never successfully establishes connections after these initial failures
- If I restart the Syncthing service after WireGuard is up, connections work perfectly
Logs show this pattern:
Jan 23 10:40:28 Lenovo2 syncthing[1410]: [KNWX3] 2025/01/23 10:40:28 INFO: Listen (BEP/tcp): TLS handshake: read tcp 10.12.0.11:22000->10.12.0.12:22000: i/o timeout
Jan 23 10:41:38 Lenovo2 syncthing[1410]: [KNWX3] 2025/01/23 10:41:38 INFO: Listen (BEP/tcp): TLS handshake: read tcp 10.12.0.11:22000->10.12.0.12:22000: i/o timeout
Jan 23 10:42:48 Lenovo2 syncthing[1410]: [KNWX3] 2025/01/23 10:42:48 INFO: Listen (BEP/tcp): TLS handshake: read tcp 10.12.0.11:22000->10.12.0.12:22000: i/o timeout
I’ve tried:
- Using reconnectionIntervalS=60 in config.xml
- Binding to 0.0.0.0 instead of specific interfaces
- Pausing and unpausing devices through the GUI
- Clearing errors through the REST API
None of these approaches resolve the issue. The only reliable fix is to restart the Syncthing service after WireGuard is fully connected.
Questions:
- Why doesn’t Syncthing retry connections properly after TLS handshake failures?
- Are there any TLS-specific settings that might help here?
- Is there a way to make Syncthing wait for successful peer connectivity before attempting TLS handshakes?
Any guidance would be appreciated.
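An added example, not part of the original post: a small Python parser for the journal lines quoted above that groups the TLS handshake timeouts per local/remote address pair and measures the gap between successive entries, so the log can be checked against the configured reconnectionIntervalS to see whether retries are in fact happening. The embedded log text is the three lines from the post; the regex is written for that exact message format and is an assumption for any other Syncthing log line.

```python
import re
from datetime import datetime

# Constructed sample: the three journal lines quoted in the post.
SAMPLE_LOG = """\
Jan 23 10:40:28 Lenovo2 syncthing[1410]: [KNWX3] 2025/01/23 10:40:28 INFO: Listen (BEP/tcp): TLS handshake: read tcp 10.12.0.11:22000->10.12.0.12:22000: i/o timeout
Jan 23 10:41:38 Lenovo2 syncthing[1410]: [KNWX3] 2025/01/23 10:41:38 INFO: Listen (BEP/tcp): TLS handshake: read tcp 10.12.0.11:22000->10.12.0.12:22000: i/o timeout
Jan 23 10:42:48 Lenovo2 syncthing[1410]: [KNWX3] 2025/01/23 10:42:48 INFO: Listen (BEP/tcp): TLS handshake: read tcp 10.12.0.11:22000->10.12.0.12:22000: i/o timeout
"""

# Matches the "Listen (...): TLS handshake: read tcp A->B: i/o timeout" message.
# On a listener, A is the local socket and B is the peer that connected to it,
# so the TCP connection was accepted and it is the handshake read that stalled.
LINE_RE = re.compile(
    r"(?P<ts>\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}) INFO: Listen \((?P<listener>[^)]+)\): "
    r"TLS handshake: read tcp (?P<local>[\d.]+:\d+)->(?P<remote>[\d.]+:\d+): i/o timeout"
)


def parse_handshake_timeouts(text):
    """Return (timestamp, listener, local, remote) for every matching line."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue  # unrelated log line, skip it
        ts = datetime.strptime(m.group("ts"), "%Y/%m/%d %H:%M:%S")
        events.append((ts, m.group("listener"), m.group("local"), m.group("remote")))
    return events


def summarize(text, reconnection_interval_s=60):
    """Per (local, remote) pair: attempt count, seconds between attempts, and
    whether every gap is at least the configured reconnection interval."""
    by_pair = {}
    for ts, _listener, local, remote in parse_handshake_timeouts(text):
        by_pair.setdefault((local, remote), []).append(ts)
    report = {}
    for pair, stamps in by_pair.items():
        gaps = [int((b - a).total_seconds()) for a, b in zip(stamps, stamps[1:])]
        report[pair] = {
            "count": len(stamps),
            "intervals": gaps,
            "retrying": bool(gaps) and all(g >= reconnection_interval_s for g in gaps),
        }
    return report


if __name__ == "__main__":
    for pair, info in summarize(SAMPLE_LOG).items():
        print(pair, info)
```

A steady sequence of gaps at or above the configured interval shows the listener is still seeing fresh handshake attempts from the peer, which is a different situation from no retry at all.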