Syncthing inside a VM for syncing over the Internet?

Hi, new to Syncthing here, so bear with me. I’d like to know whether it’s possible to use Syncthing inside a VM for syncing a local folder with another user over the Internet. VM because it adds a security layer, so the other party can’t fiddle around in my HD. Is this possible and easy to do? If so, are there any virtualization programs that are more compatible with Syncthing than others? I’m on Apple Silicon, so the ones I know of are Parallels, VMware Fusion and UTM.

Syncthing should “just work” inside a VM. I’ve been using it personally inside VirtualBox machines for quite a long time.

However, what exactly is the security risk as described in


Through Syncthing no one can just fiddle around on the disk; the only access the other side has is to the folder that you’ve shared with them and the files that are inside it.

Thanks for the info. Well, it seems that VB axed their support for Apple Silicon Macs, so I’ll have to try with another app. Good to know Syncthing does work in a VM. Is it possible to program the syncing in a one-directional way (i.e. source folder to destination folder) or does the syncing automatically happen both ways?

In the end, a VM is nothing but an OS running on top of some hypervisor - it’s usually barely noticeable for software as the magic happens quite some layers under it. Syncthing runs on quite a lot of architectures and so far I haven’t come across any that’s really not supported - and this includes virtual environments.

Also note that one could argue that Docker is a mini-VM as well, and Syncthing offers a default config to get a container up and running - it’s worth a look if that’s what you’re after (although decent knowledge of Docker is always preferred in this case).

But, as already pointed out, from a security perspective it won’t add super much as Syncthing makes sure that the configured folder isn’t being ‘escaped’ (purposefully or accidentally).

You can configure Syncthing to sync in only one direction as well; see the available folder types in the docs (Send Only in your case): Folder Types — Syncthing documentation

Oh, the send-only folder is a nice one, thanks! Yeah, I can get the argument; simply running the app from within a VM just adds that extra layer of (feeling of) security for me. Are ST’s speeds OK or should I expect much lower ones than, e.g., upload sites or so?

The last question will depend wildly on the situation, but inherently lower than upload sites is (from my experience) rare. In the end Syncthing tries to make an ‘as direct connection as possible’; from that point on it’s all up to your OS, hardware, network and configuration. What number comes out of that is hard to estimate. The average upload site usually doesn’t offer that great of an upload speed anyways.

One big point is the use of relays. When using relays (perhaps other than the ones in your direct own management), the speeds can be significantly limited. But this should also be available as a note in the docs.

These relays are what? Discovery relays to connect the two peers? If so, once the connection is established, they disappear from the picture, right, so they can’t botch the speeds any longer?

Discovery servers are indeed solely used to get two instances to connect to one another - if needed. These shouldn’t affect the speeds.

Relays, however, are used when a direct connection is not possible (Relaying — Syncthing documentation). So the (encrypted) traffic flows through those if this is deemed to be required and if a device is configured to be allowed to do so (one can enable/disable this in the regular settings → connections).
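To make the two settings discussed in this thread concrete (the send-only folder type from the folder-types reply, and the relay toggle from the reply above), here is a constructed excerpt of a Syncthing `config.xml`. It is an added illustration, not configuration from the original posts or from the Syncthing project; the folder id, label, path and device ID are placeholders, and the surrounding elements (the `version` attribute, `<device>` entries, `<gui>`, the rest of `<options>`) are omitted.

```xml
<!-- Constructed excerpt of a Syncthing config.xml; remaining elements omitted -->
<configuration>
    <!-- type="sendonly": this device only announces and serves its own files;
         changes made by the other party are not pulled back into the local folder -->
    <folder id="shared-docs" label="Shared Docs" path="/home/user/shared-docs"
            type="sendonly">
        <!-- Placeholder: the device ID of the other party the folder is shared with -->
        <device id="DEVICE-ID-PLACEHOLDER"></device>
    </folder>
    <options>
        <!-- false = never route traffic through a relay (the "use relays" toggle
             under Settings -> Connections). Traffic over a relay stays end-to-end
             TLS encrypted, but the relay is a third party and may limit throughput.
             With relays off, a direct connection (open/forwarded port on one side)
             is required. -->
        <relaysEnabled>false</relaysEnabled>
    </options>
</configuration>
```

Switching `relaysEnabled` back to `true` restores the default behaviour in which a relay is used only when a direct connection cannot be established.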

OK, I see. In what use cases could this be necessary, though, once the discovery server connects the peers?

Peers still need to be able to reach each other behind whatever firewalls exist. So if the firewall ports aren’t open, they may or may not be able to establish the connection, even if they have the connect address (IP address and port).

Depending on the firewalls on either end of the two machines, a direct connection may not be possible so the relay is used. If you have access to configure one of the two firewalls then usually the relay is not necessary.

OK, I see. Thanks. And can the relays snoop into the traffic between the peers, which is encrypted by TLS?

The traffic is encrypted before transmitting to the relay, and the relay doesn’t have the decryption key. It passes the encrypted traffic straight through to the receiving peer. Only the receiving peer can decrypt the traffic.

The relay cannot snoop the traffic.

OK, that’s great.