But it could be used for that purpose if the Syncthing “backup server” contains a folder for each Syncthing device, whose content is then completely overwritten on a daily or weekly basis, meaning each Syncthing client overwrites the content of its folder on the Syncthing “backup server”.
Does this make sense? Is it supported? Meaning, can the product do this?
Certainly can. One thing to keep in mind is that bad data from the client will be synced just as happily as good data, so the server side needs to have some mechanism to roll back to earlier data – filesystem snapshots, versioning, periodic copies to somewhere else, whatever. The other is that (contrary to most backup solutions) you can’t easily initiate a restore from just the client side.
The idea is to use Timeshift on the Syncthing “backup server”.
In parallel there is a real backup application making copies to a locally attached USB drive.
Using the backup application for this would require port forwarding and/or UPnP, which is something I would like to avoid with this Syncthing approach.
Restoring is not an issue as the clients are actually basic application servers running multiple Docker containers, where the dataset for all Docker containers is stored on a shared volume. Meaning system/application recovery will always require manual work - part of which is restoring and validating the data.
You are right - a backup solution works better in more general cases.
However, as soon as containers and internet connectivity are involved, it is not a general case anymore. Hence Syncthing, Duplicati, Veeam and Kopia… it doesn’t really matter - they all have their pros and cons.
You’d mentioned port forwarding, so I’m guessing that some of your client hosts are outside of the LAN your backup server is on.
Unless you’re depending on Syncthing’s community-run relay servers, or hosting your own, at least one side of the Syncthing connection will have to be reachable on port 22000 (or whatever port you’ve chosen as your listening port). Depending on the size of your backups, going through the relays could take a while.
Duplicacy, Duplicati, Kopia and other similar cloud-capable backup tools offer features that overlap with Syncthing + Timeshift without the need to cobble together two types of applications. With backups, it’s generally a good idea to keep the possible points of failure to a minimum.
Syncthing can definitely be a useful part of a backup system, but if the primary reason for using Syncthing is to avoid port forwarding for a purpose-built backup tool, it’s likely not as good as it sounds.
If port forwarding really isn’t an option, run your backups through a VPN that uses similar NAT traversal techniques as Syncthing (there are plenty to choose from).
Give Tailscale peer-to-peer VPN a look. All Syncthing servers will be on their own private subnet regardless of where they are located in the world.
It creates a private VPN network between your computers regardless of where they’re located. Each machine will have a private encrypted IP address and you can do this completely for free.
I have my storage server and PCs and phone running this program so I can access it from anywhere.
You could put Syncthing servers on that private encrypted network.
No router or gateway configuration necessary to pass port forwarding or anything like that.
Just to make sure we are all on the same page:
The idea is to build a mesh overlay network between a few VPS-es and the home office, with any-to-any communication as the expected result. Part of this any-to-any communication is Syncthing.
Ideally, each VPS and the home office can still work with local internet breakout for doing updates and e-mail (as an example).
It is not my idea to create an overlay between the systems running Syncthing.
Tailscale and Nord only add an additional IP address to your system. The main IP address for your system still works for everything that it’s working for now. You can set up the VPN and not worry about losing any existing connectivity and the software can be configured to use both the local IP address and the VPN address.
I use this successfully on both Windows and Linux.
Yes, like with other VPNs, the routing table will determine which connections get sent to the mesh VPN and what gets sent to your internet gateway.
It’s certainly an option, but once you use a mesh VPN, it’s likely you’ll find other uses for it besides Syncthing.
And if you’re using Tailscale, there’s an option to configure access rules so that a host can only connect to a list of pre-approved hosts rather than it being any-to-any.
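As an added illustration of the access rules mentioned above (not taken from this thread or from Tailscale's documentation), this is a Tailscale ACL policy that lets tagged application servers reach only the tagged backup server on the Syncthing listening port 22000 and nothing else; the tag names `tag:app-server` and `tag:backup-server` are assumed, and because Tailscale ACLs are default-deny, any-to-any traffic between the application servers is blocked.

```json
{
  "tagOwners": {
    "tag:backup-server": ["autogroup:admin"],
    "tag:app-server": ["autogroup:admin"]
  },
  "acls": [
    {
      "action": "accept",
      "src": ["tag:app-server"],
      "dst": ["tag:backup-server:22000"]
    }
  ]
}
```

Leaving out `proto` keeps the rule valid for both TCP and UDP, which matters because Syncthing can use QUIC as well as TCP on that port.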