I’m just starting to set up the complete syncthing eco-system by hosting server, relay and discovery on my server.
I can (and have) put syncthing (GUI) itself behind a proxy server with authentication. But the discovery server needs to be accessible without authentication. The discovery server, in my current understanding, is necessary so my clients, when roaming around outside my LAN, can find the other devices (in fact only one central “server” so far). For that I don’t want to use the global discovery.
But at the same time I want to prevent other devices from registering with my discovery server.
While the other way around, preventing clients from connecting to a rogue discovery server, is possible, I don’t see how I can prevent “unknown” clients from registering themselves with my private discovery server.
Is there a possibility to do this?
And the same goes for the relay server. As it is a private server running on low-power hardware and a limited network connection, I can’t afford other traffic.
The relay server has support for some kind of auth token. The discovery server doesn’t. I don’t think there’s much of a risk though that random people are going to find your private discovery server and decide to use it.
Thanks for the clarification, Jakob. That makes sense, so basically the discovery server is more “open by design,” and the risk of random devices hitting it is low. Good to know!
Dear @marching, I don’t know how you conclude from an “I don’t think” to “the risk is low.”
I respect the opinion of @calmh . Thank you for the clarification that there is no such protection mechanism.
But the goal is to run a private instance. And private means private. We see every day that security issues are abused for malicious purposes. So leaving the door open on purpose is not a good idea, and for sure not what I want. We/I try to secure my services as well as I can, shut down services which are not needed, and remove options I don’t use. Thus it’s the most logical step for me for a private relay server to be private, and for a private discovery server to be private.
If somebody has the resources to run and provide such services as a private person, that’s fine for me; but I don’t.
Random users of your discovery server may not find it very useful: only devices that connect to the same discovery server will be able to connect. A random user connecting to your private discovery server won’t find other devices unless those devices are also connected to the same discovery server.
Secondly, connecting to the same discovery server is not a breach of security: when a device connects to the discovery server it sends its TLS fingerprint and its IP address, then sends a list of devices it wants to connect to. If those devices have connected to that discovery server, the server will reply with the IP addresses of those devices.
Your device has no way of knowing who has connected to a discovery server, only the ones it already knows about.
The discovery server keeps a list of device IDs that have connected and their IP address.
In order for two devices to connect, they have to be introduced by each accepting the TLS certificate of the other. So even knowing a device ID, even if you could get the discovery server to send you a list of all the devices that have connected to it, would still not get you a connection to any random device.
The traffic to a discovery server is just a few kB per hour. The records.db on my private discovery server with 10 devices connecting is only 2223 bytes.
This is my understanding of how discovery works – Corrections welcome.
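As an added illustration of the discovery model described in the post above (this is example code, not code from the Syncthing project or from anyone in the thread), the sketch below derives a device ID from a certificate's DER bytes the way Syncthing does (SHA-256, base32, a Luhn mod-32 check character per 13-character chunk, dashes every 7 characters) and models a discovery store that keys each announcement by the ID of the certificate the announcing client presents, so a record can only ever be published under the announcer's own ID and lookups resolve only exact, already-known IDs. The certificate bytes and addresses in the test are constructed stand-ins; `DiscoveryStore` is a hypothetical model, not the real discosrv.

```python
import base64
import hashlib

# Syncthing's base32 alphabet (RFC 4648, no padding) used for device IDs.
ALPHABET = "ABCDEFGHIJKLMNOPQRSTUVWXYZ234567"


def luhn32(chunk: str) -> str:
    """Luhn mod-32 check character for one 13-character base32 chunk."""
    factor, total = 1, 0
    for ch in chunk:
        addend = factor * ALPHABET.index(ch)
        factor = 1 if factor == 2 else 2
        total += addend // 32 + addend % 32
    return ALPHABET[(32 - total % 32) % 32]


def device_id_from_cert(der: bytes) -> str:
    """Device ID = base32(SHA-256(DER cert)) in 4 chunks, each with a check char, dashed."""
    raw = base64.b32encode(hashlib.sha256(der).digest()).decode().rstrip("=")  # 52 chars
    chunks = [raw[i:i + 13] for i in range(0, 52, 13)]
    checked = "".join(c + luhn32(c) for c in chunks)  # 56 chars
    return "-".join(checked[i:i + 7] for i in range(0, 56, 7))  # 63 chars


def device_id_valid(device_id: str) -> bool:
    """Verify all four check characters; catches a mistyped ID before it is trusted."""
    s = device_id.replace("-", "").replace(" ", "").upper()
    if len(s) != 56 or any(ch not in ALPHABET for ch in s):
        return False
    return all(luhn32(s[i:i + 13]) == s[i + 13] for i in range(0, 56, 14))


class DiscoveryStore:
    """Hypothetical model of the announce/lookup records a discovery server keeps."""

    def __init__(self) -> None:
        self.records = {}  # device ID -> list of announced addresses

    def announce(self, client_cert_der: bytes, addresses) -> str:
        # The ID comes from the certificate the client presented in the TLS handshake,
        # not from a value it chooses, so it cannot publish addresses under another ID.
        dev = device_id_from_cert(client_cert_der)
        self.records[dev] = list(addresses)
        return dev

    def lookup(self, device_id: str) -> list:
        # Only an exact, already-announced ID resolves; there is no enumeration query.
        return list(self.records.get(device_id, []))
```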