Title: Run your own Syncthing discovery server on OpenBSD
       Author: Solène
       Date: 18 October 2023
       Tags: syncthing openbsd privacy security networking
       Description: In this article, you will learn how to configure a
       syncthing discovery server on OpenBSD.
       
       # Introduction
       
       In a previous article, I covered the software Syncthing and mentioned a
       specific feature named "discovery server".
       
       The discovery server lets clients find each other and establish
       connections through NATs.  It is NOT a relay server (a different
       service), which proxies the traffic between clients.
       
       A motivation to run your own discovery server(s) would be for security,
       privacy or performance reasons.
       
       * security: relying on the global servers with the software that
       synchronizes your data is dangerous if a remote exploit is found in
       the protocol; running your own server reduces that exposure
       * privacy: the global servers learn a lot about your client if you
       sync online: time of activity, IP address, number of remote nodes,
       the ID of everyone involved, etc.
       * my specific use case where I have two Qubes OS computers with
       multiple syncthing inside, they can't see each other as they are in
       separate networks, and I don't want the data to go through my slow
       ADSL to sync locally...
       
       Let's see how to install your own Syncthing discovery daemon on
       OpenBSD.
       
 (HTM) Syncthing discovery daemon documentation
       
       Related blog posts
       
 (HTM) Presenting Syncthing features
 (HTM) Blog post about the complementary Relay server
       
       # Setup
       
       On OpenBSD, the binary we need is provided by the syncthing package.
       
       ```shell
       # pkg_add syncthing
       ```
       
       The discovery service is provided by the binary `stdiscosrv`; you need
       to create a service file to enable it at boot.  We can use the
       syncthing service file as a template for the new one.  In
       OpenBSD-current and from OpenBSD 7.5 onwards, the rc file is installed
       with the package.
       
       ```shell
       # sed '/^daemon=/ s/syncthing/stdiscosrv/ ; /flags/ s/".*"/""/' /etc/rc.d/syncthing > /etc/rc.d/syncthing_discovery
       # chmod a+x /etc/rc.d/syncthing_discovery
       ```
       
       This creates a service named `syncthing_discovery`; it's time to
       enable and start it.
       
       ```shell
       # rcctl enable syncthing_discovery
       ```
       
       We will start the service in debug mode so the daemon output is
       displayed in the terminal.  Look for the line "Server device ID is
       XXXX-XXXX......" in that output and keep the ID (the
       XXXX-XXXX-XXXX-XXXX part), because we will need to reuse it later.
       
       ```shell
       # rcctl -d start syncthing_discovery
       ```
       
       Make sure your firewall is configured to allow incoming connections on
       TCP port 8443, which is used by the discovery daemon.
       
       # Client configuration
       
       On the client Web GUI, click on "Actions" and "Settings" to open the
       settings panel.
       
       In the "Connections" tab, you need to change the value of "Global
       Discovery servers" from "Default" to `https://IP:8443/?id=ID`, where
       IP is the IP address where the discovery daemon is running, and ID is
       the value retrieved in the previous step when running the daemon.
       
       Depending on your use case, you may want the global discovery servers
       in addition to yours.  It is possible to list multiple servers, in
       which case you would use the value `default,https://IP:8443/?id=ID`.
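To tie the two steps above together (retrieving the device ID from the daemon output, then building the "Global Discovery servers" value), here is a small added shell script; it is not part of the original post or of the Syncthing project. The log line and the device ID in it are constructed placeholders, and the IP address is an example value.

```shell
#!/bin/sh
# Added example, not code from the original post or from the Syncthing
# project. It reads the stdiscosrv startup output, pulls out the device ID,
# checks that it has the shape of a Syncthing device ID and builds the value
# for the client's "Global Discovery servers" field.

# Constructed sample of the line printed when the daemon starts; the ID is a
# placeholder with the right shape, not a real device ID.
SAMPLE_LOG='2023/10/18 10:00:00 Server device ID is ABCDEFG-HIJKLMN-OPQRSTU-VWXYZ23-4567ABC-DEFGHIJ-KLMNOPQ-RSTUVWX'

# Print the first device ID found in daemon output read on stdin (empty if none).
discovery_id() {
    sed -n 's/.*Server device ID is \([A-Z2-7-]*\).*/\1/p' | head -n 1
}

# Syncthing device IDs are 8 groups of 7 base32 characters (A-Z, 2-7)
# separated by dashes. This checks the shape only, not the check digits.
valid_device_id() {
    printf '%s' "$1" | grep -Eq '^([A-Z2-7]{7}-){7}[A-Z2-7]{7}$'
}

# Build the "Global Discovery servers" value.
#   $1 = IP address or hostname of the discovery server
#   $2 = device ID
#   $3 = "keep-default" to keep the global servers as well (optional)
discovery_url() {
    url="https://$1:8443/?id=$2"
    if [ "$3" = "keep-default" ]; then
        printf 'default,%s\n' "$url"
    else
        printf '%s\n' "$url"
    fi
}

# In practice, feed the saved output of the daemon start instead of SAMPLE_LOG.
id=$(printf '%s\n' "$SAMPLE_LOG" | discovery_id)
if ! valid_device_id "$id"; then
    echo "no valid device ID found in daemon output" >&2
    exit 1
fi
discovery_url 192.0.2.10 "$id"
discovery_url 192.0.2.10 "$id" keep-default
```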
       
       # Conclusion
       
       If you replace the default discovery server with your own, make sure
       all the peers can reach it; otherwise your syncthing clients may not
       be able to connect to each other.
       
       # Going further
       
       By default, the discovery daemon generates a self-signed certificate;
       you could use a Let's Encrypt certificate if you prefer.
       
       There are some other options, such as a Prometheus export for
       collecting metrics or changing the listening port; you will find all
       the extra options in the documentation / man page.