2023-05-30
I've been going down the self-hosting rabbit hole recently and decided to try out Syncthing as a way of syncing notes across my devices. I decided to run a node on a VPS so that I would have one node running 24/7 that my devices can sync to. This guide will help you set up Syncthing on a VPS and secure it using ufw and fail2ban. This guide will only use the command line (no web GUI).
The installation process varies depending on which OS you are running on the server, but most common Linux distros should have a version of Syncthing packaged in the default repositories. We are also going to install fail2ban for security.
For Ubuntu or Debian server:
$ sudo apt install syncthing fail2ban
For Arch:
$ sudo pacman -S syncthing ufw fail2ban
For Fedora:
$ sudo dnf install syncthing ufw fail2ban
I am not a security expert. Do your own research before following these instructions.
fail2ban
All you have to do to enable fail2ban is run
$ systemctl enable fail2ban
$ systemctl start fail2ban
The ports we are going to need open for Syncthing are 22000 and 21027/udp. Your VPS provider should have instructions on opening ports.
ufw
ufw (uncomplicated firewall) is an easy-to-use firewall tool that we will use to drop all incoming traffic on ports other than the Syncthing ports. We can allow traffic on Syncthing ports by running
$ sudo ufw allow syncthing
If you are using SSH to access your VPS, it is also important that you open the SSH port so you don't get locked out. To do this, run sudo ufw allow ssh.
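A quick way to confirm that the firewall ended up in the state described above (active, SSH reachable, nothing open beyond the Syncthing ports) is to audit the output of `sudo ufw status`. This is an added example, not part of the original post: `audit_ufw` is a hypothetical helper name, both status listings are constructed samples, and it assumes the status output lists the `syncthing` application profile by name.

```sh
# audit_ufw (hypothetical helper): reads `ufw status` text on stdin, prints one
# line per problem, and returns 0 only when the rules match this guide.
audit_ufw() {
    awk '
        /^Status: active/ { active = 1 }
        /ALLOW|LIMIT/ {
            rule = $1    # first column: port/proto or application profile
            if (rule == "22/tcp" || rule == "OpenSSH") { ssh = 1; next }
            if (rule == "syncthing" || rule ~ /^22000(\/(tcp|udp))?$/ || rule == "21027/udp") next
            if (!seen[rule]++) print "unexpected rule: " rule
            bad = 1
        }
        END {
            if (!active) { print "ufw is not active: allow rules are not enforced until it is enabled"; exit 1 }
            if (!ssh) { print "no SSH rule: you can be locked out of the VPS"; bad = 1 }
            exit bad + 0
        }'
}

# Constructed sample: status output after following the guide.
sample_guide() {
    cat <<'EOF'
Status: active

To                         Action      From
--                         ------      ----
syncthing                  ALLOW       Anywhere
22/tcp                     ALLOW       Anywhere
syncthing (v6)             ALLOW       Anywhere (v6)
22/tcp (v6)                ALLOW       Anywhere (v6)
EOF
}

# Constructed sample: SSH rule missing and an extra port open
# (8384/tcp is the default Syncthing GUI port, which this guide never opens).
sample_drift() {
    cat <<'EOF'
Status: active

To                         Action      From
--                         ------      ----
syncthing                  ALLOW       Anywhere
8384/tcp                   ALLOW       Anywhere
8384/tcp (v6)              ALLOW       Anywhere (v6)
EOF
}

sample_guide | audit_ufw && echo "sample_guide: matches the guide"
sample_drift | audit_ufw || echo "sample_drift: needs attention"
```

On the server, feed it the live state with `sudo ufw status | audit_ufw`.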
To generate a Syncthing config on the server, run
$ syncthing generate
This should output a device ID. Make sure to save it for later; I will refer to it as SERVER_ID from now on.
These next instructions will show you how to connect a device, such as a laptop or desktop computer, to the server. First, make sure Syncthing is running on both the device and the server. Start Syncthing on the server by running the following two commands:
$ systemctl enable syncthing@USER.service
$ systemctl start syncthing@USER.service
where USER is replaced by your username.
Next, we will need the device ID of the local device. Run syncthing -device-id on it to get it. I will refer to this as LOCAL_ID from now on. On the server, run
$ syncthing cli config devices add --device-id LOCAL_ID
and on your local device run
$ syncthing cli config devices add --device-id SERVER_ID
To configure the server to auto-accept folders from the local device, run the following command on the server:
$ syncthing cli config devices LOCAL_ID auto-accept-folders set true
Now you can add a folder from your local device. On the local device, run
$ syncthing cli config folders list
and copy the folder ID of the folder you want to add. Then run
$ syncthing cli config folders FOLDER_ID devices add --device-id SERVER_ID
to add the folder.
Please feel free to email me with any questions or comments about this article.