Self hosted syncthing relay with keepass, how secure is it? - eviltoast

I already have my keepassxc and syncthing setup on my phone and computers and it’s great, I’d like to go a step further and have my password database sync when I’m not on my home network. From my understanding I can use relays set up by other users and they are encrypted, but if I do not trust syncing personal (encrypted) data to someone else’s server how easy is it to set up a relay that only I use? I won’t be using Bitwarden because in theory if I can pull this off I can also use syncthing to sync other files as well. Is setting up a personal relay a lot of work or a potential security risk for my home network?

  • ShortN0te@lemmy.ml
    link
    fedilink
    English
    arrow-up
    4
    ·
    8 months ago

    So you do not trust the syncthing encryption when it goes through someones server but when it goes through someones (your ISP and the ISP of the end device) router/server?

    I am not really understanding the thread model here.

    • kugmo@sh.itjust.worksOP
      link
      fedilink
      English
      arrow-up
      1
      ·
      8 months ago

      At my house, I’m already using a dynamic dns for some game servers because of a dynamic ip.

      • TCB13@lemmy.world
        link
        fedilink
        English
        arrow-up
        5
        ·
        edit-2
        8 months ago

        If you can create a port forward in your router and run stuff at your house what’s the point of a relay then? Just expose the ports that Syncthing uses and configure your client to connect to it using your dynamic DNS. No public or private relays are required.

        1. Port forward the following in your router to the local Syncthing host, any client will be able to connect to it directly:
        • Port 22000/TCP: TCP based sync protocol traffic
        • Port 22000/UDP: QUIC based sync protocol traffic
        1. Go into the client and edit the home device. Set it to connect using the dynamic DNS directly:

        For extra security you may change the Syncthing port, or run the entire thing over a Wireguard VPN like I also do.

        Note that even without the VPN all traffic is TLS protected.

  • adr1an@programming.dev
    link
    fedilink
    English
    arrow-up
    2
    ·
    8 months ago

    Syncthing is p2p. The servers only see your devices IP addresses and let them connect to share data themselves. That’s why it’s a relay. But AFAIK files only goes from, and to, your syncthing clients; without passing through the relays. At most, the relay may see some metadata as filenames. I have been syncing passwords like this since long ago. Never jumped to Bitwarden because I didn’t had the need… May do so anyway because of OTP and Passkeys…

    • adr1an@programming.dev
      link
      fedilink
      English
      arrow-up
      2
      ·
      8 months ago

      Oh, and the syncthing encryption that you may enable for the folders is for these devices/ clients. This may be useful is you were to use a third part machine, like a VPS, as a 24/ 7 node for your files. That’s different from a relay, may be desirable if you want to sync ASAP and avoid conflicts. In any case, conflicts are rare… you would need to open the DB and add entries at the same time, or some quirky scenario…

  • Decronym@lemmy.decronym.xyzB
    link
    fedilink
    English
    arrow-up
    1
    ·
    edit-2
    8 months ago

    Acronyms, initialisms, abbreviations, contractions, and other phrases which expand to something larger, that I’ve seen in this thread:

    Fewer Letters More Letters
    DNS Domain Name Service/System
    IP Internet Protocol
    SSL Secure Sockets Layer, for transparent encryption
    TCP Transmission Control Protocol, most often over IP
    TLS Transport Layer Security, supersedes SSL
    UDP User Datagram Protocol, for real-time communications
    VPN Virtual Private Network
    VPS Virtual Private Server (opposed to shared hosting)

    6 acronyms in this thread; the most compressed thread commented on today has 10 acronyms.

    [Thread #595 for this sub, first seen 12th Mar 2024, 08:05] [FAQ] [Full list] [Contact] [Source code]