So today I was using Syncthing to sync some files with my phone (GrapheneOS) from a Linux computer. I was using Local Discovery and NAT Traversal as the options on both.
I am behind the Rethink DNS app on Android and I had to disable the Always-on VPN option on my phone and had to select the Exclude from DNS and Firewall option for Syncthing-Fork in Rethink in order for it to work locally. But before I did that I saw some DNS connections Syncthing-Fork was making, to STUN providers such as stun.internetcalls.com.
I believe you can stop these connections by turning off NAT Traversal.
But this got me thinking: how private is Syncthing? Are the STUN servers seeing what I am sending? And yes, the transfer was happening locally. I saw TCP LAN in the transfer info.
Syncthing-Fork is from F-Droid.
NAT traversal isn’t seeing any of your data, it’s just a service to enable clients behind NAT to talk to each other and make a direct connection for data transfer.
Local Discovery probably uses broadcasts and maybe mDNS to discover other syncthing clients on the same local network.
Global discovery is essentially a database of clients so they can find each other over the internet. This lets your client connect home when out on your phone and such.
But all of the actual data transfer is happening directly client to client. As long as relaying is disabled.
But this got me thinking how private is Syncthing? Are the STUN servers seeing what I am sending?
https://en.wikipedia.org/wiki/Syncthing
The network of community-contributed relay servers allows devices behind different IPv4 NAT firewalls to communicate by relaying encrypted data via a third party. The relay is similar to the TURN protocol, with the traffic TLS-encrypted end-to-end between devices (thus even the relay server cannot see the data, only the encrypted stream). Private relays can also be set up and configured, with or without public relays, if desired. Syncthing automatically switches from relaying to direct device-to-device connections if it discovers a direct connection has become available.
Here’s a post on the Syncthing forums where a developer answers the question “What could a malicious discovery or relay server do?”: https://forum.syncthing.net/t/what-could-a-malicious-discovery-or-relay-server-do/21986
I think most information is passed through the global discovery api: https://docs.syncthing.net/specs/globaldisco-v3.html
STUN is only used to figure out public IPs and port and should store no information.
You should disable “global discovery” as well as NAT traversal and relaying.
With NetGuard I don’t need to disable ‘always on VPN’ or give Syncthing any special permissions.
Does NetGuard support VPN through a WireGuard config?