How to Install Syncthing on Debian desktop/server
This tutorial will show you how to install Syncthing on Debian. Syncthing is a free, peer-to-peer continuous file synchronization program that allows you to synchronize your files across multiple devices, available for Linux, BSD, macOS, Windows, Android and Solaris.
It’s an open-source alternative to the popular Resilio Sync (formerly known as BitTorrent Sync) application. The creation, modification or deletion of files on one machine will automatically be replicated to your other devices. Syncthing does not upload your files to a central server like Nextcloud, but exchange your data directly between your devices. All your data is encrypted with TLS when transmitting between your devices.
Install Syncthing on Debian via Official Deb Repository
Use curl to download the GPG key then import the key with apt-key.
sudo apt-get install curl curl -s https://syncthing.net/release-key.txt | sudo apt-key add -
If you see OK in the terminal, that means the GPG key is successfully imported. Then add the official deb repository with the following command.
echo "deb https://apt.syncthing.net/ syncthing stable" | sudo tee /etc/apt/sources.list.d/syncthing.list
Becaue this repository uses https, we need to install the apt-transport-https package, so the APT package manager can establish https connection with this repository.
sudo apt-get install apt-transport-https
Update local package index and install syncthing on Debian.
sudo apt-get update sudo apt-get install syncthing
Using Systemd to Set Up Syncthing as a System Service
The official Syncthing deb package ships with the needed systemd service file. Under /lib/systemd/system/ directory, you will find a [email protected] file. Enable syncthing to auto start at boot time by running the below command. Replace username with your actual username.
sudo systemctl enable syncthing@username.service
The above command will create a symbolic link that points to the [email protected] file.
Created symlink from /etc/systemd/system/multi-user.target.wants/[email protected] to /lib/systemd/system/[email protected].
Now we can start the Syncthing service with the following command.
sudo systemctl start syncthing@username.service
Check status
systemctl status syncthing@username.service
Output:
Hint: If the above command doesn’t quit immediately, press Q to gain back control of the terminal.
We can see that Syncthing autostart is enabled and it’s running.
The syncthing systemd service creates configuration files under /home/username/.config/syncthing/ and a folder /home/username/Sync as the default sync folder. The main config file is /home/username/.config/syncthing/config.xml.
Install Syncthing on other OS
Go to Syncthing download page and install Syncthing on other operating systems like Windows, macOS, BSD, Android.
Open Port 22000 in the Firewall
Syncthing uses port 22000 to communicate with peers. If your computer or server enabled the UFW firewall, then you need to allow port 22000 with the following command.
sudo ufw allow 22000/tcp
Accessing the Debian Syncthing Web Interface
By default, Syncthing service listens on 127.0.0.1:8384. Now in your Web browser’s address bar, type 127.0.0.1:8384 to access the Syncthing Web interface. You can add other Syncthing devices and share folders with them.
If you install Syncthing on a remote Debian server, you can enable remote access to Syncthing web interface by editing the configuration file.
nano /home/username/.config/syncthing/config.xml
Find the following two lines.
<gui enabled="true" tls="false" debugging="false">
<address>127.0.0.1:8384</address>
Change tls="false" to tls="true", so the HTTP traffic will be encrypted. And change 127.0.0.1 to the public IP address of the Debian server. Save and close the file. Restart Syncthing for the changes to take effect.
sudo systemctl start syncthing@username.service
Now type server-ip-address:8384 in the web browser to access the Syncthing Web interface. Obviously you need to use the Debian server’s real IP address. You will be asked to set a username and password for protect the Syncthing web interface.
You can also set up a reverse proxy with Nginx or Apache in order to access the web UI, which is explained later in this tutorial.
Start Syncing Files between Your Devices
Once we have two devices running Syncthing, we can start syncing files between them.
In the Syncthing web interfce, click on Actions > Show ID on the upper-right corner. You will see the device ID, which is a long string of letters and numbers. The QR code, which is also the device ID, is used for configuring Syncthing on smartphones.
Copy the device ID, then open the Syncthing Web interface of the second device, click Add Remote Device on the bottom-right corner. Then paste the Device ID and give the device it a name. Click the Save button.
Now the second device will try to connect to the first device. Refresh the Web interface on the first device, you will see the following message. Click Add Device to add the second device to the device list of the first device.
Now the two devices are connected.
One the left pane of Web interface is the default sync folder (/home/username/Sync). Click the Add Folder button to add a new folder. Give a descriptive label for this folder and set the folder path.
Syncthing runs as your own user account, so you need to have write permission on the shared folder. If you see the following error message while sharing a folder, it means you don’t have write permission on that folder.
2020-06-21 20:05:49: Failed to create folder marker: mkdir .stfolder: read-only file system
You can grant write permission with setfacl.
sudo apt install acl
sudo setfacl -R -m u:username:rx /folder/path/
In the Sharing tab, select your other Syncthing device.
In the Advanced tab, you can choose the folder type, rescan interval, etc.
Click Save button to begin syncing. A message will appear in the Web interface of the other device. Click Add to receive files.
Now the two devices are syncing files. On the right side, you can see the download rate, upload rate, local folder size, etc.
Set Up Reverse Proxy
Since it listens on 127.0.0.1:8384, Syncthing Web interface is only available to connections from the same computer. To be able to access the Syncthing Web interface from a remote computer, we can set up a reverse proxy for Syncthing with Nginx or Apache.
Nginx
Nginx is a very populuar web server and reverse proxy. If you prefer to use Nginx, run the following command to install it.
sudo apt install nginx
Then create a server config file.
sudo nano /etc/nginx/conf.d/syncthing.conf
Add the following content to this file. Replace syncthing.example.com with your preferred domain name. You should also add a DNS A record for this sub-domain. If you don’t have a real domain name, I recommend going to NameCheap to buy one. The price is low and they give whois privacy protection free for life.
server {
listen 80;
server_name syncthing.example.com;
access_log /var/log/nginx/syncthing.access.log;
error_log /var/log/nginx/syncthing.error.log;
location / {
proxy_pass http://127.0.0.1:8384;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $scheme;
}
}
Save and close the file. Test Nginx configuration and reload Nginx.
sudo nginx -t sudo systemctl reload nginx
After you point your domain name to the IP address of Debian, type your domain name in the browser address bar and you should see the Syncthing Web interface.
If your browser can’t connect to the Syncthing web interface, perhaps you need to open port 80 in firewall. For example, if you use UFW, then run the following command.
sudo ufw allow 80/tcp
Apache
Apache is well-known web server that can also be used as a reverse proxy. If you prefer Apache to Nginx, install it with:
sudo apt install apache2
Start Apache and enable auto start.
sudo systemctl start apache2 sudo systemctl enable apache2
To use Apache as a reverse proxy, we need to enable the proxy modules and the header module.
sudo a2enmod proxy proxy_http headers proxy_wstunnel
Now create a virtual host file for Syncthing.
sudo nano /etc/apache2/sites-available/syncthing.conf
Copy and paste the following lines in to the file. Replace syncthing.example.com with your real domain name. You should also add a DNS A record for this sub-domain. If you don’t have a real domain name, I recommend going to NameCheap to buy one. The price is low and they give whois privacy protection free for life.
<VirtualHost *:80>
ServerName syncthing.example.com
ErrorDocument 404 /404.html
ProxyPass / http://127.0.0.1:8384/
ProxyPassReverse / http://127.0.0.1:8384/
ErrorLog ${APACHE_LOG_DIR}/syncthing_error.log
CustomLog ${APACHE_LOG_DIR}/syncthing_access.log combined
</VirtualHost>
Save and close the file. Then enable this virtual host.
sudo a2ensite syncthing.conf
Restart Apache
sudo systemctl restart apache2
Now you can access the Web UI via syncthing.example.com.
If your browser can’t connect to the Syncthing web interface, perhaps you need to open port 80 in firewall. For example, if you use UFW, then run the following command.
sudo ufw allow 80/tcp
Secure the Syncthing Web UI with HTTPS
To encrypt the HTTP traffic when you visit Syncthing web UI via a domain name, we can enable HTTPS by installing a free TLS certificate issued from Let’s Encrypt. First, open port 443 in the firewall.
sudo ufw allow 443/tcp
Then run the following command to install Let’s Encrypt client (certbot).
sudo apt install certbot
If you use Nginx, then you also need to install the Certbot Nginx plugin.
sudo apt install python3-certbot-nginx
Next, run the following command to obtain and install TLS certificate.
sudo certbot --nginx --agree-tos --redirect --hsts --staple-ocsp --email [email protected] -d syncthing.example.com
If you use Apache, install the Certbot Apache plugin.
sudo apt install python3-certbot-apache
And run this command to obtain and install TLS certificate.
sudo certbot --apache --agree-tos --redirect --hsts --staple-ocsp --email [email protected] -d syncthing.example.com
Where
--nginx: Use the nginx plugin.--apache: Use the Apache plugin.--agree-tos: Agree to terms of service.--redirect: Force HTTPS by 301 redirect.--hsts: Add the Strict-Transport-Security header to every HTTP response. Forcing browser to always use TLS for the domain. Defends against SSL/TLS Stripping.--staple-ocsp: Enables OCSP Stapling. A valid OCSP response is stapled to the certificate that the server offers during TLS.
The certificate should now be obtained and automatically installed.
Refresh your Syncthing Web GUI, you will find HTTP connection is automatically redirected to HTTPS secure connection.
Enable User Authentication
By default, anyone can access your Syncthing web interface after reverse proxy is setup. We can enable user authentication to restrict access. Click the Actions button on the upper-right corner, then select Settings -> GUI.
Enter a username in GUI Authentication User field, enter a password in GUI Authentication Password field. Then save your settings.
Please note that you don’t need to tick on the Use HTTPS for GUI box, which enables Syncthing to use a self-signed certificate. We have already installed a valid certificate in Apache/Nginx which is trusted by mainstream Web browsers.
Once you save the changes, restart Syncthing systemd service, or you might see a 502 bad gateway error when reloading the page.
sudo systemctl restart syncthing@username.service
Now log into the Syncthing Web interface with your new username and password.
Send-Only & Receive-Only Folders
When sharing a folder in Syncthing, you can go to the Advanced tab and choose one of three folder types:
- Send & Receive (default)
- Send Only
- Receive Only
You might want to choose send-only or receive-only. For example, If you have 3 computers: A, B, and C, and you want to aggregate folders on computer A and B to a single folder on computer C. Then you can set the folder type to receive-only on computer C. In this way, computer C will have all of the files in a single folder. Computer A and B still have the original files. No more and no less.
When you use the same folder path on computer C, Syncthing might warn you that “this path is a subdirectory of an existing folder”. You can ignore this warning because you have a receive-only folder. Existing files in the folder won’t be deleted.
Syncing via Relay Servers
If two Syncthing instances can’t connect to each other, then Syncthing will try to use a relay server to transfer files.
A common reason why they can’t connect to each other is that one of them is behind a NAT device and didn’t configure port forwarding. Once you configure port forwarding, you can disable relay servers. Here’s how. Click the Edit button and select the Advanced tab, Change the address from dynamic to tcp://ip-address:22000. Of course you need to use your real IP address.
Troubleshooting
If your Syncthing instances can’t connect to each other, you can use the ss (socket stats) utility to check if Syncthing is listening on TCP port 22000.
sudo ss -lnpt | grep syncthing
As you can see from the screenshot below, my Syncthing is listening on port 8384 (web interface) and 22000 (peer to peer connection).
If not, you can edit the configuration file.
nano ~/.config/syncthing/config.xml
Find the following line.
<listenAddress>default</listenAddress>
Change default to tcp://your-IP-address.
<listenAddress>tcp://12.34.56.78</listenAddress>
Save and close the file. Then restart Syncthing.
sudo systemctl restart syncthing@username.service
Missing the .stfoler File
The .stfoler file is required by Syncthing to work. This is an empty file. You don’t need to add anything to it. If the .stfolder file is missing under your sync folder, then the synchronization will stop. You can create the following Cron job to automatically create the file.
@hourly touch /path/to/sync/folder/.stfolder
The touch command will create the file if it’s missing. If the file already exists, it will update the file timestamp.
Wrapping Up
I hope this tutorial helped you install and use Syncthing on Debian. As always, if you found this post useful, then subscribe to our free newsletter to get more tips and tricks. Take care 🙂
Thanks for the great tutorial! As a variant without nginx, one can also enable network access to the WebGUI by changing the listening address in /home/syncthing/.config/syncthing/config.xml from 127.0.0.1:8384 to 0.0.0.0:8384 and then setting user authentication and/or https in the WebGUI. (See https://docs.syncthing.net/users/guilisten.html)
For another alternative to accessing the web gui, which usually is needed only occasionally one can simply create a temporary tunnel to the server:
and then just open the browser at
after doing your work, simply press ctrl+c in the terminal.
This way there is no safety risk in running a steady server for occasional accessing the gui.
Thanks for the guide. I found it extremely helpful!
Just thought I’d make a point of dropping a message to let you know your device ID is readable from the QR code you’ve included an image of so you may want to blur that (or otherwise obfuscate it) as well.
Oh! And your apache instructions didn’t work for me, but after a lot of trial and error the following did
RewriteEngine On ProxyRequests Off ProxyPreserveHost On ServerName syncthing.example.com ErrorDocument 404 /404.html ProxyPass / "http://localhost:8384/" ProxyPassReverse / "http://localhost:8384/" Require all granted ErrorLog ${APACHE_LOG_DIR}/syncthing_error.log CustomLog ${APACHE_LOG_DIR}/syncthing_access.log combinedArgh, that didn’t quite go the way I wanted sorry. See image. :/
Thanks for the nice tutorial. I am doing well up to and including getting two devices on my local network to sync files. But here is what I am trying to accomplish:
On the local network, which is accessible remotely with a dynamic DNS address alias, I have a Windows desktop and the Raspberrry Pi, with the Pi running continuously and acting as the server. We have two iPhones that need to sync with the Pi server wherever they are (much of the time remotely on some other network) and a desktop far away on another network, but which has its own dynamic dns and is accessible that way from anywhere.
I have Apache2 on the Pi because I originally thought I would need OwnCloud, but now I don’t really think that is necessary, plus I don’t really know how to set up Apache. So I would like to be able to connect to the instances of Syncthing on the other devices without the Apache setup, and I was thinking I could set up port-forwarding rules on each network that pointed one port to the Syncthing gui on the desktop and another port to the Syncthing gui on the Pi.
I just downloaded Mobius Sync for the phones and haven’t set them up yet.
Would appreciate any ideas…very new to Debian and similarly new to Syncthing.
I ran into “read only file system” issues – it turns out it was because I was trying to share a /usr/folder that was protected automatically by systemd.
Adding `ReadWritePaths=/usr/folder/` and daemon-reload + restarting the systemdb unit fixed it.
There’s a typo in “Missing the .stfoler File” and in the text under it. “.stfoler” should be “.stfolder”
I don’t know the update policy, but this manual needs one. This page still appears at the top of the search results for “how to install synching on Debian.”
The bit about the config file location is out of date. It’s now under $HOME/.local/state/syncthing”