blog-contributions/opsec/syncthingvpn/index.html

379 lines
15 KiB
HTML
Raw Normal View History

2024-11-02 15:37:11 +01:00
<!DOCTYPE html>
<html lang="en">
<head>
<meta charset="utf-8">
<meta http-equiv="X-UA-Compatible" content="IE=edge">
<meta name="viewport" content="width=device-width, initial-scale=1.0">
<meta name="description" content="">
<meta name="author" content="">
<link rel="shortcut icon" href="../../../../../../assets/img/favicon.png">
<title>One-on-One Large File Sharing (Syncthing over VPN)</title>
<!-- Bootstrap core CSS -->
<link href="../../assets/css/bootstrap.css" rel="stylesheet">
<link href="../../assets/css/xt256.css" rel="stylesheet">
<!-- Custom styles for this template -->
<link href="../../assets/css/main.css" rel="stylesheet">
<!-- HTML5 shim and Respond.js IE8 support of HTML5 elements and media queries -->
<!--[if lt IE 9]>
<script src="https://oss.maxcdn.com/libs/html5shiv/3.7.0/html5shiv.js"></script>
<script src="https://oss.maxcdn.com/libs/respond.js/1.3.0/respond.min.js"></script>
<![endif]-->
</head>
<body>
<!-- Static navbar -->
<div class="navbar navbar-inverse-anon navbar-static-top">
<div class="container">
<div class="navbar-header">
<button type="button" class="navbar-toggle" data-toggle="collapse" data-target=".navbar-collapse">
<span class="icon-bar"></span>
<span class="icon-bar"></span>
<span class="icon-bar"></span>
</button>
<a class="navbar-brand-anon" href="\index.html">The Nihilism Blog</a>
</div>
<div class="navbar-collapse collapse">
<ul class="nav navbar-nav navbar-right">
<li><a href="/about.html">About</a></li>
<li><a href="/blog.html">Categories</a></li>
<li><a href="https://blog.nowhere.moe/donate.html">Donate</a></li>
<li><a href="/contact.html">Contact</a></li>
</ul>
</div><!--/.nav-collapse -->
</div>
</div>
<!-- +++++ Posts Lists +++++ -->
<!-- +++++ First Post +++++ -->
<div id="anon2">
<div class="container">
<div class="row">
<div class="col-lg-8 col-lg-offset-2">
<a href="../index.html">Previous Page</a></br></br><p><img src="../../assets/img/user.png" width="50px" height="50px"> <ba>XMRonly - 2024 / 11 / 01</ba></p>
<h1>One-on-One Large File Sharing (Syncthing over VPN)</h1>
<img src="0.png" style="width:250px">
<p> </p>
</div>
</div><!-- /row -->
</div> <!-- /container -->
</div><!-- /grey -->
<!-- +++++ Second Post +++++ -->
<div id="anon3">
<div class="container">
<div class="row">
<div class="col-lg-8 col-lg-offset-2">
<h2><b>Introduction</b></h2>
<p>
While many methods of sending files online exist - methods such as email attachments, FTP, <a href=https://blog.nowhere.moe/opsec/onionshare/index.html target=_blank>OnionShare</a> and even <a href=https://blog.nowhere.moe/opsec/p2ptorrents/index.html target=_blank>torrenting</a> - all of these methods have one thing in common. Once a file has been sent, no further changes to that file are tracked. For the use-case where you want to not only send a file or a group of files but also receive any updates to the file(s), that is where Syncthing comes in. Syncthing is a FOSS continous file synchronization program that enables users to securely share files across multiple devices in a decentralized manner. It uses peer-to-peer technology to ensure that data is end-to-end encrypted and transferred directly between enabled devices, eliminating any need for centralized cloud services. Syncthing can be completely self-hosted and is very versatile as sync locations can be a home server, VPS, mobile device or even a friend's computer! In this article, we will explore how Sam can set up Syncthing to privately share large files with Larry and track changes to those files, all while using a VPN to mask their internet activity.
</p>
</div>
</div><!-- /row -->
</div> <!-- /container -->
</div><!-- /white -->
<div id="anon2">
<div class="container">
<div class="row">
<div class="col-lg-8 col-lg-offset-2">
<h2><b>Setup</b></h2> </br> </br>
<p>
We start from the perspective of both Sam and Larry as both will complete these initial steps.
<br>
<img src="sam.png"> <img src="larry.png">
</p>
<p>
Sam and Larry are both using Debian and are on separate internet connections geographically distant from one another. It is presumed that both Sam and Larry have already purchased a subscription to a <a href=https://blog.nowhere.moe/opsec/vpn/index.html target=_blank>VPN</a>. For this example we will use Proton VPN, but other <a href=https://kycnot.me/?t=service&q=vpn target=_blank>non-KYC VPNs</a> that accept Monero, such as Mullvad, may also be used. To start, they will sign in to their VPN client, ensure kill switch is enabled in the Settings, connect to their VPN and verify their IP address.
<img src="1.png" class="imgRz">
</p>
<p>
Syncthing works by end-to-end encrypting files and sending them over the internet. To do this, Syncthing uses a <a href=https://docs.syncthing.net/users/stdiscosrv.html target=_blank>discovery server</a> to find peers and the Syncthing project maintains a global cluster of discovery servers for public use. If establishing a direct connection between devices is not possible, Syncthing will automatically use community-contributed publicly available <a href=https://docs.syncthing.net/users/strelaysrv.html target=_blank>relay servers</a> to route the file transfer instead. Because Syncthing is end-to-end encrypted, there is no need to trust these servers as they cannot read anything going through. With that being said, because Syncthing is fully open-source, it is possible to self-host both discovery and relay servers, but such configurations are beyond the scope of this article.
<br>
<br>
For self-hosting a working Syncthing instance, the official <a href=https://github.com/syncthing/syncthing/blob/main/README-Docker.md target=_blank>docker compose</a> instructions are as follows:
<pre>
<code class="nim">
---
version: "3"
services:
syncthing:
image: syncthing/syncthing
container_name: syncthing
hostname: my-syncthing
environment:
- PUID=1000
- PGID=1000
volumes:
- /wherever/st-sync:/var/syncthing
ports:
- 8384:8384 # Web UI
- 22000:22000/tcp # TCP file transfers
- 22000:22000/udp # QUIC file transfers
- 21027:21027/udp # Receive local discovery broadcasts
restart: unless-stopped
healthcheck:
test: curl -fkLsS -m 2 127.0.0.1:8384/rest/noauth/health | grep -o --color=never OK || exit 1
interval: 1m
timeout: 10s
retries: 3
</code>
</pre>
</p>
<p>
For this article, however, both Sam and Larry will install Syncthing on their computers from their package managers according to the <a href=https://apt.syncthing.net/ target=_blank>official instructions</a> rather than self-hosting an instance:
<pre>
<code class="nim">
# Add the release PGP keys:
sudo mkdir -p /etc/apt/keyrings
sudo curl -L -o /etc/apt/keyrings/syncthing-archive-keyring.gpg https://syncthing.net/release-key.gpg
# Add the "stable" channel to your APT sources:
echo "deb [signed-by=/etc/apt/keyrings/syncthing-archive-keyring.gpg] https://apt.syncthing.net/ syncthing stable" | sudo tee /etc/apt/sources.list.d/syncthing.list
# Update and install syncthing:
sudo apt-get update
sudo apt-get install syncthing
</code>
</pre>
</p>
<p>
Both Sam and Larry will create a systemd unit to automate the process of starting Syncthing. Sam and Larry will both replace <b>USER</b> with their respective usernames.
<pre>
<code class="nim">
# Download the recommended systemd unit from the official Syncthing repository
wget "https://raw.githubusercontent.com/syncthing/syncthing/main/etc/linux-systemd/system/syncthing%40.service"
# Make the file owned by root
sudo chown root: syncthing\@.service
# Move the file to the appropriate directory
sudo mv syncthing\@.service /etc/systemd/system
# Reload the daemon with the changes made
sudo systemctl daemon-reload
# Enable the service on startup
sudo systemctl enable syncthing@<b>USER</b>
# Start the service
sudo systemctl start syncthing@<b>USER</b>
# Check the status
sudo systemctl status syncthing@<b>USER</b>
# Example output for Sam
syncthing@sam.service - Syncthing - Open Source Continuous File Synchronization for sam
Loaded: loaded (/etc/systemd/system/syncthing@.service; <font color="5af68d"><b style="color:inherit; background-color:inherit; border:none">enabled</b></font>; preset: enabled)
Active: <font color="5af68d"><b style="color:inherit; background-color:inherit; border:none">active (running)</b></font> since Fri 2024-10-25 12:15:35 EDT; 1h 46min ago
Docs: man:syncthing(1)
Main PID: 3634 (syncthing)
Tasks: 17 (limit: 4622)
Memory: 35.8M
CPU: 19.790s
CGroup: /system.slice/system-syncthing.slice/syncthing@sam.service
\u251c\u25003634 /usr/bin/syncthing serve --no-browser --no-restart --logflags=0
\u2514\u25003641 /usr/bin/syncthing serve --no-browser --no-restart --logflags=0
</code>
</pre>
</p>
<p>
Syncthing is now running as a daemon, and will sync files in the background. Because of its continuous file synchronization, file transfers will restart automatically should any interruptions in VPN connection or power supply occur.
</p>
<p>
Sam and Larry will navigate to <b>localhost:8384</b> in their browsers to open the Syncthing web GUI. Sam and Larry are greeted with an option to allow anonymous reporting, which they can accept or deny.
<img src="2.png" class="imgRz">
</p>
<p>
Sam and Larry may choose to password protect their Syncthing web GUI, but in this article we'll just click OK.
<img src="3.png" class="imgRz">
</p>
<p>
We will switch to Larry's perspective.
<br>
<img src="larry.png">
</p>
<p>
Larry clicks on Actions -> Show ID to get the ID of his device.
<img src="4.png" class="imgRz">
</p>
<p>
Larry now starts a <a href=https://blog.nowhere.moe/opsec/anonsimplex/index.html target=_blank>SimpleX</a> chat with Sam using disappearing messages and sends his Syncthing Device ID.
<img src="5.png" class="imgRz">
</p>
<p>
We will switch to Sam's perspective.
<br>
<img src="sam.png">
</p>
<p>
Syncthing adds a Default Folder at <b>/home/sam/Sync</b> which will be used to share files. This can of course be changed if desired. Sam clicks to Add Remote Device and adds Larry's Device ID. Sam adds a Device Name as well.
<img src="6.png" class="imgRz">
</p>
<p>
Sam has 10GB of "Linux ISOs" he wants to share with Larry. Sam will start by moving the desired files to <b>/home/sam/Sync</b>.
<pre>
<code class="nim">
sam@debian:~$ mv *.iso /home/sam/Sync && ls -lh /home/sam/Sync
total 11G
-rw-r--r-- 1 sam sam 2.9G Oct 27 12:56 linux-1.iso
-rw-r--r-- 1 sam sam 2.9G Oct 30 09:18 linux-2.iso
-rw-r--r-- 1 sam sam 2.9G Oct 30 09:18 linux-3.iso
-rw-r--r-- 1 sam sam 1.5G Oct 26 17:06 linux-4-broken.iso
</code>
</pre>
</p>
<p>
From there, Syncthing will automatically detect the files and scan them.
<img src="7.png" class="imgRz">
</p>
<p>
Once scanning is complete, Sam is ready to share the files with Larry. On the Default Folder, Sam clicks Edit -> Sharing -> larry-computer and Save.
<img src="8.png" class="imgRz">
</p>
<p>
We will switch to Larry's perspective.
<br>
<img src="larry.png">
</p>
<p>
Larry receives a notification that Sam wants to connect and share something with him. Larry accepts the connection and shared Default Folder.
<img src="9.png" class="imgRz">
</p>
<p>
Notice how the IP address that is shown to Larry is that of a Syncthing relay server like mentioned previously. If a direct connection had been established, Sam's VPN IP address would have been shown instead.
<img src="10.png" class="imgRz">
</p>
<p>
The file transfer starts.
<br>
<img src="11.png" class="imgRz">
</p>
<p>
Once finished, Larry has a complete copy of all of the files in <b>/home/larry/Sync</b>. Larry notices that Sam sent a Linux ISO that is broken. Larry fixes this broken Linux ISO and also adds a Linux ISO of his own to the shared folder.
<br>
<img src="12.png" class="imgRz">
</p>
<p>
Back to Sam's perspective.
<br>
<img src="sam.png">
</p>
<p>
Because the file transfer is bi-directional by default, the changes that Larry made are synced back to Sam!
<pre>
<code class="nim">
sam@debian:~$ ls -lh /home/sam/Sync
total 12G
-rw-r--r-- 1 sam sam 1.5G Oct 30 10:47 larry-favorite.iso
-rw-r--r-- 1 sam sam 2.9G Oct 27 12:56 linux-1.iso
-rw-r--r-- 1 sam sam 2.9G Oct 30 09:18 linux-2.iso
-rw-r--r-- 1 sam sam 2.9G Oct 30 09:18 linux-3.iso
-rw-r--r-- 1 sam sam 1.5G Oct 26 17:06 linux-4-fixed.iso
</code>
</pre>
</p>
</div>
</div><!-- /row -->
</div> <!-- /container -->
</div><!-- /white -->
<!-- +++++ Second Post +++++ -->
<div id="anon1">
<div class="container">
<div class="row">
<div class="col-lg-8 col-lg-offset-2">
<h2><b>Conclusion</b></h2> </br> </br>
<p>
Sam was able to privately share 10GB of files and automatically receive changes to those files all while keeping his internet activity hidden. Notice how Larry was able to overwrite a file that Sam originally shared. There may be cases where this is undesirable and this option can be changed under Default Folder -> Edit -> Advanced and selecting either Send Only or Receive Only.
<img src="13.png" class="imgRz">
</p>
</div>
</div><!-- /row -->
</div> <!-- /container -->
</div><!-- /white -->
<!-- +++++ Footer Section +++++ -->
<div id="anonb">
<div class="container">
<div class="row">
<div class="col-lg-4">
<h4>Nihilism</h4>
<p>
Until there is Nothing left.</p></br></br><p>Creative Commons Zero: No Rights Reserved</br><img src="\CC0.png">
</p>
</div><!-- /col-lg-4 -->
<div class="col-lg-4">
<h4>My Links</h4>
<p>
<a target="_blank" rel="noopener noreferrer" href="http://blog.nowhere.moe/rss/feed.xml">RSS Feed</a><br/><a target="_blank" rel="noopener noreferrer" href="https://simplex.chat/contact#/?v=2-7&smp=smp%3A%2F%2FL5jrGV2L_Bb20Oj0aE4Gn-m5AHet9XdpYDotiqpcpGc%3D%40nowhere.moe%2FH4g7zPbitSLV5tDQ51Yz-R6RgOkMEeCc%23%2F%3Fv%3D1-3%26dh%3DMCowBQYDK2VuAyEAkts5T5AMxHGrZCCg12aeKxWcpXaxbB_XqjrXmcFYlDQ%253D&data=%7B%22type%22%3A%22group%22%2C%22groupLinkId%22%3A%22c3Y-iDaoDCFm6RhptSDOaw%3D%3D%22%7D">SimpleX Chat</a><br/>
</p>
</div><!-- /col-lg-4 -->
<div class="col-lg-4">
<h4 class="readable">About nihilist</h4>
<p style="word-wrap: break-word;"><u>Donate XMR:</u>
8AUYjhQeG3D5aodJDtqG499N5jXXM71gYKD8LgSsFB9BUV1o7muLv3DXHoydRTK4SZaaUBq4EAUqpZHLrX2VZLH71Jrd9k8
</p></br>
<p style="word-wrap: break-word;"><u>Donate XMR to the author:</u>
8AHNGepbz9844kfCqR4aVTCSyJvEKZhtxdyz6Qn8yhP2gLj5u541BqwXR7VTwYwMqbGc8ZGNj3RWMNQuboxnb1X4HobhSv3</p>
<p class="readable"><u>Contact:</u> nihilist@contact.nowhere.moe (<a
href="https://nowhere.moe/nihilist.pubkey">PGP</a>)</p>
</div><!-- /col-lg-4 -->
</div>
</div>
</div>
<!-- Bootstrap core JavaScript
================================================== -->
<!-- Placed at the end of the document so the pages load faster -->
</body>
</html>