Syncthing in Qubes OS

Hello there.
I have a qube set up to run Syncthing, which I use to sync my data between my laptop and my Android device. It works only when I allow global discovery and relays in the Syncthing configuration. I am looking for a method so that my syncing works with local network discovery only. Can a VM be allowed, via an SSH tunnel or port forward, to reach the other device? What if I want to use a ProxyVM for my Syncthing qube? Is it possible? I do not have much understanding of the Qubes firewall, so any help will be appreciated.

You’ll probably have to port-forward. But one thing you may be able to do is use the qube’s firewall settings to only allow access to the local network. Then you shouldn’t have to worry about it reaching to the global relays.

I am not using Syncthing for some time now, but what I remember is that if you turn off global discovery it is good to point each of the clients to the exact IP address of the other one, and it works then. So in this case set the phone IP to static and point the AppVM Syncthing client to this IP. For the Qubes firewall you may set it in the AppVM settings to limit outgoing connections to only this one IP, for example 192.168.1.50/32.

How to do that?

Adding 192.168.1.1/24 to “Limit outgoing internet connections to…” on the “Firewall rules” tab on the qube settings, I would say.


I’m bumping an old thread, but I hope others will find the help, as I haven’t been able to find any newbie-friendly steps to get this working. I created VMs off the Debian template and edited the firewall rules in the qube settings. However, I still cannot get local discovery and I’m not able to connect. Can someone who has a working Syncthing please help me/us out?

Adding 192.168.1.1/24 to “Limit outgoing internet connections to…” on the “Firewall rules” tab on the qube settings, I would say.

I did this

I am not using Syncthing for some time now, but what I remember is that if you turn off global discovery it is good to point each of the clients to the exact IP address of the other one, and it works then. So in this case set the phone IP to static and point the AppVM Syncthing client to this IP. For the Qubes firewall you may set it in the AppVM settings to limit outgoing connections to only this one IP, for example 192.168.1.50/32.

I have it pointing to my IP address on a different computer.

It could be that Syncthing has to connect first to relay servers in order to identify that your other computer is on the local network. But at this point it’s not an issue with Qubes. You could try looking up how to use Syncthing exclusively on a local network / offline.

I had Syncthing working successfully. Now I needed to reinstall Qubes OS and I don’t get it running anymore, not in a Debian qube nor in a Fedora qube. Syncthing version is 1.19.2 … It simply does nothing, meaning after install even ‘syncthing -v’ does not lead to a result.

Anybody else with this issue? In the Syncthing GitHub there is no indication that there is a problem with Syncthing.

I have Syncthing running in my local network.
For this, I created a Syncthing qube, and whenever I need to sync something, I open the firewall with unman’s script: in.sh add <syncthing-qube> tcp 22000

When syncing between two Qubes systems, only one of them has to open the port for them to connect. I have disabled global and local discovery.

This script opens the port only temporarily; if you want this to persist, you could add the corresponding command to your ~/.profile for it to be executed on login.

Hello,

I’m pretty new to Qubes, so this might be a dumb question:
Is it possible for a Syncthing instance in its own qube to sync files in another qube?

I would like to maintain my KeePass DB synced between my phone and computer, and do it properly.

Thanks,

- me.

What has this to do with syncing between qubes?

I believe the OP means something like this:

vault <--- qrexec? ---> sys-usb <--- USB ---> phone
(db)                    (syncthing)

Thank you

I’m going to try to clarify a bit what I’m trying to say. I could be saying nonsense, since I’m really new to Qubes OS.

What I have:

  • A KeePass DB inside a vault qube.
  • A KeePass DB inside my phone.

What would be the most correct way of synchronizing those two DBs?
Because having a vault qube connected to the internet with Syncthing running on it seems like a bad idea, so there should be a better way.

If using Syncthing in this case would prove impossible or insecure, I would look into ways of synchronizing it via USB and a script or something like that. But that’s out of the scope of this thread.

Best regards,
- me.

There is no most correct. The most secure I could think of would be:

  1. Create an extra qube with syncthing
  2. Create a dom0 script that does the following:
    2.1 shut down KeePass in your vault
    2.2 start sync qube, copy the db into your syncthing qube
    2.4 open the port
    2.5 close it after syncing is complete and optionally remove network capabilities, delete the file and shut it down

This ensures that no network touches your vault.

However there are a few caveats: For example, that your phone most likely now is the weak point, which makes an isolated vault not totally unnecessary, but… well maybe in that case you may just install syncthing in your vault and give it selectively network to sync, while preemptively closing the vault so that the db is never open when network is applied. All of those decisions are yours, as you have to balance simplicity and ease of use against your desired need for security.

Tip for opening the ports: unman’s script
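As an added example that is not from the thread or from unman: a dom0 script that carries out the steps listed above (close KeePass, copy the DB into a separate Syncthing qube, restrict it to the phone's /32 as suggested earlier, open port 22000 with in.sh, then cut the network and shut the qube down). Qube names, the .kdbx path, KeePassXC as the client, the Syncthing folder id, the REST polling and the in.sh invocation are assumptions; DRY_RUN=1 prints the plan without touching any qube.

```shell
#!/bin/sh
# Added example, not from the thread: a dom0 script that carries out the
# "extra sync qube + dom0 script" steps above. Qube names, the .kdbx path,
# KeePassXC as the client, the Syncthing folder id and the in.sh invocation
# (only "add" appears in the thread) are assumptions.
set -eu
VAULT=vault            # assumed name of the offline vault qube
SYNC=sync-st           # assumed name of the Syncthing qube
DB=Passwords.kdbx      # assumed database filename (same in both qubes)
PHONE=192.168.1.50/32  # the phone's static LAN address, as in the thread
NETVM=sys-firewall     # assumed NetVM, attached only while syncing

# Every dom0 action goes through run(): DRY_RUN=1 prints the plan instead
# of touching any qube, so the sequence can be reviewed before a real run.
run() { if [ "${DRY_RUN:-0}" = 1 ]; then printf '%s\n' "$*"; else eval "$*"; fi; }

# Runs inside the sync qube: poll Syncthing's REST API (key read from the
# 1.x config path) until the assumed 'keepass' folder reports 100% completion.
WAIT_SYNCED='K=$(grep -oP "(?<=<apikey>)[^<]+" ~/.config/syncthing/config.xml);
until curl -s -H "X-API-Key: $K" "http://127.0.0.1:8384/rest/db/completion?folder=keepass" | grep -Eq "\"completion\": *100"; do sleep 5; done'

sync_keepass() {
  # 2.1: the database must not be open while the sync qube is networked.
  run "qvm-run --quiet $VAULT 'pkill keepassxc || true'"
  # 2.2: start the sync qube and push the vault's copy into it over qrexec.
  run "qvm-start --skip-if-running $SYNC"
  run "qvm-run --pass-io $VAULT 'cat $DB' | qvm-run --pass-io $SYNC 'cat > Sync/$DB'"
  # Outgoing rules, the /32 idea from the thread: only the phone, only port 22000.
  run "qvm-firewall $SYNC reset"
  run "qvm-firewall $SYNC del --rule-no 0"
  run "qvm-firewall $SYNC add accept $PHONE tcp 22000"
  run "qvm-firewall $SYNC add drop"
  # 2.4: attach the NetVM and open the inbound port with unman's script.
  run "qvm-prefs $SYNC netvm $NETVM"
  run "./in.sh add $SYNC tcp 22000"
  run "qvm-run --pass-io $SYNC '$WAIT_SYNCED'"
  # 2.5: drop the network (in.sh's rule is temporary anyway), pull the synced
  # copy back into the vault, scrub the sync qube and shut it down.
  run "qvm-prefs $SYNC netvm ''"
  run "qvm-run --pass-io $SYNC 'cat Sync/$DB' | qvm-run --pass-io $VAULT 'cat > $DB'"
  run "qvm-run --quiet $SYNC 'shred -u Sync/$DB'"
  run "qvm-shutdown --wait $SYNC"
}

case "${1:-}" in
  --plan) DRY_RUN=1; sync_keepass ;;   # print what would be done
  --run)  sync_keepass ;;              # do it
  *) echo "usage: $0 --plan | --run" >&2 ;;
esac
```

Copying the synced file back into the vault goes one step beyond the list above, since a phone-side change is otherwise never seen by the vault.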

I know this is not 100% a Qubes-related problem, and I am absolutely certain that you do not try to be mean.

However, the port forwarding in Qubes necessary for this is a Qubes problem, and without your script it is complicated and awful to set up.

Also, thinking about how to set up a compartmentalized system that offers maximum security for the objective is a nice little Qubes problem 🙂

Sorry for necroing, but this randomly popped up and I think it is a worthy thing to solve in a Qubes way.


I would never, ever keep my whole KeePass DB on the phone, and especially not transfer it to the vault and use it from there then…