Self-hosting Syncthing on OpenBSD

15 Mar 2025

Background

I set up 40gb of storage ($1/mo) on a remote server ($5/mo) through the Tech Independence guide, but the only way to access it was via FreeFileSync or WinSCP, and I don't care for either of these apps. I wanted a Dropbox / Google Drive-like experience where my files are available on multiple devices and automatically sync to the cloud. So I decided to achieve this with Syncthing and File Browser.

(See follow-up notes at: Self-hosting File Browser on OpenBSD.)

I referred to a bunch of guides & documentation while installing this, which I'm listing below in References. Email me suggestions for improvements.

What I did

Every step that has only text styled like this means that I typed/pasted it into PowerShell and pressed enter afterwards. When I use mg to edit a file, I save & exit by pressing ctrl + x, then ctrl + c (to exit), then y to save changes.

Install Syncthing on server

1. SSH into server
   • ssh username@server-ip-address
2. doas pkg_add syncthing
3. There was a warning, but I moved on
4. doas rcctl enable syncthing
5. doas rcctl start syncthing
6. Increase maximum open files for Syncthing
   • doas mg /etc/login.conf
   • Add to the bottom:

syncthing:\
        :openfiles-max=60000:\ 
        :tc=daemon:

7. doas cap_mkdb /etc/login.conf
8. doas mg /etc/sysctl.conf
   • Add to the bottom:

kern.maxfiles=80000

9. sysctl kern.maxfiles=80000
10. doas mg /etc/rc.d/syncthing
    • Add -gui-address=127.0.0.1:8384 to daemon_flags:

daemon_flags="-no-browser -gui-address=127.0.0.1:8384"

11. doas -u _syncthing -- syncthing -paths
    • Find path for config.xml
12. doas mg path/to/syncthing/config.xml
    • Find <gui enabled="true" ... > line
    • Add <insecureSkipHostcheck>true</insecureSkipHostcheck> to the section

Set up subdomain + security certificate

1. Set up syncthing.example.com subdomain
   • +doas mg /etc/relayd.conf
     • Add table <syncthing> { 127.0.0.1 } to the existing list
     • Add pass request quick header "Host" value "syncthing.example.com" forward to <syncthing> to the existing list
     • Add forward to <syncthing> port 8384 to the existing list
2. Set up security certificate for syncthing.example.com subdomain
   • doas mg /etc/acme-client.conf
     • Add syncthing.example.com
3. Update and apply new security certificate
   • doas su
   • domain=yourdomain.com
   • acme-client -v $domain
   • rcctl restart relayd
   • rcctl restart syncthing

Set up Syncthing's web GUI

Very important! Anyone can access this Syncthing website until authentication is set up.

1. Go to syncthing.yourdomain.com
2. Go to Settings > GUI
3. Create GUI Authentication User and generate GUI Authentication Password
4. Tick the box for Use HTTPS for GUI
5. Select Save

Give Syncthing access to /mnt

1. Go back to PowerShell
2. Create a new shared group
   • doas groupadd storagegroup
3. Add my user + Syncthing user to the new shared group
   • Confirm username with echo $USER, then replace $user in below steps with username
   • doas usermod -G storagegroup $user
   • doas usermod -G storagegroup _syncthing
4. Confirm that both users are in the new shared group
   • id $user
   • id _syncthing
   • See the new group on the list: 9999(storagegroup)
5. Change the group ownership of /mnt to the new shared user group and give the group read / write / execute permission
   • doas chown -R $user:storagegroup /mnt
   • doas chmod 770 /mnt
6. Check if Syncthing user can access /mnt
   • doas -u _syncthing find /mnt
   • A list of directories + files in /mnt displayed — huzzah! Syncthing has access
7. Restart Syncthing (to apply new permissions?)
   • doas rcctl restart syncthing
8. Set Syncthing's default folder to /mnt
   1. Go to syncthing.yourdomain.com
   2. Go to Settings > General > Default Configuration > Edit Folder Defaults
   3. Under the General tab, update Folder Path to /mnt
   4. Select Save

Install and set up Syncthing on my computer

1. Download the Syncthing Windows Setup
2. Open the .exe file and follow instructions (I didn't change any of the fields)
3. Upon completion, Syncthing's web GUI opens in my browser at 127.0.0.1:8384
4. Browser warns that connection is insecure (which is fine, because my localhost does not have a security certificate), so I continue to the page
5. Go to Settings > GUI
   1. Create a new GUI Authentication User and generate a new GUI Authentication Password
   2. Tick the box for Use HTTPS for GUI
   3. Select Save
6. Go to Settings > General > Default Configuration > Edit Folder Defaults
   1. Under the General tab, update Folder Path with preferred folder, e.g., D:\dump\sync
   2. Select Save

Connect my computer to server

1. Go to syncthing.yourdomain.com
   1. Go to This Device > Identification
   2. Copy the long string of characters above the QR code
2. Go to 127.0.0.1:8384
   1. Under Remote Devices, select Add Remote Device
   2. Paste the long string of characters into Device ID and enter a Device Name (my server name)
   3. Select Save
   4. Go to This Device > Identification
   5. Copy the long string of characters above the QR code
3. Go to syncthing.yourdomain.com
   1. Under Remote Devices, select Add Remote Device
   2. Paste the long string of characters into Device ID and enter a Device Name (my computer name)
   3. Select Save
4. Both Syncthing websites update when the devices are recognized, with a green "Connected (Unused)" status next to the device names

Create a folder to sync

1. Go to 127.0.0.1:8384
   1. Select Add Folder
   2. Under General
      1. Add a Folder Label
      2. Select Folder Path (a prettier Folder ID makes a prettier Folder Path, but be mindful of keeping them unique to prevent collisions)
      3. Select Save
   3. Go to Sharing > Unshared Devices
      1. Add a tick next to my server name
      2. Select Save
2. Go to syncthing.yourdomain.com
   1. Accept the share & set up a folder on the server
3. Both Syncthing websites recognize the shared folder, with a green "Up to Date" status next to the device names and folders
4. Confirm things sync
   1. Add a hello.txt file to my computer's sync folder
   2. Go back to PowerShell
   3. find /mnt
   4. See my hello.txt file listed

My newbie mistakes

I unmounted my /mnt storage with m-x per the Tech Independence guide and saw this error:

umount: /mnt: Device busy
unmounted

Oops. I kind of thought this would be a bad idea and did it anyway. I live life on the edge like that.

I then tried to remount and saw this error:

/mnt: filesystem must be mounted read-only; you may need to run fsck

On syncthing.example.com, there were big yellow notices about a missing path and the shared folder had a red "Stopped" status next to its name.

So to fix this situation, I did the following:

1. Stop Syncthing from running
   • doas rcctl stop syncthing
2. Unlock the encrypted storage
   • doas bioctl -c C -l sd1a softraid0
3. Run the file check
   • doas fsck /dev/sd2a
4. Mark file system clean?
   • y
5. Check what's in there
   • find /mnt
   • Looks like all the folders & files are still in there...
6. Unmount it and remount it, check that everything works as usual again
   • m-x
   • m
7. Start Syncthing again
   • doas rcctl start syncthing

In the future, I'll stop + start Syncthing as needed:

• Before unmounting: doas rcctl stop syncthing
• After mounting: doas rcctl start syncthing

I will eventually figure out how to add this to the m and m-x shortcuts.

References

I read the following guides, documentation, and posts while learning how to do the stuff above. I also used ChatGPT to explain some stuff.

• How to install Syncthing on OpenBSD (every guide was different, so I did the stuff that was the same)
  • Syncthing server setup on OpenBSD
  • Syncthing on OpenBSD
  • How to Run Syncthing as a Daemon on OpenBSD
  • Running Syncthing on OpenBSD
  • The net/syncthing port
• What is my encrypted storage anyway (what's softraid?)
  • The ti.sh shell script
  • softraid(4)
• OpenBSD manual pages (what is all this stuff I'm typing into PowerShell?)
• Syncthing docs & forum
  • Syncthing Configuration
  • Can't create directory
  • What’s a gui authentication user
  • WARNING: Don’t leave your web GUI open to the world
  • Folder ID: what does it do?
  • Nginx reverse proxy config should explicitly set 'proxy_set_header Host localhost'
• Github issues & StackExchange posts
  • Mounting a device — role of /dev, /media and /mnt, and the mount command
  • What are the daemon user and group for?
  • How do I remove a directory and all its contents?
  • Periodic connection losses to webui because docker image doesn't support upgrade
  • javascript /rest/system/upgrade Error 500

Notes

• syncthing cloud backup...in 5 mins? via Easypanel on Linux
• racknerd + easypanel: self-hosting tips