Syncthing Docker Guide: Secure Multi-Device File Sync Without Clouds
Sync files directly and securely between your devices without third-party clouds. Learn how to deploy Syncthing on a VPS using Docker Compose.
How to Self-Host Syncthing on a VPS with Docker Compose
Self-hosting Syncthing on a Virtual Private Server (VPS) allows you to establish a secure, centralized, and "always-on" node for syncing files across multiple devices (desktops, laptops, phones) without relying on public cloud storage providers like Google Drive, Dropbox, or OneDrive.
This technical guide walks you through deploying Syncthing using Docker Compose, configuring network ports, securing the web administration GUI, and establishing connection settings between your devices.
Why a VPS Syncthing Node?
In a standard peer-to-peer (P2P) setup, Syncthing requires both devices to be online concurrently to sync files. By hosting a node on an always-on VPS, you create a central hub:
1. Asynchronous Sync: Device A uploads changes to the VPS. When Device B comes online later, it pulls those changes from the VPS.
2. Data Backup: The VPS serves as an off-site replica of your shared directories.
3. NAT Traversal Avoidance: Because the VPS has a public IP address, your devices can connect directly to it, bypass symmetric NAT firewalls, and maximize transfer speeds without relying on slow public relay servers.
1. Prerequisites
Before starting, ensure your VPS meets the following requirements:
- A Linux-based VPS (Ubuntu 22.04 LTS or Debian 12 recommended).
- Docker and Docker Compose installed.
- Non-root user with sudo privileges.
- A registered domain or subdomain pointing to your VPS IP address (if you intend to use a reverse proxy for TLS encryption).
2. Docker Compose Configuration
Create a dedicated project directory to manage your Docker Compose assets:
mkdir -p ~/syncthing/{config,data}
cd ~/syncthing
Create a docker-compose.yml file:
version: '3.8'
services:
  syncthing:
    image: syncthing/syncthing:latest
    container_name: syncthing
    hostname: vps-syncthing
    environment:
      - PUID=1000
      - PGID=1000
      - TZ=Etc/UTC
    volumes:
      - ./config:/var/syncthing/config
      - ./data:/var/syncthing/data
    ports:
      - "8384:8384"       # Web GUI (reachable directly unless firewalled, or routed via reverse proxy)
      - "22000:22000/tcp" # Protocol listening port (TCP)
      - "22000:22000/udp" # Protocol listening port (QUIC/UDP)
      - "21027:21027/udp" # Local discovery (optional, usually not needed on a VPS)
    restart: unless-stopped
    security_opt:
      - no-new-privileges:true
Configuration Details:
- PUID/PGID: Matches the user ID and group ID of the host system's user (usually 1000). This prevents file ownership issues where root-created files inside the container are unreadable by the host. Run id -u and id -g to check.
- Volumes: The config directory preserves settings, certificates, and database indexes. The data directory is where synced directories will reside.
- Port 22000 (TCP/UDP): Used for actual device syncing. Opening both TCP and UDP (QUIC) is critical for performance and connection stability.
- Port 8384: The Web Admin GUI. By default, the official image configures the GUI to listen only on 127.0.0.1:8384 or 0.0.0.0:8384 depending on internal settings. In Docker, it maps to 0.0.0.0:8384 inside the virtual bridge network.
3. Firewall Configuration
Your VPS firewall must permit traffic on the sync ports. If you are using ufw (Uncomplicated Firewall), configure it as follows:
# Allow Syncthing sync ports
sudo ufw allow 22000/tcp
sudo ufw allow 22000/udp
# (Optional) Allow Web GUI only from a specific IP for maximum security
# Replace 'YOUR_HOME_IP' with your actual public IP
sudo ufw allow from YOUR_HOME_IP to any port 8384 proto tcp
# Apply changes
sudo ufw reload
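If you do not restrict access to port 8384 via firewall, anyone who can reach the port can open your Syncthing GUI until you set credentials. Be aware that, by default, Docker publishes container ports through its own iptables rules, which are evaluated before ufw's, so a port published as "8384:8384" can remain reachable despite the ufw rule above. Binding the port to 127.0.0.1 (Option A in section 5) avoids this.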
4. Launching Syncthing
Deploy the container using Docker Compose:
docker compose up -d
Verify that the container is running and check the logs:
docker compose logs -f
5. Securing the Web Admin GUI
When running Syncthing on a remote VPS, you must secure the Web GUI. You have two primary options:
Option A: SSH Port Forwarding (Most Secure)
If you do not want to expose the Web GUI to the public internet at all, modify docker-compose.yml to publish port 8384 only on the host's loopback interface:
    ports:
      - "127.0.0.1:8384:8384"
      - "22000:22000/tcp"
      - "22000:22000/udp"
Apply the changes:
docker compose up -d
From your local machine, open an SSH tunnel to connect:
ssh -L 9090:127.0.0.1:8384 user@your-vps-ip
Open your local web browser and navigate to http://127.0.0.1:9090 to securely access the remote VPS Syncthing configuration interface.
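An added example (not part of the original guide): a pre-deployment check that classifies how a Compose file publishes the GUI port, so the "8384:8384" mapping from section 2 is flagged and the Option A loopback binding is confirmed. The function name gui_exposure and the sample files are constructed for illustration; only the short port syntax used in this guide is parsed.

```shell
#!/bin/sh
# Added example: classify how a Compose file publishes the Syncthing GUI port.
# Assumes the short "HOST_IP:HOST_PORT:CONTAINER_PORT" syntax used in this guide;
# the long (target/published/host_ip) form is not parsed.
# gui_exposure FILE [PORT] prints: loopback | exposed | unpublished
gui_exposure() {
    awk -v port="${2:-8384}" -v sq="'" '
        /^[ \t]*#/ || /^[ \t]*$/ { next }            # comment-only or blank line
        /^[ \t]*ports:[ \t]*(#.*)?$/ { in_ports = 1; next }
        in_ports && /^[ \t]*-/ {
            m = $0
            sub(/[ \t]+#.*$/, "", m)                 # trailing comment
            sub(/^[ \t]*-[ \t]*/, "", m)             # list marker
            gsub(/"/, "", m); gsub(sq, "", m)        # YAML quotes
            sub(/[ \t]+$/, "", m)
            sub(/\/(tcp|udp)$/, "", m)               # protocol suffix
            n = split(m, f, ":")
            if (f[n] != port) next                   # some other container port
            ip = ""
            if (n >= 3) { ip = m; sub(/:[^:]*:[^:]*$/, "", ip) }
            if (ip ~ /^127\./ || ip == "[::1]") loopback = 1
            else exposed = 1                         # no host IP means all interfaces
            next
        }
        { in_ports = 0 }                             # any other line ends the list
        END { print (exposed ? "exposed" : (loopback ? "loopback" : "unpublished")) }
    ' "$1"
}

# Constructed sample input: the two "ports:" variants shown in this guide.
demo_dir=$(mktemp -d)
printf '%s\n' 'services:' '  syncthing:' '    ports:' \
    '      - "8384:8384" # Web GUI' '      - "22000:22000/tcp"' > "$demo_dir/section2.yml"
printf '%s\n' 'services:' '  syncthing:' '    ports:' \
    '      - "127.0.0.1:8384:8384"' '      - "22000:22000/udp"' > "$demo_dir/option_a.yml"
for f in "$demo_dir"/*.yml; do
    printf '%s: %s\n' "${f##*/}" "$(gui_exposure "$f")"
done
rm -rf "$demo_dir"
```

On a deployed host, `docker compose port syncthing 8384` shows the address Docker actually bound, which should agree with the classification.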
Option B: Reverse Proxy with TLS (Nginx or Caddy)
If you require access to the GUI from anywhere without SSH, put Syncthing behind a reverse proxy like Caddy or Nginx with Let's Encrypt certificates.
Example Caddy configuration (/etc/caddy/Caddyfile):
syncthing.yourdomain.com {
    reverse_proxy 127.0.0.1:8384
    # Enforce basic authentication (highly recommended)
    # Generate password hash with: caddy hash-password
    basicauth {
        admin JDJhJDE0JG5x...
    }
}
Once you access the Web GUI for the first time, immediately go to Settings > GUI and configure a strong GUI Authentication User and GUI Authentication Password.
6. Linking Devices and Folders
With the VPS Syncthing node running, you can connect it to your local devices.
Step 1: Retrieve the VPS Device ID
- Open the VPS Syncthing Web GUI.
- In the top right corner, click Actions > Show ID.
- Copy the long alphanumeric string or keep the QR code visible.
Step 2: Add VPS Node to Local Device
- Open Syncthing on your local device (e.g., Syncthing-GTK on desktop or Syncthing on Android).
- Under Remote Devices, click Add Remote Device.
- Enter the VPS Device ID.
- Set a friendly name (e.g., VPS-Sync).
- Under the Sharing tab, select any folders you want to sync to this device.
- Under the Advanced tab, specify the address as tcp://your-vps-ip:22000 instead of dynamic to minimize discovery delays.
- Click Save.
Step 3: Approve Connection on VPS
- Return to the VPS Syncthing Web GUI.
- A prompt will appear stating: "Device [ID] wants to connect."
- Click Add Device.
- Confirm the device settings and click Save.
Step 4: Share Folders
To sync a directory (e.g., Documents):
1. In the VPS GUI, click Add Folder (or edit an existing one).
2. Set the Folder Path to /var/syncthing/data/documents (a path inside the container, on the mounted data volume).
3. In the Sharing tab, check the box next to your local device.
4. Under Folder Type, select:
   - Send & Receive (standard mutual sync)
   - Receive Only (if the VPS is purely a backup target)
   - Send Only (if the VPS distributes data to other nodes)
5. Save the folder configuration.
6. On your local device, accept the share prompt to start downloading the files.
7. Performance and Optimization Tuning
To maximize transfer rates on a VPS, adjust the following advanced parameters:
Increase system file watch limits
Syncthing uses inotify on Linux to monitor files for changes. The default kernel limit is often too low for large sync folders, leading to constant polling.
Increase this limit on the VPS host system:
echo "fs.inotify.max_user_watches=204800" | sudo tee -a /etc/sysctl.conf
sudo sysctl -p
Adjust UDP Buffer Sizes for QUIC
Syncthing utilizes QUIC (UDP) for transport. Linux socket buffer defaults can throttle QUIC throughput. Add the following to /etc/sysctl.conf to improve speeds:
net.core.rmem_max=26214400
net.core.wmem_max=26214400
Run sudo sysctl -p to load the settings.
Enable File Versioning
To protect against accidental deletions on your local devices, enable versioning on the VPS folder configuration:
1. Edit the folder settings in the VPS Syncthing GUI.
2. Navigate to File Versioning.
3. Select Staggered File Versioning or Trash Can File Versioning.
4. Deleted files will be moved to a hidden .stversions folder on the VPS, functioning as an automated backup.