In an era of cloud surveillance and data monetization, Syncthing offers a radical alternative: real-time, encrypted file synchronization directly between devices, eliminating central servers. Its promise—"Your data is your data alone"—resonates strongly with privacy-conscious users and tech professionals. While FreeBSD's pkg system makes initial Syncthing installation trivial (pkg install syncthing), crucial configuration nuances separate a functional setup from an optimized, secure deployment.

The Default Installation Trap

FreeBSD launches Syncthing as the syncthing user by default. This creates a significant limitation:

% pkg install syncthing
% sysrc syncthing_enable=YES
% service syncthing start  # Runs as 'syncthing' user

Why this fails for real use: Syncthing needs access to your files—something the isolated syncthing user lacks. Simply starting the service syncs nothing meaningful. The solution? Run Syncthing as your account.

Running as Your User: Permissions and Paths

First, stop the service (service syncthing stop). Then, reconfigure ownership using sysrc:

% sysrc syncthing_user=yourusername
% sysrc syncthing_group=yourgroup  # Often same as username

This shift triggers two critical issues:
1. Logging Failure: /var/log/syncthing.log becomes inaccessible. Fix:

% mkdir /var/log/syncthing
% chown yourusername:yourgroup /var/log/syncthing
% sysrc syncthing_log_file=/var/log/syncthing/syncthing.log

2. Certificate Relocation: Syncthing generates its TLS certificate and key in syncthing_home. The default location, /usr/local/etc/syncthing, is no longer writable by your account, so redirect it:

% sysrc syncthing_home=/home/yourusername/syncthing  # Or preferred path
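Before starting the service again, it is worth confirming that the switch actually took. The script below is an added check, not part of the original post: given the user and the two directories you configured with the sysrc variables above, it verifies that both exist and are owned by that user, and that syncthing_home is not group- or world-writable, since it will hold the TLS private key (key.pem). The stand-alone run at the bottom assumes the sysrc variable names shown on this page.

```shell
#!/bin/sh
# Added example (not from the original post): sanity-check the paths Syncthing
# will use after syncthing_user has been changed, before starting the service.
# Usage: check_syncthing_paths USER HOME_DIR LOG_DIR
# Returns 0 when everything is consistent, 1 otherwise; prints each problem found.

owned_by() {
    # True only if $1 exists and is owned by user $2 (find -prune/-user are POSIX).
    [ -e "$1" ] && [ -n "$(find "$1" -prune -user "$2" 2>/dev/null)" ]
}

loose_perms() {
    # True if group or others have write permission on $1 (parses ls -ld output:
    # char 6 is the group write bit, char 9 the other write bit).
    perm=$(ls -ld "$1" | cut -c1-10)
    case "$perm" in
        ?????w*|????????w*) return 0 ;;
        *) return 1 ;;
    esac
}

check_syncthing_paths() {
    user=$1; home=$2; logdir=$3; rc=0
    for d in "$home" "$logdir"; do
        if ! owned_by "$d" "$user"; then
            echo "PROBLEM: $d is missing or not owned by $user (service cannot write there)"
            rc=1
        fi
    done
    if [ -d "$home" ] && loose_perms "$home"; then
        echo "PROBLEM: $home is group/world-writable but will hold cert.pem and key.pem"
        rc=1
    fi
    return $rc
}

# Stand-alone run on FreeBSD: read the values set with sysrc (assumed names
# syncthing_user, syncthing_home, syncthing_log_file, as used on this page).
if command -v sysrc >/dev/null 2>&1; then
    check_syncthing_paths "$(sysrc -n syncthing_user)" "$(sysrc -n syncthing_home)" \
        "$(dirname "$(sysrc -n syncthing_log_file)")" && echo "OK: paths consistent"
fi
```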

Unlocking Local Network Performance

Slow syncs? Syncthing may be tunneling traffic through relays if local discovery is blocked. Open the relevant ports on your firewall; the PF example below belongs in /etc/pf.conf and assumes $ext_if is already defined as a macro for your network interface:

pass in on $ext_if proto tcp to ($ext_if) port 22000  # Sync protocol (TCP)
pass in on $ext_if proto udp to ($ext_if) port 22000  # Sync protocol (UDP)
pass in on $ext_if proto udp to any port 21027        # LAN device discovery broadcasts

These rules enable direct LAN peer discovery (port 21027/UDP) and high-speed sync (22000/TCP/UDP), bypassing slower public relays.

Why This Matters Beyond FreeBSD

This configuration journey underscores a broader principle in self-hosted infrastructure: ownership dictates security and functionality. Syncthing’s power lies in its decentralization, but this shifts responsibility to the user. Properly assigning user contexts, managing file permissions, and controlling network access aren’t just BSD quirks—they’re foundational to any secure, self-managed service. The result? Truly private synchronization where you dictate data flow, storage, and access—no corporate intermediary required.

Source: Syncthing on FreeBSD (Kollerie's Blog, May 2021)