Syncthing between three devices (Mac, Linux server, Android phone): the relay gotcha and how to set up trusted folders

by

Syncthing’s pitch is “set it up once and your folders are identical across every device.” That’s the truth, but the path to “set up once” has more sharp edges than the docs admit. The classic gotcha — Syncthing falls back to a public relay server, your sync mysteriously slows to 50 KB/s, your phone heats up — derails most three-device installations within the first week.

Here is the actual setup for three devices (a Mac, a Linux home server, an Android phone) that achieves direct LAN-speed transfers when devices are on the same network and direct WAN-speed transfers when they’re not — without going through a relay.

Why the relay gotcha matters

Syncthing’s design assumes peers can reach each other directly. When they can’t (NAT, firewall, mobile networks), it falls back to a community-run relay server that proxies bytes between them. Relay throughput is shared, slow, and capped — typical real-world numbers are 100-500 KB/s, which means a 5 GB folder takes hours instead of minutes. The Syncthing UI shows a small “via relay” indicator next to the device, which is easy to miss.

The fix isn’t on Syncthing’s side; it’s on the network side. Three options, in order of effort:

  • Same LAN. If both devices are on your home Wi-Fi, Syncthing finds each other via local discovery and goes direct, no port-forwards needed. Trivial.
  • Tailscale (or any modern VPN mesh) on all three devices. Tailscale gives every device a 100.x IP that’s reachable from any other device on the tailnet. Syncthing happily uses these for direct connections. This is what 90% of self-hosters end up doing because it’s free and zero-router-config.
  • Real port forward on the router. Forward TCP+UDP 22000 from the router to your Linux server. Now phone → server is direct over WAN. Cheaper than Tailscale (no third-party trust) but only works if your home network has a real public IP, which not every ISP provides.

Step 1 — install on all three

# Linux server
sudo apt install syncthing
sudo systemctl enable --now syncthing@$USER

# Mac
brew install syncthing
brew services start syncthing

# Android — install "Syncthing" from F-Droid or Play Store
# (the Google Play one and the F-Droid one are both maintained; Google Play is more
# polished UI, F-Droid is more battery-efficient on aggressive Android battery management)

After install, on the Linux server: http://localhost:8384 shows the web admin. On the Mac, same URL. On Android, the app’s internal UI.

Step 2 — pair the three devices in a triangle

Each Syncthing instance has a long Device ID (60-character base32). Adding a remote device means pasting that ID. To form a 3-device mesh you do this three times: server↔mac, server↔phone, mac↔phone.

  1. On the Linux server’s web UI: Actions → Show ID. Copy the long ID.
  2. On the Mac: Add Remote Device, paste the server’s ID, name it “Server”.
  3. The server’s UI now shows a popup: “New device wants to connect” — accept it.
  4. Repeat for server↔phone and mac↔phone.

Each device should now show two remote devices, both green / connected. The “Connection Type” hovering on each remote device tells you “TCP LAN”, “TCP WAN”, or “Relay”. You want one of the first two; if it says relay, jump to the network section above.

Step 3 — share folders, but mind the trust direction

Syncthing’s security model is per-folder, per-device. Sharing a folder with a remote device means the remote can read AND write that folder by default. For most personal-use cases (your laptop / phone / server are all “you”), that’s fine. Where it bites:

  • Send-only folder. If the server should be the source of truth and the phone should only receive, mark the server’s folder as “Send Only” and the phone’s as “Receive Only”. The phone can edit local files but the changes won’t propagate.
  • Untrusted device. If you ever add a friend’s device or a device you don’t fully control, mark it as “Untrusted” when adding. Syncthing will encrypt the folder data on that device — even though the bytes are stored there, only your trusted devices can decrypt them.
  • Versioning. Per folder, set “File Versioning” to “Staggered” or “Trash Can”. Without it, when one device deletes a file, all devices delete it. Syncthing has no undo built in.

Step 4 — Android-specific considerations

  • Battery optimization. By default Android will aggressively kill the Syncthing background service. In the app’s settings: Run conditionsAlways run in background + ask the system to disable battery optimization for the app. Without this, Syncthing only runs when the app is open in foreground.
  • Wi-Fi only. Syncthing on phone defaults to syncing on cellular. You almost certainly want Run on metered networks: never.
  • Ignore folders. The phone has a lot of system / cache stuff in its file system you don’t want to sync. Use .stignore files (Syncthing’s gitignore equivalent) at the folder root to exclude things. Common patterns: **/.thumbnails/, **/.cache/, *.tmp.
  • Storage permissions. Android 11+ requires “All Files Access” permission for Syncthing to sync arbitrary folders. The app prompts for it on first run; deny it and you can only sync within the app’s sandbox.

Verifying you’re not stuck on relay

The thing to check after the 24-hour shakedown:

# In any device's Syncthing web UI, click on the remote device.
# The "Address" line should show one of:
#   tcp://100.x.y.z:22000    ← Tailscale, direct (good)
#   tcp://192.168.1.x:22000  ← LAN, direct (good)
#   tcp://<your-public-ip>:22000  ← WAN with port forward (good)
#   relay://relay.syncthing.net:22067  ← bad, slow

# If it's stuck on relay, on each device:
# 1. Web UI → Settings → Connections → make sure "Enable Local Discovery" is on
# 2. Tailscale up on both ends, OR open port 22000 TCP+UDP on the router
# 3. Click the device, "Edit", and the connection should re-establish

Once direct, the throughput is “your network’s speed” — 50-100+ MB/s on a fast home Wi-Fi, 5-20 MB/s over a typical cellular connection, far higher than any relay can offer.

What I sync between three devices, in practice

  • ~/Notes — the plain-text notes folder from the previous post. Sync between Mac and server (no phone).
  • ~/Pictures/Phone-Camera — Android’s DCIM folder on phone, send-only to server. Effectively a real-time photo backup. Server runs versioning so a deleted photo on the phone is recoverable for 30 days.
  • ~/Documents/Active — current-projects folder on Mac, two-way with server, no phone.
  • ~/Audiobooks — receive-only on phone from server, where ripping happens.

None of those have a SaaS subscription attached. The cost is the time to set up Syncthing once (an evening) and the time to verify direct-connection quarterly. After that, it’s invisible.

Photo: Three screens showing similar content side-by-side by Bhavishya on Pexels.

Leave a Comment

This site uses Akismet to reduce spam. Learn how your comment data is processed.