These instructions are for Linux. Windows and macOS equivalents are noted where they differ. You don't need to be a security expert — just follow along step by step.
Check active connections with ss
While CoveSync is running, list all established TCP connections it has open. None should point to addresses outside your LAN range.
Step 1 — Find the CoveSync process ID
pgrep -a covesync
Note the PID (the number at the start of the output).
Step 2 — Show its network connections
ss -tnp | grep covesync
Each line is one connection. The Peer Address column shows where the connection goes. You should only see:
- Connections to addresses in your LAN range (e.g. 192.168.x.x, 10.x.x.x, or 172.16-31.x.x)
- Connections to 127.0.0.1 or ::1 (loopback — your own machine)
No connections to external IPs should appear during a sync operation.
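The check in Step 2 can be automated. The script below is an added example, not part of CoveSync: it reads ss -tnp output and prints only the covesync peers outside the loopback and private ranges listed above, and it also unwraps IPv4-mapped IPv6 peers, which goes beyond that list. The function names and the sample output (PID, ports, addresses) are constructed for the example.

```shell
# Added example: list covesync peers that are neither loopback nor private LAN.

# Exit 0 if the address is loopback or in one of the LAN ranges listed above.
is_local_addr() {
  case "$1" in
    127.*|::1) return 0 ;;                              # loopback
    10.*|192.168.*) return 0 ;;                         # 10.x.x.x, 192.168.x.x
    172.1[6-9].*|172.2[0-9].*|172.3[01].*) return 0 ;;  # 172.16-31.x.x
  esac
  return 1
}

# Read `ss -tnp` output on stdin; print the peer of every covesync socket
# whose peer address is not local. Columns: State Recv-Q Send-Q Local Peer Process.
non_lan_peers() {
  while read -r _state _rq _sq _laddr peer proc; do
    case "$proc" in *'"covesync"'*) ;; *) continue ;; esac  # skip header, other processes
    addr=${peer%:*}                   # drop the :port suffix
    addr=${addr#\[}; addr=${addr%\]}  # drop IPv6 brackets
    addr=${addr#::ffff:}              # unwrap IPv4-mapped IPv6 (dual-stack sockets)
    is_local_addr "$addr" || printf '%s\n' "$addr"
  done
  return 0
}

# Constructed sample: the PID, ports and addresses are made up for this example.
sample_ss_output() {
  cat <<'EOF'
State    Recv-Q Send-Q Local Address:Port  Peer Address:Port  Process
ESTAB    0 0 192.168.1.10:40100 192.168.1.20:51514 users:(("covesync",pid=4242,fd=9))
ESTAB    0 0 [::1]:8485 [::1]:40112 users:(("covesync",pid=4242,fd=11))
ESTAB    0 0 [::ffff:192.168.1.10]:40100 [::ffff:172.20.0.5]:40000 users:(("covesync",pid=4242,fd=12))
ESTAB    0 0 192.168.1.10:43100 203.0.113.7:443 users:(("covesync",pid=4242,fd=13))
SYN-SENT 0 1 192.168.1.10:43102 172.32.0.9:443 users:(("covesync",pid=4242,fd=14))
ESTAB    0 0 192.168.1.10:50000 198.51.100.3:443 users:(("firefox",pid=900,fd=50))
EOF
}

sample_ss_output | non_lan_peers   # prints 203.0.113.7 and 172.32.0.9
```

On a live system, run ss -tnp | non_lan_peers while a sync is in progress; empty output means every covesync peer was loopback or LAN.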
On Windows
netstat -ano | findstr ESTABLISHED
Look for lines where the process column matches the CoveSync PID (visible in Task Manager → Details).
Capture traffic with Wireshark
Wireshark lets you see every packet your machine sends or receives. You can confirm that all CoveSync traffic stays on your LAN.
Step 1 — Install Wireshark
Download from wireshark.org or install via your package manager:
sudo pacman -S wireshark-qt   # Arch / CachyOS
sudo apt install wireshark    # Debian / Ubuntu
Step 2 — Start a capture
Open Wireshark, select your LAN interface (usually eth0 or wlan0), and start capturing.
Step 3 — Apply a filter to show non-LAN traffic only
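In the filter bar, enter this display filter (replace 192.168.1.0/24 with your subnet):
not (ip.src == 192.168.1.0/24 and ip.dst == 192.168.1.0/24) and not (ip.dst == 255.255.255.255 or ip.dst == 224.0.0.0/24)
The filter hides packets whose source and destination are both on your LAN, plus broadcast and local multicast. Any IPv4 packet that remains has at least one endpoint outside your subnet.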
If CoveSync is truly LAN-only, no packets should appear from the covesync process while it is syncing. You can confirm which process owns a packet by right-clicking → Follow → TCP Stream.
Step 4 — Trigger a sync
Add or modify a file in a shared folder. Watch the Wireshark capture. All resulting packets should be to/from your LAN peers only.
Verify the TLS certificate fingerprint
Every CoveSync device has a unique self-signed certificate. The fingerprint shown in the UI should match what the server actually presents. This confirms no man-in-the-middle is intercepting the connection.
Step 1 — Get the fingerprint from the UI
Open the CoveSync web UI at https://localhost:8485. The fingerprint is displayed in Settings. Note the value — it looks like 0a5f:ee7b:…
Step 2 — Query it directly with openssl
openssl s_client -connect localhost:8485 </dev/null 2>/dev/null \
  | openssl x509 -noout -fingerprint -sha256
The SHA-256 fingerprint in the output should match what the UI shows. If it matches, the certificate is genuine and no interception is occurring.
Block internet access entirely
The most thorough test: block all outbound internet for the covesync process and confirm sync still works perfectly.
On Linux with nftables
sudo nft add rule inet filter output skuid $(id -u) ip daddr != 192.168.0.0/16 drop
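Replace 192.168.0.0/16 with your subnet. The rule matches on your user ID, so it applies to every process running as your user, not only covesync. Run a full sync cycle. It should complete without errors. Then remove the rule: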
sudo nft delete rule inet filter output handle <handle-number>
If sync works normally with internet access blocked, that confirms CoveSync requires nothing outside your LAN to operate.