SYNCTHING-NETWORKING(7) Syncthing SYNCTHING-NETWORKING(7)

syncthing-networking - Firewall Setup

Port Forwards
If you have a NAT router which supports UPnP, the easiest way to get a
working port forward is to make sure the UPnP setting is enabled on both
Syncthing and the router – Syncthing will try to handle the rest. If it
succeeds you will see a message in the console saying:

    Created UPnP port mapping for external port XXXXX on UPnP device YYYYY.

If this is not possible or desirable, you should set up a port forward
for port 22000/TCP (or whichever port is set in the Sync Protocol Listen
Address setting). The external forwarded port and the internal
destination port have to be the same (e.g. 22000/TCP).

Communication in Syncthing works both ways. Therefore if you set up
port forwards for one device, other devices will be able to connect to
it even when they are behind a NAT network or firewall.

In the absence of port forwarding, relaying may work well enough to get
devices connected and synced, but will perform poorly in comparison to
a direct connection.

Local Discovery
The router needs to allow/forward broad-/multicasts for local discovery
to work. Usually these are allowed by default in a single local subnet,
but may be blocked between different subnets or even between a
bridged Wi-Fi and LAN.

If you are unable to set up your router thus or your firewall as shown
below, and your devices have static IP addresses, you can specify them
directly by changing the default dynamic setting for Addresses to
something like: tcp://192.168.1.xxx:22000, dynamic.

If your PC has a local firewall, you will need to open the following
ports for incoming and outgoing traffic:

· Port 22000/TCP (or the actual listening port if you have changed the
  Sync Protocol Listen Address setting.)

· Port 21027/UDP (for discovery broadcasts on IPv4 and multicasts on
  IPv6)

Uncomplicated Firewall (ufw)
If you’re using ufw on Linux and have installed the Syncthing package
<https://apt.syncthing.net/>, you can allow the necessary ports by
running:

    sudo ufw allow syncthing

If you also want to allow external access to the Syncthing web GUI,
run:

    sudo ufw allow syncthing-gui

Allowing external access is not necessary for a typical installation.

You can then verify that the ports mentioned above are allowed:

    sudo ufw status verbose

In case you installed Syncthing manually you can follow the
instructions to manually add the syncthing preset
<https://github.com/syncthing/syncthing/tree/main/etc/firewall-ufw> to
ufw.

Firewalld
If you are using Firewalld <https://www.firewalld.org/> it has included
support for syncthing (since version 0.5.0, January 2018), and you can
enable it with:

    sudo firewall-cmd --zone=public --add-service=syncthing --permanent
    sudo firewall-cmd --reload

Similarly there is also a syncthing-gui service.

To be able to access the web GUI from other computers, you need to
change the GUI Listen Address setting from the default 127.0.0.1:8384
to 0.0.0.0:8384. You also need to open the port in your local firewall
if you have one.

Tunneling via SSH
If you have SSH access to the machine running Syncthing but would
rather not open the web GUI port to the outside world, you can access
it through an SSH tunnel instead. You can start a tunnel with a command
like the following:

    ssh -L 9999:localhost:8384 machine

This will bind to your local port 9999 and forward all connections from
there to port 8384 on the target machine. This still works even if
Syncthing is bound to listen on localhost only.
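
The following Python check is an added example, not part of the Syncthing
documentation or code. It audits the GUI Listen Address discussed above and
reports when the GUI is bound beyond localhost, the case where the SSH tunnel
is the alternative. The <gui> element layout (tls attribute, address, user,
password) is assumed here, the sample configs are constructed, and only
host:port addresses are handled.

```python
import ipaddress
import xml.etree.ElementTree as ET

# Constructed sample configs (assumed <gui> layout, not from a real install).
DEFAULT_CFG = """<configuration><gui enabled="true" tls="false">
  <address>127.0.0.1:8384</address></gui></configuration>"""
EXPOSED_CFG = """<configuration><gui enabled="true" tls="false">
  <address>0.0.0.0:8384</address></gui></configuration>"""
TLS_AUTH_CFG = """<configuration><gui enabled="true" tls="true">
  <address>[::]:8384</address><user>admin</user>
  <password>constructed-hash</password></gui></configuration>"""


def split_host_port(addr):
    """Split 'host:port' or '[v6]:port' into (host, port)."""
    host, _, port = addr.strip().rpartition(":")
    return host.strip("[]"), int(port)


def is_loopback(host):
    """True for localhost and loopback IPs; an empty host means all interfaces."""
    if host == "localhost":
        return True
    try:
        return ipaddress.ip_address(host).is_loopback
    except ValueError:
        return False  # empty host or a DNS name: assume reachable from outside


def audit_gui(config_xml):
    """Return findings for the <gui> element; an empty list means nothing to report."""
    gui = ET.fromstring(config_xml).find("gui")
    if gui is None or gui.get("enabled", "true") != "true":
        return []
    host, port = split_host_port(gui.findtext("address", "127.0.0.1:8384"))
    if is_loopback(host):
        return []
    findings = [f"GUI listens on {host or '*'}:{port}, reachable beyond localhost"]
    if gui.get("tls", "false") != "true":
        findings.append("GUI served without TLS")
    if not (gui.findtext("user") and gui.findtext("password")):
        findings.append("no GUI user/password set")
    return findings


if __name__ == "__main__":
    samples = {"default": DEFAULT_CFG, "exposed": EXPOSED_CFG, "tls+auth": TLS_AUTH_CFG}
    for name, cfg in samples.items():
        print(name, audit_gui(cfg) or "ok")
```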

Syncthing can use a SOCKS5 proxy for outbound connections. Please see
proxying.

The Syncthing Authors

2014-2019, The Syncthing Authors

v1 Feb 17, 2021 SYNCTHING-NETWORKING(7)