STRELAYSRV(1)                      Syncthing                     STRELAYSRV(1)



NAME

       strelaysrv - Syncthing Relay Server


SYNOPSIS

          strelaysrv [-debug] [-ext-address=<address>] [-global-rate=<bytes/s>] [-keys=<dir>] [-listen=<listen addr>]
                     [-message-timeout=<duration>] [-nat] [-nat-lease=<duration>] [-nat-renewal=<duration>]
                     [-nat-timeout=<duration>] [-network-timeout=<duration>] [-per-session-rate=<bytes/s>]
                     [-ping-interval=<duration>] [-pools=<pool addresses>] [-pprof] [-protocol=<string>]
                     [-provided-by=<string>] [-status-srv=<listen addr>] [-token=<string>] [-version]


DESCRIPTION

       Syncthing relies on a network of community-contributed relay servers.
       Anyone can run a relay server, and it will automatically join the relay
       pool and be available to Syncthing users. The current list of relays
       can be found at https://relays.syncthing.net/.


OPTIONS

       -debug Enable debug output.

       -ext-address=<address>
              An optional address to advertise as being available on. Allows
              listening on an unprivileged port with port forwarding from e.g.
              443, and being connected to on port 443.

       -global-rate=<bytes/s>
              Global rate limit, in bytes/s.

       -keys=<dir>
              Directory where cert.pem and key.pem are stored (default “.”).

       -listen=<listen addr>
              Protocol listen address (default “:22067”).

       -message-timeout=<duration>
              Maximum amount of time we wait for relevant messages to arrive
              (default 1m0s).

       -nat   Use UPnP/NAT-PMP to acquire an external port mapping.

       -nat-lease=<duration>
              NAT lease length in minutes (default 60).

       -nat-renewal=<duration>
              NAT renewal frequency in minutes (default 30).

       -nat-timeout=<duration>
              NAT discovery timeout in seconds (default 10).

       -network-timeout=<duration>
              Timeout for network operations between the client and the relay.
              If no data is received between the client and the relay in this
              period of time, the connection is terminated. Furthermore, if no
              data is sent between either of the clients being relayed within
              this period of time, the session is also terminated (default
              2m0s).

       -per-session-rate=<bytes/s>
              Per session rate limit, in bytes/s.

       -ping-interval=<duration>
              How often pings are sent (default 1m0s).

       -pools=<pool addresses>
              Comma separated list of relay pool addresses to join (default
              “https://relays.syncthing.net/endpoint”). Blank to disable
              announcement to a pool, thereby remaining a private relay.

       -pprof Enable the built-in profiling on the status server.

       -protocol=<string>
              Protocol used for listening. ‘tcp’ for IPv4 and IPv6, ‘tcp4’ for
              IPv4, ‘tcp6’ for IPv6 (default “tcp”).

       -provided-by=<string>
              An optional description of who provides the relay.

       -status-srv=<listen addr>
              Listen address for the status service (blank to disable)
              (default “:22070”). The status service is used by the relay pool
              server UI for displaying stats (data transferred, number of
              clients, etc.).

       -token=<string>
              Token to restrict access to the relay (optional). Disables
              joining any pools.

       -version
              Show version.

   Installing
       Go to releases <https://github.com/syncthing/relaysrv/releases> and
       download the file appropriate for your operating system. Unpacking it
       will yield a binary called strelaysrv (or strelaysrv.exe on Windows).
       Start this in whatever way you are most comfortable with; double-
       clicking should work in any graphical environment. At first start,
       strelaysrv will generate certificate files and a database in the
       current directory unless given flags to the contrary. It will also join
       the default pools of relays, which means that it is publicly visible
       and any client can connect to it. The startup message prints
       instructions on how to change this.

       The relay server can also be obtained through apt, the Debian/Ubuntu
       package manager. Recent releases can be found at syncthing’s apt
       repository <https://apt.syncthing.net/>. The name of the package is
       syncthing-relaysrv.


SETTING UP

       Primarily, you need to decide on a directory to store the TLS key and
       certificate and a listen port. The default listen port of 22067 works,
       but for optimal compatibility a well known port for encrypted traffic
       such as 443 is recommended. This may require additional setup to work
       without running as root or a privileged user, see Running on port 443
       as an unprivileged user below. In principle something similar to this
       should work on a Linux/Unix system:

          $ sudo useradd strelaysrv
          $ sudo mkdir /etc/strelaysrv
          $ sudo chown strelaysrv /etc/strelaysrv
          $ sudo -u strelaysrv /usr/local/bin/strelaysrv -keys /etc/strelaysrv

       This creates a user strelaysrv and a directory /etc/strelaysrv to store
       the keys. The keys are generated on first startup. The relay will join
       the global relay pool, unless a -pools="" argument is given.

       To make the relay server start automatically at boot, use the
       recommended procedure for your operating system.

   Client configuration
       Syncthing can be configured to use specific relay servers (to the
       exclusion of the public pool) by adding the required servers to the
       Sync Protocol Listen Address field, under Actions and Settings. The
       format is as follows:

          relay://<host name|IP>[:port]/?id=<relay device ID>

       For example:

          relay://private-relay-1.example.com:443/?id=ITZRNXE-YNROGBZ-HXTH5P7-VK5NYE5-QHRQGE2-7JQ6VNJ-KZUEDIU-5PPR5AM

       The relay’s device ID is output on start-up.

   Running on port 443 as an unprivileged user
       It is recommended that you run the relay on port 443 (or another port
       which is commonly allowed through corporate firewalls), in order to
       maximise the chances that people are able to connect. However, binding
       to ports below 1024 requires root privileges, and running a relay as
       root is not recommended. Thankfully there are a couple of approaches
       available to you.

       One option is to run the relay on port 22067, and use an iptables rule
       to forward traffic from port 443 to port 22067, for example:

          iptables -t nat -A PREROUTING -p tcp --dport 443 -j REDIRECT --to-port 22067

       Or, if you’re using ufw, add the following to /etc/ufw/before.rules:

          *nat
          :PREROUTING ACCEPT [0:0]
          :POSTROUTING ACCEPT [0:0]

          -A PREROUTING -p tcp --dport 443 -j REDIRECT --to-port 22067

          COMMIT

       You will need to start strelaysrv with -ext-address ":443". This tells
       strelaysrv that it can be contacted on port 443, even though it is
       listening on port 22067. You will also need to let both port 443 and
       22067 through your firewall.

       Another option is described here
       <https://wiki.apache.org/httpd/NonRootPortBinding>, although your
       mileage may vary.


FIREWALL CONSIDERATIONS

       The relay server listens on two ports by default. One for data
       connections and the other for providing public statistics at
       https://relays.syncthing.net/. The firewall, such as iptables, must
       permit incoming TCP connections to the following ports:

       • Data port: 22067/tcp, overridden with -listen and advertised with
         -ext-address

       • Status port: 22070/tcp, overridden with -status-srv

       Runtime iptables rules to allow access to the default ports:

          iptables -I INPUT -p tcp --dport 22067 -j ACCEPT
          iptables -I INPUT -p tcp --dport 22070 -j ACCEPT

       Please consult your Linux distribution’s documentation to persist
       firewall rules.


ACCESS CONTROL FOR PRIVATE RELAYS

       New in version 1.22.1.

       Private relays can be configured to only accept connections from peers
       in possession of a shared secret. To configure this use the -token
       option:

          $ strelaysrv -token=mySecretToken

       Then configure your Syncthing devices to send the token when joining
       the relay:

          relay://<host name|IP>[:port]/?id=<relay device ID>&token=mySecretToken

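       The relay:// address form used in the Client configuration and Access
       control sections, as an added Go example (not code from strelaysrv or
       Syncthing): it builds an address for a client's listen address list and
       parses one back, rejecting a device ID that does not have the printed
       eight-groups-of-seven shape and, when the relay was started with
       -token, an address that carries no token. RelayAddress, BuildRelayURL
       and ParseRelayURL are hypothetical names; the check is on the ID's
       shape only and does not verify its check characters.

```go
package main

import (
	"errors"
	"fmt"
	"net/url"
	"regexp"
)

// deviceIDPattern matches the printed form of a Syncthing device ID as used in
// relay:// addresses: eight dash-separated groups of seven base32 characters.
// Shape check only; the ID's built-in check characters are not verified here.
var deviceIDPattern = regexp.MustCompile(`^([A-Z2-7]{7}-){7}[A-Z2-7]{7}$`)

// RelayAddress (hypothetical type) holds what a client needs to reach a relay.
type RelayAddress struct {
	Host     string // host name or IP, optionally with :port
	DeviceID string // the relay's device ID, printed by strelaysrv at start-up
	Token    string // shared secret for a relay started with -token; empty otherwise
}

// BuildRelayURL renders relay://<host>[:port]/?id=<id>[&token=<token>].
func BuildRelayURL(a RelayAddress) (string, error) {
	if !deviceIDPattern.MatchString(a.DeviceID) {
		return "", fmt.Errorf("malformed relay device ID %q", a.DeviceID)
	}
	q := url.Values{}
	q.Set("id", a.DeviceID)
	if a.Token != "" {
		q.Set("token", a.Token)
	}
	u := url.URL{Scheme: "relay", Host: a.Host, Path: "/", RawQuery: q.Encode()}
	return u.String(), nil
}

// ParseRelayURL validates a relay:// address before it goes into a client's
// listen address list; requireToken is true when the relay runs with -token.
func ParseRelayURL(raw string, requireToken bool) (RelayAddress, error) {
	u, err := url.Parse(raw)
	if err != nil {
		return RelayAddress{}, err
	}
	if u.Scheme != "relay" || u.Host == "" {
		return RelayAddress{}, errors.New("expected relay://<host name|IP>[:port]/?id=<relay device ID>")
	}
	a := RelayAddress{Host: u.Host, DeviceID: u.Query().Get("id"), Token: u.Query().Get("token")}
	if !deviceIDPattern.MatchString(a.DeviceID) {
		return a, fmt.Errorf("missing or malformed relay device ID %q", a.DeviceID)
	}
	if requireToken && a.Token == "" {
		return a, errors.New("relay requires a token but the address carries none")
	}
	return a, nil
}
```

       Query keys are emitted in sorted order, so the built address matches the
       id-then-token form shown above.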

SEE ALSO

       syncthing-relay(7), syncthing-faq(7), syncthing-networking(7)


AUTHOR

       The Syncthing Authors

       2014-2019, The Syncthing Authors




v1.25.0                          Oct 05, 2023                    STRELAYSRV(1)