1SYNCTHING-NETWORKING(7)            Syncthing           SYNCTHING-NETWORKING(7)
2
3
4

NAME

6       syncthing-networking - Firewall Setup
7

ROUTER SETUP

9   Port Forwards
10       If  you have a NAT router which supports UPnP, the easiest way to get a
11       working port forward is to make sure UPnP setting is  enabled  on  both
12       Syncthing and the router – Syncthing will try to handle the rest. If it
13       succeeds you will see a message in the console saying:
14
15          Created UPnP port mapping for external port XXXXX on UPnP device YYYYY.
16
17       If this is not possible or desirable, you should set up a port forward‐
18       ing  for ports 22000/TCP and 22000/UDP (or whichever port is set in the
19       Sync Protocol Listen Address setting).  The  external  forwarded  ports
20       and   the  internal  destination  ports  have  to  be  the  same  (e.g.
21       22000/TCP).
22
23       Communication in Syncthing works both ways. Therefore  if  you  set  up
24       port  forwards for one device, other devices will be able to connect to
25       it even when they are behind a NAT network or firewall.
26
27       In the absence of port forwarding, relaying may work well enough to get
28       devices  connected and synced, but will perform poorly in comparison to
29       a direct connection.
30
31   Local Discovery
32       The router needs to allow/forward broad-/multicasts for local discovery
33       to  work.   Usually these are allowed by default in a single local sub‐
34       net, but may be blocked between different subnets  or  even  between  a
35       bridged Wi-Fi and LAN.
36
37       If  you are unable to set up your router thus or your firewall as shown
38       below, and your devices have static IP addresses, you can specify  them
39       directly by changing the default dynamic setting for Addresses to some‐
40       thing like: tcp://192.168.1.xxx:22000, dynamic.
41

LOCAL FIREWALL

43       If your PC has a local firewall, you will need to  open  the  following
44       ports for incoming and outgoing traffic:
45
46       • Port 22000/TCP: TCP based sync protocol traffic
47
48       • Port 22000/UDP: QUIC based sync protocol traffic
49
50       • Port  21027/UDP:  for  discovery broadcasts on IPv4 and multicasts on
51         IPv6
52
53       If you configured a custom port in the  Sync  Protocol  Listen  Address
54       setting, you have to adapt the firewall rules accordingly.
55
56   Uncomplicated Firewall (ufw)
57       If  you’re  using ufw on Linux and have installed the Syncthing package
58       <https://apt.syncthing.net/>, you can allow the necessary ports by run‐
59       ning:
60
61          sudo ufw allow syncthing
62
63       If  you  also  want  to allow external access to the Syncthing web GUI,
64       run:
65
66          sudo ufw allow syncthing-gui
67
68       Allowing external access is not  necessary for a typical installation.
69
70       You can then verify that the ports mentioned above are allowed:
71
72          sudo ufw status verbose
73
74       In  case  you  installed  Syncthing  manually  you   can   follow   the
75       instructions     to     manually     add     the    syncthing    preset
76       <https://github.com/syncthing/syncthing/tree/main/etc/firewall-ufw>  to
77       ufw.
78
79   Firewalld
80       If you are using Firewalld <https://www.firewalld.org/> it has included
81       support for syncthing (since version 0.5.0, January 2018), and you  can
82       enable it with:
83
84          sudo firewall-cmd --zone=public --add-service=syncthing --permanent
85          sudo firewall-cmd --reload
86
87       Similarly there is also a syncthing-gui service.
88

REMOTE WEB GUI

90       To  be  able  to  access  the web GUI from other computers, you need to
91       change the GUI Listen Address setting from the  default  127.0.0.1:8384
92       to  0.0.0.0:8384. You also need to open the port in your local firewall
93       if you have one.
94
95   Tunneling via SSH
96       If you have SSH access to  the  machine  running  Syncthing  but  would
97       rather  not  open the web GUI port to the outside world, you can access
98       it through a SSH tunnel instead. You can start a tunnel with a  command
99       like the following:
100
101          ssh -L 9999:localhost:8384 machine
102
103       This will bind to your local port 9999 and forward all connections from
104       there to port 8384 on the target machine.  This  still  works  even  if
105       Syncthing is bound to listen on localhost only.
106

VIA A PROXY

108       Syncthing  can  use a SOCKS5 proxy for outbound connections. Please see
109       proxying.
110

AUTHOR

112       The Syncthing Authors
113
115       2014-2019, The Syncthing Authors
116
117
118
119
120v1                               Apr 15, 2021          SYNCTHING-NETWORKING(7)
Impressum