Addressing ST over VPN

ST on a server runs 24/7 on a VPN. I can’t open port 22000 on the VPN so I map port 18070 to 22000 and forward that. What addressing scheme do I need on the server so that ST is discoverable? I tried tcp://vpn-exit-ip:18070 but ST complains it cannot bind.

tcp://:18070 (i.e., port 18070 on all interfaces) should do

ST accepts tcp://:18070 but will not accept tcp:/vpn-exit-ip:18070. Any idea why not?

I couldn’t attach a screenshot but this is the text of the listeners

Syncthing is listening on the following network addresses for connection attempts from other devices:

dynamic+https://relays.syncthing.net/endpoint
quic://0.0.0.0:22000
tcp://0.0.0.0:22000

Some listening addresses could not be enabled to accept connections:

tcp://kinshamservers.org.uk:18070: listen tcp 84.39.116.180:18070: bind: cannot assign requested address

The above IP is the VPN exit IP and port 18070 is forwarded to 22000.

ST accepts tcp://:18070 but will not accept tcp:/vpn-exit-ip:18070. Any idea why not?

Can it be happen, if you launch vpn after you launch ST?

Not really sure about that. Both ST and VPN are Debian systemd services so the boot order is undefined AFAIK.

The listen address is what interface on the machine to listen on. Your vpn endpoint is presumably somewhere else than on the local machine. It’s not possible to listen on an address that doesn’t exist on the machine.

What do you mean by that? Which kind of VPN are we talking about and which node would access syncthing?

The ST server is a Debian box using an OpenVPN client. This is a client to the AirVPN server. AirVPN provides an exit IP which is persistent for a particular VPN server.

AirVPN provides a DDNS service which forwards up to 20 ports to ST server local ports. The user doesn’t have a free choice of AirVPN ports, I can only choose from a selection offered. The chosen port can be forwarded to any local port > 1024, e.g. 22000.

ST doesn’t appear to be able to recognize this exit IP. It can only recognize addresses on the ST server itself. The exit IP isn’t one of those. At the ST server end of the VPN connection is a VPN address but this is not persistent or predictable.

Syncthing is only able to discover network interface IPs or the external IP of the default route obtained via STUN.

So it seems the bottom line here is that ST on VPN must rely on sync servers to be accessible?

Or is there another way?

You say “exit IP”. If this is the IP that the Syncthing device gets as source IP when it talks to the discovery servers things should work out of the box. If it’s not, then it’s just some random IP that’s not visible to Syncthing and it’s not possible for Syncthing to automatically discover it.

I guess it should be as the exit ip is what Apache listens on and that works OK.

Is there actually a network adapter with that IP? If not, then it’s not an exit ip, and apache is probably just using whatever you specified as a host header check.

No there isn’t. This is my ifconfig:

The inet value of tun0 is not the exit IP of the AirVPN server.

enp5s0: flags=4419<UP,BROADCAST,RUNNING,PROMISC,MULTICAST> mtu 1500 inet 192.168.1.126 netmask 255.255.255.0 broadcast 192.168.1.255 inet6 fd0a:d74:f017:1:beae:c5ff:febe:892 prefixlen 64 scopeid 0x0 inet6 fe80::beae:c5ff:febe:892 prefixlen 64 scopeid 0x20 ether bc:ae:c5:be:08:92 txqueuelen 1000 (Ethernet) RX packets 603486060 bytes 146737944322 (136.6 GiB) RX errors 0 dropped 404972 overruns 0 frame 0 TX packets 941892828 bytes 1145481988810 (1.0 TiB) TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0

lo: flags=329<UP,LOOPBACK,RUNNING,PROMISC> mtu 65536 inet 127.0.0.1 netmask 255.0.0.0 inet6 ::1 prefixlen 128 scopeid 0x10 loop txqueuelen 1000 (Local Loopback) RX packets 79566064 bytes 81971482042 (76.3 GiB) RX errors 0 dropped 0 overruns 0 frame 0 TX packets 79566064 bytes 81971482042 (76.3 GiB) TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0

tun0: flags=4305<UP,POINTOPOINT,RUNNING,NOARP,MULTICAST> mtu 1500 inet 10.25.2.183 netmask 255.255.255.0 destination 10.25.2.183 inet6 fe80::ccf6:717c:8c43:d101 prefixlen 64 scopeid 0x20 inet6 fde6:7a:7d20:1502::10b5 prefixlen 64 scopeid 0x0 unspec 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00 txqueuelen 100 (UNSPEC) RX packets 20003623 bytes 14524979078 (13.5 GiB) RX errors 0 dropped 0 overruns 0 frame 0 TX packets 17329982 bytes 7499568822 (6.9 GiB) TX errors 0 dropped 2670 overruns 0 carrier 0 collisions 0

You cannot listen on an IP address that is not local to the system (that is, an IP address unknown to the OS).

2 Likes

You should use tcp://:18070 to listen, and then set tcp://vpn-exit-ip:22000 in the “Remote Devices” of the webui of another device (because you changed the port)