I used to have the same problem a number of years ago, in order to run Bittorrent over a firewall. There is an ‘easy’ solution if you are a power user. This has already been alluded to.
There are two major ways to solve this… (1) You (the ‘end user’) take corrective action, or (2) Corrective action / tunnelling is coded into the client and server software.
Since the latter will take forever to add as a feature, here are my suggestions on the former.
(1) As mentioned by ernst, you can tunnel using ssh. What you need are (1) PuTTY or similar, and (2) a VPS server or personal EC2 instance. Tunnel port 2200 and 51736. I noticed in my Wireshark logs that the TLS hops from 22000 over to 51736 – not clear on whether this is a fixed port or a dynamically selected port.
You may run into issues with this, though, and I don’t know if ssh tunnelling would actually solve all the problems. SSH tunnelling is better for a single port, or creating a local SOCKS proxy to send your web browsing over ssh, stuff like that.
Not clear on whether it would solve the issue at hand, but there’s a good possibility you could configure it to work.
(2) A better solution, and one which I used to do all the time, is to use OpenVPN. The beauty of this solution is that you don’t have to worry about tunnelling individual ports over ssh (or worry about some protocol randomly hopping across TCP ports).
OpenVPN will tunnel ALL traffic while it’s turned on. I used to do this so that I could run Bittorrent over a firewall. Anyway, here’s the process in a nutshell. Download OpenVPN for your remote server. Install and set it up to listen on a tcp port that’s never firewalled. Good choices are TCP ports 25, 53, 80, 143, 443, 8080, etc. I used to use 80.
Anyway, so then you need to set up an OpenVPN client. I did this on Linux so I couldn’t give you the process for Windows. But the basic idea is that both sides of OpenVPN have a symmetric key (a keyfile). Once the connection is up, you just need to add a route to make some or all traffic go over the OpenVPN tunnel.
This will go right past a firewall, because it will look like some sort of encrypted web traffic to the firewall. Or encrypted DNS. Depending on what port you picked.
One caveat: Make sure you tunnel over TCP. OpenVPN rarely can get through firewalls with UDP, unless the UDP packets are on port 53. Most corporate firewalls will drop UDP packets that aren’t DNS.
The ‘solution’ for adding a firewall-proofing feature to the codebase (which I don’t recommend) … But the solution would be similar. Add a button for ‘anti-firewall enabled’ to the clients and server.
More or less, you’d have Syncthing run its control port and web services on 8080, which I think it already does. And for the TLS BEP traffic, you’d have it run on port 80 instead of 22000. And you’d also have to make sure TLS didn’t jump ports.
This way, all the firewall would ever see would be encrypted TLS traffic on port 80 and 8080. And that’d get through no problem.
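The OpenVPN setup the post above describes in a nutshell (server listening on a TCP port, a shared static key on both ends, and a route pushed over the tunnel), written out as an added example; this is not the poster's configuration and not part of Syncthing. The hostname `vps.example.invalid`, the tunnel addresses `10.8.0.1`/`10.8.0.2`, and the `198.51.100.0/24` network are constructed placeholders, and the key is generated with `openvpn --genkey secret static.key` (OpenVPN 2.5+ syntax).

```conf
# ---- server.conf (on the VPS) ----
# TCP, not UDP, per the caveat in the post; port 80 is one of the
# ports the post lists. Adjust to taste.
proto tcp-server
port 80
dev tun
# Local and remote tunnel endpoint addresses (constructed values).
ifconfig 10.8.0.1 10.8.0.2
# The symmetric keyfile shared by both sides (static-key mode, no PKI).
# Generate once with: openvpn --genkey secret static.key
secret static.key
keepalive 10 60
persist-key
persist-tun
verb 3

# ---- client.conf (on the firewalled machine) ----
proto tcp-client
# Hypothetical server hostname and the same TCP port as above.
remote vps.example.invalid 80
dev tun
# Mirror image of the server's ifconfig line.
ifconfig 10.8.0.2 10.8.0.1
secret static.key
keepalive 10 60
persist-key
persist-tun
verb 3
# "Some" traffic: send only this (constructed) network over the tunnel.
route 198.51.100.0 255.255.255.0 10.8.0.1
# "All" traffic: replace the route line with the following instead.
# redirect-gateway def1
```

Start each side with `openvpn --config server.conf` and `openvpn --config client.conf`. Static-key mode has no certificate exchange, so the one file `static.key` must be copied to both hosts out of band and kept private; anyone holding it can join the tunnel. If you choose `redirect-gateway def1`, the VPS must additionally forward and NAT the tunnel traffic (IP forwarding plus a masquerade rule), which is outside this example.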