Bypass strict corporate firewall

I have Syncthing running on my laptop, on my home computer, and on a VPS server. All on port 22000. The VPS has a static IP address.

All are able to talk to each other without problems when I use my laptop at home. But when using the laptop at work, the corporate firewall is really strict, not allowing me to connect on port 22000 to the VPS. Also the Syncthing global announce server can’t be reached.

What should I do?

Perhaps run the VPS on another port? What port would you suggest?

I also have the possibility to connect to the VPS via SSH (Putty) at work, so setting up a tunnel could be an idea as well. I was unable to get that working though, as I’m not sure what to fill in in Putty exactly and what to change in the laptop’s Syncthing configuration with regard to the url of the VPS.

To give an example of the strictness of the firewall: I can’t connect to any VPN and even this website (Syncthing discourse) can’t be loaded.

What can you connect to via the firewall? If you can SSH into the remote machine, then you can do SSH tunnelling as you suggest, which I am sure there is enough resources on the internet to help you out. Then you might need to change the dynamic address to localhost:<tunnel port>

Unfortunately I don’t know which ports I can connect to, of how to find that out.

I tried the following configuration in Putty. This forwards local port 20001 (not 20000 because there runs Syncthing on the laptop itself) to port 20000 on the VPS. I then changed the VPS-address to Unfortunately that did not work, it can’t connect.

As you can see I also forward port 80 on the local machine to port 8080 on the VPS. When I point by laptop-browser to ‘localhost:80’ I see the Syncthing web interface of the VPS, so the tunneling mechanism itself seems to work properly.

It uses 22000 by default (as shown in the config in the web UI by the way). You can forward remote 22000 as local 220001, and then in the remote device address just put in localhost:22001 instead of dynamic. Or you can put both dynamic and localhost:22001 so that it would try both.

Ah, that was a stupid mistake. It still did not work after correcting the ports in Putty though, but for some reason I also had to put in the public IP address of my server instead of in Putty. Now everything is working perfectly.

Hi, I am in the same situation: I only have Putty to make Syncthing work. On my server, I have also Syncthing. However, I can’t get Syncthing to work with the forwarded ports. Could you please make a screenshot of your current port forwardings in Putty and also from your settings dialog inside Syncthing? That would be great!

I used to have the same problem a number of years ago, in order to run Bittorrent over a firewall. There is any ‘easy’ solution if you are a power user. This has already been alluded to.

There are two major ways to solve this… (1) You (the ‘end user’) take corrective action , or (2) Corrective action / tunnelling is coded into the client and server software.

Since the latter will take forever to add as a feature , here’s my suggestions on the former.

(1) As mentioned by ernst, you can tunnel using ssh. What you need are (1) putty or similar ,and (2) a vps server or personal ec2 instance. Tunnel port 2200 and 51736. i noticed in my wireshark logs that the TLS hops from 22000 over to 51736 – not clear on whether this is a fixed port or a dynamically selected port.

You may run into issues with this, though, and I don’t know if ssh tunelling would actually solve all the problems. SSH tunelling is better for a single port , or creating a local SOCKS proxy to send your web browsing over ssh, stuff like that.

Not clear on whether it would solve the issue at hand, but there’s a good possibility you could configure it to work.

(2) A better solution , and one which I used to do all the time, is to use OpenVPN. The beauty of this solution is that you don’t have to worry about tunnelling individual ports over ssh (or worry about some protocol randomly hopping across tcp ports).

OpenVPN will tunnel ALL traffic while it’s turned on. I used to do this so that I could run Bittorrent over a firewall. Anyway, here’s the process in a nutshell. Download OpenVPN for your remote server. Install and set it up to listen on a tcp port that’s never firewalled. Good choices are TCP ports 25, 53, 80, 143, 443, 8080, etc. I used to use 80.

Anyway so then you need to set up an OpenVPN client. I did this on Linux so I couldn’t give you the process for Windows. But the basic idea is that both sides of openVPN have a symmetric key (a keyfile). Once the connection is up, you just need to add a route to make some or all traffic go over the openVPN tunnel.

This will go right past a firewall, because it will look like some sort of encrypted web traffic to the firewall. Or encrypted DNS. Depending on what port you picked.

One cavet: Make sure you tunnel over TCP . OpenVPN rarely can get thrugh firewalls with UDP , unless the UDP packets are on port 53. Most corpporate firewalls will drop UDP packets that’s aren’t DNS.

The ‘soluton’ for addding a firewall proofing feature to the codebae (which I don’t recommend) … But the solution would be similar. Add a button for ‘anti-firewall enabled’ to the clients and server.

More or less, you’d have Syncthing run it’s control port and web services on 8080, which I think it already does. And for the TLS BEP traffic, you’d have it run on port 80 instead of 22000. And you’d also have to make sure TLS didn’t jump ports.

This way, all the firewall would ever see would be encrypted TLS traffic on port 80 and 8080. And that’d get through no problem.

The port 51736 should be the outgoing port (which is random), Syncthing A connected from port 51736 to Syncthing B on port 22000. For tunneling you should only need 22000.

Ernst, here are my settings. Putty running on my laptop:

On both machines (laptop and server) the service listening address is port 22000. So on laptop I have forwarded local port 22001 to 22000 of the server (in Putty I have entered the public IP of the server because entering did not work for me)

On both computers the GUI listening address is 8080. On the laptop I have forwarded local port 80 to 8080 of the server (here I just use

D9870 you can ignore, is not related to Syncthing.

Then on my laptop I added the server as a device in Syncthing and entered the address

On the server I added the laptop as a device in Syncthing and just use address ‘dynamic’.

Because of the port forward for the GUI, on my laptop I can view the GUI of Syncthing running on the laptop via: and Syncthing’s GUI running on the server via:

Whether you should use http or https depends on whether you have activated the setting ‘Use HTTPS for GUI’. And of course this only works if there is no other webserver running on port 80 on the laptop.

Thanks, this works on my Windows laptop. I now try to setup this on my Linux laptop. I did the following (all on my laptop): $ssh -L 22002:localhost:22000

and in the config of the laptop’s syncthing I did: Sync Protocol Listen Addresses: default,tcp://

However, syncthing is complaining port 22002 is already in use. Did I do something wrong?

You are saying to ssh to listen on 22002 and if someone sends traffic 22002 forward it to socket listening on 22000, and then tell syncthing to listen on 22002 rather than 22000

Shouldn’t you use the forwarded address as device address for the device you are connection to over ssh and not as listen address of your local syncthing instance?

The listen address is how your device listens for connections from other devices.

To tel Synchting to connect to a device on a specific address, add the tcp:// to the address of the remote device, which most probably is currently set to dynamic.

Thanks for all your help!

I have set the remote syncthing to listen to dynamic,tcp:// How should I connect from my local machine to the remote machine? If I do ssh -L 22000:localhost:22002 (so I coonect from local to remote), my local syncthing tells me that the port is already in use. Do I forget a setting?

Edit: Ah, I forgot to edit the remote device location - how stupid. Thanks for your help, it is working now!