Config for computer with multiple IP addresses

I have a laptop that can have three different IP addresses (only one at a time - not multiple network adapters).

  1. When in my house connected via WiFi: 192.168.0.70
  2. When in my house connected via Ethernet cable: 192.168.0.80
  3. When out and about connected via OpenVPN (the VPN server runs on my router): 192.168.1.90 (note that this is a different network from the above two, it is a routed “tun” VPN)

It’s all the same laptop so I want SyncThing to look for any of these IP addresses when trying to connect outgoing to the laptop, and also accept incoming connections from any of these IPs and know it’s the same laptop.

Is there any tutorial or notes on how to configure this if special SyncThing config is needed? I am new to SyncThing - just installing it now, but have never used it before. I can do testing to figure out if this multiple IP address is a doable thing, but I thought I’d ask here first - if others have done this it would save me from doing redundant testing trying to discover how to do something that has already been done.

I do not want to use any relay servers in my setup. I do not want to open any more external holes in my firewall (no port forwarding) - the one hole in my firewall is for OpenVPN, and I want to leave things as only this one hole. I want SyncThing traffic to go over the VPN, not around it.

I could create a second VPN that uses “tap” so the laptop connects to the same network as my LAN. That should in theory allow any auto-discovery that requires the same network to succeed. I am not an expert on tap however, and would prefer to continue using tun if possible. Even if I have to manually configure something that would normally be auto-discovered.

I did try RTFM - I briefly scanned it - but did not find any references or mention about what I’m wanting to do.

My laptop is Linux, the computers it really needs to sync with are Linux (but there could be some optional syncing with a few Windows boxes), and my router runs Linux. Not that I think the OS makes any difference in all this.

Thanks in advance for any help/suggestions!

Welcome @haertig !

This works out of the box. No special config is needed at all.

When adding devices, do not specify IP address or names and everything will just work.

By default, Syncthing will use publicly accessible discovery servers. The Syncthing Discovery Server documentation page is about setting up a self-hosted server, but it should help answer some of your questions about how two or more Syncthing hosts find each other on the internet.

Each Syncthing host also uses network broadcasts for local discovery (similar technique used for network printers and other devices).

The only wrinkle I see is with your OpenVPN connection. In tun mode, Syncthing’s local discovery broadcasts to 255.255.255.255 won’t traverse your subnets, but as long as you don’t disable Syncthing’s global discovery and your network routing supports connections from 192.168.1.90 to 192.168.0.70 and 192.168.0.80, it should just work out-of-the-box.

Thanks for the replies and information @martinleben and @gadget. Much appreciated. I should have some time tomorrow to start implementing what I want to do. It looks like I should have just tried what I wanted to see if it would work out of the box before worrying myself that it wouldn’t.

The VPN part will take longer to test, since to log my laptop into the VPN I must go somewhere off-site. You can’t log in to a VPN when you are already connected to the same network that the VPN is trying to connect you to (or route you to, in the case of tun). I guess I should be more precise and say that you can log in to the VPN - it’s just the routing of your network traffic that won’t work correctly. At least not in my experience. There may be ways to work around this, but hacking up your environment to run a test doesn’t really end up with a valid test IMHO.

Thanks again!

I got Syncthing configured to work the way I wanted it to - to sync seamlessly whether my laptop was connected via Wifi, via an Ethernet cable, and most important to me - when connected via VPN.

When I have received good help from a forum, I like to post back details of how I applied that help. So this might hopefully help others looking at the thread. This is a long post, but maybe it will help others looking to do what I just did.

I have “Global Discovery” and “Enable Relaying” both DISABLED in Syncthing->Actions->Settings->Connections on all computers because I want everything under my control and not dependent on external resources.

On my desktop computer, in Syncthing->RemoteDevices[my_laptop_device]->Edit->Advanced I changed the “Addresses” field from the default of “dynamic” to “tcp://192.168.0.70,tcp://192.168.0.80,tcp://192.168.1.90”

192.168.0.70 is the IP address of my laptop when connected via WiFi
192.168.0.80 is the IP address of my laptop when connected via Ethernet cable
192.168.1.90 is the IP address of my laptop when connected over VPN (note that this is on a different subnet due to the VPN being "tun")

On my laptop computer, in Syncthing->RemoteDevices[my_desktop_device]->Edit->Advanced I changed the “Addresses” field from the default of “dynamic” to “tcp://192.168.0.10”

192.168.0.10 is the IP address of my desktop when connected via Ethernet cable (which is the only way it ever connects)

Given the above setup, Syncthing works transparently syncing my desktop and my laptop no matter which of the three ways my laptop is connected to my home network.

The above works because all of my IP addresses mentioned never change. Non-changing IP addresses are required when you are using a “tun” VPN. If your IP addresses can change - like if you are using DHCP like most people - then there will be problems when in fact your IP addresses do change. This is why Syncthing defaults to using “discovery mode” to locate computers that should be syncing. You don’t tell Syncthing the computers’ IP addresses - it “discovers” them. “Discovery mode” is identifiable by checking the “Addresses” field mentioned above and noting that it is set to “dynamic”. Discovery does not work when you have computers on different subnets. In my case, my desktop computer is on the 192.168.0.x subnet (always) and my laptop (when connected via VPN) is on the 192.168.1.x subnet. Since discovery cannot work in a situation like this, you have to tell Syncthing the specific IP address(es) that it should use.

— Everything below this line is general network stuff, not Syncthing stuff —

So how do you assure that your IP addresses never change? The traditional way to do this was to set each computer (on that computer, not on the router) to have a “static” IP address. That can get messy at times. It works fine, but it can become difficult to administer if you have lots of computers. The way most home users do it these days is on their routers. Most router software supports something called “DHCP Reservation”. This feature may be called different things on different routers. I won’t go into how to configure this because it is different on different routers. But most likely your router has this feature. This is how you solve the need for non-changing IP addresses for the cases where your laptop is connected via WiFi or Ethernet. But it does not work to assign a non-changing IP address to the laptop when it is connected via VPN. At least it doesn’t on my router, other routers may handle this scenario.

— Everything below this line is OpenVPN server specific stuff, not Syncthing or general networking stuff. You may not need to do any of this. —

So I use features in my VPN server to assign non-changing IP addresses to my laptop when it is connected via VPN. I use “OpenVPN” so what I describe below is specific to that particular VPN server software. I am running OpenVPN on my router, which runs Linux, so the details below are specific to both OpenVPN and to Linux. But it should be easy to translate things to Windows equivalents. Some routers contain VPN software built in, and let you configure that from a GUI. So what I describe below may be doable by just marking appropriate checkboxes on your router’s GUI interface. I wouldn’t know. The problem with my router’s firmware is that it gives you checkboxes to push routing and internet redirect commands to clients, but it does not give you the ability to assign specific IP addresses. And that is the exact functionality that we need here. So I had to do the IP address stuff manually in config files, abandoning the checkboxes provided in the router’s GUI.

I run “FreshTomato” third party firmware on my router. It has OpenVPN built in. You can get your VPN up and running using checkboxes. I choose to do it differently, and I specify things manually in config files, which gives me finer control than the checkboxes would.

On my router, in the OpenVPN config screens, under “Custom Configuration” I added the line:

client-config-dir /jffs/openvpn/ccd/tun

Also in the OpenVPN config screens, I unchecked “Push LAN to clients” and “Direct clients to redirect Internet traffic”. Because I handle these settings in my own config file described below, and not via checkboxes.

On my router, in the /jffs/openvpn/ccd/tun directory, I added a file with the name “my-laptop”, where “my-laptop” is the CN (“Common Name”) assigned to the certificate that the laptop uses to connect to OpenVPN. I assume if you’re using OpenVPN that you already know how to create client certificates. If not, I recommend researching “EasyRSA” which is an easy way to do all this VPN certificate stuff.

Here are the contents of that “my-laptop” file:

# Use the following ifconfig-push line to set IP address to 192.168.1.90 using subnet topology as supported by newer versions of OpenVPN server
ifconfig-push 192.168.1.90 255.255.255.0
# Use one or the other of the following two lines, not both
# Use the following redirect-gateway line to direct client to send all network traffic over the VPN and provide a route to the primary LAN
push "redirect-gateway def1"
# Use the following route line to provide a route to the primary LAN to the client and keep non-VPN destined network traffic off the VPN
#push "route 192.168.0.0 255.255.255.0"

— Special notes —

You may have to create some firewall rules on your router (if that’s where you run your firewall) to allow communication between your desktop computer and your laptop connected via VPN. I would expect the rules needed for basic connectivity would be automatically added by VPN software on your router, but maybe not. If your desktop computer and your laptop connected via VPN cannot ping each other or connect to each other over a tcp port, Syncthing obviously won’t work. Look at your firewall rules in that event.
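Added example, not part of any post in this thread and not Syncthing's own tooling: a small audit of a Syncthing `config.xml` that checks the setup described in the last post, that is, global discovery and relaying disabled and every remote device pinned to literal addresses inside the LAN (192.168.0.0/24) or VPN (192.168.1.0/24) subnets. The `natEnabled` check, the `skip` parameter, and the sample XML with placeholder device IDs are assumptions of this example.

```python
import ipaddress
import xml.etree.ElementTree as ET
from urllib.parse import urlsplit

# Subnets taken from the thread: home LAN and the routed "tun" VPN.
ALLOWED = [ipaddress.ip_network(n) for n in ("192.168.0.0/24", "192.168.1.0/24")]
# Options that should be off so no traffic depends on external services
# (natEnabled is an assumption of this example; the thread names the first two).
MUST_BE_FALSE = ("globalAnnounceEnabled", "relaysEnabled", "natEnabled")

def audit(config_xml, allowed=ALLOWED, skip=()):
    """Return a list of findings for a Syncthing config.xml given as a string."""
    root = ET.fromstring(config_xml)
    findings = []
    for opt in MUST_BE_FALSE:
        # A missing element is treated as enabled, matching Syncthing's defaults.
        if (root.findtext(f"options/{opt}") or "true").strip().lower() != "false":
            findings.append(f"options/{opt} is not disabled")
    for dev in root.findall("device"):
        name = dev.get("name") or dev.get("id", "?")
        if name in skip:
            continue
        for addr in ((a.text or "").strip() for a in dev.findall("address")):
            if addr == "dynamic":
                findings.append(f"{name}: 'dynamic' address depends on discovery")
                continue
            try:
                ip = ipaddress.ip_address(urlsplit(addr).hostname or "")
            except ValueError:
                findings.append(f"{name}: {addr} is not a literal IP address")
                continue
            if not any(ip in net for net in allowed):
                findings.append(f"{name}: {addr} is outside the LAN/VPN subnets")
    return findings

# Constructed sample: the desktop's view of the laptop, plus one leftover default.
SAMPLE = """<configuration>
  <device id="LAPTOP-ID-PLACEHOLDER" name="my_laptop">
    <address>tcp://192.168.0.70</address>
    <address>tcp://192.168.0.80</address>
    <address>tcp://192.168.1.90</address>
  </device>
  <device id="OTHER-ID-PLACEHOLDER" name="old_box"><address>dynamic</address></device>
  <options>
    <globalAnnounceEnabled>false</globalAnnounceEnabled>
    <relaysEnabled>false</relaysEnabled>
  </options>
</configuration>"""

if __name__ == "__main__":
    print("\n".join(audit(SAMPLE)) or "ok")
```

`config.xml` also lists the local device itself, normally with a `dynamic` address; pass its name in `skip` so it is not reported.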
