Configuration Experience

Purpose of this thread is to set out how I configured syncthing, firewalls and routers for a reasonably standard setup, including what issues I faced, to help others facing the same issues.

2 Linux laptops, 2 Androids on multiple sub-lans.
The two Androids sometimes leave the lans and connect via mobile data.

1 Separate Listening Ports

Initially all connections were via relay.

Unblocked port 22000 on the local firewalls
and opened port 21027 on the firewalls
→ local discovery worked.

But when the Androids left the lan they would only connect through a relay
(because by default the listening port 22000 was blocked by the routers).

I then unblocked and forwarded 22000 on the routers.
but that meant the device the router was forwarding packets on 22000 to was getting packets meant for other devices
leading to errors in the log:

“Connected to myself (ZRTMZYA-) - should not happen”

Then separated the listening ports for different devices,
eg device 1 = 26711, device 2 = 26722,…
forwarded them appropriately on the routers,
and allowed them through the firewalls.

This then enabled global discovery.

Note that I did not reuse 22000 to reduce the ease of attack
in case Syncthing in future is found to have a weakness.

Note that to change the listening ports on the Androids,
I had to use the web gui.

2 Changed listening addresses to tcp4

I changed all listing addresses to just tcp v4
eg tcp4://
Reason: by default the log shows tcp v6 addresses, which I don’t recognise or manage.
Most of my tcp4 addresses are statically assigned,
so when I see them in the log, I recognise them.
This made the log much easier for me to read.

3 Options

nat traversal = uPnP disabled - it is disabled on the routers as a security risk.

Relaying disabled - I should not need it and if a connection can’t happen directly without relaying, I would like to know it.

1 Like

4 What I tried that didn’t work - addressing

Specified a dynamic dns address for a device:
eg tcp4://

This connected ok at the network address
but of course local discovery did not work.

So I put two addresses in the address field for the device, separated by a comma,
a local lan address and a global address,
eg tcp4://, tcp4://

a discovery when a device was on the mobile network worked
b discovery when a device was on the same sublan worked
c discovery when a device was on a different ublan did not work.
I could have got c to work by adding a 3rd address and forwarding the listening ports on the 2nd sublan router
I concluded setting address = “dynamic” and the global discovery servers work so well
that there was no need to mess with this.

If the global discovery servers ever stopped working, well, I’d have to come back here.

Hope all this is helpful to someone.

1 Like

5 Overall

I am now using it instead of dropbox and am so far very happy.

I have much more control than I had with dropbox.

Most importantly I am not forced to allow it to self update,
which messes with my machine version control.

Privacy was less important to me than for some others
but control over my own machine was absolutely non-negotiable
and dropbox was starting to erode it.

1 Like