Configuration to Match Network?

Syncthing on my computer displays: Connection Type Relay (Client) with the red triangle with an exclamation mark (Connection via relays might be rate limited by the relay.) Currently I am connected via VPN. See explanation below.

My question is how to efficiently configure Syncthing in my network. We have about 100 users. One third are on the local network. The rest are remote. Sometimes they use VPN to connect to the network and sometimes they are independent from the network but always connected to the interweb ;o).

I currently have Syncthing running on a server on our main LAN. I am connected via VPN. I have yet to test off the VPN, because often my work requires I be on the VPN. RDP sessions… We are decoupling as many services as possible from the VPN by setting up HTTPS access to them. (On a side note, any suggestions for securing RDP off the VPN would be welcome.)

So far, I have one server running Syncthing and two remote users (including myself) running it. We are both connected via VPN.

I have the ability to try things like opening up external ports, etc… as long as I can justify and explain why :o)

I am pretty good at developing user oriented documentation. I like taking technical docs and creating reference documentation that stitches it together in a way that allows the user to achieve a goal. If you point me at the right documentation and describe what approach we are taking and why, I’d like to help create a few docs in this style.

If Syncthing can’t connect directly to a device, it uses a relay (which is normally rate limited). For direct connection the device must be either directly connected to the internet, or the router/firewall needs to open the port to the device (default port is 22000). It is sufficient if one of the two devices trying to connect has that open port.

For the devices to find each other, Syncthing uses local and global discovery. Local discovery uses broadcast/multicast to announce the IP and port to the network. Global discovery uses discovery servers to which the device announces the IP and port at which it is accessible from the internet.

I currently have Syncthing running on a server on our main LAN

If all devices sync with that server, opening the port to that server will suffice. But if the devices are a mesh, they will still connect to each other via relay. To force them to sync only to that server when they are not in local LAN, you can disable relay in the settings.

Thank you wweich!

So for optimal configuration (mesh) all devices should have port 22000 open?

Opening port 22000 on our server will allow direct connections to it. All other connections would be via relays unless port 22000 is open on each device. This will work while connected to the LAN…

To allow direct connections to the server while not on the LAN, does it need to be in a DMZ or will port forwarding on our LAN firewall suffice? I don’t know how the external IP used for port forwarding would be discovered. (I know there could be some fun back end routing magic going on?)

Hi Darren.

You can edit the remote device you want (your server) and specify in Addresses (supposing your LAN is 192.168.0.0)

tcp://192.168.0.1:22000, dynamic

This way it will try the LAN address first and then the dynamic one, which includes relays. This is very useful when it is not always connected to the VPN.

Of course, if you know the external ip of your server just add it to the list :wink:

tenorio


Port forwarding will work. Global discovery (afaik) uses the IP from which the device connects. If it can be reached on different IPs from the internet, you will have to make sure that it uses the correct one for contacting the discovery servers. As @perewa stated, you can set multiple addresses when editing remote devices in Syncthing. dynamic is for local and global discovery and relays (depending on the overall settings).
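The two settings the replies above describe (an ordered address list per remote device, with the LAN or VPN address before dynamic, and the option to switch relays off entirely) both live in Syncthing's config.xml. The script below is an added example, not from the thread or the Syncthing project: it rewrites those two settings in a constructed sample config. It assumes the config.xml layout of a `<device id=...>` element holding `<address>` children and an `<options><relaysEnabled>` flag (check against your own config file), that the device ID strings are placeholders rather than real IDs, and that Syncthing is stopped while the file is edited (otherwise it will overwrite the change on exit; the GUI or REST API is the safer route on a live instance).

```python
"""Added example: edit per-device address order and the relay switch in a
Syncthing config.xml. Not the project's own code; config layout is assumed."""
import re
import xml.etree.ElementTree as ET

# Constructed sample config, trimmed to the parts that matter here.
# Device IDs are placeholders, not real Syncthing device IDs.
SAMPLE_CONFIG = """<configuration version="37">
    <device id="SERVER-DEVICE-ID-PLACEHOLDER" name="fileserver" introducer="false">
        <address>dynamic</address>
    </device>
    <device id="LAPTOP-DEVICE-ID-PLACEHOLDER" name="laptop" introducer="false">
        <address>dynamic</address>
    </device>
    <options>
        <relaysEnabled>true</relaysEnabled>
    </options>
</configuration>
"""

# Convenience check for the address forms used in the thread: the literal
# "dynamic", or scheme://host:port for the tcp/quic schemes Syncthing accepts.
ADDRESS_RE = re.compile(
    r"^(?:dynamic|(?:tcp|tcp4|tcp6|quic|quic4|quic6)://\S+:\d{1,5})$"
)


def is_valid_address(addr: str) -> bool:
    """True if addr looks like something Syncthing will accept as a device address."""
    return ADDRESS_RE.match(addr) is not None


def _find_device(root: ET.Element, device_id: str) -> ET.Element:
    for dev in root.findall("device"):
        if dev.get("id") == device_id:
            return dev
    raise KeyError(f"device {device_id!r} not found in config")


def set_device_addresses(config_xml: str, device_id: str, addresses: list) -> str:
    """Replace the device's <address> entries with `addresses`, in the given order.

    Syncthing tries the list in order, so put the LAN/VPN address first and
    'dynamic' (discovery + relays) last, as the thread recommends."""
    bad = [a for a in addresses if not is_valid_address(a)]
    if bad:
        raise ValueError(f"invalid device address(es): {bad}")
    root = ET.fromstring(config_xml)
    dev = _find_device(root, device_id)
    for old in dev.findall("address"):
        dev.remove(old)
    for addr in addresses:
        ET.SubElement(dev, "address").text = addr
    return ET.tostring(root, encoding="unicode")


def set_relays_enabled(config_xml: str, enabled: bool) -> str:
    """Set <options><relaysEnabled>; false forces direct connections only,
    so remote devices reach the port-forwarded server but not each other."""
    root = ET.fromstring(config_xml)
    opts = root.find("options")
    if opts is None:
        opts = ET.SubElement(root, "options")
    flag = opts.find("relaysEnabled")
    if flag is None:
        flag = ET.SubElement(opts, "relaysEnabled")
    flag.text = "true" if enabled else "false"
    return ET.tostring(root, encoding="unicode")


def device_addresses(config_xml: str, device_id: str) -> list:
    """Read back the ordered address list for one device."""
    root = ET.fromstring(config_xml)
    return [a.text for a in _find_device(root, device_id).findall("address")]


def relays_enabled(config_xml: str) -> bool:
    """Read back the relay switch (defaults to True when the element is absent)."""
    flag = ET.fromstring(config_xml).find("options/relaysEnabled")
    return flag is None or (flag.text or "").strip().lower() == "true"


if __name__ == "__main__":
    server = "SERVER-DEVICE-ID-PLACEHOLDER"
    cfg = set_device_addresses(
        SAMPLE_CONFIG, server, ["tcp://192.168.0.1:22000", "dynamic"]
    )
    cfg = set_relays_enabled(cfg, False)
    print(device_addresses(cfg, server), relays_enabled(cfg))
```

Adding a third entry such as `tcp://externalip:22000` (the public address behind the port forward) before `dynamic` gives the order the thread settles on: LAN or VPN address, then the forwarded external address, then discovery and relays as the fallback.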

I have set it as: global, “tcp://externalip:22000”.

Do I have to do this as I add individual users? Or can I set this as a global policy?

From your description, I may not even require the second entry? Maybe I will test without it.

Well,

I prefer to always have my VPN addresses on the list. This is because eventually I go to places where I am blocked from non-standard ports, but I can use it through the VPN :wink:

tenorio
