Connection failure over VPN tunnel

Have syncthing running on my CentOS server, desktop can connect, phone can connect over WiFi/4G.

Don’t have a terribly large amount of trust in the 4G network or public WiFi networks so the phone is tunnelled through one of my other servers with OpenVPN. With the VPN connected syncthing never connects to the server and connections to 6/8 relays time out. Port 22000 TCP and 21027 UDP are forwarded via OpenVPN to the device, port 22000 is detected open by port scanners when syncthing is running (and only when its running) on the device so I’m certain that much is working.

On the desktop without the VPN active it connects via the router address:

[UU2B7] 17:44:39 INFO: Established secure connection to JWCLTFW at 192.168.0.5:49956-103.247.154.59:22067 (relay-server) (TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305)

On the desktop running the same OpenVPN .ovpn file as the phone is using; as you can see it is connecting from the VPN interface:

[UU2B7] 17:42:17 INFO: Established secure connection to JWCLTFW at 10.8.0.5:49569-62.210.207.27:22000 (tcp-client) (TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305)

On the phone without the VPN running:

[4UT5G] 07:53:57 INFO: Established secure connection to JWCLTFW-ONB7H4L-L6OSJ3J-WO4B4XX-JDIPEMZ-YH5OO72-DIID52U-X4ZH5QJ at 192.168.0.8:55882-62.210.207.27:22000 (tcp-client) (TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305)

On the phone with the VPN running, full log and config. The log was a link but I’m not allowed more than one per post for some reason.

[4UT5G] 08:03:06 INFO: Invalid IGD response: invalid device UUID upnp-InternetGatewayDevice-1_0-b07fb9699f13 (continuing anyway)
[4UT5G] 08:03:25 INFO: c.S.listenerSupervisor: Failed service 'dynamic+https://relays.syncthing.net/endpoint' (1.000000 failures of 2.000000), restarting: true, error: "{dynamic+https://relays.syncthing.net/endpoint dynamic+https://relays.syncthing.net/endpoint} returned unexpectedly", stacktrace: [unknown stack trace]
[4UT5G] 08:03:36 INFO: UPnP parse: Get http://192.168.0.1:80/RootDevice.xml: dial tcp 192.168.0.1:80: i/o timeout
[4UT5G] 08:03:36 INFO: Detected 0 NAT devices
[4UT5G] 08:03:45 INFO: c.S.listenerSupervisor: Failed service 'dynamic+https://relays.syncthing.net/endpoint' (1.629785 failures of 2.000000), restarting: true, error: "{dynamic+https://relays.syncthing.net/endpoint dynamic+https://relays.syncthing.net/endpoint} returned unexpectedly", stacktrace: [unknown stack trace]
[4UT5G] 08:04:05 INFO: Entering the backoff state.
[4UT5G] 08:04:05 INFO: c.S.listenerSupervisor: Failed service 'dynamic+https://relays.syncthing.net/endpoint' (2.026491 failures of 2.000000), restarting: false, error: "{dynamic+https://relays.syncthing.net/endpoint dynamic+https://relays.syncthing.net/endpoint} returned unexpectedly", stacktrace: [unknown stack trace]
[4UT5G] 08:04:28 INFO: Restarting
[4UT5G] 08:04:28 INFO: Exiting
[4UT5G] 08:04:28 INFO: syncthing v0.14.29 "Dysprosium Dragonfly" (go1.8 linux-arm64) felix@P50 2017-05-18 05:47:51 UTC [noupgrade]
[4UT5G] 08:04:28 INFO: My ID: 4UT5G35
[4UT5G] 08:04:29 INFO: Single thread SHA256 performance is 889 MB/s using minio/sha256-simd (72 MB/s using crypto/sha256).
[4UT5G] 08:04:30 INFO: Hashing performance with weak hash is 452.01 MB/s
[4UT5G] 08:04:30 INFO: Hashing performance without weak hash is 761.29 MB/s
[4UT5G] 08:04:30 INFO: Weak hash disabled, as it has an unacceptable performance impact.
[4UT5G] 08:04:30 INFO: Ready to synchronize "KeePass" (ihmnp-jatx6) (readwrite)
[4UT5G] 08:04:30 INFO: Send rate is unlimited, receive rate is unlimited
[4UT5G] 08:04:30 INFO: Rate limits do not apply to LAN connections
[4UT5G] 08:04:30 INFO: Using discovery server https://discovery-v4-2.syncthing.net/v2/?id=DVU36WY-H3LVZHW-E6LLFRE-YAFN5EL-HILWRYP-OC2M47J-Z4PE62Y-ADIBDQC
[4UT5G] 08:04:30 INFO: Using discovery server https://discovery-v4-3.syncthing.net/v2/?id=VK6HNJ3-VVMM66S-HRVWSCR-IXEHL2H-U4AQ4MW-UCPQBWX-J2L2UBK-NVZRDQZ
[4UT5G] 08:04:30 INFO: Using discovery server https://discovery-v4-4.syncthing.net/v2/?id=LYXKCHX-VI3NYZR-ALCJBHF-WMZYSPK-QG6QJA3-MPFYMSO-U56GTUK-NA2MIAW
[4UT5G] 08:04:30 INFO: Using discovery server https://discovery-v6-2.syncthing.net/v2/?id=DVU36WY-H3LVZHW-E6LLFRE-YAFN5EL-HILWRYP-OC2M47J-Z4PE62Y-ADIBDQC
[4UT5G] 08:04:30 INFO: TCP listener ([::]:22000) starting
[4UT5G] 08:04:30 INFO: Using discovery server https://discovery-v6-3.syncthing.net/v2/?id=VK6HNJ3-VVMM66S-HRVWSCR-IXEHL2H-U4AQ4MW-UCPQBWX-J2L2UBK-NVZRDQZ
[4UT5G] 08:04:30 INFO: Using discovery server https://discovery-v6-4.syncthing.net/v2/?id=LYXKCHX-VI3NYZR-ALCJBHF-WMZYSPK-QG6QJA3-MPFYMSO-U56GTUK-NA2MIAW
[4UT5G] 08:04:30 INFO: Completed initial scan (rw) of "KeePass" (ihmnp-jatx6)
[4UT5G] 08:04:31 INFO: Invalid IGD response: invalid device UUID upnp-InternetGatewayDevice-1_0-b07fb9699f13 (continuing anyway)
Using DNS servers: [61.9.211.1:53 61.9.211.33:53]
[4UT5G] 08:04:31 INFO: Device JWCLTFW is "helmetOverlord" at [tcp://helifreak.club]
[4UT5G] 08:04:31 INFO: Device 4UT5G35 is "ZTE A2017G" at [dynamic]
[4UT5G] 08:04:31 INFO: No automatic upgrades; STNOUPGRADE environment variable defined.
[4UT5G] 08:04:31 INFO: GUI and API listening on 127.0.0.1:8384
[4UT5G] 08:04:31 INFO: Access the GUI via the following URL: https://127.0.0.1:8384/
[4UT5G] 08:04:32 INFO: UPnP parse: Get http://192.168.0.1:80/RootDevice.xml: dial tcp 192.168.0.1:80: getsockopt: no route to host
[4UT5G] 08:04:41 INFO: Detected 0 NAT devices
[4UT5G] 08:04:51 INFO: c.S.listenerSupervisor: Failed service 'dynamic+https://relays.syncthing.net/endpoint' (1.000000 failures of 2.000000), restarting: true, error: "{dynamic+https://relays.syncthing.net/endpoint dynamic+https://relays.syncthing.net/endpoint} returned unexpectedly", stacktrace: [unknown stack trace]
[4UT5G] 08:05:11 INFO: c.S.listenerSupervisor: Failed service 'dynamic+https://relays.syncthing.net/endpoint' (1.629814 failures of 2.000000), restarting: true, error: "{dynamic+https://relays.syncthing.net/endpoint dynamic+https://relays.syncthing.net/endpoint} returned unexpectedly", stacktrace: [unknown stack trace]
[4UT5G] 08:05:31 INFO: Entering the backoff state.
[4UT5G] 08:05:31 INFO: c.S.listenerSupervisor: Failed service 'dynamic+https://relays.syncthing.net/endpoint' (2.026470 failures of 2.000000), restarting: false, error: "{dynamic+https://relays.syncthing.net/endpoint dynamic+https://relays.syncthing.net/endpoint} returned unexpectedly", stacktrace: [unknown stack trace]

Really not sure what the actual issue is here. I’ve tried setting the phone’s address to the VPN endpoint on the server, leaving it as dynamic, setting the listen address on the phone to the VPN endpoint, as well as leaving it as dynamic. I also forwarded a port through the VPN for an FTP server running on the phone as a test and it connected successfully.

Not sure it’s of any help but the desktop is running v0.14.30-rc.1, Windows (64 bit), the server is running v0.14.30-rc.1, Linux (64 bit) (previously v0.14.18, Linux (64 bit), with the same issue), and the phone is running v0.14.29, Linux (AArch64).
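Added example, not from the thread: a small Python checker for the "Established secure connection" lines in Syncthing's log, in the format quoted in the post above. It records whether each connection went direct or via a relay and flags any connection whose local side is not on the tunnel subnet, which is the check that matters when the whole point of the VPN is to keep Syncthing off untrusted 4G/Wi-Fi; it also counts the relay-pool listener failures. The sample lines are copied from the post, and the 10.8.0.0/24 tunnel subnet is an assumption inferred from the 10.8.0.5 address shown there.

```python
import ipaddress
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample, built from the log lines quoted in the post above.
SAMPLE_LOG = """\
[UU2B7] 17:44:39 INFO: Established secure connection to JWCLTFW at 192.168.0.5:49956-103.247.154.59:22067 (relay-server) (TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305)
[UU2B7] 17:42:17 INFO: Established secure connection to JWCLTFW at 10.8.0.5:49569-62.210.207.27:22000 (tcp-client) (TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305)
[4UT5G] 07:53:57 INFO: Established secure connection to JWCLTFW at 192.168.0.8:55882-62.210.207.27:22000 (tcp-client) (TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305)
[4UT5G] 08:03:25 INFO: c.S.listenerSupervisor: Failed service 'dynamic+https://relays.syncthing.net/endpoint' (1.000000 failures of 2.000000), restarting: true
"""

# Assumed tunnel subnet: 10.8.0.5 in the post points at OpenVPN's usual 10.8.0.0/24.
VPN_NET = ipaddress.ip_network("10.8.0.0/24")

CONN_RE = re.compile(
    r"^\[(?P<inst>\w+)\] (?P<time>\d\d:\d\d:\d\d) INFO: Established secure connection to "
    r"(?P<device>\S+) at (?P<local>\S+?)-(?P<remote>\S+) \((?P<transport>[\w-]+)\) \((?P<cipher>\S+)\)$"
)
RELAY_FAIL = "Failed service 'dynamic+https://relays.syncthing.net/endpoint'"

@dataclass
class Connection:
    device: str
    local_ip: str
    remote_ip: str
    remote_port: int
    transport: str   # tcp-client, tcp-server, relay-client, relay-server, ...
    via: str         # "relay" or "direct"
    path: str        # "vpn" when the local side is on the tunnel subnet, else "clear"

def split_hostport(hp: str):
    host, _, port = hp.rpartition(":")
    return host.strip("[]"), int(port)   # strip [] around IPv6 literals

def parse_connection(line: str, vpn_net=VPN_NET) -> Optional[Connection]:
    m = CONN_RE.match(line.strip())
    if not m:
        return None
    local_ip, _ = split_hostport(m["local"])
    remote_ip, remote_port = split_hostport(m["remote"])
    on_tunnel = ipaddress.ip_address(local_ip) in vpn_net
    return Connection(m["device"], local_ip, remote_ip, remote_port, m["transport"],
                      "relay" if m["transport"].startswith("relay") else "direct",
                      "vpn" if on_tunnel else "clear")

def audit(log: str, vpn_net=VPN_NET) -> List[Connection]:
    return [c for c in (parse_connection(l, vpn_net) for l in log.splitlines()) if c]

def off_tunnel(log: str, vpn_net=VPN_NET) -> List[Connection]:
    """Connections whose local side left via a non-tunnel interface."""
    return [c for c in audit(log, vpn_net) if c.path != "vpn"]

def relay_failures(log: str) -> int:
    return sum(RELAY_FAIL in l for l in log.splitlines())
```

Run it over the phone's log while the VPN is up: anything reported by off_tunnel means Syncthing dialled out over the untrusted network rather than through the tunnel.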

It seems one of your devices has hardcoded addresses configured which might not be accessible from the VPN or resolved incorrectly. Regardless, you should check how many listeners each device is advertising and what addresses the other side is discovering (they are shown even while disconnected) and see if there is a valid route. I think it should work if one side is behind a VPN, as it should still be able to dial out, as long as the other side is available on the internet.

Sorry about the delay in replying, been pretty busy with a server migration.

Good advice on looking at the discovered addresses while disconnected, turns out it was trying to connect over port 1385, after forwarding that port and rebooting the VPN it connected.

Bit of a confusing one as https://docs.syncthing.net/users/firewall.html doesn’t mention anything about that port.

1385 isn’t the default port for Syncthing - Syncthing uses 22000 by default.

Is 1385 your VPN port?

Syncthing picks a random port on first startup if 22000 is unavailable, could be that as well.

Yes, it uses 8384 for the GUI but not for actual connections. OpenVPN is connecting via UDP 1194.

It disconnected over night but after rebooting the VPN connection it connected back up on port 1385 again. Set a static connect address on the server for the phone and it’s going through port 22000 on the VPN address now and working fine - still it should be the server with a static address IMO.

It’s a bit weird but is (probably) fully working now. When the phone isn’t over the VPN tunnel, it uses the static address to connect to the server directly. When it is over the VPN tunnel, the server uses the static address to connect over the VPN address directly.