Corporate firewall, run Syncthing over port 53/443/...?

Hello everyone,

Does it make sense to run Syncthing on my server on port 53/443 or anything similar to bypass a corporate firewall that seems to block Syncthing otherwise?

Shouldn’t using the “relay” feature also handle this, since some relay servers already run on those ports?

Thanks!

They are blocking all outgoing traffic not on those ports? That’s odd and quite restrictive.

The standard advice is that you should work with your IT department to come up with a solution (and any attempt to skirt their firewall may be a violation of their corporate policies).

That said, I don’t think a relay is going to help unless there are relays operating on port 443. To provide more help, I think you will need to provide more details about the networks between the two systems running Syncthing that you’re trying to connect.

It is actually a hotel I am frequently in. So there isn’t much I can do… except booking a different hotel :stuck_out_tongue_winking_eye:

Yes, it seems like everything is blocked. Nothing worked (dnscrypt, OpenVPN, WireGuard, Fortinet VPN, Syncthing, …) except simple web browsing.

I run two servers with Syncthing to sync/backup to them. One is also my web/mail server in a datacenter and one is my home server, with a static IP as well.

So I am quite flexible in configuring them, as long as it doesn’t break the functionality of my web/mail server.

I would prefer to sync via my external web server, since I have configured the syncing to my home server via local network only.

It’s crazy that a hotel would be so restrictive. I mean, if they cater at all to business travelers they have to allow VPN access to a variety of VPN suppliers.

Seriously, I would talk to the front desk. The desk clerk won’t be able to help directly, but during the day they may have an IT person who can help. Unless of course the hotel is in China or another country with super restrictive Internet controls, at which point I wouldn’t bother.

Anyway, if you have control of the other end, you could possibly have your other Syncthing instance listen on 443. You may have to set up a static IP or dynamic DNS kind of thing and set the connection manually, since the hotel probably blocks communication with the discovery server too.

There are indeed a few relays on port 443 for roughly this reason. You can also have your own Syncthing listen on 443, preferably via a port forward to avoid having to listen on a privileged port. (Unless “get a better hotel” is an option; if I were to stay somewhere frequently, quality of connectivity would be high up on the list of deciding factors…)

Hmm, the thing is, on my web server port 443 is already in use. But it seems like the relays on port 443 didn’t help. Syncthing couldn’t connect from my laptop and also not from my smartphone. But does that mean that forcing Syncthing to use 443 via my web server wouldn’t work either?

Another solution could be: connect my laptop and smartphone via VPN (port 443 TCP) to my router (which is the OpenVPN server). Then I could let them sync directly. But for some reason the two devices do not find each other (configured with “dynamic”). But I can ping their local IPs. The OpenVPN has local network access.

I actually carry a travel router with me for hotels. It establishes a connection with my OpenVPN server at home and I have full connectivity with my home network. I never leave home intending to stay overnight somewhere without it. You may want to consider something similar. Find a decent WiFi extender with OpenWrt support and you can do this pretty easily. There’s an OpenWrt package called travelmate that will find your hotel network and automatically connect after you teach it the first time. If there’s no captive portal, you literally plug it in and it works. If there is, plug it in, wait 2 minutes, complete the captive portal from your phone, and the VPN connects and all your connectivity is established.

Something to consider.


Did you try running an OpenVPN server on 443/tcp? I doubt that they’re doing deep packet inspection.

To verify connectivity, you might want to try:

```
sudo traceroute --tcp --port=your_dest_port your_destination
```

If it doesn’t get there, …
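To complement the traceroute check above, here is a small probe script, added for this thread (it is not Syncthing project code), that tries a plain TCP handshake to your own server on each candidate port and then prints the static address list you would put into the remote device's entry in Syncthing instead of “dynamic”. The default port list (22000, 443, 53, 80) and the host name you pass on the command line are assumptions for the example. It needs no root, unlike `traceroute --tcp`. Caveat: a completed handshake on 443 only tells you the SYN got through; if a transparent proxy or your web server sits on that port, the Syncthing protocol may still not get through, so treat “open” as necessary, not sufficient.

```python
"""Probe which outbound TCP ports a restrictive network lets through before
reconfiguring Syncthing.  Added example for this thread, not Syncthing project
code; the candidate port list and the host you pass are assumptions."""
import argparse
import socket

DEFAULT_TIMEOUT = 3.0
# Candidate ports, constructed for this example: Syncthing's default (22000),
# the two the thread proposes (443, 53) and plain HTTP (80) as a control that
# should work on a network where "simple web browsing" works.
CANDIDATE_PORTS = (22000, 443, 53, 80)


def tcp_reachable(host, port, timeout=DEFAULT_TIMEOUT):
    """Return True when a TCP three-way handshake to host:port completes.

    A completed handshake only proves SYN/SYN-ACK got through: a transparent
    proxy on 443 may accept the connection and then drop anything that is not
    TLS/HTTP.  A refusal or timeout, on the other hand, reliably means the
    port is not usable from this network.
    """
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


def probe_ports(host, ports=CANDIDATE_PORTS, timeout=DEFAULT_TIMEOUT):
    """Map each candidate port to whether it is reachable, keeping the order
    the ports were given in (i.e. your order of preference)."""
    return {port: tcp_reachable(host, port, timeout) for port in ports}


def syncthing_addresses(host, results):
    """Static address list for the remote device entry in Syncthing's config.

    Replaces "dynamic", which depends on the discovery servers the network
    may also block.  Only ports that answered are listed, in probe order.
    """
    return [f"tcp://{host}:{port}" for port, ok in results.items() if ok]


def main():
    parser = argparse.ArgumentParser(description=__doc__)
    parser.add_argument("host", help="your server's DNS name or static IP")
    parser.add_argument("--ports", type=int, nargs="+",
                        default=list(CANDIDATE_PORTS))
    parser.add_argument("--timeout", type=float, default=DEFAULT_TIMEOUT)
    args = parser.parse_args()

    results = probe_ports(args.host, args.ports, args.timeout)
    for port, ok in results.items():
        print(f"{args.host}:{port:<6} {'open' if ok else 'blocked/timeout'}")
    addrs = syncthing_addresses(args.host, results)
    print("Syncthing device addresses:", ", ".join(addrs) or "(none reachable)")


if __name__ == "__main__":
    main()
```

Run it from the hotel network as `python3 probe.py your.server.example --ports 443 53 22000`; whatever comes back “open” is the port to expose Syncthing on (via a port forward or NAT redirect on the server side, so the daemon itself keeps listening on 22000 without privileges), and the printed `tcp://host:port` list goes into the device's Addresses field on the laptop and phone.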
