Further Information about Listen Addresses tcp4://0.0.0.0:22000

Hello there,

Background: I want to set up Syncthing and restrict any synchronization as well as visibility to my local home network (LAN) only → I would like to use it completely isolated from the internet. Therefore I’ve created a configuration, described in this thread, but I have a more in-depth question about the Sync Protocol Listen Addresses (configured in Actions > Settings > Connections):

Do I understand the documentation correctly?

  1. When setting it to "TCP IPv4 wildcard and port (tcp4://0.0.0.0:22000, tcp4://:22000)", the documentation says: These are equivalent and will result in Syncthing listening on all interfaces via IPv4 only.
    a. What exactly does this mean?
    b. Will Syncthing only listen on IPv4 addresses in my local home network or also on public IPv4 addresses in the internet?
    c. Depending on the answer to b. would you recommend me setting it to tcp4://0.0.0.0:22000 or rather setting it as described in 2.?
  2. When setting it to “TCP IPv4 address and port (tcp4://192.0.2.1:22000)”, I have to enter the IP address of the device that Syncthing is running on?

Thank you very much for your support!

The listening address does not limit which remote addresses can connect, unless the listening address is 127.0.0.1 (localhost only, no remote machines can connect). Leave it as :22000 and use firewalls or allowedNetworks to limit which addresses can connect.


Your computer uses so-called network interfaces for connectivity. If you have any type of ethernet cable or wifi card connected, you have at least one interface for this physical connection. In addition, modern computers will have lots of virtual interfaces: A loopback interface for same-machine traffic, interfaces for VPN networks and so on. If you are on a multi-homed machine with multiple physical connections, these typically also have their own interface.

Each (available) interface has at least one IP address, which is where your computer considers itself to be reachable on. In today’s NAT networks, this is often an RFC1918 address, though it doesn’t really matter.

By default, Syncthing listens on all interfaces = IP addresses your machine has available. This is generally what you want in most scenarios, except some special network setups.

This is commonly the same thing. In today’s NAT networks, your computer only has an RFC1918 address where it is reachable on. This applies for both LAN and WAN connections - most consumer IPv4 devices do not have a separate WAN IP. Your router has a WAN IPv4 address (if you’re not behind CG-NAT at least) which it transparently uses for internet-wide connections. This is completely invisible to your computer and Syncthing. The listen address will be the exact same, for both LAN and WAN connections. Restricting connections to certain networks (i.e. LAN) can only be done via firewalls, or alternatively allowedNetworks (see @calmh’s post above) should work as well.

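The two answers above make one point between them: the listen address only picks which local interface(s) accept connections, while limiting which remote machines may connect is a separate decision (a firewall or a per-device allowed-networks list). The following Python model, added here as an illustration and not code from Syncthing or from either poster, walks through exactly that distinction with constructed sample addresses. It treats `tcp4://0.0.0.0:22000` and `tcp4://:22000` as the IPv4 wildcard, a specific address as a single-interface bind, and `127.0.0.1` as loopback-only, and then applies a CIDR list the way an allowed-networks setting would (an empty list meaning "no restriction", which is an assumption made for this model).

```python
"""Model of how a listen address and an allowed-networks list interact.

This is an added illustration with constructed sample data, not Syncthing's
own implementation. Listen-address parsing follows the forms quoted in the
thread: tcp4://0.0.0.0:22000, tcp4://:22000, tcp4://192.0.2.1:22000.
"""
import ipaddress
from urllib.parse import urlsplit


def parse_listen_address(listen_addr):
    """Return (scheme, host, port). host is "" for tcp4://:22000."""
    parts = urlsplit(listen_addr)
    return parts.scheme, parts.hostname or "", parts.port


def is_wildcard(host):
    """Empty host or an all-zeros address means 'all interfaces'."""
    return host == "" or ipaddress.ip_address(host).is_unspecified


def bound_interfaces(listen_addr, local_ips):
    """Which of the machine's own IPs the listener actually binds to.

    tcp4 wildcard -> every local IPv4 address; tcp6 wildcard -> every IPv6;
    plain tcp wildcard -> both. A specific host binds only that address,
    and only if the machine really has it (otherwise nothing is bound).
    """
    scheme, host, _port = parse_listen_address(listen_addr)
    addrs = [ipaddress.ip_address(ip) for ip in local_ips]
    if is_wildcard(host):
        want = {"tcp4": {4}, "tcp6": {6}}.get(scheme, {4, 6})
        return [str(a) for a in addrs if a.version in want]
    return [host] if ipaddress.ip_address(host) in addrs else []


def peer_allowed(peer_ip, allowed_networks):
    """CIDR filter applied to the remote address of an incoming connection.

    Assumption for this model: an empty list imposes no restriction.
    """
    if not allowed_networks:
        return True
    addr = ipaddress.ip_address(peer_ip)
    return any(addr in ipaddress.ip_network(n, strict=False) for n in allowed_networks)


def simulate(listen_addr, local_ips, peers, allowed_networks=()):
    """Map each peer IP to whether a connection from it would be accepted.

    A remote peer can only reach a bound interface that is not loopback;
    a loopback peer can reach a loopback bind. After reachability, the
    allowed-networks filter decides.
    """
    bound = [ipaddress.ip_address(b) for b in bound_interfaces(listen_addr, local_ips)]
    result = {}
    for peer in peers:
        peer_addr = ipaddress.ip_address(peer)
        reachable = any(b.is_loopback == peer_addr.is_loopback for b in bound)
        result[peer] = reachable and peer_allowed(peer, allowed_networks)
    return result


if __name__ == "__main__":
    # Constructed sample: a machine with loopback and one RFC1918 LAN address,
    # a LAN peer, and a public peer whose traffic the router forwards to port 22000.
    local_ips = ["127.0.0.1", "192.168.1.10"]
    peers = ["192.168.1.20", "203.0.113.5"]
    print(simulate("tcp4://0.0.0.0:22000", local_ips, peers))
    print(simulate("tcp4://192.168.1.10:22000", local_ips, peers))
    print(simulate("tcp4://0.0.0.0:22000", local_ips, peers, ["192.168.1.0/24"]))
    print(simulate("tcp4://127.0.0.1:22000", local_ips, peers))
```

Running the script shows the three outcomes the thread describes: the wildcard and the specific LAN address both accept the public peer, because the forwarded WAN connection arrives on the same interface as LAN traffic; only the CIDR list (or a firewall) turns the public peer away; and a loopback-only listener rejects every remote machine.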