Further Information about Listen Addresses tcp4://0.0.0.0:22000

Hello there,

background: i want to setup Syncthing and restrict any synchronization aswell as visibility only to my local home network (LAN) → i would like to use it completely isolated from the internet. Therefore I’ve created a configuration, describe in this thread, but I have a more in depth question about the Sync Protocol Listen Addresses (configured in Actions → Settings → Conntections):

Do I understand the documentation correctly?

1. When settings it to " TCP IPv4 wildcard and port (tcp4://0.0.0.0:22000 , tcp4://:22000 )", the documentation says: These are equivalent and will result in Syncthing listening on all interfaces via IPv4 only.
   a. What exactly does this mean?
   b. Will syncthing only listen to ipv4 addresses in my local home network or also on public ipv4 addresses in the internet?
   c. Depending on the answer to b. would you recommend me setting it to tcp4://0.0.0.0:22000 or rather setting it as described in 2.?
2. When setting it to “TCP IPv4 address and port (tcp4://192.0.2.1:22000 )”, i have to enter the ip address of device that syncthing is running on?

Thank you very much for your support

The listening address does not limit which remote addresses can connect, unless the listening address is 127.0.0.1 (localhost only, no remote machines can connect). Leave it as :22000 and use firewalls or allowedNetworks to limit which addresses can connect.

Your computer uses so-called network interfaces for connectivity. If you have any type of ethernet cable or wifi card connected, you have at least one interface for this physical connection. In addition, modern computers will have lots of virtual interfaces: A loopback interface for same-machine traffic, interfaces for VPN networks and so on. If you are on a multi-homed machine with multiple physical connections, these typically also have their own interface.

Each (available) interface has at least one IP address, which is where your computer considers itself to be reachable on. In today’s NAT networks, this is often an RFC1918 address, though it doesn’t really matter.

By default, syncthing listens on all interfaces = IP adresses your machine has available. This is generally what you want in most scenarios, except some special network setups.

This is commonly the same thing. In today’s NAT networks, your computer only has an RFC1918 address where it is reachable on. This applies for both LAN and WAN connections - most consumer IPv4 devices do not have a separate WAN IP. Your router has a WAN IPv4 address (if you’re not behind CG-NAT at least) which it transparently uses for internet-wide connections. This is completly invisible to your computer and syncthing. The listen address will be the exact same, for both LAN and WAN connections. Restricting connections to certain networks (i.e. LAN) can only be done via firewalls, or alternatively allowedNetworks (see @calmh’s post above) should work as well.

I’d wish to clarify what may not be so obvious, still.

The 0.0.0.0 address will effectively make the server software (Syncthing, in this case) bind its server port to all interfaces. Basically; any physical path into the machine.

So, that sounds alarming, no?

No! Absolutely not. Because most consumer devices are likely sitting behind a router (or call it a “forward proxy”, as opposed to the “reverse proxy” commonly found sitting in front of servers).

The router has a public IP, yes, but the devices behind the router (e.g. your computer, a couple of phones, maybe even a fridge these days lol) do not. Had that been the case, given the large number of devices we have, internet would’ve crashed a long time ago because of an insufficient amount of available public addresses (as it pertains to IPv4).

Hence, only the router has a public address, and the router will through magic port mapping forward traffic it receives to the intended [but not public] device behind it.

For example. Suppose a web browser wants to retrieve a web page. The browser sends out some packages or whatever, which goes through the router. The packages sent from the computer has a local source address which is not public (i.e. it’s local, router-internal, private IP).

But before forwarding these packages out into the great unknown internet, the router hacks the source address to become its own public IP in combination with a unique port which is designated for the sending device in question.

The router will internally keep a routing table (hence the name, I think), such that it knows “hey when I get traffic coming back destined for my public IP and such and such magic port that I reserved, then I know to forward the traffic to device X”.

Server software (again, Syncthing in this case!), unlike a client’s outbound connection (implicitly), does not in any shape or form preannounce to the router its willingness to connect to and talk with the outer world. And so normally, the server will just sit there patiently awaiting new client connections which never arrives, because it’s just not reachable; should incoming client connection requests hit a particular port blah blah on the router which the router does not know about it will simply discard them.

In the old world, what one had to do was to manually go and configure the router like “hey, when traffic comes in on port blah blah, please forward this to device X port Y”, and voila, the server software is now reachable.

In today’s world, we have certain methods to try to make that configuration happen automagically, which is what is meant by “NAT traversal”.

In conclusion; if global discovery, relay servers, NAT traversal, and version updates are all turned off, then Syncthing should in theory only be running on the local network.

Now I say in “theory”, because I noticed through monitoring my network that Syncthing was still trynna’ reach public servers to query what new software versions may be available. I cannot explain that one, given how I disabled automagic version updates in Syncthing.

Suffice it to say that my firewall is blocking all traffic that I do not explicitly approve lol, and this is just one example of how important such firewall configuration is! All software is inherently unreliable.