I have the following problem on a machine in the office that receives files from other machines spread across other states in the country. So far I only have one machine connected in another state, but its connection type is WAN relay, which from what I’ve seen and researched is bad. My question is, is there any way I can put another type of connection on these machines, using a TCP WAN connection for example, or using a LAN with a VPN?
Sure, that is possible. In short you ‘just’ need to make sure that both devices can reach each other directly on the specific ports used by Syncthing. If that’s possible, then no relay would be required.
I (hopefully safely) assume that firewalls are in place and in use, so please make sure to take a look at Firewall Setup — Syncthing documentation
Yes. There are some options. There are free and paid choices. I only have limited experience with products and I have not used any of that cost money so I can’t speak to how much better they might work than a free solution.
Search Google for things like encrypted tunnel, Mesh Net, etc…
If you have total control over the routers on each side you can try using the simple SSH Tunnel that forwards the Syncthing port over the tunnel. This requires port forwarding on each end.
Here are some SSH instructions I just came across. It will need some customization I’m sure. What is SSH Tunnel, SSH Reverse Tunnel and SSH Port Forwarding?
Personally I use a free software called Meshnet. You can Google it. It is not super fast but it will almost certainly be faster than random relay servers.
Here is another I have not yet tried:
First step before going down this route is to investigate the firewall/router configuration. You don’t fundamentally need to install any software, free or otherwise, to solve this problem unless you determine that the firewall rules can’t be changed because of your company’s policy. And if so, they probably don’t want you installing an unauthorized VPN.
Check the router. If you don’t have access to it check with the IT guys that control it and send them the firewall config link.
See how far that gets you.
Correct, go for the least obtrusive option first. If they’re both home routers and the person has permission to modify both of them, that would be a good way to go. Some routers even have dynamic DNS built in.
My software has an optional VPN that I do not use; it is strictly a private TCP/IP encrypted tunnel that gives each Syncthing server its own unique IP address on the same network.
And yes unfortunately some corporations are fussy about employees installing software that hasn’t been pre-approved.
That’s why the first step should be an SSH tunnel using OpenSSH on each machine. That way there shouldn’t be any problems with installing any third-party software, really, considering that if the machine is Windows, it’s built into the operating system.
When you talk about the two devices reaching each other, are you talking about having ports on the router that allow the sync connection, which from what I understand are ports 22000 TCP/UDP? Is just determining the router ports enough to improve the connection?
It’s enough to set up port forwarding in one location.
Just kindly ask your admin
Read the docs that bt90 posted. There are a few options there.
Say the router at location A has an external IP address of 192.168.20.20
On that router, you want to set up a port forwarding rule that forwards all inbound TCP packets on port 22000 to the internal IP address of the Syncthing server on port 22000.
Then, on the Syncthing server at location B, you tell the software that the server at location A is located at tcp://192.168.20.20:22000
I don’t know why you would not need to do this in both directions. I have ports forwarded on each external router.
Here are the Syncthing docs for establishing a secure ssh tunnel.
If you do not have control over the routers and how they are able to port forward then this is an option that won’t work. The router would need to port forward the inbound ssh connection to the internal Syncthing server.
This documentation does not specifically cover how to do this over the Internet however I can assist you with those questions if you have them.
Autossh - keeps ssh tunnel active and alive.
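The SSH tunnel approach above, as an added example that is not part of the forum post or the Syncthing docs: a small bash script for location B that builds a persistent autossh command forwarding a local port to the Syncthing listener at location A, validates the `tcp://host:port` address you would then enter for device A in Syncthing, and checks whether a port is reachable. The remote host name `locationA.example.com`, the SSH user `syncuser` and the local port 22001 are assumptions; it also assumes location A’s router forwards inbound SSH to the host running Syncthing.

```shell
#!/usr/bin/env bash
# Added example, not the project's own code. Assumes (hypothetical): location A's
# router forwards TCP 22 to the Syncthing host, SSH user "syncuser", and the
# remote Syncthing listener is on TCP 22000. Syncthing at location B is then
# pointed at tcp://127.0.0.1:<local_port> instead of a relay.

# Print the autossh command that keeps the tunnel alive. -M 0 disables
# autossh's own monitor port and relies on OpenSSH keepalives instead;
# ExitOnForwardFailure makes a failed -L forward terminate ssh so autossh
# restarts it rather than leaving a useless session.
tunnel_cmd() {
    local remote_host="$1" ssh_user="$2" local_port="${3:-22001}" remote_port="${4:-22000}"
    printf 'autossh -M 0 -N -o ServerAliveInterval=30 -o ServerAliveCountMax=3 -o ExitOnForwardFailure=yes -L %s:127.0.0.1:%s %s@%s' \
        "$local_port" "$remote_port" "$ssh_user" "$remote_host"
}

# Validate a Syncthing device address of the form tcp://host:port (port 1-65535).
# Returns 0 when valid, 1 otherwise.
valid_address() {
    local addr="$1" port
    case "$addr" in
        tcp://*:*) ;;
        *) return 1 ;;
    esac
    port="${addr##*:}"
    case "$port" in ''|*[!0-9]*) return 1 ;; esac
    [ "$port" -ge 1 ] && [ "$port" -le 65535 ]
}

# Check whether host:port accepts a TCP connection (bash /dev/tcp, 3 s timeout).
# Useful to confirm the tunnel's local end is up before pointing Syncthing at it.
port_reachable() {
    timeout 3 bash -c "exec 3<>/dev/tcp/$1/$2" 2>/dev/null
}

# Usage: ./tunnel.sh --run   (only prints the command and checks the address;
# run the printed command yourself, e.g. under a systemd service or screen).
if [ "${1:-}" = "--run" ]; then
    addr="tcp://127.0.0.1:22001"
    valid_address "$addr" || { echo "bad device address: $addr" >&2; exit 1; }
    echo "Set device A's address in Syncthing to $addr and start the tunnel with:"
    tunnel_cmd locationA.example.com syncuser 22001 22000
    echo
    if port_reachable 127.0.0.1 22001; then
        echo "tunnel port 22001 is reachable"
    else
        echo "tunnel port 22001 is not reachable yet"
    fi
fi
```

Once the tunnel is up, `port_reachable 127.0.0.1 22001` should succeed, and the device at B connects to A over the forwarded port; as noted earlier in the thread, one direction is enough because the established TCP connection carries traffic both ways.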
The port forwarding only needs to be set up on one side because each Syncthing instance will try to reach the other, and the first successful connection is sufficient. It is always full-duplex, meaning packets can go in both directions through the router, once a connection is established. Opening ports on both sides is fine and welcome, as it increases the probability that any connection at all succeeds.
Thanks for the explanation. Makes perfect sense now!
Looks like your port forwarding is either not configured correctly or your provider is using CGNAT. To rule out the latter, which provider are you using?
A 32-bit version of Syncthing is also not going to improve speeds. Large databases in particular like a 64-bit build, and the memory situation will be a lot better if your hardware has some gigs to spare.