How to exclude Syncthing from using VPN


(Mannshoch) #1

Could I somehow exclude a VPN from being used by Syncthing for discovering new clients?


How to disable connecting over a specific network interface? (like hamachi or another VPN)


(Jakob Borg) #2

If you can specify the networks it should be allowed to use, you can maybe use the new “allowed subnets” setting per device in 0.14.27.


(Mannshoch) #3

I thought it's maybe easier to exclude the network I do not want instead of allowing the rest of the Internet.

Should that look like that? 255.0.0.0/8, 254.0.0.0/8 … 11.0.0.0/8, 9.0.0.0/8, … 1.0.0.0/8

It seems to be a bit much to allow 254.*.*.* IP-addresses to exclude 10.10.*.*


(Jakob Borg) #4

Yeah, that’s a bit cumbersome. You can aggregate a bit; 32.0.0.0/3, 64.0.0.0/2, 128.0.0.0/1 will cover all of 32.0.0.0-255.255.255.255 for example. But it’s still a quite sucky way to do it. The details around 10.10.10.0/24 or whatever are no fun to do manually.

File a feature request - negative entries are a no-brainer here, really.


(Mannshoch) #5

Is there maybe a way to block these addresses by system rules? Maybe with SystemD, a firewall or something else? In many applications there is a way to set up the interfaces applications could use. Is there a way in Syncthing to block it that way?


(Jakob Borg) #6

You can set the sync protocol listen address to an address specific to your LAN adapter, if you have a static IP on it. That won’t prevent Syncthing from connecting out to other addresses though, and depending on routing it may still accept connections to it from the VPN.


(Mannshoch) #7

You speak about this one? default

Could I also enter two addresses (one WLAN and one LAN)? I miss a doc page for this option.


(Jakob Borg) #8

Yes. There is a “Help” link on that field that takes you to the doc entry.

But negative ACL entries are simple, so I filed a pull request on it for you:


(Mannshoch) #9

Thanks!


(Jakob Borg) #10

This is now in 0.14.28-rc.1 if you want to test it. Set the allowed subnets to !10.10.0.0/16, 0.0.0.0/0 for the device in question.
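
An added example in Go, not Syncthing's own code and not part of any post in this thread: it evaluates a list such as `!10.10.0.0/16, 0.0.0.0/0` and also generates the positive-only list that the earlier replies found cumbersome to write by hand. First-match-wins ordering, fail-closed handling of bad input, the function names and the sample addresses are assumptions made for this illustration.

```go
package main

import (
	"fmt"
	"net/netip"
	"strings"
)

// allowed checks ip against an allowed-networks list. Assumed semantics: entries
// are tried in order, the first prefix containing ip decides, "!" marks a deny
// entry, and unmatched or unparsable input is denied (fail closed).
func allowed(ip string, list []string) bool {
	addr, err := netip.ParseAddr(ip)
	for _, entry := range list {
		entry = strings.TrimSpace(entry)
		p, perr := netip.ParsePrefix(strings.TrimPrefix(entry, "!"))
		if err != nil || perr != nil {
			return false
		}
		if p.Contains(addr) {
			return !strings.HasPrefix(entry, "!")
		}
	}
	return false
}

// positiveOnly lists the IPv4 prefixes covering parent minus hole: the list to
// type in when "!" entries are unavailable. hole must lie inside parent.
func positiveOnly(parent, hole string) []string {
	cur, h := netip.MustParsePrefix(parent).Masked(), netip.MustParsePrefix(hole).Masked()
	var out []string
	for cur.Bits() < h.Bits() {
		n := cur.Bits() // bit that splits cur into a lower and an upper half
		a := cur.Addr().As4()
		a[n/8] |= byte(0x80) >> (n % 8)
		lo, hi := netip.PrefixFrom(cur.Addr(), n+1), netip.PrefixFrom(netip.AddrFrom4(a), n+1)
		if lo.Contains(h.Addr()) {
			lo, hi = hi, lo // emit the half without the hole, keep splitting the other
		}
		out, cur = append(out, lo.String()), hi
	}
	return out
}

func main() {
	acl := []string{"!10.10.0.0/16", "0.0.0.0/0"} // value from the thread
	fmt.Println(allowed("10.10.3.4", acl), allowed("192.168.1.20", acl)) // constructed addresses
	fmt.Println(positiveOnly("0.0.0.0/0", "10.10.0.0/16"))
}
```

Under the assumed ordering, a deny entry placed after `0.0.0.0/0` never takes effect, so the `!` entry has to come first.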


(Mannshoch) #11

Great :slight_smile: :+1:

Sorry I’m not able to test it.


(Tom Staels) #12

Am I on the wrong version, or is this not working?

[GRRPC] 10:52:32 INFO: syncthing v0.14.28 “Dysprosium Dragonfly” (go1.8.1 windows-amd64) jenkins@build.syncthing.net 2017-05-06 15:36:12 UTC

[GRRPC] 11:16:10 INFO: Listener for !10.5.1.0/24: unknown address scheme ""
[GRRPC] 11:16:10 INFO: Listener for 0.0.0.0/0: unknown address scheme ""
[GRRPC] 11:16:10 INFO: Disconnected from relay relay://95.97.92.221:22067
[GRRPC] 11:16:10 INFO: TCP listener ([::]:22000) shutting down

(Audrius Butkevicius) #13

You’ve put the networks in the wrong field


(Tom Staels) #14

Right, this should be entered in the field: Actions/Advanced/Device “YourRemoteDevice”/allowedNetworks


(John Statler) #15

Is this in the newest version yet?

And, I too would like the negative … I need to not use 10.22.0.x

Thanks. I’m almost ready to report on my success with Syncthing.


(Jakob Borg) #16

Yes

