How to exclude Syncthing from using VPN

Could I somehow exclude a VPN from being used by Syncthing for discovering new clients?

If you can specify the networks it should be allowed to use, you can maybe use the new “allowed subnets” setting per device in 0.14.27.

I thought it's maybe easier to exclude the network I do not want instead of allowing the rest of the Internet.

Should that look like that? 255.0.0.0/8, 254.0.0.0/8 … 11.0.0.0/8, 9.0.0.0/8, … 1.0.0.0/8

It seems to be a bit much to allow 254...* IP-addresses to exclude 10.10..

Yeah, that’s a bit cumbersome. You can aggregate a bit; 32.0.0.0/3, 64.0.0.0/2, 128.0.0.0/1 will cover all of 32.0.0.0-255.255.255.255 for example. But it’s still a quite sucky way to do it. The details around 10.10.10.0/24 or whatever are no fun to do manually.

File a feature request - negative entries are a no-brainer here, really.

Is there maybe a way to block these addresses by system rules? Maybe with systemd, a firewall or something else? In many applications there is a way to set up the interfaces applications could use. Is there a way in Syncthing to block it that way?

You can set the sync protocol listen address to an address specific to your LAN adapter, if you have a static IP on it. That won’t prevent Syncthing from connecting out to other addresses though, and depending on routing it may still accept connections to it from the VPN.

You speak about this one? default

Could I also enter two addresses (one WLAN and one LAN)? I miss a doc page for this option.

Yes. There is a “Help” link on that field that takes you to the doc entry.

But negative ACL entries are simple, so I filed a pull request on it for you:

Thanks!

This is now in 0.14.28-rc.1 if you want to test it. Set the allowed subnets to !10.10.0.0/16, 0.0.0.0/0 for the device in question.

Great 🙂 👍

Sorry I’m not able to test it.

Am I on the wrong version, or is this not working?

[GRRPC] 10:52:32 INFO: syncthing v0.14.28 “Dysprosium Dragonfly” (go1.8.1 windows-amd64)jenkins@build.syncthing.net 2017-05-06 15:36:12 UTC
[GRRPC] 11:16:10 INFO: Listener for !10.5.1.0/24: unknown address scheme ""
[GRRPC] 11:16:10 INFO: Listener for 0.0.0.0/0: unknown address scheme ""
[GRRPC] 11:16:10 INFO: Disconnected from relay relay://95.97.92.221:22067
[GRRPC] 11:16:10 INFO: TCP listener ([::]:22000) shutting down

You’ve put the networks in the wrong field.

Right, this should be entered in the field: Actions/Advanced/Device “YourRemoteDevice”/allowedNetworks
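An added example, not part of the original thread and not Syncthing's own code: it computes the allow-only list that 0.14.27 would have needed to leave out 10.10.0.0/16, and compares it with the negated form from 0.14.28. The function names are hypothetical, and the evaluator assumes rules are checked in order with the first match deciding, which is consistent with the negated entry being listed before 0.0.0.0/0 above.

```python
import ipaddress

def complement(excluded, universe="0.0.0.0/0"):
    """Smallest CIDR list covering `universe` minus `excluded`."""
    uni = ipaddress.ip_network(universe)
    exc = ipaddress.ip_network(excluded)
    return [str(n) for n in sorted(uni.address_exclude(exc))]

def parse_rules(field):
    """Split a comma-separated allowed-networks value into a rule list."""
    return [r.strip() for r in field.split(",") if r.strip()]

def is_allowed(addr, rules):
    """Assumed semantics: first matching rule wins, '!' denies, no match denies."""
    ip = ipaddress.ip_address(addr)
    for rule in rules:
        deny = rule.startswith("!")
        net = ipaddress.ip_network(rule.lstrip("!"))
        if ip.version == net.version and ip in net:
            return not deny
    return False

# Value from the thread for 0.14.28 and later.
NEGATED = parse_rules("!10.10.0.0/16, 0.0.0.0/0")
# Equivalent allow-only list for 0.14.27 (16 entries).
ALLOW_ONLY = complement("10.10.0.0/16")

if __name__ == "__main__":
    print(", ".join(ALLOW_ONLY))
    # Constructed sample peer addresses: one on the VPN, one on the LAN.
    for peer in ("10.10.3.4", "192.168.1.20"):
        print(peer, is_allowed(peer, NEGATED), is_allowed(peer, ALLOW_ONLY))
```

Swapping the two entries of the negated list makes 0.0.0.0/0 match first, so the VPN range is no longer excluded.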

Is this in the newest version yet?

And, I too would like the negative … I need to not use 10.22.0.x

Thanks. I’m almost ready to report on my success with Syncthing.

Yes

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.