outbound traffic origin ports

Does outbound traffic from Syncthing follow a straightforward pattern such that I can mark it with a firewall rule?

I’m asking because I have two hosts at different physical locations which are behind an always-on VPN at each location, so UPnP etc doesn’t work, and they are stuck relaying. However, if outbound Syncthing traffic follows a specific pattern, I can tag it to bypass the VPN and thus prevent fallback to relaying.

This seems to work for Tailscale: when I mark all UDP traffic originating from port 41641 to bypass the VPN, Tailscale does not fall back to relaying.

However, marking all TCP+UDP traffic originating from port 22000 to bypass the VPN does not work so well for Syncthing. The hosts connect at first with a non-relayed connection, but no data is transferred and the connection times out. I’m guessing that once the hosts link up, the actual data transfer is accomplished via traffic which does not originate from port 22000.

It’d be nice if there were an easy way to mark outbound Syncthing traffic coming from behind a router for this reason. I know it’s an edge case, so if it’s not possible, it’s not possible, but maybe there are additional mark rules I could add to my firewall to handle all outbound traffic?

There aren’t enough details about the setup (e.g. operating system?), but configuring Syncthing to only bind to specific network interfaces should be enough. The “default” setting binds to all available interfaces.

AFAIK we’re dialing from our listener port.

Some connections will come from the listener port, some won’t. It’s not clear to me why you’d want or need to use the source port for classification here, as opposed to directing the traffic towards the respective destinations…
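As an added example that is not part of this thread and not Syncthing's own documentation: one way to classify the traffic by its destination, as the reply above suggests, instead of by local source port. It tags new connections to a peer's listener port (22000 by default, TCP and UDP for QUIC) and lets conntrack carry the tag across every packet of the flow, so the later data transfer is routed the same way even when it does not originate from port 22000. The peer addresses, the mark value 0x10, the routing table number 100 and the file path are assumptions.

```nft
# /etc/nftables.d/syncthing-bypass.nft (hypothetical path)
# Mark new outbound connections to a peer's Syncthing listener (default 22000,
# TCP and QUIC/UDP) and carry that mark on every packet of the connection via
# conntrack, so replies and later packets are classified regardless of the
# local source port. 0x10, table 100 and the peer addresses are assumed values.
table inet syncthing_bypass {
    set peers {
        type ipv4_addr
        # Constructed example addresses; replace with the real peer WAN addresses.
        elements = { 203.0.113.10, 198.51.100.20 }
    }

    chain output {
        # "route" type so that setting the mark triggers a re-route lookup.
        type route hook output priority mangle; policy accept;

        # Restore the connection mark on every packet of an already-tagged flow.
        ct mark 0x10 meta mark set ct mark

        # Tag new outbound connections to a known peer's listener port and save
        # the mark in conntrack so the rest of the flow inherits it.
        ct state new ip daddr @peers tcp dport 22000 meta mark set 0x10 ct mark set meta mark
        ct state new ip daddr @peers udp dport 22000 meta mark set 0x10 ct mark set meta mark
    }
}
```

Load it with `nft -f` and pair it with a policy-routing rule such as `ip rule add fwmark 0x10 table 100` and a default route in table 100 via the non-VPN uplink (gateway and interface names are site-specific). Both hosts need the equivalent rule set, since each one dials the other; this only covers connections this host initiates, and connections the peer dials into this host follow whatever path reached them. Dropping the `ip daddr @peers` match makes the rule apply to any destination port 22000, which is simpler but assumes nothing else on the network uses that port.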