Private Relay Server w/ no local and IPv4, IPv6

Hello,

I recently set up a private relay server on a VPS. Everything is working correctly over 443 and my nodes are connecting to each other just fine. However, it seems they default to the relay. Under the Sync Protocol Listen Addresses, should I put dynamic prior to my relay address? If my nodes are all local I'd like for them to make the connection via a local address prior to reaching out to the relay.

I have Enable NAT traversal, Local Discovery, and Enable Relaying currently turned on in my GUI and the relay server is the only thing in the listeners.

Last question are there any characters we should not be using or a maximum bit length for the token with the private relay?

Thanks!

If a device is only listening via the relay server, it can only be reached via that relay server.

Not dynamic (that would be for remote devices - you can’t discover your own listen address), but tcp://:22000 if you want incoming TLS on syncthing’s default port (22000).

It's just a UTF-8 string being sent over the wire, so nothing in particular. You may run into URL-encoding issues if you use special characters though, those may need escaping.
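The URL-encoding point above, as an added worked example (this is not code from the original thread or from the Syncthing project): the relay token travels inside the query string of a `relay://host:port/?id=...&token=...` address, so characters a URL parser treats as delimiters (`&`, `=`, `#`, whitespace) must be percent-encoded. The relay host name, the device ID and the token below are constructed placeholders.

```python
from urllib.parse import urlsplit, parse_qs, urlencode

# Constructed placeholders; not a real relay host or device ID.
RELAY_HOST = "relay.example.org"
RELAY_ID = "RELAY00-0000000-0000000-0000000-0000000-0000000-0000000-0000000"


def build_relay_url(host, port, relay_id, token):
    """Relay address with the token percent-encoded.

    urlencode() escapes '&', '=', '#', spaces and non-ASCII bytes (as UTF-8),
    so any token survives the trip through the query string.
    """
    query = urlencode({"id": relay_id, "token": token})
    return f"relay://{host}:{port}/?{query}"


def build_relay_url_naive(host, port, relay_id, token):
    """Same address with the token pasted in raw: fine for [A-Za-z0-9-_.~],
    wrong for anything a URL parser treats as a delimiter."""
    return f"relay://{host}:{port}/?id={relay_id}&token={token}"


def parse_relay_url(url):
    """Split a relay:// URL the way any URL-aware consumer would."""
    parts = urlsplit(url)
    if parts.scheme != "relay":
        raise ValueError(f"not a relay address: {url}")
    q = parse_qs(parts.query, keep_blank_values=True)
    return {
        "host": parts.hostname,
        "port": parts.port,
        "id": q.get("id", [None])[0],
        "token": q.get("token", [None])[0],
    }


if __name__ == "__main__":
    # Constructed token containing '&', '=', a space and a non-ASCII character.
    token = "s3cret&key=ü 1"
    good = build_relay_url(RELAY_HOST, 443, RELAY_ID, token)
    bad = build_relay_url_naive(RELAY_HOST, 443, RELAY_ID, token)
    print(good)
    print(parse_relay_url(good)["token"])  # the full original token
    print(parse_relay_url(bad)["token"])   # cut off at the first '&'
```

The naive form silently truncates the token at the first `&`, so the relay rejects the connection while the configured string looks correct; the encoded form round-trips. Tokens made only of letters, digits, `-`, `_`, `.` and `~` need no escaping.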

Thanks for the tips.

So, adding the below tcp:// to my Sync Protocol Listen Addresses will first attempt to discover sync nodes on its locally assigned subnet, then after exhausting that it will look for the relay?

TCP wildcard and port (tcp://0.0.0.0:22000, tcp://:22000) These are equivalent and will result in Syncthing listening on all interfaces, IPv4 and IPv6, on the specified port.

Yes, syncthing can be configured this way. Assuming you haven't explicitly configured the remote device's address on a device (it's "dynamic"): Syncthing will use local and, if enabled, global discovery to discover potential addresses to connect on. This includes LAN IP addresses and ports, but also relay addresses. Syncthing will then attempt connections to each of the discovered addresses, prioritizing local connections over WAN connections and WAN connections over relay connections.
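The ordering described above (LAN before WAN before relay, with "dynamic" standing for whatever discovery found), as an added illustration in Python. This is a simplified model written for this page, not Syncthing's own connection code, and the priority values, host names and device ID are constructed placeholders.

```python
import ipaddress
from urllib.parse import urlsplit

# Simplified priority classes (lower is tried first). An illustration of the
# ordering described in the thread, not Syncthing's internal priority values.
LAN, WAN, RELAY = 0, 1, 2

# Constructed discovery result for one remote device (placeholder hosts and ID).
DISCOVERED = [
    "relay://relay.example.org:443/?id=RELAY00-0000000-0000000-0000000-0000000-0000000-0000000-0000000",
    "tcp://192.168.1.20:22000",
    "tcp://[fd00::1]:22000",
    "tcp://home.example.net:22000",
]


def classify(addr):
    """Map one address to a priority class by scheme and host type."""
    parts = urlsplit(addr)
    if parts.scheme == "relay":
        return RELAY
    if parts.scheme not in ("tcp", "tcp4", "tcp6", "quic", "quic4", "quic6"):
        raise ValueError(f"unsupported address scheme: {addr}")
    try:
        ip = ipaddress.ip_address(parts.hostname)
    except ValueError:
        return WAN  # a DNS name; assume it points outside the LAN
    if ip.is_private or ip.is_link_local or ip.is_loopback:
        return LAN
    return WAN


def candidate_addresses(configured, discovered):
    """Expand a device's configured address list into the ordered list of
    addresses to try. The literal "dynamic" entry means "whatever local or
    global discovery found"; explicit entries are kept as given."""
    expanded = []
    for a in configured:
        expanded.extend(discovered if a == "dynamic" else [a])
    seen, unique = set(), []
    for a in expanded:
        if a not in seen:
            seen.add(a)
            unique.append(a)
    # sorted() is stable: within a class, discovery order is preserved
    return sorted(unique, key=classify)


if __name__ == "__main__":
    for a in candidate_addresses(["dynamic"], DISCOVERED):
        print(classify(a), a)
```

With only "dynamic" configured, the two LAN addresses (IPv4 RFC 1918 and IPv6 ULA) come first, the WAN host name second and the relay last; an explicitly configured relay address is still sorted behind any direct candidate, which is why a relay-only listener list does not by itself stop LAN peers from connecting directly once a tcp:// listener exists.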

Okay, can I uncheck Enable NAT traversal, or will that break my relaying?

Enable NAT traversal, Local Discovery, and Enable Relaying

I have global discovery unchecked. What are the implications of each of these?

  • Enable NAT traversal - Controls NAT (Network Address Translation) related settings. This mainly controls automatic port forwarding on your router (if supported). This helps with establishing WAN connections to other devices that are also behind NAT. (The goal is to avoid having to fall back to relays, instead establishing a direct peer-to-peer connection. Without port forwarding, establishing P2P connections through NATs becomes harder, thus a fallback to relays may be more frequent.)
  • Enable Relaying - controls whether relays can be used (if not, relay addresses are ignored)
  • Global Discovery - Global Discovery announces the device to a specific discovery server (the syncthing project hosts these by default; you can self-host them). Other devices query the discovery server to obtain address information (IP addresses, ports, available relays) for a device they want to connect to.
  • Local Discovery - similar to global discovery, but works without a central announcement server. Instead, discovery packets are broadcasted through the local network in order to “discover” other devices in the same network.

I should also highlight that in a typical network setup, there should be no need for a relay, if all devices are always in the same LAN. Within the same LAN, there’s no NAT present, thus all NAT related problems do not apply. Unless the firewalls are overly strict, a direct P2P connection should always succeed - thus making the relay superfluous.

Relays are only used when a direct P2P connection through the internet is not possible due to strict NAT and/or firewalls. However, with global discovery disabled, a device will not be able to automatically determine the relay address of another device that is not reachable through local discovery. Thus no relay connection will be established in this case (unless the relay address is “hardcoded” in the remote device address configuration).


Thank you for the explanation. This is helpful. My issue right now is getting my iPhone to connect to my home server via its 5G connection. I’m using mobius sync. I’ll note that prior to adding your recommended tcp://:22000, all of my servers (less my phone) were connecting successfully through the relay server. So, the relay server is operating correctly. I can also see in the mobius app it’s listening to the relay over IPv4 and the IPv6 address on the relay errors out saying “…response code 2: already connected”. I can confirm that syncing is also working over IPv6 as well because some of my devices have established IPv6 connections to my relay and successfully synced.

So, how can I get my phone off 5G to connect back to my server at home? Do I need to enable global discovery just on my phone? This is a private relay so I was thinking that would not do the trick.

Do I have to open an inbound connection to my WAN and open a port from the VPS to my server at home? Doesn’t that defeat the purpose of the relay?

What you're describing is expected, given the configuration. While both devices are probably connected to the same relay, they can't talk to each other through it. By design, a relay does not disclose the list of devices connected to it. So the devices aren't aware of each other's addresses, and therefore won't connect.

You need to either enable global discovery (but not just on one device - for global discovery to work, both devices need to use it) or manually tell syncthing where a given device can be reached.

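The failure mode just described (global discovery off, two devices on the same private relay, no static address for each other) can be checked for in config.xml. The following is an added example written for this page, not Syncthing's own code: it parses a constructed config excerpt, flags remote devices that carry no `relay://` address while `globalAnnounceEnabled` is false, and writes the relay listen address into their address lists the way the fix in this thread does. The device IDs, host name and token are placeholders; the element names follow the layout of Syncthing's config.xml.

```python
import xml.etree.ElementTree as ET

# Constructed config.xml excerpt for illustration. Device IDs, host names and
# the token are placeholders, not real values.
SAMPLE_CONFIG = """<configuration version="37">
  <device id="PHONE00-0000000-0000000-0000000-0000000-0000000-0000000-0000000" name="phone">
    <address>dynamic</address>
  </device>
  <device id="SERVER0-0000000-0000000-0000000-0000000-0000000-0000000-0000000" name="homeserver">
    <address>tcp://192.168.1.20:22000</address>
    <address>dynamic</address>
  </device>
  <options>
    <listenAddress>tcp://:22000</listenAddress>
    <listenAddress>relay://relay.example.org:443/?id=RELAY00-0000000-0000000-0000000-0000000-0000000-0000000-0000000&amp;token=s3cret</listenAddress>
    <globalAnnounceEnabled>false</globalAnnounceEnabled>
    <localAnnounceEnabled>true</localAnnounceEnabled>
    <relaysEnabled>true</relaysEnabled>
    <natEnabled>true</natEnabled>
  </options>
</configuration>
"""


def _option_true(root, tag):
    el = root.find(f"./options/{tag}")
    return el is not None and (el.text or "").strip().lower() == "true"


def _addresses(dev):
    return [(a.text or "").strip() for a in dev.findall("address")]


def relay_listen_addresses(config_xml):
    """The relay:// entries this instance listens on (XML '&amp;' is decoded to '&')."""
    root = ET.fromstring(config_xml)
    return [(l.text or "").strip() for l in root.findall("./options/listenAddress")
            if (l.text or "").strip().startswith("relay://")]


def devices_unreachable_via_relay(config_xml):
    """Remote devices this instance can never reach through the relay.

    With global discovery off, the only way to learn a peer's relay address
    is to have it in that peer's address list. A device with no relay://
    entry is found by local discovery on the LAN and nowhere else."""
    root = ET.fromstring(config_xml)
    if _option_true(root, "globalAnnounceEnabled"):
        return []  # discovery will hand out relay addresses; nothing to flag
    return [dev.get("name") for dev in root.findall("./device")
            if not any(a.startswith("relay://") for a in _addresses(dev))]


def add_device_address(config_xml, device_name, address):
    """Return the config with `address` prepended to the named device's list.

    ElementTree re-escapes '&' as '&amp;' on output, which a hand-edited
    config.xml needs as well."""
    root = ET.fromstring(config_xml)
    for dev in root.findall("./device"):
        if dev.get("name") == device_name and address not in _addresses(dev):
            el = ET.Element("address")
            el.text = address
            dev.insert(0, el)  # explicit addresses ahead of "dynamic"
    return ET.tostring(root, encoding="unicode")


if __name__ == "__main__":
    print("unreachable via relay:", devices_unreachable_via_relay(SAMPLE_CONFIG))
    fixed = SAMPLE_CONFIG
    for name in devices_unreachable_via_relay(SAMPLE_CONFIG):
        fixed = add_device_address(fixed, name, relay_listen_addresses(SAMPLE_CONFIG)[0])
    print("after fix:", devices_unreachable_via_relay(fixed))
```

Two practical caveats: the address is a relay URL including `?id=` and `&token=`, not a bare IP, and in a hand-edited config.xml the `&` must be written as `&amp;` or the file fails to parse. Keep "dynamic" in the list so LAN peers are still found by local discovery and connected to directly.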

Okay, I added the relay IP under each remote device individually and they’re now able to connect over 5G. Thanks.
