Problems with Global Discovery when using a VPN —SOLVED—

Hi, when I run Syncthing with my VPN turned off, Global Discovery works fine, however when I turn on my VPN, Global Discovery no longer works! I do not wish to turn off my VPN just to use Syncthing, and I would like Global + Local Discovery to work.

Any suggestions on how I might resolve this problem? Should I maybe use a dynamic DNS server, or use a private global discovery?

I have tried forwarding the port 22026 on the VPN website / client area, but that does not solve the problem either…

—Thanks!

Your private network might just be blocking UDP packets, given it’s behind a corporate firewall.

Global discovery works by figuring out and telling other devices what IP to connect to. You should probably be happy this does not work with your VPN, as that would make the VPN non-private. :wink:

I guess it also depends on the definition of what “it does not work” is.

OK, thanks guys for all the info! But I am still confused as to what to do next. How will I connect to the other computer when my VPN is turned on?

EDIT: my VPN service provider does also offer Dynamic DNS with port forwarding; can I do anything with this? i.e. instead of udp4://announce.syncthing.net:22026, udp6://announce-v6.syncthing.net:22026 I would use something like: syncthing.dynamicdns.org,

or would something more like: udp4://announce.syncthing.net:syncthing.dynamicdns.org be necessary?

would something like that help?

Contacting discovery server does not require port forwarding or dynamic DNS. Connecting to a syncthing instance might require that.

I am still not clear what “it does not work” means.

Thank-you for your reply; in answer to your question:

Hi, when I run Syncthing with my VPN turned off, Global Discovery works fine, however when I turn on my VPN, Global Discovery no longer works!

…to elaborate, both computers find each other using Global Discovery when my VPN is turned OFF, When my VPN is turned ON however, the same computers no longer discover each other using Global Discovery and Syncthing reports Disconnected

Sorry if my poor wording (“does not work”) caused any confusion… I hope the situation is now clear?

Contacting discovery server does not require port forwarding or dynamic DNS.

This was simply an idea I tried, in a vain attempt to use Global Discovery whilst my VPN was active… I was hoping you guys would have better ideas than mine, to get two computers to find each other using Syncthing Global Discovery whilst a VPN is turned on…

I think global discovery does work (it still says 1/2 or OK in the web UI), it’s just that syncthing is failing to connect as it doesn’t have any ports open to the internet. If you are within a VPN, you need to make sure you are forwarding TCP port 22000 of the VPN gateway to TCP port 22000 on your machine, which should make it work.

Yes, Syncthing does indeed show 1/2 (again my bad, poor choice of wording!) So, Global Discovery is working, but not connecting when I run my VPN… OK,

when I saw: udp4://announce.syncthing.net:22026, udp6://announce-v6.syncthing.net:22026 in the syncthing Global Discovery Field I logged into my VPN client area and proceeded to use their service to forward the Port 22026 Protocol: TCP & UDP Local port: 22026 …but that did not solve the problem either, so I decided I would ask here on the forum to see if anybody had a better idea!

you suggest:

If you are within a VPN, you need to make sure you are forwarding TCP port 22000 of the VPN gateway to TCP port 22000 on your machine, which should make it work.

I am unsure as to how to implement this suggestion! I thought I was doing that when I did the above using the client area of my VPN service provider?

Are you suggesting that I need to also do some port forwarding on my router?

22026 is the discovery port, not the protocol port, and has very little to do with two Syncthings failing to connect to each other. The port you need is the protocol port (first field in the settings box) which by default is 22000.

!!! 22000 is not 22026 !!!

OK, I will go back to the client area then and change the port from 22026 to 22000. I just assumed since it was listed in the Global Discovery field, that was the port I should be forwarding! Thanks for clearing that up!

Thank-you for your suggestion; but unfortunately it did not work… I went to the client area and added Protocol: TCP & UDP Local port: 22000 to the port forwarding…

restarted both machines… tested Global Connection with the VPN turned off… both machines found each other, no problem; Then I turned on the VPN which resulted in immediate disconnection… I restarted both instances of Syncthing on both computers…

still Disconnected; upon turning off the VPN, both machines connect again…

have you got any other ideas maybe?

The port you need is the protocol port (first field in the settings box) which by default is 22000.

did you mean this? Sync Protocol Listen Addresses 0.0.0.0:44499

Well if you are using 44499, then you need to forward 44499 obviously, just like I suggested above.

Also, make sure that it’s the same port on both sides, if you forward 12345 to 44499 it will not work. It has to be the same port on both sides of the forwarding.

Nope, that port does not work either… I also changed both machines back to 22000 using the Sync Protocol Listen Address field in Syncthing and used my vpn client area to forward the port: Protocol: TCP & UDP Local port: 22000

the PCs just will not connect with global connect when my VPN is turned on!

a pity!

thanks again for all your help!

should you have any more suggestions, I will gladly try them out!

EDIT: Have any other users or developers here managed to connect 2 computers using global connect when you have a VPN turned on? I would be very interested to hear from you and what you did to get a successful connection! Thanks in advance for any further ideas!

…in the meantime, I guess I will just have to use the main Bittorrent Sync application which does not have these problems, but I would of course much prefer to use the open-source Syncthing! I will check back for more solutions here from time to time! hopefully we can get this working!

I think you should verify that your VPN is forwarding ports correctly, or that you’ve set it up correctly.

I ran the TCP test my VPN service provider have, it said that the port is reachable Protocol: TCP & UDP Local port: 22000 DDNS: syncthing

I also forwarded the Global Discovery Port, just to test! Protocol: TCP & UDP Local port: 22026 DDNS: global-discovery

and the global-discovery Port fails the test… but I am not sure if this helps, because you told me, that port has little to do with the connection process…

another thing, I just took a look at my router, I allowed UPnP for syncthing, Syncthing set up: External Port 20888 protocol TCP internal Port 22000

but that UPnP setting seems to work fine when the VPN is off…

I also asked at my VPN service provider's forum if they had any ideas as to why I can’t connect when using the VPN, but no answer as of yet! Should they provide any useful answers, I will forward them here!

UPnP is unlikely to work with your VPN. I think you just don’t have the VPN configured correctly. After you set up the port forwarding, you should try to connect to port 22000 on the VPN gateway with openssl or something to make sure it still works.

Well I just took a look on Windows 8 and it’s quite a similar result. Here are my findings, connecting through a FritzBox-Router using some IPSEC magic VPN that routes all traffic through the VPN tunnel.

Networks involved:

Work: 87.173.x.x WAN / 192.168.0.0/24 LAN (currently at)
Home: 79.255.x.x WAN / 192.168.79.0/24 LAN (VPN target)

Devices involved:

SJ3BZVN nas@home
DE5FWBU laptop@work

Starting Syncthing normally gives me

[DE5FW] 14:35:26 INFO: Starting web GUI on http://127.0.0.1:8384/
[DE5FW] 14:35:26 INFO: Starting UPnP discovery...
[DE5FW] 14:35:32 INFO: UPnP discovery complete (found 2 devices).
[DE5FW] 14:35:32 INFO: Created UPnP port mapping for external port 9848 on UPnP device 'FRITZ!Box Fon WLAN 7390' (192.168.0.1).
[DE5FW] 14:35:32 INFO: Starting local discovery announcements
[DE5FW] 14:35:32 INFO: Local discovery over IPv6 unavailable
[DE5FW] 14:35:32 INFO: Starting global discovery announcements
[DE5FW] 14:35:42 INFO: Established secure connection to SJ3BZVN at 192.168.0.190:22000-79.255.x.x:51491

Everything fine so far. Now I activate my VPN. Nothing happens in the logfiles. I decided to drop a new file into one of the shares to trigger a process. Now the following happens:

[DE5FW] 14:38:37 INFO: Connection to SJ3BZVN closed: WSARecv tcp 192.168.0.190:22000: Ein Verbindungsversuch ist fehlgeschlagen, da die Gegenstelle nach einer bestimmten Zeitspanne nicht richtig reagiert hat, oder die hergestellte Verbindung war fehlerhaft, da der verbundene Host nicht reagiert hat.

Connected devices appear now offline.

Error message, approx. translation: “A connection attempt failed due to no correct response of the endpoint.” The problem seems to be that Syncthing is not aware of a local IP change and does not try to rediscover the network settings. It assumes that the client still has the same active connection.

Restarting the Syncthing instance now, while VPN is active, leads to nothing better:

[DE5FW] 14:41:04 INFO: Starting web GUI on http://127.0.0.1:8384/
[DE5FW] 14:41:05 INFO: Starting UPnP discovery...
[DE5FW] 14:41:29 INFO: Get http://192.168.0.1:49000/igddesc.xml: dial tcp 192.168.0.1:49000: ConnectEx tcp: Ein Verbindungsversuch ist fehlgeschlagen, da die Gegenstelle nach einer bestimmten Zeitspanne nicht richtig reagiert hat, oder die hergestellte Verbindung war fehlerhaft, da der verbundene Host nicht reagiert hat.
[DE5FW] 14:41:29 INFO: Get http://192.168.0.1:49000/igddesc.xml: dial tcp 192.168.0.1:49000: ConnectEx tcp: Ein Verbindungsversuch ist fehlgeschlagen, da die Gegenstelle nach einer bestimmten Zeitspanne nicht richtig reagiert hat, oder die hergestellte Verbindung war fehlerhaft, da der verbundene Host nicht reagiert hat.
[DE5FW] 14:41:29 INFO: UPnP discovery complete (found 0 devices).
[DE5FW] 14:41:29 INFO: Starting local discovery announcements
[DE5FW] 14:41:29 INFO: Local discovery over IPv6 unavailable
[DE5FW] 14:41:29 INFO: Starting global discovery announcements

Still assumes I’m in the work LAN, tries to UPnP the wrong router (it should be 192.168.79.1) and fails with the same error message. Does not discover the NAS instance on the new LAN through local discovery.

Looking at discovery through the REST API endpoint /rest/system shows that discovery seems to be working:

"extAnnounceOK":{  
  "udp4://announce.syncthing.net:22026":true,
  "udp6://announce-v6.syncthing.net:22026":true
}

Connections to other devices, though, do not work, looking at the /rest/connections endpoint:

{  
   "total":{  
      "At":"2015-03-18T14:46:36.0707896+01:00",
      "InBytesTotal":0,
      "OutBytesTotal":0,
      "Address":"",
      "ClientVersion":""
   }
}

Tricky thing is, I’m not a network guru and by all means, I have no fricking idea how this tunnel works. Nothing from ipconfig nor netsh shows any difference in configuration or routing when the VPN is active, yet it moves me out of my 192.168.0 net.

Skype, Chrome and btsync show activity as soon as I switch to VPN (looking with tcpview from Sysinternals), so there must be a way to detect it, or they just register that the connection went down and retry it? Syncthing, on the other hand, does not show any activity as soon as I switch to VPN, except it loses the one connection it had.

No idea if this helps in any way though.
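An added example (not part of the original posts and not Syncthing's own code): the two REST responses quoted above can be combined to tell "discovery failed" apart from "announced, but no peer has a connection", which is the distinction this thread keeps running into. It assumes that connected devices appear in the /rest/connections body as extra keys beside "total"; the function name `triage`, the verdict strings and the sample JSON are constructed for illustration.

```python
import json


def triage(system_json, connections_json):
    """Classify Syncthing state from /rest/system and /rest/connections bodies."""
    system = json.loads(system_json)
    connections = json.loads(connections_json)

    # extAnnounceOK maps each global discovery server URL to True/False.
    announce = system.get("extAnnounceOK") or {}
    announced = sorted(url for url, ok in announce.items() if ok)
    failed = sorted(url for url, ok in announce.items() if not ok)

    # Assumption: every key other than "total" is a connected device ID.
    peers = sorted(key for key in connections if key != "total")

    if peers:
        verdict = "connected"
    elif announced:
        # The announce servers were reached, yet no peer holds a session:
        # check the sync protocol listen port (22000 by default), not 22026.
        verdict = "announced-but-unreachable"
    else:
        verdict = "discovery-failed"
    return {"verdict": verdict, "announced": announced,
            "failed": failed, "peers": peers}


# Constructed samples. The first pair mirrors the values quoted in the post above.
SYSTEM_VPN_ON = json.dumps({"extAnnounceOK": {
    "udp4://announce.syncthing.net:22026": True,
    "udp6://announce-v6.syncthing.net:22026": True}})
CONNS_VPN_ON = json.dumps({"total": {
    "InBytesTotal": 0, "OutBytesTotal": 0, "Address": "", "ClientVersion": ""}})
# Constructed "VPN off" case with one connected peer (placeholder device ID).
CONNS_VPN_OFF = json.dumps({
    "total": {"InBytesTotal": 4096, "OutBytesTotal": 2048},
    "DEVICE-ID-PLACEHOLDER": {"Address": "203.0.113.10:22000"}})

if __name__ == "__main__":
    print(triage(SYSTEM_VPN_ON, CONNS_VPN_ON))
    print(triage(SYSTEM_VPN_ON, CONNS_VPN_OFF))
```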

UPnP is for the router NOT the VPN!

The VPN is configured correctly and working; it's not something I configured, they have their own software that takes care of all that…

The VPN service provider have their own test for the Port forwarding… the VPN service said the Port was reachable…

Thanks kreischweide Adrian Rudnik! Great to hear from other users facing the same problem!