Problems with Global Discovery when using a VPN —SOLVED—

Thank you for your reply; in answer to your question:

Hi, when I run Syncthing with my VPN turned off, Global Discovery works fine, however when I turn on my VPN, Global Discovery no longer works!

…to elaborate, both computers find each other using Global Discovery when my VPN is turned OFF. When my VPN is turned ON, however, the same computers no longer discover each other using Global Discovery and Syncthing reports Disconnected.

Sorry if my poor wording (“does not work”) caused any confusion… I hope the situation is now clear?

Contacting discovery server does not require port forwarding or dynamic DNS.

This was simply an idea I tried, in a vain attempt to use Global Discovery whilst my VPN was active… I was hoping you guys would have better ideas than mine, to get two computers to find each other using Syncthing Global Discovery whilst a VPN is turned on…

I think global discovery does work (it still says 1/2 or OK in the web UI), it’s just that syncthing is failing to connect as it doesn’t have any ports open to the internet. If you are within a VPN, you need to make sure you are forwarding TCP port 22000 of the VPN gateway to TCP port 22000 on your machine, which should make it work.

Yes, Syncthing does indeed show 1/2 (again my bad, poor choice of wording!) So, Global Discovery is working, but not connecting when I run my VPN… OK,

When I saw udp4://announce.syncthing.net:22026, udp6://announce-v6.syncthing.net:22026 in the Syncthing Global Discovery field, I logged into my VPN client area and proceeded to use their service to forward the port: Port 22026, Protocol: TCP & UDP, Local port: 22026 …but that did not solve the problem either, so I decided I would ask here on the forum to see if anybody had a better idea!

You suggest:

If you are within a VPN, you need to make sure you are forwarding TCP port 22000 of the VPN gateway to TCP port 22000 on your machine, which should make it work.

I am unsure how to implement this suggestion! I thought I was doing that when I did the above using the client area of my VPN service provider?

Are you suggesting that I also need to do some port forwarding on my router?

22026 is the discovery port, not the protocol port, and has very little to do with two syncthings failing to connect to each other. The port you need is the protocol port (first field in the settings box), which by default is 22000.

!!! 22000 is not 22026 !!!

OK, I will go back to the client area then and change the port from 22026 to 22000. I just assumed that since it was listed in the Global Discovery field, that was the port I should be forwarding! Thanks for clearing that up!

Thank you for your suggestion, but unfortunately it did not work… I went to the client area and added Protocol: TCP & UDP, Local port: 22000 to the port forwarding…

Restarted both machines… tested Global Connection with the VPN turned off… both machines found each other, no problem. Then I turned on the VPN, which resulted in immediate disconnection… I restarted both instances of Syncthing on both computers…

Still Disconnected. Upon turning off the VPN, both machines connect again…

Have you got any other ideas, maybe?

The port you need is the protocol port (first field in the settings box) which by default is 22000.

Did you mean this? Sync Protocol Listen Addresses 0.0.0.0:44499

Well if you are using 44499, then you need to forward 44499 obviously, just like I suggested above.

Also, make sure that it’s the same port on both sides, if you forward 12345 to 44499 it will not work. It has to be the same port on both sides of the forwarding.

Nope, that port does not work either… I also changed both machines back to 22000 using the Sync Protocol Listen Address field in Syncthing and used my VPN client area to forward the port: Protocol: TCP & UDP, Local port: 22000

The PCs just will not connect with global connect when my VPN is turned on!

A pity!

Thanks again for all your help!

Should you have any more suggestions, I will gladly try them out!

EDIT: Have any other users or developers here managed to connect 2 computers using global connect when you have a VPN turned on? I would be very interested to hear from you and what you did to get a successful connection! Thanks in advance for any further ideas!

…in the meantime, I guess I will just have to use the main BitTorrent Sync application, which does not have these problems, but I would of course much prefer to use the open-source Syncthing! I will check back here for more solutions from time to time! Hopefully we can get this working!

I think you should verify that your VPN is forwarding ports correctly, or that you’ve set it up correctly.

I ran the TCP test my VPN service provider has; it said that the port is reachable: Protocol: TCP & UDP, Local port: 22000, DDNS: syncthing

I also forwarded the Global Discovery port, just to test! Protocol: TCP & UDP, Local port: 22026, DDNS: global-discovery

and the global-discovery port fails the test… but I am not sure if this helps, because you told me that port has little to do with the connection process…

Another thing: I just took a look at my router. I allowed UPnP for Syncthing; Syncthing set up: External Port 20888, protocol TCP, internal Port 22000

But that UPnP setting seems to work fine when the VPN is off…

I also asked at my VPN service provider's forum if they had any ideas as to why I can't connect when using the VPN, but no answer as of yet! Should they provide any useful answers, I will forward them here!

UPnP is unlikely to work with your VPN. I think you just don't have the VPN configured correctly. After you set up the port forwarding, you should try to connect to port 22000 on the VPN gateway with openssl or something to make sure it still works.

Well, I just took a look on Windows 8 and it's quite a similar result. Here are my findings, connecting through a FritzBox router using some IPsec magic VPN that routes all traffic through the VPN tunnel.

Networks involved:

Work: 87.173.x.x WAN / 192.168.0.0/24 LAN (currently at)
Home: 79.255.x.x WAN / 192.168.79.0/24 LAN (VPN target)

Devices involved:

SJ3BZVN nas@home
DE5FWBU laptop@work

Starting Syncthing normally gives me:

[DE5FW] 14:35:26 INFO: Starting web GUI on http://127.0.0.1:8384/
[DE5FW] 14:35:26 INFO: Starting UPnP discovery...
[DE5FW] 14:35:32 INFO: UPnP discovery complete (found 2 devices).
[DE5FW] 14:35:32 INFO: Created UPnP port mapping for external port 9848 on UPnP device 'FRITZ!Box Fon WLAN 7390' (192.168.0.1).
[DE5FW] 14:35:32 INFO: Starting local discovery announcements
[DE5FW] 14:35:32 INFO: Local discovery over IPv6 unavailable
[DE5FW] 14:35:32 INFO: Starting global discovery announcements
[DE5FW] 14:35:42 INFO: Established secure connection to SJ3BZVN at 192.168.0.190:22000-79.255.x.x:51491

Everything fine so far. Now I activate my VPN. Nothing happens in the log files. I decided to drop a new file into one of the shares to trigger a process. Now the following happens:

[DE5FW] 14:38:37 INFO: Connection to SJ3BZVN closed: WSARecv tcp 192.168.0.190:22000: Ein Verbindungsversuch ist fehlgeschlagen, da die Gegenstelle nach einer bestimmten Zeitspanne nicht richtig reagiert hat, oder die hergestellte Verbindung war fehlerhaft, da der verbundene Host nicht reagiert hat.

Connected devices now appear offline.

Error message, approx. translation: "A connection attempt failed due to no correct response of the endpoint." The problem seems to be that Syncthing is not aware of a local IP change and does not try to rediscover the network settings. It assumes that the client still has the same active connection.

Restarting the Syncthing instance now, while VPN is active, leads to nothing better:

[DE5FW] 14:41:04 INFO: Starting web GUI on http://127.0.0.1:8384/
[DE5FW] 14:41:05 INFO: Starting UPnP discovery...
[DE5FW] 14:41:29 INFO: Get http://192.168.0.1:49000/igddesc.xml: dial tcp 192.168.0.1:49000: ConnectEx tcp: Ein Verbindungsversuch ist fehlgeschlagen, da die Gegenstelle nach einer bestimmten Zeitspanne nicht richtig reagiert hat, oder die hergestellte Verbindung war fehlerhaft, da der verbundene Host nicht reagiert hat.
[DE5FW] 14:41:29 INFO: Get http://192.168.0.1:49000/igddesc.xml: dial tcp 192.168.0.1:49000: ConnectEx tcp: Ein Verbindungsversuch ist fehlgeschlagen, da die Gegenstelle nach einer bestimmten Zeitspanne nicht richtig reagiert hat, oder die hergestellte Verbindung war fehlerhaft, da der verbundene Host nicht reagiert hat.
[DE5FW] 14:41:29 INFO: UPnP discovery complete (found 0 devices).
[DE5FW] 14:41:29 INFO: Starting local discovery announcements
[DE5FW] 14:41:29 INFO: Local discovery over IPv6 unavailable
[DE5FW] 14:41:29 INFO: Starting global discovery announcements

Still assumes I'm in the work LAN, tries to UPnP the wrong router (it should be 192.168.79.1) and fails with the same error message. It does not discover the NAS instance on the new LAN through local discovery.

Looking at discovery through the REST API endpoint /rest/system shows that discovery seems to be working:

"extAnnounceOK":{  
  "udp4://announce.syncthing.net:22026":true,
  "udp6://announce-v6.syncthing.net:22026":true
}

Connections to other devices, though, do not work, looking at the /rest/connections endpoint:

{  
   "total":{  
      "At":"2015-03-18T14:46:36.0707896+01:00",
      "InBytesTotal":0,
      "OutBytesTotal":0,
      "Address":"",
      "ClientVersion":""
   }
}

The tricky thing is, I'm not a network guru and, by all means, I have no fricking idea how this tunnel works. Nothing from ipconfig or netsh shows any difference in configuration or routing when the VPN is active, yet it moves me out of my 192.168.0 net.

Skype, Chrome and btsync show activity as soon as I switch to the VPN (looking with TCPView from Sysinternals), so there must be a way to detect it, or they just register that the connection went down and retry it? Syncthing, on the other hand, does not show any activity as soon as I switch to the VPN, except that it loses the one connection it had.

No idea if this helps in any way though.

UPnP is for the router NOT the VPN!

The VPN is configured correctly and working; it's not something I configured, they have their own software that takes care of all that…

The VPN service provider has their own test for the port forwarding… the VPN service said the port was reachable…

Thanks kreischweide Adrian Rudnik! Great to hear from other users facing the same problem!

It's exactly the same issue as I described; most likely you don't have port forwarding set up to punch out of the VPN, hence why the connection fails. One of your devices on the VPN responds as a router (hence it tries UPnP).

The fact that your VPN service said something doesn’t mean it’s true. I use syncthing within a VPN and it works fine, you just need to know what you are doing.

After connecting to the VPN and setting up port forwarding for the protocol port, get your public address (whatsmyip.com or something) and, from another machine that is not on the VPN, try connecting to the protocol port of the machine in the VPN. If that succeeds, Syncthing would succeed too; if that doesn't succeed, your port forwarding is set up incorrectly.
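The reachability test described in the reply above, and the REST output quoted earlier in the thread, can be turned into a small self-check. The script below is an added example, not Syncthing's own code or anything posted in this thread: it models the discovery and connection documents on the values quoted above (constructed samples), checks that the forwarded external port equals the listen port (the point made earlier about 12345 vs 44499), probes the protocol port over plain TCP from the outside with a few retries, and prints which of the thread's failure modes applies. The public address, ports and the local listener used to exercise it offline are assumptions for the example.

```python
import socket
import time

# Constructed samples modelled on the /rest/system "extAnnounceOK" map and the
# /rest/connections document quoted in this thread (not live data).
SAMPLE_SYSTEM = {
    "extAnnounceOK": {
        "udp4://announce.syncthing.net:22026": True,
        "udp6://announce-v6.syncthing.net:22026": True,
    }
}
SAMPLE_CONNECTIONS = {
    "total": {
        "At": "2015-03-18T14:46:36.0707896+01:00",
        "InBytesTotal": 0,
        "OutBytesTotal": 0,
        "Address": "",
        "ClientVersion": "",
    }
}

DISCOVERY_FAILING = "global discovery is failing"
CONNECTED = "connected"
PORT_MISMATCH = "forwarded port differs from listen port"
NOT_REACHABLE = "protocol port not reachable from outside: fix the VPN/router forwarding"
WAIT_RECONNECT = "reachable but not yet connected: wait for the next reconnect attempt"


def discovery_healthy(system_status: dict) -> bool:
    """True when every global discovery server accepted our announcement."""
    servers = system_status.get("extAnnounceOK", {})
    return bool(servers) and all(servers.values())


def connected_devices(connections: dict) -> list:
    """Device IDs with an open connection; 'total' is only the aggregate entry."""
    return [dev for dev, info in connections.items()
            if dev != "total" and info.get("Address")]


def mapping_is_consistent(external_port: int, listen_port: int) -> bool:
    """Syncthing announces the port it listens on, so the port opened on the
    public address must be that same number; mapping 12345 -> 44499 fails."""
    return external_port == listen_port


def tcp_reachable(host: str, port: int, timeout: float = 3.0) -> bool:
    """Plain TCP connect from the outside, the check suggested in the thread."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


def probe_with_retries(host, port, attempts=3, delay=1.0, timeout=3.0):
    """Retry the probe a few times; returns (reachable, attempts_used)."""
    for i in range(1, attempts + 1):
        if tcp_reachable(host, port, timeout):
            return True, i
        if i < attempts:
            time.sleep(delay)
    return False, attempts


def diagnose(system_status, connections, external_port, listen_port, reachable):
    """Map the observed state onto the failure modes discussed in the thread."""
    if not discovery_healthy(system_status):
        return DISCOVERY_FAILING
    if connected_devices(connections):
        return CONNECTED
    if not mapping_is_consistent(external_port, listen_port):
        return PORT_MISMATCH
    if not reachable:
        return NOT_REACHABLE
    return WAIT_RECONNECT


def start_local_listener():
    """Constructed stand-in for a forwarded protocol port, so the probe can be
    exercised offline; returns (server_socket, port)."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(16)
    return srv, srv.getsockname()[1]


if __name__ == "__main__":
    # Assumed values: replace with your public address and the listen port.
    srv, port = start_local_listener()
    ok, tries = probe_with_retries("127.0.0.1", port, attempts=2, delay=0.1)
    print(f"reachable={ok} after {tries} attempt(s):",
          diagnose(SAMPLE_SYSTEM, SAMPLE_CONNECTIONS, port, port, ok))
    srv.close()
```

Run it from a machine that is not on the VPN, with the public address and the protocol port substituted for the local listener. A "not reachable" result points at the forwarding, not at Syncthing; "reachable but not yet connected" matches the case reported at the end of the thread, where the peers only connected after a delay.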

OK, so you are suggesting that the VPN port forwarding is not functioning correctly…

There is not a lot I can do to change how my VPN service provider forwards ports. I presume the company knows what they are doing! They are professionals, after all. The port is forwarded using their service.

I have asked at their forum as well, explaining that Syncthing needed the port forwarded, and that I forwarded the required port on their website, tested this port using their software, received a confirmation that the port is reachable, but I still have problems with this port; they have not responded yet…

@kreischweide Adrian Rudnik, have you tried the port forwarding solution as well, the one that your VPN provides? It would be great if at least one of us got this working!

Indeed, I see. Yes, it tries and fails, as it's over IPsec, which does not support broadcasts/multicasts (which includes UPnP) I guess, so the multicast/broadcast/UPnP gets dropped. This would require at least a manual port forwarding. This would also explain why Syncthing does not find the other instance in the same subnet. Maybe even try a GRE-compatible VPN like PPTP.

No longer at work, can try tomorrow :smile:

–I left the Global Discovery Servers at default
–I gave each machine a unique port number under the Sync Protocol Listen Address
–I forwarded both of those ports using the VPN Client Area… I ran the VPN TCP test, and it said the ports are reachable…
–I added the ports to my iptables list (on the Linux machine) (I turned the firewall off on the Windows machine & on the router, so nothing would interfere with my testing…)
–I manually forwarded the ports on my router… & restarted,

I turned on the VPN; at first I thought it was not working… but I was not waiting long enough for it! (…because when the VPN was turned off, both machines would connect pretty much straight away!) DOH! Both machines seem to connect now, but only after a small delay of under 5 minutes!

–Thanks for all the Help and Advice