SSH Relay server


I run syncthing on about 10 devices across a few countries and networks. Love it. Love it a lot.

One thing I have been thinking is whether you could use your relay servers to connect SSH sessions without opening ports.

eg. NAS1 wants to connect to NAS2 - NAS1 announces wants to connect to NAS2. NAS2 checks if anyone wants to connect every couple of minutes, and when it sees someone wants to connect, the relay joins the two and they connect. Then run a script on NAS1 or whatever.

Obviously this is a high level idea, and I am sure there are great technical ways to achieve this securely etc.

I think this would be a killer feature.



I’m sure this could be useful, but it requires writing an SSH client and server to support it. Syncthing is not that.

It would also require some sort of consent from the relay operators, I think.

I think what @scottf007 is aiming for he only opens up port 22 where e.g OpenSSH is running on. Then create a SSH tunnel from syncthing and connect to the NAS behind SSH. Building a syncthing relay over SSH is a bit weird in my opinion.

Yes, I totally wish I could have this firewall-punching SSH feature as well (which Syncthing already has, i.e. doing away with the need for port forwarding on the firewall, or UPnP on the Syncthing server behind the firewall, or DynDNS to ensure a hostname leading to the SSH server running on a Syncthing server behind a firewall).

I absolutely love how Syncthing has basically done away with the need for such port-forwarding, UPnP, or DynDNS (for Syncthing nodes to find each other).

I agree that it’s not Syncthing’s job to improve the SSH servers of the world, but none the less, my burning use case for Syncthing (that has my SSH server jealous of Syncthing) goes like this:

Say I have a Syncthing server behind a firewall, and it’s in a remote location I don’t go to physically, and I don’t have a capable person at that remote site to remotely administer Syncthing for me. This remote Syncthing server is running the common and obvious OpenSSH server as well (for linux), but port forwarding on the firewall, and DynDNS are not set up (and OpenSSH doesn’t do UPnP).

I remotely try to “Add Device” for that firewalled Syncthing Server, since I know the correct Device ID. But now someone needs to press the “Accept” button on the Web GUI on that remote Syncthing server behind the firewall! And I can’t reach that “Accept” button remotely, without creating a working SSH tunnel into that remote Syncthing server. Aargh.

So in summary, I wish OpenSSH would notice the awesome firewall-punching abilities which Syncthing has, and likewise do the same, thereby doing away with the need for port-forwarding, UPnP, and DynDNS for SSH, just as Syncthing has done away with it.

Maybe there should be a forked, or spin-off project of Syncthing, called something like “PortPunch”, whose job is not to sync files, but rather just provide the firewall-punching goodness that my above use case wishes it could have, for any arbitrary one-TCP-port-using server protocol like SSH. It would have the same concepts like “Add Device”, “Device ID”, etc. This would remove the need for port-forwading, UPnP, and DynDNS for protocols such as SSH.

There’s already a bunch of software out there that does this (and more), e.g P2P-VPN’s like ZeroTier or similar software with firewall/NAT traversal.


Thanks for that recommendation, @Nummer378. :grin:

I see there is a snap package for zerotier-one. I’ll see about giving it a go in the next few weeks…

Yay, Zerotier worked, and it was straightforward. My burning use case has been quenched! I can reach the Syncthing Web GUI behind a firewall, which has no port forwarding set up for SSH. The SSH tunnelling I successfully did (to punch through this scalliwag of a firewall) went through a Zerotier tunnel.

You dah man, @Nummer378!! :smile:


A possible Open Source alternative to Zerotier has appeared (to satisfy my Syncthing use case above), called “Nebula”, please see this blog post.

I also posted my feelings about using Zerotier, comparing it to what Nebula is offering here.

1 Like

I’ve read nebula’s code and it’s just a pile stuff that shells out to command line utilities to setup tunelling and requires admin priveledges to do it’s thing.

It’s not a sensible thing to integrate in to syncthing.

1 Like