Syncthing flagged by IT as Tor

I use Syncthing for all of my devices, including my work devices. Recently, my work IT complained that my device is connecting to tor nodes. I know this is a known issue where some syncthing nodes are tor nodes, and IT departments are afraid of tor. Clearly, the solution should be to disable relays on devices inside my work’s network. However, this post indicates that someone tried the same but still had an issue with traffic being flagged as tor:

I think the answer is to also disable global discovery, but I want to be sure. IT looked the other way this time, but if it happens again, I could be in trouble…

How do I ensure connections are ONLY direct connections to devices?

1 Like

Just relays, not global discovery: FAQ — Syncthing documentation


Thanks for the quick reply. I see that the FAQ entry you sent mostly agrees with your statement, though it says “most likely”. Also, the person in the thread I linked seemed pretty adamant that they never had relays enabled.

You say I only need to disable relays, but I think enabling global discovery would imply connecting to a global discovery server (i.e. not one of my devices). Even if those servers are not flagged as tor, I still want to eliminate syncthing traffic to anything other than my configured devices.

EDIT: when I say eliminate all the traffic, I mean usage reporting too. I would still keep my home instance as a full not-locked-down node. So I think I need to disable relays, global discovery, and usage reporting. I’ve read others mention STUN servers as well? Just want to make sure I understand

If you want to keep your Syncthing instance “quiet” to the outside world, read Limit Syncthing to only use local network: Review and suggestions appreciated - Support - Syncthing Community Forum

I think it covers most parts which may communicate to the outside world.

But your IT-department may want to re-think their monitoring approach if Syncthing gets flagged as TOR. Either their traffic analyser is wrong, or they use a terrible practise of relying on IP-reputation.


Thanks for the reply. I think tha thread is what I was looking for, though I left my config slightly more lax (left local announcements on and left dynamic in the address lists).

I can confirm that the are just using IP-reputation.


This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.