Syncthing sees VPN (ZeroTier-One) as LAN

I’ve checked a couple of threads and tried their recommendations (notably here and here) but could not get things working as I’d hoped for.

Situation: I have 3 machines. Machine X (R/W) at my dad’s place and machines A (R/W) and B (R/O) at my place. Up to a while ago I had machine X talk to machine A, and it used NAT traversal to exchange data with a 50 kB/s limit. Machine B gets turned on only once in a while; it then sees machine A on the LAN and quickly syncs up, as there is no speed limit on the LAN. (This serves as some kind of occasional backup.)

I’ve been using ZeroTier-One for a couple of months now, and it connects all 3 machines seamlessly, making it look as if they are on the same LAN. That is great for remote administration, but it means that Syncthing now thinks it should no longer apply the speed limits between the machines. I’ve tried to tell it which network it should consider as LAN and which not, but so far without result.

My idea was to configure [Sync Protocol Listen Addresses] to tcp://192.168.1.247:22000, quic://192.168.1.247:22000 so as to stop the program from even looking at the ZeroTier-One virtual adapters, which are in the 10.144.0.0/16 range. This did not stop Syncthing from connecting over the ZeroTier-One channel and transferring data at ‘full speed’.

Additionally, I’ve configured machine A to put the public IP of my dad’s ISP in the AllowedNetworks option (like this: 141.134.0.0/16) for device X. This seems to work until it suddenly doesn’t anymore, and it jumps to the ZeroTier-One adapter and goes full speed.

When browsing to https://Machine_A I get the following device info:

[screenshot of the device info shown in the Machine A web GUI]

Is there anything else I can try?

From a practical point of view I could configure machine X to limit its speed for both LAN and WAN; that should take care of it right now, but if I later wanted to add a machine Y to do the same thing at my dad’s place as I do here (A>B), then I’m stuck again.

Somehow I don’t think what I’m trying to do is overly exotic… or is it?

Thanks for the help, Roby

Sorry, but I’m struggling to understand what your question is.

I would block Syncthing connection and discovery ports for the ZeroTier network. Syncthing should handle this by resorting to regular LAN or WAN connections.
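One way to carry out the suggestion above, as an added example that is not from the thread or from the Syncthing project: generate an nftables ruleset that drops Syncthing's default ports on the ZeroTier interface only. The interface name (`ztabcdef01`) and table name are placeholders; the ports are Syncthing's defaults, 22000 (TCP sync and UDP QUIC) and 21027 (UDP local discovery). Global discovery and relaying go over the normal WAN path and are not touched, so Syncthing falls back to those or to the real LAN.

```shell
# Added example: emit nftables rules that keep Syncthing off a ZeroTier
# interface so it falls back to its regular LAN/WAN connections.
# Assumptions (not from the thread): interface name defaults to the
# hypothetical "ztabcdef01", table name to "syncthing_zt"; ports are
# Syncthing's defaults (22000 tcp/udp for sync and QUIC, 21027 udp for
# local discovery). Both directions are filtered so neither side can
# initiate a connection over ZeroTier.
zt_block_rules() {
    ifname="${1:-ztabcdef01}"
    table="${2:-syncthing_zt}"
    cat <<EOF
table inet ${table} {
    chain input {
        type filter hook input priority 0; policy accept;
        iifname "${ifname}" tcp dport 22000 drop
        iifname "${ifname}" udp dport { 22000, 21027 } drop
    }
    chain output {
        type filter hook output priority 0; policy accept;
        oifname "${ifname}" tcp dport 22000 drop
        oifname "${ifname}" udp dport { 22000, 21027 } drop
    }
}
EOF
}

# Usage (as root), picking the first interface whose name starts with "zt":
#   zt_block_rules "$(ip -o link | awk -F': ' '/^[0-9]+: zt/{print $2; exit}')" | nft -f -
# Afterwards: nft list table inet syncthing_zt
```

Because Syncthing only evaluates allowed networks when a connection is set up, restart Syncthing (or check `ss -tnp | grep 22000` for an existing session to the 10.144.0.0/16 address) after loading the rules; an already established ZeroTier connection will otherwise keep running until it drops on its own. The same rules are needed on every peer that has a ZeroTier adapter, since either end can initiate.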

The short version is: how do I tell Syncthing NOT to use the ZeroTier-One network adapters? AFAIK there is no way to bind the application to a given network adapter.

I’ve tried setting the [Sync Protocol Listen Addresses] configuration to the relevant IP address, but that did not stop Syncthing from connecting over the ZeroTier-One adapters.

I then assumed that changing the [Allowed Network] setting to something that can only be reached via the one network adapter would result in the wanted behavior. However, as can be seen in the screenshot, Syncthing connects to 10.144.145.63:2000 while simultaneously showing that only 141.134.0.0/16 is allowed.

IMHO it looks like the ‘LAN-discovery’ completely ignores both settings?!

Correct, other than the listen addresses which can be bound to a specific address, but …

Indeed; what we listen on doesn’t really affect how we do outgoing connections. It would be difficult to couple the two. Once an address isn’t directly on a local interface we have no way to know or influence how we reach that address.

This seems like a bug. It should not allow connections from (or to) not-allowed networks when that option is set. I don’t know why it doesn’t work (quic vs tcp perhaps?) but it should be filed and fixed.

Right. This makes a lot of sense now that you put it like that. I played around with the settings on this side only, and yeah, it clearly says ‘Listen Address’, so obviously it needs to be set at both ends in a p2p situation. I’ll give that a try.

As for the LAN connection ignoring the [Allowed Network] setting: I started creating a ticket, but when trying to write down the steps to reproduce it, Syncthing decided to play nice and effectively marked the connections in red, “Network disallowed (timestamp)”. There might be more to this; it might be a matter of the order in which things are set, or something!? I’ll try to come up with more information as I experiment a bit with it.

Perhaps it was already connected when you set the allowed networks? It’s only checked/enforced when a connection is established.

Well, I seem to be unable to reproduce it by stopping everything, changing the config and then waiting for it to make an ‘illegal’ connection. So indeed, it was probably already connected before I changed the setting. Thanks for the help!

