SYNCTHING-NETWORKING(7)            Syncthing           SYNCTHING-NETWORKING(7)



NNAAMMEE
       syncthing-networking - Firewall Setup

RROOUUTTEERR SSEETTUUPP
   PPoorrtt FFoorrwwaarrddss
       If you have a NAT router which supports UPnP, the easiest way to get a
       working port forward is to make sure the UPnP setting is enabled on
       both Syncthing and the router; Syncthing will try to handle the rest.
       If it succeeds you will see a message in the console saying:

          Created UPnP port mapping for external port XXXXX on UPnP device YYYYY.

       If this is not possible or desirable, you should set up port forwarding
       for ports 22000/TCP and 22000/UDP (or whichever port is set in the
       Sync Protocol Listen Address setting). The external forwarded ports
       and the internal destination ports have to be the same (e.g.
       22000/TCP).

       Communication in Syncthing works both ways. Therefore  if  you  set  up
       port  forwards for one device, other devices will be able to connect to
       it even when they are behind a NAT network or firewall.

       In the absence of port forwarding, relaying may work well enough to get
       devices  connected and synced, but will perform poorly in comparison to
       a direct connection.

   LLooccaall DDiissccoovveerryy
       The router needs to allow/forward broad-/multicasts for local discovery
       to  work.   Usually these are allowed by default in a single local sub‐
       net, but may be blocked between different subnets  or  even  between  a
       bridged Wi-Fi and LAN.

       If you are unable to set up your router this way or your firewall as
       shown below, and your devices have static IP addresses, you can specify
       them directly by changing the default dynamic setting for Addresses to
       something like: tcp://192.168.1.xxx:22000, dynamic.

LLOOCCAALL FFIIRREEWWAALLLL
       If your PC has a local firewall, you will need to  open  the  following
       ports for incoming and outgoing traffic:

       · Port 2222000000//TTCCPP: TCP based sync protocol traffic

       · Port 2222000000//UUDDPP: QUIC based sync protocol traffic

       · Port  2211002277//UUDDPP:  for  discovery broadcasts on IPv4 and multicasts on
         IPv6

       If you configured a custom port in the  _S_y_n_c  _P_r_o_t_o_c_o_l  _L_i_s_t_e_n  _A_d_d_r_e_s_s
       setting, you have to adapt the firewall rules accordingly.

   UUnnccoommpplliiccaatteedd FFiirreewwaallll ((uuffww))
       If  youâre  using uuffww on Linux and have installed the _S_y_n_c_t_h_i_n_g _p_a_c_k_a_g_e
       <hhttttppss::////aapptt..ssyynncctthhiinngg..nneett//>, you can allow the necessary ports by run‐
       ning:

          sudo ufw allow syncthing

       If  you  also  want  to allow external access to the Syncthing web GUI,
       run:

          sudo ufw allow syncthing-gui

       Allowing external access is nnoott  necessary for a typical installation.

       You can then verify that the ports mentioned above are allowed:

          sudo ufw status verbose

       In case you installed Syncthing manually, you can follow the
       instructions to manually add the syncthing preset
       <https://github.com/syncthing/syncthing/tree/main/etc/firewall-ufw> to
       ufw.

   FFiirreewwaalllldd
       If  you  are  using  _F_i_r_e_w_a_l_l_d <hhttttppss::////ffiirreewwaalllldd..oorrgg//> it has included
       support for syncthing (since version 0.5.0, January 2018), and you  can
       enable it with:

          sudo firewall-cmd --zone=public --add-service=syncthing --permanent
          sudo firewall-cmd --reload

       Similarly there is also a syncthing-gui service.

RREEMMOOTTEE WWEEBB GGUUII
       To  be  able  to  access  the web GUI from other computers, you need to
       change the _G_U_I _L_i_s_t_e_n _A_d_d_r_e_s_s setting from the  default  112277..00..00..11::88338844
       to  00..00..00..00::88338844. You also need to open the port in your local firewall
       if you have one.

   TTuunnnneelliinngg vviiaa SSSSHH
       If you have SSH access to  the  machine  running  Syncthing  but  would
       rather  not  open the web GUI port to the outside world, you can access
       it through a SSH tunnel instead. You can start a tunnel with a  command
       like the following:

          ssh -L 9999:localhost:8384 machine

       This will bind to your local port 9999 and forward all connections from
       there to port 8384 on the target machine.  This  still  works  even  if
       Syncthing is bound to listen on localhost only.
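
       Added example (not part of the Syncthing documentation): a shell check
       that compares listening sockets with the ports listed under LOCAL
       FIREWALL and flags a GUI Listen Address that is not loopback-only. The
       function name, output keywords and sample socket lines are constructed
       for illustration.

```shell
#!/bin/sh
# Reads `ss -H -tuln` style lines on stdin
# (columns: Netid State Recv-Q Send-Q Local-Address:Port Peer-Address:Port).
# Exits non-zero if a sync/discovery port is missing or the GUI is not loopback-only.
audit_listeners() {
    awk '
    {
        proto = $1; addr = $5
        n = match(addr, /:[0-9]+$/)      # split host and port at the last colon
        if (n == 0) next                 # header or unrelated line
        host = substr(addr, 1, n - 1); port = substr(addr, n + 1)
        sub(/%.*$/, "", host)            # drop an interface suffix such as %lo
        seen[port "/" proto] = 1
        # Default GUI port from this page; anything but loopback is reachable remotely.
        if (port == "8384" && proto == "tcp" && host != "127.0.0.1" && host != "[::1]")
            exposed = exposed " " addr
    }
    END {
        split("22000/tcp 22000/udp 21027/udp", want, " ")
        for (i = 1; i <= 3; i++) {
            if (want[i] in seen) print "ok " want[i]
            else { print "missing " want[i]; bad = 1 }
        }
        if (exposed != "") { print "gui-exposed" exposed; bad = 1 }
        else print "gui-not-exposed"
        exit bad + 0
    }'
}

# Constructed sample: default setup, GUI bound to 127.0.0.1 only.
SAMPLE_DEFAULT='tcp LISTEN 0 4096 *:22000 *:*
udp UNCONN 0 0 *:22000 *:*
udp UNCONN 0 0 0.0.0.0:21027 0.0.0.0:*
tcp LISTEN 0 4096 127.0.0.1:8384 0.0.0.0:*'

# Constructed sample: GUI on 0.0.0.0:8384 and no discovery listener.
SAMPLE_REMOTE_GUI='tcp LISTEN 0 4096 *:22000 *:*
udp UNCONN 0 0 *:22000 *:*
tcp LISTEN 0 4096 0.0.0.0:8384 0.0.0.0:*'

printf '%s\n' "$SAMPLE_DEFAULT" | audit_listeners
# On a live host: ss -H -tuln | audit_listeners
```

       If a custom port is set in Sync Protocol Listen Address or GUI Listen
       Address, adjust the port numbers in the function to match.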

VVIIAA AA PPRROOXXYY
       Syncthing  can  use a SOCKS5 proxy for outbound connections. Please see
       proxying.

AAUUTTHHOORR
       The Syncthing Authors

CCOOPPYYRRIIGGHHTT
       2014-2019, The Syncthing Authors



v1.19.2                          Apr 05, 2022          SYNCTHING-NETWORKING(7)
