- .\" Man page generated from reStructuredText.
- .
- .
- .nr rst2man-indent-level 0
- .
- .de1 rstReportMargin
- \\$1 \\n[an-margin]
- level \\n[rst2man-indent-level]
- level margin: \\n[rst2man-indent\\n[rst2man-indent-level]]
- -
- \\n[rst2man-indent0]
- \\n[rst2man-indent1]
- \\n[rst2man-indent2]
- ..
- .de1 INDENT
- .\" .rstReportMargin pre:
- . RS \\$1
- . nr rst2man-indent\\n[rst2man-indent-level] \\n[an-margin]
- . nr rst2man-indent-level +1
- .\" .rstReportMargin post:
- ..
- .de UNINDENT
- . RE
- .\" indent \\n[an-margin]
- .\" old: \\n[rst2man-indent\\n[rst2man-indent-level]]
- .nr rst2man-indent-level -1
- .\" new: \\n[rst2man-indent\\n[rst2man-indent-level]]
- .in \\n[rst2man-indent\\n[rst2man-indent-level]]u
- ..
- .TH "SYNCTHING-NETWORKING" "7" "Sep 14, 2022" "v1.21.0" "Syncthing"
- .SH NAME
- syncthing-networking \- Firewall Setup
- .SH ROUTER SETUP
- .SS Port Forwards
- .sp
- If you have a NAT router which supports UPnP, the easiest way to get a working
- port forward is to make sure UPnP setting is enabled on both Syncthing and the
- router – Syncthing will try to handle the rest. If it succeeds you will see a
- message in the console saying:
- .INDENT 0.0
- .INDENT 3.5
- .sp
- .nf
- .ft C
- Created UPnP port mapping for external port XXXXX on UPnP device YYYYY.
- .ft P
- .fi
- .UNINDENT
- .UNINDENT
- .sp
- If this is not possible or desirable, you should set up a port forwarding for ports
- \fB22000/TCP\fP and \fB22000/UDP\fP (or whichever port is set in the \fISync Protocol Listen Address\fP setting).
- The external forwarded ports and the internal destination ports have to be the same
- (e.g. 22000/TCP).
- .sp
- Communication in Syncthing works both ways. Therefore if you set up port
- forwards for one device, other devices will be able to connect to it even when
- they are behind a NAT network or firewall.
- .sp
- In the absence of port forwarding, relaying may work well enough to get
- devices connected and synced, but will perform poorly in comparison to a
- direct connection.
- .SS Local Discovery
- .sp
- The router needs to allow/forward broad\-/multicasts for local discovery to work.
- Usually these are allowed by default in a single local subnet, but may be
- blocked between different subnets or even between a bridged Wi\-Fi and LAN.
- .sp
- If you are unable to set up your router thus or your firewall as shown below,
- and your devices have static IP addresses, you can specify them directly by
- changing the default \fBdynamic\fP setting for \fIAddresses\fP to something like:
- \fBtcp://192.168.1.xxx:22000, dynamic\fP\&.
- .SH LOCAL FIREWALL
- .sp
- If your PC has a local firewall, you will need to open the following ports for
- incoming and outgoing traffic:
- .INDENT 0.0
- .IP \(bu 2
- Port \fB22000/TCP\fP: TCP based sync protocol traffic
- .IP \(bu 2
- Port \fB22000/UDP\fP: QUIC based sync protocol traffic
- .IP \(bu 2
- Port \fB21027/UDP\fP: for discovery broadcasts on IPv4 and multicasts on IPv6
- .UNINDENT
- .sp
- If you configured a custom port in the \fISync Protocol Listen Address\fP setting,
- you have to adapt the firewall rules accordingly.
- .SS Uncomplicated Firewall (ufw)
- .sp
- If you’re using \fBufw\fP on Linux and have installed the \fI\%Syncthing package\fP <\fBhttps://apt.syncthing.net/\fP>, you can allow the necessary ports by running:
- .INDENT 0.0
- .INDENT 3.5
- .sp
- .nf
- .ft C
- sudo ufw allow syncthing
- .ft P
- .fi
- .UNINDENT
- .UNINDENT
- .sp
- If you also want to allow external access to the Syncthing web GUI, run:
- .INDENT 0.0
- .INDENT 3.5
- .sp
- .nf
- .ft C
- sudo ufw allow syncthing\-gui
- .ft P
- .fi
- .UNINDENT
- .UNINDENT
- .sp
- Allowing external access is \fBnot\fP necessary for a typical installation.
- .sp
- You can then verify that the ports mentioned above are allowed:
- .INDENT 0.0
- .INDENT 3.5
- .sp
- .nf
- .ft C
- sudo ufw status verbose
- .ft P
- .fi
- .UNINDENT
- .UNINDENT
- .sp
- In case you installed Syncthing manually you can follow the \fI\%instructions to manually add the syncthing preset\fP <\fBhttps://github.com/syncthing/syncthing/tree/main/etc/firewall-ufw\fP> to ufw.
- .SS Firewalld
- .sp
- If you are using \fI\%Firewalld\fP <\fBhttps://firewalld.org/\fP> it has included
- support for syncthing (since version 0.5.0, January 2018), and you can enable
- it with:
- .INDENT 0.0
- .INDENT 3.5
- .sp
- .nf
- .ft C
- sudo firewall\-cmd \-\-zone=public \-\-add\-service=syncthing \-\-permanent
- sudo firewall\-cmd \-\-reload
- .ft P
- .fi
- .UNINDENT
- .UNINDENT
- .sp
- Similarly there is also a \fBsyncthing\-gui\fP service.
- .SH REMOTE WEB GUI
- .sp
- To be able to access the web GUI from other computers, you need to change the
- \fIGUI Listen Address\fP setting from the default \fB127.0.0.1:8384\fP to
- \fB0.0.0.0:8384\fP\&. You also need to open the port in your local firewall if you
- have one.
- .SS Tunneling via SSH
- .sp
- If you have SSH access to the machine running Syncthing but would rather not
- open the web GUI port to the outside world, you can access it through a SSH
- tunnel instead. You can start a tunnel with a command like the following:
- .INDENT 0.0
- .INDENT 3.5
- .sp
- .nf
- .ft C
- ssh \-L 9999:localhost:8384 machine
- .ft P
- .fi
- .UNINDENT
- .UNINDENT
- .sp
- This will bind to your local port 9999 and forward all connections from there to
- port 8384 on the target machine. This still works even if Syncthing is bound to
- listen on localhost only.
- .SH VIA A PROXY
- .sp
- Syncthing can use a SOCKS5 proxy for outbound connections. Please see proxying\&.
- .SH AUTHOR
- The Syncthing Authors
- .SH COPYRIGHT
- 2014-2019, The Syncthing Authors
- .\" Generated by docutils manpage writer.
- .
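Review bot: The REMOTE WEB GUI and ufw sections removed here are where the page states that external GUI access is not necessary for a typical installation, and where it gives `ssh -L 9999:localhost:8384 machine` as the alternative to changing the GUI listen address to 0.0.0.0:8384. That guidance should still reach users some other way before this lands. The first and last comment lines mark the file as generated from reStructuredText by the docutils manpage writer (stamped v1.21.0, Sep 14, 2022), so please say in the commit message whether the page is now regenerated at build time or dropped outright, and if dropped, update whatever installs syncthing-networking.7.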