Syncing Behind Firewall/gateway



So, I'm toying around with btsync as it seems to be a good solution for syncing multiple computers. But I have trouble syncing on my work desktop, which is behind a gateway+firewall.


Here is my setting:

* home desktop: debian jessie (testing), behind my ISP box (via ethernet) serving as DHCP/router, probably using NAT. Probably no fixed IP address. Usually off when I'm not at home.

* home laptop: debian jessie, wifi to the box, on my home LAN.

* work desktop: debian wheezy (stable), behind a gateway/firewall/router. Probably using NAT. The router certainly has a fixed IP. Always on.


I have root power on all these machines, but I do not have root access to the work gateway. I can ssh to it. I usually connect (from home to work) using ssh + nc on the gateway to automatically "rebound" to my machine.


I have installed tuxpoldo's btsync-user packages (thanks) on each of these three machines. Even though it is not the same distro (jessie/wheezy), it is still the same package (v 1.13.0-1). So I assume version (in)compatibility problems are not an issue.


I have absolutely no problem syncing on my LAN. However, nothing goes to (or from) the work computer.


When I set up the secret on the work computer, the home ones were shut down, thus no sharing was possible, but I have since turned them on without any sync happening. From tests I've made on my LAN, that should not be a real issue. But since LAN discovery does not work the same way as internet discovery does (through trackers), that may be a cause of the problem.


Since I do not have root powers on the work gateway, I cannot add any firewall/NAT/… exception to handle this. I can probably, however, set up an ssh tunnel to go through it. As far as I understand, that may require me to add some "known host" to my home computer to directly plug into the tunnel, but that's not a big deal. I have never set up ssh tunnels before, but that's definitely something I can do if needed…


From what I've gathered, it looks like the relay hosts should basically allow this scenario to work. I am using them (i.e. I have not removed them).


So any idea on why this does not work or how to make it work?


Some more tests with a friend confirmed that the problem is indeed with my work computer. We had no problem syncing between my home computer and his (similar configuration). So, I am able to establish a connection out of my ISP.


I'll try to set up a tunnel and let you know if it works.


Yes! I finally got it working. I did not manage to do it with the usual tunnelling options of ssh (-L/-R) but it did work with the VPN setting (-w). I'll try to explain all the steps I had to do. I got help on setting up the ssh VPN at

1/ my settings.

home: my debian machine at home. I have root access on it.

work: my debian machine at work. I also have root access on it.

gateway: the gateway/firewall through which all connections at work must go. I do not have root access on it.

2/ root to root connection

Apparently, setting up the VPN tunnelling must be done as root. I guess it is possible to grant access to manipulating tun interfaces to regular users in order to avoid this. Anyway, I need root@home to be able to ssh to root@work, going through user@gateway since I must go through it and cannot do it as root… I did it via nc; it should be possible to use the -W option of ssh to do it, but I could not manage.


Host job
    User <work-user>
    Hostname <gateway>
    IdentityFile ~<home-user>/.ssh/id_rsa

Host *.job
    User <work-user>
    ProxyCommand ssh job "nc `basename %h .job` %p"

and test it with ssh root@work.job (as root@home) to check it is working.

Note 1: you may need to enable root login in work:/etc/ssh/sshd_config (PermitRootLogin yes) (and reload the daemon).

Note 2: I'm reusing my RSA key to avoid giving a password to the gateway. It should also be possible to give an RSA key to root to avoid giving a password for root@work.

3/ ssh configuration

In work:/etc/ssh/sshd_config add, if needed, the line "PermitTunnel yes". Then reload the daemon (/etc/init.d/ssh reload).

4/ Setting up the tunnel.

home:$ sudo ssh -w5:5 root@work.job
Note: if you're using tun elsewhere, make sure the numbers are not used anywhere else. Check ifconfig tun5 to see whether the interface already exists (on both machines) and if yes, use other numbers for the -w option.

work: sudo ifconfig tun5 netmask sudo ifconfig tun5 netmask
Note: make sure the IPs are not already used!

My local network at work is on 10.*. My local network at home is at 192.168.0.*, with a DHCP handled by my ISP box. At first, I tried to set up my tunnel on, hoping it would thus be on the same local network (and autodetected by btsync), but it didn't work (as in ping was not working over the tunnel). So I guess you need to get fresh IPs somehow.

Test the VPN by pinging the IP of the other machine.

5/ btsync

btsync was not able to autodetect the new host (with LAN detection). I guess it is linked with my netmask and having eth0 and tun5 in different subnets.

Anyway, adding a predefined host (on home) with IP (the IP of work) and the correct port did the trick and syncing is now working (in both directions).



This topic is now archived and is closed to further replies.
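
The checks from steps 4 and 5 of the last post (a tun number free on both machines, tunnel IPs that collide with neither LAN), as an added example that is not part of the original posts. The helper names, the interface list and the 192.168.0.200/30 and 172.31.255.0/30 candidate networks are constructed assumptions; only 10.*, 192.168.0.*, tun5 and root@work.job come from the thread.

```shell
#!/bin/sh
# Added example: pre-flight checks for the "ssh -w" tunnel described in the thread.
# All candidate addresses below are constructed sample values.

ip2int() {  # dotted quad -> integer
    old_ifs=$IFS; IFS=.; set -- $1; IFS=$old_ifs
    echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

cidr_overlap() {  # true if two CIDR blocks share any address
    a_ip=$(ip2int "${1%/*}"); a_len=${1#*/}
    b_ip=$(ip2int "${2%/*}"); b_len=${2#*/}
    len=$a_len
    if [ "$b_len" -lt "$len" ]; then len=$b_len; fi
    if [ "$len" -eq 0 ]; then return 0; fi
    shift_bits=$(( 32 - len ))
    # Blocks overlap exactly when they agree on the shorter prefix.
    [ $(( a_ip >> shift_bits )) -eq $(( b_ip >> shift_bits )) ]
}

tunnel_net_ok() {  # $1 = candidate tunnel network, rest = networks already in use
    cand=$1; shift
    for used in "$@"; do
        if cidr_overlap "$cand" "$used"; then return 1; fi
    done
    return 0
}

next_free_tun() {  # $1 = first number to try, $2 = interface names from BOTH hosts
    n=$1
    while printf '%s\n' $2 | grep -qx "tun$n"; do n=$(( n + 1 )); done
    echo "$n"
}

bring_up() {  # run as root@home: $1 = tun number, $2 = home tunnel IP, $3 = work tunnel IP
    ssh -f -N -o ExitOnForwardFailure=yes -w "$1:$1" root@work.job || return 1
    ifconfig "tun$1" "$2" pointopoint "$3" up
    ssh root@work.job "ifconfig tun$1 $3 pointopoint $2 up"
    ping -c 3 "$3"   # step 4's check: the far end must answer over the tunnel
}

# Dry run on constructed data; bring_up is deliberately not called here.
ifaces='lo eth0 wlan0 tun5'
num=$(next_free_tun 5 "$ifaces")
for net in 192.168.0.200/30 172.31.255.0/30; do
    if tunnel_net_ok "$net" 10.0.0.0/8 192.168.0.0/24; then echo "tun$num $net: free"
    else echo "tun$num $net: overlaps an existing LAN"; fi
done
```

Once the dry run reports a free network, `bring_up 6 172.31.255.1 172.31.255.2` (as root on home) performs the tunnel setup and ping test; the work-side address is then the one to enter as btsync's predefined host.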