Synology firewall is alerting "Attempted User Privilege Gain"

Hello experts,

I have successfully installed Twingate on Docker on my Synology NAS. However, since then, I get tons of alerts from the firewall like the one below:

The following suspicious network event was dropped:

Event Type: Attempted User Privilege Gain
Signature: ET INFO Session Traversal Utilities for NAT (STUN Binding Response)
Severity: high
Source IP: <SOURCE IP>
Destination IP: <NAS IP>
Time: 2023-01-29 11:03:50 (GMT+01:00)

I’ve done some research and it seems that this alert occurs because Twingate is constantly checking the NAT IP address:

"Session Traversal Utilities for NAT STUN Binding Response

Session Traversal Utilities for NAT (STUN) is a protocol that serves as a tool for other protocols in dealing with Network Address Translator (NAT) traversal. It can be used by an endpoint to determine the IP address and port allocated to it by a NAT."

Do we have to open some ports on the firewall?

Thank you,
Marius

Hi @mardaff,

Thank you for the details here! The information reported by your Synology module is correct (in the sense that the Connectors use NAT traversal and the STUN protocol to make it work), but it is a false positive (this is the expected behavior of Connectors).

There is no port that needs to be opened on your router! Definitely do not do that in response to the flag.

Now, the technical reason your Connectors are contacting Twingate’s STUN servers is to make sure P2P communication can be established between your Connectors and your Twingate Clients. STUN makes NAT traversal possible, and NAT traversal is actually what makes P2P communication possible even from behind firewalls.

Take a look at the official documentation on this for more details on how it works.

1 Like
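As an added illustration for anyone triaging this alert (example code, not from the thread, Twingate or Synology): a small parser for the STUN Binding Response the signature names. It recognises the message by its type and the RFC 5389 magic cookie and decodes the XOR-MAPPED-ADDRESS, which is exactly the public address and port the Connector learns about itself; the packet bytes and the 203.0.113.7:54321 address are constructed.

```python
import struct
from typing import Optional, Tuple
MAGIC_COOKIE = 0x2112A442        # RFC 5389 fixed value in every STUN header
BINDING_REQUEST = 0x0001         # sent by the Connector to the STUN server
BINDING_RESPONSE = 0x0101        # the server's reply, the type the IDS flagged
XOR_MAPPED_ADDRESS = 0x0020      # attribute carrying the NAT-assigned address

# Constructed sample: a Binding Response whose XOR-MAPPED-ADDRESS encodes
# 203.0.113.7:54321 (documentation address; port 0xD431 ^ 0x2112 = 0xF523,
# address 0xCB007107 ^ 0x2112A442 = 0xEA12D545).
SAMPLE_BINDING_RESPONSE = bytes.fromhex(
    "0101" "000c" "2112a442" "0102030405060708090a0b0c"   # header
    "0020" "0008" "0001" "f523" "ea12d545"                # attribute
)
NOT_STUN = bytes.fromhex("0101000c" "deadbeef" "0102030405060708090a0b0c")

def parse_stun(packet: bytes) -> Optional[dict]:
    """Return {'type', 'mapped'} for a well-formed STUN message, else None."""
    if len(packet) < 20:
        return None
    msg_type, msg_len, cookie = struct.unpack("!HHI", packet[:8])
    # top two bits must be zero, cookie must match, length must agree
    if msg_type & 0xC000 or cookie != MAGIC_COOKIE or len(packet) != 20 + msg_len:
        return None
    mapped: Optional[Tuple[str, int]] = None
    pos = 20
    while pos + 4 <= len(packet):
        attr_type, attr_len = struct.unpack("!HH", packet[pos:pos + 4])
        value = packet[pos + 4:pos + 4 + attr_len]
        if attr_type == XOR_MAPPED_ADDRESS and len(value) == 8 and value[1] == 0x01:
            xport, xaddr = struct.unpack("!HI", value[2:8])
            port = xport ^ (MAGIC_COOKIE >> 16)              # un-XOR the port
            addr = (xaddr ^ MAGIC_COOKIE).to_bytes(4, "big")  # un-XOR the IPv4
            mapped = (".".join(str(b) for b in addr), port)
        pos += 4 + ((attr_len + 3) & ~3)   # values are padded to 4 bytes
    return {"type": msg_type, "mapped": mapped}

def describe(packet: bytes) -> str:
    """Triage label for a dropped UDP packet like the one in the alert."""
    info = parse_stun(packet)
    if info is None:
        return "not-stun"
    if info["type"] == BINDING_RESPONSE:
        # An inbound response is the answer to a request the Connector sent;
        # its payload only tells the Connector its own public address and port.
        return "binding-response"
    if info["type"] == BINDING_REQUEST:
        return "binding-request"
    return "other-stun"
```

Run against the constructed packet, `describe` returns "binding-response" and `parse_stun` yields the mapped address 203.0.113.7:54321; the same check on a Synology packet capture shows the flagged traffic is the reply to the Connector's own request, not an inbound connection attempt.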