Dmitry Spikhalskiy

Everything posted by Dmitry Spikhalskiy

  1. Did you install the container from CA? Do you run the container with "Privileged: ON"?
  2. @FreeMan I don't know to be honest, at least for me Zerotier by default assigns ZT clients the same IP addresses all the time, never happened that they changed. You need to do what you described just to manually assign the IP you want. But automatically assigned IP is also static, at least in my case.
  3. @Max
     > okay i somehow fixed it, the only weird thing that i noticed was that somehow on network that i created on myzerotier website had my local ips too under advanced - managed routes.
     It's the reason, and that's why I included this in the manual in the header: "if ZeroTier "Managed routes" intersect with your physical local IPs - better change Zerotier range to be different". I will edit the manual to make it more noticeable. Looks like it's connected now and if it has "Online" status at the Zerotier website UI - everything is done right on the unraid side. Your diagnostic output looks also good. Does the computer you try to access your unraid server from also have "Online" status in the Zerotier UI? Is it Authorized there also? Which IP address do you try to use for your connection? You should use IP in Zerotier network, not in the local network. Anything interesting in the tracert and ping output when you ping unRaid Zerotier IP from your client computer?
  4. @Max I don't have this problem, if you can debug it by attaching a keyboard and a display to your server and investigate why it's unavailable - could be useful, maybe some Zerotier bug on your specific configuration. There is a bug report from one of the users that 1.4.6 misbehaves on MacOS for him: https://github.com/zerotier/ZeroTierOne/issues/1030 Also, if you use the default app config now - you use the latest Zerotier version 1.4.6. To use the old bugfixed one (1.2.12) you can specify 1.2.12 tag in your Zerotier app configuration like "Repository: spikhalskiy/zerotier:1.2.12". It could make sense to rollback this way and test if the old version has the same problem on your host.
  5. 1.4.6 is released for everybody, the CLI instructions in the topic header are updated for the new docker image layout.
  6. @Pducharme I published spikhalskiy/zerotier:1.4.6 with the latest version. If you need the latest release - you can test this tag. I will release it to everybody when I test it for multiple days and check that it's stable.
  7. @Pducharme Yeah, there is a reason for it: But I'm going to update to 1.4.6 some time soon.
  8. @FreeMan It's really hard to tell, never had anything like that. You can get really a lot of useful information about the zerotier current state running these 3 commands:
     ./zerotier-cli info
     ./zerotier-cli listnetworks
     ./zerotier-cli listpeers
     But Zerotier client doesn't produce a lot of logs at all, so it's hard to get a history of states and reasons of their changes. There is a build flag that allows to build Zerotier in a "trace" mode, but it's PITA. Can you get an output of these commands when your servers are shown as off in Zerotier console? You obviously need to be in a local network for it. Also, are you sure that it's not legitimate network disruptions? Did you check this theory? You also can give it a try and check 1.4.2 tag that I published for testing: It works stably for me for a long time already.
  9. In the head post of the thread there are examples of specific commands that are working in this docker after opening a CLI to it:
     ./zerotier-cli info
     ./zerotier-cli listnetworks
     ./zerotier-cli listpeers
  10. @mikefallen Yeah, if it's really what you want to do - it should work.
      1. "Pretty sure Ford is right i just need to add a static route on my lan router pointing back to the zerotier network." Adding a static route on your router will make Zerotier hosts available for your local hosts.
      2. "setup ZeroTier on my openwrt router at home." This will bring your router to the ZT network and you will be able to add a static rule to your ZT network setup where to route your requests from ZT network for local network IP addresses, so it will expose your local network IPs to the ZT hosts.
      For what you describe "But i cannot ping anything else from awayPC to anything else on 192.168.2.0/24 only unRAID address (192.168.2.100)" you need to go by the second scenario, not the first one. But be mindful that if you do that, your Wi-Fi smart home lock for example will be exposed to any device added to your Zerotier network.
  11. @mikefallen You likely got a wrong understanding how ZT works. It creates its own "virtual" network. Devices that are part of this network are accessible to each other using ZT IP addresses and work like they are in their own network. So, your awayPCzt is able to access unRAIDzt using ZT IP address (172.22.0.100) and reverse - that's what ZT gives you and looks like it's working. ZT installed on one host doesn't bring your whole home network to Zerotier virtual network and doesn't merge them into one network, it brings only this one device into it. ZT installed on one network host thankfully can't expose all devices in this network outside and can't reroute traffic from other local hosts outside. Imagine buying a smart bulb that after turning on just automatically tunnels all your traffic from all your devices in the network to some third party server? What you want could be achievable by changing settings of your router, but I definitely wouldn't recommend to do it. If you want to access some other devices in your network - use a browser (which will see your home network) installed on your ZT server that you access using ZT IP address or ssh / make an ssh port forwarding to your ZT server and from that server you can ssh / access other devices in your home network.
  12. @tillkrueger I think the easiest thing to do is to open your my.zerotier.com network and take a look what internal Zerotier IP does your NAS have. After that try to ping this IP from your Mac. If ping looks ok - try to just connect to NAS Samba file server from MacOs Finder directly using the IP address. Like it's described here https://support.apple.com/en-us/HT204445 after words "To connect to a file server directly". If this works fine and you get an access to your server - maybe you don't need it inside the Network section? If you really do maybe try to look into settings of Avahi daemon on your Unraid box that is responsible for service discovery or at least try to run /etc/rc.d/rc.avahidaemon restart on your Unraid, which could help.
  13. @argonaut @ice pube Hey, I released a separate tag for you with some dirty hacks, but looks like it's working. You can use the tag spikhalskiy/zerotier:1.4.2 and it will give you the latest Zerotier version. Give it a try if you are in the mood for some experiments. It's an experimental tag and the docker image for this build contains hacks that are not in the Zerotier upstream, so I don't recommend to switch on it until you understand that it could not work for you. I made a ticket for Zerotier team: https://github.com/zerotier/ZeroTierOne/issues/1013. When it's resolved in the upstream in a reasonable manner I will update the main docker with Zerotier 1.4.2 or newer for everybody.
  14. @argonaut It looks like Zerotier removed all prepackaged docker images from their dockerhub repo, so I will need to do some job to build it from scratch or find their sources for it. I will try to make a fresh build when I have time, yeah. UPDATE: I built an image and released an update for this docker to include Zerotier version 1.2.12. I wasn't able to use current Zerotier containerized docker build code to launch 1.4.2 for now. I will try to investigate in a spare time and submit a build fix to the Zerotier upstream repo first. I will release an update for this image when it's resolved.
  15. @Chris Reilly I don't know your unraid.net subdomain setup, it's not a part of Zerotier setup likely and should not work thru it. You should try two things: 1) Just use the server name that you see in UI in the top right corner and add a ".local" to it. See an attached screenshot, I use http://spikhalskiy-nas.local/Main to access UI. 2) Obtain an IP address of your Unraid in Zerotier control panel of your virtual network and call it directly. See an attached screenshot, I use http://10.147.17.49/Main to access UI.
  16. If by static here you mean public static (because IP can be static under NAT too) and you don't have any layer of NAT - no, no way. So, the article is saying about how Zerotier deals with NAT because the NAT is usually an issue why you can't just access your server using a static IP address and why people even start to do all this port forwarding or VPN connection things. If a server has a public static IP - it's just not a problem in this setup to overcome NAT. If your server has a static IP and you verified on your virtual network management page doesn't see your server connected, likely your issue is somewhere in company firewall settings and you maybe should start something around this part of manual:
  17. @MrDatum I think you should be able to open only ports that Plex requires in your Zerotier network using "Flow Rules". Or just forbid samba/afp ports there. There is a manual for rules engine here: https://www.zerotier.com/manual.shtml#3 You can specify the rules in a network setup screen (https://my.zerotier.com/network/<network_id>) on Zerotier website in "Flow rules" section.
  18. @tillkrueger No, it's not an expected behaviour. So, the goal of Zerotier is to create a "local network" between the devices and USUALLY, just Zerotier should be enough. An expected behaviour that without any additional VPN connection you are able to access your server from another host with Zerotier connected to same virtual network on it. There are some limitations when Zerotier can't do the job, but it's rare as far as I know (https://www.zerotier.com/blog/state-of-nat-traversal.shtml). Try to do some basic troubleshooting, like what Zerotier site tells you about a state of your Unraid server (Like a "Last Seen" column in devices list) if you don't use additional VPN, etc. There is also a connection troubleshooting article from Zerotier: https://support.zerotier.com/knowledgebase.php?entry=show&search-for=&article=ZGFmNzQyYjgzOTJhNWZhYWFkODk0Zjg3MTAxY2JkZWE_
  19. ZeroTier you mean? I think I put some description in the header. Remote access. One of the reasons why people install VPN. Your unraid under nas, you don’t want to setup port forwarding for security reasons, you need to open a console or ui of some app. Or plex is not accessible directly because of nat, indirect connection supports only 720p and you want to stream HD videos somewhere not at home - you get an effective peer to peer connection without port forwarding, so your client can connect directly to your Plex box.
  20. I will take a look at it and add this feature if possible. I'm not sure, but I don't think it's possible. You want to tunnel a traffic and use a Zerotier host as a VPN server, I don't know if Zerotier is designed for it. Hmmm. //tower works in your local network not because of a central DNS server. https://www.systutorials.com/docs/linux/man/8-avahi-daemon/ The same avahi-daemon should announce your unRaid name in Zerotier network too. At least, I can access unRaid in Zerotier network using the same name I use in my local network. Maybe try to add ".local" to your domain name. I use "<servername>.local" for both local and Zerotier network as a domain.
  21. Yeah, Zerotier is basically giving you same as fair VPN with
      - minus, that not all your traffic will be tunnelled, just a traffic between your devices.
      + but plus, traffic between your devices goes peer to peer without a single tunnelling service in the middle
      + much easier to setup
  22. @hernandito You could set up your own "controller" and "moon nodes" and create your own full infrastructure basically. Nothing stops you, everything is open source - in that case, you will need to care about the security of your own controller, but it will remove other admins from the system. If you go with a default infrastructure - yeah, members of your network can be theoretically "authorized" by anybody who has an admin access to the public controller.
  23. @1812 No, it creates a "local" network to communicate between your devices and it works effectively in peer to peer mode - if possible your devices will talk directly without an additional VPN server in the middle. But it's not a solution for encrypting or tunnelling traffic between you and any other host on the internet and it's not a VPN replacement for this goal.
  24. @argonaut Yeah, it's a typo, thanks for pointing out! About 1.2.8 - currently my docker image uses as a parent an official dockerized ZeroTier image zerotier/zerotier-containerized. And it currently has version 1.2.4 inside. My thoughts here: 1) I decided to keep things simple and transparent to the community and use the official image as a reference, so everybody could simply verify that my modifications don't do anything bad in docker run in "privileged" mode. 2) I reviewed changes that version 1.2.8 includes and 1.2.4 doesn't and I didn't find anything really important for Linux. But didn't do it very thoroughly. So, if there is any significant reason to upgrade like anybody really needs anything from the new version - yeah, we can do that. If no - I would prefer to stay on the current version for the described reasons.
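
An added example, not part of the original posts or of the ZeroTier project: a small check for the two situations described in posts 3 and 10, a managed route that collides with the physical LAN and a managed route that deliberately publishes the LAN to every network member. The function name, the route tuples, the ZeroTier range and the gateway address are assumptions constructed for illustration; only 192.168.2.0/24 comes from the thread.

```python
import ipaddress

def audit_managed_routes(managed_routes, local_subnets):
    """Compare ZeroTier managed routes with the host's physical subnets.

    managed_routes: (cidr, via) pairs; via is None for the network's own
    on-link range, or the ZeroTier IP of the member acting as gateway.
    local_subnets: CIDRs (or interface addresses with prefix) of the LAN.
    Returns a list of (kind, route, lan) tuples.
    """
    lans = [ipaddress.ip_network(s, strict=False) for s in local_subnets]
    findings = []
    for cidr, via in managed_routes:
        route = ipaddress.ip_network(cidr, strict=False)
        if route.prefixlen == 0:
            continue  # default route (full tunnel) is a separate decision
        for lan in lans:
            if route.version != lan.version or not route.overlaps(lan):
                continue
            # No gateway: the ZeroTier range itself collides with the LAN.
            # With a gateway: the LAN is published to every network member.
            kind = "conflict" if via is None else "lan-exposed"
            findings.append((kind, str(route), str(lan)))
    return findings

# Constructed sample data; 192.168.2.0/24 is the LAN from post 10, the
# ZeroTier range and gateway address are assumptions for illustration.
LOCAL = ["192.168.2.100/24"]
BROKEN = [("192.168.2.0/24", None)]
CLEAN = [("10.147.17.0/24", None)]
ROUTED = [("10.147.17.0/24", None), ("192.168.2.0/24", "10.147.17.1")]

if __name__ == "__main__":
    for name, routes in (("broken", BROKEN), ("clean", CLEAN), ("routed", ROUTED)):
        print(name, audit_managed_routes(routes, LOCAL))
```

A "conflict" finding calls for moving the ZeroTier range; a "lan-exposed" finding means every device authorized on the network can reach that LAN and should be reviewed against the member list.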