[Support] spikhalskiy - ZeroTier



18 minutes ago, MrDatum said:

I'm curious how people are using this? Can some folks chime in on what are some use cases for this?

ZeroTier you mean? I think I put some description in the header. Remote access. One of the reasons why people install VPN. Your unraid under NAT, you don’t want to setup port forwarding for security reasons, you need to open a console or ui of some app.

Or plex is not accessible directly because of nat, indirect connection supports only 720p and you want to stream HD videos somewhere not at home - you get an effective peer to peer connection without port forwarding, so your client can connect directly to your Plex box.

Edited by Dmitry Spikhalskiy

I currently use it to for a remote backup unraid server on a network that I don't have access to modify the firewall. super simple to connect and not having to bother with network admins for vpn/ssh/etc connections. still troubleshooting a slower-than-i'd-like speed, but thats the least of my concerns right now.


Thank you so much for making this Docker! I'm new to ZeroTier and was so excited to find this!

I do have a question/issue, though...

normally I use Tunnelblick to connect to my unRAID server, which is hosted at a friend's web-agency here in Berlin, with an OpenVPN profile that his IT has created for me.
until I installed and configured your Docker, I had to connect to the network the IT set up for me with Tunnelblick (internal IP is 172.25.123.123 there) and mount my unRAID with the Mac Finder's "Connect to Server..." menu item...always worked well.

I notice that with ZeroTier running, the unRAID system appears both as an SMB and AFP share (the SMB share shows all user and disk shares, the AFP share only the unRAID user share) and also connects fine.

my question:

is it expected behaviour that I can only access my unRAID system when the Tunnelblick OpenVPN certificate is *also* running? I had hoped that ZeroTier alone might be enough to connect, but I guess it makes sense that I will still need to penetrate their Firewall by means of the OpenVPN cert first, in order to *then* take advantage of ZeroTier's features...or might there be something that their IT can do in order to combine the two into one, so that ZeroTier alone would get me there?

I only ask because of the inconvenience of using Tunnelblick and losing many of my normal internet connections in the process, while being logged into their/my network there.
 

On 8/18/2018 at 12:03 PM, Dmitry Spikhalskiy said:

ZeroTier you mean? I think I put some description in the header. Remote access. One of the reasons why people install VPN. Your unraid under NAT, you don’t want to setup port forwarding for security reasons, you need to open a console or ui of some app.

Or plex is not accessible directly because of nat, indirect connection supports only 720p and you want to stream HD videos somewhere not at home - you get an effective peer to peer connection without port forwarding, so your client can connect directly to your Plex box.

 

Thank you for that explanation. One thing I am not clear on is if all Unraid shares are available on the remote ZeroTier client or can I limit it so only certain shares are available? I actually don't share my Plex library with family because I don't want to open ports on my firewall. Could I use Zerotier to share *only* my Plex library with family without also giving them access to the rest of my shares?

Edited by MrDatum
spelling
On 8/23/2018 at 5:43 AM, tillkrueger said:

is it expected behaviour that I can only access my unRAID system when the Tunnelblick OpenVPN certificate is *also* running? I had hoped that ZeroTier alone might be enough to connect, but I guess it makes sense that I will still need to penetrate their Firewall by means of the OpenVPN cert first, in order to *then* take advantage of ZeroTier's features...or might there be something that their IT can do in order to combine the two into one, so that ZeroTier alone would get me there?

@tillkrueger

No, it's not an expected behaviour. So, the goal of Zerotier is to create a "local network" between the devices and USUALLY, just Zerotier should be enough. The expected behaviour is that, without any additional VPN connection, you are able to access your server from another host with Zerotier connected to the same virtual network. There are some limitations when Zerotier can't do the job, but it's rare as far as I know (https://www.zerotier.com/blog/state-of-nat-traversal.shtml).

Try to do some basic troubleshooting, like what Zerotier site tells you about a state of your Unraid server (Like a "Last Seen" column in devices list) if you don't use additional VPN, etc.

There is also a connection troubleshooting article from Zerotier: https://support.zerotier.com/knowledgebase.php?entry=show&search-for=&article=ZGFmNzQyYjgzOTJhNWZhYWFkODk0Zjg3MTAxY2JkZWE_

Edited by Dmitry Spikhalskiy
On 9/2/2018 at 11:51 AM, MrDatum said:

 

Thank you for that explanation. One thing I am not clear on is if all Unraid shares are available on the remote ZeroTier client or can I limit it so only certain shares are available? I actually don't share my Plex library with family because I don't want to open ports on my firewall. Could I use Zerotier to share *only* my Plex library with family without also giving them access to the rest of my shares?

@MrDatum I think you should be able to open only ports that Plex requires in your Zerotier network using "Flow Rules". Or just forbid samba/afp ports there.

There is a manual for rules engine here: https://www.zerotier.com/manual.shtml#3

You can specify the rules in a network setup screen (https://my.zerotier.com/network/<network_id>) on Zerotier website in "Flow rules" section. 

 

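One way to do what Dmitry describes, as an added example that is not from the thread or the container: a ZeroTier flow-rule set for the "Flow Rules" box that lets every other member reach only Plex (TCP 32400) on the unRAID node, while the admin's own laptop keeps full access. The two 10-digit node addresses are placeholders for the ones shown in the Members list; the `drop not ethertype` block is the sanity rule ZeroTier's default template starts with.

```text
# Drop anything that is not IPv4 / ARP / IPv6 (ZeroTier's default first rule)
drop
  not ethertype ipv4
  and not ethertype arp
  and not ethertype ipv6
;

# Address resolution and ping must always pass, or nothing else will work
accept ethertype arp;
accept ipprotocol icmp4;

# Admin laptop (placeholder address a1b2c3d4e5) keeps full access in both directions
accept ztsrc a1b2c3d4e5;
accept ztdest a1b2c3d4e5;

# Everyone else may only open Plex (TCP 32400) on the unRAID node (placeholder b2c3d4e5f6) ...
accept ztdest b2c3d4e5f6 and ipprotocol tcp and dport 32400;
# ... and rules are stateless, so the replies coming back from Plex need their own accept
accept ztsrc b2c3d4e5f6 and ipprotocol tcp and sport 32400;

# Everything else, including SMB (445/139) and AFP (548), is dropped
drop;
```

Family members still have to be authorised in the Members list (step 4 of the setup) and point their Plex client at the unRAID node's managed IP; the rules only decide which packets the virtual network will carry.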

Thanks for clarifying, Dmitry.

Interesting...I *wish* ZeroTier could do the job all on its own, but I do have to use OpenVPN (or Viscosity, as of late) to create a connection to my server *first* in order to be able to access my shares.

When I have a little more time than I do right now, I shall follow your links and see whether the troubleshooting tips get me a step closer to figuring out why, in my setup, this isn't happening. It would be too cool if I could access all my unRAID resources locally by using *only* ZeroTier.

Since the IT at the web-agency where my unRAID server is located had to create a custom openVPN certificate for me, is there a way to read such a cert into ZeroTier, and make it work that way, maybe?


beginning to read through the first link you posted, it deals at length with the principle of NAT...since I have been assigned a static IP address by the web-agency where my unRAID system is hosted, the questions beckons: is there an inherent issue with using ZeroTier on machines that don't use NAT but a static IP address, maybe?

is there something specific the IT guy at the web-agency needs to do in order to allow ZeroTier to do the job all on its own?

guess I'll keep on reading, in the meantime.

1 hour ago, tillkrueger said:

is there an inherent issue with using ZeroTier on machines that don't use NAT but a static IP address, maybe?

 

If by static here you mean public static (because an IP can be static under NAT too) and you don't have any layer of NAT - no, no way. So, the article is about how Zerotier deals with NAT, because NAT is usually the reason why you can't just access your server using a static IP address and why people even start to do all this port forwarding or VPN connection things. If a server has a public static IP - it's just not a problem in this setup to overcome NAT.

If your server has a static IP and you verified that your virtual network management page doesn't see your server connected, likely your issue is somewhere in the company firewall settings and you maybe should start with something around this part of the manual:

Quote
  • Ensure that your firewall (or AWS/Azure/Google Cloud rules) allows UDP traffic to/from port 9993 at a minimum. Allowing outbound UDP to all ports or to all ports above 9000 is also recommended.
  • Check local firewall and security software, especially third party software like McAfee or Little Snitch.
  • Check to ensure that a local firewall is not blocking traffic to/from your ZeroTier network(s). Networks you join appear on your computer as additional network devices and local firewalls may apply policies to them. Sometimes the default policy is "untrusted" or "public" which may prohibit most traffic. This is a frequent cause of "I can't ping" problems.

 


By static I meant an IP from one of the blocks they lease from their bandwidth provider.

I forwarded some of your links to their IT to ask for help...there is only so much I can say or do without knowing what he did on their firewall end. I doubt that he'll open up specific ports for me, but who knows, maybe he will.

In any case, I hope that I can get to the point of using ZeroTier as the only means of accessing all of my unRAID assets from the outside, in hope of then also being able to run the Let's Encrypt docker and serve one of my websites from my unRAID, pending the proper security measures that will need to be implemented. The Let's Encrypt docker support thread here on the unRAID forum appears to hold a ton of information and discourse about that topic, so it seems to be possible to safely serve a site from an unRAID system.


No word back yet from the IT at the agency where my unRAID system sits, and without his help I'm a bit at a loss of how much I can do to get this working properly.

Another question:

When it *does* work as designed, meaning without an additional OpenVPN connection running concurrently, is it possible then to reach my iMac5K, which is my main workstation, from the outside world, so that I can remote control it (I use the "Screens" app) to sync large amounts of data from my home-office network to my unRAID system?

The issue right now is that I can only mount the unRAID shares on my iMac5K when I also have the OpenVPN connection running, but when the OpenVPN connection is running, I don't think that I can see my iMac5K from the outside world anymore...and since only one concurrent OpenVPN connection to my unRAID server is allowed, I can't also connect my rMBP to it, which I use to remote control my iMac5K to sync data with my unRAID system.

Was that too confusing?


Hi there, and thank you for this docker! I am really thrilled with the possibilities zero tier brings along and was searching for an option like this last year. The docker is running and I joined my private network without problems.

 

In the networks section I see the IPs and that my tower is online but I somehow cannot get a connection from other places outside of home. I see the connected devices as ZT-leafs even from my tower via CLI-listpeers but when trying to go to the webadmin via the browser I don't get through. I also cannot mount SMB-share over ZT. Pinging works.

 

I am guessing there could be something not set right at my tower? Do I need to allow any forwarding (via the docker?) on the tower so that traffic received by ZT in the docker then routes to the webgui or samba?

On 6/5/2018 at 2:48 AM, Dmitry Spikhalskiy said:

Application Name: ZeroTier

Application Site: https://www.zerotier.com/

Docker Hub: https://hub.docker.com/r/spikhalskiy/zerotier/

Github Docker: https://github.com/Spikhalskiy/zerotier-unraid-docker

Templates Repo: https://github.com/Spikhalskiy/docker-templates

 

Zerotier is an open source, cross-platform virtual LAN / VPN available on Android, iOS, Mac, Windows, Linux.

It allows remote access to devices as if they all reside in the same local network.

All traffic is encrypted end-to-end and takes the most direct path available for minimum latency and maximum performance, using VPN-like connections.

Up to 100 devices for free, no need for port forwarding, very simple setup.

 

Network and the docker image setup steps:

  1. Create a https://my.zerotier.com/ account and create a Network there.
  2. Get an ID of the created network (looks something like b4da7454b271902c).
  3. Install this docker image on your unRaid using a template or from Community Applications and put that ID as a NETWORK_ID parameter of the container.
  4. After a start of the docker go to https://my.zerotier.com/network/<NETWORK_ID> to “Members section” area. Check “Auth” checkbox for the new device. Assign a meaningful name to it, copy an IP from "Managed IPs" column - it will be a static IP of your NAS in your virtual network.
  5. Install a Zerotier client to your laptop/phone/other devices, join a network with the same id and repeat the previous step for them.

 

Now, when you connect Zerotier on any of your devices - a VPN connection will be set up and all connected devices will be available like they are in the same network. SMB shares/TimeMachine will be autodetected, UIs will be accessible on <ip from the step 4>:<usual port>.

 

Post an issue

If you post about an issue, it will be helpful if you open a console of the docker from webGui, run and include in your post an output of the following commands:


./zerotier-cli info

./zerotier-cli listnetworks

./zerotier-cli listpeers

 

Clean reinstall

If you want to make a clean installation and start setup from scratch - don't forget to cleanup config directory which is "/mnt/user/appdata/zerotier/zerotier-one" by default. It contains an identity of your Zerotier node and generated certificates.

 

FAQ

Q: Should I change "Managed routes" on https://my.zerotier.com/network/<NETWORK_ID> to reflect my unRaid internal IP and subnet in a real physical network?

 

A: No, ZeroTier creates a virtual network adapter to use in the ZeroTier network. If your home IP range is 192.168.1.0/24 and ZeroTier by default selected "10.147.17.*" for example for your managed IPs - it's totally fine. Even the opposite: if the ZeroTier "Managed routes" intersect with your physical local IPs - better change the Zerotier range to be different. The unRaid virtual IP in the Zerotier network, which you can find on the https://my.zerotier.com/network/<NETWORK_ID> page, is what you use when you have connected to the same Zerotier network from another device located in another physical network and want to get access to your unRaid; this IP is different from the physical local network IP of your unRaid server.

 

It was working before but it's not now. I tried to connect my tower to a remote pc today and I cannot access my tower. Not sure what I am missing here. Assistance please.


Edited by ThePhotraveller
Adding extra console info.

How can I create a bridge from zeroTier to my LAN? I see people doing this a lot, but not one single tutorial has worked for me.

 

I would like to install this ZeroTier docker on my UnRaid box, and set it up as a bridge, so that I can connect to my zerotier network from my phone, or other computers and access my entire LAN. I know this is doable, I just can't figure out how to do it.


I was able to get ZeroTier working via this Docker image relatively painlessly and am able to connect up with my phone and laptop to my array's SMB shares. However, I'm not able to access the web interface. It redirects to my unraid.net subdomain, but cannot connect to it. Is there a way I can access that remotely? I read through the thread but didn't notice any definitive steps. 

 

PS. I'm very thankful for this work. My father is terminally ill and I wanted to be at his side, but still needed access to some important resources on my array from my laptop. Being able to get this work on short notice made a huge difference for us. 


@Chris Reilly I don't know your unraid.net subdomain setup, it's not a part of the Zerotier setup likely and should not work through it.

You should try two things:

1) Just use the server name that you see in UI in the top right corner and add a ".local" to it. See an attached screenshot, I use http://spikhalskiy-nas.local/Main to access UI.

2) Obtain an IP address of your Unraid in Zerotier control panel of your virtual network and call it directly. See an attached screenshot, I use http://10.147.17.49/Main to access UI.



Hello, I spent a bunch of hours trying to figure out something. I installed the ZeroTier docker, configured it and I can access my unraid server and its dockers perfectly, but I can't access my router. My configuration is as follows:

 

Physical LAN net is 192.168.1.0/24 (being my router: 192.168.1.1 and my unraid server: 192.168.1.2).

 

The ZeroTier net is 192.168.2.0/24 (being my unraid server: 192.168.2.2 and my outside-LAN laptop [Windows 10 client]: 192.168.2.55)

 

I have the following managed routes in ZeroTier and I can access the unraid server from my outside-LAN laptop through the IPs 192.168.1.2 and 192.168.2.2, so that seems fine:

 

192.168.1.0/24    via   192.168.2.2

192.168.2.0/24           (LAN)

 

The problem is that from my laptop I am unable to reach my router (192.168.1.1). I can ping the router from the docker terminal, but I cannot connect to it from the ZeroTier client side. Am I missing something during the configuration process? I believe that this ZeroTier docker should allow me to connect remotely to my router, am I wrong?

 

Thanks!!!

 

 

Edited by Fraih
typo
3 hours ago, Fraih said:

Hello, I spent a bunch of hours trying to figure out something. I installed the ZeroTier docker, configured it and I can access my unraid server and its dockers perfectly, but I can't access my router. My configuration is as follows:

 

Physical LAN net is 192.168.1.0/24 (being my router: 192.168.1.1 and my unraid server: 192.168.1.2).

 

The ZeroTier net is 192.168.2.0/24 (being my unraid server: 192.168.2.2 and my outside-LAN laptop [Windows 10 client]: 192.168.2.55)

 

I have the following managed routes in ZeroTier and I can access the unraid server from my outside-LAN laptop through the IPs 192.168.1.2 and 192.168.2.2, so that seems fine:

 

192.168.1.0/24    via   192.168.2.2

192.168.2.0/24           (LAN)

 

The problem is that from my laptop I am unable to reach my router (192.168.1.1). I can ping the router from the docker terminal, but I cannot connect to it from the ZeroTier client side. Am I missing something during the configuration process? I believe that this ZeroTier docker should allow me to connect remotely to my router, am I wrong?

 

Thanks!!!

 

 

I'm currently working on a ZT docker that will allow you to route to internal networks, I'm testing it in bridge mode (container with its own IP). It's a fork of someone else's which I'll write a config for UnRAID. It's a best effort thing only right now and I'll try to finish it asap.

 

One thing I discovered while testing my docker, as your internal network clients usually get a DHCP IP Address from your router. Your router actually has no idea about the ZT network. So you'll need to log onto your firewall and create a route to send all ZT network traffic to the IP Address of your docker container. i.e.

 

# Variables

Internal Network: 192.168.1.0/24

Internal router: 192.168.1.1

Container IP: 192.168.1.11

ZeroTier Network: 172.16.0.0/16

ZeroTier Container IP: 172.16.12.50

 

# ZeroTier Managed Route

Destination: 192.168.0.0/24     (ZT's network)

Via: 172.16.12.50     (ZT container IP)

Now click on the Spanner icon for your device in the ZT Web console and click 'Allow Ethernet Bridging'

 

# Firewall Router rule

Subnet: 172.16.0.0/16     (ZT Network range)

Gateway: 192.168.1.11     (ZT Container IP Address)

 

Edited by opticon
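Both the FAQ's warning about managed routes that overlap the physical LAN and the site-to-site setup in the last two posts (a LAN route "via" the unRAID node plus a return route on the physical router) can be sanity-checked before touching the router. This is an added example, not code from the container or from anyone in the thread; `audit_zerotier_routing` is a name chosen here and the subnets in it are constructed to match the ones quoted above.

```python
import ipaddress


def audit_zerotier_routing(zt_managed, physical_lans, managed_routes,
                           bridge_lan_ip=None, router_routes=()):
    """Return a list of problems found in a ZeroTier managed-route setup.

    zt_managed     - subnets ZeroTier hands managed IPs out of, e.g. ["10.147.17.0/24"]
    physical_lans  - real LAN subnets behind the members, e.g. ["192.168.1.0/24"]
    managed_routes - (destination, via) pairs from the network page; via=None is on-link (LAN)
    bridge_lan_ip  - physical LAN address of the host forwarding between ZeroTier and the LAN
    router_routes  - (destination, gateway) static routes configured on the physical LAN router
    """
    problems = []
    zt_nets = [ipaddress.ip_network(n) for n in zt_managed]
    lan_nets = [ipaddress.ip_network(n) for n in physical_lans]

    # FAQ point: the managed IP range must not collide with any physical LAN range.
    for zt in zt_nets:
        for lan in lan_nets:
            if zt.overlaps(lan):
                problems.append(f"managed range {zt} overlaps physical LAN {lan}; "
                                "pick a different ZeroTier range")

    # A "via" gateway must itself be a managed ZeroTier address, and the
    # destination must be a real LAN, otherwise the route cannot work.
    routed_lans = []
    for dest, via in managed_routes:
        dest_net = ipaddress.ip_network(dest)
        if via is None:
            continue  # the on-link route for the managed range itself
        gateway = ipaddress.ip_address(via)
        if not any(gateway in zt for zt in zt_nets):
            problems.append(f"route {dest} via {via}: gateway is not a managed ZeroTier address")
        if not any(dest_net.overlaps(lan) for lan in lan_nets):
            problems.append(f"route {dest}: destination matches no physical LAN (typo?)")
        routed_lans.append(dest_net)

    # Site-to-site point: LAN hosts only know their default gateway, so the physical
    # router needs a return route for the ZeroTier range pointing at the bridge host.
    if routed_lans:
        if bridge_lan_ip is None:
            problems.append("LAN routes are published but no bridge host LAN IP was given")
        else:
            bridge = ipaddress.ip_address(bridge_lan_ip)
            for zt in zt_nets:
                covered = any(zt.subnet_of(ipaddress.ip_network(d))
                              and ipaddress.ip_address(g) == bridge
                              for d, g in router_routes)
                if not covered:
                    problems.append(f"router has no return route for {zt} via {bridge}; "
                                    "LAN hosts will answer via their default gateway instead")
    return problems


if __name__ == "__main__":
    # Constructed sample modelled on the setup discussed above: LAN 192.168.1.0/24,
    # ZeroTier range 192.168.2.0/24, unRAID bridging at 192.168.1.2 / 192.168.2.2,
    # and no return route on the router yet.
    for problem in audit_zerotier_routing(
            ["192.168.2.0/24"], ["192.168.1.0/24"],
            [("192.168.1.0/24", "192.168.2.2"), ("192.168.2.0/24", None)],
            bridge_lan_ip="192.168.1.2", router_routes=()):
        print("PROBLEM:", problem)
```

The FAQ's default case (10.147.17.0/24 beside a 192.168.1.0/24 LAN, on-link route only) comes back clean; the same call with `router_routes=[("192.168.2.0/24", "192.168.1.2")]` also comes back clean, which is the router rule opticon describes.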
5 hours ago, opticon said:

I'm currently working on a ZT docker that will allow you to route to internal networks, I'm testing it in bridge mode (container with its own IP). It's a fork of someone else's which I'll write a config for UnRAID. It's a best effort thing only right now and I'll try to finish it asap.

 

One thing I discovered while testing my docker, as your internal network clients usually get a DHCP IP Address from your router. Your router actually has no idea about the ZT network. So you'll need to log onto your firewall and create a route to send all ZT network traffic to the IP Address of your docker container. i.e.

 

# Variables

Internal Network: 192.168.1.0/24

Internal router: 192.168.1.1

Container IP: 192.168.1.11

ZeroTier Network: 172.16.0.0/16

ZeroTier Container IP: 172.16.12.50

 

# ZeroTier Managed Route

Destination: 192.168.0.0/24     (ZT's network)

Via: 172.16.12.50     (ZT container IP)

Now click on the Spanner icon for your device in the ZT Web console and click 'Allow Ethernet Bridging'

 

# Firewall Router rule

Subnet: 172.16.0.0/16     (ZT Network range)

Gateway: 192.168.1.11     (ZT Container IP Address)

 

Hey opticon, thank you for your answer. So if I understood correctly, connecting to my router is not possible through the docker of this thread, and all those variables and routes you posted are for the docker you are working on, right?

 

Another thing I didn't get is, when you talk about my firewall, do you mean the firewall configuration of my ISP router? Is my router able to see the docker subnet 172.16.0.0/16?

 

Thanks again!

On 4/4/2019 at 10:03 AM, Fraih said:

Hey opticon, thank you for your answer. So if I understood correctly, connecting to my router is not possible through the docker of this thread, and all those variables and routes you posted are for the docker you are working on, right?

 

Another thing I didn't get is, when you talk about my firewall, do you mean the firewall configuration of my ISP router? Is my router able to see the docker subnet 172.16.0.0/16?

 

Thanks again!

 

I still haven't figured out my problem despite changing a bunch of stuff in my router. But yesterday I found out another problem, I can't access the webUI of the docker qBittorrent from Binhex when I am connected to ZeroTier from outside my LAN. I can access any other docker's webUI just fine, but it doesn't work for qBittorrent (same unRaid ip, and port 8080). Could it be because the qBittorrent docker is running with the Privoxy instance activated? Although most of my other dockers are pointing to Privoxy via proxy config (Sonarr, Radarr...) and I don't have any problem accessing them.

 

Any idea of how could I fix this? Thanks!


I tried to install this on my server so that I could remotely access various dockers. However when I activated ZT the main IP address of my management interface disappeared. The only way I could access the server's management interface and all of the various devices on it was only by using ZeroTier even within my own network. 

 

Is it supposed to do this? I would like to be able to connect to the server within my own network as well as be able to remotely access it with say an Android Phone.

 

On 4/24/2019 at 8:20 AM, BCinBC said:

I tried to install this on my server so that I could remotely access various dockers. However when I activated ZT the main IP address of my management interface disappeared. The only way I could access the server's management interface and all of the various devices on it was only by using ZeroTier even within my own network. 

 

Is it supposed to do this? I would like to be able to connect to the server within my own network as well as be able to remotely access it with say an Android Phone.

 

I have the same problem. I recently changed to an ISP that uses CGNAT, so I can no longer port forward or reverse proxy. Zerotier's interface looks like it could work for me, however after starting the docker, I can not access my unraid webui locally (on 192.168.1.4). I can remotely via Zerotier but nothing locally.

Anyone have a solution?

