[Support] spikhalskiy - ZeroTier



...I have zerotier docker assigned to a separate VLAN. This way, all my other local services/dockers and hosts are in different networks and my local router will take care of that.
In brief: In zerotier central, configure the zerotier interface as gateway to your local zerotier VLAN and route all your other local networks to the zerotier VLAN interface of the local router. In your router, configure the zerotier VLAN interface of the docker as gateway to your zerotier network chosen from zerotier central config.

Sent from my SM-G930F using Tapatalk

  • 1 month later...
On 4/4/2019 at 7:03 PM, Fraih said:

Hey opticon, thank you for your answer. So if I understood correctly, connecting to my router is not possible through the docker of this thread, and all those variables and routes you posted are for the docker you are working on, right?

 

Another thing I didn't get is, when you talk about my firewall, do you mean the firewall configuration of my ISP router? Is my router able to see the docker subnet 172.16.0.0/16?

 

Thanks again!

You could try and install a debian minimal VM, then install ZeroTier on that. For me that works, I can remotely access the router, and all that resides in the same LAN, from the zerotier instance on that VM, as long as I have it allow access to and from ZeroTier on the VM's firewall.

On 6/19/2019 at 5:14 AM, fluisterben said:

You could try and install a debian minimal VM, then install ZeroTier on that. For me that works, I can remotely access the router, and all that resides in the same LAN, from the zerotier instance on that VM, as long as I have it allow access to and from ZeroTier on the VM's firewall.

Okay, so it is not possible to do that with the docker from this post, right? I might try what you say.

On 6/21/2019 at 4:38 AM, Fraih said:

Okay, so it is not possible to do that with the docker from this post, right? I might try what you say.

Not the right person to ask. I'm very much biased towards VM over docker instances. I have to work a lot with docker containers with devs and dev-ops stuff for work that I make money with. But I assure you; VM is easier to maintain in the long run.

I always let out a sigh of relief when there's some issue with a VM, and not a docker container, containers are a PITA to fix problems for. Half the containers out there have missing access to parts of them. Half of those who are using containers don't know which parts that are mapped outside of the container will or will not be erased when an update of the container occurs. People that prefer dockers are usually making a spaghetti-code setup of dependencies, and forget to take notes, up to the level where they don't remember which container is the 'live' one. So many points of failure. So many ways to not be able to change config. Dockers are good for those who run software while developing what is on that docker, not for production level services, or set-it-and-forget-it apps like here with unraid.

  • 4 weeks later...

Stumped about what happened, but when I first set up ZeroTier, I was able to see my unRAID in the MacOS Finder's Network section. At some point, I don't know when and why, it disappeared from Network again.

 

Now, many months later, I am trying to see what can be done to connect to unRAID again from within Finder, but even after re-tracing all configuration steps, I fail to succeed.

 

The ZeroTier app on my Mac shows Status as OK after I solved a PORT_ERROR message, and I double-checked all network id settings and such in the ZeroTier settings on unRAID, restarted it numerous times, made sure it shows as "Online" in my.zerotier.com account, but nothing seems to bring my unRAID system back into my Network.

 

Where to go from here?

  • 3 weeks later...
On 6/12/2018 at 6:39 PM, Dmitry Spikhalskiy said:

@argonaut Yeah, it's a typo, thanks for pointing out!

About 1.2.8 - currently my docker image uses as a parent an official dockerized ZeroTier image zerotier/zerotier-containerized. And it currently has version 1.2.4 inside.

 My thoughts here:

1) I decided to keep things simple and transparent to the community and use the official image as a reference, so everybody could simply verify that my modifications don't do anything bad in docker run in "privileged" mode.

2) I reviewed changes that version 1.2.8 includes and 1.2.4 doesn't and I didn't find anything really important for Linux. But didn't do it very thoroughly.

 So, if there is any significant reason to upgrade like anybody really needs anything from the new version - yeah, we can do that. If no - I would prefer to stay on the current version for the described reasons.

I am certainly not a developer, just noticed some linux fixes on this page - https://github.com/zerotier/ZeroTierOne/blob/master/RELEASE-NOTES.md

 

Would it be possible to update the docker? Seems like 1.2.4 to 1.4.0 might be worth it. 

 

Really nice docker, thanks so much for making it. 

11 hours ago, vitaprimo said:

Does this join the ZeroTier network as a client, bridge or controller? (leaving the default config of the container)

By default it will join as a client. This image contains ZeroTierOne https://github.com/zerotier/ZeroTierOne

ZeroTier controllers (the same thing as my.zerotier.com) require a lot more configuration. You will also need additional firewall ports opened for the controller to work. See https://github.com/zerotier/ZeroTierOne/tree/master/controller for more information. You can view the template for this image here: https://raw.githubusercontent.com/Spikhalskiy/docker-templates/master/zerotier.xml

27 minutes ago, argonaut said:

By default it will join as a client. This image contains ZeroTierOne https://github.com/zerotier/ZeroTierOne

ZeroTier controllers (the same thing as my.zerotier.com) require a lot more configuration. You will also need additional firewall ports opened for the controller to work. See https://github.com/zerotier/ZeroTierOne/tree/master/controller for more information. You can view the template for this image here: https://raw.githubusercontent.com/Spikhalskiy/docker-templates/master/zerotier.xml

Yeah, I know... I had set up a controller before and because I forgot all about the moons thing json config I just deleted it because I wouldn't know what to do with it anyway. I'm gonna start over to retrain myself, I'm trying to set up a bridge first but I'm forgetting something that I can't get DHCP to pass through--I know it's advised against but it gives me a guarantee that the bridge is working correctly. :)

 

unRAID's been killing it these past couple of weeks with 1-click solutions for things that were in their own VMs before, I thought this might be one of them. Thanks for clearing it up, though!


@argonaut  It looks like Zerotier removed all prepackaged docker images from their dockerhub repo, so I will need to do some job to build it from scratch or find their sources for it. I will try to make a fresh build when I have time, yeah.

 

UPDATE

I built an image and released an update for this docker to include Zerotier version 1.2.12

I wasn't able to use current Zerotier containerized docker build code to launch 1.4.2 for now. I will try to investigate in a spare time and submit a build fix to the Zerotier upstream repo first. I will release an update for this image when it's resolved.

Edited by Dmitry Spikhalskiy

@argonaut @ice pube Hey, I released a separate tag for you with some dirty hacks, but looks like it's working. You can use the tag spikhalskiy/zerotier:1.4.2 and it will give you the latest Zerotier version. Give it a try if you are in the mood for some experiments :)

It's an experimental tag and the docker image for this build contains hacks that are not in the Zerotier upstream, so I don't recommend switching to it until you understand that it might not work for you.

I made a ticket for Zerotier team: https://github.com/zerotier/ZeroTierOne/issues/1013. When it's resolved in the upstream in a reasonable manner I will update the main docker with Zerotier 1.4.2 or newer for everybody. 

 

Screenshot 2019-08-18 20.26.49.png

Edited by Dmitry Spikhalskiy
4 hours ago, Dmitry Spikhalskiy said:

@argonaut Hey, I released a separate tag for you with some dirty hacks, but looks like it's working. You can use the tag spikhalskiy/zerotier:1.4.2 and it will give you the latest Zerotier version. Give it a try if you are in the mood for some experiments :)

It's an experimental tag and the docker image for this build contains hacks that are not in the Zerotier upstream, so I don't recommend switching to it until you understand that it might not work for you.

I made a ticket for Zerotier team: https://github.com/zerotier/ZeroTierOne/issues/1013. When it's resolved in the upstream in a reasonable manner I will update the main docker with Zerotier 1.4.2 or newer for everybody. 

 

Screenshot 2019-08-18 20.26.49.png

Geez, I feel kind of special. I should have time in the next couple of days to test. I'll report back.

On 7/19/2019 at 3:22 AM, tillkrueger said:

Stumped about what happened, but when I first set up ZeroTier, I was able to see my unRAID in the MacOS Finder's Network section. At some point, I don't know when and why, it disappeared from Network again.

 

Now, many months later, I am trying to see what can be done to connect to unRAID again from within Finder, but even after re-tracing all configuration steps, I fail to succeed.

 

The ZeroTier app on my Mac shows Status as OK after I solved a PORT_ERROR message, and I double-checked all network id settings and such in the ZeroTier settings on unRAID, restarted it numerous times, made sure it shows as "Online" in my.zerotier.com account, but nothing seems to bring my unRAID system back into my Network.

 

Where to go from here?

 

@tillkrueger I think the easiest thing to do is to open your my.zerotier.com network and take a look at what internal Zerotier IP your NAS has. After that try to ping this IP from your Mac. If ping looks ok - try to just connect to the NAS Samba file server from MacOS Finder directly using the IP address, like it's described here https://support.apple.com/en-us/HT204445 after the words "To connect to a file server directly". If this works fine and you get access to your server - maybe you don't need it inside the Network section? If you really do, maybe try to look into the settings of the Avahi daemon on your Unraid box that is responsible for service discovery, or at least try to run

/etc/rc.d/rc.avahidaemon restart

on your Unraid, which could help.

Edited by Dmitry Spikhalskiy

I have updated the latest stable 1.2.12 and it has been working for a few hours without issue. Thanks. I need more time and bravery to try going to version 1.4.2. (I suppose it's easy to undo being docker, but I'm in the middle of a parity rebuild so I don't want to risk interrupting that until it is done.) I'm hoping the dockerfile gets updated soon so you can do a build like you were doing previously. Thanks.


Got this working although very slowly.

I only have 2 clients on my Zero Tier network.  I have this Unraid Docker container, and my cell phone.

Browsing files via Total Commander did not work at all (some access denied error).

Browsing via CX File Explorer worked but basically unusable due to slowness.

Also tried SSH via Juice SSH.  Again, basically unusable.

 

It's not my mobile connection because I have a jump host on my network and connecting over internet to Unraid via my jumphost works fine and is fast/responsive.

 

My phone is a Pixel 2. It should be powerful enough, right?


Just discovered this tonight. Got my account created. Installed the docker on my main machine & got it authorized. Installed a client on my Android phone & got it authorized. Installed the docker on my backup server & got it authorized. I can connect to the WebGUI of my main server from my phone with WiFi turned off no problem! I do have to use the ZT IP address to access it, but I often have issues accessing my server internally via name instead of IP, so I'm not too concerned about that.

 

I cannot browse the server with Astro (an Android file manager app) like I used to, but I don't think that's ZeroTier's fault - I haven't been able to do that for months. (Must find new file manager app.) Also, I cannot access the server via ControlR or get nzb360 to connect even though both will work just fine via openVPN.

 

I have a test Duplicati backup running to my backup server via an Unassigned Devices share. Now I just need to get the server off-site and test it out that way! Probably took me 30 minutes including playing around with Astro and submitting an issue to them about the network browsing not working. All-in-all a successful evening

 

I'm probably going to come up with a different backup solution than Duplicati, but otherwise, I'm feeling 100% with what I've got right now. Thanks for making this available, @Dmitry Spikhalskiy!

  • 2 weeks later...

Quick question regarding an issue I have run into and wondering if anyone has a similar setup that is working. I'm trying to access my Home network LAN from other computers in the ZT network. From what I have read online I just create a managed route in zero tier for 192.168.2.0/24 via 172.22.0.100 which I have done and make sure sysctl ip_forwarding is enabled on unRaid which it is.

 

Home Network = 192.168.2.0/24

Away Network = 192.168.0.0/24

awayPC = 192.168.0.150

awayPCzt = 172.22.0.150

unRAID = 192.168.2.100

unRAIDzt = 172.22.0.100

 

 

On my awayPC I can see this route in "Route Print" for 192.168.2.0/24 via 172.22.0.100

 

I can ping from awayPC ----> to both unRAID (192.168.2.100) and unRAIDZT (172.22.0.100)

 

But I cannot ping anything else from awayPC to anything else on 192.168.2.0/24, only the unRAID address (192.168.2.100)

 

 

 

Any ideas?

Edited by mikefallen

Your ZT clients are not part of your home network. So creating routes in ZT-central is just half the thing...you must also tell your home router that the gateway to your ZT network is the IP of the ZT docker in your unRAID box.

 

Edit: ...and that the ZT gateway applies to routes to your away network(s) as well.

Edited by Ford Prefect

@mikefallen You likely have a wrong understanding of how ZT works. It creates its own "virtual" network. Devices that are part of this network are accessible to each other using ZT IP addresses and work like they are in their own network. So, your awayPCzt is able to access unRAIDzt using the ZT IP address (172.22.0.100) and reverse - that's what ZT gives you and looks like it's working.

ZT installed on one host doesn't bring your whole home network into the Zerotier virtual network and doesn't merge them into one network, it brings only this one device into it. ZT installed on one network host thankfully can't expose all devices in this network outside and can't reroute traffic from other local hosts outside. Imagine buying a smart bulb that after turning on just automatically tunnels all your traffic from all your devices in the network to some third party server?

What you want could be achievable by changing settings of your router, but I definitely wouldn't recommend doing it. If you want to access some other devices in your network - use a browser (which will see your home network) installed on your ZT server that you access using the ZT IP address or ssh / make an ssh port forwarding to your ZT server and from that server you can ssh / access other devices in your home network.

Edited by Dmitry Spikhalskiy
10 minutes ago, Dmitry Spikhalskiy said:

@mikefallen I'm not sure if you got how ZT works. It creates its own "virtual" network. Devices that are part of this network are accessible to each other using ZT IP addresses. So, your awayPCzt is able to access unRAIDzt using the ZT IP address (172.22.0.100) and opposite - that's what ZT gives you and looks like it's working.

ZT installed on one machine doesn't bring your whole home network into the Zerotier virtual network, it brings only this one device into it. ZT installed on one network host thankfully can't expose all devices in this network outside and can't reroute traffic from other local hosts outside. Imagine buying a smart bulb that after turning on just automatically tunnels all your traffic from all your devices in the network to some third party server?

What you want could be achievable by changing settings of your router, but I definitely wouldn't recommend doing it. If you want to access some other devices in your network - use a browser (which will see your home network) installed on your ZT server that you access using the ZT IP address or ssh / make an ssh port forwarding to your ZT server and from that server you can ssh / access other devices in your home network.

Pretty sure Ford is right, I just need to add a static route on my LAN router pointing back to the zerotier network.

 

This github issue might give you a better idea https://github.com/zerotier/ZeroTierOne/issues/805


@mikefallen Yeah, if it's really what you want to do - it should work.

1. "Pretty sure Ford is right i just need to add a static route on my lan router pointing back to the zerotier network." Adding a static route on your router will make Zerotier hosts available for your local hosts.

2. "setup ZeroTier on my openwrt router at home." This will bring your router to the ZT network and you will be able to add a static rule to your ZT network setup where to route your requests from ZT network for local network IP addresses, so it will expose your local network IPs to the ZT hosts.

 

For what you describe "But i cannot ping anything else from awayPC to anything else on 192.168.2.0/24 only unRAID address (192.168.2.100)" you need to go by the second scenario, not the first one. But be mindful that if you do that, your Wi-Fi smart home lock for example will be exposed to any device added to your Zerotier network.

7 minutes ago, Dmitry Spikhalskiy said:

@mikefallen Yeah, if it's really what you want to do - it should work.

1. "Pretty sure Ford is right i just need to add a static route on my lan router pointing back to the zerotier network." Adding a static route on your router will make Zerotier hosts available for your local hosts.

2. "setup ZeroTier on my openwrt router at home." This will bring your router to the ZT network and you will be able to add a static rule to your ZT network setup where to route your requests from ZT network for local network IP addresses, so it will expose your local network IPs to the ZT hosts.

 

For what you describe "But i cannot ping anything else from awayPC to anything else on 192.168.2.0/24 only unRAID address (192.168.2.100)" you need to go by the second scenario, not the first one. But be mindful that if you do that, your Wi-Fi smart home lock for example will be exposed to any device added to your Zerotier network.

Yeah, that's what I'm trying to do. Basically right now I use openVPN; I like this solution better because it does not use a central server and peers can connect directly to each other.

18 hours ago, mikefallen said:

Pretty sure Ford is right i just need to add a static route on my lan router pointing back to the zerotier network.

 

...plus you need to add a route to your Away-Network with your local ZT-IP as gateway.

 

So in short:

- in zt central make IPs of unRAIDzt and AwayPCzt static

- in ZT central add a route to your Home-Network, with gateway = unRaidzt

- in ZT central add a route to your Away-Network, with gateway = AwayPCzt (note in order to completely access all clients on your Away-Network, this should be a router, not a PC)

- in router of your Home-Network add route to ZT-network, gateway =unRAID (note: not unRAIDzt !!)

- in router of your Home-Network add route to Away-Network, gateway = unRAIDzt 

Edited by Ford Prefect
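To see why the route in ZT Central alone is not enough and why the home router's gateway must be unRAID's LAN address rather than unRAIDzt (the setup opticon sketched at the top of the thread and Ford Prefect's list above), here is an added example, not code from the thread or from the ZeroTier project: a small Python routing simulator built from mikefallen's addresses. The ZeroTier prefix 172.22.0.0/16, the home router at 192.168.2.1 with a WAN link on 203.0.113.0/30, and a second LAN host at 192.168.2.50 are constructed assumptions. It traces the ICMP request and the reply hop by hop, so the "can ping unRAID but nothing else" symptom falls out of the model instead of having to be guessed at.

```python
# Added example: hop-by-hop routing simulator for the LAN-over-ZeroTier setup.
# Thread values: unRAID 192.168.2.100 / 172.22.0.100, awayPC 192.168.0.150 / 172.22.0.150.
# Constructed assumptions: ZT prefix 172.22.0.0/16, home router 192.168.2.1,
# LAN host 192.168.2.50, router WAN link 203.0.113.2/30 with upstream 203.0.113.1.
import ipaddress

ZT_NET = "172.22.0.0/16"       # assumed ZeroTier managed prefix
WAN_UPSTREAM = "203.0.113.1"   # ISP side, deliberately outside the modelled network


class Host:
    def __init__(self, name, interfaces, routes=(), forwards=False):
        self.name = name
        self.ifaces = [ipaddress.ip_interface(i) for i in interfaces]
        # static routes as (prefix, gateway); directly attached networks need no entry
        self.routes = [(ipaddress.ip_network(p), ipaddress.ip_address(g)) for p, g in routes]
        self.forwards = forwards  # net.ipv4.ip_forward on a Linux box

    def owns(self, ip):
        return any(i.ip == ip for i in self.ifaces)

    def on_link(self, ip):
        return any(ip in i.network for i in self.ifaces)

    def egress_ip(self, next_hop):
        return next((i.ip for i in self.ifaces if next_hop in i.network), None)

    def next_hop(self, dst):
        """Longest-prefix match; a directly attached destination is its own next hop."""
        if self.on_link(dst):
            return dst
        matches = [(n, g) for n, g in self.routes if dst in n]
        return max(matches, key=lambda m: m[0].prefixlen)[1] if matches else None


def owner_of(hosts, ip):
    return next((h for h in hosts.values() if h.owns(ip)), None)


def trace(hosts, src_name, dst, max_hops=8):
    """Forward one packet from src_name toward dst. Returns (delivered, path, reason)."""
    cur, path = hosts[src_name], [src_name]
    for _ in range(max_hops):
        if cur.owns(dst):
            return True, path, "delivered"
        if cur.name != src_name and not cur.forwards:
            return False, path, f"{cur.name} is not a router (ip_forward off)"
        nh = cur.next_hop(dst)
        if nh is None:
            return False, path, f"{cur.name} has no route to {dst}"
        if not cur.on_link(nh):
            return False, path, f"{cur.name}: gateway {nh} is not on a directly attached network"
        nxt = owner_of(hosts, nh)
        if nxt is None:
            return False, path, f"{cur.name}: next hop {nh} is outside the modelled network"
        path.append(nxt.name)
        cur = nxt
    return False, path, "hop limit exceeded (routing loop?)"


def ping(hosts, src_name, dst_ip):
    """A ping succeeds only if the request AND the reply find a path. Returns (ok, why)."""
    src, dst = hosts[src_name], ipaddress.ip_address(dst_ip)
    nh = src.next_hop(dst)
    src_ip = src.egress_ip(nh) if nh is not None else None
    if src_ip is None:
        return False, f"request: {src_name} cannot reach {dst}"
    ok, path, why = trace(hosts, src_name, dst)
    if not ok:
        return False, "request: " + why
    ok, back, why = trace(hosts, path[-1], src_ip)   # reply goes to the request's source IP
    if not ok:
        return False, "reply: " + why
    return True, " -> ".join(path) + "  |  " + " -> ".join(back)


def build_lab(router_zt_gateway=None, unraid_forwards=True):
    """router_zt_gateway: gateway the home router uses for ZT_NET (None = no such route)."""
    router_routes = [("0.0.0.0/0", WAN_UPSTREAM)]
    if router_zt_gateway:
        router_routes.append((ZT_NET, router_zt_gateway))
    return {
        "home_router": Host("home_router", ["192.168.2.1/24", "203.0.113.2/30"], router_routes, forwards=True),
        "unRAID": Host("unRAID", ["192.168.2.100/24", "172.22.0.100/16"],
                       [("0.0.0.0/0", "192.168.2.1")], forwards=unraid_forwards),
        "home_pc": Host("home_pc", ["192.168.2.50/24"], [("0.0.0.0/0", "192.168.2.1")]),
        # managed route 192.168.2.0/24 via unRAIDzt, as pushed by ZeroTier Central
        "awayPC": Host("awayPC", ["192.168.0.150/24", "172.22.0.150/16"],
                       [("192.168.2.0/24", "172.22.0.100")]),
    }


if __name__ == "__main__":
    scenarios = [
        ("ZT Central route only", build_lab()),
        ("plus router route via unRAID 192.168.2.100", build_lab("192.168.2.100")),
        ("router route via unRAIDzt 172.22.0.100 (wrong)", build_lab("172.22.0.100")),
        ("ip_forward off on unRAID", build_lab("192.168.2.100", unraid_forwards=False)),
    ]
    for label, lab in scenarios:
        print("==", label)
        for target in ("192.168.2.100", "192.168.2.50"):
            ok, why = ping(lab, "awayPC", target)
            print(f"  awayPC -> {target}: {'OK  ' if ok else 'FAIL'} {why}")
```

Running it shows the thread's symptom in the first scenario: the request to 192.168.2.50 arrives via unRAID, but home_pc sends its reply to its default gateway, which has no route for 172.22.0.0/16 and pushes it toward the ISP. Adding the router route with unRAID's LAN address as gateway fixes it; using unRAIDzt as the gateway fails because the router has no interface on that prefix, and turning ip_forward off on unRAID breaks everything except unRAID itself. The same exposure point Dmitry raised applies: once the router route exists, every member of the ZT network can reach every LAN host, so the ZT network's member authorization list becomes the access control for the whole LAN.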
