[Support] spikhalskiy - ZeroTier



Hi! Thank you for an easy to set-up app. 
Works a treat to connect my iOS devices to the unraid server shares with apps like Files and VLC.
 

I've encountered a problem though. When using a web browser on my iPhone and trying to open the unraid web UI with the ZeroTier IP address, I can't get past the login screen. It doesn't matter what user I try, it only comes back as invalid.

 

Any idea what's causing this? It would be nice to remote access the server UI as well as just the shares.

 

 


Link to comment
35 minutes ago, kim_sv said:

OK, but root didn't work either?!

Can you log into the webui from a web browser locally with root, or ssh into the server ok? If not, you should maybe google how to reset your root password. Can't remember the specifics right now. 

Link to comment
18 hours ago, strike said:

Can you log into the webui from a web browser locally with root, or ssh into the server ok? If not, you should maybe google how to reset your root password. Can't remember the specifics right now. 

Yes, no problem logging in as root to the webUI. Just realized that it's not possible to log in to the webUI with a user other than root. But I still couldn't log in to the webUI using root in iOS Safari over ZeroTier.

Link to comment
  • 2 weeks later...

I am having issues with this container. Specifically, it refuses to start. I have gone through this support thread, but it doesn't look like anyone else is having this issue. According to the log, "FATAL: cannot start ZeroTier One in container: /dev/net/tun not present." is displayed whenever the Zerotier container is started.

Link to comment
1 hour ago, Asmithcveg said:

I am having issues with this container. Specifically, it refuses to start. I have gone through this support thread, but it doesn't look like anyone else is having this issue. According to the log, "FATAL: cannot start ZeroTier One in container: /dev/net/tun not present." is displayed whenever the Zerotier container is started.

Did you install the container from CA? Do you run the container with "Privileged: ON"?

Link to comment
19 minutes ago, Dmitry Spikhalskiy said:

Did you install the container from CA? Do you run the container with "Privileged: ON"?

Yup! Installed it straight from community apps, and it is set to run with privileges.

 

Edit: I should also point out that no files, data, etc. is present within the appdata folder for this container.

Edited by Asmithcveg
Link to comment
33 minutes ago, Asmithcveg said:


> Edit: I should also point out that no files, data, etc. is present within the appdata folder for this container.

 

This is ok, Zerotier can't start to put anything there yet.

 

> Yup! Installed it straight from community apps, and it is set to run with privileges.

 

No idea in that case for now.

https://zerotier.atlassian.net/wiki/spaces/SD/pages/7536656/Running+ZeroTier+in+a+Docker+Container

Here is ZeroTier's explanation about /dev/net/tun and what should be done to have access to it.

 

I pass required parameters "--device=/dev/net/tun --cap-add=NET_ADMIN --cap-add=SYS_ADMIN" here in the configuration of the container published in CA: https://github.com/Spikhalskiy/docker-templates/blob/master/zerotier.xml#L40

And usage of these parameters is allowed by Privileged: ON.

 

You will have to debug your own configuration, I'm afraid, because the problem is probably local to your setup and probably your kernel configuration.

What does

ls -la /dev/net/tun

say if you run it in the server terminal?

Edited by Dmitry Spikhalskiy
Link to comment

That's what I figured sadly. The terminal returns "ls: cannot access '/dev/net/tun': No such file or directory"

 

Edit: I noticed I was still on version 6.8.2. I have now updated to 6.8.3 and the terminal command now returns "crw-rw-rw- 1 root root 10, 200 Apr 27 12:06 /dev/net/tun". I will see if the container works properly now.

 

Edit 2: Everything is working fine now. Thanks for your prompt response to my inquiry!

Edited by Asmithcveg
Link to comment
21 minutes ago, Asmithcveg said:

That's what I figured sadly. The terminal returns "ls: cannot access '/dev/net/tun': No such file or directory"

So, you probably want to switch the discussion into Unraid main support threads, because it's a problem with your Unraid linux kernel configuration most likely. Unraid should have this device mounted by default.

Some reference that could help:

https://unix.stackexchange.com/questions/501403/tun-module-loaded-but-openvpn-dev-net-tun-no-such-file-or-directory

I would examine:

grep CONFIG_DEVTMPFS /usr/src/<whatever you have here>/.config

and ensure that it's

CONFIG_DEVTMPFS=y
CONFIG_DEVTMPFS_MOUNT=y

(DEVTMPFS should auto-mount devices like /dev/net/tun)

 

Also I would at least try to do

rmmod tun
modprobe tun

to try to reload the module.

 

I think that the output of these commands could be useful for the Unraid support thread anyway.

 

Edited by Dmitry Spikhalskiy
Link to comment
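
The checks discussed in this exchange (device node present, the character device 10, 200 seen in the working ls output, the CONFIG_DEVTMPFS options, the tun module) gathered into one read-only script. This is an added example, not part of any post in the thread; the function names and status words are chosen here, and the kernel .config path has to be supplied by the user as the first argument.

```shell
#!/bin/sh
# Added example: read-only checks for the TUN device ZeroTier needs.
# Function names and status words are illustrative, not from the thread.

# Status of the device node: missing | not-chardev | wrong-devnum | no-access | ok
tun_node_status() (
    node=${1:-/dev/net/tun}
    if [ ! -e "$node" ]; then
        echo missing
    elif [ ! -c "$node" ]; then
        echo not-chardev
    # GNU stat prints major/minor in hex: 10, 200 -> "a c8"
    elif [ "$(stat -c '%t %T' "$node" 2>/dev/null)" != "a c8" ]; then
        echo wrong-devnum
    elif [ -r "$node" ] && [ -w "$node" ]; then
        echo ok
    else
        echo no-access
    fi
)

# Is the tun driver listed as a loaded module? (A built-in driver is not listed.)
tun_module_status() (
    if grep -q '^tun ' "${1:-/proc/modules}" 2>/dev/null; then
        echo loaded
    else
        echo not-listed
    fi
)

# Value of one option in a kernel .config-style file, or "unset".
kconfig_value() (
    val=$(sed -n "s/^$1=//p" "$2" 2>/dev/null | head -n 1)
    echo "${val:-unset}"
)

# Both options set to "y", as recommended in the post above.
devtmpfs_status() (
    if [ "$(kconfig_value CONFIG_DEVTMPFS "$1")" = y ] &&
       [ "$(kconfig_value CONFIG_DEVTMPFS_MOUNT "$1")" = y ]; then
        echo automount
    else
        echo no-automount
    fi
)

echo "node:   $(tun_node_status)"
echo "module: $(tun_module_status)"
# Pass the path of your kernel .config as the first argument to check it too.
if [ -n "${1:-}" ]; then echo "devtmpfs: $(devtmpfs_status "$1")"; fi
```

A result of "missing" together with "loaded" is the situation described in the linked Stack Exchange question: the driver is present but the node was never created.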
  • 4 weeks later...

@Dmitry Spikhalskiy I just installed the app and entered the network ID, but it's not showing up on the ZeroTier network. I have set up some PCs and they are working fine. Running in privileged mode and tried both host and bridge network. Any ideas?

Edit:

Never mind, got it working by creating a new network. Weird!

Edited by Aussybob
Link to comment

Thanks for this fantastic Docker, Dmitry!

I do have some questions, though.

My unRAID server is hosted at a friend's web agency here in Berlin, and is behind their firewall, accessible only by means of a VPN account they set up for me. It all works well for managing the server via its webUI, but to fully integrate my server into my network to be able to copy files to and from it, it hasn't been ideal.

When I first installed and configured your zerotier Docker a few years ago, everything worked like a charm, and my heart skipped a beat from happiness when I saw my unRAID server pop up in my Finder's Network on macOS. Then, one day, I couldn't see my unRAID in my network anymore and after spending a few days trying to check all of the parameters, without finding the culprit, I gave up and disabled the Docker.

Now that I have to travel a lot again, I am trying to get back to that glorious point, and have managed to get all my relevant computers (my iMac5K, MBP-2018, and unRAID) recognized as ONLINE in my.zerotier.com, but I can *not* see unRAID in my Finder's Network.

Shouldn't it be visible there if everything is configured correctly?

Once I leave my home-studio and work elsewhere, should all the computers I have configured at my.zerotier.com still appear in my Finder's Network?

In order to log into my unRAID's webUI, should I be able to do so via zerotier alone, or will the company VPN still be necessary to do so?

I'd really like to get back to the point of seeing my unRAID server and the iMac at my studio in my Finder's Network, like they did for a short while back then. Wonder what happened, and how to fix it. Any thoughts/advice from you and/or the community would be greatly appreciated.

Thanks again for all that you do!

Edited by tillkrueger
syntax corrections
Link to comment
  • 3 weeks later...
On 8/10/2018 at 3:02 PM, Dmitry Spikhalskiy said:

Hmmm. //tower works in your local network not because of a central DNS server.

https://www.systutorials.com/docs/linux/man/8-avahi-daemon/

The same avahi-daemon should announce your unRaid name in Zerotier network too. At least, I can access unRaid in Zerotier network using the same name I use in my local network. Maybe try to add ".local" to your domain name. I use "<servername>.local" for both local and Zerotier network as a domain.

This docker is great!  I’m able to access my Unraid box at <servername>.local when I’m at home but not when on a different network.  Is there some setting I need to adjust in the Docker to make this work through ZT?

Link to comment
  • 1 month later...

This used to be working for me, but recently stopped. I now see it stuck forever in REQUESTING_CONFIGURATION. Obviously something has changed, but I cannot for the life of me determine WHAT, and I don't know where to go next to debug.

 

/ # zerotier-cli info
200 info ca96d2e10c 1.4.6 OFFLINE
/ # zerotier-cli listnetworks
200 listnetworks <nwid> <name> <mac> <status> <type> <dev> <ZT assigned ips>
200 listnetworks 8056c2e21c000001  02:ca:96:ce:03:ce REQUESTING_CONFIGURATION PRIVATE ztmjfmfyq5 -
/ # zerotier-cli listpeers
200 listpeers <ztaddr> <path> <latency> <version> <role>
200 listpeers 34e0a5e174 - -1 - PLANET
200 listpeers 3a46f1bf30 - -1 - PLANET
200 listpeers 992fcf1db7 - -1 - PLANET
200 listpeers de8950a8b2 - -1 - PLANET

 

Link to comment
  • 1 month later...

Hello!

Just a noob 2 cents here.

After many hours spent trying to configure OpenVPN and the VPN from my Netgear, I can easily say this is the most user-friendly solution.

Thanks a lot for your work, I'll happily donate to your project.

Thanks a lot, you made my life easy, keep up the excellent work.

Link to comment

Has anyone had issues with using this with time machine on a mac? Time Machine is able to see the smb drive, and I'm able to select it to use it, but it's not able to sync. Well... after several retries and days, it was able to write 26 MB to it, out of 200 GB.

 

I was able to sync to Time Machine before without using ZeroTier if I was on the same network as unraid. I also connected an external hard drive to my computer and Time Machine was able to use it and fully back up within a few hours.

 

Any ideas?

Link to comment

I have 2 unRAID servers and I installed ZeroTier Dockers on both of them.  One of them, I can reach via LAN IP and ZT IP, one of them, I can only reach via ZT IP.

 

I'm kinda confused...lol  Anyone else have any experience with ZT?  I checked the networks settings and it all looks the same between the two.  Not sure what's going on...

Link to comment

Couldn't get into my one server so I shut down its ZT Docker.  Boom, can get back in via LAN IP.  No problem.

But I noticed that, once I did that, the one that I COULD get into via both only let me in through the ZT IP.  Had to kill the ZT docker on that one, too.  I think this is a ZT config issue...and I think I know what it is.

 

I had the managed routes setup as "LAN.IP/24 via ZT.IP" for all my ZT hosts.  I was thinking that I'd have to go in and do "LAN.IP via ZT.IP" but it won't let me do that.  So now I'm kinda back to square one...

Edited by rmp5s
Link to comment
  • 4 weeks later...

@Dmitry Spikhalskiy

Do you know why /mnt/user/appdata/zerotier/zerotier-one/networks.d/*.conf is updated every minute? This totally hinders disk spindown / sleep states.

 

I compared the recent file version with one that is 3 minutes old and the content is different. But what is so important that it needs to be updated every minute?


 

Or is this an issue which I should post at ZeroTier's GitHub page?

Link to comment
  • 1 month later...

I am trying to set up LAN-to-LAN access. But it constantly fails and I am running out of solutions.

 

I have 2 unraid servers with docker zerotier installed. Zerotier is working correctly. All peers can connect to other peers. In this network, I have 3 peers, 2 servers and my laptop with zerotier installed. Then I have dozen of computers, routers, NAS and printers on each LAN.

 

Each server is in a private LAN. 10.10.20.x and 10.10.10.x

10.10.20.10 is the server running docker in the LAN 10.10.20.x

10.10.10.10 is the server running docker in the LAN 10.10.10.x

My laptop is also in 10.10.10.x (the weekend) or 10.10.20.x (during the week). And sometimes during the week connected on external network (cell phone or private wifi).

 

My problem is that I can only connect to servers, and not to peers in LAN.

On both servers I have enabled IP forwarding and updated iptables as follows:

 

PHY_IFACE=eth0; ZT_IFACE=ztmjfbsomh
iptables -t nat -A POSTROUTING -o $PHY_IFACE -j MASQUERADE
iptables -A FORWARD -i $PHY_IFACE -o $ZT_IFACE -j ACCEPT
iptables -A FORWARD -i $ZT_IFACE -o $PHY_IFACE -j ACCEPT
 

The ZT_IFACE is the name of my net adapter, and it is the same name on the 2 servers.

 

For example, when I try to ping my WAN router of the LAN 10.10.20.1:

failed from 10.10.10.10

failed from 10.10.10.160

works from 10.10.20.10 (of course, in the same LAN, no zerotier)

 

When I ping the ZeroTier server of the LAN 10.10.20.1:

works from 10.10.10.10

works from 10.10.10.160

 

So both servers are interconnected successfully on the ZeroTier network. And from my laptop I can successfully access the unraid HTTP interfaces.

Only LAN access is not working. ZeroTier works well to interconnect peers that have ZeroTier running on them.

What am I missing?

Zerotier dockers are running on host network.

 

Please help.

 


Link to comment

Not sure why you enabled NAT on eth0 of your server, when there is already a WAN gateway (that should do that).

 

...for site-2-site routing, you need to add corresponding routes to either side, not just enabling/unblocking the firewall between interfaces.

For all LAN clients to use this, this configuration should be done on the main gateway of each LAN, aka the WAN router.

Each client will use its default gateway to address traffic outside its own network, which is the WAN router (or whatever is configured via DHCP anyway).

 

So, like you did in zerotier-central configuration, add a corresponding route on each side.

You'll need two routes.

  1. enable the route to your network in zerotier central (192.168.191.0/24 with gw 10.10.10.10, and 10.10.20.10 on the other LAN)
  2. enable the route from 10.10.20.0/24 to 10.10.10.0/24: add a route to 10.10.10.0/24 with gw 192.168.192.x (where x is the IP of your zt interface on 10.10.20.10)... do likewise on the other side/server.

...and allow traffic for "inside-LANs" to pass through the WAN router's firewall (no NAT), like you did on the unraid servers (there, you do not need/want this).

But since you enabled NAT on eth0 of your servers, maybe they are the WAN interfaces in your network?

Link to comment
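
Why a ping to the other LAN goes nowhere until the gateway has a route for it, shown as an added example that is not part of any post in the thread. It does a longest-prefix match over "ip route show"-style lines; the tables are constructed, the router address 10.10.10.1 and upstream 203.0.113.1 are assumed, and the added route's next hop (the local ZeroTier host 10.10.10.10) is also an assumption.

```shell
#!/bin/sh
# Added example: which next hop does a routing table pick for a destination?
# Tables below are constructed; 10.10.10.1 and 203.0.113.1 are assumed addresses.

ip_to_int() (
    IFS=.
    set -- $1
    echo $(( ($1 << 24) + ($2 << 16) + ($3 << 8) + $4 ))
)

# next_hop DEST TABLE -> gateway address, "direct" (on-link) or "unreachable".
# TABLE holds "ip route show"-style lines; the longest matching prefix wins.
next_hop() (
    dest=$(ip_to_int "$1")
    best_len=-1
    best=unreachable
    while read -r prefix rest; do
        if [ -z "$prefix" ]; then continue; fi
        if [ "$prefix" = default ]; then prefix=0.0.0.0/0; fi
        case $prefix in */*) len=${prefix#*/} ;; *) len=32 ;; esac
        if [ "$len" -eq 0 ]; then mask=0
        else mask=$(( (4294967295 << (32 - $len)) & 4294967295 )); fi
        net=$(ip_to_int "${prefix%/*}")
        if [ $(( $dest & $mask )) -ne $(( $net & $mask )) ]; then continue; fi
        if [ "$len" -le "$best_len" ]; then continue; fi
        best_len=$len
        case " $rest" in
            *" via "*) hop=${rest#*via }; best=${hop%% *} ;;
            *) best=direct ;;
        esac
    done <<EOF
$2
EOF
    echo "$best"
)

# WAN router of LAN 10.10.10.x before and after adding the site-to-site route
# (assumed next hop: the local ZeroTier host 10.10.10.10).
GW_BEFORE='default via 203.0.113.1 dev wan0
10.10.10.0/24 dev lan0 proto kernel scope link src 10.10.10.1'
GW_AFTER="$GW_BEFORE
10.10.20.0/24 via 10.10.10.10 dev lan0"

echo "before: 10.10.20.1 -> $(next_hop 10.10.20.1 "$GW_BEFORE")"
echo "after:  10.10.20.1 -> $(next_hop 10.10.20.1 "$GW_AFTER")"
```

Before the route is added, traffic for 10.10.20.1 leaves through the default route towards the internet; afterwards it is handed to the ZeroTier host.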
