[Support] spikhalskiy - ZeroTier



On the server 10.10.10.10, those routes already exist

Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
default         GEN8            0.0.0.0         UG    0      0        0 br0
10.10.10.0      0.0.0.0         255.255.255.128 U     0      0        0 shim-br0
10.10.10.0      0.0.0.0         255.255.255.0   U     0      0        0 br0
10.10.10.128    0.0.0.0         255.255.255.128 U     0      0        0 shim-br0
10.10.20.0      Tower-2.local   255.255.255.0   UG    0      0        0 ztmjfbsomh
172.17.0.0      0.0.0.0         255.255.0.0     U     0      0        0 docker0
172.18.0.0      0.0.0.0         255.255.0.0     U     0      0        0 br-853fe7d63fa3
172.19.0.0      0.0.0.0         255.255.0.0     U     0      0        0 br-312be3d41a1c
192.168.191.0   0.0.0.0         255.255.255.0   U     0      0        0 ztmjfbsomh

 

So we can see that the route to 10.10.20.x exists, and the route to 192.168.191.x. Flag G (gateway) on 10.10.20.x means IP packets are redirected to the ZeroTier interface.

 

on 10.10.20.10:

root@Tower:~# route
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
default         livebox.home    0.0.0.0         UG    0      0        0 br0
10.10.10.0      Tower.local     255.255.255.0   UG    0      0        0 ztmjfbsomh
10.10.20.0      0.0.0.0         255.255.255.0   U     0      0        0 br0
172.17.0.0      0.0.0.0         255.255.0.0     U     0      0        0 docker0
172.18.0.0      0.0.0.0         255.255.0.0     U     0      0        0 br-83a6ea76a1ec
192.168.191.0   0.0.0.0         255.255.255.0   U     0      0        0 ztmjfbsomh

 

AFAIK, it looks good on that part.

I am not sure about masquerading either. If I remember my telco studies well (and I am a telco engineer but never worked in telco :))...it should not be required.

 


What IP is "Tower-2.local", can you issue the route command with "-n" parameter, please?

Your default route is your local WAN router, "livebox.home". Is this device also handing out IP via DHCP for other clients in 10.10.10.0/255.255.255.128 and 10.10.10.128/255.255.255.128?

Even if routes exist on your unraid servers, in order to connect a complete network, each client needs to know the route to 10.10.20.x and 192.168.191.x ... as they do not, they use their default gw, which is livebox.home....is it not?

 

Network #1:

  • WAN Router, local IP 10.10.10.1 (possibly, "livebox.home")
  • Server #1, local IP 10.10.10.10
  • client #1, local 10.10.10.103 (via dhcp from WAN Router, possibly)
  • default gateway in this network: 10.10.10.1 
  • So each client will forward to livebox.home (their default gw) when trying to reach anything outside 10.10.10.x
  • therefore livebox.home needs the routes to 192.168.191.x (which is 10.10.10.1) and 10.10.20.x (which is 192.168.191.x-on-tower-2)
Edited by Ford Prefect

You are totally right if I want to completely interconnect both LANs. And I will try to do it, you gave me a very interesting idea :)

 

But in my case, I just want to access devices on the remote LAN, such as printers, NAS, routers etc., from my laptop (with the zerotier cli).

For sure, if remote devices on 10.10.20.x want to connect to me (and they have no zerotier client running), routes must be set properly to pass through a peer with the zerotier interco.

 

For example, Tower2 is 10.10.20.10 and has an openvpn server (docker).

If I connect with open vpn client from my laptop (on 10.10.10.xxx) to tower 2 (10.10.20.10)... I can access ALL devices on the LAN 10.10.20.x.

If I use ZeroTier, only the server is accessible.

 

Apparently many people get it to work properly, but not me... and I really wonder what I am missing.

 

23 hours ago, tapodufeu said:

You are totally right if I want to completely interconnect both LANs. And I will try to do it, you gave me a very interesting idea :)

OK, my bad... I actually thought that this was your usecase ;-)

 

23 hours ago, tapodufeu said:

But in my case, I just want to access devices on the remote LAN, such as printers, NAS, routers etc., from my laptop (with the zerotier cli).

For sure, if remote devices on 10.10.20.x want to connect to me (and they have no zerotier client running), routes must be set properly to pass through a peer with the zerotier interco.

  ...but this still is what they (printer, smart-bulb) "want" to do once you open a connection to them...IP packets returning from them to you will need a path back into zt-central.

Your laptop with zt-interface up&running is connected to ZT-central.

ZT-central will/can provision the routes you configured back to the zt-client on the laptop.

  1. I think you will have to enable the propagation of routes in the zt-client or in zt-central...somewhere.
  2. I believe, this will only work, if your Laptop is connected to a third network, like guest WLAN with internet access in a hotel, outside of site#1.

Another service on the remote site#2 will receive a connection from an IP out of your zt-pool. This service, if not "inside" your unraid server#2, will need a route to the zt-central network....if this service is a physical printer, for example, it is outside of unraid-server#2 and will only know the route to the default-gw on the network at site#2, not unraid#2 as gw to the zt-central network.

 

This usecase I use a lot myself when abroad...works like a charm...but I have configured my router (livebox.home) to forward traffic to my own zt-central-network via my unraid-zt-interface. I also chose to allocate a separate VLAN for the ZT-network inside my premises, which makes it easier inside my setup, but this is not a must.

 

Sorry if this is confusing...English is not my native tongue. I still think you do not have a route in your local LAN to your zt-central-network and that is why this only works for services on your unraid-box, where the zt-interface resides. unraid will simply forward between local interfaces anyway.

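As an added example (not from this thread), a small Python script that parses `route -n` output like the tables posted above and reports, for each remote prefix, whether a host has a specific route or would hand the packet to its default gateway, which is exactly the gap described for plain LAN clients. The two tables are constructed samples; 192.168.191.20 is an assumed ZeroTier address standing in for Tower-2.local.

```python
import ipaddress

# Constructed sample tables in `route -n` form (numeric gateways, as asked for
# in the thread). The server table mirrors the one posted for 10.10.10.10;
# 192.168.191.20 is an ASSUMED ZeroTier address standing in for Tower-2.local.
SERVER_ROUTE_N = """\
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
0.0.0.0         10.10.10.1      0.0.0.0         UG    0      0        0 br0
10.10.10.0      0.0.0.0         255.255.255.0   U     0      0        0 br0
10.10.20.0      192.168.191.20  255.255.255.0   UG    0      0        0 ztmjfbsomh
192.168.191.0   0.0.0.0         255.255.255.0   U     0      0        0 ztmjfbsomh
"""

# A plain LAN client (laptop, printer) that only knows what DHCP gave it.
CLIENT_ROUTE_N = """\
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
0.0.0.0         10.10.10.1      0.0.0.0         UG    0      0        0 eth0
10.10.10.0      0.0.0.0         255.255.255.0   U     0      0        0 eth0
"""

REMOTE_PREFIXES = ["10.10.20.0/24", "192.168.191.0/24"]


def parse_route_n(text):
    """Turn `route -n` output into a list of (network, gateway or None, iface)."""
    routes = []
    for line in text.splitlines()[2:]:          # skip the two header lines
        cols = line.split()
        if len(cols) < 8:
            continue
        dest, gateway, genmask, flags, iface = cols[0], cols[1], cols[2], cols[3], cols[7]
        network = ipaddress.ip_network(f"{dest}/{genmask}", strict=False)
        # Only routes flagged G go through a gateway; the rest are on-link.
        routes.append((network, gateway if "G" in flags else None, iface))
    return routes


def next_hop(routes, dst):
    """Longest-prefix match, as the kernel does it: (prefix, gateway, iface)."""
    addr = ipaddress.ip_address(dst)
    best = None
    for network, gateway, iface in routes:
        if addr in network and (best is None or network.prefixlen > best[0].prefixlen):
            best = (network, gateway, iface)
    return (str(best[0]), best[1], best[2]) if best else None


def route_report(routes, prefixes=REMOTE_PREFIXES):
    """For each remote prefix say whether the host has a specific route or
    would hand the packet to its default gateway (which then needs the route)."""
    report = {}
    for prefix in prefixes:
        hit = next_hop(routes, str(ipaddress.ip_network(prefix)[1]))
        if hit is None:
            report[prefix] = "unreachable"
        elif hit[0] == "0.0.0.0/0":
            report[prefix] = f"default gateway {hit[1]} must know this route"
        else:
            report[prefix] = f"via {hit[2]}"
    return report


if __name__ == "__main__":
    for name, table in (("server", SERVER_ROUTE_N), ("client", CLIENT_ROUTE_N)):
        print(name, route_report(parse_route_n(table)))
```

Run it against the real `route -n` output of each box: any remote prefix that resolves to the default gateway is one the WAN router (or a static route on that client) has to carry.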
23 hours ago, tapodufeu said:

For example, Tower2 is 10.10.20.10 and has an openvpn server (docker).

If I connect with open vpn client from my laptop (on 10.10.10.xxx) to tower 2 (10.10.20.10)... I can access ALL devices on the LAN 10.10.20.x.

If I use ZeroTier, only the server is accessible.

...this is maybe because the openVPN interface on unraid is using NAT to the inside LAN? For devices in the LAN, packets appear to originate from your unraid box, not from the transfer-network. Or it is even handing out IPs of your original LAN.

Zerotier is a real LAN and you need proper routing, using zt-central-network as "transfer net".


Thanks for your feedback. I understand my issue now. You are totally right, this is the NAT feature of openvpn. I tried disabling it, and then it is exactly like zerotier.

 

So when I am at home, with just the fiber modem router from my ISP, (no advanced routing inside), openvpn is my only option, with NAT included in the openvpn server I can do what I want.

 

It would be a great option to add a "kind of admin" access with zerotier with NAT included... I would then completely remove openvpn and just use zerotier only.

This is exactly the kind of option that devops or infra managers need. For example, since March, with covid, not every day hopefully, I connect to and change VPNs maybe 30 times per day!!

 

 

 

 

 


...you can add your own router as a VM on your unRaid box.

There are pfsense/opnsense, openwrt or mikrotik CHR (free version only 100mbps) available to do just that.

All do support virtio-NICs or you could passthrough a set of physical adapters, like a Quad-NIC and attach all to a managed switch, that supports VLANs.

You could enable GRE/EoIP tunnels across your sites....or ZT-Central based network interfaces.

 

No VPN, but real LAN-to-LAN scenarios are possible that way.

No need to tinker with your ISP modem/router box.

Edited by Ford Prefect

Ever since the update to 1.6.2, my unRAID machine no longer joins my ZT network, and when I try to debug inside the container, I get errors from the zerotier-cli tool:

 

zerotier-cli info
zerotier-cli: /usr/lib/libstdc++.so.6: no version information available (required by zerotier-cli)
zerotier-cli: /usr/lib/libstdc++.so.6: no version information available (required by zerotier-cli)
zerotier-cli: /usr/lib/libstdc++.so.6: no version information available (required by zerotier-cli)
zerotier-cli: /usr/lib/libstdc++.so.6: no version information available (required by zerotier-cli)
zerotier-cli: /usr/lib/libstdc++.so.6: no version information available (required by zerotier-cli)
zerotier-cli: /usr/lib/libstdc++.so.6: no version information available (required by zerotier-cli)
zerotier-cli: /usr/lib/libstdc++.so.6: no version information available (required by zerotier-cli)
zerotier-cli: /usr/lib/libstdc++.so.6: no version information available (required by zerotier-cli)
zerotier-cli: /usr/lib/libstdc++.so.6: no version information available (required by zerotier-cli)
zerotier-cli: /usr/lib/libstdc++.so.6: no version information available (required by zerotier-cli)
zerotier-cli: /usr/lib/libstdc++.so.6: no version information available (required by zerotier-cli)
zerotier-cli: /usr/lib/libstdc++.so.6: no version information available (required by zerotier-cli)
zerotier-cli: /usr/lib/libstdc++.so.6: no version information available (required by zerotier-cli)
200 info XXXXXXXXXXX 1.6.2 OFFLINE

I have tried deleting the container and reinstalling from CA, but it comes back with the same issue.

 

Rolling back to spikhalskiy/zerotier:1.4.6 has fixed the issue for now.

Edited by technorati
4 hours ago, technorati said:

Ever since the update to 1.6.2, my unRAID machine no longer joins my ZT network, and when I try to debug inside the container, I get errors from the zerotier-cli tool:

 



"no version information available" messages are fine, you can ignore them, it's not what causes the issue.


 

Application Name: ZeroTier

Application Site: https://www.zerotier.com/

Docker Hub: https://hub.docker.com/r/spikhalskiy/zerotier/

Github Docker: https://github.com/Spikhalskiy/zerotier-unraid-docker

Templates Repo: https://github.com/Spikhalskiy/docker-templates

 

 

This works very well on my Optus wireless broadband which is double NAT, if anyone else is interested :)

Edited by Wozzagonebush

Hi, thank you for this container. ZT looks very promising. 

 

I've been able to connect to RDP using ZT from my home PC to a remote PC. I have Apache Guacamole, which is an RDP client that runs as a webserver on my unraid server in bridged mode; however, I cannot connect via Apache Guac to ZT PC clients on the same LAN or remote networks for some reason. Would it be correct to assume that ZT needs to be installed in the individual Apache Guacamole container for me to be able to connect to the ZT network? PC -> PC RDP through ZT works fine, it's just when I use Apache Guac I begin to run into connection problems. Appreciate the help.

 

Edit: 

 

After doing some testing, I managed to get this to work with some modifications. In the docker container that you wish to connect to your zerotier network, you can use the docker install script they show on their website and join the network within the container. You can also tunnel a second docker container through this zt docker container by using the extra parameters setting with "--net=container:zerotier" under advance settings. You also have to set the network option to none on the tunneled container. On a side note, apache guac will not connect to a RDP computer without a password, even though the windows RDP client can. 

Edited by akeid
On 12/10/2020 at 6:48 PM, technorati said:

Ever since the update to 1.6.2, my unRAID machine no longer joins my ZT network, and when I try to debug inside the container, I get errors from the zerotier-cli tool:

 



Hello, I have something wrong like this. The difference is that it displays online, but it's offline in ZeroTier central.


Hello, I've been trying to use this to run a VLAN for a Valheim gaming server using ich777's docker container. I'd like to apologize in advance for being generally uneducated about networking. Please correct me if I'm wrong but folks should be able to join the server after connecting to my ZeroTier using my local address for my Unraid server? I've been having trouble getting people to connect.

On 12/10/2020 at 3:48 AM, technorati said:

Ever since the update to 1.6.2, my unRAID machine no longer joins my ZT network, and when I try to debug inside the container, I get errors from the zerotier-cli tool:

 



I'm getting these error messages too, except mine does connect. Although yesterday the internet went out for a few hours, and when it came back I had to restart the container for it to connect, so I checked the logs.


Hey thanks for this great write up and template. I'm having some issues and I'm not sure of the root of the problem. I've got the container started, added to my zt network and authorized. However I am unable to ping via the ZT IP address. I'm able to ping other devices on my zt network but not my unraid server when trying from my mac remotely but connected to the ZT network. I do have some devices on different subnets so I'm wondering if my routing is the issue. On the unraid side do I need any static routes set to work or just on the zerotier central side? I currently have a managed network for each LAN subnet via a ZT device that is located on the same internal subnet. Is that the right methodology? 

 

ex:

unraid LAN IP: 192.168.1.6

ZT IP: 10.244.27.6

 

route: 192.168.1.0/24>10.244.27.6

 

etc for other subnets

 

Edit: Got it figured out. Went into the unraid shell and found that the ZT network adapter hadn't picked up the IPv4 IP address. I restarted the container and it picked up the IP I picked. Then I set the static route accordingly

 

route: 10.244.0.0/24>zt adapter

 

then i was able to access unraid server

Edited by IxsharpxI

So mine says joined and does not error out - but it never shows up in the zerotier interface to approve

Any way to pull the name of this one so I can whitelist it manually in the zerotier interface?

 

EDIT: When I change to bridge it changes to online but still doesn't work 

Under host it says 
200 info xxxxxxxxx  1.6.2 OFFLINE

 

Edited by mcrommert

So I'm rereading this topic for the 7th time in 7 days with no end in sight. My main goal is to open Plex for friends with granular control.

 

A handful of good friends are parents now too and as they discovered my Kids Video Collection (damn those VHS rips) they'd love to be able to give their kids those programs too instead of the utter BS that's running on TV nowadays.

 

I have pfsense/baremetal running 12vlans and a 100/60 connection.

 

VLAN 3 (10.1.30.0/24) is the Vlan where my Plex Servers reside (10.1.30.1 & 10.1.30.2). On the same Vlan there are 2 Steam Machines (10.1.30.40 & 10.1.30.41) I'd also like to 'share'.

 

My ZT resides in above Vlan3 (10.1.30.249), and with this Docker I'd just want to share Plex/Steam.

 

To my understanding it would be possible to use ZT for multiple Vlans, but for simplicity I'd rather start with one Vlan properly set-up 😅

 

As said above I read the entire thread couple of times, especially the posts of @Ford Prefect

about adding routes, but: I intend to only add certain hosts from the Vlan, not the entire network.

 

Where do the routes have to go? Only ZT-Central? Or do I need to tweak pfsense/vlan-rules too?

 

I'm at a loss and every help is much appreciated! Especially how the routes should look like as I had a HARD time setting pfsense up.. 🤣

 

Kind regards,

Hank

Edited by Hank Moody
