Dmitry Spikhalskiy

[Support] spikhalskiy - ZeroTier


5 hours ago, RSQtech said:

My background is in emergency medicine, and I do the tech stuff as relief from all the drama I deal with daily.

 

My background is in tech stuff; maybe I should start dabbling in emergency medicine as stress relief from all the drama I deal with daily. 

 

How does one go about picking up emergency medicine as a hobby?

Edited by Hoopster

1 minute ago, Dmitry Spikhalskiy said:

You're not wrong, lol... I work as an EMT for a high-volume 911 system and am in school to get my paramedic. There is only so much blood one can deal with before they have to go and debug their server for peace of mind.


So, yesterday I had the honor of speaking to Dmitry via Hangouts to help me diagnose my feeble attempt at installing his docker... Now, mind you, on a 10-point scale of computer background I am currently at a 4.7, but Dmitry was able to push that to a 5.

 

So here are the questions I had and how I decrypted them into something a novice like me could understand.

 

I had issues with IP addresses and how they relate to my home network.

 

Q: "Should I change the routing manager to reflect my internal IP?"

 

A: No, ZT creates a fake network internally for its own use. If your home IP range is 192.168.1.0/24, then the routing manager in ZT will create an IP range (see top left of your network manager), and that will be what's assigned to your off-network device. So mine would be 172.xxx.xxx.0/24, and that range is what I would use to access my drives and servers at home.

 

Once I understood this, the dim lightbulb sparked back to life and everything else fell into place!

 

Thanks Dmitry for your time

 


Dmitry

 

I have two installations of FreePBX... can I use ZT on them? One is Debian-based, the other is Scientific Linux.


@RSQtech Hi! Yeah, why not. You have two options:

1) You can install ZT directly on Linux; follow https://www.zerotier.com/download.shtml, section "Linux (DEB and RPM distributions)". Likely the simplest way, the one with "curl -s https://install.zerotier.com/ | sudo bash", should work for you. After that you will need to start the ZT client and join the network, that's it. You should find the Linux ZT client in "/var/lib/zerotier-one" after installation; the CLI is pretty straightforward. Could be helpful: https://www.zerotier.com/manual.shtml#4

2) You can utilize the same docker image I made for this unRaid template, which starts ZT. You should be able to do something like "docker run --device=/dev/net/tun --net=host --cap-add=NET_ADMIN --cap-add=SYS_ADMIN -d -e NETWORK_ID='<NETWORK_ID>' -v /var/lib/zerotier-one:/var/lib/zerotier-one --name zerotier spikhalskiy/zerotier". Of course, you need to have Docker on these machines.

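The "start the client and join the network" part of option 1, as an added example that is not code from the post above, the docker image or the ZeroTier project: a POSIX shell script that validates the network ID, joins, and then polls `zerotier-cli listnetworks` until the controller has authorized the node. It assumes zerotier-one is installed and running, that `zerotier-cli` is on PATH, and that `listnetworks` prints the 1.2.x line format `200 listnetworks <nwid> <name> <mac> <status> <type> <dev> <ZT assigned ips>` (the header line the CLI itself prints), so the status is read as the fourth field from the end. One practitioner's note on the install step itself: "curl ... | sudo bash" runs whatever the server returns as root without a chance to look at it; saving the script to a file and reading it before running it costs a minute and removes that blind spot.

```sh
#!/bin/sh
# Added example, not code from the original post, the docker image or the
# ZeroTier project: join one or more ZeroTier networks on a plain Linux host
# and wait until the controller has authorized this node.
# Assumptions: zerotier-one is installed and running, `zerotier-cli` is on
# PATH, and `zerotier-cli listnetworks` prints one line per network in the
# 1.2.x format
#   200 listnetworks <nwid> <name> <mac> <status> <type> <dev> <ZT assigned ips>
set -eu

# A network ID is 16 hex digits (e.g. b4da7454b271902c). Refuse anything else
# before it reaches zerotier-cli, so a typo cannot join a stranger's network.
validate_nwid() {
    printf '%s' "$1" | grep -Eq '^[0-9a-fA-F]{16}$'
}

# Pull the status column for one network out of listnetworks output. The
# status is read as the fourth field from the end (status type dev ips), so a
# network name containing spaces does not shift it. Prints nothing if the
# network is not listed, e.g. before `join` has been called.
network_status() {
    nwid="$1"
    listing="$2"
    printf '%s\n' "$listing" |
        awk -v id="$nwid" '$1 == "200" && $2 == "listnetworks" && $3 == id { print $(NF-3) }'
}

# Join a network and poll until it is OK, or give up after timeout_s seconds.
# ACCESS_DENIED is the expected state on first join: it clears once the node
# is ticked as authorized under Members in the controller UI.
join_and_wait() {
    nwid="$1"
    timeout_s="${2:-120}"
    validate_nwid "$nwid" || { echo "invalid network id: $nwid" >&2; return 2; }
    zerotier-cli join "$nwid" >/dev/null
    waited=0
    status=""
    while [ "$waited" -lt "$timeout_s" ]; do
        status=$(network_status "$nwid" "$(zerotier-cli listnetworks)")
        if [ "$status" = "OK" ]; then
            echo "$nwid OK"
            return 0
        fi
        sleep 5
        waited=$((waited + 5))
    done
    echo "$nwid not authorized after ${timeout_s}s (last status: ${status:-none})" >&2
    return 1
}

# Usage: ./zt-join.sh <NETWORK_ID> [<NETWORK_ID> ...]
# Several IDs join several networks on the same node. With no arguments the
# script only defines the functions, so it can be sourced from other scripts.
if [ "$#" -gt 0 ]; then
    rc=0
    for id in "$@"; do
        join_and_wait "$id" || rc=1
    done
    exit "$rc"
fi
```

Passing more than one ID joins the node to several networks at once, which is also how one host serves two networks (one for your own devices, one for other users) without any change to the container. A non-zero exit means at least one network never reached OK; the usual cause is simply that nobody has ticked the Auth box for the new node yet.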

First, thanks. I love ZeroTier. I appreciate your efforts to build and maintain this Docker image. In your CLI example

./zerotier-cli listnetwork

 should be 

./zerotier-cli listnetworks

per the help file 

Available commands:
  info                    - Display status info
  listpeers               - List all peers
  listnetworks            - List all networks
...

Second, any chance you can find some time to upgrade the version to 1.2.8?

 

Great work Dmitry.

Edited by argonaut


@argonaut Yeah, it's a typo, thanks for pointing out!

About 1.2.8 - currently my docker image uses the official dockerized ZeroTier image zerotier/zerotier-containerized as its parent, and that currently has version 1.2.4 inside.

My thoughts here:

1) I decided to keep things simple and transparent to the community and use the official image as a reference, so everybody could simply verify that my modifications don't do anything bad in docker run in "privileged" mode.

2) I reviewed the changes that version 1.2.8 includes and 1.2.4 doesn't, and I didn't find anything really important for Linux. But I didn't do it very thoroughly.

So, if there is any significant reason to upgrade, like anybody really needing something from the new version - yeah, we can do that. If not, I would prefer to stay on the current version for the described reasons.

Edited by Dmitry Spikhalskiy


@Dmitry Spikhalskiy I don't have a specific fix in either 1.2.8 or 1.2.10 that I need. Everything is working fine. I was just hoping to maintain the same version across all my zerotier installs. If you are dependent upon an upstream source that's totally cool. Less work for you. Thanks for the quick reply.

Edited by argonaut


So, is there no way to get this to act as a normal VPN and run all traffic through the connection? Only good for device-to-device connections and pools? Enabling default route on my phone changes nothing, it appears.


@1812 No, it creates a "local" network to communicate between your devices and it works effectively in peer-to-peer mode - if possible, your devices will talk directly without an additional VPN server in the middle. But it's not a solution for encrypting or tunnelling traffic between you and any other host on the internet, and it's not a VPN replacement for this goal.


while I do have a use for it in p2p, it's so close to being super awesome..... it's just ok awesome as is.


Thank you for this.

 

I have a question. Given that account info is hosted by them, how secure is this? Will some admin at ZT be able to log in to my network?

 

h.


@hernandito You could set up your own "controller" and "moon nodes" and create your own full infrastructure basically. Nothing stops you, everything is open source - in that case, you will need to care about the security of your own controller, but it will remove other admins from the system. If you go with a default infrastructure - yeah, members of your network can be theoretically "authorized" by anybody who has an admin access to the public controller.

 

Edited by Dmitry Spikhalskiy


I think that it will seriously jeopardize their business if they try to access their customers' networks without consent.

 

Any peer-to-peer communication runs directly without the ZeroTier host in the middle, they won't see your traffic.

 


I see that someone is attempting to build a ZeroTier controller module for pfSense..... that would be great for me. Currently very alpha though.

On 6/5/2018 at 2:48 AM, Dmitry Spikhalskiy said:

Application Name: ZeroTier

Application Site: https://www.zerotier.com/

Docker Hub: https://hub.docker.com/r/spikhalskiy/zerotier/

Github Docker: https://github.com/Spikhalskiy/zerotier-unraid-docker

Templates Repo: https://github.com/Spikhalskiy/docker-templates

 

Zerotier is an open source, cross-platform virtual LAN / VPN available on Android, iOS, Mac, Windows, Linux.

It allows remote access to devices as if they all reside in the same local network.

All traffic is encrypted end-to-end and takes the most direct path available for minimum latency and maximum performance, using VPN-like connections.

Up to 100 devices for free, no need for port forwarding, very simple setup.

 

Network and the docker image setup steps:

  1. Create a https://my.zerotier.com/ account and create a Network there.
  2. Get an ID of the created network (looks something like b4da7454b271902c).
  3. Install this docker image on your unRaid using a template or from Community Applications and put that ID as a NETWORK_ID parameter of the container.
  4. After the docker starts, go to https://my.zerotier.com/network/<NETWORK_ID>, to the "Members" section. Check the "Auth" checkbox for the new device. Assign a meaningful name to it and copy the IP from the "Managed IPs" column - it will be the static IP of your NAS in your virtual network.
  5. Install a Zerotier client to your laptop/phone/other devices, join a network with the same id and repeat the previous step for them.

 

Now, when you connect ZeroTier on any of your devices, a VPN connection will be set up and all connected devices will be available as if they were in the same network. SMB shares/TimeMachine will be autodetected, and UIs will be accessible at <ip from step 4>:<usual port>.

 

Post an issue

If you post about an issue, it will be helpful if you open the docker's console from the webGui, run the following commands, and include their output in your post:


./zerotier-cli info

./zerotier-cli listnetworks

./zerotier-cli listpeers

 

Clean reinstall

If you want to make a clean installation and start the setup from scratch, don't forget to clean up the config directory, which is "/mnt/user/appdata/zerotier/zerotier-one" by default. It contains the identity of your ZeroTier node and generated certificates.

 

FAQ

Q: Should I change "Managed routes" on https://my.zerotier.com/network/<NETWORK_ID> to reflect my unRaid internal IP and subnet in a real physical network? [screenshot: Managed_Routes_1.png]

 

A: No, ZeroTier creates a virtual network adapter for use in the ZeroTier network. If your home IP range is 192.168.1.0/24 and ZeroTier by default selected "10.147.17.*", for example, for your managed IPs, it's totally fine. On the contrary, if the ZeroTier "Managed routes" intersect with your physical local IPs, better change the ZeroTier range to be different. The unRaid virtual IP in the ZeroTier network, which you can find on the https://my.zerotier.com/network/<NETWORK_ID> page, is what you use when you have connected to the same ZeroTier network from another device located in another physical network and want to get access to your unRaid; this IP is different from the physical local network IP of your unRaid server.

 

OMG!! It took me some time to figure this out, but I really have to say a big thank you; you have finally saved me. I had been struggling with OpenVPN for so long (10 months, literally), and finally...

Finally things fell into place with ZeroTier. I am so relieved.
My only concern is how safe this is. My main work platform is this NAS; if this goes down or the files go "bye bye", that's the end of my business era. I'm just concerned about the security of this; other than that, I'm in heaven now.


I have to say this is pretty awesome. Set up this afternoon and is working perfectly between my unraid server, my hosted VM on said server (I remote into) and my laptop I'm on in a different country! 

I do have a few queries however, 

Is it possible for the unraid server to be connected to two different ZeroTier networks, and how would you enter 2 network IDs? (One for me and my devices and another for other users.)

How do I configure the unraid server to be able to act as a default/remote gateway? I've added the ability in my ZeroTier network by adding the 0.0.0.0/0 route to the assigned IP of the unraid server on the ZeroTier network, but I need to do routing at the server, I believe? It would be nice if that was easily configurable in the docker application.

Lastly, and not really applicable to the docker, but how would I configure DNS for this network? As in, I have to use the IP of the unraid server on the ZeroTier network to access it and am not able to use //tower in the web browser.

 

Cheers anyways!

5 hours ago, Defylimits said:

Is it possible for the unraid server to be connected to two different ZeroTier networks, and how would you enter 2 network IDs? (One for me and my devices and another for other users.)

 

I will take a look at it and add this feature if possible.

 

5 hours ago, Defylimits said:

How do I configure the unraid server to be able to act as a default/remote gateway? I've added the ability in my ZeroTier network by adding the 0.0.0.0/0 route to the assigned IP of the unraid server on the ZeroTier network, but I need to do routing at the server, I believe? It would be nice if that was easily configurable in the docker application.

 

I'm not sure, but I don't think it's possible. You want to tunnel traffic and use a ZeroTier host as a VPN server; I don't know if ZeroTier is designed for it.

 

5 hours ago, Defylimits said:

Lastly, and not really applicable to the docker, but how would I configure DNS for this network? As in, I have to use the IP of the unraid server on the ZeroTier network to access it and am not able to use //tower in the web browser.

 

Hmmm. //tower works in your local network not because of a central DNS server.

https://www.systutorials.com/docs/linux/man/8-avahi-daemon/

The same avahi-daemon should announce your unRaid name in Zerotier network too. At least, I can access unRaid in Zerotier network using the same name I use in my local network. Maybe try to add ".local" to your domain name. I use "<servername>.local" for both local and Zerotier network as a domain.

Edited by Dmitry Spikhalskiy


Thanks for the reply,

 

10 hours ago, Dmitry Spikhalskiy said:

I will take a look at it and add this feature if possible.

 

Cheers, it would be good if you could just enter the network IDs separated by commas in the edit docker options.

 

10 hours ago, Dmitry Spikhalskiy said:

I'm not sure, but I don't think it's possible. You want to tunnel traffic and use a ZeroTier host as a VPN server; I don't know if ZeroTier is designed for it.

 

Yes, pretty much. I believe it is possible - https://support.zerotier.com/knowledgebase.php?entry=show&search-for=&article=ZWFhNWMyMTZjODY1ODcwNmFhZmJjYmRhN2I5MjRhOGQ_

 

Steps 2 and 3 are easy to do. It's step 1 that requires some messing around with iptables within unraid/docker, which would allow the server to act as a NAT and forward traffic (sorry, not really a networking person!). Then you should be able to select on the client side whether you just want to connect to the ZeroTier network or use that network as a default gateway for all traffic.
 

10 hours ago, Dmitry Spikhalskiy said:

Hmmm. //tower works in your local network not because of a central DNS server.

https://www.systutorials.com/docs/linux/man/8-avahi-daemon/

The same avahi-daemon should announce your unRaid name in Zerotier network too. At least, I can access unRaid in Zerotier network using the same name I use in my local network. Maybe try to add ".local" to your domain name. I use "<servername>.local" for both local and Zerotier network as a domain.

 

Unfortunately I've tried tower.local and it didn't work. Although I've had issues before with this on the local network it is on, so will have to look into the problem a little more. Thanks for pointing me towards the avahi daemon.  

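The host-side "step 1" from the post above, as an added example that is not from the post, the linked ZeroTier article or the docker image: a shell script that turns on IPv4 forwarding and adds the NAT and FORWARD rules for one ZeroTier subnet. Because the container runs with --net=host, these rules belong to the unRaid host's own netfilter, not to the container. Assumed names: the physical uplink is eth0, ZeroTier interfaces are named zt* (matched with the iptables wildcard zt+), and the ZeroTier subnet is 10.147.17.0/24 as in the FAQ; all three are parameters. DRY_RUN=1 prints the commands instead of running them, which is also how the script can be checked without root.

```sh
#!/bin/sh
# Added example, not from the original post, the linked ZeroTier article or
# the docker image: the host-side half of turning a ZeroTier member into an
# exit gateway (the "step 1" the post refers to). It enables IPv4
# forwarding and adds the NAT and forwarding rules for one ZeroTier subnet.
# Assumed names: uplink interface eth0, ZeroTier interfaces zt* (matched by
# the iptables wildcard zt+), ZeroTier subnet 10.147.17.0/24 as in the FAQ.
# DRY_RUN=1 prints the commands instead of executing them.
set -eu

DRY_RUN="${DRY_RUN:-0}"

# Accept only a dotted-quad IPv4 prefix with a /0..32 length and octets
# <= 255, so a typo cannot turn into a wider FORWARD rule than intended.
valid_cidr() {
    printf '%s' "$1" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}/([0-9]|[12][0-9]|3[0-2])$' || return 1
    ip="${1%/*}"
    oldifs="$IFS"
    IFS=.
    set -- $ip
    IFS="$oldifs"
    for octet in "$@"; do
        [ "$octet" -le 255 ] || return 1
    done
    return 0
}

# Execute a command, or just print it when DRY_RUN=1.
run() {
    if [ "$DRY_RUN" = 1 ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

# Rules are appended (-A); if the FORWARD chain already ends in a DROP or
# REJECT rule, insert them in front of it instead (-I).
setup_gateway() {
    zt_subnet="$1"
    uplink="${2:-eth0}"
    zt_if="${3:-zt+}"
    valid_cidr "$zt_subnet" || { echo "bad subnet: $zt_subnet" >&2; return 2; }
    run sysctl -w net.ipv4.ip_forward=1
    # Traffic from the ZT subnet leaves the uplink with the host's address.
    run iptables -t nat -A POSTROUTING -s "$zt_subnet" -o "$uplink" -j MASQUERADE
    # Forward only packets that arrived on a ZT interface from the ZT subnet,
    # and only replies to those flows back in; nothing else crosses.
    run iptables -A FORWARD -i "$zt_if" -s "$zt_subnet" -o "$uplink" -j ACCEPT
    run iptables -A FORWARD -i "$uplink" -o "$zt_if" -d "$zt_subnet" \
        -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
}

# Usage: [DRY_RUN=1] ./zt-gateway.sh <zt-subnet> [uplink] [zt-interface]
# With no arguments only the functions are defined (sourceable).
if [ "$#" -gt 0 ]; then
    setup_gateway "$@"
fi
```

The FORWARD rules are deliberately narrow: only traffic that entered on a zt* interface with a source inside the ZeroTier subnet is forwarded out, and only conntrack-tracked replies come back, so nothing on the uplink can use the rules to reach into the ZeroTier network. Two things to keep in mind before flipping the 0.0.0.0/0 managed route on: every node you have ticked Auth for can now route all of its traffic through your home connection, so authorize accordingly; and unRaid runs from RAM, so these rules have to be re-applied at every boot (the go file or a user script are the usual places). The client-side switch to actually use the route is the "allow default route" option the earlier reply mentioned trying on a phone; without it the managed route is delivered but ignored.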

Dmitry... 

 

I am experimenting with Home Assistant on unRaid. I am not using the Docker version but am using HassOS as a KVM... how can I get ZT installed on it? I am not all that familiar with HA and its backend. I did find a ZT plugin for it, but it is in Chinese and has very little documentation.


...tell us how this works out...planning on running one on my unraid box and another one on a small vserver (figuring you need two in order to get availability somewhat right)

