[Support] spikhalskiy - ZeroTier


On the server 10.10.10.10, those routes already exist

Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
default         GEN8            0.0.0.0         UG    0      0        0 br0
10.10.10.0      0.0.0.0         255.255.255.128 U     0      0        0 shim-br0
10.10.10.0      0.0.0.0         255.255.255.0   U     0      0        0 br0
10.10.10.128    0.0.0.0         255.255.255.128 U     0      0        0 shim-br0
10.10.20.0      Tower-2.local   255.255.255.0   UG    0      0        0 ztmjfbsomh
172.17.0.0      0.0.0.0         255.255.0.0     U     0      0        0 docker0
172.18.0.0      0.0.0.0         255.255.0.0     U     0      0        0 br-853fe7d63fa3
172.19.0.0      0.0.0.0         255.255.0.0     U     0      0        0 br-312be3d41a1c
192.168.191.0   0.0.0.0         255.255.255.0   U     0      0        0 ztmjfbsomh

 

So we can see that the route to 10.10.20.x exists, and the route to 192.168.191.x. Flag G for gateway on 10.10.20.x means to redirect IP packets to the interface of ZeroTier.

 

on 10.10.20.10:

root@Tower:~# route
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
default         livebox.home    0.0.0.0         UG    0      0        0 br0
10.10.10.0      Tower.local     255.255.255.0   UG    0      0        0 ztmjfbsomh
10.10.20.0      0.0.0.0         255.255.255.0   U     0      0        0 br0
172.17.0.0      0.0.0.0         255.255.0.0     U     0      0        0 docker0
172.18.0.0      0.0.0.0         255.255.0.0     U     0      0        0 br-83a6ea76a1ec
192.168.191.0   0.0.0.0         255.255.255.0   U     0      0        0 ztmjfbsomh

 

AFAIK, it looks good on that part.

I am not sure about masquerading either. If I remember my telco studies well (and I am a telco engineer but never worked in telco :))... it should not be required.

 


What IP is "Tower-2.local", can you issue the route command with "-n" parameter, please?

Your default route is your local WAN router, "livebox.home". Is this device also handing out IP via DHCP for other clients in 10.10.10.0/255.255.255.128 and 10.10.10.128/255.255.255.128?

Even if routes exist on your unraid servers, in order to connect a complete network, each client needs to know the route to 10.10.20.x and 192.168.191.x ... as they do not, they use their default gw, which is livebox.home....is it not?

 

Network #1:

  • WAN Router, local IP 10.10.10.1 (possibly, "livebox.home")
  • Server #1, local IP 10.10.10.10
  • client #1, local 10.10.10.103 (via dhcp from WAN Router, possibly)
  • default gateway in this network: 10.10.10.1
  • So each client will forward to livebox.home (their default gw) when trying to reach anything outside 10.10.10.x
  • therefore livebox.home needs the routes to 192.168.191.x (which is 10.10.10.1) and 10.10.20.x (which is 192.168.191.x-on-tower-2)

Edited by Ford Prefect

You are totally right if I want to completely interconnect both LAN. And I will try to do it, you gave me a very interesting idea :)

 

But in my case, I just want to access from my laptop (with the zerotier cli) to devices on the remote LAN such as printers, NAS, routers etc...

For sure, if remote devices on 10.10.20.x want to connect to me (and they have no zerotier client running on), routes must be set properly to passthrough a peer with zerotier interco.

 

For example, Tower2 is 10.10.20.10 and has an openvpn server (docker).

If I connect with open vpn client from my laptop (on 10.10.10.xxx) to tower 2 (10.10.20.10)... I can access ALL devices on the LAN 10.10.20.x.

If I use ZeroTier, only the server is accessible.

 

Apparently many people get it to work properly, but not me... and I really wonder what I am missing.

 

23 hours ago, tapodufeu said:

You are totally right if I want to completely interconnect both LAN. And I will try to do it, you gave me a very interesting idea :)

OK, my bad... I actually thought that this was your usecase ;-)

 

23 hours ago, tapodufeu said:

But in my case, I just want to access from my laptop (with the zerotier cli) to devices on the remote LAN such as printers, NAS, routers etc...

For sure, if remote devices on 10.10.20.x want to connect to me (and they have no zerotier client running on), routes must be set properly to passthrough a peer with zerotier interco.

  ...but this still is what they (printer, smart-bulb) "want" to do, once you open a connection to them...IP packets intended to be returning from them to you will need a path back into zt-central.

Your laptop with zt-interface up&running is connected to ZT-central.

ZT-central will/can provision the routes, you configured back to the zt-client on the laptop.

  1. I think you will have to enable the propagation of routes in the zt-client or in zt-central...somewhere.
  2. I believe, this will only work, if your Laptop is connected to a third network, like guest WLAN with internet access in a hotel, outside of site#1.

Another service on the remote site#2 will receive a connect from an IP out of your zt-pool. This service, if not "inside" your unraid server#2 will need a route to zt-central network....if this service is a physical printer, for example, is outside of unraid-server#2 and will only know the route to the default-gw on network at site#2, not unraid#2 as gw to zt-central network.

 

This usecase I use a lot myself when abroad...works like a charm...but I have configured my router (livebox.home) to forward traffic to my own zt-central-network via my unraid-zt-interface. I also chose to allocate a separate VLAN for the ZT-network inside my premises, which makes it easier inside my setup but this is not a must.

 

Sorry if this is confusing...English is not my native tongue. I still think you do not have a route in your local LAN to your zt-central-network and that is why this only works for services on your unraid-box, where the zt-interface resides. unraid will simply forward between local interfaces anyway.

23 hours ago, tapodufeu said:

For example, Tower2 is 10.10.20.10 and has an openvpn server (docker).

If I connect with open vpn client from my laptop (on 10.10.10.xxx) to tower 2 (10.10.20.10)... I can access ALL devices on the LAN 10.10.20.x.

If I use ZeroTier, only the server is accessible.

...this is because maybe openVPN interface on unraid is using nat to the inside LAN? For devices in the LAN, packets appear to be originated from your unraid box, not from the transfer-network. Or is even handing out IPs of your original LAN.

Zerotier is a real LAN and you need proper routing, using zt-central-network as "transfer net".
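The return-path problem described in the posts above, as an added example that is not part of the original thread: a small longest-prefix-match simulation of where the remote device's reply goes in the routed, static-route and masquerade cases. The router, printer and ZeroTier host addresses are constructed; only 10.10.20.10 and the subnets come from the thread.

```python
import ipaddress

ON_LINK, INTERNET = "on-link", "internet"

# Constructed addresses: which node answers for which IP.
OWNERS = {
    "192.168.191.5": "laptop",   # laptop's ZeroTier address (constructed)
    "192.168.191.20": "tower2",  # Tower-2's ZeroTier address (constructed)
    "10.10.20.10": "tower2",     # Tower-2's LAN address, from the thread
    "10.10.20.50": "printer",    # constructed
    "10.10.20.1": "router2",     # constructed ISP router at the remote site
}

def tables(static_route_on_router=False):
    """Routing tables at the remote site as (prefix, next hop) pairs."""
    router = [("10.10.20.0/24", ON_LINK), ("0.0.0.0/0", INTERNET)]
    if static_route_on_router:
        router.append(("192.168.191.0/24", "tower2"))
    return {
        "printer": [("10.10.20.0/24", ON_LINK), ("0.0.0.0/0", "router2")],
        "router2": router,
        "tower2": [("10.10.20.0/24", ON_LINK), ("192.168.191.0/24", ON_LINK),
                   ("0.0.0.0/0", "router2")],
    }

def next_hop(table, dst):
    """Longest-prefix match; returns the next hop, or None if no route matches."""
    addr = ipaddress.ip_address(dst)
    matches = [(ipaddress.ip_network(p), hop) for p, hop in table
               if addr in ipaddress.ip_network(p)]
    if not matches:
        return None
    return max(matches, key=lambda m: m[0].prefixlen)[1]

def trace(tbls, start, dst, max_hops=8):
    """Follow a packet hop by hop until it is delivered, dropped or loops."""
    path, node = [start], start
    for _ in range(max_hops):
        if OWNERS.get(dst) == node:
            return path                      # delivered
        hop = next_hop(tbls[node], dst)
        if hop == ON_LINK:
            hop = OWNERS.get(dst)            # resolved on the local segment
        if hop is None:
            return path + ["unreachable"]
        if hop == INTERNET:
            return path + ["dropped"]        # private destination leaves via the WAN
        path.append(hop)
        node = hop
    return path + ["loop"]

def reply_path(scenario):
    """Path of the printer's reply to a connection opened from the laptop."""
    if scenario == "masquerade":
        # Tower-2 rewrote the source address, so the printer answers
        # Tower-2's LAN address and Tower-2 translates it back.
        return trace(tables(), "printer", "10.10.20.10")
    return trace(tables(scenario == "static-route"), "printer", "192.168.191.5")

if __name__ == "__main__":
    for s in ("routed", "static-route", "masquerade"):
        print(f"{s:13} {' -> '.join(reply_path(s))}")
```

Only the reply direction is modelled; the laptop is assumed to already have a route to 10.10.20.0/24 through Tower-2's ZeroTier address.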

Thanks for your feedback. I understand my issue now. You are totally right, this is the NAT feature of openvpn. I tried disabling it, then it is exactly like zerotier.

 

So when I am at home, with just the fiber modem router from my ISP, (no advanced routing inside), openvpn is my only option, with NAT included in the openvpn server I can do what I want.

 

It would be a great option to add a "kind of admin" access with zerotier with NAT included... I would have completely removed openvpn and just used zerotier only.

This is exactly the kind of option that a devops or infra manager needs. For example, since March, with covid, not every day hopefully, I have connected and changed VPNs maybe 30 times per day!!

 

 

 

 

 

...you can add your own router as a VM on your unRaid box.

There are pfsense/opnsense, openwrt or mikrotik CHR (free version only 100mbps) available to do just that.

All do support virtio-NICs or you could passthrough a set of physical adapters, like a Quad-NIC and attach all to a managed switch, that supports VLANs.

You could enable GRE/EoIP tunnels across your sites....or ZT-Central based network interfaces.

 

No VPN, but real LAN-to-LAN scenarios are possible that way.

No need to tinker with your ISP modem/router.box.

Edited by Ford Prefect

  • 2 weeks later...

Finally a VPN solution for Unraid that does not involve pulling out one's hair, easy, fast and simple.

Oh. Yea. So. Update. Dunno if I mentioned or not, but I ended up deleting everything I did and starting over and *poof*...everything works perfect.

 

ZeroTier is AWESOME!!

  • Author

The image was updated to use the latest 1.6.2 Zerotier version.

Ever since the update to 1.6.2, my unRAID machine no longer joins my ZT network, and when I try to debug inside the container, I get errors from the zerotier-cli tool:

 

zerotier-cli info
zerotier-cli: /usr/lib/libstdc++.so.6: no version information available (required by zerotier-cli)
zerotier-cli: /usr/lib/libstdc++.so.6: no version information available (required by zerotier-cli)
zerotier-cli: /usr/lib/libstdc++.so.6: no version information available (required by zerotier-cli)
zerotier-cli: /usr/lib/libstdc++.so.6: no version information available (required by zerotier-cli)
zerotier-cli: /usr/lib/libstdc++.so.6: no version information available (required by zerotier-cli)
zerotier-cli: /usr/lib/libstdc++.so.6: no version information available (required by zerotier-cli)
zerotier-cli: /usr/lib/libstdc++.so.6: no version information available (required by zerotier-cli)
zerotier-cli: /usr/lib/libstdc++.so.6: no version information available (required by zerotier-cli)
zerotier-cli: /usr/lib/libstdc++.so.6: no version information available (required by zerotier-cli)
zerotier-cli: /usr/lib/libstdc++.so.6: no version information available (required by zerotier-cli)
zerotier-cli: /usr/lib/libstdc++.so.6: no version information available (required by zerotier-cli)
zerotier-cli: /usr/lib/libstdc++.so.6: no version information available (required by zerotier-cli)
zerotier-cli: /usr/lib/libstdc++.so.6: no version information available (required by zerotier-cli)
200 info XXXXXXXXXXX 1.6.2 OFFLINE

I have tried deleting the container and reinstalling from CA, but it comes back with the same issue.

 

Rolling back to spikhalskiy/zerotier:1.4.6 has fixed the issue for now.

Edited by technorati

I see the same messages in the logs, but my ZT-Container joins ZT-central just fine.

  • Author
4 hours ago, technorati said:

Ever since the update to 1.6.2, my unRAID machine no longer joins my ZT network, and when I try to debug inside the container, I get errors from the zerotier-cli tool:

 


zerotier-cli info
zerotier-cli: /usr/lib/libstdc++.so.6: no version information available (required by zerotier-cli)
zerotier-cli: /usr/lib/libstdc++.so.6: no version information available (required by zerotier-cli)
zerotier-cli: /usr/lib/libstdc++.so.6: no version information available (required by zerotier-cli)
zerotier-cli: /usr/lib/libstdc++.so.6: no version information available (required by zerotier-cli)
zerotier-cli: /usr/lib/libstdc++.so.6: no version information available (required by zerotier-cli)
zerotier-cli: /usr/lib/libstdc++.so.6: no version information available (required by zerotier-cli)
zerotier-cli: /usr/lib/libstdc++.so.6: no version information available (required by zerotier-cli)
zerotier-cli: /usr/lib/libstdc++.so.6: no version information available (required by zerotier-cli)
zerotier-cli: /usr/lib/libstdc++.so.6: no version information available (required by zerotier-cli)
zerotier-cli: /usr/lib/libstdc++.so.6: no version information available (required by zerotier-cli)
zerotier-cli: /usr/lib/libstdc++.so.6: no version information available (required by zerotier-cli)
zerotier-cli: /usr/lib/libstdc++.so.6: no version information available (required by zerotier-cli)
zerotier-cli: /usr/lib/libstdc++.so.6: no version information available (required by zerotier-cli)
200 info XXXXXXXXXXX 1.6.2 OFFLINE

I have tried deleting the container and reinstalling from CA, but it comes back with the same issue.

 

Rolling back to spikhalskiy/zerotier:1.4.6 has fixed the issue for now.

"no version information available" messages are fine, you can ignore them, it's not what causes the issue.

Apologies - you'd think that by my age I'd be aware that correlation does not imply causation, but  ¯\_(ツ)_/¯

Looks like enabling "Host access to custom networks" in Network settings causes ZeroTier to go offline. Does anyone know what needs to be done to allow ZeroTier to connect when this setting is enabled?

Edited by rami22

Quote

 

Application Name: ZeroTier

Application Site: https://www.zerotier.com/

Docker Hub: https://hub.docker.com/r/spikhalskiy/zerotier/

Github Docker: https://github.com/Spikhalskiy/zerotier-unraid-docker

Templates Repo: https://github.com/Spikhalskiy/docker-templates

 

 

This works very well on my Optus wireless broadband which is double NAT, if anyone else is interested :)

Edited by Wozzagonebush
Inserted quote

Hi, thank you for this container. ZT looks very promising. 

 

I've been able to connect to RDP using the ZT on my home PC to a remote PC. I have Apache Guacamole, which is an RDP client that runs as a webserver on my unraid server running in bridged mode; however, I cannot connect via Apache Guac to ZT PC clients on the same LAN or remote networks for some reason. Would it be correct to assume that ZT needs to be installed in the individual Apache Guacamole container for me to be able to connect to the ZT network? PC -> PC RDP through ZT works fine, it's just when I use Apache Guac that I begin to run into connection problems. Appreciate the help.

 

Edit: 

 

After doing some testing, I managed to get this to work with some modifications. In the docker container that you wish to connect to your zerotier network, you can use the docker install script they show on their website and join the network within the container. You can also tunnel a second docker container through this zt docker container by using the extra parameters setting with "--net=container:zerotier" under advance settings. You also have to set the network option to none on the tunneled container. On a side note, apache guac will not connect to a RDP computer without a password, even though the windows RDP client can. 

Edited by akeid

  • 1 month later...
On 12/10/2020 at 6:48 PM, technorati said:

Ever since the update to 1.6.2, my unRAID machine no longer joins my ZT network, and when I try to debug inside the container, I get errors from the zerotier-cli tool:

 


zerotier-cli info
zerotier-cli: /usr/lib/libstdc++.so.6: no version information available (required by zerotier-cli)
zerotier-cli: /usr/lib/libstdc++.so.6: no version information available (required by zerotier-cli)
zerotier-cli: /usr/lib/libstdc++.so.6: no version information available (required by zerotier-cli)
zerotier-cli: /usr/lib/libstdc++.so.6: no version information available (required by zerotier-cli)
zerotier-cli: /usr/lib/libstdc++.so.6: no version information available (required by zerotier-cli)
zerotier-cli: /usr/lib/libstdc++.so.6: no version information available (required by zerotier-cli)
zerotier-cli: /usr/lib/libstdc++.so.6: no version information available (required by zerotier-cli)
zerotier-cli: /usr/lib/libstdc++.so.6: no version information available (required by zerotier-cli)
zerotier-cli: /usr/lib/libstdc++.so.6: no version information available (required by zerotier-cli)
zerotier-cli: /usr/lib/libstdc++.so.6: no version information available (required by zerotier-cli)
zerotier-cli: /usr/lib/libstdc++.so.6: no version information available (required by zerotier-cli)
zerotier-cli: /usr/lib/libstdc++.so.6: no version information available (required by zerotier-cli)
zerotier-cli: /usr/lib/libstdc++.so.6: no version information available (required by zerotier-cli)
200 info XXXXXXXXXXX 1.6.2 OFFLINE

I have tried deleting the container and reinstalling from CA, but it comes back with the same issue.

 

Rolling back to spikhalskiy/zerotier:1.4.6 has fixed the issue for now.

Hello, I have something wrong like this. The difference is that it displays online, but it's offline in ZeroTier central.

Hello,

I have found why it could not work on someone's unraid.

It should be in China, where the GFW blocks something.

 

The official client could work well on a PC in China.

 

 

  • 3 weeks later...

Hello, I've been trying to use this to run a VLAN for a Valheim gaming server using ich777's docker container. I'd like to apologize in advance for being generally uneducated about networking. Please correct me if I'm wrong but folks should be able to join the server after connecting to my ZeroTier using my local address for my Unraid server? I've been having trouble getting people to connect.

On 12/10/2020 at 3:48 AM, technorati said:

Ever since the update to 1.6.2, my unRAID machine no longer joins my ZT network, and when I try to debug inside the container, I get errors from the zerotier-cli tool:

 


zerotier-cli info
zerotier-cli: /usr/lib/libstdc++.so.6: no version information available (required by zerotier-cli)
zerotier-cli: /usr/lib/libstdc++.so.6: no version information available (required by zerotier-cli)
zerotier-cli: /usr/lib/libstdc++.so.6: no version information available (required by zerotier-cli)
zerotier-cli: /usr/lib/libstdc++.so.6: no version information available (required by zerotier-cli)
zerotier-cli: /usr/lib/libstdc++.so.6: no version information available (required by zerotier-cli)
zerotier-cli: /usr/lib/libstdc++.so.6: no version information available (required by zerotier-cli)
zerotier-cli: /usr/lib/libstdc++.so.6: no version information available (required by zerotier-cli)
zerotier-cli: /usr/lib/libstdc++.so.6: no version information available (required by zerotier-cli)
zerotier-cli: /usr/lib/libstdc++.so.6: no version information available (required by zerotier-cli)
zerotier-cli: /usr/lib/libstdc++.so.6: no version information available (required by zerotier-cli)
zerotier-cli: /usr/lib/libstdc++.so.6: no version information available (required by zerotier-cli)
zerotier-cli: /usr/lib/libstdc++.so.6: no version information available (required by zerotier-cli)
zerotier-cli: /usr/lib/libstdc++.so.6: no version information available (required by zerotier-cli)
200 info XXXXXXXXXXX 1.6.2 OFFLINE

I have tried deleting the container and reinstalling from CA, but it comes back with the same issue.

 

Rolling back to spikhalskiy/zerotier:1.4.6 has fixed the issue for now.

I'm getting these error messages too, except mine does connect. Although yesterday, the internet went out for a few hours, when it came back I had to restart the container for it to connect so I checked the logs.

Hi,

 

I really like your app!! it works really well. Thank you!

 

Any plan to update it to 1.6.4 anytime soon?

Hey, thanks for this great write-up and template. I'm having some issues and I'm not sure of the root of the problem. I've got the container started and added to my ZT network and authorized. However, I am unable to ping via the ZT IP address. I'm able to ping other devices on my ZT network but not my unraid server when trying from my Mac remotely but connected to the ZT network. I do have some devices on different subnets so I'm wondering if my routing is the issue. On the unraid side do I need any static routes set to work, or just on the zerotier center side? I currently have a managed network for each LAN subnet via a ZT device that is located on the same internal subnet. Is that the right methodology?

 

ex:

unraid LAN IP: 192.168.1.6

ZT IP: 10.244.27.6

 

route: 192.168.1.0/24>10.244.27.6

 

etc for other subnets

 

Edit: Got it figured out. Went into the unraid shell and found that the ZT network adapter hadn't picked up the IPv4 address. I restarted the container and it picked up the IP I picked. Then I set the static route accordingly

 

route: 10.244.0.0/24>zt adapter

 

then I was able to access the unraid server

Edited by IxsharpxI
typos

So mine says joined and does not error out - but it never shows up in the zerotier interface to approve

Any way to pull the name of this one so I can whitelist it manually in the zerotier interface?

 

EDIT: When I change to bridge it changes to online but still doesn't work

Under host it says 
200 info xxxxxxxxx  1.6.2 OFFLINE

 

Edited by mcrommert

  • 3 weeks later...

So I'm rereading this topic for the 7th time in 7 days with no end in sight. My main goal is to open Plex for friends with granular control.

 

A handful of good friends are parents now too and as they discovered my Kids Video Collection (damn those VHS rips) they'd love to be able to give their kids those programs too instead of the utter BS that's running on TV nowadays.

 

I have pfsense/baremetal running 12 VLANs and a 100/60 connection.

 

VLAN 3 (10.1.30.0/24) is the Vlan where my Plex Servers reside (10.1.30.1 & 10.1.30.2). On the same Vlan there are 2 Steam Machines (10.1.30.40 & 10.1.30.41) I'd also like to 'share'.

 

My ZT resides in above Vlan3 (10.1.30.249), and with this Docker I'd just want to share Plex/Steam.

 

To my understanding it would be possible to use ZT for multiple Vlans, but for simplicity I'd rather start with one Vlan properly set-up 😅

 

As said above I read the entire thread a couple of times, especially the posts of @Ford Prefect about adding routes, but: I intend to only add certain hosts from the Vlan, not the entire network.

 

Where do the routes have to go? Only ZT-Central? Or do I need to tweak pfsense/vlan-rules too?

 

I'm at a loss and any help is much appreciated! Especially what the routes should look like, as I had a HARD time setting pfsense up.. 🤣

 

Kind regards,

Hank

Edited by Hank Moody
Tipo
