https://www.zerotier.com/2021/09/21/incident-response-to-september-20th-2021/
UPDATE: Version 1.6.6 is now released and contains an additional mitigation against this issue. We recommend upgrading.
Yes, yes ZeroTier is now on MikroTik! :)
Here is the official ZeroTier blog post ---> https://www.zerotier.com/2021/08/31/zerotier-on-mikrotik/
That recent blog about private cloud storage focuses on seafile, but is applicable
But if you're talking about literal transfer speeds, then do note that most VPNs are indeed slower than line speed because encryption and etc.
Source: https://www.zerotier.com/2017/04/20/benchmarking-zerotier-vs-openvpn-and-linux-ipsec/
You can read it in the manual at point 2.1.1…only for initial connection and after that it relies on hole punching or other means, because it's a peer to peer network.
In rare circumstances it relies on relaying
„VL1 never gives up. If a direct path can’t be established, communication can continue through (slower) relaying. Direct connection attempts continue forever on a periodic basis. VL1 also has other features for establishing direct connectivity including LAN peer discovery, port prediction for traversal of symmetric IPv4 NATs, and explicit port mapping using uPnP and/or NAT-PMP if these are available on the local physical LAN.“
You can use Cloudflare Argo for that:
https://www.cloudflare.com/products/argo-tunnel/
for public web using Cloudflare. For rest you can use Zerotier.
Alternative is to get cheap $5 instance from Vultr or DigitalOcean and to route all web traffic via tunnel to the server.
Side note, I noticed you were installing using an MSI. If you want to go full command line without having to push the MSI to each machine ahead of time, you can use the chocolatey package manager to install the ZT cli:
It's possible that the game is using multicast for LAN player identification. You'll need to configure your ZT interfaces to route this from the other network. I.e. when you host a game, there's maybe a 225.x.x.x multicast IP that contains info on your lobby, MAC and IP. This would go out by default on your physical interface (wifi or eth). The stuff only makes it one hop to a switch or router that supports multicast and then has to be forwarded to other networks. It won't take the ZT route even if all traffic is forced. This is out of the ZT manual. Might help:
"3.5.2. Locking Down UDP
UDP is tougher to deal with in a stateless paradigm. It's connectionless so there is no way to specifically select a new session vs. an existing session. The best way to lock down UDP on a network is to use tags to allow it to and from things like DNS servers that need to speak it.
tag udpserver id 1000 default 0 ;
accept ipprotocol udp and tor udpserver 1 or chr multicast ;
break ipprotocol udp;
First we define a tag called udpserver with a default value of 0. We don't set any enums or flags for this tag since it will be used as a boolean. For servers that need to respond to DNS queries, set the udpserver to 1.
Then we accept UDP traffic if the value of the udpserver tag is 1 when both sender and receiver tags are ORed together, or if UDP traffic is multicast. This allows multicast mDNS and Netbios announcements and allows UDP traffic to and from UDP servers, but prohibits other horizontal UDP traffic."
Have a look at this: https://www.zerotier.com/manual/#2_1_4
The section is called Trusted Paths for Fast Local SDN if your browser does not jump to it automatically. That does not tell you how to actually configure it so look at Local Configuration Options (https://www.zerotier.com/manual/#4_2) which shows an example local.conf including the trusted paths attribute.
It’s not super well documented so let me know if you have any trouble
I cannot comment on security however I do use ZeroTier behind cgnat which means I do not have a usable public IP address. To counter this I’ve setup a server on digital ocean and setup a ZeroTier moon having all of my networks orbit the moon https://www.zerotier.com/manual.shtml#4_4
I also set up my own ZeroTier controller. You can find a simple UI for this here https://github.com/key-networks/ztncui and don't forget to export your volumes to local storage so you can easily back up your networks.
These two things are not the same thing at all.
ZeroTier is a mesh point to point network virtualization layer. NordVPN and other "privacy VPN" services are single point tunnels that make your Internet traffic exit somewhere other than at your ISP.
This is a great write up, explains it well and walks you through the setup. True, it is from DigitalOcean and a way to use a VPS for your exit, but the principles are the same.
I just realized you may NOT need this. However I'll leave it here just in case; it seems to be about the best explanation I have seen for doing this on a server, RPi, etc.
Well, that's interesting. On both my Windows device and my Fedora Linux device, Mullvad and ZeroTier work just fine alongside each other.
I'm not using the CLI settings though, so that's something to consider.
Kind of a late reply, but it is fully possible to use Mullvad and Zerotier. They work fine together.
Make sure Mullvad > Settings > Local Network Sharing is enabled - everything should just work enabling that.
Hi all,
I THINK my diagram shows what I'm trying to do. I did not include local / wifi router internal traffic or anything but basically as the title says.
I want to have my WEBDAV server (hosted at home) connectable via my WEBDAV clients, even when out of the house, via zerotier. Zerotier totally works, love it.
But, on Android I can only run ZeroTier OR NordVPN. I figure there must be a way to run both, but I have no idea. Networks are my weak point.
Any help would be lapped up. Thank you.
> have a computer on the Home LAN that is always on and connected via ZeroTier to send the WOL packet.
Apart from the main pc at home, another old pc at home remains on until I come home at night.
>This will be a little tricky though because the third computer will have to send it to the Home PC ip address that is from the Home LAN, and not the ZeroTier ip address.
I would be grateful to you if you can tell me (here) or provide a link that walks through the process/steps of WOL from 1 (old) pc to another (main) pc via ZeroTier.
> Honestly, I would recommend getting a raspberry pi, installing piVPN, and not even worrying about ZeroTier.
I've thought about buying a Raspberry Pi 4 for NAS, Pi-hole, PiVPN & other home automation projects BUT RPi 4 has heating issues & performance is automatically throttled down after going above 70 degrees. I live in a tropical country so it would be ideal for me to get an active (probably tower cooling) & passive cooling solution for RPi 4, which makes me think of added electricity cost for the long term.
The best thing you can do to change your NAT to open is to port forward whatever ports the game is using. If you have access to the settings of your router I can walk you through this.
Some people would say to use DMZ. That would also work, but it opens up way too much so it's not very secure.
If you don't have access to your router settings, your best option would be a VPN that supports port forwarding. I always recommend AirVPN since they support port forwarding, and they have an easy to use DDNS for people who need that.
Referral link if you want to try it.
ZeroTier is mostly for virtual LAN usage. LAN networks don't have NAT, so they don't have to worry about that. If you are playing a game using WAN then ZeroTier won't help you.
If you have any questions I'll try to help you.
I realize this is a few days old now, but this is what I use and it works well. The key is to use the zerotier-cli batch file directly.
Set-ExecutionPolicy Bypass -Scope Process -Force; iex ((New-Object System.Net.WebClient).DownloadString('https://chocolatey.org/install.ps1'))
$destination = "C:\Program Files (x86)\ZeroTier\One\zerotier-cli.bat";
# Run the CLI batch file and capture its exit code through -PassThru;
# Start-Process -Wait on its own does not populate $LASTEXITCODE.
$process = Start-Process -FilePath $destination -ArgumentList "join xxx" -Wait -PassThru -NoNewWindow
$exitCode = $process.ExitCode
Write-Verbose "Exit code was $exitCode"
$validExitCodes = @(0, 1605, 1614, 1641, 3010)
if ($validExitCodes -contains $exitCode) {
Exit 0
}
Exit $exitCode
Think you are referring to my comment.
https://old.reddit.com/r/zerotier/comments/g47464/full_tunnel_on_windows/
This question is better asked in r/cybersecurity or r/privacy
>may be intercepted if your mail app or other app tries to connect automatically
If your connection is https, data will NOT be intercepted or leaked.
But the cafe's router will know that you are trying to connect to mail.google.com or whatever and then show you the login portal.
> cafe or airport your privacy is 0.
I wrote on the previous thread:
If wifi is flaky in public then full tunnel fails -> you will be automatically (fallback) connected direct to internet -> When full tunnel fails it does not stop internet - your normal access continues - lost privacy.
Read about dns leak in this faq: https://nordvpn.com/faq/
You don't need a fixed IP address if you use Dynamic IP services like https://freedns.afraid.org . Then you have a DNS record that always points to your home IP address. This is also useful for other services, like having access to a home FTP server etc.
u/alexforencich you could set up a r/openwrt router joined to ZeroTier for certain locations; that'll reduce your overall node count. And if hosting your own controller like what was being suggested, https://www.linode.com/ or something on a lower-tier option should be more than sufficient ("moons" are getting replaced in 2.0, but this was a good option for those too).
ARP responses are stored in a simple table with MAC=IP pairs (and static/dynamic type). That's called the ARP cache.
Just read what ZeroTier VL2 is before asking questions about ZT+ARP:
https://www.zerotier.com/manual/#2_2
Welcome u/colossus1975!
To answer your question about security: We've had our methods audited by a third party and the results can be found here
> Is it as simple as what I am reading/seeing?
In most cases, yes.
> Would this be a suitable idea to access my home network for home-lab training?
Absolutely
Take a look at the Rule Definition Language (section 3.4) at this link: https://www.zerotier.com/manual/#3
I'm using the following to restrict traffic to a single server, but you should be able to switch the accept statements to the desired port instead. You'll probably still need to do some trial and error. Most guides for the rules seem to work around the idea of explicitly dropping and accepting certain patterns, then accepting everything else. I wanted my network to be setup to drop anything that is not the specific traffic I'm allowing. (Disclaimer: This is just what I came up with, not sure if it's the "correct" way to do things.)
accept ethertype arp;
drop not ethertype ipv4 and not ethertype ipv6 ;
accept ztdest [zt_server_address];
accept ztsrc [zt_server_address];
drop;
2.0 may be on the roadmap but there's very little to show when it may be released. An article on their own site from Nov 2019 says it is 'relatively close' so I wonder what that translates to, and another reply by a ZT dev on a ycombinator post from 4 months back doesn't commit to any timeline either, which I can understand.
Yeah I think the gateway option is probably the way to go, but I also still have a lot to learn on it, proving slow going!
The controller has record of this information based on the last request made by the node, not unlike a web server logging a requester’s IP address and time stamp.
See ZT manual for more details.
AFAIK it uses mostly its own protocols, as described in the manual. Have a look at for example Node.cpp, it's rather simple and well commented.
https://www.zerotier.com/download/
Check the downloads page. There's a small section on the Synology NAS devices:
NAS DEVICES - Synology: ZeroTier One for Synology NAS is designed for DSM 6+ and can be installed on any ARM, x86, or x64 based Synology NAS device. Once installed you can join virtual networks from the ZeroTier One web UI. Currently setup via QuickConnect is not supported. Check the ZeroTierNAS repository for more information.
Planets and controllers work at a different level, VL1 and VL2. Controllers are in charge of network specific configuration, like authorized nodes, their local addresses, routes, rules, etc. Planets and moons work at the VL1 level, facilitating a connection between two nodes independently of what network they are part of. You can read the manual for more information on the architecture.
This distinction is important because if the controller were to be compromised your network can automatically be considered not secure; instead, if a planet or moon were to be compromised, you would only need to worry in the case that you're introducing new nodes to the network and an attacker managed to forge that node id and MITM it. I came to the conclusion after reading the documentation that the damage a rogue planet or moon could cause would be negligible compared to the convenience factor.
This is of course my interpretation of the docs and source code, if any of this is inaccurate or not up to date please correct these statements.
But do you ping him on his active ZT IPv4 address (from another ZT connected device on the same ZT network) (should work) or his local IPv4 (does not work)?
On my current fiber ISP connection I had to insist on LAN connection instead of their default router setup, to allow using my own router below and not get double NAT. I believe ZT still will work, but slower due to a relay connection instead of direct peer-to-peer.
By the way, I once also had trouble using ZT on a mobile carrier that blocked UDP port 9993.
https://zerotier.atlassian.net/wiki/spaces/SD/pages/6815768/Router+Configuration+Tips
https://www.zerotier.com/2014/08/25/the-state-of-nat-traversal/
What are you trying to do actually? The win10 system is running Zerotier as well or not?
You cannot connect to a ZeroTier IP address unless you are running ZeroTier on such a device as well and have allowed this device in that ZeroTier network.
The ZeroTier IP addresses used are not public internet reachable IP addresses, more like the 192.168.x.x many of us have at home. The ZeroTier protocol connects the various nodes in the same network through ZeroTier's root servers and its peer to peer network and the unique 40-bit ZeroTier address of each ZeroTier node you create.
But I'm a bit second guessing here what your issue might be...
zerotier-one generates the identity files the first time it's started, if they don't exist. They are random, not based on a NIC or MAC. low level details
You can have your image with an empty zerotier home (/var/lib/zerotier-one) and get a new random ID on the first boot, or shove an ID into the vm through env vars or whatever config management tool.
$ zerotier-idtool generate
781f279a20:0:cafa29585ec8398eaf68e1d929df70bab97909153168e034098fc1bc19fd0b693f37de4825d6b4430ec828a8ddec0c77d6f619e8f5344866aff107018b92457d:36e89fb0a1d3d719dc49b77899bd2575b28a6b232f32694333eb1922cbee3ef
what port and protocol is zabbix again? we could probably figure out some rules in here.
Just this might be sufficient,
tag zabbix id 2 enum 0 No enum 1 Yes default No;
# if both members are not servers, break
break not tor zabbix 1;
# This is required because the default action is 'drop'.
accept;
you could layer in some stuff about ports, but involving ports in a stateless firewall like the rules engine can be tricky. https://www.zerotier.com/manual/#3_5_2
ZT Engineer here,
The reason for this is that there have not yet been any notable security incidents. We have a section in our manual detailing the cryptographic methods we employ: https://www.zerotier.com/manual/#2_1_3
That being said, no system is invulnerable and for that reason we are making our upcoming 2.x releases even easier to run your own infrastructure if you so desire. Additionally, ZeroTier 2.x will be professionally audited, including design, cryptography and code.
Also, look up the concept of a Warrant Canary. We have one.
Moons and controllers serve a different purpose, both are needed for zerotier to be useful. Moons facilitate connections between peers (VL1) and controllers provide network configurations like local IP addresses and what nodes are allowed to form part of them (VL2). Read the manual for more info https://www.zerotier.com/manual/ .
I don't really understand the question, but I can tell you ZeroTier's "earth" servers are defined with IP addresses in the code, no DNS names iirc. If you want to reach other computers on an isolated network you can set up a "moon" or add IP address hints to the local.conf file.
Those are the ZeroTier root servers. They're how nodes find each other.
https://www.zerotier.com/manual/#2_1_1
Try:
zerotier-cli listpeers
in your terminal and look for the PLANETS
it is likely trying to establish a connection with the roots, I advise reading the documentation at https://www.zerotier.com/manual/ to get a better understanding of what zerotier is, how it works and what exactly it does.
I am interested in this but seems the link is now dead. Could you post any hints how to do that.
Dead link: https://www.zerotier.com/community/topic/77/how-to-define-trusted-paths-for-internal-sdn-use-1-1-12
Thanks for your help!
> ZT network IPs on my.zerotier.com
Is this referring to the "Managed IP" number starting with 10.147.etc. on the Network page? or the 10 digit alpha-numeric "Address" I am seeing?
>which you'd use to access each of your devices
Am I supposed to use the standard ssh commands for this, but instead providing the ZT network IP you mentioned? Section 5.1.3 Communicating with peers in the manual doesn't seem to have a lot of detail. Is there a command/ series of commands to use with the zerotier-cli terminal interface that will allow me to work on the other machines on the network?
These are the docs I'm referencing: https://www.zerotier.com/manual.shtml
Thanks again!
Interesting...
There's a rule you can use: drop not chr ipauth
https://www.zerotier.com/manual.shtml#3_4_1
> In addition the not chr ipauth condition drops traffic between IP addresses that have not been assigned by ZeroTier to their respective sources or destinations, blocking all IP spoofing.
So I don't know offhand the cmds to check the connections to see if you are going through their proxy instead of a direct connection. Something like $zerotier-one listpeers. You should see connections to their servers + a direct between the two devices.
I think the port zt uses by default is udp/9993. Try forwarding that to one of the devices and see if that helps.
If you can't get either to connect still I would look into making your own moon on a cheap vps server where you can control the firewall.
hey, it can be tricky with TCP connections, because traffic flows in both directions. I think there are other ports involved with RDP too.
Steal from this section
https://www.zerotier.com/manual.shtml#3_4_1
(maybe invert the rules so you _accept_ RDP and drop the rest)
Unfortunately I don't have an example for this one. Post your results!
hi, You can tell it to blacklist interfaces with the local.conf file: https://www.zerotier.com/manual.shtml#4_2
You can manually start zerotier in different home directories. See help at:
/var/lib/zerotier-one/zerotier-one -h
Not sure exactly how it's going to act though. Depending on what you're doing you could put one instance in some virtual thing like a docker, vm, linux network namespace... enjoy
Built in multipath features coming soon ™️
victorhooi, you actually can setup your own "local relay". In Zerotier parlance, you can create a moon. This allows you to create your own root definition, which will append your local root to the global roots. Clients will choose whatever is available and most performant.
If you want a completely disconnected Zerotier, you can actually do that too, but it's a little more complicated, as it's not an official feature yet. It's on the roadmap for 1.4.
The scenario that would relay traffic through their root servers is exceedingly rare... Only in situations where NAT cannot reliably be traversed.
I am having issues with that myself, but I'll admit it is due to uncommon complexities in my environment.
I highly recommend reading their blog article on NAT Traversal. https://www.zerotier.com/blog/state-of-nat-traversal.shtml
We now offer a way to segment your network into departments using our traffic rules engine.
I would like to refer you to the Manual first.
But the relevant sections are: Rules Engine
For instance, you could use the following to allow communication only between computers in the same department (even if they all inhabit the same ZeroTier network):
tag department id 1000 enum 100 sales enum 200 marketing enum 300 accounting enum 400 engineering ;
accept tdiff department 0 ;
You'd then apply a department tag to each device you want to limit.
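A small evaluator for the rule snippets quoted in this thread (the UDP lockdown built on the udpserver tag, and the department tdiff rule), written here as an added illustration; it is not ZeroTier's own rules engine, and the and/or, break and default-drop semantics it models are assumptions stated in its docstring.

```python
"""Toy evaluator for the ZeroTier rule snippets quoted in this thread (an added
illustration, not ZeroTier's rules engine). Modelled assumptions: rules run top
to bottom; inside a rule, conditions combine left to right with and/or and no
precedence; 'break' in the base rule set and running off the end both drop;
a member that lacks a tag gets the tag's declared default (0 if none)."""


def parse(text):
    """Parse the subset of the rule language used on this page into
    (tag_defaults, rules); a rule is (action, [cond_words | 'and' | 'or'])."""
    defaults, rules = {}, []
    for stmt in text.split(";"):
        w = stmt.split()
        if not w:
            continue
        if w[0] == "tag":                 # tag NAME id N [enum V NAME]* [default V]
            defaults[w[1]] = int(w[w.index("default") + 1]) if "default" in w else 0
            continue
        parts, cur = [], []
        for tok in w[1:]:
            if tok in ("and", "or"):
                parts, cur = parts + [cur, tok], []
            else:
                cur.append(tok)
        rules.append((w[0], parts + ([cur] if cur else [])))
    return defaults, rules


def cond(words, pkt, src, dst, defaults):
    """Evaluate one condition; pkt is a dict, src/dst are member tag dicts."""
    neg = words[0] == "not"
    kind, args = words[1 if neg else 0], words[2 if neg else 1:]
    if kind in ("ethertype", "ipprotocol"):
        hit = pkt.get(kind) == args[0]
    elif kind == "chr":
        hit = bool(pkt.get(args[0]))            # e.g. 'chr multicast'
    elif kind in ("tor", "tdiff"):              # sender/receiver tag values
        a = src.get(args[0], defaults.get(args[0], 0))
        b = dst.get(args[0], defaults.get(args[0], 0))
        want = int(args[1])
        hit = (a | b) == want if kind == "tor" else abs(a - b) == want
    else:
        raise ValueError("unsupported condition: " + " ".join(words))
    return hit != neg


def verdict(ruleset, pkt, src, dst):
    """Return 'accept' or 'drop' for one frame from src to dst."""
    defaults, rules = ruleset
    for action, parts in rules:
        matched, combine = True, "and"
        for part in parts:
            if part in ("and", "or"):
                combine = part
            else:
                hit = cond(part, pkt, src, dst, defaults)
                matched = (matched and hit) if combine == "and" else (matched or hit)
        if matched:
            return "accept" if action == "accept" else "drop"   # break/drop
    return "drop"                                # nothing matched: default drop


# The two rule sets quoted in the thread. UDP_LOCKDOWN gets a trailing
# 'accept;' (my addition) so non-UDP traffic is not lost to the default drop.
UDP_LOCKDOWN = parse("""tag udpserver id 1000 default 0 ;
accept ipprotocol udp and tor udpserver 1 or chr multicast ;
break ipprotocol udp ; accept ;""")
DEPARTMENT = parse("""tag department id 1000 enum 100 sales enum 200 marketing
enum 300 accounting enum 400 engineering ; accept tdiff department 0 ;""")

if __name__ == "__main__":
    dns, laptop = {"udpserver": 1}, {}
    print(verdict(UDP_LOCKDOWN, {"ipprotocol": "udp"}, laptop, dns))        # accept
    print(verdict(UDP_LOCKDOWN, {"ipprotocol": "udp"}, laptop, {}))         # drop
    print(verdict(DEPARTMENT, {}, {"department": 100}, {"department": 400}))  # drop
```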
I see Veeam as an industry-leading backup solution. You can try backup VMs with Veeam for free. Its Community Edition is free for 10 VMs. https://www.veeam.com/virtual-machine-backup-solution-free.html
Please note, I do work for PaperCut. We have a free solution called Mobility Print that will allow you to print remotely: https://www.papercut.com/products/free-software/mobility-print/
If you have a computer that has local access to your printer, then install Mobility Print on it. You can then create an invite for the client laptop to print remotely. Mobility Print will then create an encrypted peer-to-peer connection to send your print jobs.
(Edit) Printing is native from any application, you don't have to rely on emails.
I'll try your suggestions and report back.
To answer your NAS question. It's one of these: https://amazon.com/gp/product/B0012J0MYW/ref=oh_aui_detailpage_o00_s00?ie=UTF8&psc=1
Theory is sound: with a UK IP address you won't get blocked. When I lived in Spain I used a RPi4 running PiVPN (one single command line to install, post install of Pi OS); you can have multiple users. I used a Firestick with a sideloaded OpenVPN for Android client in Spain.
This is the right answer. ZeroTier can work in that way but you need to route all connections on the client via a node that can then route to the Internet.
I currently run ZeroTier on my home router and no other devices on my LAN.
It acts as a gateway to:
- the other devices on the LAN using their regular IP addresses, acting like a VPN server into the LAN; and
- if the client has Enable Default Route selected, to the Internet, acting like a WAN gateway.
In this mode all my Internet connections exit via the public IP that my home ISP gives me, making it look to the outside world like I'm still there.
This allows me to SSH into my lan, watch stuff on Plex, etc without changing any settings or IPs. It also allows me to transparently use my local PiHole for DNS wherever I am, and eventually I plan to run a Bitwarden server in that same way.
Finally, if I wish to do so, I can access content that’s geo-fenced to where I live regardless of where I am.
It can also act as a layer of protection if I’m on public WiFi or another untrusted network, which is one of the use cases of commercial VPNs (Mullvad, PrivateInternetAccess, etc) without paying extra and without having to trust the VPN provider, assuming I’m happy to trust my ISP instead.
I have never used ZeroTier as a full tunnel VPN.
I use it to access my lab from various networks and it works. For full VPN I use Mullvad, which I'd recommend instead.
It's definitely doable though, if you really want to.
I don't see why that would be a problem unless you are trying to do "full tunnel" with ZeroTier via an exit gateway on the ZeroTier network. In that case they're going to play rock-paper-scissors in your routing table.
You'll have to look into what NordVPN is doing. Posting some outputs from ip route and ip -6 route may help. Also make sure NordVPN is not shoving anything weird into iptables/ip6tables etc.