• 0 Votes
    6 Posts
    906 Views
    DashrenderD

    @JaredBusch said in Zerotier installs but no conectivity on Fedora 38:

    @syko24 said in Zerotier installs but no conectivity on Fedora 38:

    @JaredBusch - I know their site says Windows, but maybe something related with the firewall rules getting messed up.

    https://discuss.zerotier.com/t/attention-zerotier-on-windows-users-please-update-your-client-s-to-1-10-6-or-later/12706

    I temporarily shut down firewalld on both systems as well as disabled selinux.

    While I doubt it's the issue - ZT has its own firewall rules, any possible issue there?

  • ZeroTier One v1.8.5 fails on Fedora 35+

    IT Discussion
    1
    6 Votes
    1 Posts
    354 Views
    No one has replied
  • ZeroTier vulnerability found and fixed

    News
    1
    4 Votes
    1 Posts
    468 Views
    No one has replied
  • ZeroTier 1.6.0 spiking bandwidth

    Solved IT Discussion
    4
    0 Votes
    4 Posts
    539 Views
    JaredBuschJ

    For some reason, it would not downgrade like normal within chocolatey

    So I did an uninstall, reinstall of version 1.4.6, then pinned version 1.4.6 so it will not upgrade when the daily task fires that upgrades all packages.

    choco uninstall zerotier-one -y
    choco install zerotier-one --version=1.4.6 -y
    choco pin add -n=zerotier-one

    Of course I did it all via ScreenConnect.


    This is what a pin does:

  • 1 Votes
    11 Posts
    1k Views
    siringoS

    Sorted this out.
    For some reason the install was setting Allow Global IP and Allow Default Route.
    Once I unticked these and ticked All Managed IP it all began working.

  • ZeroTier Own network controller // connection

    IT Discussion
    18
    1 Votes
    18 Posts
    3k Views
    M

    @stacksofplates
    basically you have to update the planet definition and also include the public identity into the fold. Then they find each other and are online. I will now try to make it work as a cluster. Keep this post updated...

  • ZeroTier Flow Rules

    Solved IT Discussion
    15
    0 Votes
    15 Posts
    5k Views
    I

    Sorry about dragging this old topic back, but it is probably the most relevant to what I'm looking for.

    I have been trying to get the ZeroTier FlowRules to work but must be doing something wrong. My ruleset is very close to what @JaredBusch has, but the ZeroTier nodes don't work as expected.

    When I leave the final accept statement, ZeroTier passes all traffic. When I comment out that last accept all traffic stops.

    # Allow only IPv4, IPv4 ARP
    # drop
    #   not ethertype ipv4
    #   and not ethertype arp
    # Drop IPv6 Ethernet frames.
    #   and not ethertype ipv6
    # ;
    #
    #
    # Uncomment to drop non-ZeroTier issued and managed IP addresses.
    #
    # This prevents IP spoofing but also blocks manual IP management at the OS level and
    # bridging unless special rules to exempt certain hosts or traffic are added before
    # this rule.
    #
    #drop
    #   not chr ipauth
    #;

    accept
      ipprotocol tcp
      and dport 80
    ;

    # Accept anything else. This is required since default is 'drop'.
    accept;

    Any help on what I'm doing wrong will be greatly appreciated.

  • 0 Votes
    5 Posts
    2k Views
    B

    @syko24 said in Zerotier on Windows firewall rule question ...:

    @BraswellJay - check which firewall profile is selected for your ZeroTier interface. Is it set for public on your computer or the computer you are trying to access?

    They are set to work networks on both:


    All of the firewall rules are set to apply to all profiles:


  • 0 Votes
    88 Posts
    9k Views
    DashrenderD

    @krisleslie said in Anyone figured out how to ZeroTier with AD?:

    @Dashrender all ubnt

    They have two models, the unifi USGs and the EdgeRouter series - which are you sporting?

  • 0 Votes
    82 Posts
    7k Views
    FATeknollogeeF

    Update: this is what I ended up with.
    Route based VPN using this guide as a template.

    Master site: 1x ER 12 + 1x ER 4
    Sites A, B, C & D: 1x ER4 each location
    Colo: 1x ER4 & 1x pfSense (SM x10SDV-TLN4F+)

  • ZeroTier File Transfer Speed

    IT Discussion
    49
    1 Votes
    49 Posts
    7k Views
    JaredBuschJ

    Conveniently, he can also do the same over the ZT network so that he has speed tests from the same tool on both networks.

  • Zerotier failing to start after upgrade

    IT Discussion
    16
    0 Votes
    16 Posts
    2k Views
    travisdh1T

    @adam-ierymenko said in Zerotier failing to start after upgrade:

    Do an update. We released new binary builds for Linux that should address this.

    Sorry for resurrecting an old thread, but new installs are having the same selinux issue. Took some digging for me to figure out what was going on. Multiple attempts to install on Fedora 33.

  • ZeroTier vs VPN

    IT Discussion
    18
    0 Votes
    18 Posts
    5k Views
    KellyK

    @Pete-S said in ZeroTier vs VPN:

    @Kelly said in ZeroTier vs VPN:

    In the strictest sense ZT is a VPN. It is just a one to one IaaS that is routed through the cloud on ZT's systems instead of your edge. You can achieve the same effective security through rules on most VPN servers. ZT just makes it simpler, and reduces your ongoing effort assuming that 1 to 1 or 1 to few is your primary access model.

    I haven't used it but why does ZT make it easier? You have to install it on every machine you want access to, right? And I assume you have to set up some kind of routing on a computer if you want access to something on the network where you can't install ZT, like an appliance or something like an iLO interface.

    With an OpenVPN (SSL VPN) connection through the firewall you have a routable VPN and no NAT problems. You can put whatever access to whatever resources you want without installing anything anywhere. And you have everything in one place.

    I thought ZT was a peer to peer network. So it would make most sense when there are no LAN or central resources and everything is spread out. But that's not the network layout in this case.

    You do have to install it on every machine. It is easier in the sense that to achieve the same level of lockdown paired with user specific access you would need to do a fair bit of work on your edge and keep it maintained. Deploying software to clients should be pretty straightforward if you're using quality tools: https://chocolatey.org/packages/zerotier-one.

  • ZeroTier Site-To-Site

    IT Discussion
    15
    8 Votes
    15 Posts
    8k Views
    M

    @mukky said in ZeroTier Site-To-Site:

    Bro @dafyre,
    You make my life much easier...
    Thank you !!

    After so much hassle to achieve opnsense site2site, I found this posting solved the problems with 2 essential modifications as follows:

    Two essential steps:

    Enable IP_Forward:
    in FreeBSD we have to edit /etc/defaults/rc.conf
    change from gateway_enable="NO" to gateway_enable="YES"

    Set up the Site Routes at the Routers for Site A and Site B
    it is configured and implemented in the opnsense router section

    @dafyre, since nobody covers this on opnsense, I think it would be wonderful if you could make this video on youtube as well

    Good Luck !!

    I was struggling for a month to figure it out, not much info on the internet nor tutorials regarding zerotier for site2site. Eventually I succeeded in making it work.

    The key points to set on opnsense are:

    you have to install zerotier plugin

    you have to make your own network on your zerotier account

    you have to enable zerotier on your opnsense and add a zerotier connection in it to join your own network.

    you have to assign a network for zerotier - don't forget to "check" Enable Interface and Prevent interface removal. Also you have to put a static IP which is the same IP address as shown on your zerotier joined network.

    you have to put firewall rule for zerotier to accept any incoming traffic

    you have to put firewall rule for WAN/ISP to accept any incoming traffic from specific source "Ztier.net"

    in some cases it requires booting/restarting your opnsense to take effect.

    the settings above will allow any incoming connection from any remote device via zerotier towards your opnsense IP address. (Ref: opnsense IP address = IP address of WAN/ISP). As a result, you can remote access your opnsense via laptop from another city / ISP (laptop must have a zerotier connection and have joined the same network too). On your laptop you will be able to access your opnsense by its IP address assigned by zerotier.

    in the case, for example, that there is a NAS behind the opnsense that you want to access remotely,....... then you only have to open your zerotier account and put a route rule there

    assumed:

    your NAS local ip address: 192.168.5.10

    NAS local Network on opnsense: LAN-1

    your opnsense ip address assigned by Zerotier: 10.188.22.10

    then you have to put firewall rule for LAN-1 to accept any incoming traffic from specific source "Ztier.net"

    then you have to add "route" on your zerotier account dashboard:

    192.168.5.10/32 via 10.188.22.10

    as a result, from the remote laptop you can remote access:

    a. opnsense by pointing to 10.188.22.10

    b. NAS by pointing to 192.168.5.10

    (laptop must have a zerotier connection and have joined the same network too)

    That's it, good luck !

  • 5 Votes
    52 Posts
    7k Views
    J

    OK peoples. I got this working both ways: LAN > ZT and ZT > LAN. The trick was to configure a source NAT, which you can only do via the command line. Along with destination NAT, a bidirectional NAT is set up. BOOM! Here's my config:

    firewall {
        all-ping enable
        broadcast-ping disable
        group {
            network-group LAN {
                description "Switch LAN"
                network 192.168.50.0/24
            }
            network-group Upstream {
                description "Upstream Network"
                network 10.1.1.0/24
            }
            network-group ZeroTier {
                description "ZeroTier Network"
                network 10.147.20.0/24
            }
        }
        ipv6-receive-redirects disable
        ipv6-src-route disable
        ip-src-route disable
        log-martians enable
        receive-redirects disable
        send-redirects enable
        source-validation disable
        syn-cookies enable
    }
    interfaces {
        ethernet eth0 {
            address 10.1.1.10/24
            description "Local Upstream"
            duplex auto
            speed auto
        }
        ethernet eth1 {
            description Local
            duplex auto
            speed auto
        }
        ethernet eth2 {
            description Local
            duplex auto
            speed auto
        }
        ethernet eth3 {
            description Local
            duplex auto
            speed auto
        }
        ethernet eth4 {
            description Local
            duplex auto
            poe {
                output off
            }
            speed auto
        }
        loopback lo {
        }
        switch switch0 {
            address 192.168.50.1/24
            description Local
            mtu 1500
            switch-port {
                interface eth1 {
                }
                interface eth2 {
                }
                interface eth3 {
                }
                vlan-aware disable
            }
        }
        zerotier ztklh3kllj {
            description ZeroTier
        }
    }
    protocols {
        static {
            route 0.0.0.0/0 {
                next-hop 10.1.1.1 {
                    description "Default Gateway"
                }
            }
        }
    }
    service {
        dhcp-server {
            disabled false
            hostfile-update disable
            shared-network-name LAN2 {
                authoritative enable
                subnet 192.168.50.0/24 {
                    default-router 192.168.50.1
                    dns-server 192.168.50.1
                    lease 86400
                    start 192.168.50.38 {
                        stop 192.168.50.243
                    }
                }
            }
            static-arp disable
            use-dnsmasq disable
        }
        dns {
            forwarding {
                cache-size 150
                listen-on switch0
                name-server 10.1.1.1
            }
        }
        gui {
            http-port 80
            https-port 443
            older-ciphers enable
        }
        nat {
            rule 1 {
                description "ZeroTier DNAT"
                destination {
                    group {
                        network-group ZeroTier
                    }
                }
                inbound-interface ztklh3kllj
                inside-address {
                    address 10.1.1.10
                }
                log disable
                protocol all
                type destination
            }
            rule 5000 {
                description "ZeroTier SNAT"
                log disable
                outbound-interface ztklh3kllj
                outside-address {
                    address 10.147.20.1
                }
                protocol all
                source {
                    group {
                        network-group Upstream
                    }
                }
                type source
            }
        }
        ssh {
            port 22
            protocol-version v2
        }
        unms {
            disable
        }
    }

  • Zerotier issues this morning?

    IT Discussion
    7
    1 Votes
    7 Posts
    731 Views
    JaredBuschJ

    @Reid-Cooper said in Zerotier issues this morning?:

    @wrx7m said in Zerotier issues this morning?:

    My understanding is that once connected, ZT's service doesn't have any impact on the connection. It only brokers(?) the connection.

    That's my understanding. But if the brokering goes down, I imagine that problems crop up pretty quickly.

    Yes because it has to check in fairly often. Otherwise you could have terminated users still with access.

  • ZeroTier package updated in chocolatey

    IT Discussion
    2
    2 Votes
    2 Posts
    418 Views
    scottalanmillerS

    Finally. Very nice.

  • ZeroTier changes?

    IT Discussion
    4
    0 Votes
    4 Posts
    540 Views
    WLS-ITGuyW

    @JaredBusch Thanks, Did you get your October bill?

  • 0 Votes
    17 Posts
    3k Views
    scottalanmillerS

    Now it may be that they had money to flaunt that they could burn in the past, burnt it all, and are now living with the consequences of throwing that money away. But that's a little different. They still felt that throwing money away was worth it at the time. Today, sure, maybe they've run out of money, or maybe they just say that to justify decisions, but at the last time that they were making IT spending decisions....

  • Zerotier Upgrade to 1.2.4

    IT Discussion
    2
    0 Votes
    2 Posts
    555 Views
    JaredBuschJ

    @wls-itguy said in Zerotier Upgrade to 1.2.4:

    Anyone had any issues upgrading from 1.1.14 or 1.2.2 to 1.2.4? I just tried upgrading a machine that was offline for a long time from 1.2.2 to 1.2.4 and it said it was already installed but when I looked in Add/remove programs it still showed 1.2.2.

    Do I need to uninstall 1.2.2 and then install 1.2.4?

    I've had oddball problems here and there, but generally, no.