Differences

docs:guide-user:services:vpn:zerotier:start [2022/11/04 05:51] – Configure firewall vgaeteradocs:guide-user:services:vpn:zerotier [2024/10/18 14:55] – [Basic Configuration] andrewz
Line 1: Line 1:
 ====== Zerotier ====== ====== Zerotier ======
  
-Zerotier creates a virtual network between hosts.+Zerotier creates a virtual network between hosts. You may refer to [[https://github.com/mwarning/zerotier-openwrt/wiki|zerotier-openwrt's official Wiki]] for the latest instructions.
  
-==== Installation ====+===== Installation =====
 <code> <code>
 opkg update opkg update
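Review bot: the heading change from `==== Installation ====` to `===== Installation =====` makes the section a direct child of the `======` page title, and it is consistent with the `===== Advanced Configuration =====` section added later in this revision, so this is fine as a style point. The added sentence defers readers to the external zerotier-openwrt wiki for "the latest instructions", which lets this page and that wiki diverge silently; consider stating which of the two is authoritative for the OpenWrt package, or dropping "latest" so the link reads as a reference rather than a supersession.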
Line 9: Line 9:
 </code> </code>
  
-==== Basic Configuration ==== +===== Basic Configuration ===== 
-  * Create the virtual network on [[https://my.zerotier.com|Zerotier Central]]. Note the //Network ID//. +  * Create virtual network on [[https://my.zerotier.com|Zerotier Central]]. Note the 16-digit //Network ID//. 
-  * Add the virtual network to the Openwrt zerotier config+  * Add virtual network to the OpenWrt zerotier config (the section name ''my_zt_net'' is arbitrary, you can consistently replace it with whatever label you want) 
 + 
 +For ZeroTier version 1.14.0 or older:
 <code> <code>
-uci add zerotier my_new_network +uci delete zerotier.sample_config 
-uci add_list zerotier.@my_new_network[-1].join=<network_id_from_zerotier_central+uci add zerotier my_zt_net 
-uci set zerotier.@my_new_network[-1].enabled='1'+uci add_list zerotier.my_zt_net.join=<network_id
 +uci set zerotier.my_zt_net.enabled='1'
 uci commit zerotier uci commit zerotier
-/etc/init.d/zerotier restart+service zerotier restart
 </code> </code>
-  * When a new virtual network is joined, a secret will be generated, which may take a while. When it's finished, the secret will be saved in /etc/config/zerotier, and the device will join the virtual network. + 
-    * Typical communication with Zerotier peers will happen on UDP port 9993, and no additional configuration is needed for an out-of-the-box router configuration.+For ZeroTier version 1.14.1 or newer:  
 +<code> 
 +uci set zerotier.global.enabled='1' 
 +uci delete zerotier.earth 
 +uci set zerotier.my_zt_net=network 
 +uci set zerotier.my_zt_net.id=<network_id> 
 +uci commit zerotier 
 +service zerotier restart 
 +</code> 
 + 
 +  * When a new virtual network is joined, a //secret// will be generated, which may take a while. When it's finished, the //secret// will be saved in ''/etc/config/zerotier'', and the device will join the virtual network. 
 +  * Typical communication with Zerotier peers will happen on port 9993/udp, and no additional configuration is needed for an out-of-the-box router configuration.
   * To use the virtual network, the device must be authorized on Zerotier Central by clicking the "Auth?" box next to the device under Members   * To use the virtual network, the device must be authorized on Zerotier Central by clicking the "Auth?" box next to the device under Members
-  * Device connectivity can be seen by using the "status" command+  * Device connectivity (or ONLINE status) can be seen by using the "info" command:
 <code> <code>
-zerotier-cli status+root@OpenWrt# zerotier-cli info 
 +200 info xxxxxxxxxx 1.14.0 ONLINE
 </code> </code>
   * Some services (eg dropbear, luci) may need to be reconfigured to allow access from the new Zerotier virtual interface. The easy way is to un-restrict them from specific networks/interfaces.   * Some services (eg dropbear, luci) may need to be reconfigured to allow access from the new Zerotier virtual interface. The easy way is to un-restrict them from specific networks/interfaces.
     * For dropbear (allow access from anywhere, potentially unsafe):     * For dropbear (allow access from anywhere, potentially unsafe):
 <code> <code>
-cat /etc/config/dropbear +root@OpenWrt# cat /etc/config/dropbear
  
 config dropbear config dropbear
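Review bot: the placeholder on the line `uci add_list zerotier.my_zt_net.join=<network_id` is missing its closing `>`, unlike `<network_id>` in the 1.14.1+ block below it, so a reader pasting it as written stores a literal `<network_id` value. Two further points: `uci delete zerotier.sample_config` and `uci delete zerotier.earth` error out if the sample section is already gone, so the `uci -q delete` form used in the firewall block later on the page is the safer choice for a copy-paste recipe. And the dropbear step, which the text itself labels "potentially unsafe", un-restricts the SSH service from specific interfaces, which makes the router rely entirely on the firewall's zone policy to keep SSH off untrusted interfaces; the preferable pattern is to leave dropbear restricted and open port 22 from the vpn zone with an explicit firewall rule, which is what the `Allow-SSH` rule removed from the firewall block later in this revision did.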
Line 35: Line 50:
  option Port '22'  option Port '22'
 </code> </code>
 +
 +:!: You must reboot OpenWrt router at this point otherwise ''ztXXXXXXXX'' network device won't be created.
 +
 +After reboot get the device name using your 16-digit Network ID:
 +<code>
 +root@OpenWrt# zerotier-cli get {network_id} portDeviceName
 +ztXXXXXXXX
 +</code>
 +
 +Alternatively run ''zerotier-cli listnetworks'', that will give you the same name plus more details.
  
 <code bash> <code bash>
-Configure firewall +Create interface 
-uci -q delete firewall.vpn +uci -q delete network.ZeroTier 
-uci set firewall.vpn="zone" +uci set network.ZeroTier=interface 
-uci set firewall.vpn.name="vpn" +uci set network.ZeroTier.proto='none' 
-uci set firewall.vpn.input="REJECT" +uci set network.ZeroTier.device='ztXXXXXXXX' # Replace ztXXXXXXXX with your own ZeroTier device name 
-uci set firewall.vpn.output="ACCEPT" + 
-uci set firewall.vpn.forward="REJECT" +# Configure firewall zone 
-uci set firewall.vpn.masq="1" +uci add firewall zone 
-uci set firewall.vpn.mtu_fix="1+uci set firewall.@zone[-1].name='vpn' 
-uci add_list firewall.vpn.device="zt+" +uci set firewall.@zone[-1].input='ACCEPT' 
-uci -q delete firewall.ssh +uci set firewall.@zone[-1].output='ACCEPT' 
-uci set firewall.ssh="rule" +uci set firewall.@zone[-1].forward='ACCEPT' 
-uci set firewall.ssh.name="Allow-SSH" +uci set firewall.@zone[-1].masq='1' 
-uci set firewall.ssh.src="vpn" +uci add_list firewall.@zone[-1].network='ZeroTier' 
-uci set firewall.ssh.dest_port="22" +uci add firewall forwarding 
-uci set firewall.ssh.proto="tcp" +uci set firewall.@forwarding[-1].src='vpn' 
-uci set firewall.ssh.target="ACCEPT" +uci set firewall.@forwarding[-1].dest='lan' 
-uci commit firewall +uci add firewall forwarding 
-/etc/init.d/firewall restart+uci set firewall.@forwarding[-1].src='vpn' 
 +uci set firewall.@forwarding[-1].dest='wan' 
 +uci add firewall forwarding 
 +uci set firewall.@forwarding[-1].src='lan' 
 +uci set firewall.@forwarding[-1].dest='vpn' 
 + 
 +# Commit changes 
 +uci commit 
 + 
 +# Reboot 
 +reboot
 </code> </code>
 +
 +===== Advanced Configuration =====
 +
 +The [[https://github.com/openwrt/packages/blob/master/net/zerotier/files/etc/config/zerotier|sample configuration]] is helpful to see which uci options are available for configuring the ZeroTier client.
 +
 +While basic uci configuration of ZeroTier as shown above is supported, almost no advanced configuration support via uci has yet been added. The ZeroTier documentation requires manipulation of the configuration files for many advanced features. However, ZeroTier configurations are stored by default under /var/lib in Linux-based systems, which is a temporary filesystem in OpenWrt, where changes are not persistent. Instead, ordinarily OpenWrt writes a new configuration folder in that location based on the uci configuration above each time the service is started. These configuration files are lost on reboot or service restart, and rewritten each time the service starts again. For a basic configuration which will suit most users, this is not an issue.
 +
 +In order to configure advanced features, two uci directives may be used to configure OpenWrt to load a copy of a persistent configuration folder from another location when starting the service, such as /etc/zerotier, which the user must first create and populate based on the simple copy made upon first joining a network. Once this persistent location is configured, the user may make persistent changes according to the ZeroTier documentation, with support for all current features otherwise enabled.
 +
 +  * Complete the basic configuration steps above to joint a working network, which will create a temporary copy of the configuration folder with which to start.
 +  * Create the persistent folder in any permanent location (/etc/zerotier will be used for this example), and copy the contents of the temporary folder to the permanent location:
 +<code bash>
 +mkdir /etc/zerotier
 +cp -r /var/lib/zerotier-one/* /etc/zerotier/
 +</code>
 +  * Add the directives to use the new persistent folder. The network name //deadbeef00// will be used, similar to most ZeroTier documentation examples:
 +<code bash>
 +uci set zerotier.deadbeef00.config_path='/etc/zerotier'
 +uci set zerotier.deadbeef00.copy_config_path='1'
 +uci commit zerotier
 +service zerotier restart
 +</code>
 +
 +The router will now refer to the configuration in /etc/zerotier for persistent advanced changes. Restarting the service after any configuration changes using the last line above will reset and apply any changes made. Do not attempt to edit the configuration in the /var/lib/zerotier-one location, as this temporary location will still be overwritten on restart by the configuration in the new persistent directory.
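Review bot: the replacement firewall block turns the vpn zone from `input='REJECT'` / `forward='REJECT'` with a single `Allow-SSH` rule (tcp/22 from vpn) into `input='ACCEPT'` / `forward='ACCEPT'`, adds vpn-to-lan and vpn-to-wan forwardings and keeps `masq='1'`; the net effect is that any ZeroTier member authorized on Zerotier Central gets unrestricted access to every service on the router, to the whole LAN, and to the internet with the router acting as a NAT exit. That may be intended for a site-to-site setup, but the page should say so, and the safer default is to keep `input` and `forward` at REJECT and add per-service rules like the removed `Allow-SSH` one, opening only what is needed. Smaller points in the same hunk: the first line of the `<code bash>` block, `Create interface`, has no leading `#`, so the block fails if pasted as a script (the old block had the same defect with `Configure firewall`); `zerotier-cli get {network_id} portDeviceName` uses `{...}` for the placeholder where the rest of the page uses `<...>`; `uci commit` with no argument commits every pending change in every config, not just network and firewall; and the Advanced Configuration block sets `config_path` and `copy_config_path` on a section named `deadbeef00`, which the basic steps above never create (they create `my_zt_net`), so a reader following the page in order sets options on a section that does not exist. Check the linked sample configuration for whether these two options belong to the global section or to a per-network section, and reuse `my_zt_net` in the example either way. Typo: "joint a working network" should read "join".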
  • Last modified: 2024/10/18 14:58
  • by andrewz