Differences
This shows you the differences between two versions of the page.
| docs:guide-user:services:vpn:zerotier [2023/03/21 20:05] – ↷ Page moved and renamed from docs:guide-user:services:vpn:zerotier:start to docs:guide-user:services:vpn:zerotier tmomas | docs:guide-user:services:vpn:zerotier [2024/10/18 14:51] – [Basic Configuration] andrewz | ||
|---|---|---|---|
| Line 1: | Line 1: | ||
| ====== Zerotier ====== | ====== Zerotier ====== | ||
| - | Zerotier creates a virtual network between hosts. | + | Zerotier creates a virtual network between hosts. You may refer to [[https:// |
| ===== Installation ===== | ===== Installation ===== | ||
| Line 10: | Line 10: | ||
| ===== Basic Configuration ===== | ===== Basic Configuration ===== | ||
| - | * Create | + | * Create virtual network on [[https:// |
| - | * Add the virtual network to the Openwrt | + | * Add virtual network to the OpenWrt |
| + | |||
| + | For ZeroTier version 1.14.0 or older: | ||
| < | < | ||
| - | uci add zerotier | + | uci delete zerotier.sample_config |
| - | uci add_list zerotier.@my_new_network[-1].join=<network_id_from_zerotier_central> | + | uci add zerotier |
| - | uci set zerotier.@my_new_network[-1].enabled=' | + | uci add_list zerotier.my_zt_net.join=<network_id> |
| + | uci set zerotier.my_zt_net.enabled=' | ||
| uci commit zerotier | uci commit zerotier | ||
| - | / | + | service |
| </ | </ | ||
| - | | + | |
| - | * Typical communication with Zerotier peers will happen on UDP port 9993, and no additional configuration is needed for an out-of-the-box router configuration. | + | For ZeroTier version 1.14.1 or newer: |
| + | < | ||
| + | uci set zerotier.global.enabled=' | ||
| + | uci delete zerotier.earth | ||
| + | uci set zerotier.my_zt_net=network | ||
| + | uci set zerotier.my_zt_net.id=< | ||
| + | uci commit zerotier | ||
| + | service zerotier restart | ||
| + | </ | ||
| + | |||
| + | | ||
| + | * Typical communication with Zerotier peers will happen on port 9993/udp, and no additional configuration is needed for an out-of-the-box router configuration. | ||
| * To use the virtual network, the device must be authorized on Zerotier Central by clicking the " | * To use the virtual network, the device must be authorized on Zerotier Central by clicking the " | ||
| - | * Device connectivity can be seen by using the "status" command | + | * Device connectivity |
| < | < | ||
| - | zerotier-cli | + | root@OpenWrt# |
| + | 200 info xxxxxxxxxx 1.14.0 ONLINE | ||
| </ | </ | ||
| * Some services (eg dropbear, luci) may need to be reconfigured to allow access from the new Zerotier virtual interface. The easy way is to un-restrict them from specific networks/ | * Some services (eg dropbear, luci) may need to be reconfigured to allow access from the new Zerotier virtual interface. The easy way is to un-restrict them from specific networks/ | ||
| * For dropbear (allow access from anywhere, potentially unsafe): | * For dropbear (allow access from anywhere, potentially unsafe): | ||
| < | < | ||
| - | cat / | + | root@OpenWrt# |
| config dropbear | config dropbear | ||
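Review bot: in the "ZeroTier version 1.14.0 or older" block, `uci add zerotier` (cut off in this rendering) followed by `uci add_list zerotier.my_zt_net.join=<network_id>` only works if a named section `my_zt_net` already exists; if that line is `uci add zerotier zerotier` it creates an anonymous section, and the two `zerotier.my_zt_net.*` lines that follow fail with an entry-not-found error. Creating the section as `uci set zerotier.my_zt_net=zerotier` makes the named references valid, matching how the 1.14.1 block does it with `uci set zerotier.my_zt_net=network`. Also, `uci delete zerotier.sample_config` and `uci delete zerotier.earth` print an error on a config that was already edited; the firewall block later on this page uses `uci -q delete`, and the same `-q` would keep these steps quiet and safely re-runnable. Finally, the previous revision spelled out `<network_id_from_zerotier_central>`; the new blocks should say that `<network_id>` is the 16-digit Network ID from ZeroTier Central, since the authorization and interface-name steps below depend on it.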
| Line 35: | Line 50: | ||
| option Port ' | option Port ' | ||
| </ | </ | ||
| + | |||
| + | :!: You must reboot OpenWrt router at this point otherwise '' | ||
| + | |||
| + | After reboot get the device name using your 16-digit Network ID: | ||
| + | < | ||
| + | root@OpenWrt# | ||
| + | ztXXXXXXXX | ||
| + | </ | ||
| + | |||
| + | Alternatively run '' | ||
| <code bash> | <code bash> | ||
| - | # Configure firewall | + | # Create interface |
| - | uci -q delete | + | uci -q delete |
| - | uci set firewall.vpn="zone" | + | uci set network.ZeroTier=interface |
| - | uci set firewall.vpn.name="vpn" | + | uci set network.ZeroTier.proto=' |
| - | uci set firewall.vpn.input=" | + | uci set network.ZeroTier.device=' |
| - | uci set firewall.vpn.output="ACCEPT" | + | |
| - | uci set firewall.vpn.forward=" | + | # Configure firewall zone |
| - | uci set firewall.vpn.masq="1" | + | uci add firewall |
| - | uci set firewall.vpn.mtu_fix=" | + | uci set firewall.@zone[-1].name='vpn' |
| - | uci add_list firewall.vpn.device=" | + | uci set firewall.@zone[-1].input=' |
| - | uci -q delete | + | uci set firewall.@zone[-1].output='ACCEPT' |
| - | uci set firewall.ssh=" | + | uci set firewall.@zone[-1].forward=' |
| - | uci set firewall.ssh.name=" | + | uci set firewall.@zone[-1].masq='1' |
| - | uci set firewall.ssh.src="vpn" | + | uci add_list |
| - | uci set firewall.ssh.dest_port=" | + | uci add firewall |
| - | uci set firewall.ssh.proto=" | + | uci set firewall.@forwarding[-1].src=' |
| - | uci set firewall.ssh.target=" | + | uci set firewall.@forwarding[-1].dest=' |
| - | uci commit | + | uci add firewall forwarding |
| - | / | + | uci set firewall.@forwarding[-1].src='vpn' |
| + | uci set firewall.@forwarding[-1].dest=' | ||
| + | uci add firewall forwarding | ||
| + | uci set firewall.@forwarding[-1].src=' | ||
| + | uci set firewall.@forwarding[-1].dest=' | ||
| + | |||
| + | # Commit changes | ||
| + | uci commit | ||
| + | |||
| + | # Reboot | ||
| + | reboot | ||
| </ | </ | ||
| ===== Advanced Configuration ===== | ===== Advanced Configuration ===== | ||
| + | |||
| + | The [[https:// | ||
| While basic uci configuration of ZeroTier as shown above is supported, almost no advanced configuration support via uci has yet been added. The ZeroTier documentation requires manipulation of the configuration files for many advanced features. However, ZeroTier configurations are stored by default under /var/lib in Linux-based systems, which is a temporary filesystem in OpenWrt, where changes are not persistent. Instead, ordinarily OpenWrt writes a new configuration folder in that location based on the uci configuration above each time the service is started. These configuration files are lost on reboot or service restart, and rewritten each time the service starts again. For a basic configuration which will suit most users, this is not an issue. | While basic uci configuration of ZeroTier as shown above is supported, almost no advanced configuration support via uci has yet been added. The ZeroTier documentation requires manipulation of the configuration files for many advanced features. However, ZeroTier configurations are stored by default under /var/lib in Linux-based systems, which is a temporary filesystem in OpenWrt, where changes are not persistent. Instead, ordinarily OpenWrt writes a new configuration folder in that location based on the uci configuration above each time the service is started. These configuration files are lost on reboot or service restart, and rewritten each time the service starts again. For a basic configuration which will suit most users, this is not an issue. | ||
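Review bot: the firewall block now creates the zone and the three forwarding entries as anonymous sections (`uci add firewall zone` then `uci set firewall.@zone[-1].name='vpn'`, and `uci add firewall forwarding` three times, one with `src='vpn'`), while the only cleanup is the `uci -q delete` of the network interface, so running the block a second time appends a duplicate `vpn` zone and duplicate forwardings instead of replacing them; the previous revision's named sections (`uci -q delete firewall.vpn` followed by `uci set firewall.vpn="zone"`) were idempotent and are the safer form for a copy-paste guide. Two other differences deserve a sentence in the text: `mtu_fix` was dropped from the zone even though forwarding rules were added, and the single `firewall.ssh` rule (src vpn, one dest_port) was replaced by zone-to-zone forwardings whose destination zones are cut off here. Forwarding from the vpn zone into another zone gives every authorized ZeroTier member the reach of that zone, which is a wider default than the earlier ssh-only rule, so the page should state plainly what the forwardings open and let readers keep the narrower rule if that is all they need.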
| Line 75: | Line 112: | ||
| uci set zerotier.deadbeef00.copy_config_path=' | uci set zerotier.deadbeef00.copy_config_path=' | ||
| uci commit zerotier | uci commit zerotier | ||
| - | / | + | service |
| </ | </ | ||
| The router will now refer to the configuration in / | The router will now refer to the configuration in / | ||