CoreELEC and ZeroTier: A good couple

If we want to make CoreELEC accessible from the Internet, a serious security problem arises. We can make use of PPTP or OpenVPN servers, but they need access codes and allow access not only to CoreELEC but to our entire home network; if we give our access credentials to a third person, even a trusted one, we are compromising the security of all our data and devices. This is where ZeroTier comes into play. ZeroTier is a free and secure virtual network (it does not exist physically), accessible even behind a CGNAT, where with the help of a web browser we add nodes (devices) and can establish routing and connection rules among them very easily, and all of this without needing passwords.

As it is difficult to explain I will do it with an example.

1.- We install ZeroTier on our first device (CoreELEC), which will be our server (suppose its local IP address is 192.168.1.34). From the web browser we access our ZeroTier network, allow access to that device and assign it the virtual IP 10.10.10.1.

2.- We install ZeroTier on the remaining devices, which will be the clients (their local IP addresses do not matter). From the web browser we access our ZeroTier network, allow access to those devices and configure them to take an automatic virtual IP in the range 10.10.10.2 to 10.10.10.254.

3.- We establish in ZeroTier a local network in the range 10.10.10.0/24, that is, from 10.10.10.1 to 10.10.10.255.

4.- We establish a route in ZeroTier so that the address 192.168.1.34 always passes through 10.10.10.1 (192.168.1.34/32 > 10.10.10.1).

And … voilà! We go to Singapore with our client devices (TV box, smartphone, tablet, PC), or we lend them to a friend, and, without doing anything, Kodi works the same as if we were at home: we have access to our CoreELEC, our tvheadend server, samba, oscam, and consequently our television, our movies, our music, etc.

Note: Although installing ZeroTier on Android or Windows is very easy, installing ZeroTier on CoreELEC, and on Linux in general, is somewhat more complicated, and you will have to search for information on the internet or use the installer proposed here.

ZeroTier is at https://www.zerotier.com/

In the event that Kodi uses network directories, for ZeroTier to work perfectly we will need to mount those network directories as local directories within CoreELEC. The command that I use is ‘curlftpfs’ and the place to do it is /storage/.config/samba.conf.

2 Likes

Steps to install and configure zerotier entware in CoreELEC:

  1. Plan and configure a virtual network on zerotier.com. Take note of your_network_id (you’ll need it later)
  2. Install zerotier in CoreELEC: opkg install zerotier
  3. Copy the script https://gist.github.com/meoso/b25bd410c8a54a1a013f0cc2d72b12ee to /opt/etc/init.d/S90zerotier-one.sh, and make it executable with chmod 755
  4. Restart CoreELEC. Now zerotier is running.
  5. Run /opt/bin/zerotier-cli join your_network_id
  6. Go back to zerotier.com, allow CoreELEC access to your virtual network, and finish configuring it
2 Likes

good web openmecool

Thanks to your guide now I can share my Plex library over internet for my family.

1 Like

Strangely, zerotier-one did not autostart on reboot, and I had to launch it manually to get through the process of registering an account and setting up two devices in the virtual network.

Check this:

3. Copy the script https://gist.github.com/meoso/b25bd410c8a54a1a013f0cc2d72b12ee to /opt/etc/init.d/S90zerotier-one.sh, and make it executable with chmod 755
4. Restart CoreELEC. Now zerotier is running.

I have checked that it is executable … but maybe I should download it again to be sure I have a good file.
Can you see anything obvious here?

CoreELEC:~/.opt/etc/init.d # ls -la
total 55
drwxr-xr-x    2 root     root          1024 Sep 27 19:45 .
drwxr-xr-x    4 root     root          1024 Sep 27 19:43 ..
-rwxr-xr-x    1 root     root         49281 Sep 27 19:45 S90zerotier-one.sh
-rw-r--r--    1 root     root          2822 May 22 13:44 rc.func
-rwxr-xr-x    1 root     root           966 May 22 13:44 rc.unslung
CoreELEC:~/.opt/etc/init.d #

Check your file ‘S90zerotier-one.sh’, it is too long.

My list of entware servers is this:

CoreELEC:~/.opt/etc/init.d # ls -la
total 32
drwxr-xr-x    2 root     root          4096 Sep 25 21:01 .
drwxr-xr-x   10 root     root          4096 May 22 15:44 ..
-rwxr-xr-x    1 root     root           195 May 22 15:44 S01syslog-ng
-rwxr-xr-x    1 root     root           300 May 22 15:44 S77ntpd
-rwxr-xr-x    1 root     root           787 Sep  4 03:49 S90zerotier-one
-rwxr-xr-x    1 root     root           463 May 22 15:44 S92syncthing
-rw-r--r--    1 1023     1023          2822 May 22 15:44 rc.func
-rwxr-xr-x    1 1023     1023           966 May 22 15:44 rc.unslung

(Note: ‘S90zerotier-one.sh’ or ‘S90zerotier-one’ is the same)

1 Like

Thanks … yes indeed it was file corruption.
All good now on the home network.
I can access the tvheadend server via Kodi using the virtual network IP address.

:)

1 Like

I remind you that if you establish a zerotier routing

192.168.xxx.xxx/32 >>>>> 10.10.10.1

where 192.168.xxx.xxx is the CoreELEC IP address in your home network and 10.10.10.1 is the CoreELEC virtual IP address in zerotier, you no longer need to use the 10.10.10.1 virtual IP address on any Kodi device; you just need to remember the IP address of your home network, since zerotier will handle the routing, and Kodi devices will work the same inside the house without zerotier as outside the house with zerotier.

To avoid conflicts with the IP addresses of other home networks (friends, family, hotels, etc.), I suggest that you use unusual ranges in your home network, for example 192.168.111.0/24.

1 Like
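The conflict the post above describes (a managed route whose destination collides with whatever LAN the travelling Kodi device happens to be on) is easy to check before clicking "add route" in ZeroTier Central. The script below is an added example, not code from the thread or from ZeroTier; the ManagedRoute and Finding classes and the check_route_plan function are names chosen here, and the addresses are constructed from the scenarios in this thread (10.10.10.0/24 as the ZeroTier subnet, 192.168.1.34/32 via 10.10.10.1). It also generalizes to the case of routing a whole LAN (a /24 destination) rather than a single host, and flags that as a warning because every member of the network then reaches every address in that LAN.

```python
"""Check a ZeroTier managed-route plan for address conflicts before applying it (added example)."""
from dataclasses import dataclass
from ipaddress import IPv4Address, IPv4Network
from typing import Dict, List, Optional, Sequence


@dataclass(frozen=True)
class ManagedRoute:
    """One row of the ZeroTier Central 'Managed Routes' table (hypothetical helper type)."""
    destination: str            # CIDR, e.g. "192.168.1.34/32"
    via: Optional[str] = None   # member IP acting as gateway; None is the "(LAN)" row


@dataclass(frozen=True)
class Finding:
    level: str      # "error" (route will not work as intended) or "warn" (works, but think twice)
    route: str
    message: str


def check_route_plan(zt_subnet: str,
                     routes: Sequence[ManagedRoute],
                     roaming_lans: Dict[str, str]) -> List[Finding]:
    """Validate routes against the ZeroTier subnet and the LANs a client may roam to.

    roaming_lans maps a label ("hotel", "friend") to the CIDR a travelling Kodi
    device may be given there.  A managed route whose destination overlaps such a
    LAN is the conflict the post warns about: the client then has a connected route
    covering the same addresses, and which path wins depends on its routing table.
    """
    zt = IPv4Network(zt_subnet)
    findings: List[Finding] = []
    seen: List[IPv4Network] = []
    for r in routes:
        dest = IPv4Network(r.destination, strict=False)
        if r.via is None:
            # The "(LAN)" row is the ZeroTier subnet itself; anything else is a typo.
            if dest != zt:
                findings.append(Finding("error", r.destination,
                                        "the (LAN) row must be the ZeroTier subnet itself"))
            continue
        via = IPv4Address(r.via)
        if via not in zt:
            findings.append(Finding("error", r.destination,
                                    f"gateway {via} is not inside {zt}; no member can reach it"))
        if dest.overlaps(zt):
            findings.append(Finding("error", r.destination,
                                    f"destination overlaps the ZeroTier subnet {zt}"))
        for other in seen:
            if dest.overlaps(other):
                findings.append(Finding("error", r.destination,
                                        f"overlaps another managed route {other}; routing is ambiguous"))
        for label, cidr in roaming_lans.items():
            if dest.overlaps(IPv4Network(cidr, strict=False)):
                findings.append(Finding("error", r.destination,
                                        f"overlaps the {label} LAN {cidr}: a client on that LAN has a "
                                        "connected route for the same addresses, so which path wins "
                                        "depends on its routing table"))
        if dest.prefixlen < 32:
            # Routing a whole subnet exposes every host in it to every member of the network.
            findings.append(Finding("warn", r.destination,
                                    f"exposes {dest.num_addresses} LAN addresses behind {via} to "
                                    "every member; a /32 host route limits the blast radius"))
        seen.append(dest)
    return findings


def has_errors(findings: Sequence[Finding]) -> bool:
    return any(f.level == "error" for f in findings)


if __name__ == "__main__":
    # Constructed scenario: the single-host route from this thread plus a hotel LAN
    # that hands out addresses in the same 192.168.1.0/24 range as the home network.
    plan = [ManagedRoute("10.10.10.0/24"), ManagedRoute("192.168.1.34/32", "10.10.10.1")]
    for f in check_route_plan("10.10.10.0/24", plan, {"hotel": "192.168.1.0/24"}):
        print(f"[{f.level}] {f.route}: {f.message}")
```

Run with the home LAN moved to an unusual range such as 192.168.111.0/24, as suggested above, the same plan produces no findings against a 192.168.1.0/24 hotel network.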

My normal LAN is in the range 192.168.1.xxx and I chose for Zerotier 192.168.192.xxx.
It has worked fine on the two devices I tested on.
Tvheadend reports the client’s Zerotier IP when Kodi accesses via Zerotier and reports the client’s normal LAN IP when used without Zerotier.

The only conflict I could imagine that could occur would be if someone from outside the LAN had their range the same as my Zerotier … which I think unlikely considering the range I have chosen.

1 Like

I seem to have lost both CE devices when the WAN IP address changed.
Another (Linux) PC connected with the new IP showing in the Zerotier account.

Any idea what might cause this?

Thanks.

It does not happen to me: every day the router restarts and changes the home network's WAN IP, CoreELEC included, and I have no problem accessing CoreELEC from outside the home. In the ZeroTier network, the changes take a few seconds.

zerotier-one.log is in /opt/var/log

1 Like

It might have been caused by the new router and ISP settings, somehow.

I have gone back to using DynDNS and specifying the user/password/permissions in Tvheadend, to allow access from the internet side.

The only reason why ZeroTier does not work is that the zerotier root servers are blocked by the firewall of your router or your ISP.

In my router I have a lot of security installed: in addition to the Skynet firewall with daily updates, I have thousands of IP addresses banned from DigitalOcean AS14061, EGIHosting AS18779 and Sharktech AS46844, all American, which are the most dangerous. In addition, my router has additional protection with TrendMicro, and I use AdGuard DNS. My surveillance system is CoreELEC through the Syslog-ng entware server. Of course, all this is useless without device access control for Google, Microsoft, Facebook, etc. accounts, also using unique complex passwords for each service and two-step verification.

With all this I have gone from multiple serious daily attacks, even changing my WAN IP every day, to none that requires my attention.

I have not seen any problems using ZeroTier.

1 Like

I will likely get around to trying it again when this new setup is settled in and I am more knowledgeable about it and its capabilities.

For the moment the DynDNS setting in the router works for me.

Okay! But never open any ports on the router, with the exception of the OpenVPN port, and don’t forget to use OpenVPN. Anything else is very dangerous. Even my DynDNS has a complex name that neither my router nor any application knows, only the OpenVPN client. The bad guys stalk! I know this from experience.

1 Like

How to join two home networks with CoreELEC and zerotier (or CoreELEC as router)

Imagine that we want to join two home networks (for example, one in Germany and one in the Canary Islands) so that devices connected to a single zerotier network can access any device (including devices that are not connected to the zerotier network) on either network.

We will need at least one CoreELEC device connected to the zerotier network in each of the home networks.

Scenario example:

Network zerotier:
Domain: 10.10.10.0/24
CoreELEC IP (A): 10.10.10.12
CoreELEC IP (B): 10.10.10.24

Home network A:
Domain: 192.168.8.0/24
CoreELEC IP (A): any (for example 192.168.8.34)

Home network B:
Domain: 192.168.4.0/24
CoreELEC IP (B): any (for example 192.168.4.25)

How to:

Zerotier Network routing rules:
10.10.10.0/24 -----> (LAN)
192.168.8.0/24 -----> 10.10.10.12
192.168.4.0/24 -----> 10.10.10.24

Routing rules in Home network A:
Add the following to /storage/.config/autostart.sh in CoreELEC (A):

# Enable IPv4 forwarding so this box routes between the zt* interface and eth0
sysctl -w net.ipv4.ip_forward=1
sysctl -w net.ipv4.conf.all.forwarding=1
# Loose reverse-path filtering: replies to ZeroTier clients leave via a different interface
sysctl -w net.ipv4.conf.all.rp_filter=2
# Hide ZeroTier source addresses behind this box's LAN address
iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
# Forward anything arriving from ZeroTier interfaces, plus return traffic for established flows
iptables -A FORWARD -i zt+ -j ACCEPT
iptables -A FORWARD -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT

Routing rules in Home network B:
Add the following to /storage/.config/autostart.sh in CoreELEC (B):

# Enable IPv4 forwarding so this box routes between the zt* interface and eth0
sysctl -w net.ipv4.ip_forward=1
sysctl -w net.ipv4.conf.all.forwarding=1
# Loose reverse-path filtering: replies to ZeroTier clients leave via a different interface
sysctl -w net.ipv4.conf.all.rp_filter=2
# Hide ZeroTier source addresses behind this box's LAN address
iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
# Forward anything arriving from ZeroTier interfaces, plus return traffic for established flows
iptables -A FORWARD -i zt+ -j ACCEPT
iptables -A FORWARD -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT

Last step:

Forget about the zerotier network, the domain 10.10.10.0/24 and the devices 10.10.10.12 and 10.10.10.24. You don’t need them at all, and everything works transparently.

In this way, any device attached to your zerotier network has access to any device that belongs to the domains 192.168.8.0/24 and 192.168.4.0/24. It works even behind a CGNAT or on a mobile network.

Be careful if you allow access to your zerotier network to a device controlled by untrusted people.

Note:

  • Replace eth0 with wlan0 if you are using a WiFi connection instead of ethernet

Applicable Uses:

  • Multimedia
  • Remote security cameras
  • Access to servers that cannot connect to the zerotier network

(updated 14/07/2021)

2 Likes
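The guide's FORWARD rules accept every packet that arrives on a zt* interface, so the warning about untrusted members is the whole access control: once a member is authorised it reaches every host and port on both LANs. The script below is an added example, not code from the guide or from ZeroTier; it keeps the guide's rules as posted next to a default-deny variant that only lets listed member-to-LAN flows start, and renders the autostart.sh text. The Allow class, the function names and the constructed addresses are choices made here; 192.168.8.34 is the guide's example CoreELEC address, and ports 9981 and 9982 are tvheadend's default HTTP and HTSP ports.

```python
"""Forwarding rules for a CoreELEC box acting as ZeroTier gateway into its LAN (added example)."""
from dataclasses import dataclass
from ipaddress import IPv4Address, IPv4Network
from typing import List, Sequence


@dataclass(frozen=True)
class Allow:
    """One flow that ZeroTier members may initiate into the LAN (hypothetical helper type)."""
    src: str      # ZeroTier CIDR allowed to initiate, e.g. "10.10.10.0/24"
    dst: str      # LAN host, e.g. "192.168.8.34"
    proto: str    # "tcp" or "udp"
    port: int


def posted_rules(lan_if: str = "eth0") -> List[str]:
    """The three iptables lines from the guide: anything arriving on zt* is forwarded and masqueraded."""
    return [
        f"iptables -t nat -A POSTROUTING -o {lan_if} -j MASQUERADE",
        "iptables -A FORWARD -i zt+ -j ACCEPT",
        "iptables -A FORWARD -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT",
    ]


def hardened_rules(zt_subnet: str, lan_subnet: str, allows: Sequence[Allow],
                   lan_if: str = "eth0") -> List[str]:
    """Default-deny transit: only the listed member->LAN flows may start; LAN->ZeroTier never does."""
    zt = IPv4Network(zt_subnet)
    lan = IPv4Network(lan_subnet)
    rules = [
        # Drop every forwarded packet not explicitly accepted below (INPUT/OUTPUT are untouched)
        "iptables -P FORWARD DROP",
        "iptables -A FORWARD -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT",
        "iptables -A FORWARD -m conntrack --ctstate INVALID -j DROP",
    ]
    for a in allows:
        src = IPv4Network(a.src)
        dst = IPv4Address(a.dst)
        # Refuse allow entries that would silently widen the policy beyond the two subnets.
        if not src.subnet_of(zt):
            raise ValueError(f"{a.src} is not inside the ZeroTier subnet {zt}")
        if dst not in lan:
            raise ValueError(f"{a.dst} is not inside the LAN {lan}")
        if a.proto not in ("tcp", "udp") or not 0 < a.port < 65536:
            raise ValueError(f"bad proto/port in {a}")
        rules.append(
            f"iptables -A FORWARD -i zt+ -o {lan_if} -s {src} -d {dst} "
            f"-p {a.proto} --dport {a.port} -m conntrack --ctstate NEW -j ACCEPT"
        )
    # Only ZeroTier-sourced packets are given the box's LAN address; nothing else is NATed.
    rules.append(f"iptables -t nat -A POSTROUTING -o {lan_if} -s {zt} -j MASQUERADE")
    return rules


def render_autostart(zt_subnet: str, lan_subnet: str, allows: Sequence[Allow],
                     lan_if: str = "eth0") -> str:
    """Shell text to append to /storage/.config/autostart.sh: the guide's sysctls plus hardened rules."""
    sysctls = [
        "sysctl -w net.ipv4.ip_forward=1",
        "sysctl -w net.ipv4.conf.all.forwarding=1",
        "sysctl -w net.ipv4.conf.all.rp_filter=2",
    ]
    return "\n".join(sysctls + hardened_rules(zt_subnet, lan_subnet, allows, lan_if)) + "\n"


if __name__ == "__main__":
    # Constructed policy: members may only reach tvheadend (HTTP 9981, HTSP 9982) on the home A box.
    policy = [Allow("10.10.10.0/24", "192.168.8.34", "tcp", 9981),
              Allow("10.10.10.0/24", "192.168.8.34", "tcp", 9982)]
    print(render_autostart("10.10.10.0/24", "192.168.8.0/24", policy))
```

Two things to keep in mind with either rule set: because of MASQUERADE the LAN services see the gateway's LAN address rather than the client's ZeroTier address (unlike the direct single-host setup earlier in the thread, where tvheadend reported the client's ZeroTier IP), and a FORWARD policy of DROP only governs transit traffic, so the CoreELEC box's own services are still reached directly over its ZeroTier address as before.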

Moved this to Guides, thanks for the contribution @cubimol.

Hi Edemol, I am trying to install Zerotier on an Asus router with Merlin WRT in Entware. Do you know if it’s possible, or what modifications should be made to the script?
Many thanks!