CoreELEC and ZeroTier: A good couple

CoreELEC and ZeroTier: A good couple

If we want to make CoreELEC accessible from the Internet, a serious security problem arises. We can make use of PPTP or OpenVPN servers but they need access codes and allow access not only to CoreELEC but to our entire home network, if we give our access credentials to a third person, even if it is trusted, we are compromising the security of all our data and devices. This is where ZeroTier comes into play. ZeroTier is a virtual network (it does not exist physically) free and secure, accessible even behind a CGNAT, where with the help of a web browser we are adding nodes (devices) and can establish among them routing and connection rules, very easily, and everything, passwords are not needed.

As it is difficult to explain I will do it with an example.

1.- We install ZeroTier in our first device (CoreELEC) that will be our server (suppose that your local IP address is 192.168.1.34), from the web browser we access our ZeroTier network, we allow access to that device and we assign it a virtual IP 10.10.10.1

2.- We install ZeroTier in the remaining device that will be the clients (the local IP address is indifferent), from the web browser we access our ZeroTier network, we allow access to those devices and we configure them to take an automatic virtual IP in the range 10.10.10.2 to 10.10.10.254.

3.- We establish in ZeroTier a local network in the range 10.10.10.0/24 that is from 10.10.10.1 to 10.10.10.255.

4.- We establish a routing in ZeroTier so that the address 192.168.1.34 always passes through 10.10.10.1 (192.168.1.34/32> 10.10.10.1).

And … voila! … we go to Singapore with our client devices (TV Box, SmartPhone, Tablet, PC) or we lend them to a friend and, without doing anything, Kodi works the same as if we were at home, and have access to our CoreELEC , your server tvheadend, samba, oscam, and as a consequence our television, our movies, our music, etc.

Note: Although the installation of ZeroTier in Android or Windows is very easy, the installation of ZeroTier in CoreELEC, and in Linux in general, is somewhat more complicated and you will have to search for information on the internet or use the installer proposed here

ZeroTier is at https://www.zerotier.com/

In the event that Kodi uses network directories, for ZeroTier to work perfectly, we will need to mount those directories on the network as local directories within CoreELEC. The command that I use is ‘curlftpfs’ and the place to do it is /storage/.config/samba.conf.

Steps to install and configure zerotier entware in CoreELEC:

  1. Think and configure a virtual network on zerotier.com. Take note of your_network_id (you’ll need it later)
  2. Install zerotier in CoreELEC: opkg install zerotier
  3. Copy the script https://gist.github.com/meoso/b25bd410c8a54a1a013f0cc2d72b12ee in /opt/etc/init.d/S90zerotier-one.sh, and allow its execution with chmod 755
  4. Restarts CoreELEC. Now zerotier is running.
  5. Run /opt/bin/zerotier-cli join your_network_id
  6. Go back to zerotier.com and allow CoreELEC access to your virtual network, and finish configuring it
1 Like

good web openmecool

Thanks to your guide now I can share my Plex library over internet for my family.

1 Like

strangely zerotier-one did not autostart on reboot and I had to launch it manually to get through the process of registering an account and setting up two devices in the virtual network.

Check this:

3. Copy the script https://gist.github.com/meoso/b25bd410c8a54a1a013f0cc2d72b12ee in /opt/etc/init.d/S90zerotier-one.sh, and allow its execution with chmod 755
4. Restarts CoreELEC. Now zerotier is running.

I have check that it is executable … but maybe I should download it again to be sure I have a good file.
Can you see anything obvious here?

CoreELEC:~/.opt/etc/init.d # ls -la
total 55
drwxr-xr-x    2 root     root          1024 Sep 27 19:45 .
drwxr-xr-x    4 root     root          1024 Sep 27 19:43 ..
-rwxr-xr-x    1 root     root         49281 Sep 27 19:45 S90zerotier-one.sh
-rw-r--r--    1 root     root          2822 May 22 13:44 rc.func
-rwxr-xr-x    1 root     root           966 May 22 13:44 rc.unslung
CoreELEC:~/.opt/etc/init.d #

Check your file ‘S90zerotier-one.sh’, it is too long.

My list of entware servers is this:

CoreELEC:~/.opt/etc/init.d # ls -la
total 32
drwxr-xr-x    2 root     root          4096 Sep 25 21:01 .
drwxr-xr-x   10 root     root          4096 May 22 15:44 ..
-rwxr-xr-x    1 root     root           195 May 22 15:44 S01syslog-ng
-rwxr-xr-x    1 root     root           300 May 22 15:44 S77ntpd
-rwxr-xr-x    1 root     root           787 Sep  4 03:49 S90zerotier-one
-rwxr-xr-x    1 root     root           463 May 22 15:44 S92syncthing
-rw-r--r--    1 1023     1023          2822 May 22 15:44 rc.func
-rwxr-xr-x    1 1023     1023           966 May 22 15:44 rc.unslung

(Note: ‘S90zerotier-one.sh’ or ‘S90zerotier-one’ is the same)

1 Like

Thanks … yes indeed it was file corruption.
All good now on home netwrok.
I can access the tvheadend server via Kodi using the virtual network IP address.

:slight_smile:

1 Like

I remind you that if you establish a zerotier routing

192.168.xxx.xxx/32 >>>>> 10.10.10.1

being 192.168.xxx.xxx the CoreELEC IP address in your home network, and 10.10.10.1 the CoreELEC virtual IP address in zerotier, you no longer need to use the 10.10.10.1 virtual IP address at any Kodi device, you just need to remember the IP address of your home network, since zerotier will handle the routing, and Kodi devices will work the same inside the house without zerotier as well as outside the house with zerotier.

To avoid conflicts with IP addresses of other home networks (friends, family, hotels, etc.) I suggest that you use rare ranges in your home network, for example, 192.168.111.0/24.

1 Like

My normal LAN is in the range 192.168.1.xxx and I chose for Zerotier 192.168.192.xxx.
It has worked fine on the two devices I tested on.
Tvheadend reports the client’s Zerotier IP when Kodi accesses via Zerotier and reports the client’s normal LAN IP when used without Zerotier.

The only conflict I could imagine that could occur would be if someone from outside the LAN had their range the same as my Zerotier … which I think unlikely considering the range I have chosen.

1 Like

I seem to have lost both CE devices when the WAN IP address changed.
Another (Linux) PC connected with the new IP showing in the Zerotier account.

Any idea what might cause this?

Thanks.

It does not happen to me, every day the router restarts and changes the home network WAN IP, CoreELEC included, and I have no problem accessing CoreELEC from outside the home. In the ZeroTier network, the changes take a few seconds.

zerotier-one.log is in /opt/var/log

1 Like

It might have been caused by the new router and ISP settings, somehow.

I have gone back to using DynDNS and specifying the user/password/permissions in Tvheadend, to allow access from the internet side.

The only reason why ZeroTier does not work is that the zerotier root servers are banned by the firewall of your router or your ISP.

In my router I have a lot of security installed and I have, in addition to the Skynet firewall with daily update, thousands of IP addresses banned from DigitalOcean AS14061, EGIHosting AS18779, and Sharktech AS46844, all Americans that are the most dangerous. In addition, my router has additional protection with TrendMicro and I use AdGuard DNS. My surveillance system is CoreELEC through Syslog-ng entware server. Of course, all this is useless, without a device access control to Google, Microsoft, Facebook, etc. accounts, also using unique complex passwords for each service and two-pass verification.

With all this I have gone from multiple serious daily attacks, even changing my WAN IP every day, to none that requires my attention.

I have not seen any problems using ZeroTier.

1 Like

I will likely get around to trying it again when this new set up is settled in and I am more knowledgable about it and its capabilities.

For the moment the DynDNS setting in the router works for me.

Okay! but never open any ports on the router, with the exception of the OpenVPN port, and don’t forget to use OpenVPN. Anything else is very dangerous. Even my DynDNS has a complex name that neither my router nor any application knows, only OpenVPN client. The bad guys stalk! I know this from experience.

1 Like