CoreELEC and ZeroTier: A good couple

It does not happen to me: every day the router restarts and changes the home network WAN IP, CoreELEC included, and I have no problem accessing CoreELEC from outside the home. In the ZeroTier network, the changes take a few seconds.

zerotier-one.log is in /opt/var/log


It might have been caused by the new router and ISP settings, somehow.

I have gone back to using DynDNS and specifying the user/password/permissions in Tvheadend, to allow access from the internet side.

The only reason why ZeroTier does not work is that the zerotier root servers are banned by the firewall of your router or your ISP.

In my router I have a lot of security installed and I have, in addition to the Skynet firewall with daily updates, thousands of IP addresses banned from DigitalOcean AS14061, EGIHosting AS18779, and Sharktech AS46844, all American, which are the most dangerous. In addition, my router has additional protection with TrendMicro and I use AdGuard DNS. My surveillance system is CoreELEC through a Syslog-ng Entware server. Of course, all this is useless without device access control for Google, Microsoft, Facebook, etc. accounts, also using unique complex passwords for each service and two-step verification.

With all this I have gone from multiple serious daily attacks, even changing my WAN IP every day, to none that require my attention.

I have not seen any problems using ZeroTier.


I will likely get around to trying it again when this new setup is settled in and I am more knowledgeable about it and its capabilities.

For the moment the DynDNS setting in the router works for me.

Okay! But never open any ports on the router, with the exception of the OpenVPN port, and don’t forget to use OpenVPN. Anything else is very dangerous. Even my DynDNS has a complex name that neither my router nor any application knows, only the OpenVPN client. The bad guys stalk! I know this from experience.


How to join two home networks with CoreELEC and zerotier (or CoreELEC as router)

Imagine that we want to join two home networks (for example, one in Germany and one in the Canary Islands) so that devices connected to a single zerotier network can access any device (including devices that are not connected to the zerotier network) of both networks.

We will need at least one CoreELEC device connected to the zerotier network in each of the home networks.

Scenario example:

Network zerotier:
Domain: 10.10.10.0/24
CoreELEC IP (A): 10.10.10.12
CoreELEC IP (B): 10.10.10.24

Home network A:
Domain: 192.168.8.0/24
CoreELEC IP (A): any (for example 192.168.8.34)

Home network B:
Domain: 192.168.4.0/24
CoreELEC IP (B): any (for example 192.168.4.25)

How to:

Zerotier Network routing rules:
10.10.10.0/24 -----> (LAN)
192.168.8.0/24 -----> 10.10.10.12
192.168.4.0/24 -----> 10.10.10.24

Routing rules in Home network A:
Add the following to /storage/.config/autostart.sh in CoreELEC (A):

# Let the kernel route packets between the zt+ and eth0 interfaces
sysctl -w net.ipv4.ip_forward=1
sysctl -w net.ipv4.conf.all.forwarding=1
# Loose reverse-path filtering: replies may leave on a different interface than the one they arrived on
sysctl -w net.ipv4.conf.all.rp_filter=2
# Hide ZeroTier source addresses behind this box's LAN address so LAN devices can answer
iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
# Forward traffic coming in from ZeroTier, plus the replies to it
iptables -A FORWARD -i zt+ -j ACCEPT
iptables -A FORWARD -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT

Routing rules in Home network B:
Add the following to /storage/.config/autostart.sh in CoreELEC (B):

# Let the kernel route packets between the zt+ and eth0 interfaces
sysctl -w net.ipv4.ip_forward=1
sysctl -w net.ipv4.conf.all.forwarding=1
# Loose reverse-path filtering: replies may leave on a different interface than the one they arrived on
sysctl -w net.ipv4.conf.all.rp_filter=2
# Hide ZeroTier source addresses behind this box's LAN address so LAN devices can answer
iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
# Forward traffic coming in from ZeroTier, plus the replies to it
iptables -A FORWARD -i zt+ -j ACCEPT
iptables -A FORWARD -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT

Last step:

Forget about the zerotier network, the domain 10.10.10.0/24 and the devices 10.10.10.12 and 10.10.10.24. You don’t need them at all, and everything works transparently.

In this way any device attached to your zerotier network has access to any device that belongs to domains 192.168.8.0/24 and 192.168.4.0/24. It works even behind a CGNAT or mobile network.

Be careful if you allow access to your zerotier network to a device controlled by untrusted people.

Note:

  • Replace eth0 with wlan0 if you are using a WiFi connection instead of Ethernet

Applicable Uses:

  • Multimedia
  • Remote security cameras
  • Access to servers that cannot connect to the zerotier network

(updated 14/07/2021)

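To make the guide's routing concrete, here is an added packet-path model (example code written for this page, not part of the guide, CoreELEC or ZeroTier). It uses the guide's addresses (CoreELEC A at 10.10.10.12 / 192.168.8.34, CoreELEC B at 10.10.10.24 / 192.168.4.25) plus a constructed ZeroTier member 10.10.10.50 standing in for a laptop, and shows what the managed routes, ip_forward and MASQUERADE each contribute to the round trip. It also lists which LANs any single member can reach, which is the point behind the warning about untrusted devices on the zerotier network.

```python
"""Packet-path model of the two-home-network setup (added example, not the guide's code)."""
from ipaddress import ip_address, ip_network

# ZeroTier managed routes from the guide: destination -> next hop.
# None means "deliver directly over the zt interface" (the (LAN) route).
ZT_ROUTES = {
    ip_network("10.10.10.0/24"): None,
    ip_network("192.168.8.0/24"): ip_address("10.10.10.12"),
    ip_network("192.168.4.0/24"): ip_address("10.10.10.24"),
}

# CoreELEC boxes acting as gateways: zt address -> (LAN iface, LAN address, LAN prefix).
GATEWAYS = {
    ip_address("10.10.10.12"): ("eth0", ip_address("192.168.8.34"), ip_network("192.168.8.0/24")),
    ip_address("10.10.10.24"): ("eth0", ip_address("192.168.4.25"), ip_network("192.168.4.0/24")),
}


def lookup(routes, dst):
    """Longest-prefix match over a {network: next_hop} table."""
    matches = [net for net in routes if dst in net]
    if not matches:
        return None, None
    best = max(matches, key=lambda n: n.prefixlen)
    return best, routes[best]


def trace(src, dst, ip_forward=True, masquerade=True):
    """Follow one connection from ZeroTier member `src` to `dst`.

    Returns a dict describing the path; `delivered` is True only when the
    LAN host can also answer, i.e. when the whole round trip works.
    """
    src, dst = ip_address(src), ip_address(dst)
    net, via = lookup(ZT_ROUTES, dst)
    if net is None:
        # Nothing in the ZeroTier table covers dst: the member's ordinary
        # default route handles it and the virtual network is not involved.
        return {"route": None, "via": None, "delivered": False}
    if via is None:
        # dst is another ZeroTier member: peer to peer, no gateway needed.
        return {"route": net, "via": None, "delivered": True}

    iface, lan_ip, lan_net = GATEWAYS[via]
    if not ip_forward:
        # Without net.ipv4.ip_forward=1 the box drops transit packets that
        # arrive on zt+ but are not addressed to the box itself.
        return {"route": net, "via": via, "egress": None, "delivered": False}

    # FORWARD -i zt+ -j ACCEPT lets the packet through; POSTROUTING MASQUERADE
    # on the LAN interface rewrites the source to the box's own LAN address.
    outer_src = lan_ip if masquerade else src
    # Modelling assumption: a LAN host replies via its default gateway (the home
    # router), which has no route back to 10.10.10.0/24. Only a source inside the
    # LAN prefix therefore gets an answer; that answer matches the
    # RELATED,ESTABLISHED rule and is un-NATed back to src.
    reply_ok = dst in lan_net and outer_src in lan_net
    return {"route": net, "via": via, "egress": iface,
            "outer_src": outer_src, "delivered": reply_ok}


def lans_reachable_by(member):
    """LAN prefixes that one ZeroTier member can reach through the gateways.

    Every member gets the same list, whoever controls the device: the managed
    routes do not distinguish trusted from untrusted members.
    """
    member = ip_address(member)
    if not any(member in net for net, via in ZT_ROUTES.items() if via is None):
        return []  # not a member of the zerotier network at all
    return sorted(lan for lan, via in ZT_ROUTES.items() if via is not None)


if __name__ == "__main__":
    print(trace("10.10.10.50", "192.168.4.7"))
    print(trace("10.10.10.50", "192.168.4.7", masquerade=False))
    print(lans_reachable_by("10.10.10.50"))
```

Running it shows the laptop's packet to 192.168.4.7 leaving CoreELEC B as 192.168.4.25 and being answered, while the same packet without MASQUERADE goes unanswered; note that the LAN devices themselves never learn about the zerotier network, so only ZeroTier members can initiate connections in this setup.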

Moved this to Guides, thanks for the contribution @cubimol.

Hi Edemol, I am trying to install Zerotier on an Asus router with Merlin WRT in Entware. Do you know if it’s possible, or what modifications should be made to the script?
Many thanks!

@PLAY911: Installing zerotier on devices other than CoreELEC is beyond the scope of this topic, but I’ve seen specific guides for Asus routers, look them up.

@loznic89: The use of Entware repositories for the installation of zerotier and others allows keeping the service updated with the opkg upgrade command; they are also trusted repositories.


ok, deleting py sorry

First off, thanks for the excellent guide.

I am having a slight problem understanding the concept in this post of yours, however.

My home local network is 192.168.1.XXX and my office local network is also 192.168.1.XXX.

I have created a ZeroTier network that is assigning 10.145.20.xxx IPs.

I have 1 CE box at home, and that has been auto-assigned 10.145.20.2, let’s say, and 10.145.20.3 for the office one. The LAN IPs for both are 192.168.1.2 and 1.3 respectively too, let us assume.

From my laptop, which is also on the same ZeroTier network, when I use 10.145.20.2 from any network (even remote) I can access the box at home, and 20.3 for the box at the office, but I can’t use 192.168.1.2 or .3 to access them unless I am in the respective LAN.

Is this correct behaviour? Your post seems to suggest otherwise: that the LAN IPs themselves suffice to access devices without remembering the ZT IPs. Please correct me if my understanding is wrong. Thanks.

ZeroTier offers many alternatives; in your case, where the private networks have the same range of addresses, the best alternative is to address the devices using the IPs of the ZeroTier network 10.145.20.0/24. The behavior you suggest is correct.

I recommend that you leave the ZeroTier network only with:
10.145.20.0/24 -----> (LAN)
and don’t do any additional routing.

In this way, when you address a device with 192.168.1.0/24, it will only search the private network to which it is connected, and will not be able to look at the ZeroTier network.

It’s easy; just spend a little time thinking about the routing logic on each of the private networks and the ZeroTier network. A device connected to the ZeroTier network can see two networks, and if routing rules are not established, the two networks are absolutely separate, without a gateway between them.

I hope I have clarified some of your doubts.

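The answer above turns on one routing fact: a managed route for 192.168.1.0/24 cannot point at two different CoreELEC boxes, so when home and office share a prefix the only consistent configuration is the bare (LAN) route and addressing by ZeroTier IP. The following added example (written for this page, not code from the thread or from ZeroTier) plans the managed routes from the LAN prefix behind each gateway, refuses the overlapping case, and tells a member which address to use for a box it knows under both addresses. The addresses are the guide's (10.10.10.0/24) and the question's (10.145.20.2 and 10.145.20.3); the helper names are this example's own.

```python
"""Managed-route planning with an overlap check (added example, not from the thread)."""
from ipaddress import ip_address, ip_network


def plan_managed_routes(zt_prefix, gateways):
    """gateways maps each CoreELEC's ZeroTier address to the LAN prefix behind it.

    Returns (routes, conflicts). routes is a list of (destination, next_hop),
    with next_hop None for the (LAN) route that every network needs. If two
    LAN prefixes overlap, or a LAN overlaps the ZeroTier prefix itself, only
    the (LAN) route is emitted and the conflicts explain why.
    """
    zt_net = ip_network(zt_prefix)
    lans = [(ip_address(gw), ip_network(lan)) for gw, lan in gateways.items()]
    conflicts = []
    for gw, lan in lans:
        if lan.overlaps(zt_net):
            conflicts.append(f"{lan} via {gw} overlaps the ZeroTier prefix {zt_net}")
    for i, (gw1, lan1) in enumerate(lans):
        for gw2, lan2 in lans[i + 1:]:
            if lan1.overlaps(lan2):
                # A single prefix cannot have two next hops: the route table
                # would have no way to say which box a packet belongs to.
                conflicts.append(f"{lan1} via {gw1} overlaps {lan2} via {gw2}")
    routes = [(zt_net, None)]
    if not conflicts:
        routes += [(lan, gw) for gw, lan in lans]
    return routes, conflicts


def address_to_use(routes, zt_ip, lan_ip):
    """Address a ZeroTier member should use for a box known under both addresses.

    The LAN address only works from outside that LAN when a managed route
    covers it; otherwise the member must use the ZeroTier address.
    """
    lan_ip = ip_address(lan_ip)
    for dest, next_hop in routes:
        if next_hop is not None and lan_ip in dest:
            return str(lan_ip)
    return str(ip_address(zt_ip))


if __name__ == "__main__":
    # The guide's scenario: distinct prefixes, LAN routes are emitted.
    routes, conflicts = plan_managed_routes(
        "10.10.10.0/24",
        {"10.10.10.12": "192.168.8.0/24", "10.10.10.24": "192.168.4.0/24"})
    print(routes, conflicts)
    # The question's scenario: home and office both 192.168.1.0/24.
    routes, conflicts = plan_managed_routes(
        "10.145.20.0/24",
        {"10.145.20.2": "192.168.1.0/24", "10.145.20.3": "192.168.1.0/24"})
    print(routes, conflicts)
    print(address_to_use(routes, "10.145.20.3", "192.168.1.3"))
```

For the guide's networks the planner produces the same three routes as the guide; for the question's networks it produces only 10.145.20.0/24 -> (LAN) and reports the overlap, and the office box must then be addressed as 10.145.20.3, exactly as the answer recommends.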

Strange, but the script https://gist.github.com/meoso/b25bd410c8a54a1a013f0cc2d72b12ee does not work when run manually with the ‘status’ and ‘start’ options:

/opt/etc/init.d/S90zerotier-one.sh stop

/opt/etc/init.d/S90zerotier-one.sh status
ZeroTier-One is already running.

although the zerotier process was killed:
ps ax | grep zero
6792 root 0:00 grep zero

And when I tried to start zerotier:
/opt/etc/init.d/S90zerotier-one.sh start
ZeroTier-One is already running.

although the zerotier process does not actually exist.

I don’t know what you’re saying; it works well for me:

x96air:~/.opt/etc/init.d # ./S90zerotier-one
Usage: /etc/init.d/zerotier-one {start|stop|status}

x96air:~/.opt/etc/init.d # ./S90zerotier-one status
ZeroTier-One is NOT running

x96air:~/.opt/etc/init.d # ./S90zerotier-one start
Starting ZeroTier-One

x96air:~/.opt/etc/init.d # ./S90zerotier-one status
4565
ZeroTier-One is running.

x96air:~/.opt/etc/init.d # ./S90zerotier-one stop
4565
Stopping ZeroTier-One

x96air:~/.opt/etc/init.d # ./S90zerotier-one status
ZeroTier-One is NOT running

x96air:~/.opt/etc/init.d # ./S90zerotier-one start
Starting ZeroTier-One

x96air:~/.opt/etc/init.d # ./S90zerotier-one status
4614
ZeroTier-One is running.

Thank you for this info. Can you show the output of the command

ps ax | grep zero

after ./S90zerotier-one status and ./S90zerotier-one start?

Thanks, I found an error: I am actually running not the S90zerotier-one.sh script but a symbolic link to it:

ls -l zerotier-one
lrwxrwxrwx 1 root root 34 Dec 24 17:53 zerotier-one -> /opt/etc/init.d/S90zerotier-one.sh

Reflections about ZeroTier

In the last two years I have used the ZeroTier VPN network quite successfully, but I have to admit that smooth transmission of a video stream is not guaranteed, even at 5 Mb/s. For this reason I continue to use ZeroTier as an alternative VPN network in case the main WireGuard VPN network, which has no bandwidth limitations, fails.

When managing unattended remote devices, there is always the possibility of failure of one of the VPN networks or devices, almost always during software update processes. For this reason I am only using ZeroTier, which is much more robust than WG, to restore with SSH, SFTP or VNC the device that lost the WireGuard link.

People interested in VPNs can take a look at tinc. Tinc creates a private net like ZeroTier but without a root server. It is a peer-to-peer network without the need for an external server that is not your own.

ZeroTier has great advantages over other VPN networks: (1) it is very easy to configure, (2) it works behind a router, and (3) it is very robust with respect to updates; it never goes down. ZeroTier also has a major drawback: it requires a connection to ZeroTier hosts as gateways to your virtual private network. When the ZeroTier hosts have little work, everything is fine and there are no problems with the transmission of video streams, but when ZeroTier hosts are few or have a lot of workload, they are unable to maintain a minimum speed in a sustained way. The only thing the user can do is wait for ZeroTier to bring a sufficient number of hosts into service.

Regarding tinc, my opinion of it is worse than of any other VPN network, because I think that it needs ports to be opened in the router at each and every one of the nodes, which is sometimes impossible.

Thanks to you, I have been using Zerotier on my box for quite some time, but I have not faced any issue with network speed.