It does not happen to me: every day the router restarts and changes the home network WAN IP, CoreELEC included, and I have no problem accessing CoreELEC from outside the home. In the ZeroTier network, the changes take a few seconds.
The only reason why ZeroTier does not work is that the zerotier root servers are banned by the firewall of your router or your ISP.
In my router I have a lot of security installed: in addition to the Skynet firewall with daily updates, I have thousands of IP addresses banned from DigitalOcean AS14061, EGIHosting AS18779, and Sharktech AS46844, all American, which are the most dangerous. In addition, my router has additional protection with TrendMicro and I use AdGuard DNS. My surveillance system is CoreELEC through a Syslog-ng Entware server. Of course, all this is useless without device access control for Google, Microsoft, Facebook, etc. accounts, also using unique complex passwords for each service and two-step verification.
With all this I have gone from multiple serious daily attacks, even changing my WAN IP every day, to none that requires my attention.
Okay! But never open any ports on the router, with the exception of the OpenVPN port, and don’t forget to use OpenVPN. Anything else is very dangerous. Even my DynDNS has a complex name that neither my router nor any application knows, only the OpenVPN client. The bad guys stalk! I know this from experience.
How to join two home networks with CoreELEC and zerotier (or CoreELEC as router)
Imagine that we want to join two home networks (for example, one in Germany and one in the Canary Islands) so that devices connected to a single zerotier network can access any device (including devices that are not connected to the zerotier network) of both networks.
We will need at least one CoreELEC device connected to the zerotier network in each of the home networks.
Scenario example:
Network zerotier:
Domain: 10.10.10.0/24
CoreELEC IP (A): 10.10.10.12
CoreELEC IP (B): 10.10.10.24
Home network A:
Domain: 192.168.8.0/24
CoreELEC IP (A): any (for example 192.168.8.34)
Home network B:
Domain: 192.168.4.0/24
CoreELEC IP (B): any (for example 192.168.4.25)
Routing rules in Home network A:
Add the following to /storage/.config/autostart.sh in CoreELEC (A):
…
sysctl -w net.ipv4.ip_forward=1
sysctl -w net.ipv4.conf.all.forwarding=1
sysctl -w net.ipv4.conf.all.rp_filter=2
iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
iptables -A FORWARD -i zt+ -j ACCEPT
iptables -A FORWARD -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
…
Routing rules in Home network B:
Add the following to /storage/.config/autostart.sh in CoreELEC (B):
…
sysctl -w net.ipv4.ip_forward=1
sysctl -w net.ipv4.conf.all.forwarding=1
sysctl -w net.ipv4.conf.all.rp_filter=2
iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
iptables -A FORWARD -i zt+ -j ACCEPT
iptables -A FORWARD -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
…
Last step:
Forget about the zerotier network, the domain 10.10.10.0/24 and the devices 10.10.10.12 and 10.10.10.24. You don’t need it at all and everything works transparently.
In this way any device attached to your zerotier network has access to any device that belongs to domains 192.168.8.0/24 and 192.168.4.0/24. It works even behind a CGNAT or mobile network.
Be careful if you allow access to your zerotier network to a device controlled by untrusted people.
Note:
Replace eth0 with wlan0 if you are using a WiFi connection instead of ethernet
Applicable Uses:
Multimedia
Remote security cameras
Access to servers that cannot connect to the zerotier network
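The rules in the post above forward anything that arrives on zt+ to anywhere, and masquerade everything leaving eth0. As an added example (not from the original post or the CoreELEC project), here is a tightened version of the same autostart.sh rule set for CoreELEC (A) that a practitioner would want before letting other people onto the ZeroTier network: default-deny forwarding, the zt+ to LAN rule scoped to the ZeroTier and LAN subnets, and a small lint that rejects catch-all FORWARD rules. The interface name, subnets, and the assumption that the ZeroTier controller carries a managed route for the LAN subnet via this box's ZeroTier address are assumptions, not things the post states.

```shell
#!/bin/sh
# Added example, not from the original post or the CoreELEC project: a tightened
# version of the autostart.sh forwarding rules for CoreELEC (A) in the post above.
# Assumptions (not in the original): the LAN interface name, the LAN and ZeroTier
# subnets below, and that the ZeroTier controller carries a managed route for
# LAN_NET via this box's ZeroTier address (otherwise members never send LAN
# traffic here in the first place).
LAN_IF="${LAN_IF:-eth0}"             # use wlan0 on WiFi, as the post notes
LAN_NET="${LAN_NET:-192.168.8.0/24}" # home network A
ZT_NET="${ZT_NET:-10.10.10.0/24}"    # ZeroTier network

# Print the commands instead of running them, so the rule set can be reviewed
# and tested without root. Differences from the post's rules:
#  - default FORWARD policy is DROP, so nothing is forwarded unless listed;
#  - the zt+ -> LAN rule is scoped to the ZeroTier subnet as source and to the
#    LAN subnet as destination, instead of "-i zt+ -j ACCEPT" (anywhere);
#  - MASQUERADE is scoped the same way, so only ZeroTier-origin traffic is NATed.
build_rules() {
  lan_if=$1; lan_net=$2; zt_net=$3
  cat <<EOF
sysctl -w net.ipv4.ip_forward=1
sysctl -w net.ipv4.conf.all.forwarding=1
sysctl -w net.ipv4.conf.all.rp_filter=2
iptables -P FORWARD DROP
iptables -A FORWARD -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
iptables -A FORWARD -i zt+ -s $zt_net -o $lan_if -d $lan_net -m conntrack --ctstate NEW -j ACCEPT
iptables -t nat -A POSTROUTING -s $zt_net -o $lan_if -d $lan_net -j MASQUERADE
EOF
}

# Sanity check on a generated rule set read from stdin: every FORWARD ACCEPT
# rule must either be the conntrack reply rule or carry an explicit -d scope.
# Returns 1 (and names the offender) for a catch-all such as "-i zt+ -j ACCEPT".
lint_rules() {
  while IFS= read -r line; do
    case "$line" in
      "iptables -A FORWARD "*"-j ACCEPT")
        case "$line" in
          *"--ctstate RELATED,ESTABLISHED"*|*" -d "*) ;;
          *) echo "unscoped forward rule: $line" >&2; return 1 ;;
        esac ;;
    esac
  done
  return 0
}

# "apply" runs the rules (as root, e.g. from autostart.sh); anything else is a dry run.
if [ "${1:-}" = "apply" ]; then
  build_rules "$LAN_IF" "$LAN_NET" "$ZT_NET" | lint_rules || exit 1
  build_rules "$LAN_IF" "$LAN_NET" "$ZT_NET" | sh -e
else
  build_rules "$LAN_IF" "$LAN_NET" "$ZT_NET"
fi
```

For CoreELEC (B) run the same script with LAN_NET=192.168.4.0/24. The RELATED,ESTABLISHED rule is what lets LAN devices answer; with a DROP policy in place, a LAN device cannot open a new connection towards the ZeroTier side unless you add a rule for it.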
Hi Edemol, I am trying to install ZeroTier on an Asus router with Merlin WRT in Entware. Do you know if it's possible, or what modifications should be made to the script?
Many thanks!
@PLAY911: Installing zerotier on devices other than CoreELEC is beyond the scope of this topic, but I’ve seen specific guides for Asus routers, look them up.
@loznic89: The use of Entware repositories for the installation of ZeroTier and others allows keeping the service updated with the opkg upgrade command; they are also trusted repositories.
I am having a slight problem understanding the concept in this post of yours, however.
My home local network is 192.168.1.XXX and my office local network is also 192.168.1.XXX
I have created a ZeroTier network that is assigning 10.145.20.xxx IPs.
I have one CE box at home that has been auto-assigned 10.145.20.2, let's say, and 10.145.20.3 for the office one. The LAN IPs for both are 192.168.1.2 and .3 respectively, let us assume.
From my laptop, which is also on the same ZeroTier network, when I use 10.145.20.2 from any network (even remote) I can access the box at home, and .20.3 for the box at the office, but I can't use 192.168.1.2 or .3 unless I am in the respective LAN.
Is this correct behaviour? Your post seems to suggest otherwise. That the LAN IPs themselves suffice to access devices without remembering the ZT IPs. Please correct if my understanding is wrong. Thanks.
ZeroTier offers many alternatives, in your case where private networks have the same range of addresses, the best alternative is to address the devices using the IPs of the ZeroTier network 10.145.20.0/24. The behavior you suggest is correct.
I recommend that you leave the ZeroTier network only with:
10.145.20.0/24 -----> (LAN)
and don’t do any additional routing.
In this way, when you address a device with 192.168.1.0/24, it will only search the private network to which it is connected, and will not be able to look at the ZeroTier network.
It’s easy, just spend a little time thinking about the routing logic on each of the private networks and the ZeroTier network. A device connected to the ZeroTier network can see two networks, and if routing rules are not established the two networks are absolutely separate without a gateway between them.
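To make the routing logic in the reply above concrete, here is an added example (not from anyone in this thread) of a small longest-prefix-match route lookup run over constructed route tables for the laptop. The interface names wlan0 and zt0 and the café subnet 172.16.5.0/24 are assumptions. It goes one step beyond the reply: the second table shows what happens if a managed route for 192.168.1.0/24 were added anyway, which is exactly why the reply advises against it when both sites use the same range.

```shell
#!/bin/sh
# Added example, not from the original thread: a small longest-prefix-match
# route lookup, used to trace where a packet from the laptop would go in the
# overlapping-subnet situation above. The route tables below are constructed
# for illustration; the interface names (wlan0, zt0) are assumptions.

# Dotted-quad IPv4 address -> 32-bit integer.
ip2int() {
  old_ifs=$IFS; IFS=.; set -- $1; IFS=$old_ifs
  echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

# route_lookup DEST "ROUTES": ROUTES is one "prefix/len device" per line.
# Prints the device of the most specific matching route, or "unreachable".
route_lookup() {
  dest=$(ip2int "$1"); routes=$2; best_len=-1; best_dev=unreachable
  while read -r prefix dev; do
    [ -n "$prefix" ] || continue
    plen=${prefix#*/}
    # netmask for /plen without relying on 64-bit shift overflow
    mask=$(( 4294967295 - ((1 << (32 - plen)) - 1) ))
    net=$(ip2int "${prefix%/*}")
    if [ $(( dest & mask )) -eq $(( net & mask )) ] && [ "$plen" -gt "$best_len" ]; then
      best_len=$plen; best_dev=$dev
    fi
  done <<EOF
$routes
EOF
  echo "$best_dev"
}

# Laptop away from home, on a cafe network, with ZeroTier up and no managed
# routes: the 192.168.1.0/24 that both sites use is simply not in the table.
LAPTOP_REMOTE="172.16.5.0/24 wlan0
10.145.20.0/24 zt0
0.0.0.0/0 wlan0"

# Same laptop if a managed route for 192.168.1.0/24 were pushed via zt0: the
# packet now leaves on zt0, but nothing distinguishes home's 192.168.1.2 from
# the office's 192.168.1.2, so one site would shadow the other.
LAPTOP_WITH_MANAGED_ROUTE="172.16.5.0/24 wlan0
10.145.20.0/24 zt0
192.168.1.0/24 zt0
0.0.0.0/0 wlan0"

route_lookup 192.168.1.2 "$LAPTOP_REMOTE"              # wlan0: to the cafe's gateway, never home
route_lookup 10.145.20.2 "$LAPTOP_REMOTE"              # zt0: reaches the home CE box by its ZT address
route_lookup 192.168.1.2 "$LAPTOP_WITH_MANAGED_ROUTE"  # zt0: ambiguous between the two sites
```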
In the last two years I have used the ZeroTier VPN network quite successfully, but I have to admit that smooth transmission of a video stream is not guaranteed, even at 5 Mb/s. For this reason I continue to use ZeroTier as an alternative VPN network in case of failure of the main WireGuard VPN network, which has no bandwidth limitations.
When managing unattended remote devices, there is always the possibility of failure of one of the VPN networks or devices, almost always during software update processes. For this reason I am using only ZeroTier, which is much more robust than WG, to restore with SSH, SFTP or VNC a device that lost its WireGuard link.
People interested in VPNs can take a look at tinc. Tinc creates a private network like ZeroTier but without a root server. It is a peer-to-peer network with no need for an external server that is not your own.
ZeroTier has great advantages over other VPN networks: (1) it is very easy to configure, (2) it works behind a router, and (3) it is very robust with respect to updates, it never goes down. ZeroTier also has a major drawback: it requires connection to ZeroTier hosts as gateways to your virtual private network. When ZeroTier hosts have little work, everything is fine and there are no problems with the transmission of video streams, but when ZeroTier hosts are few or have a lot of workload, they are unable to maintain a minimum speed in a sustained way. The only thing the user can do is wait for ZeroTier to bring a sufficient number of hosts into service.
Regarding tinc, my opinion of it is worse than of any other VPN network, because I think that it needs ports opened in the router on each and every one of the nodes, which is sometimes impossible.