May be silly, but what is SSO?
Also, I'm thinking of doing the admin seat; it may be the better option for what I'm trying to do.
Ty, will look at after dr. appt.
Now that you have got the two units connected (presumably on Zerotier), you can use NR from the remote device across the link as if you are there.
From your remote device, bring up a browser and go to http://<the virtual IP address of the Pi>:1880/ui and you are away.
This is a virtual network that only the devices that you give permission to can access.
If you have enabled login security on your NR then you will be presented with the usual login screen.
Craig
Since a lot is discussed about Zerotier, I'm just curious if anybody knows the details of the security it provides? I understand it is using encryption for communication, but we have learned that when using VPN connections it is maybe not enough. How about certificate handling? Are there both client and server certificates involved when establishing connections, and are they updated on a regular basis? Anybody know?
Best regards, Walter
Yes I tried that, it works.
As far as NR security, I still need to read that a third time before I start messing with it.
cheers.
OK, good one. So now you have a secured tunnel to your NR and can turn off anything in the firewalls/WAPs where you were allowing traffic into the Pi.
Obviously, for any other machines you want to access (or use to access the Pi), you just run the same process and add them into the virtual network you have created.
Craig
Yes, like my cell phone and my 3 laptops.
But as of now it doesn't ask for a password with Zerotier.
But it will when I have set it up correctly in Node-RED.
Next question is how to have others be able to do the same thing so they can brew a beer with me!
Had a quick look but I'm not sure I'm any the wiser. I did spot that they recommend running a higher-level security over Zerotier such as SSH. So clearly there are limitations. I wouldn't want to rely on it for anything commercial without a deeper dive into it personally. But for low-value home automation it seems fine as far as I can tell so far.
Hello Julian, yes, agree, for low-value home automations I think it is fine. It is in a way "the same thinking" as with connections to MS Azure. As an example, static connection strings would probably be fine for the same type of low-value application but not for production systems in commercial or business-oriented applications. I heard the best then would be if the device itself had a TPM 2.0 hardware chip (Trusted Platform Module) on board.
Would anyway be interesting to know if Zerotier is using a static setup or if it is auto-updated/changed periodically.
For enterprise-grade IoT, I'd want isolated LANs fed through a VPN to Azure (unless you have ExpressRoute on-site).
Just two pieces of info about Zerotier.
- If you want to revalidate your Pi with a new identity, you have to run these three commands:
sudo systemctl stop zerotier-one
sudo rm /var/lib/zerotier-one/identity.*
sudo systemctl start zerotier-one
- Web pages embedded in another web page do not work. They are blocked by the browser when viewed via the zerotier IP.
This is a very good tool for everyday use.
Here is the link to the manual that provides details about the security as implemented.
It does a couple of things, but the main one is:
Asymmetric public key encryption is Curve25519/Ed25519, a 256-bit elliptic curve variant.
Every VL1 packet is encrypted end to end using (as of the current version) 256-bit Salsa20 and authenticated using the Poly1305 message authentication (MAC) algorithm. MAC is computed after encryption (encrypt-then-MAC) and the cipher/MAC composition used is identical to the NaCl reference implementation.
As of today we do not implement forward secrecy or other stateful cryptographic features in VL1. We don't do this for the sake of simplicity, reliability, and code footprint, and because frequently changing state makes features like clustering and fail-over much harder to implement. See our discussion on GitHub.
Craig
To allow others to join (once you have secured your Pi), you can log in to your Zerotier Central and send them an invite, which provides a link to your network number and links to download and install the software. It is fairly straightforward if they are halfway computer literate.
Once they confirm to you that they have downloaded the software and joined the network, you go back into your Zerotier control panel and authorise them as a node on your virtual network.
If you want to be more secure you can create an additional network for others to attach to (your devices can attach to more than one network at a time). You then attach your Pi to the 2nd network and invite them to join that network. This way they cannot see any of your devices (there is no routing between ZT networks unless you specifically allow it), so no one can use this link as a jumping-off point to try and attack your home PC etc.
You can also delve down further into the network definitions and lock down specific ports etc. that you will allow across there (and nothing else).
Craig
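As an added illustration of the port lockdown described above (this rule set is not from the thread or from ZeroTier's own documentation), here is a flow-rule set in the rules language used by ZeroTier Central that admits only Node-RED (TCP 1880), SSH (TCP 22) and ICMP across the guest network and drops everything else. The keywords (`ethertype`, `ipprotocol`, `dport`, `sport`) are assumed from the rules language as I know it; check them against the current manual before applying.

```text
# Only IPv4, ARP and IPv6 frames are allowed on the wire (same opening as ZeroTier's default rule set).
drop
  not ethertype ipv4
  and not ethertype arp
  and not ethertype ipv6
;

# Rules are stateless, so both directions of a TCP conversation must be accepted:
# the request towards the service port and the reply coming back from it.
# Node-RED dashboard on the Pi (assumed port 1880, as used earlier in the thread).
accept ipprotocol tcp and dport 1880;
accept ipprotocol tcp and sport 1880;

# SSH to the Pi (the higher-level security layer the manual recommends on top of ZeroTier).
accept ipprotocol tcp and dport 22;
accept ipprotocol tcp and sport 22;

# Ping for reachability checks only.
accept ipprotocol icmp4;
accept ipprotocol icmp6;

# Anything not matched above (other ports, UDP services, file shares) is dropped.
drop;
```

Because the guest network carries only these flows, a guest node that is later compromised gains no path to other ports on the Pi or to the devices on your own network.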
Yes, that is why I was none the wiser after reading it! It really doesn't actually tell you much of practical use.
Well, it does tell you it is 256 bit!! I guess you could delve into the source code if you were that interested!!
As of today we do not implement forward secrecy or other stateful cryptographic features in VL1. We don't do this for the sake of simplicity, reliability, and code footprint, and because frequently changing state makes features like clustering and fail-over much harder to implement
Doesn't this say that things are pretty static even if it is encrypted? No dynamic changes of keys or certificates etc.
...as ZT receives a lot of attention here, maybe it is worth pointing out that WireGuard is another option.
Mind you that a WireGuard network is a mesh, not a standard client-server solution (although people still conceive it as one).
WireGuard is getting more and more implemented in standard ISP router appliances, like MikroTik RouterOS (well, also ZT, here), and in Germany even AVM FritzOS has WireGuard now.
I am starting the installation procedure via the website (Install Tasmota), but what is the difference between Tasmotizer and Tasmota?
From that web browser link, right? The link from my previous post, just above this one?
After the web browser thing:
This doesn't work.