Ideas for a simple setup of a free tier

In fact, in my home network only my firewall, my iPhone and my laptop have access to my private ZeroTier network. With this I do not need to add clients to any other server in my home. They are all accessible via OPNsense firewall rules, pretty standard.

Before that I used this guide from ZeroTier and I was able to access my LAN. I set it up in a way that only my iPhone was able to do so, to minimize risk. All others (family) were able to remotely access only the Node-RED dashboard. This guide is still a lot easier to apply than a VPN ... IMHO


Hi Walter, yes indeed the older ZeroTier tutorials mention 100 free devices, while it is currently 50. So it is going downwards.
With ZeroTier you can run everything local if you want (controller,...), but then it becomes complex again.
I was drawing a diagram to discuss this more easily, but due to Christmas madness it is not completed yet. Stay tuned :wink:

There are multiple routes by which I can access Node-RED using LAN and ZeroTier.
My Node-RED server is connected to my home Ethernet and two ZeroTier networks;
ifconfig shows:

eth0: flags=4163<UP,BROADCAST,RUNNING,MULTICAST>  mtu 1500
        inet 192.168.1.11  netmask 255.255.255.0  broadcast 192.168.1.255
        
z.........h: flags=4163<UP,BROADCAST,RUNNING,MULTICAST>  mtu 2800
        inet 192.168.192.11  netmask 255.255.255.0  broadcast 192.168.192.255

z.........6: flags=4163<UP,BROADCAST,RUNNING,MULTICAST>  mtu 2800
        inet 192.168.193.11  netmask 255.255.255.0  broadcast 192.168.193.255

And my laptop is connected to Wi-Fi and both ZeroTier networks:

Intel(R) Wi-Fi 6E AX210 160MHz
        inet addr:192.168.1.33 Mask: 255.255.255.0

ZeroTier Virtual Port #2
        inet addr:192.168.192.33 Mask: 255.255.255.0

ZeroTier Virtual Port
        inet addr:192.168.193.33 Mask: 255.255.255.0

I know on the laptop which route I'm connecting over because I specify the NR IP address.
But is it possible for the NR dashboard to display the IP address[es] of connected client[s] and statistics for the available network interfaces?

Due to Christmas parties, my son's driving licence exam and other family stuff... not much time to dig into the ZeroTier documentation in depth.

Here is my first draft diagram:

It will most probably contain errors, be incomplete, and so on...
But at least then we have something to discuss about.
The red part is the port forwarding which we should avoid.

Some things that are unclear to me:

  1. The browser in the LAN on the Windows portable (black dotted lines). Should it go directly to my Node-RED running on the Raspberry (so no ZeroTier One agent on the portable), or should it go via a ZeroTier agent over the virtual network (via a ZeroTier One agent on the portable)?

  2. As I already asked above in this discussion, the Google Cloud Platform requires a callback URL (containing port 3001) to access the endpoint of the node-red-contrib-google-smarthome node, to send voice commands from a Google Home. Can this be set up via the ZeroTier virtual network, so without port forwarding of port 3001?

  3. Which rules could be useful (for most users) to specify in the ZeroTier controller?

  4. Which IP addresses should be whitelisted in Node-RED? I am not sure which IP address would arrive in the Node-RED httpMiddleware if the ZeroTier agent accesses Node-RED: I assume the LAN IP address and not the IP address of the devices in the virtual network. Because I 'assume' it would be good if, in this setup, Node-RED only allowed HTTP requests from the virtual IP addresses of the virtual network?

  5. @smcgann99 : do you mean traffic via their root servers? And which traffic goes via their servers as last resort, and if what fails?


Hi Bart,

My work laptop is almost always connected to my ZeroTier network.

So to your first point (ad 1):

  1. If I am away I access my Node-RED via the ZeroTier interface.
  2. If I am at home I assume it is done via my normal WLAN subnet (it is a lot faster, and it remains my primary network interface, to which my Node-RED LAN IP refers).

EDIT:

After a bit more thinking: my Node-RED always resolves to 10.10.0.100.
-> At home this means it automatically routes through my locally assigned network interface.
-> At work this means it routes via ZeroTier 192.168.192.1 to it.

Why is this important? On my iPhone I made a bookmark to my Node-RED dashboard. Since I do not want to have two bookmarks (one for @ home, one for @ work) I set routes up as mentioned below.

END EDIT

ad 2)

This could be tricky. I do not use Google voice. If it only relies on ip:port it could work. But if it requires broadcast messages this might not be possible. Also Google voice needs to understand it is assigned to two subnets.

ad 3)

I have no rules at all (called Flow Rules in the ZeroTier dashboard). Whenever I create a new network I do three things:

a) I auto-assign an IP range (just choose one to your liking :))
b) add the necessary Managed Routes (maybe this is what you are referring to with "flow"?)
c) maintain fixed IP addresses for my clients

[Screenshot 2023-12-26 at 13:08:33: ZeroTier network settings]

  • In this picture you can see that my ZeroTier subnet is 192.168.192.0/24 (LAN). This is all you need. If you stop here, you can remotely communicate between all devices joined to this network, e.g. iPhone, Node-RED server, etc.

  • However, via 192.168.192.1 (the ZeroTier IP of my central local device, which could be a Raspberry Pi with Node-RED or OPNsense) I set routes to my three local subnets. So I additionally use these routes to gain remote access to my local network as described above.

ad 4) All local and ZeroTier remote IP addresses, I assume. This is the smart thing here: you have full control over all subnet IP ranges, and they remain stable.

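Question 4 above (which source address reaches Node-RED, and which ranges to allow) and the earlier question about showing which route a client came in over can both be answered from the socket of each request. The following is an added example, not code from the thread or from Node-RED itself: an IPv4 allow-list middleware in the shape Node-RED's settings.js accepts for `httpNodeMiddleware` (dashboard and HTTP-in endpoints) or `httpAdminMiddleware` (the editor). The interface names and subnets are taken from the ifconfig output posted above and are assumptions for the example; the decision to allow only the two ZeroTier ranges follows the assumption in question 4, and adding the LAN range is a one-line change.

```javascript
'use strict';
// Added example, not code from the thread: an IPv4 allow-list middleware in
// the shape Node-RED's settings.js expects for httpNodeMiddleware (dashboard
// and HTTP-in endpoints) or httpAdminMiddleware (the editor). The subnets are
// taken from the ifconfig output posted in the thread; treat them as assumptions.

// "a.b.c.d" -> unsigned 32-bit integer, or null if the string is not IPv4.
// Node reports IPv4 peers on a dual-stack listener as "::ffff:a.b.c.d".
function ipv4ToInt(ip) {
  const m = /^(?:::ffff:)?(\d{1,3})\.(\d{1,3})\.(\d{1,3})\.(\d{1,3})$/.exec(ip || '');
  if (!m) return null;
  const o = m.slice(1, 5).map(Number);
  if (o.some((x) => x > 255)) return null;
  return ((o[0] << 24) | (o[1] << 16) | (o[2] << 8) | o[3]) >>> 0;
}

// "a.b.c.d/n" -> { net, mask } as unsigned 32-bit integers.
function parseCidr(cidr) {
  const [addr, bitsStr] = cidr.split('/');
  const bits = bitsStr === undefined ? 32 : Number(bitsStr);
  const base = ipv4ToInt(addr);
  if (base === null || !Number.isInteger(bits) || bits < 0 || bits > 32) {
    throw new Error(`bad CIDR: ${cidr}`);
  }
  const mask = bits === 0 ? 0 : (0xffffffff << (32 - bits)) >>> 0;
  return { net: (base & mask) >>> 0, mask };
}

// True if ip falls inside any of the parsed CIDRs. Anything that is not IPv4
// (a real IPv6 peer, a garbled string) is treated as outside, i.e. denied.
function inAnyCidr(ip, nets) {
  const n = ipv4ToInt(ip);
  if (n === null) return false;
  return nets.some(({ net, mask }) => ((n & mask) >>> 0) === net);
}

// Name the interface a request arrived on, from the socket's *local* address:
// it is the eth0 address for LAN traffic and the ZeroTier address for traffic
// that came in over one of the virtual networks.
function classifyLocal(localAddress, ifaces) {
  for (const [name, cidr] of Object.entries(ifaces)) {
    if (inAnyCidr(localAddress, [parseCidr(cidr)])) return name;
  }
  return 'unknown';
}

// Build the middleware: allow only peers whose *remote* address is inside one
// of allowedCidrs, answer 403 to everything else. `log` receives one line per
// request so the decision and the interface can be fed to a dashboard or log.
function makeAllowListMiddleware(allowedCidrs, ifaces, log = () => {}) {
  const nets = allowedCidrs.map(parseCidr);
  return function allowList(req, res, next) {
    const peer = req.socket.remoteAddress;
    const via = classifyLocal(req.socket.localAddress, ifaces);
    const ok = inAnyCidr(peer, nets);
    log(`${ok ? 'allow' : 'deny'} ${peer} via ${via} ${req.method} ${req.url}`);
    if (!ok) {
      res.statusCode = 403;
      res.end('Forbidden');
      return;
    }
    next();
  };
}

// Assumed layout, from the ifconfig output in the thread.
const IFACES = { eth0: '192.168.1.0/24', zt1: '192.168.192.0/24', zt2: '192.168.193.0/24' };
// Question 4's assumption: only the two ZeroTier ranges may reach Node-RED.
const ALLOWED = ['192.168.192.0/24', '192.168.193.0/24'];

// Drive the middleware with a fake request (constructed input, no server
// needed) and report what it decided.
function simulate(mw, remoteAddress, localAddress) {
  const req = { socket: { remoteAddress, localAddress }, method: 'GET', url: '/ui' };
  const res = { statusCode: 200, end() {} };
  let passed = false;
  mw(req, res, () => { passed = true; });
  return passed ? 'allowed' : `denied:${res.statusCode}`;
}

// In settings.js:  httpNodeMiddleware: makeAllowListMiddleware(ALLOWED, IFACES, console.log)
const demo = makeAllowListMiddleware(ALLOWED, IFACES);
console.log(simulate(demo, '192.168.192.33', '192.168.192.11'));     // allowed (laptop over ZeroTier)
console.log(simulate(demo, '::ffff:192.168.1.33', '192.168.1.11'));  // denied:403 (laptop over LAN)
```

Two caveats for using this for real. First, `req.socket.remoteAddress` is the address of whoever opened the TCP connection: a peer on the virtual network talking to the ZeroTier agent on the same Raspberry Pi shows up with its 192.168.192.x address, but if the traffic is routed into the LAN through a managed route on OPNsense and a NAT rule rewrites the source, Node-RED will see the router's address instead, and if Node-RED sits behind a reverse proxy it will see the proxy; in that case only trust `X-Forwarded-For` from that proxy's address. Second, this is an allow-list on source IP only; it complements, and does not replace, the login on the Node-RED editor and dashboard.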

I have asked this question in the ZeroTier community (see here). Hopefully somebody over there has a good tip to do this.


And you must be careful with any laptops, etc. that have the client configured and so can reach the network. This is often the downfall of VPNs: a compromised client.


Just ignore this if it is a daft question :face_with_raised_eyebrow:, but how does ZeroTier work with edge computing, such as a cloud MQTT broker, or if clients are cloud hosted? Would the handshakes work...

It does look like a weakness of ZT that you have to log in to manage it, but once authorised, devices seem to connect automatically, with no login and no 2FA.

According to @smcgann99 you can restrict ZT to certain ports. I have not found a simple example of this yet, but I think if only port 1880 was allowed, that would prevent e.g. SSH connections to other network devices.

Every device connected to ZeroTier has its own internet connection as well as the ZT network, so I assume that publishing or subscribing to a cloud-based MQTT broker would work perfectly well. I don't have to set up any special routing to browse the web or receive email while the laptop is connected to a ZT virtual network.


I'm no expert, but logically I would have to say this is unlikely to be possible. To be a part of the network you need to communicate via the ZeroTier client.

I use Alexa, with the Alexa remote node; some recent issues with this made me look at alternative workarounds.

I created a virtual light, and in the Alexa app I created routines. A particular routine might be called when I say "tell me who is at home"; this routine then sets the virtual light to 1% brightness. I receive this change-of-state message from the virtual device in NR and carry out the required actions.

If your use is similar then this may meet your needs? (I'm assuming that there are equivalent functions in the Google app.) There are virtual Google device nodes at least.

I am not familiar with ZeroTier (but will have a look when I have time).
I have been using ngrok to create secure tunnels from my network (which is behind a CGNAT) out to the internet, which I can then use to access back into our network from the internet. I open and close those tunnels with a Telegram message to a bot and the Telegram node.
So I send the message '/nr open' and it opens a secure tunnel out to the internet through an ngrok server; NR then sends me the internet URL via Telegram to access the tunnel. A Telegram command '/nr close' or '/close all' closes the tunnel (and the URL is no longer valid).
I can open many separate tunnels, like one for the NR UI, another for NR development, another for a NAS (not on my Pi). The only one that doesn't work is back into my router.... OPNsense recognises that the access is redirected!
ngrok is solid, easy to set up and free. Telegram is also easy to set up, but the NR Telegram bot node has problems on the Raspi, throwing regular connection errors and needing restarting. So there are frequent lost messages. The Telegram node also doesn't work with Node 20. So I am looking for alternative messaging to use.


Maybe try out Pushover to send out the tunnel URLs and see if that's more reliable.

Have you submitted issues on the Telegram node's GitHub page for the various issues you have encountered?

Not reliable? I find it rock solid.

More reliable for @ianH, as they are the one having issues with it.

We all have our own cross to bear :slight_smile:

Yep, it is an issue in GitHub. The developer thinks it is a Raspi issue that causes the connection to stop. A separate issue was raised for the Node 20 incompatibility.

Thanks for that, but looking at the node it appears to be one-way (from NR to the remote client). Unfortunately I also need to send commands into NR to open or close tunnels.
I do have a few things to try, including not using the node, and instead installing Telegram on the RasPi and accessing that through commands to Bash.

Strange, I use Node.js 20.2.0 with no issues.

You can send messages to Telegram with an http request node, using the Telegram API.
Scratch that, you could use a free-tier cloud-based MQTT broker to send messages into Node-RED.

Hey guys, I thought I'd join in on this discussion...
I needed an access-from-anywhere development system, so first I set up Proxmox on my old PC, with an Ubuntu image running Docker and Portainer, and pfSense running as an OpenVPN server. I quickly discarded it, as the DynDNS service of Digital Ocean/pfSense was not always syncing, and my home connection link drops every ~1h, so I tried fixing this with ZeroTier directly on the Ubuntu, but that also failed :confused:
And now I'm running an Ubuntu VPS/Droplet on Digital Ocean, with all ports open to ZeroTier only. And I am using Cloudflare Tunnel to expose any needed apps to the cloud :slight_smile:
I would look in the future at switching ZeroTier for something self-hosted, as I noticed greater speeds.

I would recommend only exposing (port forwarding) a VPN server out of your home network and nothing else :rofl:

EDIT #1
I was doing a Google Mail attachments project earlier this month. And while I did make all of the functionality for auth and token refresh myself, if I restart the container I need to log in again, and after being redirected to the callback URL (which is 127.0.0.1:2335/callback?callback=...) I just copy-paste the server address and port instead of localhost.