Bash Cli ZT for self-hosted ZeroTier controllers

Captions
Hi folks, I want to show you this program I wrote called Bash Cli ZT. It's a set of bash scripts that allow you to run your own ZeroTier controller, self-hosted, so you don't have to use their platform or their web interface to set up and manage your networks. That's part of the ZeroTier package and philosophy: this is open source, you download it, you run your own controller. Now, you do use their root servers in order to find the ZeroTier server that's closest to you to route traffic, and to store metadata like your public keys and the IPs of your clients so it knows how to get back and forth. What's important to understand, though, is that by default ZeroTier will try to find the fastest route, so it doesn't route your traffic through its servers; it tries not to, it tries to do point-to-point. So when I connect to my server, here are my two nodes: this is an LXC container and this is a host I have on the public internet, and when these hosts communicate via ZeroTier it tries to communicate point-to-point directly, because it's faster. Now, if there was some network configuration that prevented it from punching a hole through point-to-point, then it would route traffic through its servers, but just be aware that the traffic between clients or nodes in your LAN is all encrypted, so they still can't see your traffic. I'll do a traffic analysis video to show you how that works and how that looks, to demonstrate that.

There's another project called ztncui, and if you prefer a GUI-based interface to manage a self-hosted ZeroTier controller then you can use this, by all means. The only feature it doesn't have is the ability to modify your flow rules. One thing you can do is use a JSON program and study the format and add rules to it, but that's something I did add to my program.

So I'm going to go ahead and download this script, and here is my controller. Now, your self-hosted controller doesn't even need to be up and running all the time; it's really only used to help join nodes, or peers (I keep going back and forth with that term, I need to be consistent), to your LAN. So I'm going to download this here, and just be sure when you install that you have the prerequisites: curl, jq and ipcalc, and that should take care of it. All right, so I'm going to unzip this and it creates the directory structure, so I'm going to cd to bash-cli-zt. You don't need to be the root user to execute this, you just need to be a user that can run the program, so if you're a non-root user you can just type bash-cli-zt networks, like that, and that brings up the menu. You navigate it using the numeric options here or the options you see in the brackets.

So first, if I do 5, list networks, there are no networks to connect to because I haven't created one yet. My initial development of this was all on a Chromebook using the Linux virtual machine built within it, and your self-hosted controller can be a Raspberry Pi, a Raspberry Pi Zero or some device that you want to use for the controller. Okay, and you just saw there are no networks here, so let's go ahead and create a network. This is my test ZT network, and I'm just going to allow it to auto-generate an IP range. Oops, I didn't hit the... "my test ZT network", there we go. I'll let it auto-generate a range. There's my network ID; you're going to need this for your peers, because they're going to join it based on this ID here. Okay, and whenever you create a new network, by default it's going to be private, which means that users have to know what your network ID is before they can join it. Hit enter here, and here it auto-generated; this is what ipcalc does for you, it auto-generates a network. Do I want to save the settings? Yes. No errors here, so this is good, so peers can now join the network. I hit 5 to list networks and you can see there's my ZeroTier network, and here is the range, starting at 1 up to 254.

All right, so now let's look at adding peers to the network. Oh, I did that without telling you exactly what I did, my apologies, let me go back. Type 3 to go to manage peers, and then you're going to get a list of all your networks, and in this case we have one, so I just type 1 there. If I try to list peers I have no peers there, and I have no authorized peers or unauthorized peers. Okay, so what I'm going to do now is join this network with my two peers. Now, these are geographically separated: this is running in a Linux container, and this one is publicly accessible. You can see the IP address for this host is on a private network; it is within my public LXC, my public server, but the two servers are geographically separate. I think this is, I don't know, east coast somewhere, and then this one I think is in California, if I'm not mistaken. All right, so now I'm going to go back and get my network ID, then I'm going to go to zerotier-cli join and my ID. Again, I'm just using Linux for quickly demonstrating, but ZeroTier works on a variety of operating systems; Windows has a GUI that you can use to join, and you just copy and paste or type in the network ID. So I just joined these two to my network, and if I go to unauthorized peers I have these two peers here, because by default when someone joins your network, because it's set to private by default, they have to be authorized to join. And you want to be sure that you know the client ID before you authorize it, just so you don't authorize a rogue device, so you can see this matches number 1, and zerotier-cli status here matches the node ID. So I'm going to type 1 here, I'm going to type 1, and then I hit 2 to list, I'm sorry, 3 to list authorized peers. You can see this host is now authorized to the network, and it should have this IP address; if I check the IPs you can see there's the IP address right there, which is auto-assigned by ZeroTier. I go to list unauthorized peers, you can see I have my last one here, hit 1, and now if I list peers, I'll give it a moment, it may take a moment just to get an IP address. There it goes, and there's my other IP. Okay, so it may just take a few seconds to negotiate an IP address, but that's totally normal.

All right, I go to 1 to list all peers, and you see those are my peers here. So if I had, you know, 10 peers, I can hit this right here, number 1, to show me all my peers that are authorized, and you can unauthorize a peer, and you can also delete a peer, which means it's not going to show up in any of the lists here. But when you unauthorize a peer, it's going to be put back into the unauthorized peers. So let me just show you that real quick: hit 4 to unauthorize a peer, and let's just do 1 here. I go to list the authorized peers, you see I only have one in my list now. If I go hit that peer... yes, right, so this host can no longer communicate with the network. Let's just test that: ping 192.168.214.236, sorry, something like that. See, I can't communicate with this peer because it doesn't exist anymore. All right, correction, it exists, it's just not authorized, excuse me, I apologize for that. So I'm going to leave this ping running, and then I'm going to authorize this peer, so 3, and then oops, there's another peer, 2, one moment. And now you see the pings are now working. All right, let me be sure I can ping 192.168.214.234, but I'm going to ping from here to this host now. There we go.

The next thing about ZeroTier: very quick, very easy, very simple to set up. Once you have a peer that joins the network, then depending on the flow rules or the firewalls you have in place, they can see each other. So this container is behind a NATed host, but I can very easily communicate out to it, and also this public host can communicate directly to this container on a private network. That's the beauty of ZeroTier: it's a global area network, to allow you to bring distributed hosts into one LAN, a flat LAN.

Okay, so let's go back here, and now I'm going to explain how you can edit flow rules. This is what allows you to add firewall rules to your network. So even though you may have, I don't know, 100 peers on one network, with ZeroTier (and I don't have it in this current version) you can set up VLANs so that 10 hosts are on one VLAN and the other 90 hosts are on a separate LAN, theoretically, or you can set up multiple VLANs. I just don't have that capability, but you can do that with ZeroTier. So even though you have one network, for example, you can still separate and isolate those to a specific LAN and apply specific flow rules or firewall rules to that as well. All right, so now I'm going to edit flow rules, right here, 4, and your list of networks will be here so you can select the one that you want to add the rules for. I type 1, and by default you're going to have this template here that shows you the format for the rules. By default with ZeroTier, even via their web interface, all traffic is allowed and all these protocols here are allowed as well, and if you don't want or don't use IPv6 then you can just comment IPv6 out, for example, because my rules are really not set up for IPv6 yet; it just supports IPv4 right now. And, you know, I should have chosen a better delimiter, because that's a colon, now that I think about it; well, I've thought about that before, but anyway. So I don't want IPv6, and all you've got to do now is follow this format to add or remove firewall rules. So I'm going to install... oh, I have SSH installed on this system here, yeah. So I'm going to SSH to 192.168.214.236, and you see that's a prompt. I'm not going to log in, I'm just going to show you how the flow rules work: I can SSH from my container here over to my public system via the ZeroTier network. All right, so I'm going to drop tcp:22. That's all you've got to do, just follow the examples that I have here in this template; you can do source and destination and things of that nature as well. All right, and then I'm going to Ctrl-X to save that... no, no, all right, I think I made a mistake there, I just saw it, sorry: IPv6 commented out, to show you how you can comment out protocols. There we go. Ctrl-X, modify buffer, yes, save changes, yes. What it does here is it prints out the rule in the JSON format that ZeroTier uses by default, okay, so you can just scroll through and look at the capabilities and look at the format that was added there. You can see here is the rule to drop 22 right there, SSH, and there's protocol 6, and then down here it says rule committed, and be sure to test. Any time you implement a firewall rule you always want to be sure it works. So I'm going to try to SSH... oops, you know, that's not going to work, I'm sorry, I forgot I had that on a different port number. Let me edit this: see, I went back here, I edited my rule, there we go, yes, save that change, yes, there we go, scroll up, see, that's my 10 22. All right, now you see I can no longer SSH. So that's how you can add in your firewall rules.

Okay, and if you have multiple routes, or correction, if you have multiple nodes, you can use a ZeroTier node as a gateway to another network if you so choose, and number 6 is where you would manage those routes if necessary. There are a couple of advanced options that you can enable; if you want to pursue that you can check out the documentation on their website. And you can update your... like, if you want to choose a different IP address range, let's say this conflicts with a range that you have on a remote network, otherwise you're going to run into routing issues, then you could completely change the network IP assignment, update the description, and you can delete a ZeroTier network as well.

All right, so this is my Bash Cli ZT program that I wrote and created to allow someone to host their own ZeroTier controller. So let me edit the rule: I'm going to now remove this, or comment this out, Ctrl-X to save it, yes, enter, save changes, yes, right, and now that rule is gone, it's no longer in the list here, so now, see, I got my prompt. ZeroTier is very powerful; you can put in rules here so that if you want to have, like, a game server that you want to host on your private network, then you can do that, and then you can put in a rule that only allows specific users access, or correction, those nodes that connect, you can force them to use a specific port, and any other port they try, then you can by all means drop that as well. Within the documentation here in this template, it explains to you the different rules that you can enable; for example, if you want to drop all traffic, then you can modify the rules here so that only specific traffic is allowed, change default accept to drop, for example, and then you have to put in explicit rules to allow users to connect back and forth. Just be aware of that.

Okay, so if you have any questions let me know, and if there are any features you'd like to see, let me know. I want to extend this. I am about to start teaching and doing research, working on my dissertation, so my availability may be limited, but I will get back to you regarding feature requests and things of that nature. I'm going to need a break from all the writing I'm going to be doing the next several months, so I'm happy to extend and build on this program. If you'd like to see anything else, please let me know, and I hope you have an opportunity to use my program and contribute code or provide suggestions, any issues and bugs you find, I'd appreciate that. All right, well, thanks folks, and I hope that you will make use of it. Okay.
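The flow-rule step shown in the video (a template line such as drop tcp:22 becoming the JSON rule array the controller stores, then committing it to the network) as an added example that is not part of the video or the Bash Cli ZT project. The rule-line syntax, the controller endpoint on 127.0.0.1:9993 and the authtoken.secret path are assumptions.

```shell
# Added example, not Bash Cli ZT's own code: turns "drop tcp:22" / "accept"
# lines like the video's rule template into the JSON rule array a self-hosted
# ZeroTier controller stores. Assumes API on 127.0.0.1:9993 + authtoken.secret.
set -eu

# IANA protocol numbers that ZeroTier's MATCH_IP_PROTOCOL rule carries.
proto_num() {
  case "$1" in
    tcp) echo 6 ;; udp) echo 17 ;; icmp) echo 1 ;;
    *) echo "unknown protocol: $1" >&2; return 1 ;;
  esac
}

# One rule line -> JSON objects. "drop tcp:22" becomes a protocol match,
# a destination-port match and ACTION_DROP; a bare "accept" is the
# catch-all ACTION_ACCEPT that must stay last, or everything is dropped.
rule_to_json() {
  local action=$1 spec=${2:-} proto port n
  case "$action" in
    drop)   action=ACTION_DROP ;;
    accept) action=ACTION_ACCEPT ;;
    *) echo "unknown action: $action" >&2; return 1 ;;
  esac
  if [ -n "$spec" ]; then
    proto=${spec%%:*}; port=${spec#*:}
    n=$(proto_num "$proto") || return 1
    case "$port" in ''|*[!0-9]*) echo "bad port: $port" >&2; return 1 ;; esac
    printf '{"type":"MATCH_IP_PROTOCOL","ipProtocol":%s},' "$n"
    printf '{"type":"MATCH_IP_DEST_PORT_RANGE","start":%s,"end":%s},' "$port" "$port"
  fi
  printf '{"type":"%s"}' "$action"
}

# Whole rule set from stdin; '#' lines are comments, as in the template
# (commenting out a protocol line simply leaves it out of the rule set).
rules_to_json() {
  local out='' line
  while read -r line; do
    case "$line" in ''|'#'*) continue ;; esac
    out="$out${out:+,}$(rule_to_json $line)"   # word split: action + spec
  done
  printf '[%s]' "$out"
}

# Commit the rule set to one network on the local controller.
push_rules() {  # push_rules <16-hex network id> <rules json>
  curl -sS -X POST -H "X-ZT1-Auth: $(cat /var/lib/zerotier-one/authtoken.secret)" \
    -d "{\"rules\":$2}" "http://127.0.0.1:9993/controller/network/$1"
}
```

After push_rules, test the rule set the way the video does, by trying the blocked port from a peer, and keep the accept line last.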
Info
Channel: Duane Dunston
Views: 667
Id: C2HS3cQZY5U
Length: 19min 57sec (1197 seconds)
Published: Sat Aug 14 2021