Add initial commit for bonus zerotier installation #1253
I'll be adding the above-mentioned features over the weekend during the #LightningHacksprint if my "proposal" to add ZeroTier is welcome 😉
ZeroTier looks like a nice addition if you want to run your RaspiBlitz in a more complex overlay network setup. @21isenough so sure :) happy to see an integration for RaspiBlitz. What is your personal use case?
Very cool @rootzoll 👍 Yes, happy to integrate this properly. I literally couldn't be without ZeroTier anymore. It has almost completely replaced my "normal" LAN. Every device I own is hooked up into my ZeroTier network and it makes the devices completely location and network independent. Some of the things:
While much of this could be solved over TOR as well, ZeroTier is much less complex. My traffic is also encrypted over ZeroTier and there's no need for NAT - all my devices can talk to each other regardless of where I am. Here you go - that was my little love letter to ZeroTier ❤️ 😄 😆
If it works well for you, it will also for others :) With v1.6 there will also be IP2TOR tunnels that can be booked as a subscription to make it very easy to connect to your node running behind TOR through a public IP. ZeroTier could be a good alternative if people want to keep it all in a private overlay LAN. Some more integration points to consider: If you connect your mobile apps you should also consider editing the And once you turn ZeroTier on and you have your overlay IP you should prob add it to the LND TLS cert - you can call the
Perfect. Looking forward to that IP2TOR tunnel 🔥 Yes, will take care of this too 👍 Question regarding the LND TLS cert:
Not sure about this, but isn't connecting through ZeroTier similar to Tor or an SSH tunnel, so that from LND's point of view it comes from localhost?
Ok, I see. Yes, I believe it's the same as with Tor and/or an SSH tunnel, works all fine with me without changing anything.
This current version of the ZeroTier integration works. The install and uninstall scripts are functioning properly and the menu is enhanced to display ZeroTier items in the same way as other additional services. To further improve I would need to save the ZeroTier Network ID into
The "SERVICES" menu is now split into two parts: "SETTINGS" (which should be the place for ZeroTier because it's part of the infrastructure) and "SERVICES" (which are additional Apps).
@21isenough I merged and added the missing features. Would be great if you can then do final testing once the v1.6RC2 is out.
Oh, wow ❤️ Yes, can absolutely do that. Nice addition with the [?networkid] as an additional parameter 👍
Always keep in mind that all the data once given to join a network (which can be with dialogs) then on an update/recovery needs to run automatically with the stored credentials. So the I think that works for public ZeroTier networks, but private ones are a bit more difficult because it needs "manual acceptance" from the ZeroTier admin. To further support this process you can build something into
Yes, your concerns are valid and I thought about this too. This is why I'm suggesting to implement a "GUI" through the I'm not exactly sure what you mean by "private" and "public" ZeroTier networks. But it is clear that the user will have to manually confirm his device and accept it back into his network through the ZeroTier admin panel after a restore process. There is indeed an option to preserve the installation and settings (app-data directory). BUT I discussed this option with @openoms a while ago and we agreed that it is not a good idea to save that data to the HDD because you can potentially get very easy access to a user's ZeroTier network with a stolen RaspiBlitz by just running the recovery process. We think it is better that the user has to manually accept a device back into his network instead of automating it and introducing a vulnerability into your virtual private network (of course, if the attacker knows what they are doing, they can just preserve that directory from the SD card, but it still doesn't happen automatically). What are your thoughts on this?
Agreed @21isenough. The issue with automatically restoring the ZeroTier connection is indeed that with the recovery process one can reset the SSH password and get back into the ZeroTier VPN without needing to be accepted again. Needing to enter the networkID through the menu after an update would be an acceptable inconvenience and would avoid sacrificing security. There could be a few lines about needing to log in to the ZeroTier account and accepting the connection for the first time.
When I created a network there was the option to switch it from a private to a public network where every device can join by network-id without manual adding.
Yes. The zerotier can check the status (if ACCESS_DENIED still) and let the user know to still add the devices, and that would be redone after every update.
This bonus script adds the functionality to join a ZeroTier network via CLI for remote connection to the RaspiBlitz.
Things TODO:
00mainMenu.sh
00settingsMenuServices.sh
_bootstrap.provision.sh
Detect and deny uninstall if SSH connected via ZeroTier
Error message if incorrect/invalid Network ID entered