mwarning / zerotier-openwrt

An OpenWrt package for ZeroTier One - Pull requests are welcome!

FW4 + zerotier ssh = connection refused (outdated documentation?) #124

Closed mwoz123 closed 1 week ago

mwoz123 commented 3 weeks ago

I get Connection refused when trying to login to zerotier ssh.

I'm using:

OpenWrt 23.05.4,
Zerotier 1.12.2 
OpenSSH_9.8p1

I'm connected to network with openwrt device

root@OpenWrt:/home/marcin# zerotier-cli listnetworks
200 listnetworks <nwid> <name> <mac> <status> <type> <dev> <ZT assigned ips>
200 listnetworks 17d709436cec3125 Dom 26:86:4c:2c:5a:2d OK PRIVATE ztks56k4sj fd17:d709:436c:ec31:2599:93b7:a040:1924/88,192.168.192.1/24

and laptop.

I was following the documentation step by step at https://openwrt.org/docs/guide-user/services/vpn/zerotier but it might be outdated:

Section @rule[9] (Support-UDP-Traceroute) is disabled, ignoring section
Section @include[0] is not marked as compatible with fw4, ignoring section
Section @include[0] requires 'option fw4_compatible 1' to be considered compatible

as it seems to have been created for fw3, and OpenWrt now uses fw4.

full log:

root@OpenWrt:/home/marcin# # Configure firewall
root@OpenWrt:/home/marcin# uci -q delete firewall.vpn
root@OpenWrt:/home/marcin# uci set firewall.vpn="zone"
root@OpenWrt:/home/marcin# uci set firewall.vpn.name="vpn"
root@OpenWrt:/home/marcin# uci set firewall.vpn.input="REJECT"
root@OpenWrt:/home/marcin# uci set firewall.vpn.output="ACCEPT"
root@OpenWrt:/home/marcin# uci set firewall.vpn.forward="REJECT"
root@OpenWrt:/home/marcin# uci set firewall.vpn.masq="1"
root@OpenWrt:/home/marcin# uci set firewall.vpn.mtu_fix="1"
root@OpenWrt:/home/marcin# uci add_list firewall.vpn.device="ztks56k4sj"
root@OpenWrt:/home/marcin# uci -q delete firewall.lan_vpn
root@OpenWrt:/home/marcin# uci set firewall.lan_vpn="forwarding"
root@OpenWrt:/home/marcin# uci set firewall.lan_vpn.src="lan"
root@OpenWrt:/home/marcin# uci set firewall.lan_vpn.dest="vpn"
root@OpenWrt:/home/marcin# uci -q delete firewall.ssh
root@OpenWrt:/home/marcin# uci set firewall.ssh="rule"
root@OpenWrt:/home/marcin# uci set firewall.ssh.name="Allow-SSH"
root@OpenWrt:/home/marcin# uci set firewall.ssh.src="vpn"
root@OpenWrt:/home/marcin# uci set firewall.ssh.dest_port="22"
root@OpenWrt:/home/marcin# uci set firewall.ssh.proto="tcp"
root@OpenWrt:/home/marcin# uci set firewall.ssh.target="ACCEPT"
root@OpenWrt:/home/marcin# uci commit firewall
root@OpenWrt:/home/marcin# service firewall restart
Section @rule[9] (Support-UDP-Traceroute) is disabled, ignoring section
Section @include[0] is not marked as compatible with fw4, ignoring section
Section @include[0] requires 'option fw4_compatible 1' to be considered compatible
root@OpenWrt:/home/marcin#

ogarcia commented 3 weeks ago

We do not maintain that page (the OpenWrt wiki is maintained by the community); in fact, the page itself tells you at the top to always go to our wiki for the most up-to-date instructions.

That said, the instructions on that page are not entirely accurate. The easiest way is to create both the interface and the zone with LuCI (it's more visual), but if you prefer commands, they are as follows:

# Create interface
uci set network.ZeroTier=interface
uci set network.ZeroTier.proto='none'
uci set network.ZeroTier.device='ztks56k4sj'

# Create zone
uci add firewall zone
uci set firewall.@zone[-1].name='vpn'
uci set firewall.@zone[-1].input='ACCEPT'
uci set firewall.@zone[-1].output='ACCEPT'
uci set firewall.@zone[-1].forward='ACCEPT'
uci set firewall.@zone[-1].masq='1'
uci add_list firewall.@zone[-1].network='ZeroTier'
uci add firewall forwarding
uci set firewall.@forwarding[-1].src='vpn'
uci set firewall.@forwarding[-1].dest='lan'
uci add firewall forwarding
uci set firewall.@forwarding[-1].src='vpn'
uci set firewall.@forwarding[-1].dest='wan'
uci add firewall forwarding
uci set firewall.@forwarding[-1].src='lan'
uci set firewall.@forwarding[-1].dest='vpn'

# Commit changes
uci commit

As you'll notice, before configuring the zone (the firewall) you have to create an interface, so that the system works in the most orderly way possible. Nor is it necessary to create rules; it is simpler to allow traffic to and from the VPN by default since, by definition, it should be considered a secure network.
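
The commands above give the wiring (interface first, then a zone attached to it, then the forwardings), but nothing in the thread shows how to confirm the result on the router once `uci commit` has run. The following is an added example, not code from zerotier-openwrt or from the OpenWrt project: it parses the UCI text of /etc/config/network and /etc/config/firewall and reports whether a zone covers the ZeroTier device, whether lan and that zone forward to each other, and how SSH from the ZeroTier side is admitted (an ACCEPT input policy as in ogarcia's commands, or an explicit tcp/22 rule as in the wiki commands from the first post). The sample configs are constructed; the device name ztks56k4sj is the one from the thread, and the DROP default for an unset zone policy and the tcpudp default for a rule's proto are OpenWrt's documented defaults.

```python
"""Check the ZeroTier zone wiring in OpenWrt UCI config text.

Added example, not part of zerotier-openwrt. Parses /etc/config/network and
/etc/config/firewall as text and reports whether a zone covers the ZeroTier
device, whether lan<->zone forwarding exists both ways, and how SSH from the
ZeroTier side is admitted (open input policy, or an explicit tcp/22 rule).
"""
import shlex

# Constructed samples; the device name ztks56k4sj is the one from the thread.
SAMPLE_NETWORK = """\
config interface 'ZeroTier'
	option proto 'none'
	option device 'ztks56k4sj'
"""

# Roughly what ogarcia's commands leave in /etc/config/firewall
# (lan/wan zones and the wan forwardings omitted for brevity).
SAMPLE_FIREWALL = """\
config zone
	option name 'vpn'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'ACCEPT'
	option masq '1'
	list network 'ZeroTier'

config forwarding
	option src 'vpn'
	option dest 'lan'

config forwarding
	option src 'lan'
	option dest 'vpn'
"""


def parse_uci(text):
    """Parse UCI text into dicts: '.type', '.name', str per option, list per list."""
    sections, cur = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        w = shlex.split(line)  # UCI quoting is shell-like: 'x', "x" or bare
        if w[0] == "config":
            cur = {".type": w[1], ".name": w[2] if len(w) > 2 else None}
            sections.append(cur)
        elif cur is not None and w[0] == "option":
            cur[w[1]] = w[2] if len(w) > 2 else ""
        elif cur is not None and w[0] == "list":
            cur.setdefault(w[1], []).append(w[2] if len(w) > 2 else "")
    return sections


def _values(section, key):
    """Option or list values stored under key, always as a list."""
    v = section.get(key, [])
    return v if isinstance(v, list) else [v]


def check_zerotier_zone(network_text, firewall_text, device):
    """Report how the firewall treats traffic arriving on the ZeroTier device."""
    net, fw = parse_uci(network_text), parse_uci(firewall_text)
    rep = {"zone": None, "input": None, "vpn_to_lan": False,
           "lan_to_vpn": False, "ssh_allowed": False, "problems": []}
    # Interfaces bound to the device: the step ogarcia says must come first.
    ifaces = {s[".name"] for s in net
              if s[".type"] == "interface" and s.get("device") == device}
    if not ifaces:
        rep["problems"].append(f"no interface uses device {device}")
    # A zone covers the device via one of those interfaces or by listing it directly.
    zone = next((s for s in fw if s[".type"] == "zone" and
                 (ifaces & set(_values(s, "network")) or device in _values(s, "device"))),
                None)
    if zone is None:
        rep["problems"].append(f"no firewall zone covers device {device}")
        return rep
    name = zone.get("name")
    rep["zone"], rep["input"] = name, zone.get("input", "DROP")  # DROP: OpenWrt default
    fwd = {(s.get("src"), s.get("dest")) for s in fw if s[".type"] == "forwarding"}
    rep["vpn_to_lan"], rep["lan_to_vpn"] = (name, "lan") in fwd, ("lan", name) in fwd
    for ok, pair in ((rep["vpn_to_lan"], f"{name}->lan"), (rep["lan_to_vpn"], f"lan->{name}")):
        if not ok:
            rep["problems"].append(f"missing forwarding {pair}")
    # SSH from this zone reaches the router if input is ACCEPT outright, or if a
    # rule with this zone as src accepts tcp/22 (rule proto defaults to tcpudp).
    ssh_rule = any(s[".type"] == "rule" and s.get("src") == name
                   and s.get("target") == "ACCEPT"
                   and s.get("proto", "tcpudp") in ("tcp", "tcpudp")
                   and "22" in " ".join(_values(s, "dest_port")).split() for s in fw)
    rep["ssh_allowed"] = rep["input"] == "ACCEPT" or ssh_rule
    if not rep["ssh_allowed"]:
        rep["problems"].append(f"zone {name}: input={rep['input']} and no tcp/22 rule")
    return rep


if __name__ == "__main__":
    print(check_zerotier_zone(SAMPLE_NETWORK, SAMPLE_FIREWALL, "ztks56k4sj"))
```

Copy the two files off the router and pass their contents in; when SSH over ZeroTier is refused, the `problems` list is the first thing to read. The report also surfaces the zone's input policy, so it is visible at a glance whether the ZeroTier zone is wide open to the router (ogarcia's simpler choice) or gated by a single Allow-SSH rule (the stricter shape the wiki commands aimed for).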

mwoz123 commented 3 weeks ago

Thanks @ogarcia :) Appreciate your help, especially as I've nearly no knowledge when it comes to firewalls... I'll check that once I'm back next week.

mwoz123 commented 1 week ago

Works :) Thanks @ogarcia :)

Btw, how about adding it to the wiki? I was checking if I can edit / create a PR for it, but it seems public editing is disabled and GH doesn't handle PRs for wikis...

mwarning commented 1 week ago

Btw, it would be nice to move the wiki to the OpenWrt Wiki. :-)

ogarcia commented 1 week ago

On the ZeroTier page of the OpenWrt wiki the first line reads:

Zerotier creates a virtual network between hosts. You may refer to zerotier-openwrt's official Wiki for the latest instructions.

I think that leaving it as it is is the most accurate because the OpenWrt wiki can be edited by anyone (and therefore put an exotic configuration that only works for that person) and yet our wiki is controlled. Using only the OpenWrt wiki would force us to be regularly checking that nobody makes changes that break the configuration and that is a pain.

In any case I have edited our wiki page and the OpenWrt wiki page and added what we have discussed here. :wink: