zerotier / ZeroTierOne

A Smart Ethernet Switch for Earth
https://zerotier.com

Binding IPs doesn't work with primaryPort #1252

Closed StefanoBalocco closed 3 years ago

StefanoBalocco commented 4 years ago

I'm trying to set up a zerotier-one VPN (1.4.6) using both "bind" and "primaryPort" in my local.conf. When I add "primaryPort": 65510 I got this result:

TCP 127.0.0.1:65510 (LISTEN)
TCP [::1]:65510 (LISTEN)
UDP 192.168.1.1:65510
TCP 192.168.1.1:65510 (LISTEN)
UDP 192.168.8.1:65510
...other on 65510...

When I add (after or before primaryPort) "bind": [ "192.168.1.1" ], it seems to forget about the primaryPort configuration option and I got this result:

TCP 127.0.0.1:65510 (LISTEN)
TCP [::1]:65510 (LISTEN)
UDP 192.168.1.1:33319
TCP 192.168.1.1:36465 (LISTEN)
...nothing else on TCP or UDP...

Linux, Debian buster

laduke commented 4 years ago

You may need portMappingEnabled and allowSecondaryPort set to false, if you don't want two other random ports.

StefanoBalocco commented 4 years ago

I suppose that the formatting doesn't help. I reformatted the issue. If you look at the quoted part you can notice that in the first example there is a listener on 162.168.1.1:65510, while in the second one it is missing. With just primaryPort set there isn't any socket listening on random ports, while with primaryPort and bind the primary port is used only for 127.0.0.1 and ::1 (but not for the bind IP).

I forgot to add that I already tried to set portMappingEnabled to false and allowSecondaryPort to false.

# zerotier-cli -j info
{
 ...
 "settings": {
  "allowSecondaryPort": false,
  "allowTcpFallbackRelay": true,
  "bind": [
   "192.168.1.1"
  ],
  "controllerDbPath": null,
  "portMappingEnabled": false,
  "primaryPort": 65510,
  "rabbitmq": null,
  "softwareUpdate": "disable",
  "softwareUpdateChannel": "release"
 }

thoradia commented 4 years ago

I confirm the issue. In fact, it appears that the bind setting does not work at all.

ps -ef | grep zero
  373 root      0:10 /storage/.kodi/addons/service.zerotier-one/bin/zerotier-one

more local.conf
{
  "physical": {
  },
  "virtual": {
  },
  "settings": {
    "bind": [ "192.168.0.123" ]
  }
}

zerotier-cli -j info
{
 "address": "..",
 "clock": ..,
 "config": {
  "physical": {},
  "settings": {
   "allowTcpFallbackRelay": true,
   "bind": [
    "192.168.0.123"
   ],
   "controllerDbPath": null,
   "portMappingEnabled": true,
   "primaryPort": 9993,
   "rabbitmq": null,
   "softwareUpdate": "disable",
   "softwareUpdateChannel": "release"
  },
  "virtual": {}
 },
 "online": true,
 "planetWorldId": ..,
 "planetWorldTimestamp": ..,
 "publicIdentity": "..",
 "tcpFallbackActive": false,
 "version": "1.4.6",
 "versionBuild": 0,
 "versionMajor": 1,
 "versionMinor": 4,
 "versionRev": 6
}

netstat -aptu | grep zero
tcp        0      0 192.168.0.123:42331     0.0.0.0:*               LISTEN      373/zerotier-one
tcp        0      0 localhost:9993          0.0.0.0:*               LISTEN      373/zerotier-one
tcp        0      0 localhost:9993          :::*                    LISTEN      373/zerotier-one
udp        0      0 192.168.0.123:45800     0.0.0.0:*                           373/zerotier-one

StefanoBalocco commented 4 years ago

My idea is that the bind option works, but only on the secondary/tertiary ports, ignoring each option to filter out those ports. Well, that is a borderline meaning of "works".

thoradia commented 4 years ago

According to the current code, ports are bound to all addresses except the addresses of the bind setting. I have submitted pull request #1257 to add ports to the addresses of the bind setting. With #1257 ports are bound to the addresses of the bind setting; without it they are not.

StefanoBalocco commented 4 years ago

> According to the current code, ports are bound to all addresses except the addresses of the bind setting. I have submitted pull request #1257 to add ports to the addresses of the bind setting. With #1257 ports are bound to the addresses of the bind setting; without it they are not.

Great, does your patch also respect allowSecondaryPort: false and portMappingEnabled: false?

thoradia commented 4 years ago

> Great, does your patch also respect allowSecondaryPort: false and portMappingEnabled: false?

Yes

flysatss commented 3 years ago

OPNsense (freebsd) zerotier client 1.6.2

Enabling the "bind" option -> binds to the selected ip:RANDOM_PORT.

This error has been seen for more than 6 months. In my network config, I need to add reflection rules. Disappointed by the dev reaction.

taniaengel commented 3 years ago

On Win10 running ZT 1.6.5 we see this problem still. We have this local.conf:

{"settings":{"primaryPort":9993,"allowSecondaryPort":false,"portMappingEnabled":false,"allowTcpFallbackRelay":false}}

c:\ProgramData\ZeroTier\One>netstat -an | find "9993"
TCP 10.5.33.14:9993 0.0.0.0:0 LISTENING
TCP 127.0.0.1:9993 0.0.0.0:0 LISTENING
TCP 192.168.1.105:9993 0.0.0.0:0 LISTENING
TCP [::1]:9993 [::]:0 LISTENING
TCP [::1]:9993 [::1]:59406 TIME_WAIT
TCP [fd70:616e:6761:6561:580a:5049:55cf:4eba]:9993 [::]:0 LISTENING
UDP 10.5.33.14:9993 *:*
UDP 192.168.1.105:9993 *:*
UDP [fd70:616e:6761:6561:580a:5049:55cf:4eba]:9993 *:*

We update our local.conf:

{"settings":{"primaryPort":9993,"allowSecondaryPort":false,"portMappingEnabled":false,"allowTcpFallbackRelay":false, "bind": ["192.168.1.105"]}}

We restart the ZeroTier One service. Now it is not listening on UDP at all:

c:\ProgramData\ZeroTier\One>netstat -an | find "9993"
TCP 127.0.0.1:9993 0.0.0.0:0 LISTENING
TCP [::1]:9993 [::]:0 LISTENING

c:\ProgramData\ZeroTier\One>zerotier-cli -j info
{
 "address": "2c42e9a194",
 "clock": 1624907402632,
 "config": {
  "physical": null,
  "settings": {
   "allowSecondaryPort": false,
   "allowTcpFallbackRelay": false,
   "bind": [
    "192.168.1.105"
   ],
   "controllerDbPath": null,
   "portMappingEnabled": false,
   "primaryPort": 9993,
   "softwareUpdate": "disable",
   "softwareUpdateChannel": "release"
  }
 },
 "online": true,
 "planetWorldId": 8097874995283583487,
 "planetWorldTimestamp": 1624660534026,
 "publicIdentity": "2c42e9a194:0:55182a26e0c759b756a1bd754e62bbe08ee4c7eb054cc0dd7ba2e7dc938d516ece152ab18ab7f2abade9a6537b90883102a8bcbf9c7a18725d5bd8dff95662a0",
 "tcpFallbackActive": false,
 "version": "1.6.5",
 "versionBuild": 0,
 "versionMajor": 1,
 "versionMinor": 6,
 "versionRev": 5
}

laduke commented 3 years ago

If anyone has a chance, try the dev branch. Thanks, @thoradia!

taniaengel commented 3 years ago

The dev does seem to work!

c:\ProgramData\ZeroTier\One>zerotier-cli -j info
{
 "address": "2c42e9a194",
 "clock": 1625008566188,
 "config": {
  "physical": null,
  "settings": {
   "allowSecondaryPort": false,
   "allowTcpFallbackRelay": false,
   "bind": [
    "192.168.1.105"
   ],
   "controllerDbPath": null,
   "portMappingEnabled": false,
   "primaryPort": 9993,
   "softwareUpdate": "disable",
   "softwareUpdateChannel": "release",
   "ssoRedirectURL": null
  }
 },

c:\ProgramData\ZeroTier\One>netstat -an | find "9993"
TCP 127.0.0.1:9993 0.0.0.0:0 LISTENING
TCP 192.168.1.105:9993 0.0.0.0:0 LISTENING
TCP [::1]:9993 [::]:0 LISTENING
UDP 192.168.1.105:9993 *:*
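The thread's whole diagnostic loop is "set bind/primaryPort in local.conf, then read netstat to see whether the daemon actually honoured it". The script below automates that comparison. It is an added example written for this page, not code from the ZeroTier project or from any participant: it parses the local-address column of either Linux `netstat -aptu` or Windows `netstat -an` lines (assumed to be already filtered to zerotier-one, as the grep/find commands above do), and reports where the observed sockets deviate from the intent expressed in the `settings` block: a bind address not holding `primaryPort` on both TCP and UDP, sockets on addresses outside the bind list, or random ports on a bind address even though `allowSecondaryPort` and `portMappingEnabled` are false. The sample netstat lines and configs are constructed from the outputs quoted in the thread; the Linux sample combines thoradia's socket list with StefanoBalocco's "both disabled" settings so that the random-port finding is exercised.

```python
"""Cross-check zerotier-one's actual listeners against local.conf (added example)."""
from __future__ import annotations

import json
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Sock:
    proto: str  # "tcp" or "udp"
    addr: str   # local address as printed: IPv4, bracket-less IPv6, or hostname
    port: int


# Local-address column in either netstat dialect: "10.5.33.14:9993",
# "localhost:9993" or "[::1]:9993". A wildcard port ("0.0.0.0:*") does not match.
_LOCAL = re.compile(r"^(?:\[(?P<v6>[^\]]+)\]|(?P<v4>[^\s:]+)):(?P<port>\d+)$")

# The control socket on loopback is expected on every host and is not a finding.
LOOPBACK = {"127.0.0.1", "::1", "localhost"}


def parse_netstat(text: str) -> set[Sock]:
    """Return the listening TCP sockets and all UDP sockets found in the text."""
    socks: set[Sock] = set()
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 2 or parts[0].lower() not in ("tcp", "tcp6", "udp", "udp6"):
            continue
        proto = parts[0].lower()[:3]
        # Established/TIME_WAIT TCP rows are connections, not listeners.
        if proto == "tcp" and not any(p.startswith("LISTEN") for p in parts):
            continue
        # Linux inserts Recv-Q/Send-Q counters before the address; take the first
        # field that looks like addr:port, which is always the local side.
        for field in parts[1:]:
            m = _LOCAL.match(field)
            if m:
                socks.add(Sock(proto, m.group("v6") or m.group("v4"), int(m.group("port"))))
                break
    return socks


def check_binding(settings: dict, socks: set[Sock]) -> list[str]:
    """List every way the observed sockets violate the bind/primaryPort intent."""
    problems: list[str] = []
    port = settings.get("primaryPort", 9993)
    bind = settings.get("bind") or []
    # Both default to true; either one legitimately opens extra random ports.
    extra_allowed = settings.get("allowSecondaryPort", True) or settings.get("portMappingEnabled", True)
    for ip in bind:
        for proto in ("tcp", "udp"):
            if Sock(proto, ip, port) not in socks:
                problems.append(f"{proto} {ip}:{port} missing: bind address not listening on primaryPort")
    if bind:
        for s in sorted(socks, key=lambda k: (k.proto, k.addr, k.port)):
            if s.addr in LOOPBACK:
                continue
            if s.addr not in bind:
                problems.append(f"{s.proto} {s.addr}:{s.port} open on an address outside the bind list")
            elif s.port != port and not extra_allowed:
                problems.append(f"{s.proto} {s.addr}:{s.port} random port although secondary/mapped ports are disabled")
    return problems


def audit(local_conf: str, netstat_text: str) -> list[str]:
    """local.conf JSON text plus netstat text in, findings out."""
    return check_binding(json.loads(local_conf)["settings"], parse_netstat(netstat_text))


# Constructed samples modelled on the thread: Windows before and after the fix.
WIN_CONF = '{"settings":{"primaryPort":9993,"allowSecondaryPort":false,"portMappingEnabled":false,"bind":["192.168.1.105"]}}'
WIN_BROKEN = """TCP 127.0.0.1:9993 0.0.0.0:0 LISTENING
TCP [::1]:9993 [::]:0 LISTENING
"""
WIN_FIXED = """TCP 127.0.0.1:9993 0.0.0.0:0 LISTENING
TCP 192.168.1.105:9993 0.0.0.0:0 LISTENING
TCP [::1]:9993 [::]:0 LISTENING
UDP 192.168.1.105:9993 *:*
"""
# Constructed Linux sample: only random secondary ports sit on the bind address.
LINUX_CONF = '{"settings":{"bind":["192.168.0.123"],"allowSecondaryPort":false,"portMappingEnabled":false}}'
LINUX_OUT = """tcp 0 0 192.168.0.123:42331 0.0.0.0:* LISTEN 373/zerotier-one
tcp 0 0 localhost:9993 0.0.0.0:* LISTEN 373/zerotier-one
tcp 0 0 localhost:9993 :::* LISTEN 373/zerotier-one
udp 0 0 192.168.0.123:45800 0.0.0.0:* 373/zerotier-one
"""

if __name__ == "__main__":
    for name, conf, out in (("windows-broken", WIN_CONF, WIN_BROKEN),
                            ("windows-fixed", WIN_CONF, WIN_FIXED),
                            ("linux", LINUX_CONF, LINUX_OUT)):
        findings = audit(conf, out)
        print(name + ":", "OK" if not findings else "")
        for f in findings:
            print("  -", f)
```

Run against the pre-fix Windows output it reports the two missing `192.168.1.105:9993` listeners; against the dev-branch output it reports nothing; against the Linux sample it flags both the missing primary-port listeners and the two random ports that the disabled options should have suppressed. Feed it the real `netstat` output after a service restart to confirm a build or config change without reading the columns by hand.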