DEV Community: ZeroTier

Introducing ZeroTier Webhooks

joy larkin — Thu, 02 Nov 2023 20:30:30 +0000

We have a special treat for all of the network administrators out there for Halloween this year: Webhooks!

Now our paid customers can receive notifications from ZeroTier Central in the form of a webhook for many actions performed on our UI and/or API so you can log or react to things happening in your ZeroTier networks. Actions that will call out to webhooks include:

A new machine joins a network
An administrator authorizes or deauthorizes a network member
An administrator changes the network configuration
An administrator changes a member configuration
An administrator creates or deletes a network
An administrator deletes a member
A new user is invited to, removed from, or accepts/rejects an invite to join your organization.
A user performs an SSO login to your network

This new feature requires some initial work on your end to set up an endpoint to receive hooks from us. Read on for more details.

Configuring Webhooks

There’s a new spot for paid accounts on the ZeroTier Central account page to configure webhooks.

The Endpoint URL field is the URL to your hook receiver where we will send the requests. This URL must be accessible from the internet and should preferably be secured with https. The description is optional. Event Types lets you select which event(s) you want to receive callbacks for. You can also configure multiple webhook receivers, each with their own list of events to receive.

Standing Up a Webhook Receiver

If you just want to test things out and see how they work, you can test things with Zapier. For example, if you want to receive an email every time a new member tries to join your network you can configure the “Webhooks by Zapier” action to receive the webhook.

Make sure you select “Catch Raw Hook” as the event so you have access to the POST body in the next step of the workflow

Next add a “Send Outbound Email” step with your email address and attach the Raw Body output of the previous step to the email body.

Finally, make sure to grab the webhook URL that Zapier generates for you. On your account page on ZeroTier Central, create a new webhook and paste that for your hook URL and select “Network Join” as the event type. Save and publish your webhook configuration and Zapier workflow, and you’ll now receive an email every time a new member tries to join your networks!

Something A Little More Advanced

Zapier is nice for getting something going quickly, but you may already have existing systems you want to integrate with. We’re giving you some additional tools to do just that.

First is a Go library released under the Mozilla Public License Version 2.0 with structs for deserializing the hook into easier objects to work with, and also validating hook calls. We’ve also provided a simple example to get you started with the Go library.

There is also a TypeScript library for validating hooks.

Verifying Your Webhooks

Hooks are great and all, but since the endpoint calling out to is public, you need a way to make sure the calls to it are actually from us, and not some random person/bot on the internet trying to fool you. We’ve added Webhook Signing Secrets for just that purpose.

Once you generate a secret, all outgoing calls to your webhook endpoint will be signed with that secret in the X-ZTC-Signature HTTP header. Examples are given in the repositories for both the Go and TypeScript libraries, as well as on our documentation site.

You can have multiple signing secrets active at the same time to give you time to rotate your webhook receivers. When multiple secrets are present, the hook will be signed by all active secrets.

Let Us Know What You Think

Talk with us on Mastodon or The Site Formerly Known as Twitter and let us know what you think. Have any issues with the libraries? Open an issue and let us know. Feeling extra ambitious and want to add another language? Open a Pull Request! Make something really cool with this feature? Show us!

We hope these webhooks will give you a new tool in your tool box for managing your ZeroTier networks.

Happy Halloween from the ZeroTier team!

The ZeroTier DNS Story

joy larkin — Mon, 11 Apr 2022 19:32:34 +0000

Let’s start with the basics, a summary of what is in this post:

How to enable DNS in ZeroTier, and what it gets you…
ZeroNSD — the flagship DNS implementation for ZeroTier — version 0.4.2 is out, with tons of new features, which we’ll talk about below. We’ll cover the differences from the 0.1 series forward.
zerotier-systemd-manager is here to make your lives easier on Linux with split-horizon DNS, which ZeroTier needs to behave like an adult on your device. We’ll cover setup and how it works under the hood.
If you don’t have or can’t use systemd, you’re good if you’re on OS X or Windows. Otherwise, you may want to consider the polyresolver project which works a lot like systemd-resolved. We’ll cover setup of polyresolver in those situations.
Finally, some thanks to the community who has made this possible, notably Benjamin Fry and the trust-dns team, what most of this work is based on. And rust, of course.

But most importantly, I’d like to thank the rest of the team at ZeroTier for being so generous with time allocation and understanding as this project has matured. Proper DNS support has been nearly a year in the making at ZeroTier at this point, and without that, it probably would have failed miserably.

Why DNS?

So some of you who have been using ZeroTier for a while may be wondering “why bother with DNS?”. This part isn’t for the rest of you.

Notably, DNS enables portable names for your addresses. While ZeroTier has the notion of identities that are independent from IP addresses, the IP stack must still be traversed for you to reach your host, and that means using an address. ZeroNSD enables floating and re-assignable IP addresses within 30 seconds or less from IP change, so if you do need to change things, you won’t break everyone.

Additionally, TLS certs are extremely dependent on DNS, something that will become more and more crucial in a world full of security issues — ones that ZeroTier is designed to prevent, but alas, cannot mitigate completely by itself.

How to enable DNS in ZeroTier

For GUI users, the solution is as simple as checking the “Allow DNS” flag in ZeroTier’s GUI:

For OS X and Windows CLI users, you must set the allowDNS flag to true in the CLI.

$ zerotier-cli set <network id> allowDNS=true

If you see a bunch of JSON output, you’ve done the right thing.

You must rejoin your network for changes to take effect (leave then join).

For Linux users, we provide zerotier-systemd-manager which just needs to be installed to work in most instances. See how to do more with it in further sections below.

Serving DNS over ZeroTier

Fundamentally, ZeroTier just provides an IP and you can run any DNS server against it by listening on its IP address(es). Nothing is keeping you from running BIND9 or Unbound against a ZeroTier network.

However, this way you’re stuck editing DNS names in one spot and configuring ZeroTier IP infrastructure at another. ZeroNSD syncs your ZeroTier node names in ZeroTier Central as DNS names in the service so they can be resolved by your DNS resolver. This allows for a one-stop place to edit all the infrastructure on your ZeroTier network. ZeroNSD relies on the trust-dns framework of libraries to provide DNS instead of rolling its own implementation, allowing for maximum robustness when it comes to your DNS needs.

What’s happened to ZeroNSD since 0.1.0?

Our last blog post on ZeroNSD was posted almost a year ago, promoting it in alpha. A lot has happened since then!

PTR record support for IPv6.
Easier methods of supervision (zeronsd supervise); supports systemd and OS X.
Better docker support.
Good support for Alpine, Windows, and Homebrew (OS X).
RFC4193 & 6Plane support.
Wildcard domains support.
Robust Logging with levels.
Robust Testing Framework.
Name coercion: if you have a non-DNS name in the names field in Central, it’ll be transformed into a DNS name (like Mac OS).
Can be embedded as a rust library.
Multiple Listening Addresses if the ZeroTier instances is assigned more than one.
IPv6 listener support.
Firewall Punching for Windows (installer-only).
Better support for forwarding records to an upstream DNS provider in situations where the TLD does not match.
Configuration files instead of just CLI arguments.
Using the DNS-standard home.arpa. as the default domain.
DNS-over-TLS support!

We use it internally, I use it at home for my family to make life easier for them to get at zerotier-enabled services I run in the home. We have many other users contributing to the project through bug reports and patches. If you were on the fence about its stability, you should give it a shot.

Getting AllowDNS on Linux – zerotier-systemd-manager

If you’re a Linux user, you may have noticed that the allowDNS flag doesn’t do much on it. This is because Linux doesn’t have a canonical way of doing split-horizon DNS, or the notion that some domains will direct to some nameservers, and other domains to other nameservers. zerotier-systemd-manager enables this by injecting a small systemd timer that runs a program that populates /etc/systemd/network.d with configuration that points your ZeroTier configured domains to the DNS server of choice.

Note, that you do not need to use ZeroNSD to leverage zerotier-systemd-manager, just a DNS server that’s populated in the ZeroTier Central UI.

Don’t have systemd, OS X, or Windows?

If you don’t have systemd, OS X, or Windows, you have two (major) options for split-horizon DNS at the client:

You can direct everything at ZeroNSD — it will act as a backup forwarding plane for your root-level DNS server in a pinch.
Try the polyresolver project, a new project to provide systemd-resolved functionality without systemd. Just point /etc/resolv.conf at it and add configuration files to a directory as your system brings interfaces up.

Some final words

Thanks to all of those who made this project possible.

ZeroTier Technical Talks at Networking Field Day 27

joy larkin — Wed, 09 Feb 2022 20:50:32 +0000

On January 27, 2022, Founder Adam Ierymenko gave a technical talk about the high-level concepts behind ZeroTier networking at NFD27. Here are the official videos from the three-part presentation.

...

⏁ Part I: ZeroTier The Planetary Data Center

What is a planetary data center? Is ZeroTier a VPN, an SD-WAN, or a network overlay? What are ZT’s main features, integrations, and use cases? Is ZeroTier Zero Trust?
https://www.youtube.com/watch?v=T2BbrqpnMAE

⏁ Part II: ZeroTier Networking Demo

Telnet, ping, network traffic sniffing, using mDNS/Avahi, accessing a Cockroach DB cluster, playing Hunt the Wumpus. Yes, these are all things you can do with ZeroTier.
https://www.youtube.com/watch?v=iAITDB24KKg

⏁ Part III: ZeroTier Technical Deep Dive

Learn how ZeroTier’s layered architecture approach enables both a “Planetary Wire Closet” and “Secure Wide Area VLANs” all in one robust networking service.
https://www.youtube.com/watch?v=VhQ30bVF3_s

......

ZeroTier Central now integrates with HashiCorp Terraform

joy larkin — Wed, 20 Oct 2021 18:23:11 +0000

Configure multi-cloud zero trust network access for up to 9 different cloud providers with our quickstart guide.

Learn more: https://www.zerotier.com/2021/10/14/zerotier-central-now-integrates-with-hashicorp-terraform/

ZeroTier makes running private cloud storage more accessible and easier to use

joy larkin — Wed, 28 Jul 2021 21:42:13 +0000

Today we’re going to replace our cloud storage on our mobile and desktop devices with Seafile, inside of docker-compose, to run at home.