ZeroTier Principles and Practice
Preface
Given the scarcity of online information on this topic, I often found myself confused while using it, so I’m documenting my experience for future reference. The ZeroTier Protocol Specification, referred to below as the Specification, is currently (as of the writing date 2024/04/11) at version 1. Version 2 is said to involve major changes but has been promised for four years without release. Since this is network infrastructure, it should maintain backward compatibility. Therefore, the information provided here should remain largely valid in the long term, but details should be verified against the current version.
What is a Planet
To achieve this VL1 is organized like DNS. At the base of the network is a collection of always-present root servers whose role is similar to that of DNS root name servers. Roots run the same software as regular endpoints but reside at fast stable locations on the network and are designated as such by a world definition. World definitions come in two forms: the planet and one or more moons. The protocol includes a secure mechanism allowing world definitions to be updated in-band if root servers’ IP addresses or ZeroTier addresses change.
There is only one planet. Earth’s root servers are operated by ZeroTier, Inc. as a free service. There are currently four root servers distributed across the globe and multiple network providers. Almost everyone in the world has one within less than 100ms network latency from their location.
I actually think the “Planet” in ZeroTier is very, very similar to the global root servers in the movie “The Wandering Earth.”
In the ZeroTier world, everything revolves around the central Planet, which can be understood as the root servers in DNS (they indeed refer to them as such, calling them RootServers in the specification). All nodes attempt to connect to the Planet upon going online to obtain information about other nodes. The officially provided Planet servers are free.
The functions of a Planet include recording all online node network information (remember this), recording the keys used for node interconnection and providing exchange services, and acting as a relay when nodes cannot directly connect to each other.
ZeroTier, Inc. only charges for the web-based Controller service (my.zerotier.com). The 25-device limit imposed there can be bypassed by setting up our own Controller. However, a self-hosted Controller lacks features like SSO and Ruler.
When ZeroTier starts for the first time, it obtains all necessary connection information from the Planet. It first tries to locate Moon information (if configured) via ID and caches it. If it cannot connect to the Planet, it will connect to the cached Moon.
What is a Moon
The relationship between a Planet and a Moon can be understood as the Moon being a privately established set of Root Servers. Its functions are fundamentally identical to those of a Planet.
If you choose to set up your own Moon server, for stability, the official recommendation is that the Moon server should not take on other network functions (like acting as a LEAF, etc.). This means that as long as you know someone else’s Moon server ID, you can directly join it without needing their approval.
How to Join a Moon
Link Layer Structure
The ZeroTier link layer is divided into VL1 and VL2.
VL1 is called the peer-to-peer network, used only to connect to the infrastructure Planets and Moons to obtain network configuration. In most cases, it requires zero configuration and needs no attention.
VL2 is called the Ethernet Virtual Layer, which is the network you create yourself through my.zerotier.com or a self-built Controller.
Planets/Moons are facilities in the ZeroTier VL1 layer, primarily used to assist in establishing connections between Peers. Controllers are facilities in the VL2 layer, mainly used to store virtual network configurations. A device in a virtual network must first connect to VL1 to communicate with the Controller, and only then can it join a virtual network in VL2.
Node Types
After executing zerotier-cli peers, you can see the type of each node within the <role> field, which refers to their role in the VL1 layer. The types include LEAF, PLANET, and MOON.
LEAF is a normal node. Generally, your device becomes a LEAF once connected.
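As an added example (not code from the original post), the Python below parses the text output of zerotier-cli peers, counts peers by their VL1 role, lists LEAF peers whose link is RELAY (their packets transit a root instead of a direct path) and checks that at least one Planet or Moon is directly reachable. The sample output is constructed, and the column layout assumed here is the CLI's text format as I know it.

```python
from collections import Counter
from dataclasses import dataclass
from typing import Dict, List, Optional

# Constructed sample of `zerotier-cli peers` output (made-up addresses, documentation-range IPs).
SAMPLE_PEERS = """\
200 peers
<ztaddr>   <ver>  <role> <lat> <link>   <lastTX> <lastRX> <path>
62f865ae71 -      PLANET      8 DIRECT  1709     1709     203.0.113.10/9993
778cde7190 -      PLANET    143 DIRECT  1709     1602     203.0.113.20/9993
a1b2c3d4e5 1.12.2 MOON       21 DIRECT  3003     3001     198.51.100.7/9993
b4c5d6e7f8 1.12.2 LEAF        3 DIRECT  44       44       192.0.2.20/9993
c5d6e7f8a9 1.10.6 LEAF        - RELAY
"""

@dataclass
class Peer:
    address: str               # 10 hex digit ZeroTier address
    version: Optional[str]     # None when the CLI prints "-"
    role: str                  # LEAF, MOON or PLANET (the VL1 role)
    latency_ms: Optional[int]  # None for relayed peers
    link: str                  # DIRECT or RELAY
    path: Optional[str]        # physical ip/port, only shown for DIRECT links

def parse_peers(text: str) -> List[Peer]:
    peers = []
    for line in text.splitlines():
        f = line.split()
        if len(f) < 5 or f[0] == "200" or f[0].startswith("<"):
            continue  # status line, column header or blank line
        peers.append(Peer(
            address=f[0],
            version=None if f[1] == "-" else f[1],
            role=f[2],
            latency_ms=None if f[3] == "-" else int(f[3]),
            link=f[4],
            path=f[7] if f[4] == "DIRECT" and len(f) >= 8 else None,
        ))
    return peers

def role_counts(peers: List[Peer]) -> Dict[str, int]:
    return dict(Counter(p.role for p in peers))

def relayed_leaves(peers: List[Peer]) -> List[str]:
    """LEAF peers with no direct path: their packets transit a root server."""
    return [p.address for p in peers if p.role == "LEAF" and p.link == "RELAY"]

def has_direct_root(peers: List[Peer]) -> bool:
    """False means no Planet or Moon is directly reachable; expect config failures."""
    return any(p.role in ("PLANET", "MOON") and p.link == "DIRECT" for p in peers)
```

Relayed leaves are the peers to investigate when latency is high or when a root outage would cut them off; a False from has_direct_root is the VL1 symptom behind a node stuck requesting configuration.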
Controller
The Controller is located within the VL2 layer of the link layer. In VL1, it is a special type of LEAF.
If you want to join a network, or connect to other nodes on that network, you first need to connect to the Controller corresponding to that network.
If you cannot connect to the Controller, the status will persistently show as “Request Configure” (requesting configuration).
If you have carefully read the above, you should understand that a Controller does not need a public IP address, but it requires a stable connection. For this reason, I personally run a Controller on a Moon server, although the official documentation doesn’t recommend this.
ZeroTier officially provides methods for setting up a Controller, but their method uses command-line instructions. Someone has already created a GUI wrapper for it, called ztncui.
Setting up ztncui
https://key-networks.com/ztncui/
It is best not to access the Controller you built over the ZeroTier network itself: if that network breaks, you lose access to the very tool you need to repair it. I recommend exposing it through a Cloudflare Tunnel instead, which also lets you put two-factor authentication in front of it for added security.
By default, ztncui uses the HTTPS protocol, not HTTP, with a self-signed certificate. When using Cloudflare Tunnel to map it to a domain name for access, you need to enable the option in Cloudflare to allow unverified certificates (as the Tunnel by default does not accept self-signed certificates) for normal access.
Here are some useful quick scripts.
Quick Commands to Set Up a Moon