Feature #9238

open

Add support for Zerotier

Added by Corey Boyle almost 3 years ago. Updated 7 months ago.

Status: New
Priority: Normal
Assignee: -
Category: New Package Request
Target version: -
Start date: 12/30/2018
Due date:
% Done: 0%
Estimated time:
Plus Target Version:

Description

Adding support for ZeroTier with its multi-path feature would give pfS a better position in the SD-WAN market.

Actions #1

Updated by Corey Boyle almost 3 years ago

Excerpt from https://zerotier.com/blog/2018-05-04-128.shtml

1.4.0 should be our next major release. It includes support for multiple concurrent physical network paths
(discovered automatically in most cases) with load balancing and much faster handling of path failures.
This is step one toward "SD-WAN" features, bringing us closer to our goal of a converged
VPN/SDN/SD-WAN/P2P solution. After automatic path bonding and fast fail-over we will be introducing
support for QoS (quality of service) rules and very likely a plugin architecture for packet classification.

Actions #2

Updated by Corey Boyle almost 3 years ago

Minimal functionality required would be joining and leaving networks. The controller service is not necessary as that can be done elsewhere on a cheap VPS.

Actions #3

Updated by Jim Pingle over 2 years ago

  • Target version changed from 48 to 2.5.0

Actions #4

Updated by Corey Boyle over 2 years ago

The integration could be very similar to OpenVPN. An OpenVPN client or server shows up as a virtual NIC, the same way a ZT network does. ZT virtual NICs could then be assigned to pfS interfaces for firewall purposes.

Actions #5

Updated by Christian McDonald over 2 years ago

Seconding this request!

It seems Corey and ChanceM have already done most of the heavy lifting:

Ref: https://github.com/ChanceM/pfSense-pkg-zerotier
Ref2: https://github.com/coreybrett/pfSense-pkg-zerotier/

Actions #6

Updated by Corey Boyle over 2 years ago

I don't think my code would be of much use, I was just trying to get the package to work with the latest pfS version. ChanceM did the hard part. For the core pfS team, this would probably be trivial to get done.

Actions #7

Updated by Deon George over 2 years ago

I think it would be pretty awesome if PF supported this. ZT is a great and simple way of securing devices in a virtual network.

Actions #8

Updated by Jim Pingle over 2 years ago

  • Project changed from pfSense to pfSense Packages
  • Category set to New Package Request
  • Target version deleted (2.5.0)

Actions #9

Updated by Gregory Moore almost 2 years ago

Package has been updated to run on 2.4.4-RELEASE-p3. Still some work to be done on setting up the interfaces, right now it has to be done manually. Controller functionality needs to be redone as the API changed/never was complete.

Actions #10

Updated by Val Schmidt 10 months ago

+1 for this feature!!!

Actions #11

Updated by Corey Boyle 9 months ago

@Netgate - Any chance this could be added to 2.5?

Actions #12

Updated by Amy Nagle 7 months ago

Just a warning to anyone doing an update from 2.4 to 2.5: make sure you don't have an interface assigned to any zerotier network at the time you do the update. The update process removed the pfSense-pkg-zerotier package, which led to it getting stuck at boot. I had to connect to the console, boot pfSense into single-user mode, and edit /cf/conf/config.xml to remove the interface manually. It will look something like the snippet below. Just remove the entire <optX>...</optX> section, save, and reboot.

<opt6>
    <descr><![CDATA[ZEROTIER]]></descr>
    <if>ztXXXXXXXXXXX</if>
    <spoofmac></spoofmac>
    <enable></enable>
</opt6>
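
A read-only pre-upgrade check for the situation described in the comment above, added here as an example (it is not part of the thread or of the pfSense-pkg-zerotier package): it lists every interface section in a copy of config.xml whose device name starts with `zt`. The `<pfsense><interfaces>` and `<filter><rule><interface>` layout in the sample, and the function name, are assumptions of this example; the sample document is constructed.

```python
import xml.etree.ElementTree as ET

# Constructed sample; the <opt6> stanza mirrors the snippet in the comment above.
SAMPLE_CONFIG = """<pfsense>
  <interfaces>
    <wan><if>em0</if><descr><![CDATA[WAN]]></descr><enable></enable></wan>
    <opt6>
      <descr><![CDATA[ZEROTIER]]></descr>
      <if>ztXXXXXXXXXXX</if>
      <spoofmac></spoofmac>
      <enable></enable>
    </opt6>
  </interfaces>
  <filter>
    <rule><type>pass</type><interface>opt6</interface></rule>
    <rule><type>pass</type><interface>wan</interface></rule>
  </filter>
</pfsense>"""


def find_zt_assignments(config_xml, prefix="zt"):
    """Return one dict per interface section bound to a zt* device."""
    root = ET.fromstring(config_xml)
    interfaces = root.find("interfaces")
    if interfaces is None:
        return []
    inside = set(interfaces.iter())  # elements belonging to <interfaces> itself
    hits = []
    for section in interfaces:
        device = (section.findtext("if") or "").strip()
        if not device.startswith(prefix):
            continue
        # Elements elsewhere whose text is exactly the section name (e.g. a
        # rule's <interface>opt6</interface>) would be left dangling if the
        # stanza were removed by hand.
        refs = sum(1 for el in root.iter()
                   if el not in inside and (el.text or "").strip() == section.tag)
        hits.append({"section": section.tag, "device": device,
                     "descr": (section.findtext("descr") or "").strip(),
                     "enabled": section.find("enable") is not None,
                     "references": refs})
    return hits


if __name__ == "__main__":
    for hit in find_zt_assignments(SAMPLE_CONFIG):
        print("{section}: {device} ({descr}), enabled={enabled}, "
              "referenced elsewhere {references}x".format(**hit))
```

Run it against a backup copy of config.xml before upgrading; an empty result means no interface is assigned to a ZeroTier device.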

Actions #13

Updated by Gregory Moore 7 months ago

Amy Nagle wrote:

Just a warning to anyone doing an update from 2.4 to 2.5: make sure you don't have an interface assigned to any zerotier network at the time you do the update. The update process removed the pfSense-pkg-zerotier package, which led to it getting stuck at boot. I had to connect to the console, boot pfSense into single-user mode, and edit /cf/conf/config.xml to remove the interface manually. It will look something like the snippet below. Just remove the entire <optX>...</optX> section, save, and reboot.

[...]

I would suspect it removed the zerotier package because there was a version upgrade to the base BSD, which would result in an interface mismatch. Removal of just the pfSense-pkg-zerotier by itself wouldn't cause this as the interfaces would still come up if zerotier was still installed.

Actions #14

Updated by Amy Nagle 7 months ago

The pfSense-pkg-zerotier package's uninstall action removes zerotier from the rc.conf.local, so it won't start automatically anymore (see here: https://github.com/ChanceM/pfSense-pkg-zerotier/blob/master/files/usr/local/pkg/zerotier.inc#L66).

Surprisingly, the zerotier package itself wasn't removed and still worked just fine after reinstalling the updated pfSense-pkg-zerotier package. I did, however, update it to the newest version just to limit any potential future issues.

Actions #15

Updated by Gregory Moore 7 months ago

Amy Nagle wrote:

The pfSense-pkg-zerotier package's uninstall action removes zerotier from the rc.conf.local, so it won't start automatically anymore (see here: https://github.com/ChanceM/pfSense-pkg-zerotier/blob/master/files/usr/local/pkg/zerotier.inc#L66).

Surprisingly, the zerotier package itself wasn't removed and still worked just fine after reinstalling the updated pfSense-pkg-zerotier package. I did, however, update it to the newest version just to limit any potential future issues.

Ah, you're right. Not exactly sure how to handle that one, I guess I assumed if you were going to uninstall the package you wouldn't want zerotier to start. I think the best way to solve it would be to see if I can remove the zt interfaces on uninstall as removing the dependent package would still cause this issue.
