319 points SpaghettiX | 24 comments
1. password4321 No.30284754
> Question: do you use a different tool which require no maintenance or cost to run?

Answer: ZeroTier -- on Mac, Linux (home & cloud), Windows, Android

I actually set up DNS entries resolving to private IPs as configured in ZeroTier so I didn't have to log in to dig them up, but my default DNS provider won't resolve them. I guess newer ZeroTier versions optionally have DNS covered these days but I haven't looked into it.

IIRC, I tried both ZeroTier and Tailscale but at the time Tailscale did not yet have a simple setup to run as an unattended Windows service (and still does not have the equivalent for Mac). Being able to access a machine without staying logged in was table stakes so I decided Tailscale needed more time to bake.

Downsides I'm aware of:

- Less attention to their encryption implementation than the current hotness (WireGuard).

- Did not work with minimal effort from the local public library.

- Mac Activity Monitor shows unexpectedly high amounts of traffic even though I use it very rarely; it's not clear what's going on within that network. As in, currently hundreds of MB that I can't think why would have passed through.

- It's 50 hosts + 1 admin per network for free, unlimited networks (unless you set up your own "controller"/proxy).

Re: access control brought up in another comment contrasting exposing only SSH vs. VPN connections, ZeroTier includes some off-puttingly complex access control configuration mechanism I will probably never look into.

Hope this detailed anecdata helps someone, I'm glad to be in a position to try to give back to the community by sharing my experience. Any other ZeroTier gotchas would be appreciated in case I have to dodge something in the future. I debated setting it up as permanent "route-all-internet-access-back-through-home-internet" VPN on my phone but was scared off by the complexity of setting up routing/bridging on the endpoint at home.

replies(7): >>30284832 #>>30285159 #>>30285248 #>>30285633 #>>30286386 #>>30286831 #>>30288186 #
2. viraptor No.30284832
Same, zerotier on everything. Router, laptops, servers, phone. It makes things very easy to connect without public addresses.
replies(2): >>30285877 #>>30286163 #
3. hawski No.30285159
I use ZeroTier, but only with Linux boxes (also used on a Mac when I had one), so instead of DNS I use nss-mdns and avahi. It is enough to install and it just works - computers are available under $HOSTNAME.local.
4. api No.30285248
The crypto part of ZeroTier is getting some love soon but we are taking our time to get it right and get peer review. Implementing ideas from WireGuard and Signal.

Also the pricing is for our controller SaaS. If you want to self host controllers you can for free. There is a free community developed control panel somewhere.

replies(2): >>30285275 #>>30292115 #
5. password4321 No.30285275
Managing expectations re:v2 is not going well for me. I wasn't really aware WireGuard-ish crypto improvements were happening (hire the personalities™ freelance ASAP or at least for review), and timeline is basically a punchline at this point... I recommend just owning both (edit: start today!) as 'when it's finished' on the front page if you want to appeal to techs.

I updated re:free, thanks.

There appear to be two (Node.js/GPL3) control panels: https://github.com/key-networks/ztncui and https://github.com/dec0dOS/zero-ui

replies(1): >>30285975 #
6. zikduruqe No.30285633
> Question: do you use a different tool which require no maintenance or cost to run?

I run Wireguard, Tailscale and Yggdrasil on my home network.

7. carlhjerpe No.30285877
I want to love ZeroTier, but after wanting to contribute and reading some code I decided I'd rather use another VPN tech. Not saying it isn't good, but it was very incomprehensible and didn't look modern and nice, which the product should be.
replies(1): >>30286596 #
8. api No.30285975{3}
Managing expectations re:v2 has been a total failure on our part. We put far too many things in one basket. But the work is still happening.

Learning moment for us: don't give timelines and don't reveal too much. Just say "when it's finished." Only Elon Musk can use Elon Time(tm). :)

Edit: we also promised some things that are just brutally hard, like fully decentralizing the root backplane via full data set replication. We are still working on that but it proved tougher than we originally thought, especially in light of scaling needs and security concerns. Some interesting technology in development but still in private repos.

Our competition just builds SaaS with a single controller run by a single entity. That's easy. We make it hard on ourselves by trying to keep going on the decentralization and control your own security boundary mission. Part of why everything is getting centralized into silos is that that's just so easy to engineer.

replies(1): >>30288468 #
9. neurostimulant No.30286163
Which router support ZeroTier? Or are you using a custom router firmware?
10. neurostimulant No.30286386
I have also been using ZeroTier for a few years now. Very useful. Unfortunately my current ISP uses NAT instead of giving its subscribers routable IP addresses. This means ZeroTier reverts to using an external relay when accessing my machine from outside, which is very slow and has very high latency from my country.

So in addition to ZeroTier, I use AutoSSH [1] to set up and maintain a persistent SSH tunnel on a high port on my VPS. It's a lot faster than ZeroTier's relay because the VPS is in a neighboring city instead of in another country. It's pretty reliable too, automatically reconnecting when the tunnel is down. I'm still using ZeroTier as a backup connection though.

Simply use `autossh -M 0 -o "ServerAliveInterval 30" -o "ServerAliveCountMax 3" -v -N -R 22222:localhost:22 user@my-vps-domain` to forward port 22222 on your VPS to your local machine. I also configured a supervisord instance to automatically start it on my machine so it's always running.

[1] https://linux.die.net/man/1/autossh

replies(2): >>30294210 #>>30329003 #
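The reverse-tunnel setup described in the comment above, written out as an added example (it is not the commenter's configuration, and the VPS host `my-vps-domain`, login `tunnel`, key path `~/.ssh/tunnel_ed25519` and port 22222 are assumed). It builds the autossh command line with the options that matter when the tunnel is the fallback path to a box behind carrier NAT, the restricted `authorized_keys` entry for the VPS side (the `permitlisten` option needs OpenSSH 7.8 or later), and the supervisord stanza that keeps it running:

```shell
#!/bin/sh
# Added example, not the commenter's own config. Assumed values:
# VPS host "my-vps-domain", VPS login "tunnel", key ~/.ssh/tunnel_ed25519,
# remote listen port 22222 forwarded to local sshd on 22.
VPS_HOST="my-vps-domain"
VPS_USER="tunnel"
KEY="$HOME/.ssh/tunnel_ed25519"
REMOTE_PORT=22222
LOCAL_SSH_PORT=22

# Client side: the autossh command line.
#  -M 0                     rely on ssh's own ServerAlive keepalives instead of
#                           autossh's extra echo port
#  ExitOnForwardFailure=yes if 22222 is still held by a half-dead session on
#                           the VPS, ssh exits and autossh retries, instead of
#                           staying "up" with no forward at all
#  BatchMode=yes            never hang on a password/passphrase prompt when
#                           started unattended
#  -R 127.0.0.1:22222:...   bind only to the VPS loopback, so reaching the
#                           home box still requires a login on the VPS first
build_autossh_cmd() {
    opts="-M 0 -N -o ServerAliveInterval=30 -o ServerAliveCountMax=3"
    opts="$opts -o ExitOnForwardFailure=yes -o BatchMode=yes"
    opts="$opts -o StrictHostKeyChecking=yes"
    printf '%s' "autossh $opts -i $KEY -R 127.0.0.1:$REMOTE_PORT:localhost:$LOCAL_SSH_PORT $VPS_USER@$VPS_HOST"
}

# VPS side: authorized_keys entry for the tunnel key. "restrict" disables
# pty, agent/X11 forwarding and all port forwarding; "port-forwarding" turns
# forwarding back on and "permitlisten" limits it to exactly the one remote
# listener this tunnel needs, so a stolen tunnel key cannot open arbitrary
# forwards on the VPS.
authorized_keys_line() {
    pubkey="$1"
    printf 'restrict,port-forwarding,permitlisten="127.0.0.1:%s" %s\n' \
        "$REMOTE_PORT" "$pubkey"
}

# Home side: supervisord program stanza. AUTOSSH_GATETIME=0 makes autossh keep
# retrying even when the very first connection attempt fails (e.g. at boot,
# before the network is up) instead of giving up.
supervisord_stanza() {
    cat <<EOF
[program:vps-tunnel]
command=$(build_autossh_cmd)
autostart=true
autorestart=true
startsecs=10
environment=AUTOSSH_GATETIME="0"
EOF
}

# Stand-alone run: print the stanza you would drop into /etc/supervisor/conf.d/.
supervisord_stanza
```

On the VPS, `ss -ltnp | grep 22222` confirms the listener is up and bound to 127.0.0.1 only; from the VPS you then reach home with `ssh -p 22222 user@127.0.0.1`. The tunnel turns the VPS into a hop onto the home machine, so anyone with a shell on the VPS can reach home sshd: keep password authentication off on the home box and treat the VPS login as part of the trust boundary.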
11. password4321 No.30286596{3}
Thanks for sharing this insight, it's good to have even an inkling of how the sausage is made.
12. artificialLimbs No.30286831
I tried using Zerotier a few years ago for personal devices/homenet (~10ish devices) and it frequently dropped/disconnected to the point I uninstalled. The Windows client was buggy/quirky and would get into a weird state where I couldn't click on a network to connect/disconnect properly and the app would have to be closed and client restarted before it would work properly again.

I've since set up WireGuard and use nginx as a reverse proxy and haven't looked back. This has been rock solid, set and forget.

13. mobilio No.30288186
Another ZeroTier user. Runs on a few devices flawlessly.
14. anderspitman No.30288468{4}
FWIW your "decentralize until it hurts, then centralize until it works" is one of my favorite slogans, and I appreciate y'all making the effort.
replies(2): >>30288622 #>>30302060 #
15. api No.30288622{5}
It's nice to hear that someone cares about this. I feel like a lunatic howling at the moon. We think decentralization (actual decentralization) is a good thing, but it would be so easy to just run a cloud silo. Everything becomes totally straightforward and simple.

I also hate the way scammy cryptocurrency shonk has sucked all the air out of the room on this topic, especially since most of "web3" is not even decentralized. Most of it goes through a few companies' centralized hubs. Total hot air. I'm thinking about trying to coin a new term for actual decentralization.

replies(2): >>30290351 #>>30296237 #
16. anderspitman No.30290351{6}
It's important work. I wish we had better infrastructure for incentivizing things that are beneficial in the long term.

And don't even get me started on web3.

I went ahead and beefed up the ZT entry in the list[0] a bit.

[0]: https://github.com/anderspitman/awesome-tunneling

17. leaded_syrinx No.30292115
Please add webhooks for ZeroTier network endpoints coming online or going offline! I think some existing formal feature requests for this already exist?

Absolutely love ZeroTier!

replies(1): >>30292673 #
18. password4321 No.30292673{3}
https://github.com/zerotier/ZeroTierOne/issues/1143
19. aaaaaaaaata No.30294210
What about mosh?
replies(1): >>30301639 #
20. IggleSniggle No.30296237{6}
You might be into howling at moonshots, but when it’s dark outside you need a true luminary to reflect any light back to the rest of us. Many thanks for your continued lunacy.
21. password4321 No.30301639{3}
>> maintain a persistent ssh tunnel

SSH agent forwarding was merged 3 months ago (after the patch waited 7+ years in one form or another), but per https://unix.stackexchange.com/a/437299 and https://github.com/mobile-shell/mosh/issues/337 (2012), mosh does not yet officially support port forwarding, despite https://github.com/mobile-shell/mosh/pull/583 (2013 → 2015 → 2017). It appears the initiator of the original patch has maintained their fork: https://github.com/rinne/mosh (disclaimer: I don't use mosh and have not tried or reviewed the differences from the official version).

Perhaps https://github.com/MisterTea/EternalTerminal is a viable alternative. Per https://github.com/MisterTea/EternalTerminal/issues/473#issu..., 'Several security teams have reviewed ET.'

22. aaaaaaaaata No.30302060{5}
Make sure you pay for the product/donate!
23. kellytrinh No.30329003
Have you tried using Tailscale? It does something similar to ZeroTier and I would be interested to know if their NAT workaround is better than ZT's in your use case.
replies(1): >>30334446 #
24. neurostimulant No.30334446{3}
My issue with ZeroTier was their slow relay server, which is only used when NAT hole punching doesn't work. I got the impression that ZeroTier doesn't really seem interested in investing more in their relay servers (adding more locations and increasing capacity). Tailscale might have better relay servers, but I haven't tested it yet; I plan to test them later when I get some free time.