ztncui

ZeroTier network controller user interface

Introduction

ztncui - ZeroTier network controller user interface

ZeroTier delivers a virtual networking solution that is aptly named Global Area Networking. This enables devices to connect to one another over the Internet (and private networks) as though they were connected on the same Local Area Network (LAN). It is very simple to deploy - just install the ZeroTier One software and join a ZeroTier network using the network's 16-digit network ID.

ZeroTier networks are set up and configured on a ZeroTier network controller. You can either use the network controllers hosted by ZeroTier or set up your own standalone network controller. Setting up a standalone network controller is quite simple - just install the ZeroTier One software and follow the installation instructions below to install ztncui on a Linux machine.

Docker Container Image

The quickest and easiest way to evaluate ztncui if you know how to use Docker:

github.com/key-networks/ztncui-containerized

Source Code

ztncui is open source software, licensed under the GNU GPL version 3. The source code can be found at:

github.com/key-networks/ztncui

Installation

RPM installation on EL8/9

To install on an EL8/9 flavour of Linux, such as RedHat Enterprise Linux 8/9 or AlmaLinux 8/9, follow these steps:

  1. Install zerotier-one as per instructions here: zerotier.com/download.shtml.
  2. sudo yum install https://download.key-networks.com/el7/ztncui/1/ztncui-release-1-1.noarch.rpm -y
  3. sudo yum install ztncui -y
  4. Optional: install TLS/SSL certificate as per instructions below, or skip this step to use the default self-signed certificate.
  5. Restrict access to port 3443 on the public network interface to your IP address (at least until the admin password is set).
  6. sudo sh -c "echo ZT_TOKEN=`sudo cat /var/lib/zerotier-one/authtoken.secret` > /opt/key-networks/ztncui/.env"
  7. sudo sh -c "echo HTTPS_PORT=3443 >> /opt/key-networks/ztncui/.env"
  8. sudo sh -c "echo NODE_ENV=production >> /opt/key-networks/ztncui/.env"
  9. sudo chmod 400 /opt/key-networks/ztncui/.env
  10. sudo chown ztncui.ztncui /opt/key-networks/ztncui/.env
  11. sudo systemctl restart ztncui
  12. Connect to port 3443 over HTTPS in your web browser - e.g. https://my.network.controller:3443
  13. Log in as user admin with password password.
  14. Learn the Truth

DEB installation on Debian/Ubuntu

Systemd is a requirement for ztncui at this stage (if you need it to run on older systems with SysV init systems, please let us know via the Contact form above).

  1. Install zerotier-one as per instructions here: zerotier.com/download.shtml.
  2. curl -O https://s3-us-west-1.amazonaws.com/key-networks/deb/ztncui/1/x86_64/ztncui_0.8.14_amd64.deb
  3. sudo apt install ./ztncui_0.8.14_amd64.deb
  4. Optional: install TLS/SSL certificate as per instructions below, or skip this step to use the default self-signed certificate.
  5. Restrict access to port 3443 on the public network interface to your IP address (at least until the admin password is set).
  6. sudo sh -c "echo ZT_TOKEN=`sudo cat /var/lib/zerotier-one/authtoken.secret` > /opt/key-networks/ztncui/.env"
  7. sudo sh -c "echo HTTPS_PORT=3443 >> /opt/key-networks/ztncui/.env"
  8. sudo sh -c "echo NODE_ENV=production >> /opt/key-networks/ztncui/.env"
  9. sudo chmod 400 /opt/key-networks/ztncui/.env
  10. sudo chown ztncui.ztncui /opt/key-networks/ztncui/.env
  11. sudo systemctl restart ztncui
  12. Connect to port 3443 over HTTPS in your web browser - e.g. https://my.network.controller:3443
  13. Log in as user admin with password password.
  14. Learn the Truth

Notes

TLS/SSL Certificate

There are a few options for installing the TLS/SSL certificate so that you can access ztncui over HTTPS:

Self-signed Certificate

This is the default option - ztncui comes with a pre-generated self-signed certificate when you install it. You can use this as it is, or you can generate your own by executing the following:

sudo -i
cd /opt/key-networks/ztncui/etc/tls
rm -f privkey.pem fullchain.pem
openssl req -x509 -sha256 -nodes -days 365 -newkey rsa:2048 -keyout privkey.pem -out fullchain.pem
chown ztncui.ztncui *.pem
chmod 600 privkey.pem

Browser Warning

Note, that if you use a self-signed certificate, your web browser will give you a warning that the certificate is not trusted because it is self-signed. You can add an exception (best to make it non-permanent) so that it doesn't keep warning you every time. The process for doing this is browser dependent, so search the Internet for browser-specific instructions.

Purchase a Certificate

You may already have a certificate for a web server on the machine that you could use for ztncui, or you could purchase one from the numerous Certificate Authorities on the Internet. Once you have purchased and installed the certificate, make a soft link to the private key and full chain certificate, for example:

sudo -i
cd /opt/key-networks/ztncui/etc/tls
rm -f privkey.pem fullchain.pem
ln -s /path/to/private/key privkey.pem
ln -s /path/to/full/chain/cert fullchain.pem

where the paths to the private key and full chain certificate are substituted appropriately.

Note that ztncui runs as the user ztncui and this user needs read access to the private key.

Get a Free Certificate from Letsencrypt.org

On the network controller machine:

  1. Install certbot by following the instructions at certbot.eff.org:
    1. For "Software" select "None of the above".
    2. For "System" select your OS.
    3. Follow the instructions to install certbot on your system.
  2. Use certbot to generate a certificate in webroot mode from the root of the ztncui directory:

    sudo -i
    cd /opt/key-networks/ztncui
    certbot --webroot -w public -d [network_controller_fqdn]

    where [network_controller_fqdn] is the FQDN that resolves back to the address of the machine running the ZeroTier network controller and ztncui. Make sure that this FQDN resolves publicly since that is what letsencrypt.org uses to identify your machine and communicate with certbot.

    If certbot runs successfully, it should give you the location of your certificate, which should be something like:

    /etc/letsencrypt/live/[network_controller_fqdn]/fullchain.pem
  3. Make soft links from etc/tls to the certificate and private key under /etc/letsencrypt/live:

    sudo -i
    cd /opt/key-networks/ztncui/etc/tls
    rm -f privkey.pem fullchain.pem
    ln -s /etc/letsencrypt/live/[network_controller_fqdn]/fullchain.pem
    ln -s /etc/letsencrypt/live/[network_controller_fqdn]/privkey.pem

    Note that ztncui runs as the user ztncui and this user needs read access to the private key.

  4. Take note of the options for renewing Letsencrypt certificates and implement an appropriate strategy.

Screenshots


Please note that these screenshots are out of date - the app has moved on a bit since these were made.

ztncui front page

Front Page

The Login link is in the top right corner

ztncui login page

Login Page

Log in as user admin with password password

ztncui change password

Change Password

You will be prompted to change the default password

ztncui create user

Create User

It's a good idea to create an admin account for yourself and delete the default admin account

ztncui list users

List Admin Users

Click the trash can to delete a user

ztncui controller home page

Controller Home Page

Click the Home tab to get here

ztncui list networks

List Networks

All ZeroTier networks controlled by the network controller

ztncui create network

Create Network

Set up a new ZeroTier network

ztncui newly created network

List Newly Created Network

The newly created network will appear in the list of networks

ztncui easy setup of network - link

Easy Setup of Network - link

Click on easy setup to quickly set up an IPv4 network

ztncui easy setup of network

Easy Setup of Network

Easy network setup page for a new network

ztncui help for easy setup of network

Help for Easy Setup of Network

Click the Help link for instructions

ztncui easy setup of network - generate network address

Generate Network Address

Click the Generate network address button to generate a random 10.x.x.0/24 address and IP assignment pool

ztncui easy setup of network - submit

Network Setup Succeeded

Click Submit to apply the configuration once you are happy with the details

ztncui network members - link

Network Members - Link

Click the members link to see members of the network

ztncui no network members

No Network Members

For a new network, there will be no members - invite some users to join

ztncui members - refresh

Network Members - Refresh

Click the Refresh button to see who has joined

ztncui members - joined

Network Members - Joined

Members who have joined the network will be listed

ztncui members - named

Network Members - Named

Get users to send you their ZeroTier address so that you can ID and name them

ztncui members - authorized

Network Members - Authorized

Once you have identified a user, you can authorize them by checking the checkbox (un-checking the checkbox will de-authorize them)

ztncui members - authorized + refresh

Network Members - Refresh

Click Refresh to see the IP assignment for the user

ztncui members - ip assignment

Network Members - IP Assignment

If the user is online, you should see their IP assignment appear

ztncui members - ip assignment link

Network Members - IP Assignment Link

Click the IP address to change the IP assignment

ztncui members - ip assignment add

Network Members - IP Assignment Add

Enter an IP address within the managed route subnet listed below, then click the + icon

ztncui members - ip assignment delete

Network Members - IP Assignment Delete

Click the trash-can icon next to the automatically assigned IP address to delete it

ztncui members - ip assignment done

Network Members - IP Assignment Done

IP Assignment completed - click the Back button to return to the Members page

ztncui members

Network Members

IP assignment changed

ztncui members - active bridge

Network Members - Active Bridge

Check Active bridge to enable Ethernet bridging between virtual and physical networks

ztncui network detail - link

Network Detail - Link

Click detail to view and edit the detail of a network

ztncui network detail - 1

Network Detail - 1

Certain parameters can be modified - e.g. ipAssignmentPools

ztncui network detail - 2

Network Detail - 2

Network name and routes can also be modified

ztncui network detail - 3

Network Detail - 3

v4AssignMode and v6AssignMode can be modified

ztncui member detail - link

Member Detail - Link

Click the member's ZT address to view member detail