This document is written for a software developer audience. For information on using ZeroTier, see the: Website, Documentation Site, and Discussion Forum.

ZeroTier is a smart programmable Ethernet switch for planet Earth. It allows all networked devices, VMs, containers, and applications to communicate as if they all reside in the same physical data center or cloud region.

This is accomplished by combining a cryptographically addressed and secure peer to peer network (termed VL1) with an Ethernet emulation layer somewhat similar to VXLAN (termed VL2). Our VL2 Ethernet virtualization layer includes advanced enterprise SDN features like fine grained access control rules for network micro-segmentation and security monitoring.

All ZeroTier traffic is encrypted end-to-end using secret keys that only you control. Most traffic flows peer to peer, though we offer free (but slow) relaying for users who cannot establish peer to peer connections.

The goals and design principles of ZeroTier are inspired by, among other things, the original Google BeyondCorp paper and the Jericho Forum with its notion of "deperimeterization."

Visit ZeroTier's site for more information and pre-built binary packages. Apps for Android and iOS are available for free in the Google Play and Apple app stores.

ZeroTier is licensed under the BSL version 1.1. See LICENSE.txt and the ZeroTier pricing page for details. ZeroTier is free to use internally in businesses and academic institutions and for non-commercial purposes. Certain types of commercial use such as building closed-source apps and devices based on ZeroTier or offering ZeroTier network controllers and network management as a SaaS service require a commercial license.

A small amount of third party code is also included in ZeroTier and is not subject to our BSL license. See AUTHORS.md for a list of third party code, where it is included, and the licenses that apply to it. All of the third party code in ZeroTier is liberally licensed (MIT, BSD, Apache, public domain, etc.).
## Getting Started

Everything in the ZeroTier world is controlled by two types of identifier: 40-bit/10-digit ZeroTier addresses and 64-bit/16-digit network IDs. These identifiers are easily distinguished by their length. A ZeroTier address identifies a node or "device" (laptop, phone, server, VM, app, etc.) while a network ID identifies a virtual Ethernet network that can be joined by devices.

ZeroTier addresses can be thought of as port numbers on an enormous planet-wide enterprise Ethernet smart switch supporting VLANs. Network IDs are VLAN IDs to which these ports may be assigned. A single port can be assigned to more than one VLAN.

A ZeroTier address looks like `8056c2e21c` and a network ID looks like `8056c2e21c000001`. Network IDs are composed of the ZeroTier address of that network's primary controller and an arbitrary 24-bit ID that identifies the network on this controller. Network controllers are roughly analogous to SDN controllers in SDN protocols like OpenFlow, though as with the analogy between VXLAN and VL2 this should not be read to imply that the protocols or design are the same. You can use our convenient and inexpensive SaaS hosted controllers at my.zerotier.com or run your own controller if you don't mind messing around with JSON configuration files or writing scripts to do so.
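As an added illustration of the identifier rules above (this is example code, not code from the ZeroTier repository; the type and function names are this example's own), the following C++ classifies a string by its hex-digit length and splits a network ID into the controller's 40-bit address and the 24-bit network number:

```cpp
#include <cctype>
#include <cstdint>
#include <cstdio>
#include <string>

// Kinds of ZeroTier identifier, told apart purely by hex-digit length
// (names are this example's own, not from the ZeroTier code base).
enum class ZtIdKind { Invalid, Address, NetworkId };

// True if s is non-empty and contains only hexadecimal digits.
static bool isHex(const std::string &s) {
    if (s.empty()) return false;
    for (char c : s)
        if (!std::isxdigit(static_cast<unsigned char>(c))) return false;
    return true;
}

// 10 hex digits -> 40-bit ZeroTier address, 16 hex digits -> 64-bit network ID.
ZtIdKind classifyId(const std::string &s) {
    if (!isHex(s)) return ZtIdKind::Invalid;
    if (s.size() == 10) return ZtIdKind::Address;
    if (s.size() == 16) return ZtIdKind::NetworkId;
    return ZtIdKind::Invalid;
}

// Split a network ID into the controller's 40-bit address (upper 40 bits) and
// the 24-bit number identifying the network on that controller (lower 24 bits).
// Returns false if nwid is not a well-formed network ID.
bool splitNetworkId(const std::string &nwid, uint64_t &controller, uint32_t &netNo) {
    if (classifyId(nwid) != ZtIdKind::NetworkId) return false;
    uint64_t v = std::stoull(nwid, nullptr, 16);
    controller = v >> 24;
    netNo = static_cast<uint32_t>(v & 0xFFFFFFULL);
    return true;
}

// Render a 40-bit address as the 10-digit, zero-padded hex form users see.
std::string addressToHex(uint64_t addr) {
    char buf[11];
    std::snprintf(buf, sizeof(buf), "%010llx",
                  static_cast<unsigned long long>(addr & 0xFFFFFFFFFFULL));
    return std::string(buf);
}

int main() {
    uint64_t controller = 0; uint32_t netNo = 0;
    if (splitNetworkId("8056c2e21c000001", controller, netNo))
        std::printf("controller %s, network #%u\n", addressToHex(controller).c_str(), netNo);
    return 0;
}
```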
## Project Layout

The base path contains the ZeroTier One service main entry point (one.cpp), self test code, makefiles, etc.

- artwork/: icons, logos, etc.
- attic/: old stuff and experimental code that we want to keep around for reference.
- controller/: the reference network controller implementation, which is built and included by default on desktop and server build targets.
- debian/: files for building Debian packages on Linux.
- doc/: manual pages and other documentation.
- ext/: third party libraries, binaries that we ship for convenience on some platforms (Mac and Windows), and installation support files.
- include/: include files for the ZeroTier core.
- java/: a JNI wrapper used with our Android mobile app. (The whole Android app is not open source but may be made so in the future.)
- macui/: a Macintosh menu-bar app for controlling ZeroTier One, written in Objective C.
- node/: the ZeroTier virtual Ethernet switch core, which is designed to be entirely separate from the rest of the code and able to be built as a stand-alone OS-independent library. Note to developers: do not use C++11 features in here, since we want this to build on old embedded platforms that lack C++11 support. C++11 can be used elsewhere.
- osdep/: code to support and integrate with OSes, including platform-specific stuff only built for certain targets.
- rule-compiler/: JavaScript rules language compiler for defining network-level rules.
- service/: the ZeroTier One service, which wraps the ZeroTier core and provides VPN-like connectivity to virtual networks for desktops, laptops, servers, VMs, and containers.
- windows/: Visual Studio solution files, Windows service code, and the Windows task bar app UI.

## Build and Platform Notes

To build on Mac and Linux just type `make`. On FreeBSD and OpenBSD `gmake` (GNU make) is required and can be installed from packages or ports. For Windows there is a Visual Studio solution in windows/.

### Mac

Xcode command line tools for OSX 10.8 or newer are required.

### Linux

The minimum compiler versions required are GCC/G++ 4.9.3 or CLANG/CLANG++ 3.4.2. (Install clang on CentOS 7 as G++ is too old.) Linux makefiles automatically detect and prefer clang/clang++ if present as it produces smaller and slightly faster binaries in most cases. You can override by supplying CC and CXX variables on the make command line.

### Windows

Windows 7 or newer is supported. This may work on Vista but isn't officially supported there. It will not work on Windows XP. We build with Visual Studio 2017. Older versions may not work. Clang or MinGW will also probably work but may require some makefile hacking.

### FreeBSD

GNU make is required. Type `gmake` to build.

### OpenBSD

There is a limit of four network memberships on OpenBSD as there are only four tap devices (/dev/tap0 through /dev/tap3). GNU make is required. Type `gmake` to build.

Typing `make selftest` will build a zerotier-selftest binary which unit tests various internals and reports on a few aspects of the build environment. It's a good idea to try this on novel platforms or architectures.
## Running

Running zerotier-one with the -h option will show help.

On Linux and BSD, if you built from source, you can start the service with:

```
sudo ./zerotier-one -d
```

On most distributions, macOS, and Windows, the installer will start the service and set it up to start on boot.

A home folder for your system will automatically be created.

The service is controlled via the JSON API, which by default is available at 127.0.0.1 port 9993. We include a zerotier-cli command line utility to make API calls for standard things like joining and leaving networks. The authtoken.secret file in the home folder contains the secret token for accessing this API. See service/README.md for API documentation.

Here's where home folders live (by default) on each OS:

- Linux: /var/lib/zerotier-one
- FreeBSD/OpenBSD: /var/db/zerotier-one
- Mac: /Library/Application Support/ZeroTier/One
- Windows: \ProgramData\ZeroTier\One (That's for Windows 7. The base 'shared app data' folder might be different on different Windows versions.)

## Basic Troubleshooting

For most users, it just works.
If you are running a local system firewall, we recommend adding a rule permitting zerotier. If you installed binaries for Windows this should be done automatically. Other platforms might require manual editing of local firewall rules depending on your configuration.
See the documentation site for more information.

The Mac firewall can be found under "Security" in System Preferences. Linux has a variety of firewall configuration systems and tools.

On CentOS check /etc/sysconfig/iptables for IPTables rules. For other distributions consult your distribution's documentation. You'll also have to check the UIs or documentation for commercial third party firewall applications like Little Snitch (Mac), McAfee Firewall Enterprise (Windows), etc. if you are running any of those. Some corporate environments might have centrally managed firewall software, so you might also have to contact IT.

ZeroTier One peers will automatically locate each other and communicate directly over a local wired LAN if UDP port 9993 inbound is open. If that port is filtered, they won't be able to see each others' LAN announcement packets. If you're experiencing poor performance between devices on the same physical network, check their firewall settings. Without LAN auto-location peers must attempt "loopback" NAT traversal, which sometimes fails and in any case requires that every packet traverse your external router twice.
Users behind certain types of firewalls and "symmetric" NAT devices may not be able to connect to external peers directly at all. ZeroTier has limited support for port prediction and will attempt to traverse symmetric NATs, but this doesn't always work. If P2P connectivity fails you'll be bouncing UDP packets off our relay servers resulting in slower performance. Some NAT routers have a configurable NAT mode, and setting this to "full cone" will eliminate this problem. If you do this you may also see a magical improvement for things like VoIP phones, Skype, BitTorrent, WebRTC, certain games, etc., since all of these use NAT traversal techniques similar to ours.
If a firewall between you and the Internet blocks ZeroTier's UDP traffic, you will fall back to last-resort TCP tunneling to root servers over port 443 (https impersonation). This will work almost anywhere but is very slow compared to UDP or direct peer to peer connectivity.

Additional help can be found in our knowledge base.