More plumbing

go/cmd/zerotier/cli/help.go

@@ -44,7 +44,7 @@ Commands:
   addroot <locator> [name]             Add a VL1 root
   removeroot <name>                    Remove a VL1 root
   locator <command> [args]             Locator management commands
-    new <identity> <address> [...]     Create and sign a locator
+    new <identity> <address> [...]     Create and sign locator for identity
     newdnskey                          Create a secure DNS name and secret
     getdns <dns key> <locator>         Create secure DNS TXT records
   identity <command> [args]            Identity management commands
@@ -53,10 +53,10 @@ Commands:
     validate <identity>                Locally validate an identity
     sign <identity> <file>             Sign a file with an identity's key
     verify <identity> <file> <sig>     Verify a signature
-  networks                             Show joined VL2 virtual networks
+  networks                             List joined VL2 virtual networks
+  network <network ID>                 Show verbose network info
   join <network ID>                    Join a virtual network
   leave <network ID>                   Leave a virtual network
-  show <network ID>                    Show verbose network info
   set <network ID> <option> <value>    Set a network local config option
     manageips <boolean>                Is IP management allowed?
     manageroutes <boolean>             Is route management allowed?

go/cmd/zerotier/cli/identity.go

@@ -54,33 +54,13 @@ func Identity(args []string) {
 
 		case "getpublic":
 			if len(args) == 2 {
-				idData, err := ioutil.ReadFile(args[1])
-				if err != nil {
-					fmt.Printf("ERROR: unable to read identity: %s\n", err.Error())
-					os.Exit(1)
-				}
-				id, err := zerotier.NewIdentityFromString(string(idData))
-				if err != nil {
-					fmt.Printf("ERROR: identity in file '%s' invalid: %s\n", args[1], err.Error())
-					os.Exit(1)
-				}
-				fmt.Println(id.String())
+				fmt.Println(readIdentity(args[1]).String())
 				os.Exit(0)
 			}
 
 		case "validate":
 			if len(args) == 2 {
-				idData, err := ioutil.ReadFile(args[1])
-				if err != nil {
-					fmt.Printf("ERROR: unable to read identity: %s\n", err.Error())
-					os.Exit(1)
-				}
-				id, err := zerotier.NewIdentityFromString(string(idData))
-				if err != nil {
-					fmt.Printf("ERROR: identity in file '%s' invalid: %s\n", args[1], err.Error())
-					os.Exit(1)
-				}
-				if id.LocallyValidate() {
+				if readIdentity(args[1]).LocallyValidate() {
 					fmt.Println("OK")
 					os.Exit(0)
 				}
@@ -90,16 +70,7 @@ func Identity(args []string) {
 
 		case "sign", "verify":
 			if len(args) > 2 {
-				idData, err := ioutil.ReadFile(args[1])
-				if err != nil {
-					fmt.Printf("ERROR: unable to read identity: %s\n", err.Error())
-					os.Exit(1)
-				}
-				id, err := zerotier.NewIdentityFromString(string(idData))
-				if err != nil {
-					fmt.Printf("ERROR: identity in file '%s' invalid: %s\n", args[1], err.Error())
-					os.Exit(1)
-				}
+				id := readIdentity(args[1])
 				msg, err := ioutil.ReadFile(args[2])
 				if err != nil {
 					fmt.Printf("ERROR: unable to read input file: %s\n", err.Error())

go/cmd/zerotier/cli/join.go

@@ -13,6 +13,35 @@
 
 package cli
 
+import (
+	"fmt"
+	"os"
+	"strconv"
+
+	"zerotier/pkg/zerotier"
+)
+
 // Join CLI command
 func Join(basePath, authToken string, args []string) {
+	if len(args) != 1 {
+		Help()
+		os.Exit(1)
+	}
+
+	if len(args[0]) != 16 {
+		fmt.Printf("ERROR: invalid network ID: %s\n", args[0])
+		os.Exit(1)
+	}
+	nwid, err := strconv.ParseUint(args[0], 16, 64)
+	if err != nil {
+		fmt.Printf("ERROR: invalid network ID: %s\n", args[0])
+		os.Exit(1)
+	}
+	nwids := fmt.Sprintf("%.16x", nwid)
+
+	var network zerotier.APINetwork
+	network.ID = zerotier.NetworkID(nwid)
+	apiPost(basePath, authToken, "/network/"+nwids, &network, nil)
+	fmt.Printf("OK %s", nwids)
+	os.Exit(0)
 }

go/cmd/zerotier/cli/leave.go

@@ -13,6 +13,31 @@
 
 package cli
 
+import (
+	"fmt"
+	"os"
+	"strconv"
+)
+
 // Leave CLI command
 func Leave(basePath, authToken string, args []string) {
+	if len(args) != 1 {
+		Help()
+		os.Exit(1)
+	}
+
+	if len(args[0]) != 16 {
+		fmt.Printf("ERROR: invalid network ID: %s\n", args[0])
+		os.Exit(1)
+	}
+	nwid, err := strconv.ParseUint(args[0], 16, 64)
+	if err != nil {
+		fmt.Printf("ERROR: invalid network ID: %s\n", args[0])
+		os.Exit(1)
+	}
+	nwids := fmt.Sprintf("%.16x", nwid)
+
+	apiDelete(basePath, authToken, "/network/"+nwids, nil)
+	fmt.Printf("OK %s", nwids)
+	os.Exit(0)
 }

go/cmd/zerotier/cli/locator.go

@@ -29,18 +29,9 @@ func locatorNew(args []string) {
 		os.Exit(1)
 	}
 
-	identityData, err := ioutil.ReadFile(args[0])
-	if err != nil {
-		fmt.Printf("FATAL: unable to read identity: %s\n", err.Error())
-		os.Exit(1)
-	}
-	identity, err := zerotier.NewIdentityFromString(string(identityData))
-	if err != nil {
-		fmt.Printf("FATAL: invalid identity: %s\n", err.Error())
-		os.Exit(1)
-	}
+	identity := readIdentity(args[0])
 	if !identity.HasPrivate() {
-		fmt.Println("FATAL: identity does not contain secret key")
+		fmt.Println("FATAL: identity does not contain a secret key (required to sign locator)")
 		os.Exit(1)
 	}
 

go/cmd/zerotier/cli/misc.go

@@ -16,8 +16,11 @@ package cli
 import (
 	"encoding/json"
 	"fmt"
+	"io/ioutil"
 	"net/http"
 	"os"
+	"strings"
+
 	"zerotier/pkg/zerotier"
 )
 
@@ -55,6 +58,23 @@ func apiPost(basePath, authToken, urlPath string, post, result interface{}) {
 	}
 }
 
+func apiDelete(basePath, authToken, urlPath string, result interface{}) {
+	statusCode, err := zerotier.APIDelete(basePath, zerotier.APISocketName, authToken, urlPath, result)
+	if err != nil {
+		fmt.Printf("FATAL: API response code %d: %s\n", statusCode, err.Error())
+		os.Exit(1)
+		return
+	}
+	if statusCode != http.StatusOK {
+		if statusCode == http.StatusUnauthorized {
+			fmt.Printf("FATAL: API response code %d: unauthorized (authorization token incorrect)\n", statusCode)
+		}
+		fmt.Printf("FATAL: API response code %d\n", statusCode)
+		os.Exit(1)
+		return
+	}
+}
+
 func enabledDisabled(f bool) string {
 	if f {
 		return "ENABLED"
@@ -66,3 +86,37 @@ func jsonDump(obj interface{}) string {
 	j, _ := json.MarshalIndent(obj, "", "  ")
 	return string(j)
 }
+
+func readIdentity(s string) *zerotier.Identity {
+	if strings.ContainsRune(s, ':') {
+		id, _ := zerotier.NewIdentityFromString(s)
+		if id != nil {
+			return id
+		}
+	}
+	idData, err := ioutil.ReadFile(s)
+	if err != nil {
+		fmt.Printf("FATAL: identity '%s' cannot be resolved as file or literal identity: %s", s, err.Error())
+		os.Exit(1)
+	}
+	id, err := zerotier.NewIdentityFromString(string(idData))
+	if err != nil {
+		fmt.Printf("FATAL: identity '%s' cannot be resolved as file or literal identity: %s", s, err.Error())
+		os.Exit(1)
+	}
+	return id
+}
+
+func networkStatusStr(int status) string {
+	switch status {
+	case zerotier.NetworkStatusNotFound:
+		return "NOTFOUND"
+	case zerotier.NetworkStatusAccessDenied:
+		return "DENIED"
+	case zerotier.NetworkStatusRequestConfiguration:
+		return "UPDATING"
+	case zerotier.NetworkStatusOK:
+		return "OK"
+	}
+	return "???"
+}

go/cmd/zerotier/cli/network.go

@@ -0,0 +1,105 @@
+/*
+ * Copyright (c)2019 ZeroTier, Inc.
+ *
+ * Use of this software is governed by the Business Source License included
+ * in the LICENSE.TXT file in the project's root directory.
+ *
+ * Change Date: 2023-01-01
+ *
+ * On the date above, in accordance with the Business Source License, use
+ * of this software will be governed by version 2.0 of the Apache License.
+ */
+/****/
+
+package cli
+
+import (
+	"fmt"
+	"os"
+	"strconv"
+
+	"zerotier/pkg/zerotier"
+)
+
+// Network CLI command
+func Network(basePath, authToken string, args []string, jsonOutput bool) {
+	if len(args) != 1 {
+		Help()
+		os.Exit(1)
+	}
+
+	if len(args[0]) != 16 {
+		fmt.Printf("ERROR: invalid network ID: %s\n", args[0])
+		os.Exit(1)
+	}
+	nwid, err := strconv.ParseUint(args[0], 16, 64)
+	if err != nil {
+		fmt.Printf("ERROR: invalid network ID: %s\n", args[0])
+		os.Exit(1)
+	}
+	nwids := fmt.Sprintf("%.16x", nwid)
+
+	var network zerotier.APINetwork
+	apiGet(basePath, authToken, "/network/"+nwids, &network)
+
+	if jsonOutput {
+		fmt.Println(jsonDump(&network))
+	} else {
+		fmt.Printf("%s: %s\n", nwids, network.Config.Name)
+		fmt.Printf("\tstatus:\t%s\n", networkStatusStr(network.Config.Status))
+		enabled := "no"
+		if network.TapDeviceEnabled {
+			enabled = "yes"
+		}
+		bridge := "no"
+		if network.Config.Bridge {
+			bridge = "yes"
+		}
+		broadcast := "off"
+		if network.Config.BroadcastEnabled {
+			broadcast = "on"
+		}
+		fmt.Printf("\tport:\t%s dev %s type %s mtu %d enabled %s bridge %s broadcast %s\n", network.Config.MAC.String(), network.TapDeviceName, network.TapDeviceType, network.Config.MTU, enabled, bridge, broadcast)
+		fmt.Printf("\tmanaged addresses:\t")
+		for i, a := range network.Config.AssignedAddresses {
+			if i > 0 {
+				fmt.Print(' ')
+			}
+			fmt.Print(a.String())
+		}
+		fmt.Printf("\n\tmanaged routes:\t")
+		for i, r := range network.Config.Routes {
+			if i > 0 {
+				fmt.Print(' ')
+			}
+			fmt.Print(r.Target.String())
+			if r.Via == nil {
+				fmt.Print("->LAN")
+			} else {
+				fmt.Printf("->%s", r.Via.String())
+			}
+		}
+		managedIPs := "disabled"
+		if network.Settings.AllowManagedIPs {
+			managedIPs = "enabled"
+		}
+		managedIPsGlobal := "disabled"
+		if network.Settings.AllowGlobalIPs {
+			managedIPsGlobal = "enabled"
+		}
+		fmt.Printf("\n\tmanaged address local permissions:\t%s global %s\n", managedIPs, managedIPsGlobal)
+		managedRoutes := "diabled"
+		if network.Settings.AllowManagedRoutes {
+			managedRoutes = "enabled"
+		}
+		managedGlobalRoutes := "disabled"
+		if network.Settings.AllowGlobalRoutes {
+			managedGlobalRoutes = "enabled"
+		}
+		managedDefaultRoute := "disabled"
+		if network.Settings.AllowDefaultRouteOverride {
+			managedDefaultRoute = "enabled"
+		}
+		fmt.Printf("\tmanaged route local permissions:\t%s global %s default %s\n", managedRoutes, managedGlobalRoutes, managedDefaultRoute)
+	}
+}

go/cmd/zerotier/cli/networks.go

@@ -13,6 +13,37 @@
 
 package cli
 
+import (
+	"fmt"
+	"os"
+
+	"zerotier/pkg/zerotier"
+)
+
 // Networks CLI command
-func Networks(basePath, authToken string, args []string) {
+func Networks(basePath, authToken string, args []string, jsonOutput bool) {
+	var networks []zerotier.APINetwork
+	apiGet(basePath, authToken, "/network", &networks)
+
+	if jsonOutput {
+		fmt.Println(jsonDump(networks))
+	} else {
+		fmt.Printf("%-16s %-24s %-17s %-8s <type>  <device>         <managed IP(s)>\n", "<id>", "<name>", "<mac>", "<status>")
+		for _, nw := range networks {
+			t := "PRIVATE"
+			if nw.Config.Type == zerotier.NetworkTypePublic {
+				t = "PUBLIC"
+			}
+			fmt.Printf("%.16x %-24s %-17s %-16s %-7s %-16s ", uint64(nw.ID), nw.Config.Name, nw.Config.MAC.String(), networkStatusStr(nw.Config.Status), t, nw.TapDeviceName)
+			for i, ip := range nw.Config.AssignedAddresses {
+				if i > 0 {
+					fmt.Print(',')
+				}
+				fmt.Print(ip.String())
+			}
+			fmt.Print("\n")
+		}
+	}
+
+	os.Exit(0)
 }

go/cmd/zerotier/cli/peers.go

@@ -28,7 +28,7 @@ func Peers(basePath, authToken string, args []string, jsonOutput bool) {
 	if jsonOutput {
 		fmt.Println(jsonDump(&peers))
 	} else {
-		fmt.Printf("<ztaddr>   <ver>   <role> <lat> <link> <lastTX> <lastRX> <path(s)>\n")
+		fmt.Printf("<address>  <ver>   <role> <lat> <link> <lastTX> <lastRX> <path(s)>\n")
 		for _, peer := range peers {
 			role := "LEAF"
 			link := "RELAY"

go/cmd/zerotier/cli/removeroot.go

@@ -13,6 +13,27 @@
 
 package cli
 
+import (
+	"fmt"
+	"net/http"
+	"net/url"
+	"os"
+	"strings"
+
+	"zerotier/pkg/zerotier"
+)
+
 // RemoveRoot CLI command
 func RemoveRoot(basePath, authToken string, args []string) {
+	if len(args) != 1 {
+		Help()
+		os.Exit(1)
+	}
+	result, _ := zerotier.APIDelete(basePath, zerotier.APISocketName, authToken, "/root/"+url.PathEscape(strings.TrimSpace(args[0])), nil)
+	if result == http.StatusOK {
+		fmt.Printf("%s removed\n", args[0])
+		os.Exit(0)
+	}
+	fmt.Printf("ERROR: root %s not found or another error occurred: status code %d\n", args[0], result)
+	os.Exit(1)
 }

go/cmd/zerotier/cli/roots.go

@@ -28,7 +28,7 @@ func Roots(basePath, authToken string, args []string, jsonOutput bool) {
 	if jsonOutput {
 		fmt.Println(jsonDump(roots))
 	} else {
-		fmt.Printf("%32s <ztaddr>   <address(es)>\n", "<name>")
+		fmt.Printf("%32s <address>  <physical/virtual>\n", "<name>")
 		for _, r := range roots {
 			rn := r.Name
 			if len(rn) > 32 {

go/cmd/zerotier/cli/show.go

@@ -1,18 +0,0 @@
-/*
- * Copyright (c)2019 ZeroTier, Inc.
- *
- * Use of this software is governed by the Business Source License included
- * in the LICENSE.TXT file in the project's root directory.
- *
- * Change Date: 2023-01-01
- *
- * On the date above, in accordance with the Business Source License, use
- * of this software will be governed by version 2.0 of the Apache License.
- */
-/****/
-
-package cli
-
-// Show CLI command
-func Show(basePath, authToken string, args []string) {
-}

go/cmd/zerotier/cli/status.go

@@ -33,39 +33,39 @@ func Status(basePath, authToken string, args []string, jsonOutput bool) {
 			online = "OFFLINE"
 		}
 		fmt.Printf("%.10x: %s %s\n", uint64(status.Address), online, status.Version)
-		fmt.Printf("\tports: %d %d %d\n", status.Config.Settings.PrimaryPort, status.Config.Settings.SecondaryPort, status.Config.Settings.TertiaryPort)
-		fmt.Printf("\tport search: %s\n", enabledDisabled(status.Config.Settings.PortSearch))
-		fmt.Printf("\tport mapping (uPnP/NAT-PMP): %s\n", enabledDisabled(status.Config.Settings.PortMapping))
-		fmt.Printf("\tmultipath mode: %d\n", status.Config.Settings.MuiltipathMode)
-		fmt.Printf("\tblacklisted interface prefixes: ")
+		fmt.Printf("\tports:\t%d %d %d\n", status.Config.Settings.PrimaryPort, status.Config.Settings.SecondaryPort, status.Config.Settings.TertiaryPort)
+		fmt.Printf("\tport search:\t%s\n", enabledDisabled(status.Config.Settings.PortSearch))
+		fmt.Printf("\tport mapping (uPnP/NAT-PMP):\t%s\n", enabledDisabled(status.Config.Settings.PortMapping))
+		fmt.Printf("\tmultipath mode:\t%d\n", status.Config.Settings.MuiltipathMode)
+		fmt.Printf("\tblacklisted interface prefixes:\t")
 		for i, bl := range status.Config.Settings.InterfacePrefixBlacklist {
 			if i > 0 {
-				fmt.Print(',')
+				fmt.Print(' ')
 			}
 			fmt.Print(bl)
 		}
 		fmt.Printf("\n\texplicit external addresses: ")
 		for i, ea := range status.Config.Settings.ExplicitAddresses {
 			if i > 0 {
-				fmt.Print(',')
+				fmt.Print(' ')
 			}
 			fmt.Print(ea.String())
 		}
 		fmt.Printf("\n\tsystem interface addresses: ")
 		for i, a := range status.InterfaceAddresses {
 			if i > 0 {
-				fmt.Print(',')
+				fmt.Print(' ')
 			}
 			fmt.Print(a.String())
 		}
 		fmt.Printf("\n\tmapped external addresses: ")
 		for i, a := range status.MappedExternalAddresses {
 			if i > 0 {
-				fmt.Print(',')
+				fmt.Print(' ')
 			}
 			fmt.Print(a.String())
 		}
-		fmt.Printf("\n\tidentity: %s\n", status.Identity.String())
+		fmt.Printf("\n\tidentity:\t%s\n", status.Identity.String())
 	}
 
 	os.Exit(0)

go/cmd/zerotier/zerotier.go

@@ -85,6 +85,11 @@ func main() {
 		cmdArgs = args[1:]
 	}
 
+	if *hflag {
+		cli.Help()
+		os.Exit(0)
+	}
+
 	basePath := zerotier.PlatformDefaultHomePath
 	if len(*pflag) > 0 {
 		basePath = *pflag
@@ -128,16 +133,16 @@ func main() {
 		cli.Identity(cmdArgs)
 	case "networks", "listnetworks":
 		authTokenRequired(authToken)
-		cli.Networks(basePath, authToken, cmdArgs)
+		cli.Networks(basePath, authToken, cmdArgs, *jflag)
+	case "network":
+		authTokenRequired(authToken)
+		cli.Network(basePath, authToken, cmdArgs, *jflag)
 	case "join":
 		authTokenRequired(authToken)
 		cli.Join(basePath, authToken, cmdArgs)
 	case "leave":
 		authTokenRequired(authToken)
 		cli.Leave(basePath, authToken, cmdArgs)
-	case "show":
-		authTokenRequired(authToken)
-		cli.Show(basePath, authToken, cmdArgs)
 	case "set":
 		authTokenRequired(authToken)
 		cli.Set(basePath, authToken, cmdArgs)

go/pkg/zerotier/api.go

@@ -69,6 +69,29 @@ func APIPost(basePath, socketName, authToken, queryPath string, post, result int
 	if err != nil {
 		return http.StatusTeapot, err
 	}
+	req.Header.Add("Content-Type", "application/json")
+	req.Header.Add("Authorization", "bearer "+authToken)
+	resp, err := client.Do(req)
+	if err != nil {
+		return http.StatusTeapot, err
+	}
+	if result != nil {
+		err = json.NewDecoder(resp.Body).Decode(result)
+		return resp.StatusCode, err
+	}
+	return resp.StatusCode, nil
+}
+
+// APIDelete posts DELETE to a path and fills result with the outcome (if any) if result is non-nil
+func APIDelete(basePath, socketName, authToken, queryPath string, result interface{}) (int, error) {
+	client, err := createNamedSocketHTTPClient(basePath, socketName)
+	if err != nil {
+		return http.StatusTeapot, err
+	}
+	req, err := http.NewRequest("DELETE", "http://socket"+queryPath, nil)
+	if err != nil {
+		return http.StatusTeapot, err
+	}
 	req.Header.Add("Authorization", "bearer "+authToken)
 	resp, err := client.Do(req)
 	if err != nil {
@@ -90,8 +113,8 @@ type APIStatus struct {
 	PeerCount               int
 	PathCount               int
 	Identity                *Identity
-	InterfaceAddresses      []net.IP
-	MappedExternalAddresses []*InetAddress
+	InterfaceAddresses      []net.IP       `json:",omitempty"`
+	MappedExternalAddresses []*InetAddress `json:",omitempty"`
 	Version                 string
 	VersionMajor            int
 	VersionMinor            int
@@ -102,9 +125,9 @@ type APIStatus struct {
 // APINetwork is the object returned by API network inquiries
 type APINetwork struct {
 	ID                     NetworkID
-	Config                 *NetworkConfig
-	Settings               *NetworkLocalSettings
-	MulticastSubscriptions []*MulticastGroup
+	Config                 NetworkConfig
+	Settings               *NetworkLocalSettings `json:",omitempty"`
+	MulticastSubscriptions []*MulticastGroup     `json:",omitempty"`
 	TapDeviceType          string
 	TapDeviceName          string
 	TapDeviceEnabled       bool
@@ -113,8 +136,7 @@ type APINetwork struct {
 func apiNetworkFromNetwork(n *Network) *APINetwork {
 	var nn APINetwork
 	nn.ID = n.ID()
-	c := n.Config()
-	nn.Config = &c
+	nn.Config = n.Config()
 	ls := n.LocalSettings()
 	nn.Settings = &ls
 	nn.MulticastSubscriptions = n.MulticastSubscriptions()
@@ -175,7 +197,7 @@ func apiCheckAuth(out http.ResponseWriter, req *http.Request, token string) bool
 }
 
 // createAPIServer creates and starts an HTTP server for a given node
-func createAPIServer(basePath string, node *Node) (*http.Server, error) {
+func createAPIServer(basePath string, node *Node) (*http.Server, *http.Server, error) {
 	// Read authorization token, automatically generating one if it's missing
 	var authToken string
 	authTokenFile := path.Join(basePath, "authtoken.secret")
@@ -184,14 +206,14 @@ func createAPIServer(basePath string, node *Node) (*http.Server, error) {
 		var atb [20]byte
 		_, err = secrand.Read(atb[:])
 		if err != nil {
-			return nil, err
+			return nil, nil, err
 		}
 		for i := 0; i < 20; i++ {
 			atb[i] = "abcdefghijklmnopqrstuvwxyz0123456789"[atb[i]%36]
 		}
 		err = ioutil.WriteFile(authTokenFile, atb[:], 0600)
 		if err != nil {
-			return nil, err
+			return nil, nil, err
 		}
 		_ = acl.Chmod(authTokenFile, 0600)
 		authToken = string(atb[:])
@@ -348,7 +370,7 @@ func createAPIServer(basePath string, node *Node) (*http.Server, error) {
 				for _, nw := range networks {
 					if nw.id == queriedID {
 						_ = node.Leave(queriedID)
-						_ = apiSendObj(out, req, http.StatusOK, nw)
+						_ = apiSendObj(out, req, http.StatusOK, apiNetworkFromNetwork(nw))
 						return
 					}
 				}
@@ -468,7 +490,7 @@ func createAPIServer(basePath string, node *Node) (*http.Server, error) {
 
 	listener, err := createNamedSocketListener(basePath, APISocketName)
 	if err != nil {
-		return nil, err
+		return nil, nil, err
 	}
 	httpServer := &http.Server{
 		MaxHeaderBytes: 4096,
@@ -479,12 +501,34 @@ func createAPIServer(basePath string, node *Node) (*http.Server, error) {
 	}
 	httpServer.SetKeepAlivesEnabled(true)
 	go func() {
-		err := httpServer.Serve(listener)
-		if err != nil {
-			node.log.Printf("ERROR: unable to start API HTTP server: %s (continuing anyway but CLI will not work!)", err.Error())
-		}
+		_ = httpServer.Serve(listener)
 		_ = listener.Close()
 	}()
 
-	return httpServer, nil
+	var tcpHttpServer *http.Server
+	tcpBindAddr := node.LocalConfig().Settings.APITCPBindAddress
+	if tcpBindAddr != nil {
+		tcpListener, err := net.ListenTCP("tcp", &net.TCPAddr{
+			IP:   tcpBindAddr.IP,
+			Port: tcpBindAddr.Port,
+		})
+		if err != nil {
+			node.log.Printf("ERROR: unable to start API HTTP server at TCP bind address %s: %s (continuing anyway)", tcpBindAddr.String(), err.Error())
+		} else {
+			tcpHttpServer = &http.Server{
+				MaxHeaderBytes: 4096,
+				Handler:        smux,
+				IdleTimeout:    10 * time.Second,
+				ReadTimeout:    10 * time.Second,
+				WriteTimeout:   600 * time.Second,
+			}
+			tcpHttpServer.SetKeepAlivesEnabled(true)
+			go func() {
+				_ = tcpHttpServer.Serve(tcpListener)
+				_ = tcpListener.Close()
+			}()
+		}
+	}
+
+	return httpServer, tcpHttpServer, nil
 }

go/pkg/zerotier/localconfig.go

@@ -33,7 +33,7 @@ type LocalConfigPhysicalPathConfiguration struct {
 // LocalConfigVirtualAddressConfiguration contains settings for virtual addresses
 type LocalConfigVirtualAddressConfiguration struct {
 	// Try is a list of IPs/ports to try for this peer in addition to anything learned from roots or direct path push
-	Try []*InetAddress
+	Try []*InetAddress `json:",omitempty"`
 }
 
 // LocalConfigSettings contains node settings
@@ -59,26 +59,29 @@ type LocalConfigSettings struct {
 	// MultipathMode sets the multipath link aggregation mode
 	MuiltipathMode int
 
+	// IP/port to bind for TCP access to control API (disabled if null)
+	APITCPBindAddress *InetAddress `json:",omitempty"`
+
 	// InterfacePrefixBlacklist are prefixes of physical network interface names that won't be used by ZeroTier (e.g. "lo" or "utun")
-	InterfacePrefixBlacklist []string
+	InterfacePrefixBlacklist []string `json:",omitempty"`
 
 	// ExplicitAddresses are explicit IP/port addresses to advertise to other nodes, such as externally mapped ports on a router
-	ExplicitAddresses []*InetAddress
+	ExplicitAddresses []*InetAddress `json:",omitempty"`
 }
 
 // LocalConfig is the local.conf file and stores local settings for the node.
 type LocalConfig struct {
 	// Physical path configurations by CIDR IP/bits
-	Physical map[string]*LocalConfigPhysicalPathConfiguration
+	Physical map[string]*LocalConfigPhysicalPathConfiguration `json:",omitempty"`
 
 	// Virtual node specific configurations by 10-digit hex ZeroTier address
-	Virtual map[Address]*LocalConfigVirtualAddressConfiguration
+	Virtual map[Address]*LocalConfigVirtualAddressConfiguration `json:",omitempty"`
 
 	// Network local configurations by 16-digit hex ZeroTier network ID
-	Network map[NetworkID]*NetworkLocalSettings
+	Network map[NetworkID]*NetworkLocalSettings `json:",omitempty"`
 
 	// LocalConfigSettings contains other local settings for this node
-	Settings LocalConfigSettings
+	Settings LocalConfigSettings `json:",omitempty"`
 }
 
 // Read this local config from a file, initializing to defaults if the file does not exist

go/pkg/zerotier/node.go

@@ -170,6 +170,7 @@ type Node struct {
 	zn                     *C.ZT_Node
 	id                     *Identity
 	apiServer              *http.Server
+	tcpApiServer           *http.Server
 	online                 uint32
 	running                uint32
 	runLock                sync.Mutex
@@ -285,7 +286,7 @@ func NewNode(basePath string) (*Node, error) {
 		return nil, err
 	}
 
-	n.apiServer, err = createAPIServer(basePath, n)
+	n.apiServer, n.tcpApiServer, err = createAPIServer(basePath, n)
 	if err != nil {
 		n.log.Printf("FATAL: unable to start API server: %s", err.Error())
 		C.ZT_GoNode_delete(n.gn)
@@ -399,13 +400,21 @@ func NewNode(basePath string) (*Node, error) {
 // Close closes this Node and frees its underlying C++ Node structures
 func (n *Node) Close() {
 	if atomic.SwapUint32(&n.running, 0) != 0 {
-		_ = n.apiServer.Close()
+		if n.apiServer != nil {
+			_ = n.apiServer.Close()
+		}
+		if n.tcpApiServer != nil {
+			_ = n.tcpApiServer.Close()
+		}
+
 		C.ZT_GoNode_delete(n.gn)
+
+		n.runLock.Lock() // wait for maintenance gorountine to die
+		n.runLock.Unlock()
+
 		nodesByUserPtrLock.Lock()
 		delete(nodesByUserPtr, uintptr(unsafe.Pointer(n.gn)))
 		nodesByUserPtrLock.Unlock()
-		n.runLock.Lock() // wait for maintenance gorountine to die
-		n.runLock.Unlock()
 	}
 }
 
@@ -943,9 +952,9 @@ func goVirtualNetworkConfigFunc(gn, _ unsafe.Pointer, nwid C.uint64_t, op C.int,
 				for i := 0; i < int(ncc.routeCount); i++ {
 					tgt := sockaddrStorageToIPNet(&ncc.routes[i].target)
 					viaN := sockaddrStorageToIPNet(&ncc.routes[i].via)
-					var via net.IP
-					if viaN != nil {
-						via = viaN.IP
+					var via *net.IP
+					if viaN != nil && len(viaN.IP) > 0 {
+						via = &viaN.IP
 					}
 					if tgt != nil {
 						nc.Routes = append(nc.Routes, Route{

go/pkg/zerotier/route.go

@@ -24,7 +24,7 @@ type Route struct {
 	Target net.IPNet
 
 	// Via is how to reach this target (null/empty if the target IP range is local to this virtual LAN)
-	Via net.IP
+	Via *net.IP
 
 	// Route flags (currently unused, always 0)
 	Flags uint16
@@ -35,7 +35,7 @@ type Route struct {
 
 // String returns a string representation of this route
 func (r *Route) String() string {
-	if len(r.Via) == 0 {
+	if r.Via != nil {
 		return r.Target.String() + "->LAN"
 	}
 	return r.Target.String() + "->" + r.Via.String()