Commit Graph

441 Commits

Author SHA1 Message Date
travisladuke
b071d6bbec Don't apply default route until zerotier is "online"
I was running into issues with restarting the zerotier service while
"full tunnel" mode is enabled.
When zerotier first boots, it gets network state from the cache
on disk. So it immediately applies all the routes it knew about
before it shutdown.
The network config may have change in this time.
If it has, then your default route is via a route
you are blocked from talking on. So you  can't get the current
network config, so your internet does not work.

Other options include
- don't use cached network state on boot
- find a better criteria than "online"
2023-08-11 10:13:34 -07:00
Brenton Bostick
e36127283c
Fix typos (#2075) 2023-08-01 08:53:55 -07:00
Joseph Henry
230ae6bd16 Fix reporting of secondaryPort and tertiaryPort See: #2039 2023-07-31 20:44:16 -07:00
travisladuke
fb6af1971b Fix network DNS on macOS
It stopped working for ipv4 only networks in Monterey.
See #1696

We add some config like so to System Configuration

```
scutil
show State:/Network/Service/9bee8941b5xxxxxx/IPv4
<dictionary> {
  Addresses : <array> {
    0 : 10.2.1.36
  }
  InterfaceName : feth4823
  Router : 10.2.1.36
  ServerAddress : 127.0.0.1
}

```
2023-07-27 14:26:36 -07:00
Grant Limberg
5a36b315a3
Exit if loading an invalid identity from disk (#2058)
* Exit if loading an invalid identity from disk

Previously, if an invalid identity was loaded from disk, ZeroTier would
generate a new identity & chug along and generate a brand new identity
as if nothing happened.  When running in containers, this introduces the
possibility for key matter loss; especially when running in containers
where the identity files are mounted in the container read only.  In
this case, ZT will continue chugging along with a brand new identity
with no possibility of recovering the private key.

ZeroTier should exit upon loading of invalid identity.public/identity.secret #2056

* add validation test for #2056
2023-07-18 14:10:31 -04:00
travis laduke
ee663d61cd Add warning to cli for allow default on FreeBSD
It doesn't work.
Not possible to fix with deficient network
stack and APIs.

ZeroTierOne-freebsd # zerotier-cli set 9bee8941b5xxxxxx allowDefault=1
400 set Allow Default does not work properly on FreeBSD. See #580
root@freebsd13-a:~/ZeroTierOne-freebsd # zerotier-cli get 9bee8941b5xxxxxx allowDefault
1
2023-07-13 13:20:22 -07:00
Grant Limberg
008a768f15
Add a 2nd auth token only for access to /metrics (#2043)
* Add a 2nd auth token for /metrics

Allows administrators to distribute a token that only has access to read
metrics and nothing else.

Also added support for using bearer auth tokens for both types of tokens

Separate endpoint for metrics #2041

* Update readme

* fix a couple of cases of writing the wrong token
2023-07-07 16:43:32 -07:00
Travis LaDuke
e0e21dfdda
fix oidc auth url memory leak (#2031)
getAuthURL() was not calling zeroidc::free_cstr(url);

the only place authAuthURL is called, the url can be retrieved
from the network config instead.

You could alternatively copy the string and call free_cstr in getAuthURL.
If that's better we can change the PR.

Since now there are no callers of getAuthURL I deleted it.

Co-authored-by: Grant Limberg <glimberg@users.noreply.github.com>
2023-07-06 11:27:54 -07:00
Brenton Bostick
f3da2b4031
Capture setContent by-value instead of by-reference (#2006)
Co-authored-by: Grant Limberg <glimberg@users.noreply.github.com>
2023-05-17 17:55:32 -07:00
Grant Limberg
6b5c9b1b8e
separate the bind & listen calls on the http backplane (#1988) 2023-05-02 16:46:06 -07:00
Grant Limberg
e5fc89821f
use cpp-httplib for HTTP control plane (#1979)
refactored the old control plane code to use [cpp-httplib](https://github.com/yhirose/cpp-httplib) instead of a hand rolled HTTP server.  Makes the control plane code much more legible.  Also no longer randomly stops responding.
2023-04-28 11:03:28 -07:00
Grant Limberg
8e6e4ede6d
Add prometheus metrics for Central controllers (#1969)
* add header-only prometheus lib to ext

* rename folder

* Undo rename directory

* prometheus simpleapi included on mac & linux

* wip

* wire up some controller stats

* Get windows building with prometheus

* bsd build flags for prometheus

* Fix multiple network join from environment entrypoint.sh.release (#1961)

* _bond_m guards _bond, not _paths_m (#1965)

* Fix: warning: mutex '_aqm_m' is not held on every path through here [-Wthread-safety-analysis] (#1964)

* Serve prom metrics from /metrics endpoint

* Add prom metrics for Central controller specific things

* reorganize metric initialization

* testing out a labled gauge on Networks

* increment error counter on throw

* Consolidate metrics definitions

Put all metric definitions into node/Metrics.hpp.  Accessed as needed
from there.

* Revert "testing out a labled gauge on Networks"

This reverts commit 499ed6d95e.

* still blows up but adding to the record for completeness right now

* Fix runtime issues with metrics

* Add metrics files to visual studio project

* Missed an "extern"

* add copyright headers to new files

* Add metrics for sent/received bytes (total)

* put /metrics endpoint behind auth

* sendto returns int on Win32

---------

Co-authored-by: Leonardo Amaral <leleobhz@users.noreply.github.com>
Co-authored-by: Brenton Bostick <bostick@gmail.com>
2023-04-21 12:12:43 -07:00
Travis LaDuke
a372619fee
Fix addIp being called with applied ips (#1897)
This was getting called outside of the check for existing ips
Because of the added ifdef and a brace getting moved to the
wrong place.

```
if (! n.tap()->addIp(*ip)) {
	fprintf(stderr, "ERROR: unable to add ip address %s" ZT_EOL_S, ip->toString(ipbuf));
}
WinFWHelper::newICMPRule(*ip, n.config().nwid);

```
2023-03-10 10:57:54 -05:00
Adam Ierymenko
1c5897895b
1.10.4 merge into main (#1893)
* add note about forceTcpRelay

* Create a sample systemd unit for tcp proxy

* set gitattributes for rust & cargo so hashes dont conflict on Windows

* Revert "set gitattributes for rust & cargo so hashes dont conflict on Windows"

This reverts commit 032dc5c108.

* Turn off autocrlf for rust source

Doesn't appear to play nice well when it comes to git and vendored cargo package hashes

* Fix #1883 (#1886)

Still unknown as to why, but the call to `nc->GetProperties()` can fail
when setting a friendly name on the Windows virtual ethernet adapter.
Ensure that `ncp` is not null before continuing and accessing the device
GUID.

* Don't vendor packages for zeroidc (#1885)

* Added docker environment way to join networks (#1871)

* add StringUtils

* fix headers
use recommended headers and remove unused headers

* move extern "C"
only JNI functions need to be exported

* cleanup

* fix ANDROID-50: RESULT_ERROR_BAD_PARAMETER typo

* fix typo in log message

* fix typos in JNI method signatures

* fix typo

* fix ANDROID-51: fieldName is uninitialized

* fix ANDROID-35: memory leak

* fix missing DeleteLocalRef in loops

* update to use unique error codes

* add GETENV macro

* add LOG_TAG defines

* ANDROID-48: add ZT_jnicache.cpp

* ANDROID-48: use ZT_jnicache.cpp and remove ZT_jnilookup.cpp and ZT_jniarray.cpp

* add Event.fromInt

* add PeerRole.fromInt

* add ResultCode.fromInt

* fix ANDROID-36: issues with ResultCode

* add VirtualNetworkConfigOperation.fromInt

* fix ANDROID-40: VirtualNetworkConfigOperation out-of-sync with ZT_VirtualNetworkConfigOperation enum

* add VirtualNetworkStatus.fromInt

* fix ANDROID-37: VirtualNetworkStatus out-of-sync with ZT_VirtualNetworkStatus enum

* add VirtualNetworkType.fromInt

* make NodeStatus a plain data class

* fix ANDROID-52: synchronization bug with nodeMap

* Node init work: separate Node construction and init

* add Node.toString

* make PeerPhysicalPath a plain data class

* remove unused PeerPhysicalPath.fixed

* add array functions

* make Peer a plain data class

* make Version a plain data class

* fix ANDROID-42: copy/paste error

* fix ANDROID-49: VirtualNetworkConfig.equals is wrong

* reimplement VirtualNetworkConfig.equals

* reimplement VirtualNetworkConfig.compareTo

* add VirtualNetworkConfig.hashCode

* make VirtualNetworkConfig a plain data class

* remove unused VirtualNetworkConfig.enabled

* reimplement VirtualNetworkDNS.equals

* add VirtualNetworkDNS.hashCode

* make VirtualNetworkDNS a plain data class

* reimplement VirtualNetworkRoute.equals

* reimplement VirtualNetworkRoute.compareTo

* reimplement VirtualNetworkRoute.toString

* add VirtualNetworkRoute.hashCode

* make VirtualNetworkRoute a plain data class

* add isSocketAddressEmpty

* add addressPort

* add fromSocketAddressObject

* invert logic in a couple of places and return early

* newInetAddress and newInetSocketAddress work
allow newInetSocketAddress to return NULL if given empty address

* fix ANDROID-38: stack corruption in onSendPacketRequested

* use GETENV macro

* JniRef work
JniRef does not use callbacks struct, so remove
fix NewGlobalRef / DeleteGlobalRef mismatch

* use PRId64 macros

* switch statement work

* comments and logging

* Modifier 'public' is redundant for interface members

* NodeException can be made a checked Exception

* 'NodeException' does not define a 'serialVersionUID' field

* 'finalize()' should not be overridden
this is fine to do because ZeroTierOneService calls close() when it is done

* error handling, error reporting, asserts, logging

* simplify loadLibrary

* rename Node.networks -> Node.networkConfigs

* Windows file permissions fix (#1887)

* Allow macOS interfaces to use multiple IP addresses (#1879)

Co-authored-by: Sean OMeara <someara@users.noreply.github.com>
Co-authored-by: Grant Limberg <glimberg@users.noreply.github.com>

* Fix condition where full HELLOs might not be sent when necessary (#1877)

Co-authored-by: Grant Limberg <glimberg@users.noreply.github.com>

* 1.10.4 version bumps

* Add security policy to repo (#1889)

* [+] add e2k64 arch (#1890)

* temp fix for ANDROID-56: crash inside newNetworkConfig from too many args

* 1.10.4 release notes

---------

Co-authored-by: travis laduke <travisladuke@gmail.com>
Co-authored-by: Grant Limberg <grant.limberg@zerotier.com>
Co-authored-by: Grant Limberg <glimberg@users.noreply.github.com>
Co-authored-by: Leonardo Amaral <leleobhz@users.noreply.github.com>
Co-authored-by: Brenton Bostick <bostick@gmail.com>
Co-authored-by: Sean OMeara <someara@users.noreply.github.com>
Co-authored-by: Joseph Henry <joseph-henry@users.noreply.github.com>
Co-authored-by: Roman Peshkichev <roman.peshkichev@gmail.com>
2023-03-07 16:50:34 -05:00
Grant Limberg
0ae09577f6
Client & Central Controller updates to support additonal OIDC features (#1848)
Client side:
* Fix compatibility with OneLogin
* Requested scopes vary by OIDC provider. Different providers have different

Controller side:
*Update Postgres queries to latest Central schema
* Added Central Controller support for the different providers
* Base OIDC provider details are still attached to an org. Client ID & group/email lists are now associated with individual networks.
2023-01-19 15:39:15 -08:00
Joseph Henry
39f3f5b2d9 User-configurable physical MTU for individual links
This patch allows users to specify the physical layer MTU for individual links
when in multipath mode. For example:

{
  "settings":
  {
    "defaultBondingPolicy": "custom-balance-xor",
    "policies":
    {
      "custom-balance-xor":
      {
        "basePolicy": "balance-xor",
        "failoverInterval": 5000,
        "links": {
          "weird_5g_link": { "mtu": 1300 },
          "enp5s0": { "mtu": 1400  }
        }
      }
    }
  }
}
2023-01-12 07:12:19 +01:00
Joseph Henry
eccc31a4b9 Add forced TCP relay mode
This patch implements a "TUNNELED" status indicator and "forceTcpRelay" setting for custom relays via local.conf.

For example:

{
  "settings":
  {
    "tcpFallbackRelay": "6.79.53.215/443",
    "forceTcpRelay":true
  }
}
2023-01-12 07:12:19 +01:00
Adam Ierymenko
ab503902c8
Merge pull request #1825 from zerotier/windows-allow-ping
enable ICMPv4 in windows firewall
2023-01-04 11:49:26 -05:00
travis laduke
4959d8079b enable ICMP in windows firewall 2022-12-21 15:38:46 -08:00
Joseph Henry
4100615cd6 Merge branch 'dev' into dev-low-bandwidth 2022-12-05 13:26:57 -08:00
Joseph Henry
3c9ea2b667
Add low-bandwidth mode 2022-12-05 13:21:05 -08:00
Brenton Bostick
5b5f9a069a fix typos 2022-12-05 11:29:21 -05:00
Joseph Henry
85c0322313
Fix TCP relay setting 2022-12-01 15:12:54 -08:00
Joseph Henry
880a99adf8
Minor edits to comments 2022-10-25 14:17:23 -07:00
Joseph Henry
3b11915eab Merge remote-tracking branch 'origin/expose-surface-addresses' into dev 2022-10-25 13:55:21 -07:00
travis laduke
82c799b9d1 Expose surface addresses in info json
Surface Addresses are the addresses that
the roots report back to you.

This is helpful for trouble shooting.

If you're behind NAT, the source port is different
than what zerotier is bound to.
If the list of surface address ports is larger than the list of
bound addresses, you are probably behind symmetric NAT.

Anways this can be added to later with a more simple
"easy" or "hard" nat computed message somewhere.
2022-10-25 11:25:21 -07:00
Joseph Henry
e1f60e3f83
Behavioral changes to multipath balance modes (See: #1745 and #1753) 2022-10-09 23:07:16 -07:00
Joseph Henry
bc521504ca
Improved multipath link monitoring 2022-09-20 14:27:34 -07:00
Joseph Henry
0797adf223
Improve output of bond list command 2022-09-16 13:43:34 -07:00
Joseph Henry
50e131a4ff
Partial fix for discrepancy between docs and implementation 2022-09-15 15:56:23 -07:00
Grant Limberg
d7030b6e9c
html & unicode -> svg for sso logo 2022-06-08 16:17:28 -07:00
Grant Limberg
e1ca3c995d
this should not be quoted 2022-06-08 09:26:37 -07:00
Grant Limberg
c329fab966
add isError to sso template variables 2022-05-16 09:25:36 -07:00
Grant Limberg
4c22793850
Embed default template in service 2022-05-13 16:18:34 -07:00
Grant Limberg
da74b9651c
Wire up inja for html template processing 2022-05-13 15:55:48 -07:00
Grant Limberg
c4df88354b
updates for macOS for inja support 2022-05-13 09:51:37 -07:00
Grant Limberg
b65c1ed3a0
Add inja
Requries update to C++17 standard
2022-05-13 09:34:15 -07:00
Grant Limberg
b329fb68a9
Cleanup rust-analyzer warnings 2022-05-12 21:04:16 -07:00
Grant Limberg
da179d9930
Clean up error flow for sso
error messages can now propagate to the user's browser
2022-05-12 17:00:43 -07:00
Grant Limberg
4151749dc9
Handle sso token exchange errors in zerotier client 2022-05-11 19:59:58 -07:00
Joseph Henry
55ec325961
Add localSocket to listpeers JSON output 2022-04-28 15:58:12 -07:00
Joseph Henry
caf1de3bcf
Allow TCP fallback when multipath is enabled 2022-04-28 11:12:04 -07:00
Joseph Henry
a9ad2924ac
Re-add user-configurable TCP fallback 2022-04-28 11:05:54 -07:00
Grant Limberg
1c464c2da1
fix potential cstring leaks 2022-04-15 09:16:02 -07:00
Grant Limberg
c2cfb4d1dc
remove stray #endif 2022-04-13 17:47:56 -07:00
Adam Ierymenko
f0b0172434
Merge branch 'master' into dev 2022-04-13 19:55:22 -04:00
Grant Limberg
23ef742e08
Fix for #1626
Port used for PortMapping was not properly randomized causing multiple clients on the same lan to request the same UPnP port, and not all routers handle this gracefully.

Also fixes issue where the portmapper wasn't started at all if a secondary port wasn't specified, or if the tertiary port was manually specified.
2022-04-13 13:53:42 -07:00
Joseph Henry
1294767b44 Fix ZT_SSO_SUPPORTED flag behavior. Allow disabling for embedded targets. 2022-04-13 10:05:49 -07:00
Joseph Henry
04b77773c4
Remove Synology-specific IP add block 2022-03-31 22:01:50 -07:00
Joseph Henry
6f4a69703b
Fix ZT_SSO_SUPPORTED flag behavior. Allow disabling for embedded targets. 2022-03-31 21:45:38 -07:00