ZeroTier One version 1.0.4 brings several improvements to stability,
connectivity between hosts on the same LAN, and NAT traversal.

Direct connectivity improvements:
- ZeroTier One now opens port mappings using uPnP and/or NAT-PMP
if they are available on your network. These are then made
available to other (1.0.4 or newer) nodes. This should greatly
improve direct connectivity success rates for users on networks
that support port mapping. To build with this option, you must
pass ZT_USE_MINIUPNPC=1 on the make command line. Pre-built binaries
are included for many common architectures to make this easier.
- A new message has been introduced whereby nodes can "push" IP
address suggestions to other nodes. This is only done to nodes
with whom you have a trust relationship, which right now means
they are members of a network you've joined. The IP addresses
sent include local interface addresses and possibly uPnP mappings
if any are available. When nodes receive pushed IPs, they can
attempt connectivity at these addresses. This greatly improves
connectivity on local LANs, since the old broadcast mechanism
proved too unreliable under many real world scenarios.
- IPv6 addresses are also "pushed" via the aforementioned message,
allowing direct connectivity over IPv6 if both hosts have an
IPv6 address.
- Some of the aggressive port-scanning NAT-t behavior has been
removed, since this occasionally triggered intrusion alarms on
some networks and proved ineffective in the field. uPnP will be
a much bigger win, and is less "hacky."
- The rate of (tiny) UDP keepalive packet generation was slightly
increased. We were as surprised as you to learn that there are
many NAT routers in the wild with timeouts as short as 20 seconds
even though the RFC stipulates that they should be no shorter
than two minutes (120 seconds).

All of these connectivity improvements rely upon a new message
introduced with 1.0.4, so they'll only work between 1.0.4 nodes.
Older methods of connectivity establishment will continue to work
with earlier versions.

Platform-specific improvements:
- Many improvements have been made to Windows support and stability.
The NDIS6 driver is now used exclusively. If you have ports that
use NDIS5, these will automatically be re-created using the NDIS6
driver. You may see a "select this network's type" notification
after 1.0.4 upgrade for this reason.
- The dependency on the external "devcon.exe" binary on Windows has
been completely removed in favor of internal direct calls to the
Windows setup API to add and remove network ports. These are done
via dynamically loaded instances of the system setup DLLs to use
the most recent setup API code on your system for improved
compatibility.
- This version is tested with Windows 10 release, and was confirmed
to work on a clean install.
- The ARM32/Raspbian build is now back to using Debian Wheezy for
library backward compatibility (binary build only).
- The Mac icon is now a bit smaller to look better in the dock.
- The ui/ subfolder is now distributed with the Linux binary installer
and packages. This means Linux users can navigate to the UI at
http://127.0.0.1:9993/ and enter their authtoken.secret to use
the GUI locally. (This port could also be accessed via SSH port
forwarding or other mechanisms to administrate graphically from a
remote system.)
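Because the UI port carries the node's administrative interface, the two things worth checking after installing the ui/ subfolder are that port 9993 is bound to loopback only and that authtoken.secret is not readable by other local users. The following checks are an added example written for these notes, not ZeroTier's own code. They assume the Linux default home directory /var/lib/zerotier-one (override with ZT_HOME), that `ss` or `netstat` is available, and that the listener list is given one "ADDR:PORT" entry per line as those tools print it.

```shell
#!/bin/sh
# Added example for the 1.0.4 UI notes; not part of ZeroTier One.
# Assumptions: service listens on TCP 9993, token lives under ZT_HOME.
ZT_HOME="${ZT_HOME:-/var/lib/zerotier-one}"
ZT_PORT="${ZT_PORT:-9993}"

# Constructed sample of the local-address column of `ss -ltn`, used for
# illustration only: the second entry exposes the UI port to the network.
SAMPLE_LISTENERS="127.0.0.1:9993
0.0.0.0:9993"

# listener_is_loopback_only LISTENERS PORT
# LISTENERS holds "ADDR:PORT" entries, one per line (e.g. the output of
# `ss -ltn | awk 'NR>1 {print $4}'`). Returns 0 only if at least one entry
# is on PORT and every entry on PORT is bound to a loopback address.
# A 0.0.0.0, [::] or * binding means the UI (and the JSON API behind it)
# is reachable from other hosts rather than just via SSH forwarding.
listener_is_loopback_only() {
    listeners="$1"
    port="$2"
    found=0
    for entry in $listeners; do
        case "$entry" in
            *:"$port") ;;
            *) continue ;;
        esac
        found=1
        case "$entry" in
            127.*:"$port"|\[::1\]:"$port"|::1:"$port") ;;
            *) return 1 ;;
        esac
    done
    [ "$found" -eq 1 ]
}

# token_mode_ok FILE
# Returns 0 only if FILE is a regular file whose group and other permission
# bits are all clear (600, 400, 700 and so on). Anyone who can read the
# token can drive the service through the local UI/API.
token_mode_ok() {
    f="$1"
    [ -f "$f" ] || return 1
    # GNU stat first, BSD/macOS stat as fallback.
    mode=$(stat -c %a "$f" 2>/dev/null || stat -f %Lp "$f" 2>/dev/null) || return 1
    # Keep only the last three digits (drops a leading setuid/setgid/sticky digit).
    mode=$(printf '%s' "$mode" | sed 's/.*\(...\)$/\1/')
    case "$mode" in
        *00) return 0 ;;
        *) return 1 ;;
    esac
}

main() {
    # Demonstrate the check on the constructed sample before the live system.
    if listener_is_loopback_only "$SAMPLE_LISTENERS" "$ZT_PORT"; then
        echo "sample: loopback only"
    else
        echo "sample: WARN, port $ZT_PORT exposed beyond loopback (expected for the sample)"
    fi
    # Live listeners: whichever of ss/netstat exists; awk keeps the pipeline's status at 0.
    live=$( (ss -ltn 2>/dev/null || netstat -ltn 2>/dev/null) | awk 'NR>1 {print $4}')
    if listener_is_loopback_only "$live" "$ZT_PORT"; then
        echo "ok: port $ZT_PORT listens on loopback only"
    else
        echo "WARN: port $ZT_PORT is not listening, or is bound beyond loopback"
    fi
    if token_mode_ok "$ZT_HOME/authtoken.secret"; then
        echo "ok: authtoken.secret is owner-only"
    else
        echo "WARN: authtoken.secret missing or readable by group/others"
    fi
    # Remote graphical administration, as the notes suggest, without exposing
    # the port:  ssh -L 9993:127.0.0.1:9993 user@host  then open http://127.0.0.1:9993/
}

main
```

Run it on the host after the upgrade; a WARN on the listener line means the UI is reachable from other machines and should be fronted by SSH forwarding instead, while a WARN on the token line means tightening the file mode to 600 before anyone else on the box can pick it up.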

Other improvements:
- The new beta SQLite-backed controller microservice found in
controller/ and built with the ZT_ENABLE_NETWORK_CONTROLLER=1 make
option is now in a much more "working" state. Feel free to give
it a try! If you tried it before, delete controller.db before
starting the new version.
- A few tweaks were made to the path selection logic in the hope of
eliminating some flaky network behavior reported by users.

The next version of ZeroTier One will focus on performance and memory
footprint reduction, and may also include perfect forward security/secrecy
(a.k.a. PFS) once our design is finalized and reviewed.

(2) Go back to timestamp as certificate revision number. This is simpler
and more robust than using the network revision number for this and
forcing network revision fast-forward, which could cause some peers
to fall off the horizon when you don't want them to.