Commit Graph

1764 Commits

Author SHA1 Message Date
Adam Ierymenko
bf193dd3cf VERSION 1.0.4: Stability, LAN, and NAT traversal improvements
ZeroTier One version 1.0.4 brings several improvements to stability,
connectivity between hosts on the same LAN, and NAT traversal.

Direct connectivity improvements:

 - ZeroTier One now opens port mappings using uPnP and/or NAT-PMP
   if they are available on your network. These are then made
   available to other (1.0.4 or newer) nodes. This should greatly
   improve direct connectivity success rates for users on networks
   that support port mapping. To build with this option, you must
   include ZT_USE_MINIUPNPC=1 on the make path. Pre-build binaries
   are included for many common architectures to make this easier.

 - A new message has been introduced whereby nodes can "push" IP
   address suggestions to other nodes. This is only done to nodes
   with whom you have a trust relationship, which right now means
   they are members of a network you've joined. The IP addresses
   sent include local interface addresses and possibly uPnP mappings
   if any are available. When nodes receive pushed IPs, they can
   attempt connectivity at these addresses. This greatly improves
   connectivity on local LANs, since the old broadcast mechanism
   proved too unreliable under many real world scenarios.

 - IPv6 addresses are also "pushed" via the aforementioned message,
   allowing direct connectivity over IPv6 if both hosts have an
   IPv6 address.

 - Some of the aggressive port-scanning NAT-t behavior has been
   removed, since this occasionally triggered intrusion alarms on
   some networks and proved ineffective in the field. uPnP will be
   a much bigger win, and is less "hacky."

 - The rate of (tiny) UDP keepalive packet generation was slightly
   increased. We were as surprised as you to learn that there are
   many NAT routers in the wild with timeouts as short as 20 seconds
   even though the RFC stipulates that they should be no shorter
   than two minutes (120 seconds).

All of these connectivity improvements rely upon a new message
introduced with 1.0.4, so they'll only work between 1.0.4 nodes.
Older methods of connectivity establishment will continue to work
with earlier versions.

Platform-specific improvements:

 - Many improvements have been made to Windows support and stability.
   The NDIS6 driver is now used exclusively. If you have ports that
   use NDIS5, these will automatically be re-created using the NDIS6
   driver. You may see a "select this network's type" notification
   after 1.0.4 upgrade for this reason.

 - The dependency on the external "devcon.exe" binary on Windows has
   been completely removed in favor of internal direct calls to the
   Windows setup API to add and remove network ports. These are done
   via dynamically loaded instances of the system setup DLLs to use
   the most recent setup API code on your system for improved
   compatibility.

 - This version is tested with Windows 10 release, and was confirmed
   to work on a clean install.

 - The ARM32/Raspbian build is now back to using Debian Wheezy for
   library backward compatibility (binary build only).

 - The Mac icon is now a bit smaller to look better in the dock.

 - The ui/ subfolder is now distributed with the Linux binary installer
   and packages. This means Linux users can navigate to the UI at
   http://127.0.0.1:9993/ and enter their authtoken.secret to use
   the GUI locally. (This port could also be accessed via SSH port
   forwarding or other mechanisms to administrate graphically from a
   remote system.)

Other improvements:

 - The new beta SQLite-backed controller microservice found in
   controller/ and built with the ZT_ENABLE_NETWORK_CONTROLLER=1 make
   option is now in a much more "working" state. Feel free to give
   it a try! If you tried it before, delete controller.db before
   starting the new version.

 - A few tweaks were made to the path selection logic in the hope of
   eliminating some flaky network behavior reported by users.

The next version of ZeroTier One will focus on performance and memory
footprint reduction, and may also include perfect forward security/secrecy
(a.k.a. PFS) once our design is finalized and reviewed.
2015-07-31 11:33:52 -07:00
Adam Ierymenko
facb009a1d Add security notice to auto-update info in -h output, and fix a missing paren. 2015-07-31 09:50:55 -07:00
Adam Ierymenko
8d09c37140 Remove a bit of redundant logic, and also announce MULTICAST_LIKEs to controllers (for future use). 2015-07-31 09:37:13 -07:00
Adam Ierymenko
f6ced547be Dead code removal. 2015-07-31 08:56:31 -07:00
Adam Ierymenko
c826cec1d4 Bring back _winPokeAHole() to dynamically allocate firewall exception. Shouldn't be needed but seems to help on Windows 8. 2015-07-30 17:52:35 -07:00
Adam Ierymenko
620562f7cf Because Windows, because Windows. Now it upgrades correctly from 1.0.1, including automatic driver update from NDIS5 to NDIS6. Also a bit more robust on creating new ports, just in case. 2015-07-30 17:00:57 -07:00
Adam Ierymenko
922d9657b9 Save enumeration of statically assigned IPs so they will always be reassigned on device "power cycle." 2015-07-30 14:10:32 -07:00
Adam Ierymenko
499b2dccad 1.0.4 installer GUID 2015-07-30 13:30:10 -07:00
Adam Ierymenko
1e3d5c4d87 Suppress icacls output on lockDownFile(). 2015-07-30 12:05:56 -07:00
Adam Ierymenko
6f46f0e0e1 Because Windows. 2015-07-30 11:57:48 -07:00
Adam Ierymenko
8169b35482 Kill the devcon.exe dependency by dynamically loading cfgmgr32, newdev, and setupapi and using these functions directly. 2015-07-30 11:31:38 -07:00
Adam Ierymenko
7cd3c419ee 1.0.4 release installer changes 2015-07-29 16:17:52 -07:00
Adam Ierymenko
fa03d50e90 Rebuild Mac UI wrapper with smaller icon and a small UI fix. 2015-07-29 15:58:16 -07:00
Adam Ierymenko
0dff741310 Add border around Mac icon so it looks better in Finder. 2015-07-29 15:53:05 -07:00
Adam Ierymenko
fcc5bf1e66 Go ahead and spec out controller DB support for AuthToken -- GitHub issue #211 -- even though full implementation won't make it into 1.0.4. 2015-07-29 15:09:23 -07:00
Adam Ierymenko
7578b56298 docs 2015-07-28 17:22:59 -07:00
Adam Ierymenko
2599b1bacc Add CLI support for /explicit/urls (automatically outputs JSON in this case), and some cleanup. 2015-07-28 17:10:56 -07:00
Adam Ierymenko
e3983f8a57 Get rid of -I on Mac and Linux since we include miniupnpc headers by direct path reference. 2015-07-28 16:51:46 -07:00
Adam Ierymenko
14264c2d6f Add miniupnpc builds for Windows, fix some Windows build warnings. 2015-07-28 16:50:18 -07:00
Adam Ierymenko
3c54187c40 Linux x86 libminiupnpc.a 2015-07-28 15:56:37 -07:00
Adam Ierymenko
7df4eb69b5 Linux x64 libminiupnpc.a 2015-07-24 17:49:56 -07:00
Adam Ierymenko
559e384130 Linux make support for libminiupnpc. 2015-07-28 15:37:18 -07:00
Adam Ierymenko
ebe5c526bb libminiupnpc.a for arm6l 2015-07-28 15:05:04 -07:00
Adam Ierymenko
5097aae716 Add miniupnpc to third party libs. 2015-07-28 14:50:24 -07:00
Adam Ierymenko
569c5e77fd Add binary build of libminiupnpc for Mac x64. 2015-07-28 14:48:26 -07:00
Adam Ierymenko
9c87decba6 Merge branch 'adamierymenko-dev' of http://git.int.zerotier.com/zerotier/zerotierone into adamierymenko-dev 2015-07-28 14:32:46 -07:00
Adam Ierymenko
fe6d5b1402 UPNP/NAT-PMP support with libminiupnpc (if built with it) -- GitHub issue #64 2015-07-28 14:32:02 -07:00
Adam Ierymenko
eea8d58afa docs,cleanup 2015-07-28 12:39:03 -07:00
Adam Ierymenko
21e6850722 Cancel NAT-t attempts if peer is no longer "alive" 2015-07-28 12:18:59 -07:00
Adam Ierymenko
5986d83738 Kill more kittens. 2015-07-28 12:04:14 -07:00
Adam Ierymenko
4564dd95ff Revert... no luck with any of that. 2015-07-28 12:00:50 -07:00
Adam Ierymenko
d2bfdfa6e7 Play with NAT-t tweaks some more. 2015-07-28 11:57:18 -07:00
Adam Ierymenko
b69afa010e Disable type punning on ARM by ifdef. 2015-07-28 11:50:01 -07:00
Adam Ierymenko
708aac1ea7 Remove some left over debug code, and fix attempt to send to self if we are an active bridge. 2015-07-28 11:43:09 -07:00
Adam Ierymenko
17bfd4d55e Add TRACE for NAT-t debugging. 2015-07-28 11:32:34 -07:00
Adam Ierymenko
b31071463c Try another NAT traversal improvement. 2015-07-28 11:28:47 -07:00
Adam Ierymenko
dda376c9eb Nuke some abandoned code. 2015-07-28 11:16:43 -07:00
Adam Ierymenko
40d5c79b62 Enable SO_NO_CHECK if available to skip UDP checksum on packet send for slight performance improvement. We do our own cryptographically secure authentication so UDP checksum is worthless. 2015-07-28 10:29:25 -07:00
Adam Ierymenko
1537109514 Merge branch 'master' into adamierymenko-dev 2015-07-28 09:40:54 -07:00
Adam Ierymenko
66c74f0ad9 Merge pull request #215 from nelsonjchen/patch-2
Update Application Mac Menu. Small MacGap leftover.
2015-07-28 09:39:42 -07:00
Adam Ierymenko
821f1f366e Fix to NAT escalation sequence. 2015-07-27 17:34:58 -07:00
Adam Ierymenko
e99eda4a4a Fix IP scoping bug, and disable remotely reported surface push... not helping. :( 2015-07-27 17:28:13 -07:00
Adam Ierymenko
fadb291962 Fix infinite loop typo. 2015-07-27 17:14:49 -07:00
Adam Ierymenko
f0003ea922 Push remote surface as reported by peers along with known interface direct paths to assist with (some) NAT traversal. (trying this, may back out if not effective) 2015-07-27 17:02:43 -07:00
Adam Ierymenko
e30ba3e138 Eliminate some aggressive port scanning NAT-t behavior that has proven ineffective. 2015-07-27 16:43:27 -07:00
Adam Ierymenko
7a15d8a7e3 Fix leaving of networks to actually call Network::destroy(). 2015-07-24 14:50:44 -07:00
Adam Ierymenko
dba91eaa09 Apply same Linux compiler-picker logic to Mac. 2015-07-24 13:17:41 -07:00
Adam Ierymenko
d57ea671d7 Add version to log. 2015-07-24 09:59:17 -07:00
Adam Ierymenko
d647a587a1 (1) Fix updating of network revision counter on member change.
(2) Go back to timestamp as certificate revision number. This is simpler
    and more robust than using the network revision number for this and
    forcing network revision fast-forward, which could cause some peers
    to fall off the horizon when you don't want them to.
2015-07-23 17:18:20 -07:00
Adam Ierymenko
a493fc23f4 Fix for make-linux: detect whether CC/CXX were explicitly overridden, and if not then use the gcc/clang selection logic. Otherwise ?= breaks this. 2015-07-23 13:05:18 -07:00