ZeroTier One Network Virtualization Service ====== This is the common background service implementation for ZeroTier One, the VPN-like OS-level network virtualization service. It provides a ready-made core I/O loop and a local HTTP-based JSON control bus for controlling the service. This control bus HTTP server can also serve the files in ui/ if this folder's contents are installed in the ZeroTier home folder. The ui/ implements a React-based HTML5 user interface which is then wrappered for various platforms via MacGap, Windows .NET WebControl, etc. It can also be used locally from scripts or via *curl*. ### Network Virtualization Service API The JSON API supports GET, POST/PUT, and DELETE. PUT is treated as a synonym for POST. Other methods including HEAD are not supported. Values POSTed to the JSON API are *extremely* type sensitive. Things *must* be of the indicated type, otherwise they will be ignored or will generate an error. Anything quoted is a string so booleans and integers must lack quotes. Booleans must be *true* or *false* and nothing else. Integers cannot contain decimal points or they are floats (and vice versa). If something seems to be getting ignored or set to a strange value, or if you receive errors, check the type of all JSON fields you are submitting against the types listed below. Unrecognized fields in JSON objects are also ignored. API requests must be authenticated via an authentication token. ZeroTier One saves this token in the *authtoken.secret* file in its working directory. This token may be supplied via the *auth* URL parameter (e.g. '?auth=...') or via the *X-ZT1-Auth* HTTP request header. Static UI pages are the only thing the server will allow without authentication. A *jsonp* URL argument may be supplied to request JSONP encapsulation. A JSONP response is sent as a script with its JSON response payload wrapped in a call to the function name supplied as the argument to *jsonp*. #### /status * Purpose: Get running node status and addressing info * Methods: GET * Returns: { object }
FieldTypeDescriptionWritable
addressstring10-digit hexadecimal ZeroTier address of this nodeno
publicIdentitystringFull public ZeroTier identity of this nodeno
onlinebooleanDoes this node appear to have upstream network access?no
tcpFallbackActivebooleanIs TCP fallback mode active?no
versionMajorintegerZeroTier major versionno
versionMinorintegerZeroTier minor versionno
versionRevintegerZeroTier revisionno
versionstringVersion in major.minor.rev formatno
clockintegerNode system clock in ms since epochno
#### /config * Purpose: Get or set local configuration * Methods: GET, POST * Returns: { object } No local configuration options are exposed yet.
FieldTypeDescriptionWritable
#### /network * Purpose: Get all network memberships * Methods: GET * Returns: [ {object}, ... ] Getting /network returns an array of all networks that this node has joined. See below for network object format. #### /network/\ * Purpose: Get, join, or leave a network * Methods: GET, POST, DELETE * Returns: { object } To join a network, POST to it. Since networks have no mandatory writable parameters, POST data is optional and may be omitted. Example: POST to /network/8056c2e21c000001 to join the public "Earth" network. To leave a network, DELETE it e.g. DELETE /network/8056c2e21c000001. Most network settings are not writable, as they are defined by the network controller.
FieldTypeDescriptionWritable
nwidstring16-digit hex network IDno
macstringEthernet MAC address of virtual network portno
namestringNetwork short name as configured on network controllerno
statusstringNetwork status: OK, ACCESS_DENIED, PORT_ERROR, etc.no
typestringNetwork type, currently PUBLIC or PRIVATEno
mtuintegerEthernet MTUno
dhcpbooleanIf true, DHCP may be used to obtain an IP addressno
bridgebooleanIf true, this node may bridge in other Ethernet devicesno
broadcastEnabledbooleanIs Ethernet broadcast (ff:ff:ff:ff:ff:ff) allowed?no
portErrorintegerError code (if any) returned by underlying OS "tap" driverno
netconfRevisionintegerNetwork configuration revision IDno
multicastSubscriptions[string]Multicast memberships as array of MAC/ADI tuplesno
assignedAddresses[string]ZeroTier-managed IP address assignments as array of IP/netmask bits tuplesno
portDeviceNamestringOS-specific network device name (if available)no
#### /peer * Purpose: Get all peers * Methods: GET * Returns: [ {object}, ... ] Getting /peer returns an array of peer objects for all current peers. See below for peer object format. #### /peer/\ * Purpose: Get information about a peer * Methods: GET * Returns: { object }
FieldTypeDescriptionWritable
addressstring10-digit hex ZeroTier addressno
lastUnicastFrameintegerTime of last unicast frame in ms since epochno
lastMulticastFrameintegerTime of last multicast frame in ms since epochno
versionMajorintegerMajor version of remote if knownno
versionMinorintegerMinor version of remote if knownno
versionRevintegerRevision of remote if knownno
versionstringVersion in major.minor.rev formatno
latencyintegerLatency in milliseconds if knownno
rolestringLEAF, HUB, or SUPERNODEno
paths[object]Array of path objects (see below)no
Path objects describe direct physical paths to peer. If no path objects are listed, peer is only reachable via indirect relay fallback. Path object format is:
FieldTypeDescriptionWritable
addressstringPhysical socket address e.g. IP/port for UDPno
lastSendintegerLast send via this path in ms since epochno
lastReceiveintegerLast receive via this path in ms since epochno
fixedbooleanIf true, this is a statically-defined "fixed" pathno
preferredbooleanIf true, this is the current preferred pathno
### Network Controller API If ZeroTier One was built with *ZT\_ENABLE\_NETWORK\_CONTROLLER* defined, the following API paths are available. Otherwise these paths will return 404. #### /controller * Purpose: Check for controller function and return controller status * Methods: GET * Returns: { object }
FieldTypeDescriptionWritable
controllerbooleanAlways 'true' if controller is runningno
apiVersionintegerJSON API version, currently 1no
clockintegerController system clock in ms since epochno
#### /controller/network * Purpose: List all networks hosted by this controller * Methods: GET * Returns: [ string, ... ] This returns an array of 16-digit hexadecimal network IDs. Unlike /network under the top-level API, it does not dump full network information for all networks as this may be quite large for a large controller. #### /controller/network/\ * Purpose: Create, configure, and delete hosted networks * Methods: GET, POST, DELETE * Returns: { object } By making queries to this path you can create, configure, and delete networks. DELETE is final, so don't do it unless you really mean it. It's important to understand how network IDs work. The first ten digits (most significant 40 bits) of a network ID are the ZeroTier address of the controller. This is how clients find it. The last six digits (least significant 24 bits) are arbitrary and serve to identify the network uniquely on the controller. Thus a network's first ten digits *must* be the controller's address. If your controller is *deadbeef01*, then the networks it controls must have IDs like *deadbeef01feed02* or *deadbeef01beef03*. This API however *does not* enforce this requirement. It will allow you to add arbitrary network IDs, but they won't work since clients will never be able to find them. To create a new network with a random last six digits safely and atomically, you can POST to */controller/network/##########\_\_\_\_\_\_* where ########## is the controller's address and the underscores are as shown. This will pick a random unallocated network ID, which will be returned in the 'nwid' field of the returned JSON object.
FieldTypeDescriptionWritable
nwidstring16-digit hex network IDno
namestringShort network name (max: 127 chars)yes
privatebooleanFalse if public network, true for access controlyes
enableBroadcastbooleanTrue to allow Ethernet broadcast (ff:ff:ff:ff:ff:ff)yes
allowPassiveBridgingbooleanTrue to allow any member to bridge (experimental!)yes
v4AssignModestring'none', 'zt', or 'dhcp' (see below)yes
v6AssignModestring'none', 'zt', or 'dhcp' (see below)yes
multicastLimitintegerMaximum number of multicast recipients per multicast/broadcast addressyes
creationTimeintegerTime network was created in ms since epochno
revisionintegerNetwork config revision numberno
members[string]Array of ZeroTier addresses of network membersno
relays[object]Array of network-specific relay nodes (see below)yes
ipAssignmentPools[object]Array of IP auto-assignment pools for 'zt' assignment modeyes
rules[object]Array of network flow rules (see below)yes
The network member list includes both authorized and unauthorized members. DELETE unauthorized members to remove them from the list. Relays, IP assignment pools, and rules are edited via direct POSTs to the network object. New values replace all previous values. **Relay object format:** Relay objects define network-specific preferred relay nodes. Traffic to peers on this network will preferentially use these relays if they are available, and otherwise will fall back to the global supernode infrastructure.
FieldTypeDescription
addressstring10-digit ZeroTier address of relay node
phyAddressstringFixed path address in IP/port format e.g. 192.168.1.1/9993
**IP assignment pool object format:**
FieldTypeDescription
networkstringIP network e.g. 192.168.0.0
netmaskBitsintegerIP network netmask bits e.g. 16 for 255.255.0.0
**Rule object format:** * **Note**: at the moment, only rules specifying allowed Ethernet types are used. The database supports a richer rule set, but this is not implemented yet in the client. Other types of rules will have no effect (yet). Rules are matched in order of ruleId. If no rules match, the default action is 'drop'. To allow all traffic, create a single rule with all *null* fields and an action of 'accept'. Rule object fields can be *null*, in which case they are omitted from the object. A null field indicates "no match on this criteria." IP related fields apply only to Ethernet frames of type IPv4 or IPV6. Otherwise they are ignored.
FieldTypeDescription
ruleIdintegerUser-defined rule ID and sort order
nodeIdstring10-digit hex ZeroTier address of node (a.k.a. "port on switch")
vlanIdintegerEthernet VLAN ID
vlanPcpintegerEthernet VLAN priority code point (PCP) ID
etherTypeintegerEthernet frame type
macSourcestringEthernet source MAC address
macDeststringEthernet destination MAC address
ipSourcestringSource IP address
ipDeststringDestination IP address
ipTosintegerIP TOS field
ipProtocolintegerIP protocol
ipSourcePortintegerIP source port
ipDestPortintegerIP destination port
actionstringRule action: accept, drop, etc.
#### /controller/network/\/member/\ * Purpose: Create, authorize, or remove a network member * Methods: GET, POST, DELETE * Returns: { object }
FieldTypeDescriptionWritable
nwidstring16-digit hex network IDno
addressstring10-digit hex ZeroTier addressno
authorizedbooleanIs member authorized?yes
activeBridgebooleanThis member is an active network bridgeyes
lastAtstringSocket address (e.g. IP/port) where member was last seenno
lastSeenintegerTimestamp of member's last request in ms since epochno
firstSeenintegerTimestamp member was first seen in ms since epochno
identitystringFull ZeroTier identity of memberno
ipAssignments[string]Array of IP/bits IP assignmentsyes