Can Zerotier block network IPs?

I had a problem with ZeroTier not connecting from any of my servers located at server4you (GoDaddy). It was working perfectly up until a few weeks ago, then nothing.
What I found is this: I can’t ping any of these root servers:
https://zerotier.atlassian.net/wiki/spaces/SD/pages/7241732/Root+Server+IP+Addresses

Server4you says that “we don’t block anything…ask to Zerotier”.

So I’m here asking: can the root servers of ZeroTier ban/block some range of network IPs (92.204.40.0 - 92.204.41.255 in my case)?

Thank you.

Best,
Alessandro

We do not block any traffic at our root servers.

Thank you for the quick reply.

This is the reply from my provider

I have just checked and found out that the server Zerotier shows as filtered through the IP address that it resolves to

Here is the Nmap report:

malta21088:~# nmap 104.194.8.134 -Pn -p 22
Starting Nmap 7.70 ( https://nmap.org ) at 2024-04-04 21:04 CEST
Stats: 0:00:01 elapsed; 0 hosts completed (1 up), 1 undergoing SYN Stealth Scan
SYN Stealth Scan Timing: About 50.00% done; ETC: 21:04 (0:00:01 remaining)
Stats: 0:00:02 elapsed; 0 hosts completed (1 up), 1 undergoing SYN Stealth Scan
SYN Stealth Scan Timing: About 99.99% done; ETC: 21:04 (0:00:00 remaining)
Nmap scan report for 104.194.8.134
Host is up.

PORT   STATE    SERVICE
22/tcp filtered ssh

Nmap done: 1 IP address (1 host up) scanned in 2.13 seconds

Also, please send the support team of ZeroTier the following information as well, to show them that it appears that the issue is from their network:

malta21088:~# mtr -r -c 10 104.194.8.134
Start: 2024-04-04T21:08:36+0200
HOST: malta21088                   Loss%   Snt   Last   Avg  Best  Wrst StDev
  1.|-- static-ip-92-204-40-2.ina   0.0%    10    0.4   1.4   0.3   6.0   1.9
  2.|-- 92.204.12.16                0.0%    10    0.4   0.5   0.3   0.7   0.1
  3.|-- ???                        100.0    10    0.0   0.0   0.0   0.0   0.0

As I can see also the server is reachable around the world from all places so the issue is definitely not from our side

Best Regards,
Petar Hristov

There’s something between you & the root that is doing that.

NMap from where I’m currently sitting:

$ nmap 104.194.8.134 -Pn -p 22
Starting Nmap 7.94 ( https://nmap.org ) at 2024-04-04 13:56 PDT
Nmap scan report for 104.194.8.134
Host is up (0.0055s latency).

PORT   STATE SERVICE
22/tcp open  ssh

Nmap done: 1 IP address (1 host up) scanned in 0.02 seconds

As I said before, we do no blocking or filtering of traffic at the roots.

Thanks again for your reply.
It’s the same thing I told the provider, which is now investigating with the network provider (GoDaddy).
Also, from my internet at home the ssh port is open and the root servers are pingable.
I’ll keep you posted just in case it happens to someone else.

Best,
Alessandro

We’ve since had a few more customer reports and we did some digging. We went through support channels at GoDaddy and finally got this as a response:

I have received word back from the department which controls the networking, and they have advised to let you know that the traffic is blocked on our network intentionally and we do not support the use of ZeroTier at this time.

So there’s your answer.

Thank you for your update.

So we can confirm and affirm that “GoDaddy network intentionally blocks ZeroTier and does not support the use of ZeroTier”, at this time of course.

I would open a chapter in the ZeroTier documentation regarding providers that block ZeroTier.
I respect the decision of GoDaddy and I’m totally disappointed regarding their decision.

I’m not sure if it was identified if they’re blocking based on IP, port, or DPI.

  • If it’s port on the host side, you can maybe get it working by changing the primary port to something that is generally allowed and not rate limited (e.g. 1194/OpenVPN, 51820/WireGuard, 443/QUIC, etc…). You can use UDP iPerf tests to help identify that. If it’s the port on the root side (which is more likely), this wouldn’t work.
  • If it’s IP (or the port towards the roots is blocked), you can host a private root elsewhere, and use that to traverse the root tree so hosts can talk. This won’t be possible for hosts that are smartphones since they can’t orbit private roots.
  • If it’s DPI, then things would start to get a little complex and there’s not really a good solution. You’d need to encapsulate the traffic to a private root using something that they wouldn’t block (maybe WireGuard or OpenVPN). And all traffic would be relayed via the private root. This would mean you would need to have the overhead of both ZeroTier, and another solution and account for the decrease in the MTU. Probably not worth it at that point.
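The IP / port / DPI question can be narrowed using the probes already quoted in this thread. The following is an added example, not code from any poster or from ZeroTier: it parses the nmap and mtr output quoted earlier and applies a hypothetical triage rule (the function names are assumptions), namely that a filtered non-ZeroTier port plus unanswered ICMP toward the same address points at address-level filtering rather than port matching or DPI.

```python
import re

# Output quoted in the thread: the affected server and an outside vantage point.
NMAP_AFFECTED = """Nmap scan report for 104.194.8.134
Host is up.
PORT STATE SERVICE
22/tcp filtered ssh
"""
NMAP_OUTSIDE = """Nmap scan report for 104.194.8.134
Host is up (0.0055s latency).
PORT   STATE SERVICE
22/tcp open  ssh
"""
MTR_AFFECTED = """HOST: malta21088 Loss% Snt Last Avg Best Wrst StDev
1.|-- static-ip-92-204-40-2.ina 0.0% 10 0.4 1.4 0.3 6.0 1.9
2.|-- 92.204.12.16 0.0% 10 0.4 0.5 0.3 0.7 0.1
3.|-- ??? 100.0 10 0.0 0.0 0.0 0.0 0.0
"""

def port_states(nmap_text):
    """Map 'port/proto' -> state from nmap's PORT/STATE/SERVICE table."""
    rows = re.finditer(r"^(\d+/(?:tcp|udp))\s+(\S+)\s+\S+", nmap_text, re.M)
    return {m.group(1): m.group(2) for m in rows}

def mtr_hops(mtr_text):
    """Return [(hop, host, loss_percent), ...] from an `mtr -r` report."""
    rows = re.finditer(r"^\s*(\d+)\.\|--\s+(\S+)\s+([\d.]+)%?\s", mtr_text, re.M)
    return [(int(m.group(1)), m.group(2), float(m.group(3))) for m in rows]

def classify(affected_nmap, outside_nmap, mtr_text, port="22/tcp"):
    """Hypothetical triage rule: compare one port from two vantage points."""
    inside = port_states(affected_nmap).get(port)
    outside = port_states(outside_nmap).get(port)
    if outside != "open":
        return "inconclusive: port is not open from the outside vantage point"
    if inside == "open":
        return "no filtering seen on this port"
    hops = mtr_hops(mtr_text)
    answering = [h for h in hops if h[2] < 100.0]
    # Only the final row matters: loss at a middle hop is often ICMP rate limiting.
    if hops and hops[-1][2] >= 100.0 and answering:
        hop, host, _ = answering[-1]
        return f"address-level: {port} filtered and ICMP unanswered past hop {hop} ({host})"
    return "port- or payload-specific: probe other ports before concluding"

if __name__ == "__main__":
    print(classify(NMAP_AFFECTED, NMAP_OUTSIDE, MTR_AFFECTED))
```

The same functions accept fresh output from `nmap <addr> -Pn -p <port>` and `mtr -r -c 10 <addr>` run on the affected host and on a host outside the provider's network.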