Changing Listening ports

I understand from FAQ | ZeroTier Documentation
that ZeroTier will need to be accessible via TCP port 9993 for the UI and CLI to interact.

From sudo netstat -antp I can also see:

Active Internet connections (servers and established)
Proto Recv-Q Send-Q  Local Address   Foreign Address    State   PID/Program name 
tcp        0      0  0.0.0.0:9993    0.0.0.0:*          LISTEN  559/zerotier-one

which suggests the zerotier-one client is listening for external tcp connections on 9993.

I am changing port 9993 to another port (eg 5235).
I can easily change my router and my Linux machines.
However there appears to be no way to change my android phones.

Two questions:

  1. if I change my listening port, do ZT’s network controllers know to interact with the new listening port?
  2. Does it matter that different devices in one ZT network have different listening ports?

(Why is this important:
When a vulnerability is eventually found in ZT, and shodan logs all machines with 9993 open
the disaster should be less serious for clients using different ports. )

ZeroTier can be run on just about any port. The port is not configurable on iOS or Android though.

Thanks for the reply Grant.

I do understand that ZT can be run on almost any port, and that on Android it is not configurable.

However my two questions are:

  1. If I change my listening port,
    do ZT’s network controllers know to interact with the new listening port?
    (ie what friction gets created)

  2. Does it matter that different devices in one ZT network have different listening ports?

As there is no documentation on how ports actually work
(other than “need to be accessible via TCP port 9993 for the UI and CLI to interact”)

Grateful if you could ask the Port Master to provide guidance.

The TCP port is only for the control plane (zerotier-cli, REST API).

UDP is used for node-to-node communication. The port(s) in use are sent to the root servers so that other nodes know which port to contact you at.

See: What ports does ZeroTier use?

Ah, thank you, that is the key missing information!

So now, let me summarise the whole picture for others looking for the same information:

1. Zerotier listening port can be changed from 9993 on routers & laptops/desktops/servers/VMs
(“devices”) though not on Android or iOS.

2. When the listening port for a device is changed, the new port used is
sent to the root servers which will notify other nodes
(presumably in your network only).

3. A consequence of this is that nodes can use different listening ports,
so the fact that the Android/iOS port cannot be changed won’t cause problems in a mixed network.

4. To change the listening port in Linux, edit (or create if not there) the file:
/var/lib/zerotier-one/local.conf
with the following lines, for (say) port 4745:

	{
		"settings": {
			"primaryPort": "4745"
		}
	}

5. If you change your listening port to (say) 4745 you need to allow UDP traffic on this port 4745
through your firewalls.

(TCP traffic is for local comms between the UI/CLI and the Zerotier-One service only,
so not usually impacted by firewalls).

Please let me know of any errors in the above and/or of anything unclear.

One question outstanding:

If you change ports,
do you have to allow traffic to this port from ‘anywhere’
rather than just from your ZeroTier IP space,
as you need to be contactable by the Network Controllers?

If the controllers just reply to your queries, then this will not be necessary
and you can just allow in traffic to this port from your ZeroTier IP space - more secure.

Kindly allow me to ‘bump’ this.

My device firewalls (UFW) are currently blocking about 90% of zerotier traffic
(mostly because it is coming in on random ports), though zerotier still works.

If I could get an answer on the address space question above,
that would enable me to improve things and maintain security at the same time.