If one were running a ZeroTier client behind a strict implicit-deny-any-outbound firewall, what domains/IPs/ports/protocols would have to be allowed for initial connection to the peering services?
I understand that outbound UDP 9993 would be necessary, but if the node can’t even reach ZeroTier central, that’s not as relevant.
Is there a list of domains/IPs that would have to be explicitly allowed for operation?
The absolute bare minimum is our root servers. Those can be found here: Root Server IP Addresses. If you only allow these, you’ll likely have some network connectivity issues as other peers won’t be able to communicate directly with yours (or yours with others). You’ll also have to allow inbound UDP packets from those servers or you’ll never receive a reply from them.
Our hosted network controllers for Central are not at static addresses and listen on non standard ports. If you’re using Central to manage your networks, you may have trouble communicating with the network controllers in your configuration.
We recommend allowing bi-directional communication on 9993/UDP to any host. Any and all traffic over ZeroTier is authenticated & encrypted. Any traffic that’s not supposed to be there is simply dropped by ZeroTier.
Thanks!
Since these systems are behind a NAT’d firewall, the hope is that UDP holepunching will allow for the return traffic… We are trying to avoid port forwards for the inbound UDP. We’ve architected this particular network to have many NAT’d systems all reaching out to a non-NAT’d bastion of sorts… So at least one side of the conversation will not be behind a NAT.
With that said, if we allow outbound to those root servers, do you expect we should be ok?
If you’re only allowing outbound to the root servers, you won’t get direct peer to peer communication with anything that’s not behind your firewall, including network controllers.
Ah, of course, that makes sense… We’re already allowing outbound to anywhere over UDP 9993. I was just wanting to be sure that it wouldn’t also require HTTPS API access to ZT central or anything like that.
No. It doesn’t require outbound HTTP(S). You’ll only need HTTPS on machines you need to access Central for network config management.