Hello all,
New ZeroTier user here and very impressed. I tried WireGuard, Cloudflare Tunnels and Tailscale and wanted to give ZT a try.
I have a homelab and am self-hosting a PhotoPrism instance.
I set up a small VPS instance with Caddy and connected the VPS and my homelab on ZT with ease.
Caddy reverse proxies to my homelab via the ZT IP:
http://<ZT_INTERNAL_IP>:2342
So all good. However, I started to worry about what happens if the public-facing server is compromised, which had me wondering about the flow rules. I have other services on that particular server.
Question:
Can I create a flow rule from ZT (server) that only allows access to ZT (homelab) on one specific port, e.g. 2342 in my instance?
Should I have the traffic between ZT nodes using TLS/HTTPS, e.g. set up a second reverse proxy?
This is my first time using a VPS in this way; usually I reverse proxy to localhost apps within Docker containers. Please let me know if I am overthinking it or if I should take these additional, or any other, steps.
You can definitely filter that traffic. With ZeroTier, you can filter on source/destination based on the ZT address, IP address, and MAC address (currently broken, I believe). You can do something like the options below. They will allow the traffic you specify and block everything else to it. Keep in mind, the flow engine isn't stateful, so this will also impact the ability of the homelab host to communicate outbound on your ZT network. You may need to account for that if necessary.
# Option 1: match the homelab host by its managed ZT IP address.
accept
ipdest 10.100.200.111/32 and dport 2342
;
drop
ipdest 10.100.200.111/32
;
# Option 2: match the homelab host by its 10-digit ZeroTier node address.
accept
ztdest 0123456789 and dport 2342
;
drop
ztdest 0123456789
;
There’s a number of typical reasons to use a reverse proxy. Ultimately, whether you want to do this is based on your own security posture:
Confidentiality of HTTP traffic - Since ZeroTier is encrypting the traffic, you don't have to worry about that.
Providing a signed certificate - ZeroTier wouldn't handle this. This is typically something that is more important for users of the service, as it helps to mitigate man-in-the-middle attacks.
Limiting exposed ports - You can access everything on port 443 using subdomains or subfolders. Obviously, ZeroTier won't handle this, but you can have everything under its own ZT IP, so you don't have the same constraints as with a single public IP.
Reverse proxies are generally not used for traffic accessed inside a VPN, but that's not to say you can't do it. You'll have to evaluate your threat surface and see if it makes sense for you.
One last note: the flow engine will allow/block access within the ZeroTier network, but it won't modify anything on your underlay network. So if you already have the service exposed to the internet on a public IP, that will remain. You'll have to handle that separately via a host- or network-based firewall.
There are some examples on the docs site.
Remember, you can use iptables on your ZeroTier interfaces and addresses. Sometimes that works out easier than using rules.
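As an added example (not from any of the posts above), here is a fuller rule set for the homelab host that deals with the "not stateful" caveat in the reply: it first accepts TCP segments that already carry the ACK flag, so replies to connections the homelab opened itself are let through; then it accepts TCP to port 2342 only; then it drops everything else addressed to that host; and it ends with the bare accept; that a ZeroTier rule set needs, since the engine's default is drop and rules are evaluated first match wins. The address 10.100.200.111 is the placeholder from the reply, standing in for the homelab's managed ZT IP.

```text
# Added example, not from the original thread. 10.100.200.111 is assumed to be
# the managed ZT IP of the homelab host running PhotoPrism on TCP 2342.

# 1. Let replies to connections the homelab opened itself come back in.
#    The flow engine is not stateful, so this is a TCP-flag heuristic rather
#    than connection tracking: any segment with ACK set is treated as part of
#    an existing connection.
accept
	ipdest 10.100.200.111/32
	and ipprotocol tcp
	and chr tcp_ack
;

# 2. TCP to the PhotoPrism port. New connections (SYN without ACK) from the
#    VPS reverse proxy land here.
accept
	ipdest 10.100.200.111/32
	and ipprotocol tcp
	and dport 2342
;

# 3. Anything else addressed to the homelab host is dropped: other TCP ports,
#    and also UDP and ICMP, so ping and UDP replies to the homelab are cut off.
drop
	ipdest 10.100.200.111/32
;

# 4. Traffic between all other members is unaffected. This trailing accept is
#    required because an unmatched packet is dropped by default.
accept;
```

Two caveats when using this. Because rule 1 trusts a flag rather than connection state, a compromised VPS could still send ACK-flagged packets to any port on the homelab; a host firewall on the homelab (iptables with conntrack, as the last post suggests) remains the stateful control, and the flow rules are a second layer. And rule 3 drops non-TCP replies to the homelab, so if the homelab needs UDP (DNS, for example) or ping from other members, add matching accept rules before it.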