FreeBSD 14.0 ZeroTier 401 error

When starting ZeroTier on FreeBSD 14.0:

    # zerotier-cli info
    401 info{}
    # zerotier-cli peers
    401 peers {}
    # zerotier-cli dump

    Error connecting to the ZeroTier service: {}
    Please check that the service is running and that TCP port 9993 can be contacted via 127.0.0.1.

Opening 127.0.0.1:9993 in a browser returns only

    {}

I tested on FreeBSD 13.2 (VM) and it’s OK.
Has anyone else encountered this problem?

Same problem. It is only the CLI that’s not working; the daemon does configure the interfaces and routes properly.

Checking with curl shows that connecting to ‘::1’ instead of ‘127.0.0.1’ works:

    curl -H "X-ZT1-Auth: $(cat /var/db/zerotier-one/authtoken.secret )" http://[::1]:9993/status -v
    *   Trying [::1]:9993...
    * Connected to ::1 (::1) port 9993
    > GET /status HTTP/1.1
    > Host: [::1]:9993
    > User-Agent: curl/8.4.0
    > Accept: */*
    > X-ZT1-Auth: 2x1nkf8t9u0x9c791mfjrxrw
    > 
    < HTTP/1.1 200 OK
    < Content-Length: 1589
    < Content-Type: application/json
    < Keep-Alive: timeout=5, max=5
    < 
    * Connection #0 to host ::1 left intact
    ...

Using IPv4 127.0.0.1 gets you 401 Unauthorized:

    curl -H "X-ZT1-Auth: $(cat /var/db/zerotier-one/authtoken.secret )" http://127.0.0.1:9993/status -v
    *   Trying 127.0.0.1:9993...
    * Connected to 127.0.0.1 (127.0.0.1) port 9993
    > GET /status HTTP/1.1
    > Host: 127.0.0.1:9993
    > User-Agent: curl/8.4.0
    > Accept: */*
    > X-ZT1-Auth: 2x1nkf8t9u0x9c791mfjrxrw
    > 
    < HTTP/1.1 401 Unauthorized
    < Content-Length: 2
    < Content-Type: application/json
    < Keep-Alive: timeout=5, max=5
    < 
    * Connection #0 to host 127.0.0.1 left intact

A quick comparison of the packets with tcpdump shows no differences in the payload.

Update: It looks like in FreeBSD 14 getpeername() returns sockaddr{AF_INET6, [::ffff:127.0.0.1]:9993}, whereas prior versions returned sockaddr{AF_INET, 127.0.0.1:9993}.

For a workaround, add the following to your “local.conf” and restart zerotier-one:

    "settings": {
        "allowManagementFrom": [ "127.0.0.1", "::1", "10.0.0.0/8", "ffff:127.0.0.1" ]
    }
2 Likes
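
The getpeername() behaviour described in the update above, as an added example that is not part of the original posts and is not ZeroTier's code: a simplified, hypothetical loopback allowlist matched strictly per address family rejects the IPv4-mapped peer `::ffff:127.0.0.1`, while unmapping it to `127.0.0.1` before matching accepts it without widening the allowlist. The function names and the two-entry allowlist are assumptions made for illustration.

```c
#include <arpa/inet.h>
#include <netinet/in.h>
#include <stdio.h>
#include <string.h>
#include <sys/socket.h>

/* Strict per-family match against a hypothetical allowlist {127.0.0.1, ::1}. */
static int loopback_allowed(int family, const void *addr)
{
    if (family == AF_INET)
        return ((const struct in_addr *)addr)->s_addr == htonl(INADDR_LOOPBACK);
    if (family == AF_INET6)
        return IN6_IS_ADDR_LOOPBACK((const struct in6_addr *)addr) ? 1 : 0;
    return 0;
}

/* If *a6 is ::ffff:a.b.c.d, store a.b.c.d in *a4 and return 1; else return 0. */
static int unmap_v4(const struct in6_addr *a6, struct in_addr *a4)
{
    if (!IN6_IS_ADDR_V4MAPPED(a6))
        return 0;
    memcpy(a4, &a6->s6_addr[12], sizeof(*a4));
    return 1;
}

/* peer_text: constructed stand-in for the peer address getpeername() reported.
 * normalize=0 is the strict check; normalize=1 unmaps before matching. */
static int check(const char *peer_text, int normalize)
{
    struct in_addr a4;
    struct in6_addr a6;
    if (inet_pton(AF_INET, peer_text, &a4) == 1)
        return loopback_allowed(AF_INET, &a4);
    if (inet_pton(AF_INET6, peer_text, &a6) != 1)
        return 0; /* unparsable peer address: deny */
    if (normalize && unmap_v4(&a6, &a4))
        return loopback_allowed(AF_INET, &a4);
    return loopback_allowed(AF_INET6, &a6);
}

int main(void)
{
    const char *peers[] = { "127.0.0.1", "::ffff:127.0.0.1", "::ffff:10.1.2.3", "::1" };
    for (size_t i = 0; i < sizeof(peers) / sizeof(peers[0]); i++)
        printf("%-18s strict=%d normalized=%d\n", peers[i], check(peers[i], 0), check(peers[i], 1));
    return 0;
}
```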

Solved.
Thank you very much.

Just in case anyone else runs into this issue the way I did, I want to point out that if you do not have a “local.conf” file, you can create one in /var/db/zerotier-one like this (to be valid JSON):

{
  "settings": {
    "allowManagementFrom": [
      "127.0.0.1",
      "::1",
      "10.0.0.0/8",
      "ffff:127.0.0.1"
    ]
  }
}

After that everything should work fine.
