Self-hosted Controller Network Not Accessible Outside LAN

Hey everyone, hope all is well. I’m trying to create a private network to grant clients access to a NAS on my home network. I have installed ZeroTier on three devices. The self-hosted network controller is installed on the NAS itself, and I installed the client on an Android phone and on a local PC with Ubuntu Linux. The network seems to not be visible remotely, and the Android device cannot find it even on the local LAN.

The NAS is a Synology running DSM 7.2 (DS223). I tried these instructions ( Synology NAS | ZeroTier Documentation ) but they failed because the architecture did not match my NAS. I went around those instructions and just installed it using the default docker image.

Once that was completed, I followed these instructions ( Network Controllers | ZeroTier Documentation) to set up the network controller on the NAS. I got the network ID.

I followed the install instructions, for the Linux PC on the same LAN ( sorry in advance, I can only have two links as a noob - https ://www.zerotier.com/ download/ ). I ran the CLI commands to join the network, and I was able to join. I validated this on the server side. I then authorized the Linux PC as a member, and could validate from that machine that status went from ACCESS_DENIED to OK.

I then tried installing it on an Android device ( https ://play.google.com/store/apps/details?id=com.zerotier.one ). I followed the instructions and set it up with the wireless adapter turned off so it would not be connected to the local LAN. When I try enabling it, I go from OFFLINE to ONLINE but I see ‘Network Not Found’ in a message at the bottom of the screen. It would seem that it cannot find the ZeroTier network remotely. So, I turned off ‘Allow Mobile Data’ in the app, then enabled wireless on the phone so it was on the LAN, and tried re-enabling the network again via the app. It still says the same thing. When I look at details for it, it says “Network Not Found” as the Status, but it does show a MAC as well as that the type is Private (so it would seem as though it has some info). But, from the CLI on the NAS where the network controller was initialized, it is not listed as a member.

I have tried dozens of other things in this process. Changing firewall settings, opening up ports on my router. I’m just unable to figure out what the problem may be, and I’ve run out of ways I know to troubleshoot this. Also, the ISP that I am on does not allow VPN connections without a static IP address. I decided to use ZeroTier in part because I could avoid that and avoid opening ports, but it may be playing a role here.

So, my questions are basically where to go next. Is there any other way I could troubleshoot the inability to connect to the network? Should I try setting up a ZeroTier account and using one of their servers to test and perhaps eliminate other issues by process of elimination? Any chance I’m missing something entirely? Any insights anyone may have are welcome!

Just wanted to add to this that I have gotten a static IP address from my ISP and I am still having the same issues. The static IP does not seem to have resolved my ability to connect from outside of the LAN.

Okay - so, still working on this, but I made some excellent progress until I hit another roadblock.

The issue with what I was doing above was that I hadn’t run the full command that is supposed to be used with the Synology device. Since I was using a different docker image to install, I had just run it normally, and was missing probably necessary elements of the command with the ‘cap-add’ and ‘device’ arguments. So, I ran it as follows:

docker run -d \
 --name zt \
 --restart=always \
 --device=/dev/net/tun \
 --net=host \
 --cap-add=NET_ADMIN \
 --cap-add=SYS_ADMIN \
 -v /var/lib/zerotier-one:/var/lib/zerotier-one zerotier/zerotier:latest

After I did that, and re-did everything else I said above, my phone could connect to the network outside of the LAN!

Unfortunately, now I run into another issue, which I think is related to having the Synology NAS join its own network. I now have three machines running on this; the NAS, my desktop PC, and my phone. I am unfortunately unable to access the NAS, which was the entire point.

I can ping the IP that was assigned to my phone from my desktop PC, but I cannot ping the IP that was assigned to the NAS. When I run the commands to get member info for the node that is on the NAS, it returns information suggesting it’s a proper member. But, when I run zerotier-cli listnetworks on the NAS, it returns nothing (as if it isn’t assigned to its own network).

Does anyone know - can I self-host the network, and have the same device that is hosting the network be a client/member of it? Since my phone can now connect to the network, I know the network is fine. But since my PC cannot ping the client/node that is on the same NAS that created the network, and the network doesn’t show up when I do the list command, it’d seem as if there’s some issue with that.

Okay, after looking at the logs on the docker container as I was trying to run it, I found the following:

ERROR: unable to configure virtual network port: could not open TUN/TAP device: No such file or directory

Lots of rabbit holes led me here ( Running zerotier-one on synology nas using docker ) where I saw that they change the permissions on the /dev/net/tun so I did that and it worked.

So, ultimately it seems to come down to following the instructions here ( Synology NAS | ZeroTier Documentation ) except for changing the permissions on the /dev/net/tun:

chmod 0666 /dev/net/tun

And using the following docker run command:

docker run -d \
 --name zt \
 --restart=always \
 --device=/dev/net/tun \
 --net=host \
 --cap-add=NET_ADMIN \
 --cap-add=SYS_ADMIN \
 -v /var/lib/zerotier-one:/var/lib/zerotier-one zerotier/zerotier:latest
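The two symptoms in this thread (the "could not open TUN/TAP device" log line and an empty zerotier-cli listnetworks on the NAS) can be checked with a short script. This is an added example, not part of the original posts or of ZeroTier's documentation; the function names, the sample network ID and the sample listnetworks line are constructed, and the column layout of listnetworks is assumed from its header line.

```sh
#!/bin/sh
# Added diagnostic sketch (not from the thread). All sample values are constructed.

# tun_state [PATH] -> prints: missing | not-chardev | no-access | ok
tun_state() {
    dev=${1:-/dev/net/tun}
    if [ ! -e "$dev" ]; then
        echo missing        # corresponds to "No such file or directory" in the log
    elif [ ! -c "$dev" ]; then
        echo not-chardev    # something exists at the path but it is not a device node
    elif [ ! -r "$dev" ] || [ ! -w "$dev" ]; then
        echo no-access      # node exists, current user cannot open it read/write
    else
        echo ok
    fi
}

# network_status NWID -> reads `zerotier-cli listnetworks` output on stdin and
# prints that network's status (e.g. OK, ACCESS_DENIED) or "not-joined".
# The network name may contain spaces, so the status column is located as the
# field right after the MAC address instead of by a fixed position.
network_status() {
    awk -v id="$1" '
        $1 == "200" && $2 == "listnetworks" && $3 == id {
            for (i = 4; i < NF; i++)
                if (length($i) == 17 && $i ~ /^[0-9a-f:]+$/ && split($i, p, ":") == 6) {
                    print $(i + 1); found = 1; exit
                }
        }
        END { if (!found) print "not-joined" }
    '
}

# Constructed sample output: header line plus one joined network named "home nas".
SAMPLE='200 listnetworks <nwid> <name> <mac> <status> <type> <dev> <ZT assigned ips>
200 listnetworks 0123456789abcdef home nas 02:00:00:aa:bb:cc OK PRIVATE ztexample0 10.147.17.5/24'

echo "tun device: $(tun_state /dev/net/tun)"
echo "sample network: $(printf '%s\n' "$SAMPLE" | network_status 0123456789abcdef)"
```

On the NAS, the same parser can be fed live output from the container named zt above: docker exec zt zerotier-cli listnetworks | network_status followed by your network ID.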
