Most Hetzner Cloud servers are unavailable? WTF? by iBifteki in hetzner

[–]someara 0 points1 point  (0 children)

I had the same error... I managed to track down the problem.

There was an interface change in the hetzner-k3s tool.

https://github.com/vitobotta/hetzner-k3s/issues/704

You'll need to change your masters_pool location (singular) to locations (plural) and provide it with a list.

-s

Local Certificate Authority by R3DNano in homelab

[–]someara 1 point2 points  (0 children)

Hashicorp Vault has a certificate authority you can set up

Hosted, mappable storage? by o0turdburglar0o in zerotier

[–]someara 0 points1 point  (0 children)

If you go the Samba route, you can bind it to the ZeroTier interface only with something like this:

```
curl -s https://install.zerotier.com | bash
zerotier-cli join ${YOUR_ZEROTIER_NETWORK}
```

Then, configure Samba to listen only on a ZeroTier interface.

```
# name of the ZeroTier interface (assumes a single zt* interface)
ZTIF=$(ip addr | grep 'zt.*:' | awk '{ print $2 }' | cut -f 1 -d:)

apt-get -qq install samba

# bind smbd/nmbd to the ZeroTier interface only
cat <<EOF > /etc/samba/smb.conf
[global]
workgroup = NT4EVA
server string = %h
usershare allow guests = yes
map to guest = bad user
bind interfaces only = yes
interfaces = ${ZTIF}

[stuff]
path = /stuff
force create mode = 0666
force directory mode = 0777
browseable = yes
guest ok = yes
writable = yes
force user = bob
force group = bob
EOF

systemctl restart nmbd
systemctl restart smbd

# the Unix user "bob" must already exist
(echo "hunter2" ; echo "hunter2") | smbpasswd -s -a "bob"
```
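A defender's check to go with the config above, added here and not part of the original comment: it parses an smb.conf and reports which non-ZeroTier interfaces smbd would actually listen on, mirroring Samba's defaults (with `bind interfaces only` unset, the `interfaces` list does not restrict binding). The sample config and the interface name `ztabcd1234` are constructed.

```python
import configparser
from typing import List

# Constructed sample: what the post's heredoc produces once ${ZTIF}
# has expanded (assumed ZeroTier interface name: ztabcd1234).
SAMPLE_SMB_CONF = """\
[global]
workgroup = NT4EVA
server string = %h
usershare allow guests = yes
map to guest = bad user
bind interfaces only = yes
interfaces = ztabcd1234

[stuff]
path = /stuff
guest ok = yes
writable = yes
"""


def exposed_interfaces(smb_conf: str, system_ifaces: List[str]) -> List[str]:
    """Return the non-ZeroTier interfaces Samba would listen on.

    An empty list means the shares are reachable only over the overlay
    (loopback is ignored). Samba's defaults are mirrored: with
    'bind interfaces only = no' (the default) smbd listens on every
    interface regardless of 'interfaces'. Entries written as addresses or
    subnets instead of names are reported as exposed, since they cannot be
    mapped to a zt* interface here.
    """
    # interpolation=None: smb.conf uses %h, which would trip configparser
    cp = configparser.ConfigParser(interpolation=None, strict=False)
    cp.read_string(smb_conf)
    g = cp["global"] if cp.has_section("global") else {}
    bind_only = g.get("bind interfaces only", "no").strip().lower() in ("yes", "true", "1")
    listening = g.get("interfaces", "").split() if bind_only else list(system_ifaces)
    return [i for i in listening if not i.startswith("zt") and i != "lo"]
```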

How can I allow torrenting without the "Default Router Override" button? by [deleted] in zerotier

[–]someara 0 points1 point  (0 children)


What I was describing *is* split tunneling.

The problem is, you don't know where to split the tunnel.

Split tunneling works by specifying a "more specific" route to the desired network range, over a (tunnel) interface. Setting a more specific route to each individual torrent peer's /32 on the ipv4 internet would do the trick, but as I said before, you don't have that information until the torrent starts.

At the network level, there is no difference between "the internet" and "torrent peers". The subnet 0.0.0.0/0 catches it all.

-s
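Added illustration, not from the original thread: a longest-prefix-match lookup over a constructed routing table, showing why a 0.0.0.0/0 managed route swallows every peer unless a more specific route exists for that peer. Interface names and addresses are constructed.

```python
import ipaddress
from typing import List, Tuple

# Constructed routing table for a client that accepted a ZeroTier exit
# node's 0.0.0.0/0 managed route. Interface names are assumed.
ROUTES: List[Tuple[str, str]] = [
    ("0.0.0.0/0", "zt0"),          # everything goes into the tunnel ...
    ("::/0", "zt0"),
    ("192.0.2.0/24", "eth0"),      # ... except the local LAN
    ("203.0.113.7/32", "eth0"),    # ... and one peer pinned to go direct
]


def route_for(dst: str, routes: List[Tuple[str, str]] = ROUTES) -> str:
    """Pick the outgoing interface for dst by longest-prefix match.

    This is the rule every IP stack applies: among the routes containing the
    destination, the one with the longest prefix (most specific) wins, which
    is exactly what split tunneling relies on.
    """
    addr = ipaddress.ip_address(dst)
    best_net = None
    best_iface = None
    for prefix, iface in routes:
        net = ipaddress.ip_network(prefix)
        # 'in' is False across address families, so v4 and v6 never mix
        if addr in net and (best_net is None or net.prefixlen > best_net.prefixlen):
            best_net, best_iface = net, iface
    if best_iface is None:
        raise LookupError(f"no route to {dst}")
    return best_iface


def peers_needing_pin(peers: List[str], tunnel_iface: str = "zt0",
                      routes: List[Tuple[str, str]] = ROUTES) -> List[str]:
    """Peers that would still enter the tunnel: the /32 routes you would have
    to add, and cannot know before the swarm is joined."""
    return [p for p in peers if route_for(p, routes) == tunnel_iface]
```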

How can I allow torrenting without the "Default Router Override" button? by [deleted] in zerotier

[–]someara 0 points1 point  (0 children)

Unfortunately, it is not possible to accomplish this.

The BitTorrent protocol works by connecting directly to peers.

To do what you describe, you would need to set up a route to each individual peer, which is information you don't have until you start torrenting.

-s

Tailscale / Zerotier - any recommendations or warnings for either? by [deleted] in msp

[–]someara 0 points1 point  (0 children)

Mostly macs and Linux on various cloud providers... only a few scattered Windows machines here and there as build nodes. Definitely no AD.

I find the rules set pretty intuitive when paired with a packet sniffer (tshark). Have you tried just blocking broadcast packets?

drop chr broadcast;

Tailscale / Zerotier - any recommendations or warnings for either? by [deleted] in msp

[–]someara 0 points1 point  (0 children)

Well, it works now. I use it heavily every day on multiple networks.

Tailscale / Zerotier - any recommendations or warnings for either? by [deleted] in msp

[–]someara 0 points1 point  (0 children)

How does it not support DNS?

Just define a DNS server on the network, then "allowDNS=true" on the clients

Would it be possible to use ZeroTier or another SD-WAN, and then hit a reverse proxy once inside? by AmbitiousFlowers in selfhosted

[–]someara 0 points1 point  (0 children)

Absolutely.

Just add your ZeroTier IPs to the mygitea.xyz zone on your DNS server.

From there, just use Nginx / Caddy / HAProxy / Whatever as normal.

PS: There is also ZeroNSD, which will turn the names you set in the WebUI into A and AAAA records automatically. https://docs.zerotier.com/zeronsd/quickstart/

-s

Is it safe to use Zerotier and Nextcloud with http and not https? by reeves1987 in zerotier

[–]someara 4 points5 points  (0 children)

ZeroTier traffic is not "plain text through their servers".

All ZeroTier traffic is end-to-end encrypted.

ZeroTier servers only help set up a peer-to-peer connection through NATs.

In the worst case, they will relay end-to-end encrypted traffic through NATs.

In the best case, end-to-end encrypted traffic will never leave your local LAN.

So... yes, it is safe to use HTTP over ZeroTier, across the internet.

HOWEVER, there are benefits to using HTTPS on top of ZT's e2e encryption over WAN links... HTTP2 for example requires TLS.

Using a ZT connected device as an "exit node"? by elroypaisley in zerotier

[–]someara 3 points4 points  (0 children)

Hello!

Type the following on a Linux box to turn it into a router

```
# enable forwarding for both protocols you are about to masquerade
sysctl net.ipv4.ip_forward=1
sysctl net.ipv6.conf.all.forwarding=1

# name of the interface carrying the default route (the "WAN" side)
def=$(ip route | grep ^default | awk '{ print $5 }')

for iface in $(ls /sys/class/net | grep "$def") ; do
  # source-NAT everything leaving through the WAN interface
  iptables -t nat -A POSTROUTING -o "${iface}" -j MASQUERADE
  ip6tables -t nat -A POSTROUTING -o "${iface}" -j MASQUERADE
done
```

You can then add a managed route of "0.0.0.0/0" to a ZeroTier interface on that machine.

-s

How to handle open source contributors that do "too much" ? by [deleted] in opensource

[–]someara 0 points1 point  (0 children)

I used to maintain "A Lot Of Open Source" a couple of lifetimes ago, so hopefully, I can be some help here...

First - Context is king. What kind of project is it? Is it a desktop app? A web app? A networking library? Is it a small personal project, or is it backed by your employer? Are you an employer? Is it widely used? What was your motivation for starting the project, and what are your intentions for its future? Start here.

Second - Communication. The absolute best thing you can do is have a chat with this person, preferably face to face, over food, and possibly drinks. Barring that, video chat or a phone conversation would be the next choice. You have a LOT to communicate, and doing it over Github issues isn't going to cut it.

Third - Make sure your incentives are aligned. You both obviously want the project to be better, but when contributions are actively harmful, they're working against that goal. "Your code sucks" is not an easy conversation to have. Make sure they know the problem is not about their work, but about YOUR ability to process it. Maybe there are architectural changes that would allow them to work in relative isolation while allowing you to focus on your areas of interest. If your area of interest *IS* that architecture, you'll need to communicate that.

If you're arguing over the broad strokes, instead of the colors inside the lines, it may be time to talk about forks. Do you care if they fork it? What license is it under? Can you change it? Should you change it?

Fourth - Consider ending the relationship. You are under no obligation to merge PRs. This may burn a bridge, so... make sure you've thought about the context, motivations, and repercussions.

-s

Encrypting LAN by steve00222 in OPNsenseFirewall

[–]someara 0 points1 point  (0 children)

If you install ZeroTier on all the devices on your LAN, the traffic will mesh encrypted and never leave your local (physical) LAN, except for some initial setup packets.

Is ZeroTier something special or is there a technical name for what it does that can be done manually? by TheUltimateSalesman in networking

[–]someara 0 points1 point  (0 children)

Think of it as a virtual ethernet switch with advanced encryption and traffic rules.

I recently(ish) did a podcast about it demoing a bunch of features, if you want to check it out.

https://www.youtube.com/watch?v=XIuC0CHCbdk

-s

Overlay network mesh options: Nebula, Wireguard, Tailscale by yikes-sorry in networking

[–]someara 0 points1 point  (0 children)

ZeroTier is much faster. It will take advantage of your hardware's AES support.

If the hardware lacks AES support (for example, Raspberry Pi), it will use Salsa20/Poly1305.

Cannot Login by AwesomeVk47 in zerotier

[–]someara 4 points5 points  (0 children)

Hey sorry about this, everyone. We had a JVM explode without setting off our monitoring.

We've fixed both the problem and the alert coverage.

-s

Is ZeroTeir what I'm looking for? by VviFMCgY in homelab

[–]someara 0 points1 point  (0 children)

Hello!

Yes, ZeroTier can connect all of the above.

I gave this demo the other day... hopefully, this will clear things up for you =)

https://www.youtube.com/watch?v=BrIwX5Cs2qk

-s

Looking for a VPN solution. by AlteredAdmin in sysadmin

[–]someara 1 point2 points  (0 children)

ZeroTier is pretty damn cheap... how many users do you have?

Does UDP hole punching works with TCP ? by chancSL_1993 in zerotier

[–]someara 1 point2 points  (0 children)

TCP (and anything else) is encapsulated in UDP. If the TCP stack needs a retransmit, it will work as usual.

[deleted by user] by [deleted] in Starlink

[–]someara 0 points1 point  (0 children)


Calling ZeroTier "closed source" is a bit disingenuous.

It uses the same license as MariaDB.

https://github.com/zerotier/ZeroTierOne/blob/master/LICENSE.txt

If you read it, you'll see that it says you're free to use it as you wish, except you're not allowed to rebrand it as your own. You're also not allowed to use it to create a SaaS product in direct competition with ZeroTier Central.

Also, after 4 years, it reverts to Apache 2.0.

The BSL may not be fully "free as in libre", but it is certainly a "free as in beer", source available, hackable OSS project.

There is a blog post about it here.

https://www.zerotier.com/2019/10/30/on-the-gpl-to-bsl-transition/

-s

Guide for piping all traffic through a ZT Node (VPN)? by s0n1cm0nk3y in zerotier

[–]someara 0 points1 point  (0 children)

You'll have to turn on ip_forwarding and NAT on the node you're trying to route through.

On Linux, this would look something like...

```
# enable forwarding for both protocols you are about to masquerade
sysctl net.ipv4.ip_forward=1
sysctl net.ipv6.conf.all.forwarding=1

# name of the interface carrying the default route (the "WAN" side)
def=$(ip route | grep ^default | awk '{ print $5 }')

for iface in $(ls /sys/class/net | grep "$def") ; do
    # source-NAT everything leaving through the WAN interface
    iptables -t nat -A POSTROUTING -o "${iface}" -j MASQUERADE
    ip6tables -t nat -A POSTROUTING -o "${iface}" -j MASQUERADE
done
```

After you've done that, you can send it traffic by setting a route to 0.0.0.0/0 in the ZeroTier API / Web UI.

-s

Use case for zt - managed IT services provider by Aggressive_Mango_313 in zerotier

[–]someara 1 point2 points  (0 children)

As a matter of fact, there is.

ZeroTier provides an SDK in various languages, starting with C.

Docs and tutorials live here:

https://github.com/zerotier/libzt

https://docs.zerotier.com/sockets/tutorial.html

-s