My coworker's kid uses zerotier to maintain a private gaming network with static IPs for all their friends. Does your system have anything similar or is it just out in the open? Taking a cursory glance at your page it's hard to tell exactly what is being done. Looks cool though.
Just FYI, I've found Tailscale to be excellent for this purpose. I just created a new Google account, for sharing with friends and family to log in to Tailscale, and it's completely free. A relay on my Raspberry Pi allows me to expose select devices to those connected to my Tailscale.
You actually don't need to share your account with friends and family to share access with Tailscale. You can share devices instead: https://tailscale.com/kb/1084/sharing/. (I believe the doc is out of date and that this is now a production feature.)
I use this for sharing a media server with family and friends and it works great!
Looks like innernet relies on third party "Nebula" from "Slack Technologies" (commercialised IRC) which uses 70.199.182.92.
Perhaps the definition of "self-hosted" varies from person to person. The definition I subscribe to for "self-hosted" peer-to-peer is that I have to supply the publicly reachable IP address and run a supernode on it. (I prefer supernodes that only provide IP:port information for peers to directly connect and do not pass any traffic once the peers are connected.) Many of the so-called "peer-to-peer" projects I see today provide the IP address of a server run by a third party as part of their default configuration, with the option that a user could run their own server on their own IP address. (How many users do that?) Under the definition I subscribe to, nothing is for "free". I have to pay for the publicly reachable IP address and run the supernode from that address. Under another person's definition of "self-hosted", a third party might be hosting a necessary server. If they stop providing that service, the "self-hosted" solution no longer works.
Your understanding of how Nebula works is incorrect.
If you checked Nebula's readme you'd see the following:
> Nebula lighthouses allow nodes to find each other, anywhere in the world. A lighthouse is the only node in a Nebula network whose IP should not change. Running a lighthouse requires very few compute resources, and you can easily use the least expensive option from a cloud hosting provider. If you're not sure which provider to use, a number of us have used $5/mo DigitalOcean droplets as lighthouses.
This puts Nebula in a relatively small group of what I would call true self-hosted overlay networks (by the definition of "self-hosted" I subscribe to). Kudos for that.
What drew my attention was the remote IP address in
Anyway, while I would not necessarily choose to run Nebula myself (I prefer smaller overlay networks, for example), it is certainly an exception to the pattern I see in so many other "self-hosted" peer-to-peer projects. I apologise if the comment I submitted implied otherwise.
Note I never suggested innernet "runs on Nebula". The words I used were "innernet relies on Nebula." Of course, that, too, is incorrect. The blog post was just comparing innernet to Nebula. My bad! I am just too cynical about peer-to-peer projects since so many fall into the same patterns I dislike; hence I skimmed where I should have read more closely.
This system is a little simpler: it creates a public endpoint that will tunnel traffic to the game server over the playit program. So when the program and game server are running, anyone can connect to the server through the public address.
It has the advantage that only the server needs to run a program. It also does a few tricks like mapping each client's public IP to a LAN IP like 127.5.21.3 so IP banning / whitelisting still works in game.
At the moment the program only runs on PCs, however a few users have figured out how to run it on mobile. But that's just for the server; the server that is tunneled can be connected to by anything. We have a few users hosting Minecraft Bedrock servers that are being connected to by mobile and consoles.
How are people tunneling their console over the ZeroTier VPN? I assume this requires ZeroTier to be installed on the gateway, which is a bit beyond most users sadly :(
Looks like this uses https://github.com/cloudflare/boringtun, a userspace implementation of WireGuard written in Rust, and (I'm guessing) user IP:port is sent to a third party at api.playit.gg.
Version 3 did; however, I needed to manage the TCP/IP stack in the application. I tried using and patching smoltcp, then made things more stable by linking to gVisor (a Go project), but users were still having performance issues. Ended up launching v4, which uses the HTTP/2 protocol under the hood.
The users we have vary quite drastically in terms of their network access and computer hardware.
Looks convenient. I assume multiple servers share the same IP(s) on different non-default ports? I don’t see any info on how this works on the site.
I can’t imagine providing a free unique static IPv4 for 4000+ active servers would be a sustainable business model. IPv6 of course would be fine, if residential ISPs ever leave the Stone Age. (Looking at you, Bell Canada)
Yes, I'm assigning a random port to each tunnel. I have been considering purchasing an IP space to offer a premium version but it's hard to make the numbers work at my current scale.
Minecraft is quite nice as it supports SRV records, so the provided tunnel address doesn't need to show the port number. For other games you'll notice you have the non-standard port.
I had a similar use case for sharing my Plex media server. I am behind a CGNAT, so I don't have a fixed IP address, nor can I port-forward if I wanted to. The solution I came up with involves ZeroTier and a cheap VPS with a static IP (required as I can't set up ZeroTier everywhere: Apple TVs, Chromecasts, iPhones, etc.). The VPS acts as a relay to the private ZeroTier network (single address only, the Plex server), which allows anyone I have shared my Plex server with to access it without any setup.
I'd look at using an SSH reverse tunnel. If you can connect from the Plex server to a server hosted on EC2, Linode, DigitalOcean, etc., you could expose the service from that.
There's also good ol' (newish?) WireGuard on a relay VPS. But I understand how it'd be another extra step that could get in the way for someone unfamiliar with the tech.
For people who want to use WireGuard to receive a clean IPv4 and IPv6 public address (no blacklist and good reputation), you can check out https://hoppy.network
All ports are unblocked and you can choose plans with guaranteed speeds of 500 Mbit. It's great for people who self-host and don't want to manage a cloud VPS.
This looks awesome. I recently moved and had to get a new ISP and router and I gave up trying to get my home server working because the router firmware is so bugged out that port forwarding doesn’t work.
A bit late of a reply, but, to me, WireGuard is more of a catch-all solution, whereas ZeroTier focuses on one job: accessing internal services externally.
ZeroTier seems like a fine tool, but I feel like learning how to use WireGuard has more opportunity to come in handy later. Not to mention that WireGuard is a part of the kernel now, which makes things a bit more convenient as well.
This seems to create long-running tunnel sessions, doesn't it? If so, that seems to me to potentially create load that's too great for the service to be free.
That is correct. It's been difficult; I've had to rebuild the entire system 4 times, finding new optimizations here and there. I'm at break-even cost-wise from people purchasing custom domains for $1/month, or $6/year.
The latest version, v4, is performing really well and is helping me keep costs low while we're getting more users.
I thought that virtual hosts for TCP would be an interesting feature to have to support multiple services on a single port. I remember reading about this years back: http://www.litech.org/~brian/tcphosts/paper.html
A better solution would be to have each service on its own IP address and to do away with ports entirely. Ports are a hack to deal with limited IP addresses.
If you download and run the program it will launch the web browser to https://playit.gg/manage. On that page you should be able to add a Custom TCP tunnel. I don't quite follow the features you're looking for but I think the custom TCP tunnel should cover a good bit.
As for banning IPs, public IPs are mapped to local IPs (for example 127.3.5.6) so in-game banning should work. I have thought about creating a premium tier that lets you add firewall rules to the edge (our tunnel servers) so the traffic you filter never gets tunneled to you.
Is it possible to self-host it? I don't mind paying for a premium tier that lets me self-host/configure; I don't mind if it isn't open source, but I have a need to host something like this for players in the APAC region and also be able to select my own ports.
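The public-IP-to-loopback mapping mentioned in the two playit comments above (one 127.x address per client so in-game bans still work), written out as an added illustration that is not playit.gg's code. The sequential allocation from 127.1.0.1, the class and function names, and the sample client addresses (RFC 5737 documentation ranges) are all assumptions; the reverse lookup shows why the tunnel operator must keep the mapping table, since server logs and ban lists otherwise only contain loopback addresses.

```python
import ipaddress
from typing import Dict, Iterable, Set


class LoopbackMapper:
    """Assign each client's public IPv4 a stable address in 127.0.0.0/8.

    Hypothetical illustration of the scheme described in the thread. The
    tunnel endpoint rewrites the source of forwarded connections to the mapped
    address, so the game server sees one distinct 'LAN' peer per client and
    its own ban/whitelist logic keeps working unchanged.
    """
    # Start above 127.0.x.x so the server's own loopback traffic (127.0.0.1)
    # can never be confused with a mapped client. Pool size is an assumption.
    FIRST = int(ipaddress.IPv4Address("127.1.0.1"))
    LAST = int(ipaddress.IPv4Address("127.255.255.254"))

    def __init__(self) -> None:
        self._by_public: Dict[str, str] = {}   # public IP -> loopback IP
        self._by_local: Dict[str, str] = {}    # loopback IP -> public IP
        self._next = self.FIRST

    def local_for(self, public_ip: str) -> str:
        """Return (allocating on first sight) the loopback address for a client."""
        key = str(ipaddress.IPv4Address(public_ip))  # normalises, rejects garbage
        if key not in self._by_public:
            if self._next > self.LAST:
                raise RuntimeError("loopback pool exhausted")
            local = str(ipaddress.IPv4Address(self._next))
            self._next += 1
            self._by_public[key] = local
            self._by_local[local] = key
        return self._by_public[key]

    def public_for(self, local_ip: str) -> str:
        """Reverse lookup: trace a 127.x address seen in logs to the real client."""
        return self._by_local[local_ip]

    def is_mapped(self, local_ip: str) -> bool:
        return local_ip in self._by_local


def banned_public_ips(mapper: LoopbackMapper, ban_list: Iterable[str]) -> Set[str]:
    """Resolve an in-game ban list of loopback addresses to real public IPs,
    ignoring entries the mapper never handed out (stale or hand-typed)."""
    return {mapper.public_for(ip) for ip in ban_list if mapper.is_mapped(ip)}


def demo() -> Dict[str, str]:
    """Constructed sample: three connections from two clients; the repeat
    client must receive the same loopback address both times."""
    connections = ["203.0.113.7", "198.51.100.20", "203.0.113.7"]
    m = LoopbackMapper()
    return {pub: m.local_for(pub) for pub in connections}
```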
It looks like there's a tunnel app... could I use it to tunnel other stuff if I got creative? I'm behind CGNAT with Starlink on one of my connections, and I wouldn't mind a freebie tunnel to, say, a webserver in there...
Yes, you're free to tunnel whatever you like with the custom TCP and UDP tunnels. We have users tunneling their SSH and FTP servers and all sorts of things. Though if the bandwidth starts disrupting game servers, I may need to reconsider :).