Hi! If you know ZeroTier (https://zerotier.com) and want to expand your network without using their own SaaS infrastructure (maybe for privacy, maybe for budget, or just because you can), this guide is for you.

Keep reading and follow my steps. Happy GAN-ing.

0- Preliminary checks

First of all, if you are dealing with a brand new virtual Ubuntu server on GCE or EC2, make sure your server is up to date and the timezone is correct.

sudo apt update && sudo apt upgrade -y
sudo timedatectl set-timezone Europe/Istanbul

We cannot use a bare IP address for this network controller, because the Let's Encrypt certificate we will request is issued for a domain name. So make sure your FQDN (a top-level domain or a subdomain) is ready by creating an A and/or CNAME record in your DNS management.

If you can at least ping it, keep going.

1- Install ZeroTier CLI

Then we can install ZeroTier's official CLI:

curl -s https://install.zerotier.com | sudo bash

If everything is fine, checking your current status will show something like this:

sudo zerotier-cli status
--
200 info 1ab23c456d 1.4.6 ONLINE

2- Install ztncUI

Now we are going to install Key-Networks' ztncui (https://key-networks.com/ztncui/) as the web interface for the network controller:

curl -O https://s3-us-west-1.amazonaws.com/key-networks/deb/ztncui/1/x86_64/ztncui_0.5.8_amd64.deb
sudo apt-get install ./ztncui_0.5.8_amd64.deb

3- Install Let's Encrypt certbot

Thanks to ISRG and the EFF, we can easily secure our GAN with Let's Encrypt (https://letsencrypt.org/) and certbot (https://certbot.eff.org/):

sudo apt-get update
sudo apt-get install software-properties-common
sudo add-apt-repository universe
sudo add-apt-repository ppa:certbot/certbot
sudo apt-get update

sudo apt-get install certbot

sudo -i
cd /opt/key-networks/ztncui

sudo certbot certonly --standalone -d zero.onurkeskin.com

cd /opt/key-networks/ztncui/etc/tls
mkdir defaults
mv *.pem defaults/
ln -s /etc/letsencrypt/live/zero.onurkeskin.com/fullchain.pem
ln -s /etc/letsencrypt/live/zero.onurkeskin.com/privkey.pem

4- Verify the network controller can read the SSL certificates

Most probably, because of file permissions, ztncui cannot read our new certificates yet. But let's check anyway:

sudo -u ztncui cat /etc/letsencrypt/archive/zero.onurkeskin.com/fullchain1.pem
namei -lo /etc/letsencrypt/archive/zero.onurkeskin.com/privkey1.pem

If you can't read or access them, keep going:

sudo chmod -R 755 /etc/letsencrypt/archive/
sudo chmod -R 755 /etc/letsencrypt/live/
sudo chown -h ztncui:ztncui /opt/key-networks/ztncui/etc/tls/*.pem
sudo chmod 644 /opt/key-networks/ztncui/.env
sudo chown ztncui:ztncui /opt/key-networks/ztncui/.env

Now ztncui can also read the SSL certificates and import them into its Express.js web application.
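Note that `chmod -R 755` on the archive directory also makes `privkey1.pem` readable by every local user on the server, not only by ztncui. The script below is an added example (not part of the original post or of the ztncui project) of a least-privilege alternative plus the check to run afterwards: directories become 750, certificates 644 and private keys 640, and everything is group-owned by the service account's group, so only root and ztncui can read the key. It assumes GNU find and coreutils on Linux and takes the directory and the group name (ztncui, which exists once the .deb is installed) as arguments.

```shell
#!/bin/sh
# Added example, not from the original post or the ztncui project.
# "chmod -R 755 /etc/letsencrypt/archive" also makes privkey1.pem readable
# by every local user. This is a least-privilege alternative: directories 750,
# certificates 644, private keys 640, everything group-owned by the service
# account's group, so only root and ztncui can read the key.
# Assumes GNU find/coreutils on Linux; paths and group come from the caller.

# Audit: print the number of private keys under DIR ($1) that are readable
# by "other" (find -perm -o=r), listing them on stderr. Returns non-zero
# when at least one key is exposed, so it can gate a deployment step.
audit_cert_perms() {
    exposed=$(find "$1" -type f -name 'privkey*.pem' -perm -o=r)
    if [ -n "$exposed" ]; then
        printf 'world-readable private key(s):\n%s\n' "$exposed" >&2
    fi
    count=$(( $(find "$1" -type f -name 'privkey*.pem' -perm -o=r | wc -l) ))
    echo "$count"
    [ "$count" -eq 0 ]
}

# Harden: DIR ($1) and everything below it becomes group GROUP ($2);
# directories 750, private keys 640, other PEM files (certs, chains) 644.
# In production run it on /etc/letsencrypt/archive with group ztncui, and
# again on /etc/letsencrypt/live so its directories can be traversed.
harden_cert_perms() {
    chgrp -R "$2" "$1"
    find "$1" -type d -exec chmod 750 {} +
    find "$1" -type f -name 'privkey*.pem' -exec chmod 640 {} +
    find "$1" -type f -name '*.pem' ! -name 'privkey*.pem' -exec chmod 644 {} +
}

# Usage (as root): sh cert-perms.sh /etc/letsencrypt/archive ztncui
if [ "$#" -eq 2 ]; then
    harden_cert_perms "$1" "$2"
    audit_cert_perms "$1"
fi
```

After running it on both /etc/letsencrypt/archive and /etc/letsencrypt/live, `sudo -u ztncui cat /etc/letsencrypt/live/zero.onurkeskin.com/privkey.pem` should succeed while a user outside the ztncui group gets "Permission denied", and `audit_cert_perms /etc/letsencrypt/archive` prints 0.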

5- Set automatic SSL renewal

sudo certbot renew --dry-run 
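`certbot renew --dry-run` only proves that certbot can renew the certificate; it does not make ztncui pick up the renewed files, because a Node application like ztncui reads the key and chain when it starts. The deploy hook below is an added example (not from the original post, certbot or ztncui) that restarts ztncui, and reloads nginx if the reverse proxy from section 6.2 is in place, after a real renewal of the controller's certificate. It relies on the RENEWED_DOMAINS and RENEWED_LINEAGE variables that certbot exports to scripts in /etc/letsencrypt/renewal-hooks/deploy/; CONTROLLER_DOMAIN, NGINX_SITE and SERVICE_CTL are names chosen for this example. One caveat if you go with nginx in section 6.2: nginx then owns port 80, so a --standalone renewal needs nginx stopped around it (certbot's --pre-hook and --post-hook) or a switch to the webroot authenticator.

```shell
#!/bin/sh
# Added example, not from the original post, certbot or ztncui.
# certbot deploy hook: after a successful renewal of the controller's
# certificate, restart ztncui (a Node app reads its key files at startup)
# and reload nginx when the reverse proxy from section 6.2 is in use.
# Install as an executable file in /etc/letsencrypt/renewal-hooks/deploy/.
# certbot exports RENEWED_DOMAINS (space-separated names on the renewed
# certificate) and RENEWED_LINEAGE (its /etc/letsencrypt/live/<name> dir)
# to deploy hooks. CONTROLLER_DOMAIN, NGINX_SITE and SERVICE_CTL are names
# chosen for this example.

CONTROLLER_DOMAIN="${CONTROLLER_DOMAIN:-zero.onurkeskin.com}"
NGINX_SITE="${NGINX_SITE:-/etc/nginx/sites-enabled/ztncui.conf}"
SERVICE_CTL="${SERVICE_CTL:-systemctl}"   # SERVICE_CTL=echo dry-runs the hook

# Return 0 when $1 is one of the space-separated names in $2.
domain_in_list() {
    for d in $2; do
        [ "$d" = "$1" ] && return 0
    done
    return 1
}

# Print one "<action> <unit>" line per service to bounce. Only acts when
# the renewed certificate covers CONTROLLER_DOMAIN, so renewing an
# unrelated certificate on the same host never restarts the controller.
plan_restarts() {
    if ! domain_in_list "$CONTROLLER_DOMAIN" "$1"; then
        return 0
    fi
    echo "restart ztncui"
    if [ -f "$NGINX_SITE" ]; then
        echo "reload nginx"
    fi
}

# Execute the plan through SERVICE_CTL (systemctl in production).
run_hook() {
    plan_restarts "${RENEWED_DOMAINS:-}" | while read -r action unit; do
        "$SERVICE_CTL" "$action" "$unit"
    done
}

# certbot calls the hook with no arguments and the RENEWED_* variables set.
if [ "$#" -eq 0 ] && [ -n "${RENEWED_LINEAGE:-}" ]; then
    run_hook
fi
```

To see what the hook would do without touching any service, run it with `SERVICE_CTL=echo RENEWED_LINEAGE=/etc/letsencrypt/live/zero.onurkeskin.com RENEWED_DOMAINS=zero.onurkeskin.com sh deploy-hook.sh`; it prints the systemctl calls instead of executing them.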

6- Serve Web GUI

We have two options for publishing our web GUI to the public network.

The first is to publish under a custom port, such as https://zero.onurkeskin.com:3443.

The more generic way is to use a reverse proxy and publish directly under the standard HTTPS port, such as https://zero.onurkeskin.com.

6.1- Serving under a custom port

Tell ztncui that we are going to use TCP port 3443 for HTTPS access.

sudo sh -c "echo 'HTTPS_PORT=3443' > /opt/key-networks/ztncui/.env"

And tell your firewall to accept these requests:

sudo /sbin/iptables -I INPUT 1 -p tcp --dport 3443 -j ACCEPT

We can check our latest firewall rule:

sudo /sbin/iptables -L -v

And check public access:

nc -vz zero.onurkeskin.com 3443

If everything works, restart the service:

sudo systemctl restart ztncui

And access the web interface at https://zero.onurkeskin.com:3443 with the default login credentials:

username: admin    
password: password

[SecTip] The first thing to do after a successful login is to create a new admin account and delete the default admin account.

6.2- Using reverse proxy

We can use nginx or apache for this.

sudo apt install -y nginx

Remove the default site configuration:

sudo unlink /etc/nginx/sites-enabled/default

Create a new site configuration:

sudo nano /etc/nginx/sites-available/ztncui.conf

An example of this configuration may look like this (note that `listen 443 ssl` already enables TLS, so the deprecated `ssl on;` directive is not needed):

server {
    listen 80;
    return 301 https://$host$request_uri;
}

server {
    listen 443 ssl http2;
    server_name zero.onurkeskin.com;

    ssl_certificate /etc/letsencrypt/live/zero.onurkeskin.com/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/zero.onurkeskin.com/privkey.pem;

    ssl_session_timeout 1d;
    ssl_session_cache shared:SSL:10m;
    ssl_session_tickets off;

    ssl_protocols TLSv1.2 TLSv1.3;
    ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384;
    ssl_prefer_server_ciphers off;

    ssl_stapling on;
    ssl_stapling_verify on;
    resolver 8.8.8.8 8.8.4.4 valid=300s;
    resolver_timeout 30s;

    #add_header Strict-Transport-Security "max-age=63072000" always;
    add_header X-Frame-Options SAMEORIGIN;
    add_header X-Content-Type-Options nosniff;

    access_log /var/log/nginx/access.log;

    location / {
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
        proxy_pass http://localhost:3000;
        proxy_read_timeout 90;
        proxy_redirect http://localhost:3000 https://zero.onurkeskin.com;
    }
}

Test your configuration and enable it:

sudo nginx -t
sudo ln -s /etc/nginx/sites-available/ztncui.conf /etc/nginx/sites-enabled/
sudo service nginx restart

That's it, now you can access your ZeroTier (GAN) network controller web interface through your (sub)domain.

7- Removing unnecessary redundancies

If you tried the custom port solution but want to use the reverse proxy instead, it is always better to do some cleanup after successfully publishing it with nginx (or apache, caddy, etc.).

Remove the HTTPS_PORT definition from ztncui's environment variables; we do not need it anymore.

sudo rm /opt/key-networks/ztncui/.env
sudo touch /opt/key-networks/ztncui/.env
sudo systemctl restart ztncui

We also have to remove the custom port's firewall rule. Extravagance is never good.

sudo /sbin/iptables -L INPUT --line-numbers
sudo /sbin/iptables -D INPUT LINE.NUMBER.OF.RELEVANT.ENTRY

That's all. I hope you are happy with your ZeroTier network controller.