ZeroTier and WLANPi – Keeping profiles and keys for re-imaging

In 2018 the WLANPi (Twitter: @Wlanpi and Web: wlanpi.com) made its debut at WLPC Phoenix thanks to the hard work of Jerry Olla (Twitter: @jolla) and his team of volunteers. I am a BIG advocate of low cost tools to get things done in my job and this is one powerful little tool. If you haven’t checked out their website and videos yet, give a click on the link above.

Go ahead, I’ll wait…

Now that you’ve seen a bit about this little guy and what it can do, you can understand why I would not only want to use it on a local network but also as a possible remote sensor as well – where it is on a different network than the one I am on, potentially even across the nation or on the other side of the world! The challenge here is how to get a headless machine to communicate in a secure fashion upon boot without having to set up, manage, and control your own internal VPN server – especially when you aren’t that familiar with Linux. (Hey, give me a break, I am learning!) Enter ZeroTier, an SDN VPN service with free hosting of up to 100 devices. Check them out here: zerotier.com and on Twitter: @ZeroTier. They have a really simple-to-follow setup and are OS agnostic, which is perfect for a person with new and really limited skill with Linux. Their installation script for the Debian-based WLANPi was easy to run and, with a couple of configuration steps on the ZeroTier Central website, I had a device that was auto-configured to “call home” to a central location once it booted and was connected to the Internet.

DISCLAIMER: NEVER under any circumstances place a device on someone’s network without their consent! Also, this device, setup and following instructions can be a security risk if proper precautions are not taken. By using ZeroTier, the WLANPi and any information within the post, you are assuming full responsibility and accountability for your actions! USE AT YOUR OWN RISK! YOU HAVE BEEN WARNED!

I haven’t been able to get the GPG instructions to work yet so I took the risk and used the “careless lazy brave” method described in ZeroTier’s directions. It is at your discretion to do so, and while it is easy to get set up, one thing that bothered me is that every time I had to re-image my WLANPi, I would have to run the ZeroTier script again, reconfigure it for the Network ID and get the new identity code from the script, then delete the old entry for the WLANPi in Central and re-add the WLANPi with its new key, as well as manually re-configure its IP and Alias in Central. It began to be a monotonous task. Maybe someone can figure out an automated process and let me know how it’s done, but for now I’ve been able to remove the whole Central reconfiguration by doing the following steps. Keep in mind this is AFTER you have already set up ZeroTier on your WLANPi once and now have to re-image it to upgrade. (Side Note: Jerry and crew are reportedly working on a way to make the WLANPi software a package but until that is figured out we do a re-image of the SD card to upgrade).

For the method I describe to work, I use the following:

  • WLANPi
  • ZeroTier
  • MobaXterm – it has SSH and SFTP capability built-in and is designed for Windows

For those experienced folks who don’t want to read through the step-by-step, here’s the gist – the files we are looking for are located in the /var/lib/zerotier-one directory. The individual identity key files are identity.public and identity.secret. The other two files we need are for the network identity, found one more level down in the networks.d directory. Then I do the following:

  • Since we don’t own them with our current user, I change the owner of the /var/lib/zerotier-one directory recursively to my WLANPi user – by default this is wlanpi
  • SFTP / copy the two identity files off the WLANPi along with the networks.d directory.
  • Re-image the WLANPi
  • Run the ZeroTier script on the new image ignoring the rest of the instructions
  • Change ownership of the new /var/lib/zerotier-one directory to my current user
  • SFTP the identity files and the networks.d directory back into the /var/lib/zerotier-one directory.
  • Change ownership of the /var/lib/zerotier-one directory back to root.
  • Reboot your WLANPi

So, you have ZeroTier installed and have to re-image. Before you re-image the SD card, SSH into your WLANPi with MobaXterm.

On the left is a pane for the built-in SFTP server and what’s cool is that the WLANPi natively supports it if you don’t have it blocked by the firewall (ufw comes on the WLANPi now). The right hand pane is your SSH session. I don’t mind having to enter the path name to the directory I am looking for or using the Windows “point-and-click” method to open the tree in the SFTP pane to find the file I want so I will leave that to you to experiment with. Unfortunately we can’t just copy / download the files we need since they aren’t owned by the user, they are owned by root. Therefore we have to issue the following command in our SSH session:

sudo chown -R wlanpi: /var/lib/zerotier-one

The -R option makes the change recursive: it changes the ownership of all files, folders, and sub files/folders within the directory. At this point, we use the SFTP pane to select and copy (download) the files and folder we want and save them for later. If you are like me and have multiple WLANPi units, be sure you don’t inadvertently save them all in the same place, which can overwrite files.

After you have the copies saved, flash your WLANPi SD card with the new image and begin setup like normal. Once you have the WLANPi connected to the Internet again, follow the installation instructions for ZeroTier for Linux to download and install the newest version. Once you have the installation part completed, you do not need to continue with the setup step of joining the network ID, since we will do that by overwriting the identity the installation script just created.

SSH back into your WLANPi with MobaXterm as you did before, change the ownership of the /var/lib/zerotier-one directory to your user again, SFTP the two identity files and networks.d directory back into the WLANPi, change the ownership of /var/lib/zerotier-one back to root, and reboot your WLANPi.

When your WLANPi comes back online, it should just reconnect to your ZeroTier network with its old name, IP and other configurations!
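
The same backup and restore, scripted (an added example, not from the original post or from ZeroTier): it uses sudo tar to read and write /var/lib/zerotier-one instead of changing the directory's owner, so identity.secret, the node's private key, is never left readable by the wlanpi user in place. The function names, the ZT_DIR and SUDO variables and the archive path are assumptions, as is the node address being the first colon-separated field of identity.public.

```shell
#!/bin/sh
# Added example (not from the post or from ZeroTier): keep a ZeroTier node
# identity across a re-image without changing ownership of the data directory.
# Assumed names: ZT_DIR, SUDO, zt_node_id, zt_backup, zt_restore.
ZT_DIR="${ZT_DIR:-/var/lib/zerotier-one}"   # path named in the post
SUDO="${SUDO-sudo}"                         # set SUDO="" when already root

# Print the node address. Assumption: it is the first colon-separated
# field of identity.public.
zt_node_id() {
    $SUDO cut -d: -f1 "$ZT_DIR/identity.public"
}

# zt_backup ARCHIVE: save the two identity files and networks.d.
zt_backup() {
    archive="$1"
    for f in identity.public identity.secret networks.d; do
        $SUDO test -e "$ZT_DIR/$f" || { echo "missing: $ZT_DIR/$f" >&2; return 1; }
    done
    # identity.secret is the node's private key: create the archive 0600.
    ( umask 077
      rm -f "$archive"
      $SUDO tar -C "$ZT_DIR" -cf - identity.public identity.secret networks.d \
          > "$archive" )
}

# zt_restore ARCHIVE: overwrite the identity the fresh install generated.
zt_restore() {
    archive="$1"
    [ -r "$archive" ] || { echo "cannot read: $archive" >&2; return 1; }
    # Run as root, tar restores the ownership recorded in the archive.
    $SUDO tar -C "$ZT_DIR" -xf - < "$archive" || return 1
    $SUDO chmod 600 "$ZT_DIR/identity.secret"
    $SUDO chmod 644 "$ZT_DIR/identity.public"
    echo "restored node $(zt_node_id); reboot to rejoin" >&2
}

# Usage: script backup|restore ARCHIVE
case "${1:-}" in
    backup)  zt_backup  "${2:?archive path}" ;;
    restore) zt_restore "${2:?archive path}" ;;
esac
```

Download the archive over SFTP before re-imaging and upload it again after running the ZeroTier installer; store it as carefully as the key it contains, and keep one archive per WLANPi unit.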

Not the cleanest I know, but once you get the hang of the steps it does become easier to follow and do. I can reconfigure my 6 units with a few other customizations I do fairly quickly and while it is a manual process to perform, it isn’t as bad as it seems.

Have fun!