Securing Your Cloudpanel Server UI and SSH/SFTP with ZeroTier: A Complete Guide 2024

hhf.technoloy · December 2, 2024, 12:23pm

Introduction

This guide will show you how to secure your CloudPanel server’s administrative interfaces using ZeroTier. By following this guide, you’ll restrict CloudPanel UI (port 8443) and SSH/SFTP access (port 22) to only be accessible through your ZeroTier network, while keeping HTTP/HTTPS (ports 80/443) open for public access.

Prerequisites

A server running CloudPanel
Root access to your server
A ZeroTier account (free tier is sufficient)
Your ZeroTier Network ID (create one at my.zerotier.com)

Security Benefits

Zero-Trust Security: Only authenticated ZeroTier devices can access sensitive ports
Reduced Attack Surface: Critical services are not exposed to the public internet
Simple Access Management: Easy to add or remove device access through ZeroTier Central
Encrypted Traffic: All traffic is automatically encrypted through the ZeroTier network
Public Web Access: Maintains public access to websites (ports 80/443)

Installation Steps

1. Download and Prepare the Script

wget https://git.hhf.technology/hhf/cloudpanel-zerotier/raw/branch/main/zerotier-setup.sh
chmod +x zerotier-setup.sh

2. Run the Script

sudo ./zerotier-setup.sh

3. Follow the Script Prompts

When prompted, enter your ZeroTier Network ID:
```
Please enter your ZeroTier Network ID: a1b2c3d4e5f67890
```
- This should be a 16-character hexadecimal string
- You can find this in your ZeroTier Central dashboard (my.zerotier.com)
The script will then:
- Install ZeroTier if not already installed
- Join your ZeroTier network
- Display debug information about the connection

4. Authorize Your Node

While the script is waiting for IP assignment:

Go to my.zerotier.com
Log into your account
Select your network
Find your server’s node in the “Members” section
Check the “Auth” checkbox to authorize it

The script will automatically detect when the authorization is complete and continue.

5. Confirm Configuration

When prompted “Would you like to proceed with the firewall and nginx configuration? (y/n)”, type ‘y’ to continue.

The script will then:

Create backups of your existing configuration
Update nginx to listen on your ZeroTier IP
Configure firewall rules
Restart necessary services

What the Script Does

The setup script performs the following actions:

Installs ZeroTier: If not already present, downloads and installs ZeroTier
Network Configuration: Joins your specified ZeroTier network
Backup Creation:
- Backs up your nginx configuration
- Creates a backup of your CloudPanel database
Security Updates:
- Configures nginx to listen only on ZeroTier IP for port 8443
- Updates firewall rules to restrict SSH and CloudPanel UI access
- Keeps HTTP/HTTPS (80/443) open for public access
Service Management: Restarts necessary services to apply changes

Verification

After the script completes, you’ll see:

Your ZeroTier IP address
Final status of your ZeroTier connection
Confirmation of service access points

Test your setup by:

Accessing CloudPanel UI: https://ZEROTIER_IP:8443
Testing SSH access: ssh user@ZEROTIER_IP
Verifying public website access still works

Troubleshooting

If you encounter issues:

Node Not Getting IP

Make sure you’ve authorized the node in ZeroTier Central
Check network status: sudo zerotier-cli status
Verify network membership: sudo zerotier-cli listnetworks

Cannot Access Services

Verify ZeroTier connection:

zerotier-cli status
zerotier-cli listnetworks

Check if the interface is up:
```
ip addr show zt0
```

Recovery

The script creates automatic backups with timestamps. To restore:

Nginx backups are at: /home/clp/services/nginx/sites-enabled/cloudpanel.conf.backup.*
Database backups are at: /home/clp/htdocs/app/data/db.sq3.backup.*

Security Best Practices

Access Management
- Only authorize known devices in ZeroTier Central
- Regularly audit and remove unused devices
- Keep your ZeroTier client software updated
Monitoring
- Regularly check authorized devices in ZeroTier Central
- Monitor access logs for unusual activity
- Keep CloudPanel and system packages updated

Support

If you encounter any issues:

Check the script’s debug output
Verify your ZeroTier network configuration
Ensure your node is authorized in ZeroTier Central
Review the backup files for any configuration issues

Conclusion

Your CloudPanel server is now secured with ZeroTier, allowing administrative access only through your private network while maintaining public access to web services. Regular monitoring of your ZeroTier network and authorized devices will help maintain security.

Guide to Access CloudPanel via ZeroTier

This guide will help you set up ZeroTier on your local machine to access CloudPanel securely. Follow the steps for your operating system.

Prerequisites

Your ZeroTier Network ID (16-character string)
CloudPanel server’s ZeroTier IP address
Access to ZeroTier Central (admin.zerotier.com)

Step 1: Install ZeroTier Client

Windows Installation

Download ZeroTier from Download - ZeroTier
Run the installer (ZeroTier_x.x.x.exe)
During installation, check “Launch ZeroTier One”
The ZeroTier icon will appear in your system tray

macOS Installation

Download ZeroTier from Download - ZeroTier
Open the downloaded .pkg file
Follow the installation wizard
Allow the system extension in Security & Privacy preferences if prompted
ZeroTier will appear in your menu bar

Linux Desktop Installation

# Ubuntu/Debian
curl -s https://install.zerotier.com | sudo bash

# Fedora/RHEL
sudo dnf install zerotier-one

# Arch Linux
yay -S zerotier-one
sudo systemctl enable --now zerotier-one

Step 2: Join Your ZeroTier Network

Windows

Right-click the ZeroTier icon in system tray
Select “Join Network”
Enter your Network ID
Click Join

macOS

Click the ZeroTier icon in menu bar
Click “Join Network”
Enter your Network ID
Click Join

Linux Desktop

# Join network
sudo zerotier-cli join YOUR_NETWORK_ID

# Check status
sudo zerotier-cli status
sudo zerotier-cli listnetworks

Step 3: Authorize Your Client

Log in to ZeroTier Central (https://admin.zerotier.com)
Select your network
Find your device in the “Members” section
Check the “Auth” checkbox to authorize it
Give your device a name (optional)

Step 4: Verify Connection

For All Operating Systems:

Wait about 30 seconds for authorization to take effect
You should see a “Connected” status in your client
Your device will receive a ZeroTier IP address

To verify connection:

Windows: Right-click tray icon → Show Networks
macOS: Click menu bar icon → Network Status
Linux: Run sudo zerotier-cli listnetworks

Step 5: Access CloudPanel

Open your web browser
Navigate to https://ZEROTIER_IP:8443
Replace ZEROTIER_IP with your CloudPanel server’s ZeroTier IP
Accept the SSL certificate warning (if any)
Log in to CloudPanel

Step 6: SSH Access (Optional)

You can now SSH to your server using the ZeroTier IP:

ssh username@ZEROTIER_IP

Troubleshooting

Can’t Connect to Network:
- Verify Network ID is correct
- Check authorization in ZeroTier Central
- Ensure no firewall is blocking ZeroTier
Can’t Access CloudPanel:
- Verify you’re using https:// not http://
- Check if server’s firewall rules are correct
- Ensure you’re using the correct ZeroTier IP
Certificate Warnings:
- This is normal when accessing via IP
- You can safely proceed for CloudPanel access
Still Having Issues:
- Check ZeroTier connection status
- Verify both client and server are authorized
- Try restarting the ZeroTier service

Security Notes

Keep your Network ID private
Regularly review authorized devices
Use strong passwords for CloudPanel
Consider setting up proper SSL certificates

Additional Tips

Bookmark the CloudPanel ZeroTier URL
Save your SSH config for easier access
Consider setting up DNS for the ZeroTier IP
ZeroTier can be configured to auto-start:
- Windows: Already configured on install
- macOS: System Preferences → Users → Login Items
- Linux: Already enabled if installed via package manager