Securing Your CloudPanel Server UI and SSH/SFTP with ZeroTier: A Complete Guide 2024

Introduction

This guide will show you how to secure your CloudPanel server’s administrative interfaces using ZeroTier. By following this guide, you’ll restrict CloudPanel UI (port 8443) and SSH/SFTP access (port 22) to only be accessible through your ZeroTier network, while keeping HTTP/HTTPS (ports 80/443) open for public access.

Prerequisites

  • A server running CloudPanel
  • Root access to your server
  • A ZeroTier account (free tier is sufficient)
  • Your ZeroTier Network ID (create one at my.zerotier.com)

Security Benefits

  1. Zero-Trust Security: Only authenticated ZeroTier devices can access sensitive ports
  2. Reduced Attack Surface: Critical services are not exposed to the public internet
  3. Simple Access Management: Easy to add or remove device access through ZeroTier Central
  4. Encrypted Traffic: All traffic is automatically encrypted through the ZeroTier network
  5. Public Web Access: Maintains public access to websites (ports 80/443)

Installation Steps

1. Download and Prepare the Script

wget https://git.hhf.technology/hhf/cloudpanel-zerotier/raw/branch/main/zerotier-setup.sh
chmod +x zerotier-setup.sh

2. Run the Script

sudo ./zerotier-setup.sh

3. Follow the Script Prompts

  1. When prompted, enter your ZeroTier Network ID:

    Please enter your ZeroTier Network ID: a1b2c3d4e5f67890
    
    • This should be a 16-character hexadecimal string
    • You can find this in your ZeroTier Central dashboard (my.zerotier.com)
  2. The script will then:

    • Install ZeroTier if not already installed
    • Join your ZeroTier network
    • Display debug information about the connection

4. Authorize Your Node

While the script is waiting for IP assignment:

  1. Go to my.zerotier.com
  2. Log into your account
  3. Select your network
  4. Find your server’s node in the “Members” section
  5. Check the “Auth” checkbox to authorize it

The script will automatically detect when the authorization is complete and continue.

5. Confirm Configuration

When prompted “Would you like to proceed with the firewall and nginx configuration? (y/n)”, type ‘y’ to continue.

The script will then:

  • Create backups of your existing configuration
  • Update nginx to listen on your ZeroTier IP
  • Configure firewall rules
  • Restart necessary services

What the Script Does

The setup script performs the following actions:

  1. Installs ZeroTier: If not already present, downloads and installs ZeroTier
  2. Network Configuration: Joins your specified ZeroTier network
  3. Backup Creation:
    • Backs up your nginx configuration
    • Creates a backup of your CloudPanel database
  4. Security Updates:
    • Configures nginx to listen only on the ZeroTier IP for port 8443 (the CloudPanel UI)
    • Updates firewall rules so that SSH/SFTP (port 22) and the CloudPanel UI (port 8443) are only reachable from the ZeroTier network
    • Keeps HTTP/HTTPS (80/443) open for public access
  5. Service Management: Restarts necessary services to apply changes

Verification

After the script completes, you’ll see:

  1. Your ZeroTier IP address
  2. Final status of your ZeroTier connection
  3. Confirmation of service access points

Test your setup by:

  1. Accessing CloudPanel UI: https://ZEROTIER_IP:8443
  2. Testing SSH access: ssh user@ZEROTIER_IP
  3. Verifying public website access still works
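To check the end state described under What the Script Does, and to complement the manual tests above, here is an added audit script (not part of the guide or the cloudpanel-zerotier script): it pulls the server's ZeroTier IPv4 from zerotier-cli listnetworks and flags any CloudPanel UI listener (port 8443) that is still bound to an address other than the ZeroTier one. The sample command output it ships with is constructed; the network name clp-admin, the interface name ztabcdef01 and the addresses are assumptions.

```shell
#!/usr/bin/env bash
# Added check, not part of the guide or the cloudpanel-zerotier script: confirms that
# nginx serves the CloudPanel UI (8443) only on the ZeroTier address. sshd normally
# keeps listening on all addresses and relies on the firewall rules instead, so only
# 8443 is checked for its bind address. Both helpers read stdin, so they accept live
# `zerotier-cli listnetworks` / `ss -Hltn` output as well as the constructed samples.

# Print the first ZeroTier-assigned IPv4 from `zerotier-cli listnetworks` output
# (last column: assigned addresses, comma separated, with prefix length).
zt_ipv4() {
    awk '$1 == "200" && $2 == "listnetworks" && $3 != "<nwid>" {
        n = split($NF, a, ",")
        for (i = 1; i <= n; i++)
            if (a[i] ~ /^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+\//) { sub(/\/.*/, "", a[i]); print a[i]; exit }
    }'
}

# Read `ss -Hltn` lines from stdin; for each listener on one of the given ports print
# "OK <addr:port>" if bound to the ZeroTier IP, else "EXPOSED <addr:port>" and return 1.
# $1 = ZeroTier IPv4, remaining arguments = ports that must be ZeroTier-only.
audit_listeners() {
    zt_ip=$1; shift
    ports=" $* "; exposed=0
    while read -r _state _recvq _sendq local_addr _peer _rest; do
        port=${local_addr##*:}                   # text after the last ':'
        addr=${local_addr%:*}                    # text before the last ':'
        addr=${addr#\[}; addr=${addr%\]}         # strip IPv6 brackets, e.g. [::]
        case "$ports" in *" $port "*) ;; *) continue ;; esac
        if [ "$addr" = "$zt_ip" ]; then echo "OK      $local_addr"
        else echo "EXPOSED $local_addr"; exposed=1; fi
    done
    return "$exposed"
}

# Constructed sample output (not captured from a real host).
SAMPLE_LISTNETWORKS='200 listnetworks <nwid> <name> <mac> <status> <type> <dev> <ZT assigned ips>
200 listnetworks a1b2c3d4e5f67890 clp-admin 5e:ab:cd:ef:01:23 OK PRIVATE ztabcdef01 10.147.17.5/24,fd12:3456::1/88'
SAMPLE_SS_BEFORE='LISTEN 0 511 0.0.0.0:80 0.0.0.0:*
LISTEN 0 511 0.0.0.0:8443 0.0.0.0:*
LISTEN 0 128 0.0.0.0:22 0.0.0.0:*'
SAMPLE_SS_AFTER='LISTEN 0 511 0.0.0.0:80 0.0.0.0:*
LISTEN 0 511 10.147.17.5:8443 0.0.0.0:*
LISTEN 0 128 0.0.0.0:22 0.0.0.0:*'

# Live use on the server: ss -Hltn | audit_listeners "$(zerotier-cli listnetworks | zt_ipv4)" 8443
run_sample_audit() {
    ip=$(printf '%s\n' "$SAMPLE_LISTNETWORKS" | zt_ipv4)
    echo "before hardening:"; printf '%s\n' "$SAMPLE_SS_BEFORE" | audit_listeners "$ip" 8443
    echo "after hardening:";  printf '%s\n' "$SAMPLE_SS_AFTER"  | audit_listeners "$ip" 8443
}
```

Run the script on the server after the setup script finishes; a non-zero exit from the live audit_listeners call means port 8443 is still bound to a non-ZeroTier address and the nginx change did not take effect.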

Troubleshooting

If you encounter issues:

Node Not Getting IP

  • Make sure you’ve authorized the node in ZeroTier Central
  • Check network status: sudo zerotier-cli status
  • Verify network membership: sudo zerotier-cli listnetworks

Cannot Access Services

  1. Verify ZeroTier connection:
    sudo zerotier-cli status
    sudo zerotier-cli listnetworks
    
  2. Check if the ZeroTier interface is up. The interface name starts with zt (zt0 on older releases; current releases generate a name such as ztabcdef01, shown in the <dev> column of listnetworks output):
    ip -brief addr show | grep '^zt'
    

Recovery

The script creates automatic backups with timestamps. To restore:

  • Nginx backups are at: /home/clp/services/nginx/sites-enabled/cloudpanel.conf.backup.*
  • Database backups are at: /home/clp/htdocs/app/data/db.sq3.backup.*

Security Best Practices

  1. Access Management

    • Only authorize known devices in ZeroTier Central
    • Regularly audit and remove unused devices
    • Keep your ZeroTier client software updated
  2. Monitoring

    • Regularly check authorized devices in ZeroTier Central
    • Monitor access logs for unusual activity
    • Keep CloudPanel and system packages updated

Support

If you encounter any issues:

  1. Check the script’s debug output
  2. Verify your ZeroTier network configuration
  3. Ensure your node is authorized in ZeroTier Central
  4. Review the backup files for any configuration issues

Conclusion

Your CloudPanel server is now secured with ZeroTier, allowing administrative access only through your private network while maintaining public access to web services. Regular monitoring of your ZeroTier network and authorized devices will help maintain security.

Guide to Access CloudPanel via ZeroTier

This guide will help you set up ZeroTier on your local machine to access CloudPanel securely. Follow the steps for your operating system.

Prerequisites

  • Your ZeroTier Network ID (16-character string)
  • CloudPanel server’s ZeroTier IP address
  • Access to ZeroTier Central (admin.zerotier.com)

Step 1: Install ZeroTier Client

Windows Installation

  1. Download ZeroTier from the ZeroTier download page (https://www.zerotier.com/download/)
  2. Run the installer (ZeroTier_x.x.x.exe)
  3. During installation, check “Launch ZeroTier One”
  4. The ZeroTier icon will appear in your system tray

macOS Installation

  1. Download ZeroTier from the ZeroTier download page (https://www.zerotier.com/download/)
  2. Open the downloaded .pkg file
  3. Follow the installation wizard
  4. Allow the system extension in Security & Privacy preferences if prompted
  5. ZeroTier will appear in your menu bar

Linux Desktop Installation

# Ubuntu/Debian
curl -s https://install.zerotier.com | sudo bash

# Fedora/RHEL
sudo dnf install zerotier-one

# Arch Linux
yay -S zerotier-one
sudo systemctl enable --now zerotier-one

Step 2: Join Your ZeroTier Network

Windows

  1. Right-click the ZeroTier icon in system tray
  2. Select “Join Network”
  3. Enter your Network ID
  4. Click Join

macOS

  1. Click the ZeroTier icon in menu bar
  2. Click “Join Network”
  3. Enter your Network ID
  4. Click Join

Linux Desktop

# Join network
sudo zerotier-cli join YOUR_NETWORK_ID

# Check status
sudo zerotier-cli status
sudo zerotier-cli listnetworks

Step 3: Authorize Your Client

  1. Log in to ZeroTier Central (https://admin.zerotier.com)
  2. Select your network
  3. Find your device in the “Members” section
  4. Check the “Auth” checkbox to authorize it
  5. Give your device a name (optional)

Step 4: Verify Connection

For All Operating Systems:

  1. Wait about 30 seconds for authorization to take effect
  2. You should see a “Connected” status in your client
  3. Your device will receive a ZeroTier IP address

To verify connection:

  • Windows: Right-click tray icon → Show Networks
  • macOS: Click menu bar icon → Network Status
  • Linux: Run sudo zerotier-cli listnetworks

Step 5: Access CloudPanel

  1. Open your web browser
  2. Navigate to https://ZEROTIER_IP:8443
    Replace ZEROTIER_IP with your CloudPanel server’s ZeroTier IP
  3. Accept the SSL certificate warning (if any)
  4. Log in to CloudPanel

Step 6: SSH Access (Optional)

You can now SSH to your server using the ZeroTier IP:

ssh username@ZEROTIER_IP

Troubleshooting

  1. Can’t Connect to Network:

    • Verify Network ID is correct
    • Check authorization in ZeroTier Central
    • Ensure no firewall is blocking ZeroTier
  2. Can’t Access CloudPanel:

    • Verify you’re using https:// not http://
    • Check if server’s firewall rules are correct
    • Ensure you’re using the correct ZeroTier IP
  3. Certificate Warnings:

    • This is normal when accessing via IP
    • You can safely proceed for CloudPanel access
  4. Still Having Issues:

    • Check ZeroTier connection status
    • Verify both client and server are authorized
    • Try restarting the ZeroTier service

Security Notes

  1. Keep your Network ID private
  2. Regularly review authorized devices
  3. Use strong passwords for CloudPanel
  4. Consider setting up proper SSL certificates

Additional Tips

  1. Bookmark the CloudPanel ZeroTier URL
  2. Save your SSH config for easier access
  3. Consider setting up DNS for the ZeroTier IP
  4. ZeroTier can be configured to auto-start:
    • Windows: Already configured on install
    • macOS: System Preferences → Users → Login Items
    • Linux: Already enabled if installed via package manager