Introduction
This guide will show you how to secure your CloudPanel server’s administrative interfaces using ZeroTier. By following this guide, you’ll restrict CloudPanel UI (port 8443) and SSH/SFTP access (port 22) to only be accessible through your ZeroTier network, while keeping HTTP/HTTPS (ports 80/443) open for public access.
Prerequisites
- A server running CloudPanel
- Root access to your server
- A ZeroTier account (free tier is sufficient)
- Your ZeroTier Network ID (create one at my.zerotier.com)
Security Benefits
- Zero-Trust Security: Only authenticated ZeroTier devices can access sensitive ports
- Reduced Attack Surface: Critical services are not exposed to the public internet
- Simple Access Management: Easy to add or remove device access through ZeroTier Central
- Encrypted Traffic: All traffic is automatically encrypted through the ZeroTier network
- Public Web Access: Maintains public access to websites (ports 80/443)
Installation Steps
1. Download and Prepare the Script
wget https://git.hhf.technology/hhf/cloudpanel-zerotier/raw/branch/main/zerotier-setup.sh
chmod +x zerotier-setup.sh
2. Run the Script
sudo ./zerotier-setup.sh
3. Follow the Script Prompts
- When prompted, enter your ZeroTier Network ID:
Please enter your ZeroTier Network ID: a1b2c3d4e5f67890
- This should be a 16-character hexadecimal string
- You can find this in your ZeroTier Central dashboard (my.zerotier.com)
- The script will then:
- Install ZeroTier if not already installed
- Join your ZeroTier network
- Display debug information about the connection
4. Authorize Your Node
While the script is waiting for IP assignment:
- Go to my.zerotier.com
- Log into your account
- Select your network
- Find your server’s node in the “Members” section
- Check the “Auth” checkbox to authorize it
The script will automatically detect when the authorization is complete and continue.
5. Confirm Configuration
When prompted “Would you like to proceed with the firewall and nginx configuration? (y/n)”, type ‘y’ to continue.
The script will then:
- Create backups of your existing configuration
- Update nginx to listen on your ZeroTier IP
- Configure firewall rules
- Restart necessary services
What the Script Does
The setup script performs the following actions:
- Installs ZeroTier: If not already present, downloads and installs ZeroTier
- Network Configuration: Joins your specified ZeroTier network
- Backup Creation:
- Backs up your nginx configuration
- Creates a backup of your CloudPanel database
- Security Updates:
- Configures nginx to listen only on ZeroTier IP for port 8443
- Updates firewall rules to restrict SSH and CloudPanel UI access
- Keeps HTTP/HTTPS (80/443) open for public access
- Service Management: Restarts necessary services to apply changes
Verification
After the script completes, you’ll see:
- Your ZeroTier IP address
- Final status of your ZeroTier connection
- Confirmation of service access points
Test your setup by:
- Accessing CloudPanel UI:
https://ZEROTIER_IP:8443
- Testing SSH access:
ssh user@ZEROTIER_IP
- Verifying public website access still works
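One way to confirm the result on the server itself, as an added example that is not part of this guide or of the setup script: it checks that the CloudPanel UI listener is bound only to the ZeroTier IP and that the firewall allows 22 and 8443 only on the ZeroTier interface. It assumes the firewall the script configured is ufw; the ZeroTier IP 10.147.17.5, the interface name zt0 and the sample command output are constructed placeholders.

```shell
# Added verification helper for this guide (not part of the page or of zerotier-setup.sh).
# Assumes the server firewall is ufw; the ZeroTier IP and interface name are passed in.
# check_listeners ZT_IP: reads `ss -H -tln` lines on stdin. Passes when 8443 is bound only to
# ZT_IP and 80/443 to all addresses (22 is not checked: sshd still listens on all addresses
# and is restricted by the firewall instead).
check_listeners() {
  zt_ip="$1"; rc=0
  while read -r _state _rq _sq laddr _peer _rest; do
    port="${laddr##*:}"; addr="${laddr%:*}"
    case "$port" in
      8443) [ "$addr" = "$zt_ip" ] || { echo "FAIL: 8443 bound to $addr, expected $zt_ip"; rc=1; } ;;
      80|443) case "$addr" in
                0.0.0.0|'*'|'[::]') ;;
                *) echo "FAIL: port $port bound to $addr, should be public"; rc=1 ;;
              esac ;;
    esac
  done
  return "$rc"
}
# check_firewall ZT_IFACE: reads `ufw status` lines on stdin. Passes when every ALLOW rule
# for port 22 or 8443 is tied to the ZeroTier interface ("on ZT_IFACE").
check_firewall() {
  iface="$1"; rc=0
  while read -r line; do
    case "$line" in
      "22 "*|"22/"*|"8443 "*|"8443/"*)
        case "$line" in
          *"on $iface "*) ;;   # restricted to the ZeroTier interface: OK
          *ALLOW*) echo "FAIL: unrestricted rule: $line"; rc=1 ;;
        esac ;;
    esac
  done
  return "$rc"
}
# Constructed sample data (not captured from a real server): 10.147.17.5 stands in for the
# server's ZeroTier IP and zt0 for its ZeroTier interface name.
SAMPLE_SS='LISTEN 0 511 0.0.0.0:80 0.0.0.0:*
LISTEN 0 511 0.0.0.0:443 0.0.0.0:*
LISTEN 0 511 10.147.17.5:8443 0.0.0.0:*
LISTEN 0 128 0.0.0.0:22 0.0.0.0:*'
SAMPLE_UFW='22/tcp on zt0     ALLOW       Anywhere
8443/tcp on zt0   ALLOW       Anywhere
80/tcp            ALLOW       Anywhere
443/tcp           ALLOW       Anywhere'
# run_checks ZT_IP ZT_IFACE: returns 0 only if both checks pass on the sample data. On a live
# server use: ss -H -tln | check_listeners "$ip"  and  sudo ufw status | check_firewall "$iface"
run_checks() {
  printf '%s\n' "$SAMPLE_SS" | check_listeners "$1" &&
    printf '%s\n' "$SAMPLE_UFW" | check_firewall "$2"
}
```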
Troubleshooting
If you encounter issues:
Node Not Getting IP
- Make sure you’ve authorized the node in ZeroTier Central
- Check network status:
sudo zerotier-cli status
- Verify network membership:
sudo zerotier-cli listnetworks
Cannot Access Services
- Verify ZeroTier connection:
sudo zerotier-cli status
sudo zerotier-cli listnetworks
- Check if the interface is up:
ip addr show zt0
Recovery
The script creates automatic backups with timestamps. To restore:
- Nginx backups are at:
/home/clp/services/nginx/sites-enabled/cloudpanel.conf.backup.*
- Database backups are at:
/home/clp/htdocs/app/data/db.sq3.backup.*
Security Best Practices
- Access Management
- Only authorize known devices in ZeroTier Central
- Regularly audit and remove unused devices
- Keep your ZeroTier client software updated
- Monitoring
- Regularly check authorized devices in ZeroTier Central
- Monitor access logs for unusual activity
- Keep CloudPanel and system packages updated
Support
If you encounter any issues:
- Check the script’s debug output
- Verify your ZeroTier network configuration
- Ensure your node is authorized in ZeroTier Central
- Review the backup files for any configuration issues
Conclusion
Your CloudPanel server is now secured with ZeroTier, allowing administrative access only through your private network while maintaining public access to web services. Regular monitoring of your ZeroTier network and authorized devices will help maintain security.
Guide to Access CloudPanel via ZeroTier
This guide will help you set up ZeroTier on your local machine to access CloudPanel securely. Follow the steps for your operating system.
Prerequisites
- Your ZeroTier Network ID (16-character string)
- CloudPanel server’s ZeroTier IP address
- Access to ZeroTier Central (admin.zerotier.com)
Step 1: Install ZeroTier Client
Windows Installation
- Download ZeroTier from the official download page (Download - ZeroTier)
- Run the installer (ZeroTier_x.x.x.exe)
- During installation, check “Launch ZeroTier One”
- The ZeroTier icon will appear in your system tray
macOS Installation
- Download ZeroTier from the official download page (Download - ZeroTier)
- Open the downloaded .pkg file
- Follow the installation wizard
- Allow the system extension in Security & Privacy preferences if prompted
- ZeroTier will appear in your menu bar
Linux Desktop Installation
# Ubuntu/Debian
curl -s https://install.zerotier.com | sudo bash
# Fedora/RHEL
sudo dnf install zerotier-one
# Arch Linux
yay -S zerotier-one
sudo systemctl enable --now zerotier-one
Step 2: Join Your ZeroTier Network
Windows
- Right-click the ZeroTier icon in system tray
- Select “Join Network”
- Enter your Network ID
- Click Join
macOS
- Click the ZeroTier icon in menu bar
- Click “Join Network”
- Enter your Network ID
- Click Join
Linux Desktop
# Join network
sudo zerotier-cli join YOUR_NETWORK_ID
# Check status
sudo zerotier-cli status
sudo zerotier-cli listnetworks
Step 3: Authorize Your Client
- Log in to ZeroTier Central (https://admin.zerotier.com)
- Select your network
- Find your device in the “Members” section
- Check the “Auth” checkbox to authorize it
- Give your device a name (optional)
Step 4: Verify Connection
For All Operating Systems:
- Wait about 30 seconds for authorization to take effect
- You should see a “Connected” status in your client
- Your device will receive a ZeroTier IP address
To verify connection:
- Windows: Right-click tray icon → Show Networks
- macOS: Click menu bar icon → Network Status
- Linux: Run
sudo zerotier-cli listnetworks
Step 5: Access CloudPanel
- Open your web browser
- Navigate to https://ZEROTIER_IP:8443
Replace ZEROTIER_IP with your CloudPanel server’s ZeroTier IP
- Accept the SSL certificate warning (if any)
- Log in to CloudPanel
Step 6: SSH Access (Optional)
You can now SSH to your server using the ZeroTier IP:
ssh username@ZEROTIER_IP
Troubleshooting
- Can’t Connect to Network:
- Verify Network ID is correct
- Check authorization in ZeroTier Central
- Ensure no firewall is blocking ZeroTier
- Can’t Access CloudPanel:
- Verify you’re using https:// not http://
- Check if server’s firewall rules are correct
- Ensure you’re using the correct ZeroTier IP
- Certificate Warnings:
- This is normal when accessing via IP
- You can safely proceed for CloudPanel access
- Still Having Issues:
- Check ZeroTier connection status
- Verify both client and server are authorized
- Try restarting the ZeroTier service
Security Notes
- Keep your Network ID private
- Regularly review authorized devices
- Use strong passwords for CloudPanel
- Consider setting up proper SSL certificates
Additional Tips
- Bookmark the CloudPanel ZeroTier URL
- Save your SSH config for easier access
- Consider setting up DNS for the ZeroTier IP
- ZeroTier can be configured to auto-start:
- Windows: Already configured on install
- macOS: System Preferences → Users → Login Items
- Linux: Already enabled if installed via package manager