
Allow disabling ports instead of deleting, and disable Windows adapters and other interfaces #659

Open
zetix opened this issue Jan 10, 2018 · 44 comments
Labels
Status: Backlog Older issues that are awaiting resolution Type: Feature Request or Suggestion Enhancements, performance concerns, etc. Windows Windows-related issue

Comments

@zetix

zetix commented Jan 10, 2018

When reconnecting to the Zero Tier One network, windows creates additional adapter names instead of using the previous one. So with every reconnect, Zero Tier One's network adapter increments 1, such as Network 2, Network 3, Network 4... etc.

Only solution so far is to go into the registry and deleting the profiles created by Zero Tier to reset the number.

@laduke
Contributor

laduke commented Jan 10, 2018

@iZetiX As far as we know, there's no way to prevent this.

Out of curiosity, why do you leave and join the network?

@zetix
Author

zetix commented Jan 10, 2018

@laduke I don't really like having too many open connections up when I'm not actively using that connection, it just doesn't seem to make much sense. But what confuses me is why it's creating a new network profile when reconnecting to the server again and doesn't default back to the original one?

@glimberg
Contributor

@iZetiX It's because we like to clean up after ourselves. When someone leaves a network, we take the assumption that you're leaving it and may never join it again. Therefore, we don't leave a virtual network adapter lying around on your system for it, as each ZeroTier network you join has its own virtual network device in the OS. That would get very messy very quickly if you've joined a lot of different ZeroTier networks in the past.

@janjaapbos
Contributor

janjaapbos commented Jan 10, 2018

If you want Windows to be silent and just use any adapter without asking anything further, you can set a registry setting with the following powershell commands as Administrator:

Push-Location
Set-Location HKLM:
$regpath = ".\System\CurrentControlSet\Control\Network"
New-Item -Path $regpath -Name NewNetworkWindowOff -Force
Pop-Location

@zetix
Author

zetix commented Jan 10, 2018

@glimberg That doesn't justify ZeroTier leaving a trail of network profiles never to be cleaned up again.

When I disconnect, I would assume ZeroTier would be able to delete the network profile associated with that connection, however this isn't the case here. It creates an additional network profile for EACH reconnect, leaving all the previous network profiles unavailable to be used, unless I delete them from the registry myself.

@janjaapbos This doesn't solve the actual problem going on as ZeroTier does not clean up the network profile after you disconnect from the network.

@Arffeh

Arffeh commented Jan 10, 2018 via email

@zetix
Author

zetix commented Jan 10, 2018

I understand that this is also an issue with Windows as I've experienced this same issue of Windows just incrementing the numbers if there are duplicates. This has occurred multiple times with plugging in devices to a different port. It is also why I said specifically in the beginning that Windows is doing the increments of network profiles.

However, like you said, ZeroTier can easily purge its own entries, which was why I opened this issue in the first place. This is one of the first times I've actually experienced a network adapter incrementing itself over to Network 12, as other VPN connections don't have this issue.

I really appreciate the effort that the devs took in providing a free VPN solution that offers 100 connections. This is one of the major reasons why I started using ZeroTier, which is why I'm trying to bring attention to this issue, as although the fault is with Windows, it would honestly be a lot easier to convince the ZeroTier devs to iron this issue out than Microsoft.

@adamierymenko adamierymenko added the Status: Won't Fix Non-bugs, or things that can't be fixed label Jan 11, 2018
@adamierymenko
Contributor

This isn't a bug, but maybe we need a way to just disable a port instead of deleting it? Going to re-title. May not make it into 1.2.6 though.

@adamierymenko adamierymenko added usability Status: Backlog Older issues that are awaiting resolution and removed Status: Won't Fix Non-bugs, or things that can't be fixed labels Jan 11, 2018
@adamierymenko adamierymenko changed the title Windows 10 Network adapter # increasing every reconnect Allow disabling ports instead of deleting, and disable Windows adapters and other interfaces Jan 11, 2018
@cwichura

I'll add a justification use case for disabling/suspending but not deleting: if I take my laptop into work, even on the "employee personal devices" WiFi network, ZeroTier is blocked. Further, InfoSec shows up to tap me on the shoulder saying "Yo Bro, whatcha up to??" if I have left ZeroTier running. It would be really nice to have an easy way to suspend ZeroTier, but not have it delete and re-create the virtual network interface in the process, because then you have to deal with Windows thinking it's a new network every time.

@ianmock

ianmock commented Feb 8, 2018

+1 on disabling the adapter profile versus creating a new one. I'm currently using ZT on a private network and every time I disconnect and reconnect with the Windows client, my IP settings are wiped out.

@tusc

tusc commented May 21, 2018

I wrote a small PowerShell script that goes through all the network profiles in the registry and attempts to remove any that begin with "Network ". Must be run as admin. You need to remove the "-Whatif" parameter for the cmdlet to actually make changes. Be careful when running this.

Get-ChildItem 'HKLM:\Software\Microsoft\Windows NT\CurrentVersion\NetworkList\Profiles\' |
ForEach-Object{
    $profilename = $_.GetValue('ProfileName')
    if($profilename.StartsWith("Network ")){
        Write-Host "Removing item: $profilename" -ForegroundColor green
        Remove-Item $_.PSPath -Whatif
    }else{
        Write-Host "Skipping item:$profilename" -Fore blue -Back white
    }
}
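An added example, not code from this thread or from the ZeroTier project, that builds on the two admin-side workarounds posted above (janjaapbos's NewNetworkWindowOff key and tusc's profile-cleanup script). It first reports every NLA profile with its category and creation time and whether the "new network" prompt is suppressed, and then removes only "Network N" profiles that no currently connected network is using, so a live Ethernet or Wi-Fi profile that happens to be called "Network 3" is not deleted along with the stale ZeroTier ones. Assumptions (labelled in the code): the registry layout is the Windows 10/11 one, Category 0/1/2 means Public/Private/Domain, and DateCreated is a 16-byte SYSTEMTIME.

```powershell
# Added example (not from the issue thread or ZeroTier): audit NLA profiles,
# then remove stale "Network N" profiles without touching connected ones.
# Assumed registry layout (Windows 10/11); Category 0/1/2 = Public/Private/Domain.
#Requires -RunAsAdministrator

$ProfilesKey      = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\NetworkList\Profiles'
$NewNetworkOffKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\Network\NewNetworkWindowOff'

function ConvertFrom-SystemTime {
    # Decode the 16-byte SYSTEMTIME blob stored in DateCreated (assumed layout:
    # year, month, day-of-week, day, hour, minute, second, ms as little-endian UInt16).
    param([byte[]]$Bytes)
    if (-not $Bytes -or $Bytes.Length -lt 16) { return $null }
    $y  = [BitConverter]::ToUInt16($Bytes, 0)
    $m  = [BitConverter]::ToUInt16($Bytes, 2)
    $d  = [BitConverter]::ToUInt16($Bytes, 6)
    $h  = [BitConverter]::ToUInt16($Bytes, 8)
    $mi = [BitConverter]::ToUInt16($Bytes, 10)
    try { Get-Date -Year $y -Month $m -Day $d -Hour $h -Minute $mi -Second 0 } catch { $null }
}

function Get-NlaProfile {
    # One object per profile key: GUID, display name, category, creation time, path.
    $categories = @{ 0 = 'Public'; 1 = 'Private'; 2 = 'Domain' }
    Get-ChildItem $ProfilesKey | ForEach-Object {
        $cat = $_.GetValue('Category')
        [pscustomobject]@{
            Guid        = $_.PSChildName
            ProfileName = $_.GetValue('ProfileName')
            Category    = if ($null -ne $cat) { $categories[[int]$cat] } else { 'unknown' }
            Created     = ConvertFrom-SystemTime $_.GetValue('DateCreated')
            Path        = $_.PSPath
        }
    }
}

function Remove-StaleNetworkProfile {
    # Remove "Network N" profiles that are not the profile of a network that is
    # connected right now. -WhatIf shows what would go without changing anything.
    [CmdletBinding(SupportsShouldProcess = $true)]
    param()
    $active = (Get-NetConnectionProfile -ErrorAction SilentlyContinue).Name
    foreach ($p in Get-NlaProfile) {
        if ($p.ProfileName -notmatch '^Network \d+$') { continue }
        if ($active -contains $p.ProfileName) {
            Write-Warning "Keeping '$($p.ProfileName)': a connected network is using it"
            continue
        }
        if ($PSCmdlet.ShouldProcess($p.ProfileName, 'Remove NLA profile')) {
            Remove-Item -Path $p.Path -Recurse
        }
    }
}

# Report first: which profiles exist, and whether the "new network" prompt is suppressed.
Get-NlaProfile | Sort-Object Created | Format-Table ProfileName, Category, Created, Guid
if (Test-Path $NewNetworkOffKey) { 'NewNetworkWindowOff is set: Windows will not prompt for new networks' }
else { 'NewNetworkWindowOff is not set' }

# Dry run; drop -WhatIf to actually remove the stale profiles.
Remove-StaleNetworkProfile -WhatIf
```

Run the audit part before deleting anything: the creation timestamps make it obvious which profiles were produced by repeated re-joins, and the warning tells you when a "Network N" name belongs to something that is connected now. Removing a profile only clears the NLA record, so the next join still produces a fresh profile; the fix for that sits with the adapter lifecycle, which is what the rest of this issue is about.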

@laduke
Contributor

laduke commented Dec 17, 2018

Hey,

A point in favor of disabling instead of deleting.

From a user:

I'm using ZTO in place of a more traditional VPN system to allow business users RDP access to their office computers. I'm deploying the ZTO .msi silently and running a simple script to make the endpoint machine join one or more networks. This gets me part way to where I need to be but, I'm having trouble with management of the Windows Firewall as it pertains to ZeroTier. Each time a ZT network is toggled off/on Windows sees the network as a new network and applies the most restrictive Public network profile unless the user catches the prompt asking a YES/NO question. It's not reasonable for me to expect users to manage this aspect and I need a way to control the behavior remotely and programmatically and reliably.

@snadam

snadam commented Dec 17, 2018

I think it's important to be clear about what's happening and why and then from that understanding identify possible solutions that can be explored and ultimately implemented.

I'm not an expert on the matter and hope those with more knowledge will correct me where needed.

I don't believe that the root cause / issue is one of ZeroTier One failing to clean up after itself. Rather, I believe the issue is that ZeroTier One functions in such a way that Windows Network Location Awareness (NLA), is unable to 'fingerprint' ZeroTier One connections properly. Each time a ZeroTier One connection gets toggled off / on Windows NLA tries to ID the connection, fails, and ultimately creates a new profile entry.
If ZeroTier One were able to satisfy the basic requirements of NLA the creation of multiple network connections and associated profiles would cease. This would also allow administrators to set security profiles (Public / Private and firewall settings) against a connection and the settings would stick.
The Windows NLA service uses a number of factors to identify a network when a network link state changes. In particular NLA looks for the details of the default gateway including IP and MAC address. Since these don't exist on most ZeroTier One networks NLA is not able to conclusively ID the network and starts fresh.

I'm sure there are multiple ways to deal with this but, I don't know enough about the pros and cons to really have a confident opinion. My gut tells me that there's probably a way to deal with the adapter state such that Windows doesn't trigger a new NLA investigation. For example, instead of changing the link layer (Layer 1) state to down maybe there's a way for ZeroTier One to disable or shutdown the connection at Layer 2 like when a switch puts a port into a non-forwarding state but keeps Ethernet carrier (voltage) high and POE active.
Another way this could be dealt with is to have a 'helper' service on the ZeroTier Central portal that would work with NLA to allow for network identification.

I'd like to hear others' thoughts on the matter and be corrected where necessary.

Thanks
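An added example, not code from this thread or from ZeroTier, for the two admin-side points raised above: laduke's user needing to control the firewall profile of ZeroTier interfaces programmatically (rather than relying on users answering the Public/Private prompt), and snadam's explanation that NLA keys a network on its default gateway and therefore cannot recognise a gatewayless ZeroTier network after a re-join. The script shows, per connected interface, the default gateway and its MAC next to the gateway MAC stored in the NLA signature, and then pins every ZeroTier connection profile to the Private category so local firewall rules keep applying after the profile is re-created. Assumptions (labelled in the code): ZeroTier adapters have an InterfaceAlias beginning with "ZeroTier" (constructed pattern, adjust for your system), and the NetworkList registry layout is the Windows 10/11 one.

```powershell
# Added example (not from the issue thread or ZeroTier): show what NLA has to
# fingerprint for each connected network, and optionally pin ZeroTier profiles
# to the Private category. Assumed: "ZeroTier*" adapter alias pattern and the
# Windows 10/11 NetworkList registry layout.
#Requires -RunAsAdministrator

$NetworkList    = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\NetworkList'
$AdapterPattern = 'ZeroTier*'   # assumed alias pattern for ZeroTier virtual NICs

function Get-NlaFingerprint {
    # Map profile GUID -> ProfileName so each connected network can be matched
    # to the unmanaged signature whose ProfileGuid points at its profile.
    $names = @{}
    Get-ChildItem "$NetworkList\Profiles" | ForEach-Object { $names[$_.PSChildName] = $_.GetValue('ProfileName') }
    $sigs = Get-ChildItem "$NetworkList\Signatures\Unmanaged" -ErrorAction SilentlyContinue

    foreach ($cp in Get-NetConnectionProfile) {
        # Default IPv4 route on this interface: the gateway is what NLA keys on.
        $gw = Get-NetRoute -InterfaceIndex $cp.InterfaceIndex -DestinationPrefix '0.0.0.0/0' `
                           -AddressFamily IPv4 -ErrorAction SilentlyContinue |
              Select-Object -First 1 -ExpandProperty NextHop
        $gwMac = $null
        if ($gw -and $gw -ne '0.0.0.0') {
            $gwMac = (Get-NetNeighbor -IPAddress $gw -ErrorAction SilentlyContinue | Select-Object -First 1).LinkLayerAddress
        }
        $sig = $sigs | Where-Object {
            $g = $_.GetValue('ProfileGuid'); $g -and ($names[$g] -eq $cp.Name)
        } | Select-Object -First 1
        $storedMac = $null
        if ($sig) {
            $bytes = $sig.GetValue('DefaultGatewayMac')
            if ($bytes) { $storedMac = ($bytes | ForEach-Object { $_.ToString('X2') }) -join '-' }
        }
        [pscustomobject]@{
            Interface  = $cp.InterfaceAlias
            Profile    = $cp.Name
            Category   = "$($cp.NetworkCategory)"
            Gateway    = $gw
            GatewayMac = $gwMac
            StoredMac  = $storedMac   # empty: no gateway, so nothing stable for NLA to recognise
        }
    }
}

function Set-ZeroTierNetworkCategory {
    # Pin every ZeroTier connection profile to the given category (default Private).
    # Only Public and Private can be set; DomainAuthenticated is assigned by Windows.
    [CmdletBinding(SupportsShouldProcess = $true)]
    param([ValidateSet('Public', 'Private')][string]$Category = 'Private')
    Get-NetConnectionProfile | Where-Object InterfaceAlias -like $AdapterPattern | ForEach-Object {
        if ("$($_.NetworkCategory)" -ne $Category -and
            $PSCmdlet.ShouldProcess($_.InterfaceAlias, "Set network category to $Category")) {
            Set-NetConnectionProfile -InterfaceIndex $_.InterfaceIndex -NetworkCategory $Category
        }
    }
}

Get-NlaFingerprint | Format-Table -AutoSize
# Dry run; drop -WhatIf to apply the category.
Set-ZeroTierNetworkCategory -WhatIf
```

Because a re-join creates a new profile that starts out Public, the category has to be re-applied each time; running Set-ZeroTierNetworkCategory from a scheduled task triggered by the Microsoft-Windows-NetworkProfile/Operational "network connected" event (ID 10000) keeps that out of the user's hands. Whether Private is the right category for a given ZeroTier network is a policy decision for the administrator; the script only makes the choice repeatable.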

@ndo360

ndo360 commented Oct 30, 2019

Greetings, I really hope a disabling option gets chosen.

My friends and I have discovered, and fell in love with using ZeroTier to allow us to play old games through the LAN option. (As the online counterpart was shutdown.)

The issue is that we have to set the metric, every single time, before we play so we can see each other's games. It would really help out if there was such an option so we didn't have to constantly do that to play.

@wizzard0

wizzard0 commented May 5, 2020

One more vote for disabling. 1.4.6 removes the adapter on disconnect (not leave, but disconnect), which destroys network bridges and they have to be manually re-created upon reconnection. Makes bridging unusable.

@lahsreh

lahsreh commented Jul 25, 2020

I wrote a small PowerShell script that goes through all the network profiles in the registry and attempts to remove any that begin with "Network ". Must be run as admin. You need to remove the "-Whatif" parameter for the cmdlet to actually make changes. Be careful when running this.

Get-ChildItem 'HKLM:\Software\Microsoft\Windows NT\CurrentVersion\NetworkList\Profiles\' |
ForEach-Object{
    $profilename = $_.GetValue('ProfileName')
    if($profilename.StartsWith("Network ")){
        Write-Host "Removing item: $profilename" -ForegroundColor green
        Remove-Item $_.PSPath -Whatif
    }else{
        Write-Host "Skipping item:$profilename" -Fore blue -Back white
    }
}

I liked this solution. It works perfectly but I had to modify the code a bit to get it working. Github's formatting is hiding the underscores in the variable names and making them italic instead. Here's a reformatted version that should work. Also, don't forget to remove the -Whatif once you are sure you want to make the changes.

Get-ChildItem 'HKLM:\Software\Microsoft\Windows NT\CurrentVersion\NetworkList\Profiles\' |
ForEach-Object{
    $profilename = $_.GetValue('ProfileName')
    if($profilename.StartsWith("Network ")){
        Write-Host "Removing item: $profilename" -ForegroundColor green
        Remove-Item $_.PSPath -Whatif
    }else{
        Write-Host "Skipping item:$profilename" -Fore blue -Back white
    }
}

@unquietwiki unquietwiki added Type: Feature Request or Suggestion Enhancements, performance concerns, etc. Windows Windows-related issue and removed usability labels Aug 4, 2020
@zhchan

zhchan commented Aug 17, 2020

I wrote a small PowerShell script that goes through all the network profiles in the registry and attempts to remove any that begin with "Network ". Must be run as admin. You need to remove the "-Whatif" parameter for the cmdlet to actually make changes. Be careful when running this.

Get-ChildItem 'HKLM:\Software\Microsoft\Windows NT\CurrentVersion\NetworkList\Profiles\' |
ForEach-Object{
    $profilename = $_.GetValue('ProfileName')
    if($profilename.StartsWith("Network ")){
        Write-Host "Removing item: $profilename" -ForegroundColor green
        Remove-Item $_.PSPath -Whatif
    }else{
        Write-Host "Skipping item:$profilename" -Fore blue -Back white
    }
}

I liked this solution. It works perfectly but I had to modify the code a bit to get it working. Github's formatting is hiding the underscores in the variable names and making them italic instead. Here's a reformatted version that should work. Also, don't forget to remove the -Whatif once you are sure you want to make the changes.

Get-ChildItem 'HKLM:\Software\Microsoft\Windows NT\CurrentVersion\NetworkList\Profiles\' |
ForEach-Object{
    $profilename = $_.GetValue('ProfileName')
    if($profilename.StartsWith("Network ")){
        Write-Host "Removing item: $profilename" -ForegroundColor green
        Remove-Item $_.PSPath -Whatif
    }else{
        Write-Host "Skipping item:$profilename" -Fore blue -Back white
    }
}

It works fine on an English system but it will have issues when the system language is not English.
Kinda expect zerotier will provide the option in next updates. It's a wanted new feature though.

@zhchan

zhchan commented Aug 18, 2020

It's been a year since last update of zerotier, so we should confidently expect next update will include this right =)

@GermanCoding

GermanCoding commented Oct 9, 2020

Because I was also in desperate need of this feature, I added it myself in my fork of ZeroTier (see GermanCoding@7d9bbf6). The work is based on mostly clean ZeroTier 1.4.6 (not the current 1.5/1.6 beta that's on master). I might consider merging this into 1.6/2.0 once it's a bit more stable - I tested the beta yesterday and it seemed pretty unstable, which is why my fix is based on 1.4.6 instead.

If the devs want to merge this, I might file a PR, but I have a feeling that the code may not be up to standards for the devs, so I will refrain from doing a PR unless I explicitly hear (positive) feedback from the developers.

Edit: I do rebase my work from time to time to new ZeroTier releases. Therefore this comment may not be up to date, if you're interested in this check out my releases page (also see my comments below).

@xsrf

xsrf commented Nov 10, 2020

I'm also for disabling the adapter. I regularly toggle networks because they have conflicting IP addresses and/or route ALL traffic. Toggling a network also deletes all settings I've done to the network adapter (like metric, used protocols etc.).
Cisco VPN, Forcepoint, OpenVPN, Hamachi, all either disable the network adapter or (virtually) remove the network cable so Windows is still aware of the network adapter but knows it is not available for the moment.

@piterq

piterq commented Apr 22, 2021

+1 for disabling adapters. Currently managing firewall rules is very difficult because of this. The workaround that I've found is to manually disable the ZT adapter in "network connections" but it's not a very good solution, because it gets automatically enabled after each PC reboot.

@myfingerhurt

myfingerhurt commented Aug 26, 2021

#659 (comment)
Why not try to quote the code with markdown

<#
# Don't forget to remove the -Whatif once you are sure you want to make the changes.
# By @tusc & @lahsreh 
#>

Get-ChildItem 'HKLM:\Software\Microsoft\Windows NT\CurrentVersion\NetworkList\Profiles\' |
ForEach-Object{
    $profilename = $_.GetValue('ProfileName')
    if($profilename.StartsWith("Network ")){
        Write-Host "Removing item: $profilename" -ForegroundColor green
        Remove-Item $_.PSPath -Whatif
    }else{
        Write-Host "Skipping item:$profilename" -Fore blue -Back white
    }
}

@Tarrowren

What's the progress now? 😣

@LuciferSam86

Yeah, for people without technical background deleting network profiles with the script is not the best way and they feel safer if they turn off the network.

GermanCoding added a commit to GermanCoding/ZeroTierOne that referenced this issue Oct 18, 2021
zerotier#659)

This is non-production ready code that adds the ability to disable certain networks.

This adds two new CLI commands (and corresponding HTTP endpoints):

zerotier-cli enable <network>  - Enables a network
zerotier-cli disable <network> - Disables a network

A disabled network gets loaded briefly on startup, but will be torn down immediately after
startup. A disabled network behaves like the user left the network, except that config
data and the (Windows) network interface is still retained (in an offline state). Joining
or leaving a disabled network won't work. In order to rejoin a disabled network, it must
be re-enabled instead (disabling & enabling also auto-leaves/joins networks as appropriate).

Disabled networks remain disabled, even across restarts, until enabled again via the
appropriate command.

Note:
- The code has not been tested much and may not conform to quality standards
- No changes have been made to the (Windows) GUI application. This feature can only be
used via the CLI and *not* via the (Windows) GUI.

This is an adapted version of commit 1dbbeb2, rebased on ZeroTier 1.6.7
@LuciferSam86

@GermanCoding would be nice to see it as a PR. It would solve a few problems :)

@tymondouglas

@GermanCoding do you provide binaries? I would love to use your solution

@GermanCoding

@GermanCoding do you provide binaries? I would love to use your solution

@tymondouglas I did just set up a build pipeline with GitHub Actions. Binaries can be found on the releases tab now. Binaries are built directly on GitHub Actions, on GitHub's runners, so full transparency.

For installation:

The resulting binary zerotier-one_x64.exe (or x86 for 32-bit OS) needs to replace the existing one at %ProgramData%\ZeroTier\One. You probably need to stop the ZeroTier service first, before replacing the binary. Also ensure that you have installed a recent version of ZeroTier prior to doing this, because we're only replacing the service itself - ZeroTier also ships a driver, which we really don't want to compile/manage ourselves (that's a real mess). So we need to ensure that we already have this driver installed (it gets auto-installed from the .msi downloaded on zerotier.com)

@LuciferSam86 Please see my earlier comment here. I don't currently have plans to make this a PR, especially with 2.0 just ahead - 2.0 is likely going to require a lot of changes to the existing code. Once 2.0 is out and stable, I might reconsider it.

@DannyyyOnGit

DannyyyOnGit commented Oct 24, 2021

@GermanCoding You seem to be experienced with this. I checked the registry myself and it seems like it re-creates a profile each time (delete old entry, create new one). Does the incremented network adapter name leave any trash behind that I'm not aware of?

Also pretty disappointing to see that such a basic feature that would help new users like me, has been on the back-burner for over 3 years. I really hope this isn't an indicator for how this business handles their work in general.
@adamierymenko Any comments about the progress of this feature? A potential PR seems to exist already.

@LuciferSam86

If the next version of the client will be rewritten in Go, even for managing the part of the network interfaces in Windows, I think I could help it too.

@GermanCoding

@DannyyyOnGit Well it's been over a year since I last checked the facts, but I believe Windows does leave some references regarding the virtual NIC and the network profile around in the registry, even after the interface has been destroyed by ZT. So when doing this too often, the registry gets trashed eventually.

Also, some third-party firewall software (this also includes the Windows Firewall to some extent) can associate settings with the network profile, so a creation of a new profile (which happens each time you (re-)join a ZT network, because ZT removes the virtual NIC) will reset firewall settings previously applied to that interface. This currently makes it really difficult to manage local firewall settings, unless you never leave the ZT network. (Yes, ZT has its own controller-managed rule engine, but in some cases you want or need to use local system firewalls).

Same thing applies when doing any local customization to the network adapter (metric or whatever) - all of this gets lost when the adapter is destroyed.

@LuciferSam86

LuciferSam86 commented Oct 28, 2021

Well guys, the newest version 1.8.1 of the client can disconnect and forget the network.
If you "forget" the network it's the same behavior of 1.6.x version, otherwise you can disconnect keeping the network.

EDIT: yeah, nevermind. My error.

@glimberg
Contributor

glimberg commented Oct 28, 2021

AFAIK, nothing has changed in 1.8.1 re this. Normal designed use of ZeroTier doesn't involve a lot of leaving/rejoining networks. I believe someone mentioned they had a patch for this. If you submit a PR we can take a look and possibly merge it.

@Ridley-Rumpus

@iZetiX It's because we like to clean up after ourselves. When someone leaves a network, we take the assumption that you're leaving it and may never join it again. Therefore, we don't leave a virtual network adapter lying around on your system for it, as each ZeroTier network you join has its own virtual network device in the OS. That would get very messy very quickly if you've joined a lot of different ZeroTier networks in the past.

But the problem then is that the firewall in my AV (AVG) then finds a new network and automatically does not trust it and so I have to manually change settings every time I connect with ZT

@boboruml

Hi guys. This problem still persists in version 1.8.8... does anyone have a solution? Is it a bug or not?

@boboruml

I tried the procedure described here:
#659 (comment)
Situation is the same... :-/

@boboruml

Minor change ... if I leave the VPN permanently connected and do not disconnect, the network is the same even after a restart 👍

@GermanCoding

I tried the procedure described here: #659 (comment) Situation is the same... :-/

You have read GermanCoding@7d9bbf6 right? My builds do not change existing join/leave commands, but add new commands.

Minor change ... if I leave the VPN permanently connected and do not disconnect, the network is the same even after a restart 👍

If you do not leave the network the adapter/profile is kept even across reboots, yes. This has been the case for years. This issue was opened because ZeroTier deletes the network adapter when leaving networks, which may not be desired in every situation. Official ZeroTier builds currently do not offer a way to change this behaviour.

@boboruml

Thanks 👍

@LuciferSam86

Thanks 👍

For now I disable the Windows service when I don't need to use ZeroTier. So the Ethernet interfaces go down and keep any custom settings (like the metric).
When I need to use ZT again I re-enable the service and everything comes up and works.
Let's see if for the 2.0 release things will change.
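An added example, not code from this thread or from ZeroTier, that scripts the two workarounds described above (piterq disabling the ZT adapter in Network Connections, LuciferSam86 stopping the Windows service) so that ZeroTier can be paused and resumed without leaving the network: the adapter, its NLA profile and any custom settings such as the interface metric survive. Stopping the service before disabling the adapter is what keeps the service from re-enabling it; the optional -AcrossReboots switch sets the service to manual start so the pause also survives a reboot, which is the case piterq ran into. Assumptions (labelled in the code): the service name "ZeroTierOneService" and the "ZeroTier*" adapter-name pattern; check both with Get-Service and Get-NetAdapter on your system before relying on them.

```powershell
# Added example (not from the issue thread or ZeroTier): pause/resume ZeroTier
# without leaving the network. Assumed names: service "ZeroTierOneService",
# adapters matching "ZeroTier*" (verify with Get-Service / Get-NetAdapter).
#Requires -RunAsAdministrator

$ServiceName    = 'ZeroTierOneService'   # assumed
$AdapterPattern = 'ZeroTier*'            # assumed

function Get-ZeroTierAdapter {
    Get-NetAdapter -Name $AdapterPattern -ErrorAction SilentlyContinue
}

function Suspend-ZeroTier {
    # Stop the service first (so it cannot re-enable the adapter), then disable
    # the adapters. -AcrossReboots also stops the service from starting at boot.
    [CmdletBinding(SupportsShouldProcess = $true)]
    param([switch]$AcrossReboots)
    if ($PSCmdlet.ShouldProcess($ServiceName, 'Stop service')) {
        Stop-Service -Name $ServiceName -ErrorAction Stop
        if ($AcrossReboots) { Set-Service -Name $ServiceName -StartupType Manual }
    }
    Get-ZeroTierAdapter | Where-Object Status -ne 'Disabled' | ForEach-Object {
        if ($PSCmdlet.ShouldProcess($_.Name, 'Disable adapter')) {
            Disable-NetAdapter -Name $_.Name -Confirm:$false
        }
    }
}

function Resume-ZeroTier {
    # Reverse order: enable the adapters, then start the service (and restore
    # automatic start if Suspend-ZeroTier -AcrossReboots was used).
    [CmdletBinding(SupportsShouldProcess = $true)]
    param()
    Get-ZeroTierAdapter | Where-Object Status -eq 'Disabled' | ForEach-Object {
        if ($PSCmdlet.ShouldProcess($_.Name, 'Enable adapter')) {
            Enable-NetAdapter -Name $_.Name -Confirm:$false
        }
    }
    if ($PSCmdlet.ShouldProcess($ServiceName, 'Start service')) {
        Set-Service -Name $ServiceName -StartupType Automatic
        Start-Service -Name $ServiceName -ErrorAction Stop
    }
}

function Get-ZeroTierState {
    # One status object: service state plus each adapter's status and IPv4 metric,
    # so you can confirm after Resume-ZeroTier that the metric was preserved.
    $svc = Get-Service -Name $ServiceName -ErrorAction SilentlyContinue
    [pscustomobject]@{
        Service  = if ($svc) { "$($svc.Status) ($($svc.StartType))" } else { 'not installed' }
        Adapters = (Get-ZeroTierAdapter | ForEach-Object {
            $ip = Get-NetIPInterface -InterfaceIndex $_.ifIndex -AddressFamily IPv4 -ErrorAction SilentlyContinue
            "$($_.Name): $($_.Status), metric $($ip.InterfaceMetric)"
        }) -join '; '
    }
}

# Usage: Suspend-ZeroTier -WhatIf (dry run), Suspend-ZeroTier, Resume-ZeroTier.
Get-ZeroTierState
```

This is a pause, not a leave: the node still holds its network membership, so the same adapter and NLA profile come back on resume and no "Network N+1" profile is created. If a network must actually be left, the official client behaviour described earlier in this thread (adapter deleted on leave) still applies.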

@Searinox

Seconded. Really needing this. Not just to preserve interface zone but also network metric settings for the adapter.

@wangeris

wangeris commented Sep 23, 2022

this is really annoying, there should just be a toggle in the GUI how the user wants to handle this, if networks should be deleted each time or removed.
Keeping the connection up at all times is not always an option.

@michaelh99

Another user that would really like it if ZT would leave the network adapter available when disconnecting from the network.

It's not unusual for ZT or windows to get into a funny state after sleep such that the ZT connection doesn't work. Disconnecting and reconnecting is the only way I can reach my ZT devices when that happens.

@slopsjon

Same here, I have to add my home DNS server IP to the connection every time it creates a new one, which is up to number 53 now.

@nn9dev

nn9dev commented Oct 16, 2023

I suppose I'll throw my hat into the ring on this, I'm using zerotier-cli to leave and re-join ZeroTier whenever I open and close my VPN (since the VPN messes with ZeroTier and puts it in a weird state, honestly my issue is more with Surfshark here than ZeroTier), and it increments the number and re-prompts me as to whether the new ZeroTier network is a Public or Private network.
