    ZeroTier / Software VPN question

IT Discussion
24 Posts 8 Posters 2.4k Views
scottalanmiller @Joel

      @joel said in ZeroTier / Software VPN question:

Any ideas how I do this? Is this possible? Or do I just need to map the drives using the ZT IP address? But if I do that, when they take the laptops into the office, they will be using the ZT IP and not the internal LAN IP of the FS!

If you want to use any IP address that isn't the ZeroTier IP address, you are attempting to misuse ZT. ZT is an SDN, and by using it the idea is that you no longer use the underlying LAN IPs. You are trying to shoehorn two different approaches that aren't meant to work together into one thing.

stacksofplates @scottalanmiller

        @scottalanmiller said in ZeroTier / Software VPN question:

If you want to use any IP address that isn't the ZeroTier IP address, you are attempting to misuse ZT. ZT is an SDN, and by using it the idea is that you no longer use the underlying LAN IPs. You are trying to shoehorn two different approaches that aren't meant to work together into one thing.

        Yeah. Set your DNS records for your ZT addresses and point everything to those. On site they will use the local LAN. Off-site they will use whatever routes they need to.

Joel

Forgive me, what's an SDN?
          When you say set my DNS records to ZT addresses, do you mean on my DNS server (my DC) set the DNS for the FS01 to point to ZT IP?

JaredBusch @Joel

            @joel said in ZeroTier / Software VPN question:

Forgive me, what's an SDN?
            When you say set my DNS records to ZT addresses, do you mean on my DNS server (my DC) set the DNS for the FS01 to point to ZT IP?

            Here is the short answer. You are going to break shit.

            You have no idea what anything is. You don't want to do any of this.

Stick with your LAN design and add user VPN. It is built into Windows 10 and any other OS out there, and it is what your current system is designed to do.

            @scottalanmiller is, as usual, taking this to the extreme and telling you to rip it all out and redesign your network LAN-less.

scottalanmiller @JaredBusch

              @jaredbusch said in ZeroTier / Software VPN question:

              @scottalanmiller is, as usual, taking this to the extreme and telling you to rip it all out and redesign your network LAN-less.

              Didn't even start to do that. Instead, I pointed out that he was applying a LANless technique to a LAN-based network, which doesn't make sense.

scottalanmiller @Joel

                @joel said in ZeroTier / Software VPN question:

Forgive me, what's an SDN?

                Software Defined Network (aka SD-LAN). A virtualization layer on top of your network. That's what ZeroTier is for. It is not a VPN replacement. While it IS a VPN, it does not serve the purpose of LAN extension, which is what you are trying to do.

                Basically, your need is that you are a LAN based business and you want to extend the LAN. This is the traditional use of a VPN as people think of it (it's what people mean when they say VPN, but true VPN is much broader.)

ZT is not a LAN extension, but a LAN virtualization technology. It is not meant to be used in LAN based networks, but in LANless ones. So it doesn't apply well to you. It also uses VPN technology, but with a totally different intent.

scottalanmiller @Joel

                  @joel said in ZeroTier / Software VPN question:

                  When you say set my DNS records to ZT addresses, do you mean on my DNS server (my DC) set the DNS for the FS01 to point to ZT IP?

                  If you wanted to use ZT as intended, in a LANless way, then yes. Because your LAN IPs are LAN dependent, your ZT ones are not.

JaredBusch @Joel

                    @joel said in ZeroTier / Software VPN question:

Forgive me, what's an SDN?
                    When you say set my DNS records to ZT addresses, do you mean on my DNS server (my DC) set the DNS for the FS01 to point to ZT IP?

                    For a more positive answer, you can hybrid the approach, but things get very complicated as you need to be very certain of connectivity and DNS settings for everything.

                    A hybrid approach means putting ZT on all your servers that devices will need to reach over the ZT subnet.

                    Then you setup all the laptops with ZT.

                    Then you need to setup DNS to handle it. In my case I do not want to fuck with AD's normal functionality, so I hardcode some settings in the hosts file of the laptops that need it.

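The hosts-file step of the hybrid approach above, as an added example (this is not code from the thread, from ZeroTier, or from the poster): a script that keeps a managed block of entries on each laptop pinning the on-prem server names to their ZeroTier addresses, and that can be re-run safely whenever an address changes. The ZeroTier range 10.147.17.0/24, the names FS01 and DC01, their addresses, and the domain corp.example are hypothetical stand-ins.

```python
"""
Added example, not code from the thread or from ZeroTier: keep a managed block
of hosts-file entries on a laptop that pins on-prem server names to their
ZeroTier addresses, the way the hybrid approach above hardcodes them.

Everything below is a hypothetical stand-in: the ZeroTier network assigns
10.147.17.0/24, FS01 and DC01 are the servers that were given ZeroTier
membership, and the AD domain is corp.example.
"""
import ipaddress
from pathlib import Path

BEGIN = "# BEGIN zerotier-managed"
END = "# END zerotier-managed"

ZT_NET = ipaddress.ip_network("10.147.17.0/24")   # hypothetical ZT assignment range
AD_DOMAIN = "corp.example"                         # hypothetical AD DNS domain
PINNED = {                                         # hypothetical ZT addresses
    "FS01": "10.147.17.10",
    "DC01": "10.147.17.5",
}

# Windows default; pass another path for a test copy or a Linux laptop.
WINDOWS_HOSTS = Path(r"C:\Windows\System32\drivers\etc\hosts")


def render_block(pinned=PINNED, zt_net=ZT_NET, domain=AD_DOMAIN):
    """Build the managed block, refusing any address outside the ZT range
    so a typo cannot silently pin a server to a LAN or random address."""
    lines = [BEGIN]
    for host, ip in sorted(pinned.items()):
        if ipaddress.ip_address(ip) not in zt_net:
            raise ValueError(f"{host}: {ip} is outside the ZeroTier range {zt_net}")
        # Short name and FQDN both resolve: SMB and Kerberos may use either.
        lines.append(f"{ip}\t{host.lower()}.{domain}\t{host.lower()}")
    lines.append(END)
    return lines


def merge_hosts(existing_text, block_lines, pinned=PINNED, domain=AD_DOMAIN):
    """Return the new hosts text: drop the previous managed block and any
    unmanaged line that already names a pinned host (a stale LAN entry would
    otherwise shadow the ZeroTier one), then append the fresh block."""
    names = set()
    for host in pinned:
        names.add(host.lower())
        names.add(f"{host.lower()}.{domain}")
    kept, in_block = [], False
    for line in existing_text.splitlines():
        stripped = line.strip()
        if stripped == BEGIN:
            in_block = True
            continue
        if stripped == END:
            in_block = False
            continue
        if in_block:
            continue
        fields = stripped.split("#", 1)[0].split()
        if len(fields) >= 2 and any(f.lower() in names for f in fields[1:]):
            continue
        kept.append(line)
    return "\n".join(kept + block_lines) + "\n"


def update_hosts_file(path=WINDOWS_HOSTS):
    """Rewrite the hosts file in place (needs an elevated prompt on Windows)."""
    current = path.read_text(encoding="utf-8") if path.exists() else ""
    path.write_text(merge_hosts(current, render_block()), encoding="utf-8")


if __name__ == "__main__":
    # Dry run on a constructed hosts file rather than the live one.
    sample = "127.0.0.1\tlocalhost\n192.168.1.20\tfs01\t# old LAN pin\n"
    print(merge_hosts(sample, render_block()), end="")
```

Two caveats that follow from the design rather than from the script. The hosts file only answers name lookups for the hosts listed in it; AD domain controller location goes through DNS SRV records, so the laptop still needs a DNS server it can reach from outside (for instance the DC's ZeroTier address set on the ZeroTier adapter). And, as Joel noticed, with these entries the laptop talks to FS01 over the ZeroTier address in the office too; if the ZeroTier service is not running (see syko24's recovery note later in the thread) the names resolve but nothing answers.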
black3dynamite

The free version of ZeroTier can only connect up to 100 devices to unlimited networks.

Joel @JaredBusch

                        @jaredbusch said in ZeroTier / Software VPN question:

                        For a more positive answer, you can hybrid the approach, but things get very complicated as you need to be very certain of connectivity and DNS settings for everything.

                        A hybrid approach means putting ZT on all your servers that devices will need to reach over the ZT subnet.

                        Then you setup all the laptops with ZT.

                        Then you need to setup DNS to handle it. In my case I do not want to fuck with AD's normal functionality, so I hardcode some settings in the hosts file of the laptops that need it.

Okay thanks.
So if we have all users moving onto a laptop (no more office based desktops). They want to be able to work inside and outside the office and access all the same resources, have all group policies working etc. regardless of where they are. In this scenario would the hybrid be the best option then? e.g. install ZT on my DC and FS, then change DNS to point to ZT IPs and then install ZT on all laptops?

I'm looking for the best way to do this. It's a small network, so if I have to edit hosts files on laptops I can, but what do you think is the best way to have everything running with full access regardless of where users are?

JaredBusch @Joel

                          @joel said in ZeroTier / Software VPN question:

                          Okay thanks.
                          So if we have all users moving onto a laptop (no more office based desktops). They want to be able to work inside and outside the office and access all the same resources, have all group policies working etc regardless of where they are. In this scenario would the hybrid be best option then? eg. install ZT on my DC and FS, then change DNS to point to ZT IP's and then install ZT on all laptops?

                          I'm looking for the best way to do this. Its a small network so if i have to edit host files on laptops i can but what do you think is best way to have everything running with full access regardless of where users are.

                          This tells us that you don't want AD at all.

                          You are talking about a LAN-less design entirely.

                          We have a few tagged topics on this subject.
                          https://mangolassi.it/tags/lanless

Joel @JaredBusch

                            @jaredbusch said in ZeroTier / Software VPN question:

                            This tells us that you don't want AD at all.

                            You are talking about a LAN-less design entirely.

                            We have a few tagged topics on this subject.
                            https://mangolassi.it/tags/lanless

No, I do want AD. I want users to authenticate to a local server. 80% of the time they will be in the office, but then the 20% will be outside the office. But whilst outside I want them to log in, access the server's resources and sync folders back to the local server. I guess I'm looking for the most efficient way of doing this hybrid scenario.

Dashrender @Joel

                              @joel said in ZeroTier / Software VPN question:

No, I do want AD. I want users to authenticate to a local server. 80% of the time they will be in the office, but then the 20% will be outside the office. But whilst outside I want them to log in, access the server's resources and sync folders back to the local server. I guess I'm looking for the most efficient way of doing this hybrid scenario.

                              Why do you want that though? If you can do syncing - you could, for example, move to O365, have your Windows 10 machines all authenticate with O365, sync files in ODfB and Sharepoint and skip having servers on site at all. If you want GPOs you'll have to buy that addon for your users (advanced AD I think it might be called).

syko24 @Joel

                                @joel - I was able to make this work in a lab setting.

                                Here is what I did:

1. Install ZeroTier on a Linux box or VM in your office. You don't have to install ZT on your Windows servers, as the Linux system is going to act as a bridge to the entire local network.
2. Set up your ZeroTier network to hand out IP addresses in the same subnet as your local network. Just don't overlap DHCP addresses on your local network.
3. Set the Linux machine into bridge mode. Read this post about bridge mode setup: https://mangolassi.it/topic/8566/zerotier-bridging-configuration/2
4. Install ZeroTier on your laptops and join the network.
5. On the laptops, edit the DNS on the ZT network adapter to point to your domain controller(s).

I did this a year ago, so there may be a setting or two I am overlooking. There is a possibility that if you set your laptops' ZT adapter to obtain an address automatically they will pull their IP from the local DHCP server, and you may not need to assign addresses from ZT.

syko24

                                  Just another note with ZeroTier. On your Windows clients make sure you change the ZeroTier One Service Recovery options to restart the service on failures. Sometimes on Windows 10 it doesn't start when the computer boots up so the recovery option will hopefully restart the service if needed.

scottalanmiller @Joel

                                    @joel said in ZeroTier / Software VPN question:

Okay thanks.
So if we have all users moving onto a laptop (no more office based desktops). They want to be able to work inside and outside the office and access all the same resources, have all group policies working etc. regardless of where they are. In this scenario would the hybrid be the best option then? e.g. install ZT on my DC and FS, then change DNS to point to ZT IPs and then install ZT on all laptops?

I'm looking for the best way to do this. It's a small network, so if I have to edit hosts files on laptops I can, but what do you think is the best way to have everything running with full access regardless of where users are?

                                    What's the goal in using any LAN IPs here? I don't see any reason to avoid ZT's virtualized IP space.

scottalanmiller @Joel

                                      @joel said in ZeroTier / Software VPN question:

No, I do want AD. I want users to authenticate to a local server. 80% of the time they will be in the office, but then the 20% will be outside the office. But whilst outside I want them to log in, access the server's resources and sync folders back to the local server. I guess I'm looking for the most efficient way of doing this hybrid scenario.

                                      That's not a want. That's a how. You never "want" AD, ever. That's not a possible thing from IT. IT's "wants" are always business solutions. AD might be how you provide that solution, but it's impossible for someone truly wearing an IT hat to "want" Active Directory itself.

                                      What's the GOAL here. AD is how you are imagining getting to the goal, but we don't know exactly what your goal is and it can't be what is stated.

                                      A goal would be like "needing strong user password management and user mobility." AD might be how you do that, but there is nothing AD does that only AD does.

JaredBusch

Your stated design is LAN-less. AD is just your specified centralized auth mechanism.

                                        That has nothing to do with the network design.

dafyre @scottalanmiller

                                          @scottalanmiller said in ZeroTier / Software VPN question:

                                          What's the goal in using any LAN IPs here? I don't see any reason to avoid ZT's virtualized IP space.

You can use ZT to bridge its IP space and the corporate LAN space... basically, the DHCP server on your internal LAN will give out IP addresses for the devices directly connected...

i.e. Corporate LAN 10.0.0.0/19

Corporate DHCP server goes 10.0.0.100 - 250
ZT range is 10.0.1.100 - 250.
(The full subnet range is 10.0.0.1 to 10.0.31.254)

                                          When doing it this way, there's no need to install ZT on Desktops and Servers. Only the travelling devices need it.

                                          You don't have to worry about AD getting mucked up with a bunch of unnecessary ZT entries and such.

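The address plan for the bridged design, as an added example (not code from the thread, from ZeroTier, or from either poster): a check that encodes syko24's rule from step 2 of the bridge recipe, that the ZeroTier assignment pool sits inside the LAN subnet without overlapping the LAN DHCP pool, and runs it over dafyre's figures above. The static addresses for DC01, FS01 and the bridge box are hypothetical stand-ins; nothing else is assumed.

```python
"""
Added example, not code from the thread or from ZeroTier: sanity-check the
address plan for the bridged design before touching the Linux bridge box.
The rule being checked is syko24's: the ZeroTier assignment pool must sit in
the LAN subnet without overlapping the LAN DHCP pool. dafyre's figures are
the worked case; the server addresses are hypothetical stand-ins.
"""
import ipaddress


def check_plan(subnet, pools, static_hosts):
    """Return a list of problems (an empty list means the plan is consistent).

    subnet:       the LAN prefix, e.g. "10.0.0.0/19"
    pools:        {name: (first, last)} address ranges handed out by DHCP
                  servers, including ZeroTier's managed assignment pool
    static_hosts: {hostname: address} for servers and the bridge itself
    """
    net = ipaddress.ip_network(subnet, strict=True)
    problems = []
    ranges = {}
    for name, (first, last) in pools.items():
        lo, hi = ipaddress.ip_address(first), ipaddress.ip_address(last)
        if lo > hi:
            problems.append(f"{name}: pool start {lo} is after its end {hi}")
            continue
        if lo not in net or hi not in net:
            problems.append(f"{name}: {lo}-{hi} is not inside {net}")
        if lo == net.network_address or hi == net.broadcast_address:
            problems.append(f"{name}: pool includes the network or broadcast address")
        ranges[name] = (lo, hi)

    # Every pair of pools must be disjoint: the LAN DHCP server and ZeroTier
    # both handing out the same address is exactly the failure to avoid.
    names = sorted(ranges)
    for i, a in enumerate(names):
        for b in names[i + 1:]:
            alo, ahi = ranges[a]
            blo, bhi = ranges[b]
            if alo <= bhi and blo <= ahi:
                problems.append(f"{a} and {b} overlap on {max(alo, blo)}-{min(ahi, bhi)}")

    # Static servers must be in the subnet and outside every pool.
    for host, ip in static_hosts.items():
        addr = ipaddress.ip_address(ip)
        if addr not in net:
            problems.append(f"{host}: {addr} is not inside {net}")
        for name, (lo, hi) in ranges.items():
            if lo <= addr <= hi:
                problems.append(f"{host}: {addr} sits inside the {name} pool")
    return problems


# dafyre's plan: /19 LAN, LAN DHCP in the first /24, ZeroTier pool in the second.
DAFYRE_PLAN = dict(
    subnet="10.0.0.0/19",
    pools={
        "lan-dhcp": ("10.0.0.100", "10.0.0.250"),
        "zerotier": ("10.0.1.100", "10.0.1.250"),
    },
    # Hypothetical static addresses for the DC, file server and bridge box.
    static_hosts={"DC01": "10.0.0.5", "FS01": "10.0.0.10", "zt-bridge": "10.0.0.20"},
)

if __name__ == "__main__":
    for line in check_plan(**DAFYRE_PLAN) or ["plan is consistent"]:
        print(line)
```

Two things the check cannot tell you. A bridged laptop that comes into the office has two interfaces in the same /19 (the LAN NIC with a LAN DHCP lease and the ZeroTier adapter with its ZeroTier assignment), so which path SMB takes depends on the interface metrics; test that on one laptop before rolling it out. And because the Linux box bridges ZeroTier into the whole LAN, every authorized member of the ZeroTier network gets the same reach as a cable in the office; member authorization on that network is then the access control for the LAN, and a stolen laptop's membership should be revoked the same way a VPN account would be.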
black3dynamite

                                            Any objections with setting up OpenVPN instead of using ZeroTier?
