    ZeroTier / Software VPN question

    • JoelJ
      Joel @JaredBusch
      last edited by

      @jaredbusch said in ZeroTier / Software VPN question:

      @joel said in ZeroTier / Software VPN question:

      Forgive me, what's an SDN?
      When you say set my DNS records to ZT addresses, do you mean on my DNS server (my DC) set the DNS for the FS01 to point to ZT IP?

      For a more positive answer, you can hybrid the approach, but things get very complicated as you need to be very certain of connectivity and DNS settings for everything.

      A hybrid approach means putting ZT on all your servers that devices will need to reach over the ZT subnet.

      Then you setup all the laptops with ZT.

      Then you need to setup DNS to handle it. In my case I do not want to fuck with AD's normal functionality, so I hardcode some settings in the hosts file of the laptops that need it.

      Okay thanks.
      So if we have all users moving onto a laptop (no more office-based desktops), they want to be able to work inside and outside the office and access all the same resources, have all group policies working, etc., regardless of where they are. In this scenario, would the hybrid be the best option then? E.g. install ZT on my DC and FS, then change DNS to point to ZT IPs, and then install ZT on all laptops?

      I'm looking for the best way to do this. It's a small network, so if I have to edit hosts files on laptops I can, but what do you think is the best way to have everything running with full access regardless of where users are?

      JaredBuschJ scottalanmillerS 2 Replies Last reply Reply Quote 0
      • JaredBuschJ
        JaredBusch @Joel
        last edited by

        @joel said in ZeroTier / Software VPN question:

        Okay thanks.
        So if we have all users moving onto a laptop (no more office-based desktops), they want to be able to work inside and outside the office and access all the same resources, have all group policies working, etc., regardless of where they are. In this scenario, would the hybrid be the best option then? E.g. install ZT on my DC and FS, then change DNS to point to ZT IPs, and then install ZT on all laptops?

        I'm looking for the best way to do this. It's a small network, so if I have to edit hosts files on laptops I can, but what do you think is the best way to have everything running with full access regardless of where users are?

        This tells us that you don't want AD at all.

        You are talking about a LAN-less design entirely.

        We have a few tagged topics on this subject.
        https://mangolassi.it/tags/lanless

        JoelJ 1 Reply Last reply Reply Quote 4
        • JoelJ
          Joel @JaredBusch
          last edited by

          @jaredbusch said in ZeroTier / Software VPN question:


          This tells us that you don't want AD at all.

          You are talking about a LAN-less design entirely.

          We have a few tagged topics on this subject.
          https://mangolassi.it/tags/lanless

          No, I do want AD... I want users to authenticate to a local server. 80% of the time they will be in the office, but the other 20% they will be outside the office. But whilst outside I want them to log in, access the server's resources and sync folders back to the local server. I guess I'm looking for the most efficient way of doing this hybrid scenario.

          DashrenderD syko24S scottalanmillerS 3 Replies Last reply Reply Quote 0
          • DashrenderD
            Dashrender @Joel
            last edited by

            @joel said in ZeroTier / Software VPN question:


            No, I do want AD... I want users to authenticate to a local server. 80% of the time they will be in the office, but the other 20% they will be outside the office. But whilst outside I want them to log in, access the server's resources and sync folders back to the local server. I guess I'm looking for the most efficient way of doing this hybrid scenario.

            Why do you want that, though? If you can do syncing, you could, for example, move to O365, have your Windows 10 machines all authenticate with O365, sync files in ODfB and SharePoint, and skip having servers on site at all. If you want GPOs you'll have to buy that add-on for your users (advanced AD, I think it might be called).

            1 Reply Last reply Reply Quote 2
            • syko24S
              syko24 @Joel
              last edited by syko24

              @joel - I was able to make this work in a lab setting.

              Here is what I did:

              1. Install ZeroTier on a Linux box or VM in your office. You don't have to install ZT on your Windows servers, as the Linux system is going to act as a bridge to the entire local network.
              2. Set up your ZeroTier network to hand out IP addresses in the same subnet as your local network. Just don't overlap the DHCP addresses on your local network.
              3. Set the Linux machine into bridge mode. Read this post about bridge mode setup: https://mangolassi.it/topic/8566/zerotier-bridging-configuration/2
              4. Install ZeroTier on your laptops and join the network.
              5. On the laptops, edit the DNS on the ZT network adapter to point to your domain controller(s).

              I did this a year ago, so there may be a setting or two I am overlooking. There is a possibility that if you set your laptops' ZT adapter to obtain an address automatically, they will pull their IP from the local DHCP server and you may not need to set addresses from ZT.

              1 Reply Last reply Reply Quote 0
              • syko24S
                syko24
                last edited by

                Just another note with ZeroTier. On your Windows clients make sure you change the ZeroTier One Service Recovery options to restart the service on failures. Sometimes on Windows 10 it doesn't start when the computer boots up so the recovery option will hopefully restart the service if needed.

                1 Reply Last reply Reply Quote 0
                • scottalanmillerS
                  scottalanmiller @Joel
                  last edited by

                  @joel said in ZeroTier / Software VPN question:

                  Okay thanks.
                  So if we have all users moving onto a laptop (no more office-based desktops), they want to be able to work inside and outside the office and access all the same resources, have all group policies working, etc., regardless of where they are. In this scenario, would the hybrid be the best option then? E.g. install ZT on my DC and FS, then change DNS to point to ZT IPs, and then install ZT on all laptops?

                  I'm looking for the best way to do this. It's a small network, so if I have to edit hosts files on laptops I can, but what do you think is the best way to have everything running with full access regardless of where users are?

                  What's the goal in using any LAN IPs here? I don't see any reason to avoid ZT's virtualized IP space.

                  dafyreD 1 Reply Last reply Reply Quote 0
                  • scottalanmillerS
                    scottalanmiller @Joel
                    last edited by

                    @joel said in ZeroTier / Software VPN question:


                    No, I do want AD... I want users to authenticate to a local server. 80% of the time they will be in the office, but the other 20% they will be outside the office. But whilst outside I want them to log in, access the server's resources and sync folders back to the local server. I guess I'm looking for the most efficient way of doing this hybrid scenario.

                    That's not a want. That's a how. You never "want" AD, ever. That's not a possible thing from IT. IT's "wants" are always business solutions. AD might be how you provide that solution, but it's impossible for someone truly wearing an IT hat to "want" Active Directory itself.

                    What's the GOAL here? AD is how you are imagining getting to the goal, but we don't know exactly what your goal is, and it can't be what is stated.

                    A goal would be like "needing strong user password management and user mobility." AD might be how you do that, but there is nothing AD does that only AD does.

                    1 Reply Last reply Reply Quote 0
                    • JaredBuschJ
                      JaredBusch
                      last edited by

                      Your stated design is LAN-less. AD is just your specified centralized auth mechanism.

                      That has nothing to do with the network design.

                      1 Reply Last reply Reply Quote 1
                      • dafyreD
                        dafyre @scottalanmiller
                        last edited by

                        @scottalanmiller said in ZeroTier / Software VPN question:


                        What's the goal in using any LAN IPs here? I don't see any reason to avoid ZT's virtualized IP space.

                        You can use ZT to bridge its IP space and the corporate LAN space... basically, the DHCP server on your internal LAN will give out IP addresses for the devices directly connected...

                        I.e.: Corporate LAN 10.0.0.0/19

                        Corporate DHCP server hands out 10.0.0.100 - 10.0.0.250
                        ZT range is 10.0.1.100 - 10.0.1.250
                        (The full subnet range is 10.0.0.1 to 10.0.31.254)

                        When doing it this way, there's no need to install ZT on Desktops and Servers. Only the travelling devices need it.

                        You don't have to worry about AD getting mucked up with a bunch of unnecessary ZT entries and such.

                        1 Reply Last reply Reply Quote 0
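As an added example, not code posted by anyone in this thread, here is a small Python check of the address plan dafyre lays out above, which also covers syko24's step 2 warning not to overlap the on-site DHCP pool: it confirms that both the corporate DHCP pool and the ZeroTier managed-IP pool sit inside the 10.0.0.0/19 LAN and do not overlap each other. The pool labels and the `check_pools` function are my own; the addresses are the ones from the post.

```python
import ipaddress

# Constructed from the numbers in dafyre's post: one /19 corporate LAN whose
# on-site DHCP server hands out one slice and whose ZeroTier managed-IP pool
# hands out a different slice. Both are bridged onto the same L2 segment, so
# any overlap would produce duplicate addresses.
LAN = ipaddress.ip_network("10.0.0.0/19")
POOLS = {
    "corporate-dhcp": ("10.0.0.100", "10.0.0.250"),
    "zerotier":       ("10.0.1.100", "10.0.1.250"),
}


def pool_to_range(start, end):
    """Return (first, last) as integers, rejecting a pool whose end precedes its start."""
    a, b = ipaddress.ip_address(start), ipaddress.ip_address(end)
    if a > b:
        raise ValueError(f"pool start {a} is after its end {b}")
    return int(a), int(b)


def check_pools(lan, pools):
    """Validate an address plan for a bridged ZeroTier network.

    Every pool must lie inside the usable host range of `lan` (network and
    broadcast addresses excluded), and no two pools may intersect.
    Returns a list of human-readable problems; an empty list means the plan is safe.
    """
    problems = []
    ranges = {}
    usable_lo = int(lan.network_address) + 1
    usable_hi = int(lan.broadcast_address) - 1
    for name, (start, end) in pools.items():
        a, b = pool_to_range(start, end)
        if a < usable_lo or b > usable_hi:
            problems.append(f"{name} {start}-{end} is not inside usable {lan}")
        ranges[name] = (a, b)
    names = sorted(ranges)
    for i, n1 in enumerate(names):
        for n2 in names[i + 1:]:
            a1, b1 = ranges[n1]
            a2, b2 = ranges[n2]
            if a1 <= b2 and a2 <= b1:  # closed intervals intersect
                problems.append(f"{n1} and {n2} overlap")
    return problems


if __name__ == "__main__":
    for line in check_pools(LAN, POOLS) or ["ok: pools are disjoint and inside the LAN"]:
        print(line)
```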
                        • black3dynamiteB
                          black3dynamite
                          last edited by

                          Any objections with setting up OpenVPN instead of using ZeroTier?

                          JaredBuschJ 1 Reply Last reply Reply Quote 0
                          • JaredBuschJ
                            JaredBusch @black3dynamite
                            last edited by

                            @black3dynamite said in ZeroTier / Software VPN question:

                            Any objections with setting up OpenVPN instead of using ZeroTier?

                            I dislike how OpenVPN is a pain in the ass inside Windows.

                            But it does work well.

                            I prefer to use L2TP/IPSEC.

                            1 Reply Last reply Reply Quote 1