ZeroTier Review
-
Oh that is a bit better.
-
And very much a current project, lol. I got help with an issue via the Github Issue tracker, lol. And got emails from them about screenshotting for the write up.
-
See updates above... Client-To-Site VPN is now working... sadly, I don't have a second site that I could hijack ^W use for testing... Yet. I feel a visit to family coming on, lol.
-
I must be dense. To set up the controller you compile the same zerotierone package but pass make ZT_ENABLE_NETWORK_CONTROLLER=1 first?
-
@johnhooks Yeah. When you build it with the controller enabled, it also builds the client too, so there's just one install to manage... I just discovered a shortcut to the rigamarole I went through before to initially get the installer...
cd /path/to/ztsource make ZT_ENABLE_NETWORK_CONTROLLER=1 installer
Will correctly build the controller bits in, as well as generate the installer script.
sudo ./ZeroTierOneInstaller-linux-x64-1_0_5
Will install it in /var/lib/zerotier-one, and install the init.d files (or the systemd files, whatever the going rate is these days)...
You can check to see if you have the controller in stalled correctly by doing this:
root@yourserver:~# zerotier-cli /controller { "controller": true, "apiVersion": 1, "clock": 1441048250252, "instanceId": "#####################" }
If it is installed correctly with the controller bits enabled, it should look like that.
If it did not install with the controller bits, then you'll get a 404 error.
-
@dafyre Thanks!
-
Hey @johnhooks ,
Havae you tried to get the Site-To-Site working yet?
-
@dafyre said:
Hey @johnhooks ,
Havae you tried to get the Site-To-Site working yet?
I got everything installed, but I got stuck at creating a network haha.
-
Yeah, I never did get that part to work using the shell... so I cheated a little and did it with PHP for creating the network, and I did get a bash script written for authorizing the clients. These scripts need to be in /var/lib/zerotierone.
Sadly, it won't let me upload text files, so here's a link to the PHP Script (it is a text file, so my server won't execute it, lol)
https://beta.wellston.biz/ztCreateNetwork.txt
After you get that done, it will create a network. In the ZeroTier client, copy and paste the network ID (it will show it to you after the network is created, or you can get the Network's ID by:
root@yourserver:~#zerotier-cli /controller/network
After you successfully join a client to the network, you will need to authorize the client before it is issued an IP address (Shell Script here): https://beta.wellston.biz/ztAuth.txt
The first is the Network ID (the full 16 digit network id), and the second is the client id. (You can locate the client id in the bottom left of the interface if you are using the gui). If you are trying to connect from a non-gui Linux install, you can run zerotier-cli info again, and it will return your client's ID...
root@yourclient:~#zerotier-cli info 200 info <your id here> ONLINE 1.0.5
To authorize the client it would be:
root@yourserver:/var/lib/zerotier-one# ./ztAuth <networkid> <client id>
It should spit out a blurb of text. Just check and make sure Authorized=true, and you should be good to go. I would recommend getting a couple of clients working from within the ZeroTier IP addresses before trying to get them to do Client-To-Site.
-
That's awesome. Thanks so much! I'll give this a shot when I get some time today. I'm glad it wasn't just me that couldn't get it through the cli, I think their ReadMe's need some more direction.
-
@johnhooks Very much so, lol. I think they have an admin bit in the works, but I'm not sure if it will be part of the client package or a separate download or what they are going to do with it yet.
-
How did you allow bridging? Just using their hosted account, I checked the box but I can't see any other devices on the network.
-
I treated it as a routed network. So I built a Fedora 22 VM, enabled IP Forwarding and set up the routes on my remote client to my home network via the ztRouter's zt ip addeess.
And then on my home router, I added a route to my Zerotier ip range via the LAN address of my Zerotier router.
Clear as mud?
-
@dafyre said:
I treated it as a routed network. So I built a Fedora 22 VM, enabled IP Forwarding and set up the routes on my remote client to my home network via the ztRouter's zt ip addeess.
And then on my home router, I added a route to my Zerotier ip range via the LAN address of my Zerotier router.
Clear as mud?
Ha :-P. I just figured they had the function built in since there was an option for it. I'll give it a shot.
I was thinking of setting this up at a doctors office because they need a new VPN between the hospital billing and their office. The hospital said a site to site VPN isn't an option, so I figured this might be easier.
-
@dafyre said:
I treated it as a routed network. So I built a Fedora 22 VM, enabled IP Forwarding and set up the routes on my remote client to my home network via the ztRouter's zt ip addeess.
And then on my home router, I added a route to my Zerotier ip range via the LAN address of my Zerotier router.
Clear as mud?
Did you create a bridge before you set up the routes or did you just use the actual interface?
-
@johnhooks said:
@dafyre said:
I treated it as a routed network. So I built a Fedora 22 VM, enabled IP Forwarding and set up the routes on my remote client to my home network via the ztRouter's zt ip addeess.
And then on my home router, I added a route to my Zerotier ip range via the LAN address of my Zerotier router.
Clear as mud?
Ha :-P. I just figured they had the function built in since there was an option for it. I'll give it a shot.
I was thinking of setting this up at a doctors office because they need a new VPN between the hospital billing and their office. The hospital said a site to site VPN isn't an option, so I figured this might be easier.
Why is a Site to Site VPN not an option? If you use this site to site VPN, you would have a site to site VPN. Do you see my confusion? If the hospital thinks that this is not an option, why would this be an option?
-
@scottalanmiller said:
@johnhooks said:
@dafyre said:
I treated it as a routed network. So I built a Fedora 22 VM, enabled IP Forwarding and set up the routes on my remote client to my home network via the ztRouter's zt ip addeess.
And then on my home router, I added a route to my Zerotier ip range via the LAN address of my Zerotier router.
Clear as mud?
Ha :-P. I just figured they had the function built in since there was an option for it. I'll give it a shot.
I was thinking of setting this up at a doctors office because they need a new VPN between the hospital billing and their office. The hospital said a site to site VPN isn't an option, so I figured this might be easier.
Why is a Site to Site VPN not an option? If you use this site to site VPN, you would have a site to site VPN. Do you see my confusion? If the hospital thinks that this is not an option, why would this be an option?
You can do this without site to site. Just have peers connect. All the controller does is allow connections. If you set this up and delete the controller, everything still works.
I don't understand why a site to site is not an option. It would make all of this easier, but that's what I was told. So I was thinking either this or set up an edgerouter with L2TP. He should probably have a new router anyway.
-
@johnhooks said:
@scottalanmiller said:
@johnhooks said:
@dafyre said:
I treated it as a routed network. So I built a Fedora 22 VM, enabled IP Forwarding and set up the routes on my remote client to my home network via the ztRouter's zt ip addeess.
And then on my home router, I added a route to my Zerotier ip range via the LAN address of my Zerotier router.
Clear as mud?
Ha :-P. I just figured they had the function built in since there was an option for it. I'll give it a shot.
I was thinking of setting this up at a doctors office because they need a new VPN between the hospital billing and their office. The hospital said a site to site VPN isn't an option, so I figured this might be easier.
Why is a Site to Site VPN not an option? If you use this site to site VPN, you would have a site to site VPN. Do you see my confusion? If the hospital thinks that this is not an option, why would this be an option?
You can do this without site to site. Just have peers connect. All the controller does is allow connections. If you set this up and delete the controller, everything still works.
I don't understand why a site to site is not an option. It would make all of this easier, but that's what I was told. So I was thinking either this or set up an edgerouter with L2TP. He should probably have a new router anyway.
So site to peers?
-
@scottalanmiller said:
@johnhooks said:
@scottalanmiller said:
@johnhooks said:
@dafyre said:
I treated it as a routed network. So I built a Fedora 22 VM, enabled IP Forwarding and set up the routes on my remote client to my home network via the ztRouter's zt ip addeess.
And then on my home router, I added a route to my Zerotier ip range via the LAN address of my Zerotier router.
Clear as mud?
Ha :-P. I just figured they had the function built in since there was an option for it. I'll give it a shot.
I was thinking of setting this up at a doctors office because they need a new VPN between the hospital billing and their office. The hospital said a site to site VPN isn't an option, so I figured this might be easier.
Why is a Site to Site VPN not an option? If you use this site to site VPN, you would have a site to site VPN. Do you see my confusion? If the hospital thinks that this is not an option, why would this be an option?
You can do this without site to site. Just have peers connect. All the controller does is allow connections. If you set this up and delete the controller, everything still works.
I don't understand why a site to site is not an option. It would make all of this easier, but that's what I was told. So I was thinking either this or set up an edgerouter with L2TP. He should probably have a new router anyway.
So site to peers?
Yes. I was planning on having a peer at the office in bridge mode which forwards requests to the office and out of the office. Then just have clients at the billing office join and disconnect from the network as needed.
I managed to get everything working in a test environment, but I'm leaning more towards an edgerouter now.
-
@johnhooks said:
Yes. I was planning on having a peer at the office in bridge mode which forwards requests to the office and out of the office.
That works. So the problem is that the one side can't be connected to the other. A A can see all of B, but B can't see all of A?