ZeroTier Review
-
Yeah, I never did get that part to work using the shell... so I cheated a little and did it with PHP for creating the network, and I did get a bash script written for authorizing the clients. These scripts need to be in /var/lib/zerotierone.
Sadly, it won't let me upload text files, so here's a link to the PHP Script (it is a text file, so my server won't execute it, lol)
https://beta.wellston.biz/ztCreateNetwork.txt
After you get that done, it will create a network. In the ZeroTier client, copy and paste the network ID (it will show it to you after the network is created, or you can get the Network's ID by:
root@yourserver:~#zerotier-cli /controller/networkAfter you successfully join a client to the network, you will need to authorize the client before it is issued an IP address (Shell Script here): https://beta.wellston.biz/ztAuth.txt
The first is the Network ID (the full 16 digit network id), and the second is the client id. (You can locate the client id in the bottom left of the interface if you are using the gui). If you are trying to connect from a non-gui Linux install, you can run zerotier-cli info again, and it will return your client's ID...
root@yourclient:~#zerotier-cli info 200 info <your id here> ONLINE 1.0.5To authorize the client it would be:
root@yourserver:/var/lib/zerotier-one# ./ztAuth <networkid> <client id>It should spit out a blurb of text. Just check and make sure Authorized=true, and you should be good to go. I would recommend getting a couple of clients working from within the ZeroTier IP addresses before trying to get them to do Client-To-Site.
-
That's awesome. Thanks so much! I'll give this a shot when I get some time today. I'm glad it wasn't just me that couldn't get it through the cli, I think their ReadMe's need some more direction.
-
@johnhooks Very much so, lol. I think they have an admin bit in the works, but I'm not sure if it will be part of the client package or a separate download or what they are going to do with it yet.
-
How did you allow bridging? Just using their hosted account, I checked the box but I can't see any other devices on the network.
-
I treated it as a routed network. So I built a Fedora 22 VM, enabled IP Forwarding and set up the routes on my remote client to my home network via the ztRouter's zt ip addeess.
And then on my home router, I added a route to my Zerotier ip range via the LAN address of my Zerotier router.
Clear as mud?
-
@dafyre said:
I treated it as a routed network. So I built a Fedora 22 VM, enabled IP Forwarding and set up the routes on my remote client to my home network via the ztRouter's zt ip addeess.
And then on my home router, I added a route to my Zerotier ip range via the LAN address of my Zerotier router.
Clear as mud?
Ha :-P. I just figured they had the function built in since there was an option for it. I'll give it a shot.
I was thinking of setting this up at a doctors office because they need a new VPN between the hospital billing and their office. The hospital said a site to site VPN isn't an option, so I figured this might be easier.
-
@dafyre said:
I treated it as a routed network. So I built a Fedora 22 VM, enabled IP Forwarding and set up the routes on my remote client to my home network via the ztRouter's zt ip addeess.
And then on my home router, I added a route to my Zerotier ip range via the LAN address of my Zerotier router.
Clear as mud?
Did you create a bridge before you set up the routes or did you just use the actual interface?
-
@johnhooks said:
@dafyre said:
I treated it as a routed network. So I built a Fedora 22 VM, enabled IP Forwarding and set up the routes on my remote client to my home network via the ztRouter's zt ip addeess.
And then on my home router, I added a route to my Zerotier ip range via the LAN address of my Zerotier router.
Clear as mud?
Ha :-P. I just figured they had the function built in since there was an option for it. I'll give it a shot.
I was thinking of setting this up at a doctors office because they need a new VPN between the hospital billing and their office. The hospital said a site to site VPN isn't an option, so I figured this might be easier.
Why is a Site to Site VPN not an option? If you use this site to site VPN, you would have a site to site VPN. Do you see my confusion? If the hospital thinks that this is not an option, why would this be an option?
-
@scottalanmiller said:
@johnhooks said:
@dafyre said:
I treated it as a routed network. So I built a Fedora 22 VM, enabled IP Forwarding and set up the routes on my remote client to my home network via the ztRouter's zt ip addeess.
And then on my home router, I added a route to my Zerotier ip range via the LAN address of my Zerotier router.
Clear as mud?
Ha :-P. I just figured they had the function built in since there was an option for it. I'll give it a shot.
I was thinking of setting this up at a doctors office because they need a new VPN between the hospital billing and their office. The hospital said a site to site VPN isn't an option, so I figured this might be easier.
Why is a Site to Site VPN not an option? If you use this site to site VPN, you would have a site to site VPN. Do you see my confusion? If the hospital thinks that this is not an option, why would this be an option?
You can do this without site to site. Just have peers connect. All the controller does is allow connections. If you set this up and delete the controller, everything still works.
I don't understand why a site to site is not an option. It would make all of this easier, but that's what I was told. So I was thinking either this or set up an edgerouter with L2TP. He should probably have a new router anyway.
-
@johnhooks said:
@scottalanmiller said:
@johnhooks said:
@dafyre said:
I treated it as a routed network. So I built a Fedora 22 VM, enabled IP Forwarding and set up the routes on my remote client to my home network via the ztRouter's zt ip addeess.
And then on my home router, I added a route to my Zerotier ip range via the LAN address of my Zerotier router.
Clear as mud?
Ha :-P. I just figured they had the function built in since there was an option for it. I'll give it a shot.
I was thinking of setting this up at a doctors office because they need a new VPN between the hospital billing and their office. The hospital said a site to site VPN isn't an option, so I figured this might be easier.
Why is a Site to Site VPN not an option? If you use this site to site VPN, you would have a site to site VPN. Do you see my confusion? If the hospital thinks that this is not an option, why would this be an option?
You can do this without site to site. Just have peers connect. All the controller does is allow connections. If you set this up and delete the controller, everything still works.
I don't understand why a site to site is not an option. It would make all of this easier, but that's what I was told. So I was thinking either this or set up an edgerouter with L2TP. He should probably have a new router anyway.
So site to peers?
-
@scottalanmiller said:
@johnhooks said:
@scottalanmiller said:
@johnhooks said:
@dafyre said:
I treated it as a routed network. So I built a Fedora 22 VM, enabled IP Forwarding and set up the routes on my remote client to my home network via the ztRouter's zt ip addeess.
And then on my home router, I added a route to my Zerotier ip range via the LAN address of my Zerotier router.
Clear as mud?
Ha :-P. I just figured they had the function built in since there was an option for it. I'll give it a shot.
I was thinking of setting this up at a doctors office because they need a new VPN between the hospital billing and their office. The hospital said a site to site VPN isn't an option, so I figured this might be easier.
Why is a Site to Site VPN not an option? If you use this site to site VPN, you would have a site to site VPN. Do you see my confusion? If the hospital thinks that this is not an option, why would this be an option?
You can do this without site to site. Just have peers connect. All the controller does is allow connections. If you set this up and delete the controller, everything still works.
I don't understand why a site to site is not an option. It would make all of this easier, but that's what I was told. So I was thinking either this or set up an edgerouter with L2TP. He should probably have a new router anyway.
So site to peers?
Yes. I was planning on having a peer at the office in bridge mode which forwards requests to the office and out of the office. Then just have clients at the billing office join and disconnect from the network as needed.
I managed to get everything working in a test environment, but I'm leaning more towards an edgerouter now.
-
@johnhooks said:
Yes. I was planning on having a peer at the office in bridge mode which forwards requests to the office and out of the office.
That works. So the problem is that the one side can't be connected to the other. A A can see all of B, but B can't see all of A?
-
@scottalanmiller said:
@johnhooks said:
Yes. I was planning on having a peer at the office in bridge mode which forwards requests to the office and out of the office.
That works. So the problem is that the one side can't be connected to the other. A A can see all of B, but B can't see all of A?
Well I'm not even sure if that's a stipulation. In my experience with this hospital before, I believe it's just because they don't want to do anything on their end. I had set up a client to connect to his existing Cisco router. It works everywhere outside of the hospital's network but they essentially wouldn't attempt to figure out why. That's when I asked if we could do a site to site tunnel and they said "that's not going to happen." So I needed a client/server set up. This will work and is east to connect to but I think the edgerouter will be nicer.
-
@johnhooks said:
Well I'm not even sure if that's a stipulation. In my experience with this hospital before, I believe it's just because they don't want to do anything on their end.
Isn't site to site the "least to do on their end" solution?
-
@scottalanmiller said:
@johnhooks said:
Well I'm not even sure if that's a stipulation. In my experience with this hospital before, I believe it's just because they don't want to do anything on their end.
Isn't site to site the "least to do on their end" solution?
You would think. So we will have to install the client on each billing computer and then they will have to manually connect and disconnect.
This is a hospital that is still using the records system they wrote in DOS and I'm willing to bet dollars to donuts that it's sent via HTTP over the internet from the offices to the hospital. The doctors just run this small application that sends all of the info to the hospital address. I never inspected, but Ive set it up and never had to create or install any certificates.
-
@johnhooks said:
You would think. So we will have to install the client on each billing computer and then they will have to manually connect and disconnect.
Seems their required solution is the opposite of their stated goals.
I need a car but you must only buy a boat.
-
@johnhooks said:
This is a hospital that is still using the records system they wrote in DOS and I'm willing to bet dollars to donuts that it's sent via HTTP over the internet from the offices to the hospital.
Seems unlikely. The gap between DOS was a viable OS and when HTTP was a viable transfer protocol was pretty huge. I suspect they are using something far, far older.
-
@scottalanmiller said:
@johnhooks said:
This is a hospital that is still using the records system they wrote in DOS and I'm willing to bet dollars to donuts that it's sent via HTTP over the internet from the offices to the hospital.
Seems unlikely. The gap between DOS was a viable OS and when HTTP was a viable transfer protocol was pretty huge. I suspect they are using something far, far older.
Well that's even worse then. They are supposed to switch over to the system that this doctors office uses. So I'm sure I'll be in for some fun when the switch happens.
-
That will be a big shock coming from DOS! What OS are they running the app on now? XP, I assume?
-
@scottalanmiller said:
That will be a big shock coming from DOS! What OS are they running the app on now? XP, I assume?
Well I'm not sure about in the hospital itself. They send out discs with updates to the doctors offices so it does run on 7 in the doctors office.
