Zero Tier

YeOldeStonecat

So playing around with Zero Tier. I have a client who had their main LOB app moved to a hosted version, the software vendor hosts the server in a data center, only way in is to VPN in. And...the vendor only supports full time VPN tunnels, not mobile VPN clients. So they have an IPSec tunnel set up between the data center and their office. HUGE 5x alarm fire at a marina next door killed power and internet for the neighborhood last night. Client has to get to their LOB app, so...I played around with Zero Tier..thanks to Sky Knight's suggestion. Cool app....need to learn it more.

First question I have, I was hoping it would allow access to the internal network, or at least the original IP of the host computer.
Say, the host computer has an IP of 10.1.1.10. And the Zero Tier managed virtual IP is 192.168.192.100. From a remote computer, connected to the Zero Tier network, I can of course get replies from 192.168.192.100 when I ping it, but...not from 10.1.1.10. I don't have the need yet, but wondering if it will allow a remote computer to access anything else on the 10.1.1.0/24 network?

The Zero Tier GUI that sits in the systray may not be easily understood by end users, hopefully it can just sit there 24x7 connected without having much/any impact on things.
 
Hey, I was going to try Zero Tier to solve an access issue. ZT free self hosted controller is not licensed for commercial use. So I went with Nebula Mesh VPN instead. Still trying to work out some kinks. There's an unsafe route setting in the config file that one can use to access an internal network. I keep running into an error that prevents the access to internal network.
FATA[0000] failed to set mtu 0 on route 192.168.14.0/24; file exists.

Links to Nebula:


Just wanted to let you know of an alternative.

Thanks,
gpg
 
I'll be signing up with the MSP reseller package they have. I didn't do the self hosted, I did the free ZT hosted one which they do allow any use for, just to wet your whistle.

I've heard of TailScale as a similar product to ZT, TS is based out of Canada. ZT based out of USA...CA.
Haven't heard of Nebula.
 
ZeroTier doesn't do that. https://zerotier.atlassian.net/wiki.../Route+between+ZeroTier+and+Physical+Networks

Note the above tutorial. What's happening is traffic is impacting on the local ZT interface, and the OS at the target is then routing to the LAN. So you could do RRAS as well, but the key here is the OS is doing the routing bit. ZT is just a software defined switch in the cloud that you can connect arbitrary things to.

This is why it's VERY common to have a small docker container that does this, or Linux on an rpi. The edge router just needs to be complex enough to push the ZT IP range route to the local "router" that does the VPN termination and POOF you have your "site-to-site" device.

Though the concept is more compatible with the idea of the agent going on all devices, and then those devices just use the ZT IP range to communicate. But if you want to NAT or route into and out of an external network you need a router! ZT can't be the router too sadly.

@jflitney Netbird looks really good! Going to have to keep an eye on that one, it seems a little early in its dev cycle but I'm liking what I see.
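
The gateway setup described in the post above, sketched as an added example that is not part of the original thread or of ZeroTier's tutorial: it prints, without executing, the commands for a dedicated Linux box that forwards ZeroTier clients into the LAN. The interface names `zt0`/`eth0` and the /24 ZeroTier range are assumptions; 10.1.1.0/24 and 192.168.192.100 are the addresses from the question.

```shell
#!/bin/sh
# Added example: print (do not execute) the commands that turn a Linux
# ZeroTier member into a gateway for the LAN behind it.

# plan_gateway ZT_IF LAN_IF ZT_NET LAN_NET GW_ZT_IP MODE
#   MODE=nat   : hide ZT clients behind the gateway's LAN address
#   MODE=route : no NAT; the edge router needs a route back to ZT_NET
plan_gateway() {
    [ "$#" -eq 6 ] || {
        echo "usage: plan_gateway ZT_IF LAN_IF ZT_NET LAN_NET GW_ZT_IP nat|route" >&2
        return 2
    }
    zt_if=$1 lan_if=$2 zt_net=$3 lan_net=$4 gw_zt_ip=$5 mode=$6
    [ "$zt_net" != "$lan_net" ] || {
        echo "ZT and LAN ranges must differ" >&2
        return 1
    }
    case $mode in
        nat|route) ;;
        *) echo "mode must be nat or route" >&2; return 2 ;;
    esac

    # Members only send LAN-bound traffic to the gateway once the
    # controller hands them this managed route.
    echo "# ZeroTier controller: add managed route $lan_net via $gw_zt_ip"
    # The OS does the routing; ZeroTier only delivers packets to zt_if.
    echo "sysctl -w net.ipv4.ip_forward=1"
    # Dedicated gateway assumed: forward nothing except the rules below.
    echo "iptables -P FORWARD DROP"
    echo "iptables -A FORWARD -i $zt_if -o $lan_if -s $zt_net -d $lan_net -j ACCEPT"
    echo "iptables -A FORWARD -i $lan_if -o $zt_if -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT"
    if [ "$mode" = nat ]; then
        echo "iptables -t nat -A POSTROUTING -s $zt_net -o $lan_if -j MASQUERADE"
    else
        echo "# Edge router: add static route $zt_net via this gateway's LAN address"
    fi
}

# Addresses from the thread; zt0, eth0 and the /24 ZT range are assumed.
plan_gateway zt0 eth0 192.168.192.0/24 10.1.1.0/24 192.168.192.100 nat
```

The FORWARD rules let ZeroTier members open connections into the LAN but only allow reply traffic back, so LAN hosts cannot initiate connections to remote members through the gateway.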
 
https://github.com/cedrickchee/awesome-wireguard many wireguard projects
 