Category Archives: ZeroTier

Part 5: Bonus! Use ZeroTier as mobile VPN.

Here is a bonus post.  I am not going to go into deep detail, but this should be enough to give a good idea of how to do it.

The first thing I would suggest is creating a second ZeroTier network, separate from the routed LAN network, for all the mobile devices.  Make sure its IP subnet is different from anything else in use; following the earlier examples, say 10.10.0.0/24.  Next, under Advanced, set the auto-assign range to .10 through .250 of the last octet.  The reason is that we are going to give the routervms addresses below that range and turn them into NAT routers on their own IPs.  Also reserve one of the higher IPs (say .254) as a floating IP shared between the VMs.  That way the clients route to .254, and if one host is having problems you just move .254 to another host, wait about 30 seconds, and things should work again.

Now for what makes this work for the clients: you need to add managed routes to the ZeroTier network.  There are two options, with comments on each.

  1. Add
    • 0.0.0.0/0 via 10.10.0.254
    • This is the most common option and the one most people would use.  It is a simple route to push as the default, sending everything.  The problem I ran into is that not everything can take a default route like this out of the box, so I gamed the system with the next one.
  2. Or add
    • 0.0.0.0/1 via 10.10.0.254
    • 128.0.0.0/1 via 10.10.0.254
    • The reason this works is that neither route is technically a default route, yet together the two /1s cover the entire IPv4 address space.  Because each /1 is more specific than the client's own 0.0.0.0/0 default, longest-prefix matching picks them over that default in most cases.
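
To see why the split works, here is an added example (not code from the original post) that models a mobile client's routing table with Python's ipaddress module and resolves destinations by longest-prefix match, the same rule the kernel applies.  The client's LAN subnet 192.168.1.0/24 and gateway 192.168.1.1 are assumed; the ZeroTier gateway 10.10.0.254 and subnet 10.10.0.0/24 are the post's.  It also checks that the covering pair has to be written as 0.0.0.0/1 and 128.0.0.0/1, since an IPv4 route with a /128 mask is not valid.

```python
"""Longest-prefix match on a mobile client: pushed /0 vs. the split /1 pair.

Added example, not code from the original post.  Assumed values: the client's
LAN is 192.168.1.0/24 with gateway 192.168.1.1.  The ZeroTier side follows the
post: clients live in 10.10.0.0/24 and route via the floating 10.10.0.254.
"""
import ipaddress
from typing import List, Optional, Tuple

ZT_GATEWAY = "10.10.0.254"
LAN_GATEWAY = "192.168.1.1"                   # assumed: the client's own default gateway
PLAIN_DEFAULT = ["0.0.0.0/0"]                 # option 1 from the post
SPLIT_DEFAULT = ["0.0.0.0/1", "128.0.0.0/1"]  # option 2 from the post

# A route is (prefix, next hop, metric); "direct" marks a connected subnet.
Route = Tuple[ipaddress.IPv4Network, str, int]


def parse_route(cidr: str) -> ipaddress.IPv4Network:
    """Validate a pushed route; raises ValueError for anything that is not an IPv4 prefix."""
    net = ipaddress.ip_network(cidr, strict=True)
    if not isinstance(net, ipaddress.IPv4Network):
        raise ValueError(f"{cidr} is not an IPv4 route")
    return net


def is_valid_ipv4_route(cidr: str) -> bool:
    try:
        parse_route(cidr)
    except ValueError:
        return False
    return True


def client_table(pushed: List[str], pushed_metric: int = 100) -> List[Route]:
    """Routing table of a client that already has its own default route."""
    table: List[Route] = [
        (ipaddress.ip_network("192.168.1.0/24"), "direct", 0),   # assumed client LAN
        (ipaddress.ip_network("10.10.0.0/24"), "direct", 0),     # the mobile ZeroTier network
        (ipaddress.ip_network("0.0.0.0/0"), LAN_GATEWAY, 100),   # the client's existing default
    ]
    for cidr in pushed:
        table.append((parse_route(cidr), ZT_GATEWAY, pushed_metric))
    return table


def lookup(table: List[Route], dst: str) -> Optional[str]:
    """Longest prefix wins; on equal length the lower metric wins; on a full
    tie the route installed first (the client's own) is kept."""
    addr = ipaddress.ip_address(dst)
    best_key = None
    best_hop = None
    for prefix, hop, metric in table:
        if addr not in prefix:
            continue
        key = (prefix.prefixlen, -metric)
        if best_key is None or key > best_key:
            best_key, best_hop = key, hop
    return best_hop


def next_hop(pushed: List[str], dst: str, pushed_metric: int = 100) -> Optional[str]:
    return lookup(client_table(pushed, pushed_metric), dst)


def covers_everything(cidrs: List[str]) -> bool:
    """True if the routes together cover the whole IPv4 space."""
    nets = [parse_route(c) for c in cidrs]
    return list(ipaddress.collapse_addresses(nets)) == [ipaddress.ip_network("0.0.0.0/0")]


if __name__ == "__main__":
    for name, pushed in (("0.0.0.0/0", PLAIN_DEFAULT), ("/1 + /1", SPLIT_DEFAULT)):
        print(f"{name:10} 8.8.8.8 -> {next_hop(pushed, '8.8.8.8')}, "
              f"200.1.2.3 -> {next_hop(pushed, '200.1.2.3')}")
    print("split covers all of IPv4:", covers_everything(SPLIT_DEFAULT))
    print("0.0.0.0/128 is a valid IPv4 route:", is_valid_ipv4_route("0.0.0.0/128"))
```

Run it with python3 and it prints the next hop each option yields for two public addresses.  The pushed /0 only wins if the client gives it a better metric than its own default, which is exactly the knob some clients do not expose, while the /1 pair wins on prefix length alone and leaves the connected LAN and ZeroTier subnets untouched.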

At this point it is time to configure all the routervms: enable NAT routing and put the IPs on them.

      1. Join the routervms to the new VPN network
      2. Run the following so the routervms do not accept the managed addresses and routes pushed by the controller (a routervm that followed the routes it is itself the gateway for would send its own traffic back into the tunnel and break routing):
        • sudo zerotier-cli set <network> allowManaged=false
          sudo zerotier-cli set <network> allowGlobal=false
          sudo zerotier-cli set <network> allowDefault=false
      3. Edit /etc/sysctl.conf and add the following to the bottom (it takes effect on the next boot, or immediately with sysctl -p):
        • net.ipv4.ip_forward = 1
      4. Edit /etc/sysconfig/iptables.  On CentOS 7 this file is loaded by the iptables service from the iptables-services package, so that package has to be installed and enabled now that firewalld is disabled.  The FORWARD policy is DROP: the VPN subnet may go out through eth0, and only replies to those connections come back in.  Replies are matched by conntrack state rather than by accepting anything from eth0 addressed to 10.10.0.0/24, so nothing on the LAN can initiate connections to the mobile clients through this box.
        • *nat
          :PREROUTING ACCEPT [0:0]
          :INPUT ACCEPT [0:0]
          :OUTPUT ACCEPT [0:0]
          :POSTROUTING ACCEPT [0:0]
          -A POSTROUTING -s 10.10.0.0/24 -o eth0 -j SNAT --to-source eth.ip.goes.here
          COMMIT
          *filter
          :INPUT ACCEPT [0:0]
          :FORWARD DROP [0:0]
          :OUTPUT ACCEPT [0:0]
          -A FORWARD -i zt+ -s 10.10.0.0/24 -j ACCEPT
          -A FORWARD -i eth0 -o zt+ -d 10.10.0.0/24 -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
          COMMIT
      5. Now give each routervm its own address from below the auto-assign range: one gets .1, another .2, and so on.  Because managed addressing was turned off in step 2, set it in the host's own network config so it comes back after a reboot and the VM at least shows up on the network.
      6. Now add .254 to only one of the routervms.  This one is deliberately added by hand and not persisted, since it is the floating address you move between hosts:
        • ip addr add 10.10.0.254/24 dev <zerotier interface name>

If everything was done right (and I did not skip a step) you should now be able to join a new device and approve it for the network.  It should then start sending all its traffic to the designated routervm and hopefully have internet connectivity.

Now for the real reason for sending all traffic to .254 and having it as a secondary IP.  I have yet to try to configure this, but it should be possible to set up Heartbeat or Pacemaker to control the .254 address so that it moves automatically between the hosts as they fail on the network, thus ensuring you always have access across the "VPN".

Part 4: Test everything including breaking it!

At this point, if everything works, you should be able to ping between the networks.  If that isn't working, then you need to troubleshoot what is breaking communication down.  This could be anything from the two local routers not sharing routes to the routers not talking over ZeroTier.  The point I am trying to push across is that there are no simple gotchas I can offer troubleshooting steps for.

Once connectivity across the LANs is working, the next good thing to do is break it, of course.  The first simple break I would suggest is just rebooting the router VMs.  Ideally, if everything is set up right, once they are booted back up and the services start, routing should be restored and everything should work again.  Again, if things do not work, the next thing to do is troubleshoot and solve, as there are too many possibilities to mention.  I would even suggest breaking the routing daemons and making sure you can repair them as needed.

At the end of this you have a working multi-site LAN in which each site has its own IP subnet.

Final comment: people have asked me whether it is possible to bridge LANs.  The answer is yes, but that is an entirely different process and one I would not recommend.

Part 3: Setup router to use the routing VM(s)

With the VM building out of the way, on to configuring the VMs.

First a little more software install/prep work

yum install quagga
systemctl enable zebra
systemctl enable ospfd
systemctl disable firewalld
cp /usr/share/doc/quagga-*/zebra.conf.sample /etc/quagga/zebra.conf
cp /usr/share/doc/quagga-*/ospfd.conf.sample /etc/quagga/ospfd.conf
chown quagga:quagga /etc/quagga/*.conf
setsebool -P zebra_write_config 1
systemctl start zebra
systemctl start ospfd
systemctl stop firewalld
vtysh

Basically: install Quagga, a routing daemon suite whose CLI works much like Cisco IOS, and enable the two services we need for IPv4 connectivity.  zebra is the main Quagga daemon; ospfd is the daemon that makes this an OSPF router.  There is also an ospf6d daemon, which I have yet to try, for routing the fd00::/8 IPv6 network.
In the process of setting this up, I found the default firewall is pointless and causes problems with the routing daemons unless you open the right ports and subnets.  I chose to disable the firewall, as these VMs are not directly exposed to the internet and are behind firewalls already.
The last two odd commands that may not be familiar:
The setsebool allows the Quagga daemons to modify the /etc/quagga/*.conf files, which the write command below needs under SELinux.
The vtysh is how you get into the Quagga shell, which leads into the next bit.

routervm-site1# conf t
routervm-site1(config)# int eth0
routervm-site1(config-if)# ip address 10.10.9.2/29
routervm-site1(config-if)# ip ospf authentication message-digest
routervm-site1(config-if)# ip ospf message-digest-key 1 md5 quagga
routervm-site1(config-if)# exit
routervm-site1(config)# int zt-interfacename
routervm-site1(config-if)# ip address 10.10.10.251/24
routervm-site1(config-if)# ip ospf authentication message-digest
routervm-site1(config-if)# ip ospf message-digest-key 1 md5 quagga
routervm-site1(config-if)# exit
routervm-site1(config)# router ospf
routervm-site1(config-router)# ospf router-id 10.10.10.251
routervm-site1(config-router)# network 10.10.10.0/24 area 0.0.0.0
routervm-site1(config-router)# network 10.10.9.0/29 area 0.0.0.1
routervm-site1(config-router)# area 0.0.0.0 authentication message-digest
routervm-site1(config-router)# neighbor 10.10.10.252
routervm-site1(config-router)# neighbor 10.10.10.253
routervm-site1(config-router)# exit
routervm-site1(config)# ip forwarding
routervm-site1(config)# ipv6 forwarding
routervm-site1(config)# exit
routervm-site1# write

To sum this up:

    • Enter configuration terminal
    • interface eth0 (you may need to change this to match; the newer predictable names like eno2345 are possible)
    • Configure the IP address
    • Set up MD5 authentication and define the key "quagga" (the value from the sample config; use your own secret, since anyone who knows the key and can reach the segment can form an adjacency and inject routes)
    • Drops back to config terminal, and then into the ZeroTier interface
    • A repeat of the eth0 interface, just with a different IP
    • Drops back to config terminal, and into the OSPF routing bit
    • Defines the OSPF router ID; I chose the ZeroTier IP.
    • Defines the networks OSPF is to run on and in what area, given as the subnet rather than the interface address
      • The ZeroTier subnet goes in the backbone area 0.0.0.0 and the site's /29 in area 0.0.0.1; I did not want to get more complex than that
    • Defines the backbone area to use MD5 authentication (the interface-level commands above already enforce it on both interfaces)
    • Defines the OSPF neighbors,
      • In this case the other two VMs in the ZeroTier network.  Quagga only uses neighbor statements on non-broadcast (NBMA) interfaces; on a broadcast-type interface, which is the default, hellos to 224.0.0.5 discover the neighbors on their own.
    • Drops back and sets IP forwarding for IPv4 and IPv6
    • Drops back again and writes configs to disk

At each site where one of these VMs is set up, change the addresses as needed (network interfaces, neighbors, and router-id).
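
Since the three routervms differ only in their addresses, here is an added example (not code from the original post or from the Quagga project) that derives each site's addresses from the plan in Parts 2 and 3 and prints the vtysh commands for that site.  Assumptions: the /29s are carved in site order from 10.10.9.0/27 (.0, .8, .16), the MikroTik takes the first host address of each /29 and the routervm the second, the ZeroTier addresses are 10.10.10.251 through .253 in site order, and the interface names are parameters because they differ per host.  The network statements use the subnet address, which is the canonical form for Quagga, and the MD5 key is a required parameter so the sample value does not get reused by accident.

```python
"""Derive each site's routervm addressing and print its vtysh OSPF configuration.

Added example, not code from the original post.  Assumed plan (matching the
values in Parts 2 and 3): point-to-point /29s come from 10.10.9.0/27 in site
order, the MikroTik takes the first host and the routervm the second, and the
ZeroTier side is 10.10.10.251, .252, .253.  Nothing here talks to a router.
"""
import ipaddress
import sys
from typing import Dict, List

P2P_BLOCK = ipaddress.ip_network("10.10.9.0/27")   # four /29s; three are used
ZT_NET = ipaddress.ip_network("10.10.10.0/24")
ZT_FIRST_HOST = 251                                 # site 1 routervm is .251
SITES = 3


def zt_address(site: int) -> ipaddress.IPv4Address:
    return ZT_NET.network_address + ZT_FIRST_HOST + (site - 1)


def site_plan(site: int) -> Dict[str, object]:
    """Addresses one site needs: its /29, both ends of it, ZT IP, OSPF neighbors."""
    if not 1 <= site <= SITES:
        raise ValueError(f"site must be between 1 and {SITES}")
    p2p = list(P2P_BLOCK.subnets(new_prefix=29))[site - 1]
    hosts = list(p2p.hosts())
    return {
        "p2p": p2p,
        "gateway": hosts[0],            # MikroTik side of the /29
        "routervm": hosts[1],           # this VM's eth0 address
        "zt_ip": zt_address(site),
        "router_id": zt_address(site),  # the post uses the ZeroTier IP as router-id
        "neighbors": [str(zt_address(s)) for s in range(1, SITES + 1) if s != site],
    }


def vtysh_config(site: int, md5_key: str, lan_if: str = "eth0",
                 zt_if: str = "zt-interfacename") -> str:
    """The vtysh command sequence from Part 3, filled in for one site."""
    plan = site_plan(site)
    p2p = plan["p2p"]
    lines: List[str] = [
        "configure terminal",
        f"interface {lan_if}",
        f" ip address {plan['routervm']}/{p2p.prefixlen}",
        " ip ospf authentication message-digest",
        f" ip ospf message-digest-key 1 md5 {md5_key}",
        "exit",
        f"interface {zt_if}",
        f" ip address {plan['zt_ip']}/{ZT_NET.prefixlen}",
        " ip ospf authentication message-digest",
        f" ip ospf message-digest-key 1 md5 {md5_key}",
        "exit",
        "router ospf",
        f" ospf router-id {plan['router_id']}",
        f" network {ZT_NET} area 0.0.0.0",   # backbone: the ZeroTier segment
        f" network {p2p} area 0.0.0.1",      # this site's point-to-point /29
        " area 0.0.0.0 authentication message-digest",
    ]
    lines += [f" neighbor {n}" for n in plan["neighbors"]]
    lines += ["exit", "ip forwarding", "ipv6 forwarding", "exit", "write"]
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    site = int(sys.argv[1]) if len(sys.argv) > 1 else 1
    print(vtysh_config(site, md5_key="change-me"))
```

Running it with the site number as the argument prints that site's commands ready to paste into vtysh; pass a real shared secret instead of the placeholder, and the same secret on every site, or the MD5 adjacencies will not form.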


Part 2: Build the router VM(s)

To bring us into part 2, the next thing is to create the routing VMs.

I did a CentOS 7 minimal install with one network interface configured.  At the router, I created network 10.10.9.0/29 on the same LAN segment.  During setup of the VM, I configured it as 10.10.9.2/29 with a gateway of 10.10.9.1.  I did the same with IPv6: fd00:10:10:9::2/64 and fd00:10:10:9::1 respectively.  When I get to the other sites to deploy, the network will change to 10.10.9.8/29 and 10.10.9.16/29.  The reason I went with a /29 here is simply that I plan to layer some "services" into these subnets; for this particular set of VMs, a Pi-hole and a Chrony NTP server.

If you have trouble installing CentOS 7 at a minimal install, then this series is not for you.

Once you have the VM created, the first thing to do is install ZeroTier.  Thankfully they make this dead simple.

If you want to verify the installer's signature before running it (this is ZeroTier's published one-liner; gpg exits non-zero on a bad signature, so the script only runs if it verifies, but pgp.mit.edu is just a keyserver, so compare the imported key's fingerprint with what ZeroTier publishes before trusting it):
curl -s 'https://pgp.mit.edu/pks/lookup?op=get&search=0x1657198823E52A61' | gpg --import && if z=$(curl -s 'https://install.zerotier.com/' | gpg); then echo "$z" | sudo bash; fi

If you like to live risky:
curl -s https://install.zerotier.com/ | sudo bash

Run either as root and it is installed.

Other small things I have found are needed after install:
In /etc/sysconfig/network-scripts/ifcfg-eth0, add the following: NM_CONTROLLED="no"
In /etc/sysconfig/network, add the following: NETWORKING=yes
In /etc/selinux/config, change SELINUX to permissive: SELINUX=permissive
Reboot a couple of times and make sure the default gateway and DNS servers show up in their respective places.

At this point, the next thing to do is create the ZeroTier network.  Simply log in, go to the networks page and create a new network.  Once that is done, join the network from the VM:

zerotier-cli join abcd1234abcd1234

Finally, go authorize the new clients and label them under "My Networks".

Part 1: ZeroTier and making a multi-site LAN (MAN?)

Recently I have come across an interesting little software tech that lets me do some fun things that normally one would only see in the data center or large companies.  That software is called ZeroTier.

When I first started playing with this I was doing some really bad things, abusing networks to get a nice simple method to access all my remote servers and devices without hassle.  Let's just say all of what I did was horrible and was burned to the ground in favor of this.  My goal was to set up a small network that would span 3 LANs and connect them together, either routed or as one big bridge.  I do not recommend the bridge, but it can be done.

So the first step I took was to draw out what the network should look like. Then I took a little time and thought about it and had to modify it a little more.

Rough hand-drawn sketch of what I wanted it to look like.

After a little thinking.

In the picture on the left, I identified that I would need 4 subnets: 3 for the LANs and one for the inter-LAN routing.  I then saw a flaw with this initial diagram: how do I route to ZeroTier?  My routers of choice are MikroTik, and there is no built-in ZeroTier package for them.  That is when I thought of doing a router on a stick at each site to handle the handoff to ZeroTier.  Granted, I drew a device with traffic routing through it, not to and from it on the same interface.  That brings you to needing more subnets.  So finally I had what I needed to complete this task: 3 LAN subnets, 3 point-to-point subnets, and 1 ZeroTier subnet.

Now, why did I want to go this way?  Sure, one could set up an IPsec tunnel or any of various other VPN tunnels and send traffic over them.  This software offered the opportunity to make a MAN-like network across the internet with very little configuration and almost no manual NAT hole punching.  At work, I have seen what happens when VPNs suddenly die because someone or something did something bad.


Reference URL: https://zerotier.com
Reference URL: https://mikrotik.com
Reference URL: https://www.google.com/search?q=router+on+a+stick