TBA
BACKGROUND
- We have a machine connected to a physical network; its IP address on that network is not relevant here. We will refer to this machine as the server.
- We wish to be able to connect to and use the resources of the physical network attached to the server from a remote location.
- The network that the server is connected to is 23.128.16.0/20 (the same prefix used in the route commands below). Regardless of the server's own IP address on it, the server knows how to reach the rest of the 23. network through its gateway.
- The address of the server on the virtual (ZeroTier) network is 192.168.192.10; this is the next hop that the clients will route the 23. network through.
- ZeroTier will be installed on the server and on any client wishing to use resources on the 23. network.
INSTALL
Configuration of the virtual network on the ZeroTier website is not covered here. * TODO - Add additional static route.
Once the virtual network is configured on the ZeroTier website, we need to install the daemon on the server and on the clients.
Windows/Linux install, see here
Starting/stopping on Windows needs no further comment; on RedHat it is as simple as sudo systemctl start|stop zerotier-one (check with Debian). For Slackware, see the specific section below.
INSTALL - Slackware
Slackware took slightly more work. TBA
Get source from GitHub https://github.com/zerotier/ZeroTierOne
git clone https://github.com/zerotier/ZeroTierOne.git
On the Slackware client, the following will add or remove the static route to the remote network via the server's virtual address;
sudo ip route add 23.128.16.0/20 via 192.168.192.10
sudo ip route del 23.128.16.0/20 via 192.168.192.10
We would also need to add any other networks that are normally routed on the remote side; for example, if 192.168.8.0/23 is normally reachable from the server, then an additional route should also be added, for example;
sudo ip route add 192.168.8.0/23 via 192.168.192.10
This will eventually be done by the Slackware startup script from here. TBA
To start the daemon, do sudo /etc/rc.d/rc.zerotier start [stop|status|info]
CONFIGURATION - client
Once installed, we need to add each machine to the virtual network. On the Mac and Windows machines this is straightforward; on Linux, once the daemon is running, we simply do (as root, since zerotier-cli needs the daemon's auth token);
zerotier-cli join networkID (networkID from the ZeroTier website). On a private network the new node must then be authorised on the ZeroTier website before it is given an address.
To accept routes to destinations outside the virtual network's own address range (the 23. network is public address space, so this applies here), we need to set allowGlobal. This is done via the dropdown on the Windows and Mac clients; on Linux we use;
zerotier-cli set networkID allowGlobal=1
TBA
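As an added example (not the post's own script, nor the Slackware rc script the post refers to), the client side of the procedure above as one idempotent start/stop script: join the network, set allowGlobal, wait until the controller reports the network OK, then install the static routes via the server's virtual address. The network ID, the route list and the listnetworks sample are constructed placeholders; replace them with your own. Routes use ip route replace so that running start twice does not fail, and every prefix is validated before it reaches ip(8).

```shell
#!/bin/sh
# Added example, not part of the original post. Run as root on a Linux client:
#   ./zt-client.sh start | stop | status
# Assumptions (hypothetical values): NWID is the 16-hex-digit network ID from the
# ZeroTier site, ZT_GW is the server's address on the virtual network, and
# REMOTE_NETS are the prefixes reachable behind the server.
NWID="${NWID:-0123456789abcdef}"
ZT_GW="${ZT_GW:-192.168.192.10}"
REMOTE_NETS="${REMOTE_NETS:-23.128.16.0/20 192.168.8.0/23}"

# Constructed sample of `zerotier-cli listnetworks` output, used by the status
# parser below and for testing offline. Real output has the same column layout:
# 200 listnetworks <nwid> <name> <mac> <status> <type> <dev> <assigned ips>
SAMPLE_LISTNETWORKS='200 listnetworks 0123456789abcdef my net 02:11:22:33:44:55 OK PRIVATE zt0123abcd 192.168.192.20/24'

# Accept only a.b.c.d/n with each octet 0-255 and n 0-32, so a typo in
# REMOTE_NETS fails here rather than leaving a half-applied routing table.
valid_cidr() {
    case "$1" in */*) ;; *) return 1 ;; esac
    net=${1%/*}; len=${1#*/}
    case "$len" in ''|*[!0-9]*) return 1 ;; esac
    [ "$len" -le 32 ] || return 1
    printf '%s\n' "$net" | awk -F. 'NF!=4{exit 1} {for(i=1;i<=4;i++) if($i!~/^[0-9]+$/ || $i>255) exit 1}'
}

# Print the ip(8) commands for "add" or "del", one per line. "replace" makes
# start idempotent; the printed commands are piped to sh by the case below.
route_cmds() {
    for n in $REMOTE_NETS; do
        valid_cidr "$n" || { echo "bad prefix in REMOTE_NETS: $n" >&2; return 1; }
        if [ "$1" = add ]; then
            echo "ip route replace $n via $ZT_GW"
        else
            echo "ip route del $n via $ZT_GW"
        fi
    done
}

# Status column (OK, REQUESTING_CONFIGURATION, ACCESS_DENIED, ...) for one
# network. Counted from the end of the line so a network name containing
# spaces does not shift the column; assumes the assigned-ips column is always
# present (zerotier-cli prints "-" when there are none).
zt_status() {  # $1 = listnetworks output, $2 = network id
    printf '%s\n' "$1" | awk -v id="$2" \
        '$1=="200" && $2=="listnetworks" && $3==id { print $(NF-3); f=1 } END { exit !f }'
}

case "${1:-}" in
    start)
        zerotier-cli join "$NWID" >/dev/null
        zerotier-cli set "$NWID" allowGlobal=1 >/dev/null
        i=0
        # Wait up to 30 s for the controller to authorise us and push config.
        until [ "$(zt_status "$(zerotier-cli listnetworks)" "$NWID")" = OK ]; do
            i=$((i + 1))
            [ "$i" -lt 30 ] || { echo "network $NWID not OK yet: authorised on the controller?" >&2; exit 1; }
            sleep 1
        done
        route_cmds add | sh -e
        ;;
    stop)   route_cmds del | sh ;;
    status) zt_status "$(zerotier-cli listnetworks)" "$NWID"; ip route show via "$ZT_GW" ;;
    *)      ;;  # no argument: only define the functions (so the file can be sourced)
esac
```

If the 23. route is instead pushed from the ZeroTier website as a managed route, allowGlobal=1 is what makes the Linux client install it, and the route_cmds step becomes unnecessary; the script is harmless either way because ip route replace just overwrites the same entry.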
CONFIGURATION - server
First we set up some variables: the physical network interface (eth1 here) and the virtual interface, whose name starts with zt and can be read from the dev column of zerotier-cli listnetworks or from ip link, for example;
PHY_IFACE=eth1
ZT_IFACE=xxx1xxx2
We can then check the above by doing echo $PHY_IFACE, for example.
We then need to do the following: masquerade traffic leaving on the physical interface, allow replies back in to the virtual interface, and allow traffic from the virtual interface out;
sudo iptables -t nat -A POSTROUTING -o $PHY_IFACE -j MASQUERADE
sudo iptables -A FORWARD -i $PHY_IFACE -o $ZT_IFACE -m state --state RELATED,ESTABLISHED -j ACCEPT
sudo iptables -A FORWARD -i $ZT_IFACE -o $PHY_IFACE -j ACCEPT
Running sudo iptables -S should show the two additional FORWARD entries; the MASQUERADE rule lives in the nat table and is only shown by sudo iptables -t nat -S.
Finally, we need to enable IP forwarding in the kernel, and this can be enabled/disabled as below;
sudo sysctl -w net.ipv4.ip_forward=1
or
sudo sysctl -w net.ipv4.ip_forward=0
This can be checked with sudo sysctl net.ipv4.ip_forward. Note that sysctl -w is not persistent either; to keep forwarding on after a reboot, put net.ipv4.ip_forward = 1 in /etc/sysctl.conf or in a file under /etc/sysctl.d/.
The changes to iptables can be made permanent (otherwise we lose them on reboot) by installing iptables-persistent as below (on Debian);
sudo apt install iptables-persistent
The above offered me the ability to save the current iptables configuration, which I accepted; if not, the below does that. The redirect has to be inside the quotes, otherwise it is performed by the unprivileged shell and fails on /etc/iptables; sudo netfilter-persistent save, which the package provides, does the same job.
sudo bash -c 'iptables-save > /etc/iptables/rules.v4'
The routing table (route -n) on the server is not changed apart from the single entry for the virtual network, since the server is already directly connected to the 23. network and forwards on to it.
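As an added example (not the post's own commands), the server side of the procedure above as one script that can be re-run safely: it looks up the ZeroTier interface from zerotier-cli listnetworks instead of hard-coding it, checks each rule with iptables -C before appending it so a second run does not duplicate rules, enables forwarding now and persistently, and saves the rules with netfilter-persistent. The network ID, interface names and the listnetworks sample are constructed placeholders.

```shell
#!/bin/sh
# Added example, not part of the original post. Run as root on the server:
#   ./zt-gateway.sh apply
# Assumptions (hypothetical values): NWID is the network ID from the ZeroTier
# site, PHY_IFACE is the physical interface (eth1 in the post), and this is a
# Debian-style host with iptables-persistent installed.
NWID="${NWID:-0123456789abcdef}"
PHY_IFACE="${PHY_IFACE:-eth1}"

# Constructed sample of `zerotier-cli listnetworks` output for offline testing;
# the real layout is: 200 listnetworks <nwid> <name> <mac> <status> <type> <dev> <ips>
SAMPLE_LISTNETWORKS='200 listnetworks 0123456789abcdef my net 02:11:22:33:44:55 OK PRIVATE zt0123abcd 192.168.192.10/24'

# Device (zt...) column for one network, counted from the end of the line so
# a network name containing spaces does not shift it. Fails if the network is
# not joined on this host.
zt_dev() {  # $1 = listnetworks output, $2 = network id
    printf '%s\n' "$1" | awk -v id="$2" \
        '$1=="200" && $2=="listnetworks" && $3==id { print $(NF-1); f=1 } END { exit !f }'
}

# The three rules from the post as "table|rule-spec" lines, so that the same
# spec can be used for both the -C (check) and -A (append) calls.
fw_rules() {  # $1 = physical iface, $2 = zerotier iface
    printf '%s\n' \
        "nat|POSTROUTING -o $1 -j MASQUERADE" \
        "filter|FORWARD -i $1 -o $2 -m state --state RELATED,ESTABLISHED -j ACCEPT" \
        "filter|FORWARD -i $2 -o $1 -j ACCEPT"
}

# Append each rule only if iptables -C says it is not already present.
apply_rules() {  # $1 = physical iface, $2 = zerotier iface
    fw_rules "$1" "$2" | while IFS='|' read -r table spec; do
        # word-splitting of $spec into separate arguments is intended here
        iptables -t "$table" -C $spec 2>/dev/null || iptables -t "$table" -A $spec
    done
}

case "${1:-}" in
    apply)
        ZT_IFACE=$(zt_dev "$(zerotier-cli listnetworks)" "$NWID") \
            || { echo "network $NWID is not joined on this host" >&2; exit 1; }
        apply_rules "$PHY_IFACE" "$ZT_IFACE"
        # Forwarding now, and again after reboot (sysctl -w alone is lost on reboot).
        sysctl -w net.ipv4.ip_forward=1
        printf 'net.ipv4.ip_forward = 1\n' > /etc/sysctl.d/99-zerotier-forward.conf
        # Show both tables before saving: the nat rule is not visible to plain -S.
        iptables -t nat -S POSTROUTING
        iptables -S FORWARD
        netfilter-persistent save
        ;;
    *)  ;;  # no argument: only define the functions (so the file can be sourced)
esac
```

The FORWARD rules only accept traffic between the two named interfaces, so the server does not become a general-purpose router for any other interface it happens to have; if a second physical network (such as the 192.168.8.0/23 from the client section) sits behind the same interface, no extra rule is needed, as the MASQUERADE rule applies to everything leaving on PHY_IFACE.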