Zerotier Tutorial: Delivering the Capabilities of VPN, SDN, and SD-WAN via an Open Source System
- Published: 4 Aug 2024
- Amazon Affiliate Store
➡️ www.amazon.com/shop/lawrences...
Gear we used on Kit (affiliate Links)
➡️ kit.co/lawrencesystems
Try ITProTV free of charge and get 30% off!
➡️ go.itpro.tv/lts
Use OfferCode LTSERVICES to get 5% off your order at
➡️ lawrence.video/techsupplydirect
Tesla Referral Program Offer
🚘 www.tesla.com/referral/thomas...
Lawrence Systems Shirts and Swag
👕 teespring.com/stores/lawrence...
Digital Ocean Offer Code
➡️ m.do.co/c/85de8d181725
HostiFi UniFi Cloud Hosting Service
➡️ hostifi.net/?via=lawrencesystems
Protect your privacy with a VPN from Private Internet Access
➡️ www.privateinternetaccess.com...
Google Fi Service Referral Code
📱g.co/fi/r/TA02XR
More Of Our Affiliates that help us out and can get you discounts!
➡️ www.lawrencesystems.com/partn...
Twitter
🐦 / tomlawrencetech
Patreon
🔗 / lawrencesystems
Our Forums
🔗 forums.lawrencesystems.com/
GitHub
🔗 github.com/lawrencesystems/
Discord
🔗 / discord
Our Web Site
🔗 www.lawrencesystems.com/
PIA Internet Access Affiliates Link
www.privateinternetaccess.com...
www.zerotier.com/
Diagrams were done with
www.yworks.com/products/yed
My Command Prompt setup is on GitHub
github.com/lawrencesystems/do...
This was wonderful. As a regular user I had tried several times to understand what ZT actually was with no luck. Your way of teaching this was awesome.
Just when I thought I had reached the end of the internet, Tom shows up with open source SD-WAN - BRILLIANT!
ZeroTier is really awesome. I use it to backup data from my main synology nas to an offsite synology nas. It runs now without any issue for about six or seven months.
This video was fantastic. An excellent overview of the product that really helped to ease any fear I had of implementing this at work. Keep up the great work!
I did install ZeroTier on both my two PCs and RDP'ed the "server" (one of the PCs I designated as a server), and it worked flawlessly.
Very very very good stuff. Huge fan of the depth-level of this video. Very accessible.
Great information! I can't believe this service has gone under my radar for so long!
Informative, concise and straightforward.
Omg! Ty!! Installed on my servers :D now can watch my videos from anywhere
Wow! Like you, Tom.... I cannot believe I did not see this before now. I am anxious to see if this will solve my problems of needing stuff from my desktop when I am not in the same room or even the same house
I'd love to see a review/setup with the pfsense package! Your channel is so informative and I've been sparked by innovation in my homelab and at work by your videos. Thanks!
pfsense is a nightmare IMO. From a new firewall guy, currently on SonicWall trying to find a replacement: we feel pfsense is not a drop-in replacement.
Hi Tom, another great video thank you! A follow up, or perhaps one for the how they got hacked series...securing this, and preventing backdoors using zero tier. Guess as long as endpoint security is tight, but what about BYOD networks? Best explanation that I’ve seen of exact benefits of SD-WAN though!
This video helped me understand sdwan so much better.
Thanks for all the info! Excellent video.
That's another awesome video here. Thanks for sharing!
Very nice video. Looks awesome and also open source. Thanks for sharing.
Thanks for your videos Tom. I learn a lot from it and I wish I can start a company like yours.
Damn... I never heard of that and it is awesome! Thanks for sharing this!
Thank you. Very nice review here. I was looking for a replacement for Hamachi and I have found it, with some very well detailed explanations.
This is really excellent software that I hadn't heard of before, thank you for bringing attention to it as I really have some great use cases for this.
Thanks a lot for this video. This will help me a lot.
Thanks for sharing this pretty cool.
great clear video! awesome product from zerotier
Freaking awesome tutorial. Thank you as always for sharing your knowledge with us all 😀
My pleasure!
Thank you so much I’ve been wanting something like this so bad but don’t remember what for now
Awesome! I’m going to have to try this 😀
Great explanation and demo of Zerotier. Been meaning to look into this. Full-mesh network any-to-any, the possibility of setting up your own planet server, can create multiple Zerotier interfaces (perhaps we can use 'ZTI') to connect to multiple networks, central console, and the possibility to control flows. Need to find out if it is possible to route other networks through a single ZTI; my guess is it would be.
This is magic!!! Thank you!
Would you consider creating a video to set this up for a site-to-site between two PfSense or Opnsense routers? Thanks.
awesome idea, nice explanation
This is awesome!
It looks a lot like VoIP "hairpinning", in regards to connecting clients directly together. I currently use OpenVPN, and don't really "need" this, but from a network maintenance perspective it could be useful to have an "always on" SSL encrypted path back to the office. Definitely worth a look, thanks!
ZeroTier is absolutely fantastic, 50 endpoints configured with access rules, traffic inspection setup using TEE, run your own moon using a Docker command in about 30 seconds, its speed limit seems to be around 500 Mbps which is more than enough, stable, can jump around on IPs, and OPEN SOURCE!
@Steve - what is this TEE tool you talk about?
@Manuel Ludwig my comment keeps getting deleted my friend, I'm not sure why. Search Google for advanced zerotier network rule set on github; in the rules it shows you the tee rule. This copies all traffic for all and sends it to whoever you specify... great for IDS and packet capturing.
From the perspective of an MSP I think this would be amazing. Right now we have to setup a VPN on a lot of different devices and types of devices. It seems like this would allow us to manage those connections from a single user interface and save a lot of resources if clients want to connect. A level 1 help desk could do this instead of a level 3 at the request of a client. I agree with comments about personal devices though. Those devices would have to pass a security audit before being able to join and the client would have to sign a waiver.
Have your thoughts on this matter matured? I just watched the video and I was thinking the same thing, it's almost too good to be true.
This is so cool!!!
Hi Tom,
Started using open tier for 2 customers and I have to say it's been fantastic. Thanks buddy.
I use the hell out of this.
Even have it installed on my OPNsense router
so I don't have to have the client on all my devices behind LAN
Bridged :)
Thank you.
awesome, thank you
looks amazing
Great video! Thanks, didn't know about this :)
Tom, how did you manage to get the nested PFsense to work with OneTier? I've tried this on my home lab and production network. It works with all my devices, but not really that great with my clients behind my second pfsense firewall. The second firewall is connected to the first PFsense which is the internet facing firewall. Everything works well for clients who are on public spaces or inside my production network. Only my lab environment will not connect great (ping loss).
Ohhh so it's basically a free open source version of Hamachi! Wow... Remember Hamachi?
Exactly! Hope it won't go the same way Hamachi did 😜
Dang, it was so long ago the last time I ever used or even heard of that thing, now I kinda want someone to make a GUI for Zerotier similar to the one old Hamachi had, mainly just for the nostalgia, that'd be nice.
No, this is a SAN layered over the internet, punching holes where you need it to. You define routing, gateways and everything of a SAN through it
Hamachi was okay at times, even after Logmein took them over. But in the situations where I've tried them both, Zerotier has been able to make direct connections where Hamachi had to relay.
This was my first thought when he started to explain this.
thx for the video :-)
This system would be perfect for off-site back-up systems!
Fantastic ...
Hi Tom, Nice presentation. Since you made Digitalocean a host in Zerotier network, can you manage your UniFi APs telling them that their Digitalocean Controller is now reachable and can be adopted using Zerotier lan ip address instead ? Thanks for your reply.
Hi Tom, excellent video. Thumps up. Your work is great indeed.
I have a small query. Will zerotier work on Freenas as well? I wanted to have a backup freenas in a different location to replicate my office Freenas.
What about using rsync over the ZeroTier virtual interface???
Great info relayed in an easily understandable format, keep up the good work, it's very much appreciated. I like the idea of the simplicity of Zerotier, but there is no mention of the complexity of introducing multiple gateways on a client and then the extra routing required for applications etc.? You don't have this issue with a straightforward VPN.
Zerotier is designed to install on each node you want connected therefore routing would not be needed. But it is supported and can do routing and they have work instructions on how to do that.
I've tried zerotier and it is rather slick, especially being essentially zero config. There are some issues though:
1. Constant Chatter. Due to using UDP hole punching to traverse NAT, keepalive packets are always sent. About 22MB a day, which could be a problem for IOT LTE devices. It also means poor battery life on mobile.
2. Connections get dropped. Around 20% of my ping packets get dropped.
3. Constant background connections to root servers. Stopping the Mac menubar app doesn't shut down the interface. These connections exist to keep it warm.
4. VPN is simple. If you just need to log in to your network from the road, I'd recommend VPN for now.
5. Zerotier is really good if you don't have access or control over the router/NAT or you want to connect two mobile devices.
Curious if you have used Tailscale, or have an update on Zerotier since posting this comment? I was looking into implementing Zerotier in my home network, and came across tailscale and it sounds very interesting to me.
@@gtn1994 Have used tailscale and many wireguard tools. Right now I exclusively use ZeroTier mainly because it is the simplest. Tailscale didn't perform as well last time I used it. I don't push a lot of data through the links nor use mesh VPNs on Android/iOS devices. I hope to evaluate the different options when I find the time. I'll just say stay away from Nebula for now, it doesn't handle complex NATs yet.
Nice video! can you make a video showing how to set rules ?
As I have no clue about the technicality of this, just wondering... can I use this to make the game connection faster? I always did wonder what the things to look at are when configuring my network.
Excellent tutorial, I learned about this product here first.
Since this "service" passes some or even all traffic thru the "planet" mothership...how can you be assured that the content is secure? Also since you mention "SDWAN" how resilient are their planet server(s)? And if I wanted to deploy my own MOON server is there a dependency on the planet or is the moon server strictly part of a self contained constellation?
how does zerotier integrate network logins and file shares?
I've been wanting to setup some OPNSense boxes with Zerotier clients and then run OSPF between them to setup a DMVPN type of alternative and see how the performance is. Has anyone had any experience with this?
is there any way to bridge to local network adapter to zero tier adapter so we can access our local resources just like vpn?
Powerful, but also scary. OMG, this creates a huge security hole for any networks as soon as any devices (with Internet access) behind the periphery fence have this installed and connected to that external network. I don't know what to think of this.
It sounds like it would, but it would be just as hard as cracking into a site-to-site. Theoretically possible, but you need to be insanely precise.
Agreed. Although I could see this as a great tool for me / what if an end user sets this up between home and his work computer? And the home computer is not secure?
Well, a personal computer connected to a business network in general is a no-no. Especially in this config, since it is an actual SD-WAN, not just a VPN, meaning EVERY site has the potential to be connected. I wouldn't be too happy to find a personal computer connected to our VPN, neither would our vendors (:
Nebula which Slack open sourced is worth looking at as well
Tom, can't thank you enough for this video. Nearly locked myself into a 2 year SDWAN contract for management of my network. Is there somewhere we can donate to your channel? Can't sit in my chair right now!
You can throw 💸money 💸 at me here www.paypal.me/lawrencesystems
I wish to preconfigure a UDP-PRO for my brother's home network so it can be as much plug and play as it can be. Then I want to remotely configure it. I also need to put a copy of the existing (on a PC at his location) Unifi config on it. Can ZeroTier be used to accomplish this?
Can you please make a tutorial on how to make a ZeroTier Moon Root Sever on Linux or FreeNAS.
Well, is there a way to get a client or a subnet attached to a router (LAN side) which is on my ZT network to be forwarded through ZT to another router (client router to server router) which is also on my ZT network, and then out the internet of the server router? I am trying to mimic what I do through wireguard. Same concept (wireguard not on the client PC itself). Then, if possible, I want to compare the speed/throughput between them.
I wish pfsense would already have this part of their package.
Sir, where is the plug-in located?
does anyone know if this will work behind a CGNAT ISP
OPNsense have a plugin for Zerotier.
Also you can install on unifi edgerouter X but it's quite slow; as a redundant site-to-site vpn with ospf it is a good setup, although with upgrades it will uninstall zerotier.
Any help setting one up for free? I looked at the source code but I'm not sure what to do; there are no YouTube videos on this. Any help would be appreciated.
Hello, thanks for the video, I didn't know about Zerotier and I'm going to try it out. But I was curious about the software you used for network diagramming. What is the name of the software?
ruclips.net/video/mpF1i9sfEJ0/видео.html
Is it possible to link a win 10 pc to an unraid server (different networks)?
Architecture like DNS pinhole poked as and when with the clients doing the heartbeat back to the planet to map and handshake? This seem simple but brilliant. Like a shadow network anywhere with pretty much idiot proof config. Is it really this easy?
Sounds cool what program do you use to make that visual example?
Lucidchart
Installed last night on a couple ubuntu machines (two on LAN, one at DO). Really high latency, ssh session appeared unresponsive many times. Is this where my own moon server would come in handy? I didn't forward udp/9993 on any routers.
I know this doesn’t fix your underlying issue and this is a very very late response but for future issues like this, I would suggest trying the mosh terminal. It works far better for intermittent or high latency ssh interaction.
What software are you using for the network map? Been looking for something like that!
ruclips.net/video/P3ieXjI7ZSk/видео.html
Why would I want to share my data with with some untrusted third party with this software, when I can just run ospf over openvpn, wireguard or IPSec?
damn, they used to offer 10 clients for free, fast forward to 2023 and it's only 25 now, still plenty for home users tho.
Thanks for another great video Tom and it seems like a great project! However, I checked out the release notes and after a flurry of point releases the last activity was in July 2018. The pre-order for the Edge points to an expired Indiegogo campaign and the Synology packages are only for DSM 6.1. I'm wondering what your thoughts are on Zerotier being supported enough that it can actually be used outside of lab experiments or for a home network? I can think of numerous use cases for production environments so I'm hoping this project has legs.
The slow down in mass changes is what makes it desirable for business. The code reached a stable point and no one wants to deploy a project that is still adding lots of features and making too many changes. They have a lot of companies using this in production. Also, there is still a lot happening in their dev channel github.com/zerotier/ZeroTierOne/commits/dev
Got it. I wouldn't want to see continuous updates either but when I saw the windows reference to Win7 and Synology to 6.1 on their website it made me wonder. I hadn't heard of it until your video and it seems like it fills/simplifies a needed void in site to site networking. Thanks again!
Thanks to you, I now have a nice SDN toy to play with.
I saw the tweet from #freenas who loved the video. I tested it on 2 linux distros and a win64 machine
Is this also how synology’s Quickconnect works?
I was wondering what to do about auto connecting Linux clients after reboots for persistence, like a cron job, or does it have built-in auto run options?
It installs as a service and by default runs on startup
@@LAWRENCESYSTEMS thanks
Had to open UDP port 8384 to make it work.
You've mentioned that one of the services that zerotier would be good for would be server apps. If that app runs on the server with an IP address, for instance 192.168.1.100, and all clients are joined together with a virtual IP of a different subnet like 10.10.1.0/24, then none of the clients would be able to run that server app.
Also, if you configure in the zerotier network the IP assignment to be in the 192.168.1.0/24 scope, then how wouldn't there be a conflict if that server hosting the app were a DHCP server also, giving IPs to the clients of the same 192.168.1.0/24???? Weird question, I know.
PS: I think that for the above to work, a solution (at least I didn't find any other way) would be to define on the server-app side an automated DHCP scope 192.168.1.50 - 99 for the clients at the office, leaving for example the scope 192.168.1.10 - 49 for the remote clients in order to avoid the conflict. Of course in the zerotier situation you don't make the server-app PC a zerotier server but you add that PC also to the network, which is different from other solutions........ but still, if the virtual segment is different from the local one I don't get how the remote clients are going to access the server app.
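The address-plan question in the comment above is easy to check before touching the controller. The script below is an added example written for this page, not ZeroTier's own code or anything from the video; the office subnets, the DHCP scope and the two candidate ZeroTier pools are constructed sample values. It compares the inclusive start-end pool a ZeroTier network hands out against the ranges a site already uses and reports two things separately: a hard collision with the local DHCP scope (two hosts can end up with the same address) and the softer case where the ZeroTier pool lives inside an existing LAN prefix, so the same /24 is present on two interfaces and route selection has to be thought through. Since every member, the server included, gets an address from the pool, a pool on its own prefix (plan B) avoids both findings.

```python
"""Sanity-check a ZeroTier auto-assign pool against a site's existing ranges.

Added example for the subnet-overlap question in the thread; not ZeroTier code.
All site data below is constructed, not taken from the video or the comments.
"""
import ipaddress
from typing import Dict, Tuple

Pool = Tuple[ipaddress.IPv4Address, ipaddress.IPv4Address]


def pool(start: str, end: str) -> Pool:
    """Inclusive start..end range, the shape a ZeroTier auto-assign pool takes."""
    s, e = ipaddress.IPv4Address(start), ipaddress.IPv4Address(end)
    if e < s:
        raise ValueError(f"pool end {end} precedes start {start}")
    return s, e


def pools_overlap(a: Pool, b: Pool) -> bool:
    """True when the two inclusive ranges share at least one address."""
    return a[0] <= b[1] and b[0] <= a[1]


def subnet_pool(cidr: str) -> Pool:
    """Whole-prefix range (network..broadcast) for a CIDR string."""
    net = ipaddress.ip_network(cidr, strict=False)
    return net.network_address, net.broadcast_address


def check_plan(zt_pool: Pool, dhcp_pool: Pool,
               local_subnets: Dict[str, str]) -> Dict[str, object]:
    """Report where a ZeroTier pool collides with what the site already uses.

    dhcp_collision: the ZT pool and the local DHCP scope share addresses.
    shared_subnets: local prefixes that contain any part of the ZT pool.
    clean: neither finding, i.e. the pool is on a prefix the site does not use.
    """
    shared = [name for name, cidr in local_subnets.items()
              if pools_overlap(zt_pool, subnet_pool(cidr))]
    collision = pools_overlap(zt_pool, dhcp_pool)
    return {
        "dhcp_collision": collision,
        "shared_subnets": shared,
        "clean": not shared and not collision,
    }


# Constructed site: one office /24 with its DHCP scope in the upper half,
# plus an unrelated guest network.
SITE_SUBNETS = {"office-lan": "192.168.1.0/24", "guest-wifi": "192.168.50.0/24"}
OFFICE_DHCP = pool("192.168.1.50", "192.168.1.99")

# Plan A, as proposed in the thread: carve ZeroTier addresses out of the office /24.
PLAN_A = pool("192.168.1.10", "192.168.1.49")
# Plan B: give the ZeroTier network a prefix of its own.
PLAN_B = pool("10.10.1.1", "10.10.1.254")

if __name__ == "__main__":
    for label, zt in (("A", PLAN_A), ("B", PLAN_B)):
        print(f"plan {label}:", check_plan(zt, OFFICE_DHCP, SITE_SUBNETS))
```

Run as-is it prints one line per plan: plan A has no DHCP collision but shares the office-lan prefix, plan B is clean. Feed it your own pool and scopes by editing the constants, or import `check_plan` from another script.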
Loving zerotier except on one point: pushing DNS servers is still not an option, which makes it quite hard to work with AD.
Have you tried a direct integration into pfsense? Maybe use pfsense / ZeroTier DIY controller too?
I'm not really a code writer
I just noticed that there were some github pfsense integrations that might make some sense to you, as you are a bit of a pfs master 😁
@Etienne So what about something like a CCTV box, or some other IoT device that you have no access to install anything onto but want to include it on a Zerotier connection?
OPNsense, a clone of pfSense, has an inbuilt addon... Try it out! It works as expected.
I want to use Windows 10 vm (Unraid) with quickbooks database server (at my home) and have users be able to connect to it remotely just as if it were on the local network. Would zerotier be capable of that?
It should work
Anyone else having difficulty with this app on Windows machines? Cuz I can connect them to the network no problem, but trying to ping it or actually using it to play a LAN game doesn't work. I can use my main Linux machine to ping all other operating systems but Windows, yet the Windows machine can ping my Linux and other devices and get something back. I even allowed zerotier through the Windows firewall but it still does not work at all.
Hi I have OpenVPN running on Untangle, whilst I appreciate this is different, I am struggling to see what advantage it would have for a simple 'access home' scenario. I guess the point of this is to have multiple devices connecting from multiple locations? Is there any advantage to me installing it on a server rather than running openVPN? (the price is certainly right)
We have a client that is interested in this. They have 7 locations (and more coming) with servers and each server needs to talk to the other servers. This can be done with a lot of VPN rules and routing for each location back and forth , or just one Zerotier network.
@@LAWRENCESYSTEMS ohhh that makes sense so this is like a private LAN in the "Cloud". If I understand this correctly.... rather than routing a bunch of traffic through several VPNs this is advantageous because you'd connect your devices to a "private cloud"...
Yeah fair enough, as a home gamer though its occurred to me I might be able to get roon to work, a music player that wont work over VPN. I'll have a play!
I got this going and it works for my needs so thanks for the heads up, if nothing else I can listen to my entire music collection via roon at work, worth the entry effort alone!
You could also create a network between only mobile devices. There is no need to route everything through a single point which a VPN would require.
Can Zerotier work for Voip?
Never tried, but it should work.
Really wish PFSense would integrate seamlessly
Is there any chance to run zerotier from a FreeNAS jail? 😉
Which ports are needed on a fully locked down firewall?
none
@@LAWRENCESYSTEMS udp pinhole with heartbeat to the planet to poke the holes as and when
So you're connecting individual devices to an overlay network, and you have to install a 3rd party client on each device? This seems limited in usefulness. Can you not bridge entire networks? I don't see how this "delivers the capabilities of VPN" Am I missing something?
I wish pfSense implements this soon like OPNsense.
pfSense might be adding this to version 2.5
Should I use this instead of OpenVPN?
You could. Totally
Can this be integrated into a PFSENSE box ?
With the right coding it's a Possibility
OPNsense, a clone of pfSense, has an inbuilt addon... Try it out! It works as expected.
One big thing I use with zerotier is bridge mode, so I can have one server that bridges all my home network devices on that specific VLAN. So not every device needs to have a client installed. zerotier.atlassian.net/wiki/spaces/SD/pages/7471125/Layer+2+Bridging+of+Ethernet+and+ZeroTier+Networks+on+Linux
Like flexiwan SD WAN
Only was half listening and not watching as I'm at work (Shhh... Don't tell the boss!), But... How would this work as a 'replacement' for a OpenVPN setup for getting a remote user (Android phone) connected to a FreePBX server so it can make and receive calls?
Long story short, and I will ask in the forums, I'm looking for a way to connect my Android phone to my FreePBX server for calls, but don't really want *ALL* traffic from my phone to go through a VPN. I'm in an area with crappy DSL service and don't want to add a hurdle I don't need.
I just tried to set this up, but when I tried to join on my ubuntu server I got.... missing authentication token and authtoken.secrets
Oops, I got it.
How do I auto start at boot in Ubuntu?
It's not opensource anymore :(
Yes it is, their source code is on GitHub
Free is now 25 devices not 100