ZeroTier / Software VPN question
-
@jaredbusch said in ZeroTier / Software VPN question:
@scottalanmiller is, as usual, taking this to the extreme and telling you to rip it all out and redesign your network LAN-less.
Didn't even start to do that. Instead, I pointed out that he was applying a LANless technique to a LAN-based network, which doesn't make sense.
-
@joel said in ZeroTier / Software VPN question:
Forgive me, what's an SDN?
Software Defined Network (aka SD-LAN). A virtualization layer on top of your network. That's what ZeroTier is for. It is not a VPN replacement. While it IS a VPN, it does not serve the purpose of LAN extension, which is what you are trying to do.
Basically, your need is that you are a LAN-based business and you want to extend the LAN. This is the traditional use of a VPN as people think of it (it's what people mean when they say VPN, but a true VPN is much broader).
ZT is not a LAN extension, but a LAN virtualization technology. It is not meant to be used in LAN-based networks, but in LANless ones. So it doesn't apply well to you. It also uses VPN technology, but with a totally different intent.
-
@joel said in ZeroTier / Software VPN question:
When you say set my DNS records to ZT addresses, do you mean on my DNS server (my DC) set the DNS for FS01 to point to the ZT IP?
If you wanted to use ZT as intended, in a LANless way, then yes. Your LAN IPs are LAN-dependent; your ZT ones are not.
-
@joel said in ZeroTier / Software VPN question:
Forgive me, what's an SDN?
When you say set my DNS records to ZT addresses, do you mean on my DNS server (my DC) set the DNS for FS01 to point to the ZT IP?
For a more positive answer, you can take a hybrid approach, but things get very complicated as you need to be very certain of connectivity and DNS settings for everything.
A hybrid approach means putting ZT on all your servers that devices will need to reach over the ZT subnet.
Then you set up all the laptops with ZT.
Then you need to set up DNS to handle it. In my case I do not want to fuck with AD's normal functionality, so I hardcode some settings in the hosts file of the laptops that need it.
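Added example (not from the post above, and not ZeroTier's own tooling): one way to keep the "hardcode it in the hosts file" step repeatable on the Windows laptops. The host names and ZT addresses are constructed placeholders. The script tags every line it writes so a later run replaces only its own lines, and it refuses to add a name that already has a hand-written entry, so a stale mapping never silently shadows one.

```powershell
# Added example, not from the thread. Pin the ZT addresses of the servers the laptops
# must reach, so name resolution off-site does not depend on AD DNS handing out LAN
# addresses that are unreachable over ZT. Run from an elevated PowerShell prompt.
# Names and addresses below are constructed placeholders.
$ZtHosts = @{
    'fs01.corp.example' = '10.147.17.10'   # placeholder: FS01's ZT address
    'dc01.corp.example' = '10.147.17.5'    # placeholder: the DC's ZT address
}

$HostsPath = Join-Path $env:SystemRoot 'System32\drivers\etc\hosts'
$Marker    = '# managed-by: zt-hosts'   # tag so re-runs only ever touch these lines

function Set-ZtHostsEntries {
    param(
        [Parameter(Mandatory)] [hashtable] $Entries,
        [string] $Path = $HostsPath
    )
    # Keep every line that is not ours; drop previously managed lines so the run is idempotent.
    $kept = @()
    if (Test-Path $Path) {
        $kept = @(Get-Content -Path $Path | Where-Object { $_ -notlike "*$Marker*" })
    }
    # Refuse to add a name that an unmanaged (hand-written) line already maps.
    foreach ($name in $Entries.Keys) {
        $pattern = '(^|\s)' + [regex]::Escape($name) + '(\s|$)'
        $clash = $kept | Where-Object { $_ -notmatch '^\s*#' -and $_ -match $pattern }
        if ($clash) { throw "hosts already has an unmanaged entry for $name : $clash" }
    }
    $managed = @(foreach ($name in ($Entries.Keys | Sort-Object)) {
        [System.Net.IPAddress]::Parse($Entries[$name]) | Out-Null   # validate the address
        '{0,-18} {1} {2}' -f $Entries[$name], $name, $Marker
    })
    # Build the whole file in memory and write it once, ASCII as Windows expects.
    Set-Content -Path $Path -Value ($kept + $managed) -Encoding Ascii
    # Flush the resolver cache so the new mappings take effect immediately.
    Clear-DnsClientCache
    return $managed
}

Set-ZtHostsEntries -Entries $ZtHosts
```

Because hosts entries override DNS for every process on the machine, tagging the managed lines also makes it obvious during an incident review which mappings were put there deliberately and which were not.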
-
The free version of ZeroTier can only connect up to 100 devices to unlimited networks.
-
@jaredbusch said in ZeroTier / Software VPN question:
@joel said in ZeroTier / Software VPN question:
Forgive me, what's an SDN?
When you say set my DNS records to ZT addresses, do you mean on my DNS server (my DC) set the DNS for FS01 to point to the ZT IP?
For a more positive answer, you can take a hybrid approach, but things get very complicated as you need to be very certain of connectivity and DNS settings for everything.
A hybrid approach means putting ZT on all your servers that devices will need to reach over the ZT subnet.
Then you set up all the laptops with ZT.
Then you need to set up DNS to handle it. In my case I do not want to fuck with AD's normal functionality, so I hardcode some settings in the hosts file of the laptops that need it.
Okay thanks.
So if we have all users moving onto laptops (no more office-based desktops), they want to be able to work inside and outside the office, access all the same resources, have all group policies working, etc., regardless of where they are. In this scenario would the hybrid be the best option then? E.g. install ZT on my DC and FS, then change DNS to point to the ZT IPs, and then install ZT on all laptops?
I'm looking for the best way to do this. It's a small network, so if I have to edit hosts files on laptops I can, but what do you think is the best way to have everything running with full access regardless of where users are?
-
@joel said in ZeroTier / Software VPN question:
@jaredbusch said in ZeroTier / Software VPN question:
@joel said in ZeroTier / Software VPN question:
Forgive me, what's an SDN?
When you say set my DNS records to ZT addresses, do you mean on my DNS server (my DC) set the DNS for FS01 to point to the ZT IP?
For a more positive answer, you can take a hybrid approach, but things get very complicated as you need to be very certain of connectivity and DNS settings for everything.
A hybrid approach means putting ZT on all your servers that devices will need to reach over the ZT subnet.
Then you set up all the laptops with ZT.
Then you need to set up DNS to handle it. In my case I do not want to fuck with AD's normal functionality, so I hardcode some settings in the hosts file of the laptops that need it.
Okay thanks.
So if we have all users moving onto laptops (no more office-based desktops), they want to be able to work inside and outside the office, access all the same resources, have all group policies working, etc., regardless of where they are. In this scenario would the hybrid be the best option then? E.g. install ZT on my DC and FS, then change DNS to point to the ZT IPs, and then install ZT on all laptops?
I'm looking for the best way to do this. It's a small network, so if I have to edit hosts files on laptops I can, but what do you think is the best way to have everything running with full access regardless of where users are?
This tells us that you don't want AD at all.
You are talking about a LAN-less design entirely.
We have a few tagged topics on this subject.
https://mangolassi.it/tags/lanless
-
@jaredbusch said in ZeroTier / Software VPN question:
@joel said in ZeroTier / Software VPN question:
@jaredbusch said in ZeroTier / Software VPN question:
@joel said in ZeroTier / Software VPN question:
Forgive me, what's an SDN?
When you say set my DNS records to ZT addresses, do you mean on my DNS server (my DC) set the DNS for FS01 to point to the ZT IP?
For a more positive answer, you can take a hybrid approach, but things get very complicated as you need to be very certain of connectivity and DNS settings for everything.
A hybrid approach means putting ZT on all your servers that devices will need to reach over the ZT subnet.
Then you set up all the laptops with ZT.
Then you need to set up DNS to handle it. In my case I do not want to fuck with AD's normal functionality, so I hardcode some settings in the hosts file of the laptops that need it.
Okay thanks.
So if we have all users moving onto laptops (no more office-based desktops), they want to be able to work inside and outside the office, access all the same resources, have all group policies working, etc., regardless of where they are. In this scenario would the hybrid be the best option then? E.g. install ZT on my DC and FS, then change DNS to point to the ZT IPs, and then install ZT on all laptops?
I'm looking for the best way to do this. It's a small network, so if I have to edit hosts files on laptops I can, but what do you think is the best way to have everything running with full access regardless of where users are?
This tells us that you don't want AD at all.
You are talking about a LAN-less design entirely.
We have a few tagged topics on this subject.
https://mangolassi.it/tags/lanless
No, I do want AD.... I want users to authenticate to a local server. 80% of the time they will be in the office, but the 20% will be outside the office. But whilst outside I want them to log in and access the server's resources and sync folders back to the local server. I guess I'm looking for the most efficient way of doing this hybrid scenario.
-
@joel said in ZeroTier / Software VPN question:
@jaredbusch said in ZeroTier / Software VPN question:
@joel said in ZeroTier / Software VPN question:
@jaredbusch said in ZeroTier / Software VPN question:
@joel said in ZeroTier / Software VPN question:
Forgive me, what's an SDN?
When you say set my DNS records to ZT addresses, do you mean on my DNS server (my DC) set the DNS for FS01 to point to the ZT IP?
For a more positive answer, you can take a hybrid approach, but things get very complicated as you need to be very certain of connectivity and DNS settings for everything.
A hybrid approach means putting ZT on all your servers that devices will need to reach over the ZT subnet.
Then you set up all the laptops with ZT.
Then you need to set up DNS to handle it. In my case I do not want to fuck with AD's normal functionality, so I hardcode some settings in the hosts file of the laptops that need it.
Okay thanks.
So if we have all users moving onto laptops (no more office-based desktops), they want to be able to work inside and outside the office, access all the same resources, have all group policies working, etc., regardless of where they are. In this scenario would the hybrid be the best option then? E.g. install ZT on my DC and FS, then change DNS to point to the ZT IPs, and then install ZT on all laptops?
I'm looking for the best way to do this. It's a small network, so if I have to edit hosts files on laptops I can, but what do you think is the best way to have everything running with full access regardless of where users are?
This tells us that you don't want AD at all.
You are talking about a LAN-less design entirely.
We have a few tagged topics on this subject.
https://mangolassi.it/tags/lanless
No, I do want AD.... I want users to authenticate to a local server. 80% of the time they will be in the office, but the 20% will be outside the office. But whilst outside I want them to log in and access the server's resources and sync folders back to the local server. I guess I'm looking for the most efficient way of doing this hybrid scenario.
Why do you want that, though? If you can do syncing, you could, for example, move to O365, have your Windows 10 machines all authenticate with O365, sync files in ODfB and SharePoint, and skip having servers on site at all. If you want GPOs you'll have to buy that add-on for your users (advanced AD, I think it might be called).
-
@joel - I was able to make this work in a lab setting.
Here is what I did:
- Install ZeroTier on a Linux box or VM in your office. You don't have to install ZT on your Windows servers, as the Linux system is going to act as a bridge to the entire local network.
- Set up your ZeroTier network to hand out IP addresses in the same subnet as your local network. Just don't overlap the DHCP addresses on your local network.
- Set the Linux machine into bridge mode. Read this post about bridge mode setup: https://mangolassi.it/topic/8566/zerotier-bridging-configuration/2
- Install ZeroTier on your laptops and join the network.
- On the laptops, edit the DNS on the ZT network adapter to point to your domain controller(s).
I did this a year ago, so there may be a setting or two I am overlooking. There is a possibility that if you set your laptops' ZT adapter to obtain an address automatically, they will pull their IP from the local DHCP server and you may not need to assign addresses from ZT.
-
Just another note with ZeroTier. On your Windows clients, make sure you change the ZeroTier One service Recovery options to restart the service on failures. Sometimes on Windows 10 it doesn't start when the computer boots up, so the recovery option will hopefully restart the service if needed.
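Added example covering the laptop-side steps from this post and the lab write-up above it: point the ZT adapter's DNS at the domain controller(s), and set the ZeroTier One service to restart itself after a failure. This is not code from either poster or from ZeroTier. The DC address is a constructed placeholder, and matching the adapter on an interface description that starts with "ZeroTier", like matching the service on a display name starting with "ZeroTier One", is an assumption about how the installer names them.

```powershell
# Added example, not from the thread. Run from an elevated PowerShell prompt.
$DcDnsServers = @('10.147.17.5')   # placeholder: DC address(es) reachable over ZT

function Set-ZtAdapterDns {
    param([Parameter(Mandatory)] [string[]] $Servers)
    # Assumption: the ZT virtual adapter's interface description starts with 'ZeroTier'.
    $adapter = @(Get-NetAdapter | Where-Object { $_.InterfaceDescription -like 'ZeroTier*' })
    if ($adapter.Count -eq 0) { throw 'No ZeroTier adapter found; is ZeroTier One installed and joined?' }
    if ($adapter.Count -gt 1)  { throw 'More than one ZeroTier adapter; pick one explicitly.' }
    $ifIndex = $adapter[0].ifIndex
    # DNS for this adapter only: LAN DNS on the physical adapter is left untouched.
    Set-DnsClientServerAddress -InterfaceIndex $ifIndex -ServerAddresses $Servers
    # Don't let the laptop register its ZT address in AD DNS, so LAN clients are never
    # handed an address they cannot reach and AD is not littered with ZT records.
    Set-DnsClient -InterfaceIndex $ifIndex -RegisterThisConnectionsAddress $false
    return (Get-DnsClientServerAddress -InterfaceIndex $ifIndex -AddressFamily IPv4).ServerAddresses
}

function Set-ZtServiceRecovery {
    # Assumption: the service's display name starts with 'ZeroTier One'.
    $svc = @(Get-Service -DisplayName 'ZeroTier One*' -ErrorAction Stop)
    if ($svc.Count -ne 1) { throw "Expected exactly one ZeroTier One service, found $($svc.Count)" }
    $name = $svc[0].Name
    # Same settings as the Recovery tab in services.msc: reset the failure counter after a
    # day, restart 5 s after the first failure, 10 s after the second, 30 s after later ones.
    & sc.exe failure $name reset= 86400 actions= restart/5000/restart/10000/restart/30000 | Out-Null
    # Also count a stop with a non-zero exit code as a failure, not only a crash.
    & sc.exe failureflag $name 1 | Out-Null
    Set-Service -Name $name -StartupType Automatic
    return (& sc.exe qfailure $name)
}

Set-ZtAdapterDns -Servers $DcDnsServers
Set-ZtServiceRecovery
```

Both functions return the settings they applied (the adapter's DNS servers, and the service's failure actions as reported by sc.exe qfailure), so a quick check of the output after a build is enough to confirm the laptop is in the intended state.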
-
@joel said in ZeroTier / Software VPN question:
@jaredbusch said in ZeroTier / Software VPN question:
@joel said in ZeroTier / Software VPN question:
Forgive me, what's an SDN?
When you say set my DNS records to ZT addresses, do you mean on my DNS server (my DC) set the DNS for FS01 to point to the ZT IP?
For a more positive answer, you can take a hybrid approach, but things get very complicated as you need to be very certain of connectivity and DNS settings for everything.
A hybrid approach means putting ZT on all your servers that devices will need to reach over the ZT subnet.
Then you set up all the laptops with ZT.
Then you need to set up DNS to handle it. In my case I do not want to fuck with AD's normal functionality, so I hardcode some settings in the hosts file of the laptops that need it.
Okay thanks.
So if we have all users moving onto laptops (no more office-based desktops), they want to be able to work inside and outside the office, access all the same resources, have all group policies working, etc., regardless of where they are. In this scenario would the hybrid be the best option then? E.g. install ZT on my DC and FS, then change DNS to point to the ZT IPs, and then install ZT on all laptops?
I'm looking for the best way to do this. It's a small network, so if I have to edit hosts files on laptops I can, but what do you think is the best way to have everything running with full access regardless of where users are?
What's the goal in using any LAN IPs here? I don't see any reason to avoid ZT's virtualized IP space.
-
@joel said in ZeroTier / Software VPN question:
@jaredbusch said in ZeroTier / Software VPN question:
@joel said in ZeroTier / Software VPN question:
@jaredbusch said in ZeroTier / Software VPN question:
@joel said in ZeroTier / Software VPN question:
Forgive me, what's an SDN?
When you say set my DNS records to ZT addresses, do you mean on my DNS server (my DC) set the DNS for FS01 to point to the ZT IP?
For a more positive answer, you can take a hybrid approach, but things get very complicated as you need to be very certain of connectivity and DNS settings for everything.
A hybrid approach means putting ZT on all your servers that devices will need to reach over the ZT subnet.
Then you set up all the laptops with ZT.
Then you need to set up DNS to handle it. In my case I do not want to fuck with AD's normal functionality, so I hardcode some settings in the hosts file of the laptops that need it.
Okay thanks.
So if we have all users moving onto laptops (no more office-based desktops), they want to be able to work inside and outside the office, access all the same resources, have all group policies working, etc., regardless of where they are. In this scenario would the hybrid be the best option then? E.g. install ZT on my DC and FS, then change DNS to point to the ZT IPs, and then install ZT on all laptops?
I'm looking for the best way to do this. It's a small network, so if I have to edit hosts files on laptops I can, but what do you think is the best way to have everything running with full access regardless of where users are?
This tells us that you don't want AD at all.
You are talking about a LAN-less design entirely.
We have a few tagged topics on this subject.
https://mangolassi.it/tags/lanless
No, I do want AD.... I want users to authenticate to a local server. 80% of the time they will be in the office, but the 20% will be outside the office. But whilst outside I want them to log in and access the server's resources and sync folders back to the local server. I guess I'm looking for the most efficient way of doing this hybrid scenario.
That's not a want. That's a how. You never "want" AD, ever. That's not a possible thing from IT. IT's "wants" are always business solutions. AD might be how you provide that solution, but it's impossible for someone truly wearing an IT hat to "want" Active Directory itself.
What's the GOAL here. AD is how you are imagining getting to the goal, but we don't know exactly what your goal is and it can't be what is stated.
A goal would be like "needing strong user password management and user mobility." AD might be how you do that, but there is nothing AD does that only AD does.
-
Your stated design is LAN-less. AD is just your specified centralized auth mechanism.
That has nothing to do with the network design.
-
@scottalanmiller said in ZeroTier / Software VPN question:
@joel said in ZeroTier / Software VPN question:
@jaredbusch said in ZeroTier / Software VPN question:
@joel said in ZeroTier / Software VPN question:
Forgive me, what's an SDN?
When you say set my DNS records to ZT addresses, do you mean on my DNS server (my DC) set the DNS for FS01 to point to the ZT IP?
For a more positive answer, you can take a hybrid approach, but things get very complicated as you need to be very certain of connectivity and DNS settings for everything.
A hybrid approach means putting ZT on all your servers that devices will need to reach over the ZT subnet.
Then you set up all the laptops with ZT.
Then you need to set up DNS to handle it. In my case I do not want to fuck with AD's normal functionality, so I hardcode some settings in the hosts file of the laptops that need it.
Okay thanks.
So if we have all users moving onto laptops (no more office-based desktops), they want to be able to work inside and outside the office, access all the same resources, have all group policies working, etc., regardless of where they are. In this scenario would the hybrid be the best option then? E.g. install ZT on my DC and FS, then change DNS to point to the ZT IPs, and then install ZT on all laptops?
I'm looking for the best way to do this. It's a small network, so if I have to edit hosts files on laptops I can, but what do you think is the best way to have everything running with full access regardless of where users are?
What's the goal in using any LAN IPs here? I don't see any reason to avoid ZT's virtualized IP space.
You can use ZT to bridge its IP space and the corporate LAN space... basically, the DHCP server on your internal LAN will give out IP addresses for the devices directly connected...
I.e.: Corporate LAN 10.0.0.0/19
Corporate DHCP server goes 10.0.0.100 - 250
ZT range is 10.0.1.100 - 250.
(The full subnet range is 10.0.0.1 to 10.0.31.254)
When doing it this way, there's no need to install ZT on desktops and servers. Only the travelling devices need it.
You don't have to worry about AD getting mucked up with a bunch of unnecessary ZT entries and such.
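Added example, not from the post: a check for an address plan like the one above, run before bridging. It verifies that every pool sits inside the usable part of the bridged subnet (excluding the network and broadcast addresses) and that no two pools overlap, which is the "just don't overlap DHCP" rule from the lab write-up made mechanical. The values are the post's own (10.0.0.0/19, DHCP 10.0.0.100-250, ZT 10.0.1.100-250), written out as full addresses.

```powershell
# Added example, not from the thread. Validates an IPv4 address plan for a bridged ZT network.
function ConvertTo-IPv4Int {
    param([Parameter(Mandatory)] [string] $Address)
    $bytes = [System.Net.IPAddress]::Parse($Address).GetAddressBytes()
    if ($bytes.Length -ne 4) { throw "$Address is not an IPv4 address" }
    # Big-endian bytes to one integer; [long] keeps 10.x.x.x and above from going negative.
    [long]$bytes[0] * 16777216 + [long]$bytes[1] * 65536 + [long]$bytes[2] * 256 + [long]$bytes[3]
}

function Test-AddressPlan {
    param(
        [Parameter(Mandatory)] [string]    $Subnet,   # e.g. '10.0.0.0/19'
        [Parameter(Mandatory)] [hashtable] $Pools     # pool name -> 'first-last'
    )
    $net, $prefix = $Subnet -split '/'
    $size  = [long][math]::Pow(2, 32 - [int]$prefix)
    $first = [long]([math]::Floor((ConvertTo-IPv4Int $net) / $size) * $size)   # network address
    $last  = $first + $size - 1                                                 # broadcast address
    $problems = @()
    $ranges = @(foreach ($name in $Pools.Keys) {
        $a, $b = $Pools[$name] -split '-'
        $lo = ConvertTo-IPv4Int $a.Trim()
        $hi = ConvertTo-IPv4Int $b.Trim()
        if ($lo -gt $hi) { $problems += "$name : range is reversed" }
        # Usable hosts lie strictly between the network and broadcast addresses.
        if ($lo -le $first -or $hi -ge $last) { $problems += "$name : leaves the usable range of $Subnet" }
        [pscustomobject]@{ Name = $name; Lo = $lo; Hi = $hi }
    })
    # Two ranges overlap exactly when each one starts no later than the other ends.
    for ($i = 0; $i -lt $ranges.Count; $i++) {
        for ($j = $i + 1; $j -lt $ranges.Count; $j++) {
            if ($ranges[$i].Lo -le $ranges[$j].Hi -and $ranges[$j].Lo -le $ranges[$i].Hi) {
                $problems += "$($ranges[$i].Name) overlaps $($ranges[$j].Name)"
            }
        }
    }
    return $problems
}

# The plan from the post. Add the static server addresses as a third pool to check them too.
$plan = @{
    'Corporate DHCP' = '10.0.0.100-10.0.0.250'
    'ZeroTier pool'  = '10.0.1.100-10.0.1.250'
}
$issues = Test-AddressPlan -Subnet '10.0.0.0/19' -Pools $plan
if ($issues) { $issues | ForEach-Object { Write-Warning $_ } } else { 'Address plan is consistent.' }
```

For the post's values the function returns no problems. Widening the DHCP pool to 10.0.0.100-10.0.1.150 makes it report an overlap with the ZeroTier pool, which is the case the lab write-up warns about: two hosts with the same address on one bridged segment.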
-
Any objections with setting up OpenVPN instead of using ZeroTier?
-
@black3dynamite said in ZeroTier / Software VPN question:
Any objections with setting up OpenVPN instead of using ZeroTier?
I dislike how OpenVPN is a pain in the ass inside Windows.
But it does work well.
I prefer to use L2TP/IPsec.