ZeroTier / Software VPN question



  • Guys can you please shed some light and see if this is possible....

    So, we have a client with a Domain Controller and File Server (\\fs01) on site.
    There are some GPOs set up to push mapped drives to the computers and we have folder redirection set up for Desktop and Documents.

    Some users work from laptops and when they are in the office, of course can connect to resources and contact the DC and the GPO's push down and apply correctly.

    However, when outside of the office, when they use their laptops (also domain joined) it won't map the drives.
    It does however show the desktop/document items and is working in an offline version.

    I was hoping I could install ZeroTier VPN and be able to get those GPOs applied so users can simply use their laptops in the same way those on desktops do, i.e. with group policies working and always mapping drives.

    However, having tested this and installed ZT, whilst I can browse to the file server by going to \\fs01 it's not showing all the shares (it does show the redirected folder share though) but not those we map drives to.
    If I browse to the ZeroTier IP address I can then see the shares, but I don't want to map the drives using the ZT IP - I just want them to map automatically using the internal IP.

    Any ideas how I do this? Is this possible? Or do I just need to map the drives using the ZT IP address? But if I do that, when they take the laptops into the office, they will be using the ZT IP and not the internal LAN IP of the FS!

    Help please.



  • @joel said in ZeroTier / Software VPN question:

    I was hoping I could install ZeroTier VPN and be able to get those GPOs applied so users can simply use their laptops in the same way those on desktops do, i.e. with group policies working and always mapping drives.

    The GPOs are applied either way, it's not being able to see the shares that's the issue. And yes, a VPN will solve that. This is the LAN-based, 1990s approach to remote drive mapping.



  • @joel said in ZeroTier / Software VPN question:

    If I browse to the ZeroTier IP address I can then see the shares, but I don't want to map the drives using the ZT IP - I just want them to map automatically using the internal IP.

    Mapping should be done by hostname, not IP address. Trying to use IP addresses will cause issues.
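    The following is an added example, not code from anyone in the thread. It checks from the laptop what a file-server name resolves to at the current location, tests SMB reachability on every address returned, and maps the drive by name. The name-versus-IP point above has a security side as well as a convenience one: connecting to \\fs01.corp.example lets the client request a Kerberos ticket for the cifs/ SPN, whereas connecting to \\10.x.x.x has no matching SPN and silently falls back to NTLM. The server name fs01.corp.example, share name Data and drive letter X are assumptions.

    ```powershell
    # Added example (not from the thread): see what a file server name resolves to from
    # the laptop's current location, whether SMB answers on each address, and map by name.
    # Assumed names: fs01.corp.example (server), Data (share), X: (drive letter).

    param(
        [string]$Server = 'fs01.corp.example',
        [string]$Share  = 'Data',
        [string]$Drive  = 'X'
    )

    # 1. What does the client resolve the name to right now? On the LAN this should be the
    #    internal address; over ZeroTier it is whatever AD DNS or the hosts file says.
    $addresses = Resolve-DnsName -Name $Server -Type A -ErrorAction Stop |
        Where-Object { $_.Type -eq 'A' } |
        Select-Object -ExpandProperty IPAddress

    Write-Host "$Server resolves to: $($addresses -join ', ')"

    # 2. Is SMB (TCP 445) actually reachable on each candidate address? If the name resolves
    #    to the LAN address but only the ZT address answers, that is the symptom in the post.
    foreach ($ip in $addresses) {
        $ok = Test-NetConnection -ComputerName $ip -Port 445 -InformationLevel Quiet -WarningAction SilentlyContinue
        Write-Host ("  {0,-16} SMB/445 reachable: {1}" -f $ip, $ok)
    }

    # 3. Map by name, never by IP, so the SMB client can use Kerberos (cifs/<fqdn> SPN).
    $path = "\\$Server\$Share"
    if (Get-PSDrive -Name $Drive -ErrorAction SilentlyContinue) {
        Remove-PSDrive -Name $Drive -Force
    }
    New-PSDrive -Name $Drive -PSProvider FileSystem -Root $path -Persist -Scope Global | Out-Null
    Write-Host "Mapped ${Drive}: -> $path"

    # 4. Confirm the session and that a Kerberos service ticket for the server was obtained.
    Get-SmbConnection -ServerName $Server | Select-Object ServerName, ShareName, UserName, Dialect, Signed
    klist | Select-String 'cifs/'
    ```

    If step 4 shows no cifs/ ticket in klist, the connection authenticated with NTLM; the usual causes are mapping by IP, a missing or wrong SPN, or time skew with the DC.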



  • @joel said in ZeroTier / Software VPN question:

    Any ideas how I do this? Is this possible? Or do I just need to map the drives using the ZT IP address? But if I do that, when they take the laptops into the office, they will be using the ZT IP and not the internal LAN IP of the FS!

    If you want to use any IP address that isn't the ZeroTier IP address, you are attempting to misuse ZT. ZT is an SDN and by using it the idea is that you no longer use the underlying LAN IPs any longer. You are trying to shoehorn two different approaches that aren't meant to work together into one thing.



  • @scottalanmiller said in ZeroTier / Software VPN question:

    @joel said in ZeroTier / Software VPN question:

    Any ideas how I do this? Is this possible? Or do I just need to map the drives using the ZT IP address? But if I do that, when they take the laptops into the office, they will be using the ZT IP and not the internal LAN IP of the FS!

    If you want to use any IP address that isn't the ZeroTier IP address, you are attempting to misuse ZT. ZT is an SDN and by using it the idea is that you no longer use the underlying LAN IPs any longer. You are trying to shoehorn two different approaches that aren't meant to work together into one thing.

    Yeah. Set your DNS records for your ZT addresses and point everything to those. On site they will use the local LAN. Off-site they will use whatever routes they need to.



  • Forgive me, whats an SDN?
    When you say set my DNS records to ZT addresses, do you mean on my DNS server (my DC) set the DNS for the FS01 to point to ZT IP?



  • @joel said in ZeroTier / Software VPN question:

    Forgive me, whats an SDN?
    When you say set my DNS records to ZT addresses, do you mean on my DNS server (my DC) set the DNS for the FS01 to point to ZT IP?

    Here is the short answer. You are going to break shit.

    You have no idea what anything is. You don't want to do any of this.

    Stick with your LAN design and add user VPN. It is built into Windows 10 and any other OS out there and it is what your current system is designed to do.

    @scottalanmiller is, as usual, taking this to the extreme and telling you to rip it all out and redesign your network LAN-less.



  • @jaredbusch said in ZeroTier / Software VPN question:

    @scottalanmiller is, as usual, taking this to the extreme and telling you to rip it all out and redesign your network LAN-less.

    Didn't even start to do that. Instead, I pointed out that he was applying a LANless technique to a LAN-based network, which doesn't make sense.



  • @joel said in ZeroTier / Software VPN question:

    Forgive me, whats an SDN?

    Software Defined Network (aka SD-LAN). A virtualization layer on top of your network. That's what ZeroTier is for. It is not a VPN replacement. While it IS a VPN, it does not serve the purpose of LAN extension, which is what you are trying to do.

    Basically, your need is that you are a LAN based business and you want to extend the LAN. This is the traditional use of a VPN as people think of it (it's what people mean when they say VPN, but true VPN is much broader.)

    ZT is not a LAN extension, but a LAN virtualization technology. It is not meant to be used in LAN based networks, but in LANless. So doesn't apply well to you. It also uses VPN technology, but with a totally different intent.



  • @joel said in ZeroTier / Software VPN question:

    When you say set my DNS records to ZT addresses, do you mean on my DNS server (my DC) set the DNS for the FS01 to point to ZT IP?

    If you wanted to use ZT as intended, in a LANless way, then yes. Because your LAN IPs are LAN dependent, your ZT ones are not.



  • @joel said in ZeroTier / Software VPN question:

    Forgive me, whats an SDN?
    When you say set my DNS records to ZT addresses, do you mean on my DNS server (my DC) set the DNS for the FS01 to point to ZT IP?

    For a more positive answer, you can hybrid the approach, but things get very complicated as you need to be very certain of connectivity and DNS settings for everything.

    A hybrid approach means putting ZT on all your servers that devices will need to reach over the ZT subnet.

    Then you setup all the laptops with ZT.

    Then you need to setup DNS to handle it. In my case I do not want to fuck with AD's normal functionality, so I hardcode some settings in the hosts file of the laptops that need it.
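    The following is an added example, not the poster's own script. It does the hosts-file pinning described above on a laptop, idempotently and with a marker so the entry can be found and removed again, then verifies resolution and SMB reachability. Two caveats a practitioner should know: the hosts file must be edited from an elevated session, and a hosts entry overrides DNS everywhere, including on the office LAN, so the laptop will reach fs01 over the ZeroTier path on site as well. The names fs01 and fs01.corp.example and the ZT address 10.147.17.5 are assumptions.

    ```powershell
    # Added example (not from the thread): pin a file server's name to its ZeroTier address in
    # the laptop's hosts file, without touching AD DNS. Run elevated.
    # Assumed values: names fs01 / fs01.corp.example, ZeroTier-managed address 10.147.17.5.
    # Note: a hosts entry wins over DNS everywhere, including on the office LAN.

    $HostsFile = "$env:SystemRoot\System32\drivers\etc\hosts"
    $ZtAddress = '10.147.17.5'                    # assumed: fs01's ZT address
    $Names     = @('fs01', 'fs01.corp.example')    # short name and FQDN; SMB/Kerberos use both
    $Marker    = '# managed-by: zt-hybrid'         # lets the script find its own lines later

    function Set-ZtHostsEntry {
        param([string]$Address, [string[]]$HostNames)

        $lines = @()
        if (Test-Path $HostsFile) { $lines = Get-Content $HostsFile }

        # Keep comments and blanks; drop our own earlier line and any unmanaged line that
        # already maps one of these names, so exactly one entry is authoritative.
        $kept = $lines | Where-Object {
            $l = $_.Trim()
            if ($l -like "*$Marker*") { return $false }
            if ($l -eq '' -or $l.StartsWith('#')) { return $true }
            $hostsOnLine = ($l -split '\s+') | Select-Object -Skip 1
            -not ($HostNames | Where-Object { $hostsOnLine -contains $_ })
        }

        $entry = "{0}`t{1}`t{2}" -f $Address, ($HostNames -join "`t"), $Marker
        Set-Content -Path $HostsFile -Value ($kept + $entry) -Encoding ASCII
        Clear-DnsClientCache
        return $entry
    }

    function Remove-ZtHostsEntry {
        # Undo: strip only the lines this script wrote, leave everything else alone.
        $lines = Get-Content $HostsFile | Where-Object { $_ -notlike "*$Marker*" }
        Set-Content -Path $HostsFile -Value $lines -Encoding ASCII
        Clear-DnsClientCache
    }

    $written = Set-ZtHostsEntry -Address $ZtAddress -HostNames $Names
    Write-Host "Wrote: $written"

    # Verify: Resolve-DnsName honours the hosts file unless -DnsOnly is given, so both
    # names should now come back as the ZT address, and SMB should answer there.
    foreach ($n in $Names) {
        $r = Resolve-DnsName -Name $n -Type A -ErrorAction SilentlyContinue | Select-Object -First 1
        Write-Host ("{0,-22} -> {1}" -f $n, $r.IPAddress)
    }
    Test-NetConnection -ComputerName $Names[1] -Port 445 -InformationLevel Quiet
    ```

    Only pin names of hosts that actually have ZeroTier installed; a pinned name for a server that is reachable solely on the LAN will break on site as well as off.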



    The free version of ZeroTier can only connect up to 100 devices to unlimited networks.
    [image: screenshot of the ZeroTier pricing tiers]



  • @jaredbusch said in ZeroTier / Software VPN question:

    @joel said in ZeroTier / Software VPN question:

    Forgive me, whats an SDN?
    When you say set my DNS records to ZT addresses, do you mean on my DNS server (my DC) set the DNS for the FS01 to point to ZT IP?

    For a more positive answer, you can hybrid the approach, but things get very complicated as you need to be very certain of connectivity and DNS settings for everything.

    A hybrid approach means putting ZT on all your servers that devices will need to reach over the ZT subnet.

    Then you setup all the laptops with ZT.

    Then you need to setup DNS to handle it. In my case I do not want to fuck with AD's normal functionality, so I hardcode some settings in the hosts file of the laptops that need it.

    Okay thanks.
    So if we have all users moving onto a laptop (no more office-based desktops), they want to be able to work inside and outside the office and access all the same resources, have all group policies working etc. regardless of where they are. In this scenario would the hybrid be the best option then? e.g. install ZT on my DC and FS, then change DNS to point to ZT IPs and then install ZT on all laptops?

    I'm looking for the best way to do this. It's a small network so if I have to edit hosts files on laptops I can, but what do you think is the best way to have everything running with full access regardless of where users are?



  • @joel said in ZeroTier / Software VPN question:

    Okay thanks.
    So if we have all users moving onto a laptop (no more office-based desktops), they want to be able to work inside and outside the office and access all the same resources, have all group policies working etc. regardless of where they are. In this scenario would the hybrid be the best option then? e.g. install ZT on my DC and FS, then change DNS to point to ZT IPs and then install ZT on all laptops?

    I'm looking for the best way to do this. It's a small network so if I have to edit hosts files on laptops I can, but what do you think is the best way to have everything running with full access regardless of where users are?

    This tells us that you don't want AD at all.

    You are talking about a LAN-less design entirely.

    We have a few tagged topics on this subject.
    https://mangolassi.it/tags/lanless



  • @jaredbusch said in ZeroTier / Software VPN question:


    This tells us that you don't want AD at all.

    You are talking about a LAN-less design entirely.

    We have a few tagged topics on this subject.
    https://mangolassi.it/tags/lanless

    No, I do want AD... I want users to authenticate to a local server. 80% of the time they will be in the office, but the other 20% will be outside the office. But whilst outside I want them to log in and access the server's resources and sync folders back to the local server. I guess I'm looking for the most efficient way of doing this hybrid scenario.



  • @joel said in ZeroTier / Software VPN question:

    This tells us that you don't want AD at all.

    You are talking about a LAN-less design entirely.

    We have a few tagged topics on this subject.
    https://mangolassi.it/tags/lanless

    No, I do want AD... I want users to authenticate to a local server. 80% of the time they will be in the office, but the other 20% will be outside the office. But whilst outside I want them to log in and access the server's resources and sync folders back to the local server. I guess I'm looking for the most efficient way of doing this hybrid scenario.

    Why do you want that though? If you can do syncing - you could, for example, move to O365, have your Windows 10 machines all authenticate with O365, sync files in ODfB and Sharepoint and skip having servers on site at all. If you want GPOs you'll have to buy that addon for your users (advanced AD I think it might be called).



  • @joel - I was able to make this work in a lab setting.

    Here is what I did:

    1. Install ZeroTier on a Linux box or VM in your office. You don't have to install ZT on your Windows servers as the Linux system is going to act as a bridge to the entire local network.
    2. Set up your ZeroTier network to hand out IP addresses in the same subnet as your local network. Just don't overlap DHCP addresses on your local network.
    3. Set the Linux machine into bridge mode - read this post about bridge mode setup https://mangolassi.it/topic/8566/zerotier-bridging-configuration/2
    4. Install ZeroTier on your laptops and join the network.
    5. On the laptops, edit the DNS on the ZT network adapter to point to your domain controller(s).

    I did this a year ago so there may be a setting or two I am overlooking. There is a possibility that if you set your laptops' ZT adapter to obtain an address automatically they will pull their IP from the local DHCP server and you may not need to assign addresses from ZT.



  • Just another note with ZeroTier. On your Windows clients make sure you change the ZeroTier One Service Recovery options to restart the service on failures. Sometimes on Windows 10 it doesn't start when the computer boots up so the recovery option will hopefully restart the service if needed.
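    The following is an added example, not the poster's own script, showing how to set the service recovery options described above from an elevated PowerShell session and confirm them. It also switches the service to delayed automatic start, which avoids racing the network stack at boot, and starts it if it is currently stopped. The service name ZeroTierOneService and the zerotier-cli.bat path are assumptions to confirm on your install.

    ```powershell
    # Added example (not from the thread): make the ZeroTier One Windows service restart
    # itself on failure, start delayed so the network stack is up first, and verify.
    # Run elevated. Assumed service name: ZeroTierOneService (check: Get-Service '*ZeroTier*').

    $Name = 'ZeroTierOneService'
    $svc  = Get-Service -Name $Name -ErrorAction Stop

    # Recovery: restart 5 s after each of the first three failures; reset the counter after 24 h.
    # sc.exe is the built-in way to set this; the space after each '=' is mandatory.
    sc.exe failure $Name reset= 86400 actions= restart/5000/restart/5000/restart/5000 | Out-Null

    # Also treat a non-crash exit with a non-zero code as a failure, so it triggers recovery too.
    sc.exe failureflag $Name 1 | Out-Null

    # Delayed automatic start: the service comes up after the core services and the NIC.
    sc.exe config $Name start= delayed-auto | Out-Null

    # Verify the recovery actions, then start the service now if it is not running.
    sc.exe qfailure $Name
    if ((Get-Service -Name $Name).Status -ne 'Running') { Start-Service -Name $Name }
    Get-Service -Name $Name | Select-Object Name, Status, StartType

    # Confirm the node is online once the service is up (assumed install path).
    & "${env:ProgramFiles(x86)}\ZeroTier\One\zerotier-cli.bat" info
    ```

    Push the same settings through a GPO startup script or your RMM rather than by hand on each laptop, so a reinstalled or new machine does not silently lose them.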



  • @joel said in ZeroTier / Software VPN question:

    Okay thanks.
    So if we have all users moving onto a laptop (no more office-based desktops), they want to be able to work inside and outside the office and access all the same resources, have all group policies working etc. regardless of where they are. In this scenario would the hybrid be the best option then? e.g. install ZT on my DC and FS, then change DNS to point to ZT IPs and then install ZT on all laptops?

    I'm looking for the best way to do this. It's a small network so if I have to edit hosts files on laptops I can, but what do you think is the best way to have everything running with full access regardless of where users are?

    What's the goal in using any LAN IPs here? I don't see any reason to avoid ZT's virtualized IP space.



  • @joel said in ZeroTier / Software VPN question:

    No, I do want AD... I want users to authenticate to a local server. 80% of the time they will be in the office, but the other 20% will be outside the office. But whilst outside I want them to log in and access the server's resources and sync folders back to the local server. I guess I'm looking for the most efficient way of doing this hybrid scenario.

    That's not a want. That's a how. You never "want" AD, ever. That's not a possible thing from IT. IT's "wants" are always business solutions. AD might be how you provide that solution, but it's impossible for someone truly wearing an IT hat to "want" Active Directory itself.

    What's the GOAL here. AD is how you are imagining getting to the goal, but we don't know exactly what your goal is and it can't be what is stated.

    A goal would be like "needing strong user password management and user mobility." AD might be how you do that, but there is nothing AD does that only AD does.



  • Your stated design is LAN-less. AD is just your specified centralized auth mechanism.

    That has nothing to do with the network design.



  • @scottalanmiller said in ZeroTier / Software VPN question:

    What's the goal in using any LAN IPs here? I don't see any reason to avoid ZT's virtualized IP space.

    You can use ZT to bridge its IP space and the corporate LAN space... basically, the DHCP server on your internal LAN will give out IP addresses for the devices directly connected...

    IE: Corporate LAN 10.0.0.0/19

    Corporate DHCP Server goes 10.0.0.100 - 250
    ZT Range is 10.0.1.100-250.
    (The Full Subnet range is 10.0.0.1 to 10.0.31.254)

    When doing it this way, there's no need to install ZT on Desktops and Servers. Only the travelling devices need it.

    You don't have to worry about AD getting mucked up with a bunch of unnecessary ZT entries and such.
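    The following is an added example, not the poster's own, that checks the address plan above before bridging: it confirms the DHCP scope and the ZeroTier managed pool both sit inside the /19 and that the pool does not overlap the scope, which is the "just don't overlap DHCP" condition from the lab write-up earlier in the thread. The figures are the post's own (10.0.0.0/19, DHCP 10.0.0.100-250, ZT 10.0.1.100-250); the function and variable names are mine.

    ```powershell
    # Added example (not from the thread): sanity-check a bridged ZeroTier address plan
    # against the office subnet and DHCP scope, using the figures from the post above.

    function ConvertTo-IpInt64 {
        param([string]$Ip)
        $bytes = [System.Net.IPAddress]::Parse($Ip).GetAddressBytes()
        [Array]::Reverse($bytes)          # GetAddressBytes is big-endian; BitConverter is little-endian
        [int64][BitConverter]::ToUInt32($bytes, 0)
    }

    function Test-RangeInSubnet {
        param([string]$Cidr, [string]$First, [string]$Last)
        $net, $bits = $Cidr -split '/'
        $mask  = [int64]((0xFFFFFFFFL -shl (32 - [int]$bits)) -band 0xFFFFFFFFL)
        $base  = (ConvertTo-IpInt64 $net) -band $mask
        $bcast = $base -bor ((-bnot $mask) -band 0xFFFFFFFFL)
        $f = ConvertTo-IpInt64 $First
        $l = ConvertTo-IpInt64 $Last
        # The range must be ordered and must exclude the network and broadcast addresses.
        return ($f -le $l) -and ($f -gt $base) -and ($l -lt $bcast)
    }

    function Test-RangeOverlap {
        param([string]$AFirst, [string]$ALast, [string]$BFirst, [string]$BLast)
        $a1 = ConvertTo-IpInt64 $AFirst; $a2 = ConvertTo-IpInt64 $ALast
        $b1 = ConvertTo-IpInt64 $BFirst; $b2 = ConvertTo-IpInt64 $BLast
        return ($a1 -le $b2) -and ($b1 -le $a2)
    }

    $lan  = '10.0.0.0/19'
    $dhcp = @{ First = '10.0.0.100'; Last = '10.0.0.250' }   # corporate DHCP scope from the post
    $zt   = @{ First = '10.0.1.100'; Last = '10.0.1.250' }   # ZeroTier managed pool from the post

    "DHCP scope inside LAN:  $(Test-RangeInSubnet $lan $dhcp.First $dhcp.Last)"   # True
    "ZT pool inside LAN:     $(Test-RangeInSubnet $lan $zt.First $zt.Last)"       # True
    "ZT pool overlaps DHCP:  $(Test-RangeOverlap $dhcp.First $dhcp.Last $zt.First $zt.Last)"   # False
    ```

    A bridged ZT member is a second layer-2 path onto the office LAN, so the same check is worth re-running whenever the DHCP scope is widened; an overlap shows up as intermittent duplicate-address conflicts rather than a clean failure.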



  • Any objections with setting up OpenVPN instead of using ZeroTier?



  • @black3dynamite said in ZeroTier / Software VPN question:

    Any objections with setting up OpenVPN instead of using ZeroTier?

    I dislike how OpenVPN is a pain in the ass inside Windows.

    But it does work well.

    I prefer to use L2TP/IPSEC.

