ZeroTier Review



  • I recently discovered a VPN-like service called ZeroTier (http://www.zerotier.com) that works similarly to Hamachi or maybe Pertino (never used Pertino though!). Basically, it builds out a network within the internet... Each client would get an IP address in the IP space you specify (Private IPs, a la 192.168 or 172.16, et al). And each device in that network will be able to communicate with other devices that are connected and authorized.

    The Technical FAQ on their site (https://www.zerotier.com/tech_faq.shtml) does a better job of explaining the way the nodes communicate than I can off the top of my head. The way the connection setups and everything works kinda reminds me of a P2P type application.

    If you create an account on their web site and use their Controllers, the setup is quick and easy; their system provides networks that are free for up to 10 devices. You can also pay them a monthly fee of $4 per month per Network of more than 10 devices. There are currently clients for Windows (7 and up, including Server Editions), Mac, and Linux. It should also work on BSD based OSes as well, but you will have to compile it yourself. An Android version is in the works, but I am not sure about iDevices.

    The software itself is open source, and you can build your own controller and create networks as large or small as you want. However, they do not offer a GUI by which to do this yet for self-hosted controllers, so you are left using the REST API for configuring the networks.

    As an example, my current network runs on a hosted Linux VM as the controller, and it has my laptop, my office machine, and two other VMs connected to it. Each machine has an IP address of 192.168.y.z/24. The underlying OS sees those as actual network interfaces... IE: on my Linux controller, it is listed as ztX, and in Windows, it shows up as another ethernet device in Network & Sharing Center; I don't have a Mac to test on at the moment. You can also specify which subnet you want to use for your ZT Network; as long as it is not a publicly routable network, you should be fine.

    They do have a gateway capability built in, but I have not tested it yet. It appears that you can have one of your client VMs provide access to the subnet behind it (equivalent of site to site VPN).

    You can configure a network to be public or private. With the public, as the name suggests, no authorization is required and anybody that joins up will be granted an IP address. In a private network, each device that joins has to be manually authorized before it is issued an IP address on the network.

    Using my own controller at the moment, things seem rather snappy. I get an average 45 - 50 ms ping time between one node and another. (I get a similar ping time using the public IP addresses between the two networks). I Copied a 2 megabyte file from SystemA to SystemB in ~3 seconds (would have been faster...but Windows...).

    I did have to write my own PHP scripts for creating networks, deleting networks and authorizing devices (Not sure how to handle JSON in BASH / Shell scripting).

    So far, it looks to be a secure VPN package with some nice level of controls. They are laying the groundwork for allowing rules (ACLs, if you will) so you can specify which devices can communicate to where, and in a true security first setup, unless you have a specific accept (allow) rule, the traffic is dropped.

    The following screenshot is the admin dashboard on their site. Everything should be self-explanatory, but if you don't know what a setting is for, the help menu along the right hand side provides a good enough bit of information to help.


    Edit: Posted the dashboard screenshot, and fixed a few typos.

    Update 8/31/2015 I got the Bridging feature that will let a ZeroTier Client become a bridge for the network that it sits in front of working. This effectively provides site-to-site or client-to-site VPN functionality. This feature has to be enabled for the devices using the server-side CLI if you are using your own controller.

    IE: My home Network has a ZeroTier IP of 192.168.251.250, and my internal IP addresses are 192.168.10.1-254... So on my client, I add a route to 192.168.10.0/24 via my client's ZeroTier IP address... On my Linksys at home, I add a route for 192.168.251.0 via 192.168.10.10 (the LAN IP address of the ZeroTier client inside of my home network).


  • Service Provider

    @dafyre said:

    However, they do not offer a GUI by which to do this yet, so you are left using the Rest (?) API for configuring the networks.

    REST API. All acronym.



  • @scottalanmiller Fixed. :-)



  • Thanks for writing this up, I just learned about them this week myself and have been trying to think of a good project to test it out with! Glad to hear it seems to work as well as they say it does.



  • @WingCreative If you are just going to use it for you or if you are certain it won't go over 10 devices, use their website... Unless you really just want to tinker.


  • Service Provider

    It's amazing how quickly you can go over ten devices!


  • Service Provider

    What end point platforms does it work on?



  • To connect as devices, it runs on Windows, Mac, and Linux. There's an Android device in the works.

    For the controllers, I'm not sure. You do have to compile it yourself if you want to run a controller, so I know that the controller bits work at least on Ubuntu 14.04.


  • Service Provider

    No FreeBSD? No Solaris?



  • Packages are available for Windows 7, Mac OS, and Linux.

    If you want to use FreeBSD, then you'll need to compile it yourself. I see nothing about Solaris on their site, though.


  • Service Provider

    Not even Windows servers or the last three versions? Is the project still current?



  • @scottalanmiller lol. Windows 7 and up. :-) (Keep commenting, and I'll keep editing the post, lol).


  • Service Provider

    Oh that is a bit better.



  • And very much a current project, lol. I got help with an issue via the Github Issue tracker, lol. And got emails from them about screenshotting for the write up. :-)



  • See updates above... Client-To-Site VPN is now working... sadly, I don't have a second site that I could hijack ^W use for testing... Yet. I feel a visit to family coming on, lol.



  • I must be dense. To set up the controller you compile the same zerotierone package but pass make ZT_ENABLE_NETWORK_CONTROLLER=1 first?



  • @johnhooks Yeah. When you build it with the controller enabled, it also builds the client too, so there's just one install to manage... I just discovered a shortcut to the rigamarole I went through before to initially get the installer...

    cd /path/to/ztsource
    make ZT_ENABLE_NETWORK_CONTROLLER=1 installer
    

    Will correctly build the controller bits in, as well as generate the installer script.

    sudo ./ZeroTierOneInstaller-linux-x64-1_0_5
    

    Will install it in /var/lib/zerotier-one, and install the init.d files (or the systemd files, whatever the going rate is these days)...

    You can check to see if you have the controller installed correctly by doing this:

    root@host:~# zerotier-cli /controller
    {
            "controller": true,
            "apiVersion": 1,
            "clock": 1441048250252,
            "instanceId": "#####################"
    }
    

    If it is installed correctly with the controller bits enabled, it should look like that.

    If it did not install with the controller bits, then you'll get a 404 error.



  • @dafyre Thanks!



  • Hey @johnhooks ,

    Have you tried to get the Site-To-Site working yet?



  • @dafyre said:

    Hey @johnhooks ,

    Have you tried to get the Site-To-Site working yet?

    I got everything installed, but I got stuck at creating a network haha.



  • Yeah, I never did get that part to work using the shell... so I cheated a little and did it with PHP for creating the network, and I did get a bash script written for authorizing the clients. These scripts need to be in /var/lib/zerotierone.

    Sadly, it won't let me upload text files, so here's a link to the PHP Script (it is a text file, so my server won't execute it, lol)

    https://beta.wellston.biz/ztCreateNetwork.txt

    After you get that done, it will create a network. In the ZeroTier client, copy and paste the network ID (it will show it to you after the network is created), or you can get the Network's ID by running:

    root@host:~# zerotier-cli /controller/network
    

    After you successfully join a client to the network, you will need to authorize the client before it is issued an IP address (Shell Script here): https://beta.wellston.biz/ztAuth.txt

    The first argument is the Network ID (the full 16 digit network id), and the second is the client id. (You can locate the client id in the bottom left of the interface if you are using the gui). If you are trying to connect from a non-gui Linux install, you can run zerotier-cli info again, and it will return your client's ID...

    root@host:~# zerotier-cli info
    200 info <your id here> ONLINE 1.0.5
    

    To authorize the client it would be:

    root@host:/var/lib/zerotier-one# ./ztAuth <networkid> <client id>
    

    It should spit out a blurb of text. Just check and make sure Authorized=true, and you should be good to go. I would recommend getting a couple of clients working from within the ZeroTier IP addresses before trying to get them to do Client-To-Site.
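    The authorize-then-verify step above, as an added shell example (not dafyre's ztAuth script): it validates the two IDs, POSTs the authorization to the controller's local HTTP API, and checks that the reply actually reports authorized=true. It assumes the service answers on 127.0.0.1:9993, that the token is read from /var/lib/zerotier-one/authtoken.secret, and that the member endpoint accepts {"authorized": true}; check those against your installed version.

```shell
#!/bin/sh
# Added example, not dafyre's ztAuth script: authorize a member on a
# self-hosted ZeroTier controller through the local HTTP API.
# Assumed (verify against your version): the service answers on
# 127.0.0.1:9993, the token lives in /var/lib/zerotier-one/authtoken.secret,
# and POSTing {"authorized": true} to the member path sets the flag.
set -eu

ZT_API="${ZT_API:-http://127.0.0.1:9993}"
ZT_TOKEN_FILE="${ZT_TOKEN_FILE:-/var/lib/zerotier-one/authtoken.secret}"

# Network IDs are 16 hex digits, node addresses 10 hex digits. Checking
# them first keeps a typo from being sent to the API as part of the URL.
valid_network_id() { printf '%s' "$1" | grep -Eq '^[0-9a-fA-F]{16}$'; }
valid_node_id()    { printf '%s' "$1" | grep -Eq '^[0-9a-fA-F]{10}$'; }

# True when a member JSON document reports "authorized": true, with or
# without the pretty-printing whitespace the controller may emit.
member_is_authorized() {
    printf '%s' "$1" | grep -Eq '"authorized"[[:space:]]*:[[:space:]]*true'
}

# POST the authorization and print the controller's JSON reply on stdout.
authorize_member() {
    nwid="$1"; node="$2"
    valid_network_id "$nwid" || { echo "bad network id: $nwid" >&2; return 2; }
    valid_node_id "$node"    || { echo "bad node id: $node" >&2; return 2; }
    token="$(cat "$ZT_TOKEN_FILE")"
    curl -sS -X POST \
        -H "X-ZT1-Auth: $token" \
        -H 'Content-Type: application/json' \
        -d '{"authorized": true}' \
        "$ZT_API/controller/network/$nwid/member/$node"
}

# Authorize, then confirm the reply instead of trusting the HTTP call
# alone; this is the "make sure Authorized=true" check done by the script.
authorize_and_check() {
    reply="$(authorize_member "$1" "$2")" || return $?
    if member_is_authorized "$reply"; then
        echo "member $2 authorized on network $1"
    else
        echo "authorization not confirmed; controller replied:" >&2
        printf '%s\n' "$reply" >&2
        return 1
    fi
}
```

    Source the file on the controller and call `authorize_and_check <networkid> <nodeid>`; the IDs in the checks below (0123456789abcdef, abcdef0123) are constructed placeholders, not real networks.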



  • That's awesome. Thanks so much! I'll give this a shot when I get some time today. I'm glad it wasn't just me that couldn't get it through the cli, I think their ReadMe's need some more direction.



  • @johnhooks Very much so, lol. I think they have an admin bit in the works, but I'm not sure if it will be part of the client package or a separate download or what they are going to do with it yet.



  • How did you allow bridging? Just using their hosted account, I checked the box but I can't see any other devices on the network.



  • I treated it as a routed network. So I built a Fedora 22 VM, enabled IP Forwarding and set up the routes on my remote client to my home network via the ztRouter's zt ip address.

    And then on my home router, I added a route to my Zerotier ip range via the LAN address of my Zerotier router.

    Clear as mud?



  • @dafyre said:

    I treated it as a routed network. So I built a Fedora 22 VM, enabled IP Forwarding and set up the routes on my remote client to my home network via the ztRouter's zt ip address.

    And then on my home router, I added a route to my Zerotier ip range via the LAN address of my Zerotier router.

    Clear as mud?

    Ha :-P. I just figured they had the function built in since there was an option for it. I'll give it a shot.

    I was thinking of setting this up at a doctors office because they need a new VPN between the hospital billing and their office. The hospital said a site to site VPN isn't an option, so I figured this might be easier.



  • @dafyre said:

    I treated it as a routed network. So I built a Fedora 22 VM, enabled IP Forwarding and set up the routes on my remote client to my home network via the ztRouter's zt ip address.

    And then on my home router, I added a route to my Zerotier ip range via the LAN address of my Zerotier router.

    Clear as mud?

    Did you create a bridge before you set up the routes or did you just use the actual interface?


  • Service Provider

    @johnhooks said:

    @dafyre said:

    I treated it as a routed network. So I built a Fedora 22 VM, enabled IP Forwarding and set up the routes on my remote client to my home network via the ztRouter's zt ip address.

    And then on my home router, I added a route to my Zerotier ip range via the LAN address of my Zerotier router.

    Clear as mud?

    Ha :-P. I just figured they had the function built in since there was an option for it. I'll give it a shot.

    I was thinking of setting this up at a doctors office because they need a new VPN between the hospital billing and their office. The hospital said a site to site VPN isn't an option, so I figured this might be easier.

    Why is a Site to Site VPN not an option? If you use this site to site VPN, you would have a site to site VPN. Do you see my confusion? If the hospital thinks that this is not an option, why would this be an option?



  • @scottalanmiller said:

    @johnhooks said:

    @dafyre said:

    I treated it as a routed network. So I built a Fedora 22 VM, enabled IP Forwarding and set up the routes on my remote client to my home network via the ztRouter's zt ip address.

    And then on my home router, I added a route to my Zerotier ip range via the LAN address of my Zerotier router.

    Clear as mud?

    Ha :-P. I just figured they had the function built in since there was an option for it. I'll give it a shot.

    I was thinking of setting this up at a doctors office because they need a new VPN between the hospital billing and their office. The hospital said a site to site VPN isn't an option, so I figured this might be easier.

    Why is a Site to Site VPN not an option? If you use this site to site VPN, you would have a site to site VPN. Do you see my confusion? If the hospital thinks that this is not an option, why would this be an option?

    You can do this without site to site. Just have peers connect. All the controller does is allow connections. If you set this up and delete the controller, everything still works.

    I don't understand why a site to site is not an option. It would make all of this easier, but that's what I was told. So I was thinking either this or set up an edgerouter with L2TP. He should probably have a new router anyway.


  • Service Provider

    @johnhooks said:

    @scottalanmiller said:

    @johnhooks said:

    @dafyre said:

    I treated it as a routed network. So I built a Fedora 22 VM, enabled IP Forwarding and set up the routes on my remote client to my home network via the ztRouter's zt ip address.

    And then on my home router, I added a route to my Zerotier ip range via the LAN address of my Zerotier router.

    Clear as mud?

    Ha :-P. I just figured they had the function built in since there was an option for it. I'll give it a shot.

    I was thinking of setting this up at a doctors office because they need a new VPN between the hospital billing and their office. The hospital said a site to site VPN isn't an option, so I figured this might be easier.

    Why is a Site to Site VPN not an option? If you use this site to site VPN, you would have a site to site VPN. Do you see my confusion? If the hospital thinks that this is not an option, why would this be an option?

    You can do this without site to site. Just have peers connect. All the controller does is allow connections. If you set this up and delete the controller, everything still works.

    I don't understand why a site to site is not an option. It would make all of this easier, but that's what I was told. So I was thinking either this or set up an edgerouter with L2TP. He should probably have a new router anyway.

    So site to peers?

