ZeroTier + Active Directory Authentication
-
@scottalanmiller said:
@Dashrender said:
At this point, due to my very small mobile workforce compared to non-mobile - I know I need to consider if this solution, as good as it may be, might not be what I need.
Or just accept that the minor problem of deploying everywhere isn't really a problem worth actually considering. What does a full environment roll out take? Some effort, sure. But a lot? I doubt that it takes enough to really be worried about it. I have been rolling it out with servers recently and the big effort is just logging into the console.
It's not the effort itself, as I said, I could walk around and get it done in two days. At this point, considering you're telling me that if I use a different VPN solution I'll probably get what I want (pre-logon VPN connections).
A concern is if the complexity is worth it considering my end goal.
-
Something to consider is that the effort to learn and deploy a solution like OpenVPN will likely be several times more time-consuming and difficult than rolling ZT out to nodes that don't absolutely require a VPN connection. It's a trade-off... do you care about your time, effort and flexibility or do you care about deploying the software to more nodes? Depends on your total network, of course, it's not that simple. But we moved to this model because deploying to every node was a fraction of the effort of OpenVPN to some nodes.
-
@Dashrender said:
A concern is if the complexity is worth it considering my end goal.
In this case, it's hard to know which is more complex. Setting up a VPN solution that does what you need might be more complex to you than ZT. We have ZT running and it is super simple.
-
@adam.ierymenko said:
@scottalanmiller You could also bridge it to a physical network if you have old boxes, printers, fax machines, etc. A Raspberry Pi makes a great bridge for $30.
I know this is a huge topic - one that I've even participated in. But how realistic is it that you'll want printer access while not onsite? At that point won't the local IP scheme solve the issue?
I suppose if the goal is to never worry about a local network, live purely in the ZT LAN, then this is worthwhile.
-
@Dashrender said:
I know this is a huge topic - one that I've even participated in. But how realistic is it that you'll want printer access while not onsite? At that point won't the local IP scheme solve the issue?
Right, in most cases, the ZT model does not get complex. Things that can't talk on ZT generally don't need ZT.
-
@scottalanmiller said:
@Dashrender said:
A concern is if the complexity is worth it considering my end goal.
In this case, it's hard to know which is more complex. Setting up a VPN solution that does what you need might be more complex to you than ZT. We have ZT running and it is super simple.
Are you using ZT in a Windows-based network with AD, DNS, etc.? How's that working for you if you are? Though in a full-on mesh network, I would expect it to work OK or even better than OK.
It's only in the half-installed situation that it becomes a problem with ZT, with ZT IPs showing up in DNS for clients that aren't on the ZT network.
-
@Dashrender said:
Are you using ZT in a Windows-based network with AD, DNS, etc.? How's that working for you if you are? Though in a full-on mesh network, I would expect it to work OK or even better than OK.
No AD right now on ZT, although that is in the works. No Windows on it right now, just Linux. But in full mesh experience, no issues with AD at all.
-
@Dashrender said:
It's only in the half-installed situation that it becomes a problem with ZT, with ZT IPs showing up in DNS for clients that aren't on the ZT network.
Right, the only scenario I would pretty much not entertain is this one. A partial deployment means all of the complexity of the SDN with all of the complexity of managing a VPN in the traditional way along with quite a few additional complications from the lack of intention in design. This introduces problems that neither full mesh nor hub and spoke face.
-
@scottalanmiller If you try AD feel free to update this thread and/or https://www.zerotier.com/community/topic/22/the-big-zerotier-active-directory-lan-virtualization-thread-retitled/2 -- would be helpful
-
LOL - the problem is - that thread is JB's. Where he's trying to deploy ZT but not to every endpoint.
-
Yeah, my tests would not be useful there. He already knows that it works in the modes that we would use it in.
-
@adam.ierymenko said:
@scottalanmiller You could also bridge it to a physical network if you have old boxes, printers, fax machines, etc. A Raspberry Pi makes a great bridge for $30.
Where is this bridge everyone keeps talking about?
-
@FATeknollogee said:
@adam.ierymenko said:
@scottalanmiller You could also bridge it to a physical network if you have old boxes, printers, fax machines, etc. A Raspberry Pi makes a great bridge for $30.
Where is this bridge everyone keeps talking about?
It's just software. install it on whatever you want to install it on.
-
@Dashrender You have a "how to" instruction set?
-
Would you say that the biggest difference between ZT and Pertino in terms of logistics is that Pertino routes traffic across its network, whereas ZT just performs the initial connection and the "clients" then communicate with each other until a loss of connectivity occurs?
Pertino does have smartzones that allow you to tell it when it should just route traffic locally/across the non-Pertino interface, but I don't think it would be encrypted.
-
@FATeknollogee
I don't, but I think @BRRABill was working on it. https://www.zerotier.com/community/topic/5/bridging-ethernet-to-zerotier-virtual-networks-on-linux
This thread talks about it.
The gist is that you make a router out of a device that you can install ZT onto.
-
@FATeknollogee said:
@Dashrender You have a "how to" instruction set?
I think @dafyre created a script for it. I am pretty sure you can only install the bridge on a connector, which has to be a Linux box.
-
I just had a thought.
This is just a wacky solution to the multiple IPs for a single host problem that @dafyre was able to solve by telling a NIC to not register with DNS, but I couldn't get to work.
What if you install a bridge on the network, and make your default gateway aware of that network? Then if your PC gets a ZT IP from DNS, it can still communicate, only it will be through the bridge.
It's ugly.. but provides a path.
-
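The NIC-level fix @dafyre mentions above (telling the ZeroTier adapter not to register its address in AD DNS) is what keeps ZT addresses out of DNS for clients that are not on ZT in a partial deployment. The following PowerShell is an added example written for this page; it is not code from the thread or from ZeroTier. It assumes the ZeroTier One Windows adapter's InterfaceDescription contains the string "ZeroTier", that the workstation is a domain member doing dynamic DNS registration, and that the DnsServer module is available on the DC for the cleanup step; the function names, the zone name and the host name in the usage comment are illustrative.

```powershell
# Added example (not from the thread or from ZeroTier).
# Assumption: the ZeroTier adapter's InterfaceDescription contains "ZeroTier".

function Get-ZeroTierAdapter {
    Get-NetAdapter | Where-Object { $_.InterfaceDescription -like '*ZeroTier*' }
}

function Disable-ZeroTierDnsRegistration {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param()

    $adapters = @(Get-ZeroTierAdapter)
    if ($adapters.Count -eq 0) {
        Write-Warning 'No ZeroTier adapter found on this host.'
        return
    }

    foreach ($adapter in $adapters) {
        if ($PSCmdlet.ShouldProcess($adapter.Name, 'Disable DNS registration')) {
            # Stops the DNS Client service from registering this adapter's
            # address (A record for the host name and the matching PTR).
            Set-DnsClient -InterfaceIndex $adapter.ifIndex `
                          -RegisterThisConnectionsAddress $false
        }
    }

    # Show the resulting setting for every adapter so the change is verifiable:
    # only the LAN adapter should still have RegisterThisConnectionsAddress = True.
    Get-DnsClient | Select-Object InterfaceAlias, RegisterThisConnectionsAddress
}

# Server-side cleanup. A ZT address that was already registered stays in the
# zone until scavenging removes it, so remove it explicitly on the DNS server
# (requires the DnsServer module; run on a DC or with RSAT).
function Remove-StaleZeroTierRecord {
    param(
        [Parameter(Mandatory)] [string] $ZoneName,    # e.g. 'corp.example' (assumed)
        [Parameter(Mandatory)] [string] $HostName,    # short host name, e.g. 'ws01' (assumed)
        [Parameter(Mandatory)] [string] $ZeroTierIP   # the ZT address to delete
    )
    Remove-DnsServerResourceRecord -ZoneName $ZoneName -Name $HostName `
        -RRType 'A' -RecordData $ZeroTierIP -Force
}

# Usage on the workstation (elevated):
#   Disable-ZeroTierDnsRegistration -WhatIf     # preview which adapters change
#   Disable-ZeroTierDnsRegistration
#   ipconfig /registerdns                       # re-register the remaining adapters
# Usage on the DNS server, once per host that already has a ZT record:
#   Remove-StaleZeroTierRecord -ZoneName 'corp.example' -HostName 'ws01' -ZeroTierIP '10.147.17.5'
```

Two caveats a practitioner will want: the setting is per adapter, so a new ZeroTier network (new adapter) needs the function run again, and if a reverse zone exists for the ZT subnet its PTR record needs the same manual cleanup. As the thread says, this only matters in the half-installed case; in a full mesh, every client can reach the ZT address and the extra record is harmless.
-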
@wrx7m said:
@FATeknollogee said:
@Dashrender You have a "how to" instruction set?
I think @dafyre created a script for it. I am pretty sure you can only install the bridge on a connector, which has to be a Linux box.
Doh! you're right it was @dafyre
-
@Dashrender said:
I just had a thought.
This is just a wacky solution to the multiple IPs for a single host problem that @dafyre was able to solve by telling a NIC to not register with DNS, but I couldn't get to work.
What if you install a bridge on the network, and make your default gateway aware of that network? Then if your PC gets a ZT IP from DNS, it can still communicate, only it will be through the bridge.
It's ugly.. but provides a path.
Why does the gateway need to be aware of it?