ZeroTier Configuration: Difference between revisions

From Teltonika Networks Wiki

Latest revision as of 12:46, 8 August 2024


The information on this page is updated in accordance with firmware version 00.07.08.1.

ZeroTier One is open source software that establishes peer-to-peer VPN (P2PVPN) connections between devices running various operating systems. It also provides network management features such as routing and firewall rules.


Introduction

This article contains step-by-step instructions on how to set up and manage a ZeroTier network using Teltonika-Networks devices along with other equipment.

Setting up a ZeroTier network

  • Go to https://my.zerotier.com/login and log in or create an account if you haven't already.
  • Open the 'Networks' tab and click the 'Create a Network' button.
  • Click the newly created network to begin configuration.
  • Before configuring anything else, you may want to set up some basic settings.
    1. Copy the Network ID; you will need it later for ZeroTier node configuration.
    2. Optionally, set up a name and description for your network for easier management.
    3. Select the 'Private' access control type, unless you want nodes to connect freely, without authorization.
  • Scroll down to find the 'IPv4 Auto-Assign' section. Select one of the provided private IP ranges for your network, or click 'Advanced' and set up the range manually. For this example we'll be using the 10.147.17.* selection, which means our network will use the 10.147.17.0/24 IP range.

The last step concludes the ZeroTier network configuration. You may want to modify the settings further based on your specific requirements, but this particular network will function without any additional settings.

The next step is configuring members (aka nodes) for our ZeroTier network.

Node configuration

ZeroTier nodes or members are clients that can connect to a ZeroTier network. This section provides information on how to configure ZeroTier nodes on different types of machines.

Take note that if the 'Private' access control type is selected, the nodes will only come online after you authorize them from the ZeroTier Central dashboard. To learn how to authorize nodes, read the node authorization section of this article.

Teltonika-Networks device


  • Log in to your device's WebUI, and navigate to the Services → Package Manager page.
  • Find the ZeroTier package in the list and install it.
  • Navigate to the Services → VPN → ZeroTier page and create a new ZeroTier configuration.
    1. Enter a custom name for the configuration.
    2. Click 'Add'.
  • Complete the configuration.
    1. Turn the instance on.
    2. Add a custom instance name.
    3. Click 'Add'.
  • Complete the configuration.
    1. Enable the instance.
    2. Paste the ZeroTier Network ID into the Network ID field.
    3. Enable Allow managed IP.
  • Go to the ZeroTier Central dashboard and authorize this node.
  • To check the status of the connection from your device, go to the System → Maintenance → CLI page and log in.

    Check connection status with this command:
    zerotier-cli info
    Check ZeroTier interface IP address with this command (replacing <network> with the ZeroTier Network ID):
    zerotier-cli get <network> ip
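To read the status the two commands above report without inspecting raw output by hand, the following added Python example (it is not part of the original article or of the ZeroTier project) parses the JSON that `zerotier-cli -j info` and `zerotier-cli -j listnetworks` print (the `-j` flag switches zerotier-cli to JSON output) and reports, per network, whether the node is still waiting for authorization in ZeroTier Central, whether it received a managed IP, and whether that IP falls inside the auto-assign range chosen earlier. The node address, network IDs and addresses in the embedded samples are constructed, not captured from a device.

```python
import json
import ipaddress

# Constructed sample of `zerotier-cli -j info` output (not captured from a real device).
SAMPLE_INFO = '{"address": "abcdef0123", "online": true, "version": "1.12.2"}'

# Constructed sample of `zerotier-cli -j listnetworks` output: the first network is
# still waiting for authorization in ZeroTier Central (status ACCESS_DENIED), the
# second is authorized and has received a managed IP from the 10.147.17.0/24 pool.
SAMPLE_NETWORKS = """[
  {"nwid": "a0b1c2d3e4f5a6b7", "status": "ACCESS_DENIED", "assignedAddresses": [],
   "allowManaged": true, "bridge": false, "portDeviceName": "ztaaaaaaaa"},
  {"nwid": "1122334455667788", "status": "OK", "assignedAddresses": ["10.147.17.23/24"],
   "allowManaged": true, "bridge": false, "portDeviceName": "ztbbbbbbbb"}
]"""


def node_status(info_json):
    """Return (node address, online flag) from `zerotier-cli -j info` JSON."""
    info = json.loads(info_json)
    return info["address"], bool(info.get("online", False))


def network_report(networks_json, expected_range=None):
    """Summarize `zerotier-cli -j listnetworks` JSON per network ID.

    expected_range is the IPv4 auto-assign range chosen in ZeroTier Central
    (e.g. "10.147.17.0/24"); when given, the report notes whether the managed
    IP the node received actually falls inside it.
    """
    pool = ipaddress.ip_network(expected_range) if expected_range else None
    report = {}
    for net in json.loads(networks_json):
        status = net.get("status")
        addrs = [ipaddress.ip_interface(a) for a in net.get("assignedAddresses", [])]
        entry = {
            "authorized": status == "OK",
            "needs_authorization": status == "ACCESS_DENIED",
            "managed_ip_allowed": bool(net.get("allowManaged", False)),
            "addresses": [str(a) for a in addrs],
            "in_expected_range": pool is not None and any(a.ip in pool for a in addrs),
        }
        if status == "ACCESS_DENIED":
            entry["hint"] = "authorize this node under Members in ZeroTier Central"
        elif status == "OK" and not addrs:
            entry["hint"] = ("authorized but no managed IP: check 'Allow managed IP' on the "
                             "device and 'IPv4 Auto-Assign' in ZeroTier Central")
        elif status == "OK" and pool is not None and not entry["in_expected_range"]:
            entry["hint"] = f"assigned IP is outside the expected range {pool}"
        report[net["nwid"]] = entry
    return report


if __name__ == "__main__":
    address, online = node_status(SAMPLE_INFO)
    print(f"node {address}: {'ONLINE' if online else 'OFFLINE'}")
    for nwid, entry in network_report(SAMPLE_NETWORKS, "10.147.17.0/24").items():
        print(nwid, entry)
```

On the device itself the same two functions can be fed the real command output (for example captured with `subprocess.run(["zerotier-cli", "-j", "listnetworks"], capture_output=True)`); the sample strings stand in for that so the script runs offline.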

Windows device


  • Download and install ZeroTier for Windows from https://www.zerotier.com/download/.
  • Look to the right side of the Windows taskbar and perform these actions:
    1. Click 'Show hidden icons'.
    2. Right-click the ZeroTier icon.
    3. Click 'Join Network...'
    4. Paste the ZeroTier Network ID.
    5. Click 'Join'.
  • Go to the ZeroTier Central dashboard and authorize this node.
  • To check the status of the connection, click 'Show hidden icons' again and click 'Show Networks...'

Android/Apple iOS device


  • Open the 'Google Play Store' or the 'App Store' depending on your mobile device.
  • Find the 'ZeroTier One' app and install it.
  • Open the application and configure it as follows.
    1. Click the plus symbol.
    2. Enter the ZeroTier Network ID.
    3. Click 'Add Network'.
    4. Enable the connection to this network by moving the slider next to it.
    5. In the 'Connection request' pop-up click 'OK' to confirm the connection.
    6. After you have authorized the new member (your phone), the status indication at the bottom of the screen should turn to 'Online'.

Node authorization

When Access Control is set to 'Private', you will have to approve new nodes manually from the ZeroTier dashboard before they can become members of the network.

To do this, simply scroll down to the 'Members' section.

  1. Place check marks next to nodes that you wish to authorize.
  2. Additionally, you may want to add names and descriptions for your nodes to make it easier to differentiate between them.

Private network access

This section provides instructions on how to set up remote access to private networks behind ZeroTier nodes. For the following instruction, we'll use an example ZeroTier network that consists of three members: a Teltonika-Networks device, a computer and a phone.

For the purposes of this example, let's assume we want to provide remote access for the computer and the phone to the 192.168.1.0/24 network behind the Teltonika-Networks device.

ZeroTier routing


  • Go to ZeroTier Central and find the 'Managed Routes' box in the 'Advanced' section.
  • Add the following route.
    1. Specify 192.168.1.0/24 as the destination.
    2. Specify 10.147.17.23 (the Teltonika device's ZeroTier IP) in the 'via' field.
    3. Click 'Submit'.
  • Configuring it like this will make the entire 192.168.1.0/24 network accessible to other ZeroTier nodes via the Teltonika device's ZeroTier IP address. To configure a route to a single IP address instead, specify the address with a /32 netmask.
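The following added Python example (not part of the original article) checks a managed route before it is entered in ZeroTier Central, using the values from the walkthrough: the 10.147.17.0/24 auto-assign range, the device's ZeroTier IP 10.147.17.23 as the 'via' gateway and the 192.168.1.0/24 LAN as the destination. It flags a gateway that is not a member address, a destination that overlaps the ZeroTier range, a destination with host bits set (the usual symptom of wanting a /32 but typing a /24), and shows how many LAN addresses a /24 route exposes compared with the /32 variant mentioned above. Only the standard library `ipaddress` module is used.

```python
import ipaddress

# Values from the example in the text: the network's IPv4 auto-assign range, the
# Teltonika device's ZeroTier IP (the 'via' gateway) and the LAN behind it.
ZT_RANGE = ipaddress.ip_network("10.147.17.0/24")
TELTONIKA_ZT_IP = "10.147.17.23"
LAN_BEHIND_DEVICE = "192.168.1.0/24"


def validate_managed_route(destination, via, zt_range=ZT_RANGE):
    """Check a managed route before submitting it in ZeroTier Central.

    Returns a list of problems found; an empty list means the route looks sane.
    """
    problems = []
    iface = ipaddress.ip_interface(destination)
    dest = iface.network
    if iface.ip != dest.network_address and dest.prefixlen != dest.max_prefixlen:
        # e.g. "192.168.1.10/24": Central would route the whole subnet, but the
        # intent was probably a single host.
        problems.append(f"{destination} has host bits set; use {dest} for the whole subnet "
                        f"or {iface.ip}/{dest.max_prefixlen} for that single host")
    gw = ipaddress.ip_address(via)
    if gw.version != dest.version:
        problems.append(f"via {gw} and destination {dest} are different address families")
    elif gw not in zt_range:
        problems.append(f"via {gw} is outside the ZeroTier range {zt_range}; the gateway must "
                        "be the ZeroTier IP of the member that fronts the destination")
    if dest.version == zt_range.version and dest.overlaps(zt_range):
        problems.append(f"destination {dest} overlaps the ZeroTier range {zt_range}")
    if not dest.is_private:
        problems.append(f"destination {dest} is not private address space; routing it via a "
                        "member sends traffic for public addresses through that node")
    return problems


def single_host_route(host_ip, via=TELTONIKA_ZT_IP):
    """The /32 variant from the text: expose one LAN host instead of the whole subnet.

    Returns the (destination, via) pair to enter under Managed Routes.
    """
    host = ipaddress.ip_address(host_ip)
    return f"{host}/{host.max_prefixlen}", str(via)


def hosts_exposed(destination):
    """Number of addresses a managed route makes reachable from other members:
    a quick way to see how much a /24 opens up compared with a /32."""
    return ipaddress.ip_network(destination, strict=False).num_addresses


if __name__ == "__main__":
    for dest, via in ((LAN_BEHIND_DEVICE, TELTONIKA_ZT_IP),
                      ("192.168.1.10/24", TELTONIKA_ZT_IP),
                      (LAN_BEHIND_DEVICE, "192.168.1.1")):
        print(dest, "via", via, "->", validate_managed_route(dest, via) or "OK")
    print("single host:", single_host_route("192.168.1.10"),
          "exposes", hosts_exposed("192.168.1.10/32"), "address;",
          LAN_BEHIND_DEVICE, "exposes", hosts_exposed(LAN_BEHIND_DEVICE))
```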

Port forwarding


  • Enter your Teltonika device's WebUI and navigate to the Network → Firewall → Port Forwards page.
  • Find the 'Add New Port Forward' section and add a rule such as this:
    1. Enter a custom name for the rule.
    2. Enter the external port number on which to listen for incoming connections.
    3. Enter the IP address of a device in the local network.
    4. Enter that device's listening port number.
    5. Click 'Add'.
  • Since this configuration concerns port 80, the default HTTP port, configuring it like this would eliminate WebUI access to the Teltonika device over the ZeroTier network. To maintain that access, consider using a different external port.
  • You will then be taken to the rule's configuration window:
    1. Enable the port forward.
    2. Click the Save & Apply button.
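The port-80 clash described above is easy to catch before the rule is saved. The following added Python example (not part of the original article or of RutOS) lints a port-forward rule as it would be entered on the Port Forwards page: it reports an external port that the router itself answers on (the WebUI ports and SSH are an assumption for this example, adjust them to the services enabled on your device), an internal IP outside the 192.168.1.0/24 LAN, an out-of-range port, and a second rule on an external port that is already forwarded, and it picks the "different external port" the text recommends. The two rules are constructed for the example.

```python
import ipaddress

LAN = ipaddress.ip_network("192.168.1.0/24")  # the LAN behind the Teltonika device (from the text)

# Ports the router itself answers on over the ZeroTier interface. Assumption for this
# example: WebUI on 80/443 and SSH on 22; adjust to the services actually enabled.
DEVICE_PORTS = {80: "WebUI (HTTP)", 443: "WebUI (HTTPS)", 22: "SSH"}


def check_port_forward(rule, existing=(), device_ports=DEVICE_PORTS, lan=LAN):
    """Lint one port-forward rule as entered on Network -> Firewall -> Port Forwards.

    rule: dict with name, external_port, internal_ip, internal_port and optional proto.
    existing: rules already present, used to spot a second rule on the same external port.
    Returns a list of problems; an empty list means the rule is safe to add.
    """
    problems = []
    ext, internal = rule["external_port"], rule["internal_port"]
    for label, port in (("external", ext), ("internal", internal)):
        if not 1 <= port <= 65535:
            problems.append(f"{label} port {port} is out of range")
    if ext in device_ports:
        problems.append(f"external port {ext} is used by the device's own {device_ports[ext]}; "
                        "forwarding it hides that service from ZeroTier members")
    if ipaddress.ip_address(rule["internal_ip"]) not in lan:
        problems.append(f"internal IP {rule['internal_ip']} is not inside {lan}")
    proto = rule.get("proto", "tcp")
    for other in existing:
        if other["external_port"] == ext and other.get("proto", "tcp") == proto:
            problems.append(f"external port {ext}/{proto} is already forwarded by rule '{other['name']}'")
    return problems


def free_external_port(preferred, existing=(), device_ports=DEVICE_PORTS,
                       candidates=(8080, 8081, 8082, 8443)):
    """Return `preferred` if nothing uses it, otherwise the first unused candidate
    (the 'different external port' the text suggests)."""
    taken = set(device_ports) | {r["external_port"] for r in existing}
    for port in (preferred, *candidates):
        if port not in taken:
            return port
    raise ValueError("no free external port among the candidates")


# Constructed example rules: the first reproduces the port-80 clash the text warns
# about, the second is the corrected form using a different external port.
CLASHING_RULE = {"name": "webcam", "external_port": 80, "internal_ip": "192.168.1.10", "internal_port": 80}
FIXED_RULE = {"name": "webcam", "external_port": 8080, "internal_ip": "192.168.1.10", "internal_port": 80}

if __name__ == "__main__":
    for rule in (CLASHING_RULE, FIXED_RULE):
        print(rule["name"], rule["external_port"], "->", check_port_forward(rule) or "OK")
    print("suggested external port instead of 80:", free_external_port(80))
```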

Bridge Configuration

ZeroTier bridge configuration allows two (or more) LANs in the same ZeroTier network to be interconnected. For this example, we will use two RUTX routers. Both routers should already have the ZeroTier package installed and be connected to the ZeroTier Portal.

First router


  • Navigate to Services → VPN → ZeroTier and access the ZeroTier instance created previously to edit it for bridging the LANs.
  • From the Bridge to dropdown menu, select LAN. This option bridges the ZeroTier interface with the device's LAN interface, which extends the network and allows Layer 2 communication via ZeroTier. Bridges operate at the data link layer and allow devices on different LAN segments to communicate with each other.
  • Save & Apply the settings.

Second Router


  • Navigate to Services → VPN → ZeroTier and access the ZeroTier instance, configuring it the same way as on the first router.
  • Navigate to Network → LAN → Edit instance settings and change the IPv4 address to an IP in the same subnet as the first router (we will use 192.168.1.2 for this example).
  • Disable DHCPv4 & DHCPv6.
  • Save & Apply the settings.

ZeroTier Portal


  • Open your ZeroTier Portal (https://my.zerotier.com/) and navigate to your ZeroTier Network.
  • Scroll down to Members and enable the "Allow Ethernet Bridging" option on both devices.


  • Make sure to turn off Auto-Assign from Range in the Advanced section. Since this is a Layer 2 bridge configuration, there is no need for IP addresses on the ZeroTier interfaces or for managed IPs. With Layer 2 bridging, devices communicate directly using their local MAC addresses, eliminating the need for IP address management.
  • NOTE: Make sure to remove any Managed IPs that may have remained from when the Auto-Assign feature was turned on (by default, ZeroTier keeps it on).
  • In the Advanced section → Managed Routes, add the LAN network route (in this case, 192.168.1.0/24), which ensures communication within the bridge. This allows devices in the ZeroTier network to communicate with devices on the LAN.


  • To avoid IP or routing conflicts, it is recommended to remove any other automatically assigned routes in ZeroTier. Doing so prevents routing issues and ensures smoother communication within the 192.168.1.0/24 LAN bridge over the ZeroTier network.

If everything was done correctly, you should be able to ping devices connected to separate routers. Let us test this by pinging a laptop connected to the second router (192.168.1.163) from a laptop connected to the first router (192.168.1.220):


Note: If you wish to add more routers to the bridged network, you should configure them according to the second router configuration.
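The bridge walkthrough above spreads its requirements over two routers and the ZeroTier Portal, and a single forgotten step (a stale managed IP, Auto-Assign left on, DHCP still running on the second router) is what usually breaks the ping test. The following added Python example (not part of the original article, of RutOS or of ZeroTier) models those settings as plain data and checks them together: every router bridged to LAN and in the first router's subnet with a unique address, DHCP disabled on every router but the first, "Allow Ethernet Bridging" on with no leftover managed IPs for each member, Auto-Assign from Range off, the LAN route present and no other managed routes. The router addresses (192.168.1.1 for the first router is an assumption; the text only fixes the second at 192.168.1.2) and the two Central configurations are constructed for the example.

```python
import ipaddress
from dataclasses import dataclass, field


@dataclass
class Router:
    """Settings from the RutOS WebUI that matter for the bridge."""
    name: str
    lan_ip: str            # Network -> LAN -> IPv4 address
    lan_prefix: int        # LAN netmask as a prefix length (24 = 255.255.255.0)
    bridge_to_lan: bool    # ZeroTier instance: 'Bridge to' set to LAN
    dhcp_enabled: bool     # DHCPv4/DHCPv6 server on the LAN interface


@dataclass
class Member:
    """Per-member settings as shown under Members in ZeroTier Central."""
    allow_ethernet_bridging: bool
    managed_ips: list = field(default_factory=list)


@dataclass
class CentralNetwork:
    """Network-level settings from the Advanced section in ZeroTier Central."""
    auto_assign_from_range: bool
    members: dict          # router name -> Member
    managed_routes: list   # destinations entered under Managed Routes


def check_bridge_setup(routers, network):
    """Return a list of findings; an empty list means the setup matches the steps above."""
    findings = []
    first = routers[0]
    subnet = ipaddress.ip_interface(f"{first.lan_ip}/{first.lan_prefix}").network

    seen_ips = {}
    for r in routers:
        if not r.bridge_to_lan:
            findings.append(f"{r.name}: ZeroTier instance is not bridged to LAN")
        ip = ipaddress.ip_address(r.lan_ip)
        if ip not in subnet:
            findings.append(f"{r.name}: LAN IP {ip} is not in {subnet} (must match the first router)")
        if ip in seen_ips:
            findings.append(f"{r.name}: LAN IP {ip} duplicates {seen_ips[ip]}")
        seen_ips[ip] = r.name
        if r is not first and r.dhcp_enabled:
            findings.append(f"{r.name}: DHCPv4/DHCPv6 must be disabled; two DHCP servers on one "
                            "bridged segment hand out conflicting leases")
        member = network.members.get(r.name)
        if member is None:
            findings.append(f"{r.name}: not a member of the ZeroTier network")
            continue
        if not member.allow_ethernet_bridging:
            findings.append(f"{r.name}: 'Allow Ethernet Bridging' is off in ZeroTier Central")
        if member.managed_ips:
            findings.append(f"{r.name}: stale managed IPs {member.managed_ips} left over from Auto-Assign")

    if network.auto_assign_from_range:
        findings.append("Auto-Assign from Range is still on; a Layer 2 bridge needs no managed IPs")
    routes = [ipaddress.ip_network(d, strict=False) for d in network.managed_routes]
    if subnet not in routes:
        findings.append(f"managed route for {subnet} is missing")
    extra = [str(n) for n in routes if n != subnet]
    if extra:
        findings.append(f"remove the other managed routes {extra} to avoid routing conflicts")
    return findings


# Constructed sample matching the walkthrough: the first router keeps 192.168.1.1/24
# (assumed default) and its DHCP server, the second gets 192.168.1.2 with DHCP off.
ROUTERS = [
    Router("first", "192.168.1.1", 24, bridge_to_lan=True, dhcp_enabled=True),
    Router("second", "192.168.1.2", 24, bridge_to_lan=True, dhcp_enabled=False),
]
GOOD_NETWORK = CentralNetwork(
    auto_assign_from_range=False,
    members={"first": Member(True), "second": Member(True)},
    managed_routes=["192.168.1.0/24"],
)
# Same routers, but Central left as ZeroTier creates it: Auto-Assign on, leftover managed
# IPs, the pool route still present, bridging not enabled on the second member.
DEFAULT_NETWORK = CentralNetwork(
    auto_assign_from_range=True,
    members={"first": Member(True, ["10.147.17.23"]), "second": Member(False, ["10.147.17.24"])},
    managed_routes=["10.147.17.0/24", "192.168.1.0/24"],
)

if __name__ == "__main__":
    for label, net in (("as documented", GOOD_NETWORK), ("Central defaults", DEFAULT_NETWORK)):
        print(f"== {label} ==")
        for finding in check_bridge_setup(ROUTERS, net) or ["no findings"]:
            print(" -", finding)
```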