Setting Up a VPN Network Using Zerotier-One
Zerotier-One is an established VPN multiple peer-to-peer system provided by a company based in California, USA, who distribute and maintain the Zerotier VPN software.
The basic Zerotier-One VPN service is free and can support a high number of node computers. The company provides added-value services but the free service is adequate for many smaller businesses, organizations and domestic users.
How Zerotier Works
Zerotier run so-called Zerotier “root servers” known as “planets” which provide the functionality for the network.
The system is easier to configure than for example OpenVPN or Wireguard. Zerotier provides a Web-based dashboard for managing your VPN, as well as a command-line interface.
Unlike conventional VPN proxy services. Zerotier can’t see your network traffic. As with OpenVPN, you are responsible for creating and operating your own VPN servers. Zerotier uses a peer-to-peer model which means there are no conventional-style “VPN servers” for Zeritier.
All participants in your Zerotier VPN are equal nodes.
The only drawback with Zerotier is that VPN network access is managed via my.zerotier.com. If this server should get hacked or suffer an outage then your VPN network could potentially be accessible to an intruder or VPN could be adversely affected or unreachable.
You can set up multiple VPN networks with Zerotier should you wish to run different WANs for specific purposes. The web-based dashboard makes it easy to manage your VPN/s from anywhere.
Zerotier divides the virtual connection into two parts:
The first is Virtual Layer 1 or VL1. This is the p2p component that manages encryption and direct communication. I is a virtualization of the physical layer in the OSI Networking System.
The second is Virtual Layer 2 or VL2 – the virtual Ethernet component that handles machine authorization, access control, network rules, etc.
VL1 is designed to operate with no configuration. Instead it relies on the existence of the Zerotier “planet” or root server system. This layer is what creates the actual virtual network.
It also deploys UDP “Hole Punching” to circumvent any NAT configurations where they are found.
VL2 is a Virtualized LAN protocol with Software-Defined Network (SDN) management features. It deploys secure VLAN boundaries, multicasting, and capability-based security, and certificate-based access control mechanisms.
This is the layer that takes care of the data packet transmission across the VPN.
Zerotier currently provide a network of 12 root servers or “planets” located in different global regions to operate VL1 functionality for all the hosted VPNs on the system.
If you wish, you can also set up your own replica “root servers” on your own VPN – these are known as “moons”. These help reduce the network overhead on the Zerotier root servers, and can also help increase network speeds and reduce latency. However in most individual cases this is not necessary.
Once the VL1 connection has been established, Zerotier clients then contact the network controller.
Every Zerotier VPN has a network controller. This is a node tasked with admitting members to the VPN, issuing certificates, and providing default configuration information when required.
The network controller distributes network configurations for VL2 participation among the client nodes and deploys cryptographic methods for authenticating the members.
Setting up a Zerotier VPN is simple and the system will generally work straight “out of the box” with minimal configuration.
For detailed instructions see https://zerotier.atlassian.net/wiki/spaces/SD/pages/8454145/Getting+Started+with+ZeroTier
The Zerotier Knowledge Base is at: https://zerotier.atlassian.net/wiki/spaces/SD/overview
Installation and Configuration of Zerotier VPN
First of all create an account with Zerotier. The basic account is free. Go to https://my.zerotier.com/
Next, while logged into the ZeroTier service at https://my.zerotier.com/, navigate to the Networks tab.
“Create New Network”
Your Network ID will be listed in the interface.
Click on your network and you will then be presented with the dashboard page for your Zerotier VPN network.
Make sure you set your access control to PRIVATE!
Install the Zerotier client on all machines:
on ubuntu machines you can now use the apt command:
apt install zerotier
The official Zerotier Download page is at https://www.zerotier.com/download/
Alternatively, you can use the following piped Zerotier installation command as follows:
curl -s ‘https://pgp.mit.edu/pks/lookup?op=get&search=0x1657198823E52A61’ | gpg –import && if z=$(curl -s ‘https://install.zerotier.com/’ | gpg); then echo “$z” | sudo bash; fi
This uses a GPG-signed script which ensures the code you download is verified as published by ZeroTier.
the curl command imports the ZeroTier public key from MIT.
curl -s ‘https://pgp.mit.edu/pks/lookup?op=get&search=0x1657198823E52A61’
This section of the piped command adds the ZeroTier public key to your local keychain of authorities to trust for packages you install.
The next section will execute provided the GPG import completes successfully:
if z=$(curl -s ‘https://install.zerotier.com/’ | gpg); then echo “$z”
Basically this says: “Provided the cryptographically-signed install script downloaded from ZeroTier.com successfully passes the GPG test – and is not rejected as unsigned by ZeroTier, then output that information on the screen.”
sudo bash; fi – This executes the newly-validated installer script.
Admit a machine to your Zerotier VPN:
You do this using the zerotier join command:
on the machine you want to join to your VPN network, execute:
sudo zerotier-cli join YourNetworkID
You should then receive a 200 join OK message, confirming the ZeroTier service on your machine has understood the command.
You then need to approve the machine in your My Zerotier dashboard at https://my.zerotier.com/
IMPORTANT: Until you complete these two actions your machine will not be able to participate in your VPN network!
Choose Public or Private Access
This is important for security:
There are two ways to configure access to your VPN: Public or Private
Public Network: This means anyone who knows the Network ID can connect. This is the most insecure option and not generally recommended if you don’t need to provide public access.
Private Network: This is the most secure option and generally the default you will be wanting to use. This requires all connecting machines to first be approved through the ZeroTier interface before they are permitted to connect.
Set a name for your network. This can be anything, it is just a label character string.
In the Auth section, you click on the boxes to approve each machine you want to give access to.
If you then do an ifconfig you should then see your virtual ethernet device listed for your Zerotier VPN:
ztppizdp4o: flags=4163<UP,BROADCAST,RUNNING,MULTICAST> mtu 2800
inet 10.147.18.14 netmask 255.255.255.0 broadcast 10.147.18.255
inet6 fe80::908b:6eff:fe55:e7ab prefixlen 64 scopeid 0x20<link>
ether 92:8b:6e:55:e7:ab txqueuelen 1000 (Ethernet)
RX packets 842271 bytes 2196053299 (2.1 GB)
RX errors 0 dropped 0 overruns 0 frame 0
TX packets 454784 bytes 62851965 (62.8 MB)
TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0
You can then define /etc/hosts machine name entries for your VPN virtual interface IPs as the virtual IPs for Zerotier always remain the same for each node.