Powered by ZeroTier. A practical guide to building virtual networks. Part 1

Continuing the ZeroTier story from the theory outlined in the article "Smart Ethernet Switch for Planet Earth", I turn to practice, in which we will:

  • create and configure a private network controller
  • create a virtual network
  • set up nodes and connect them to it
  • check the network connectivity between them
  • close access to the network controller's GUI from the outside

Network Controller

As mentioned earlier, to create virtual networks, manage them, and connect nodes, the user needs a network controller, a graphical interface (GUI) for which exists in two forms:

ZeroTier GUI options

  • One from the developer, ZeroTier, available as a SaaS public cloud solution with four subscription plans, including a free one that is limited in the number of managed devices and in the level of support
  • The second from an independent developer, somewhat simpler in functionality, but available as a private open source solution for on-premise use or on cloud resources.

In my practice I have used both and, as a result, settled on the second one. The reason for this was the developer's warning:

“Network Controllers serve as certificate authorities for ZeroTier virtual networks. Files containing the controller's secret keys must be carefully guarded and securely archived. Their compromise allows unauthorized attackers to create fraudulent network configurations, and their loss leads to the loss of the ability to control and manage the network, effectively making it unusable.”

Link to documentation

And also signs of my own infosec paranoia 🙂 

  • Even if Cheburnet arrives, I should still have access to my network controller;
  • Only I should use the network controller, granting access to authorized persons if necessary;
  • It should be possible to restrict access to the network controller from the outside.
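Given the warning above about losing or leaking the controller's secret keys, here is a minimal archiving routine for that material, as an added example that is not part of the article or of ZeroTier. The paths are assumptions: on a stock Linux install the node identity lives in /var/lib/zerotier-one and the controller's network definitions under its controller.d subdirectory; the ztncui .env file (assumed to hold the GUI's API token) is included because whoever has it controls the controller. The archive is created with a 0600 mode and a sha256 sidecar so it can be checked after being copied off the host.

```shell
#!/bin/sh
# Added example, not from the article or ZeroTier. Paths below are assumptions
# for a stock Linux install; override them in the environment if yours differ.
ZT_HOME="${ZT_HOME:-/var/lib/zerotier-one}"            # node identity + controller.d
ZTNCUI_ENV="${ZTNCUI_ENV:-/opt/key-networks/ztncui/.env}" # GUI config (assumed to hold its API token)

# Archive the secret material into DEST (tar.gz, mode 0600) and write a
# DEST.sha256 sidecar. Prints the archive's sha256 on success, returns 1 on error.
backup_controller_secrets() {
  dest="$1"
  # subshell so the restrictive umask does not leak into the caller's shell
  ( umask 077
    tar -czf "$dest" -C / \
      "${ZT_HOME#/}/identity.secret" "${ZT_HOME#/}/identity.public" \
      "${ZT_HOME#/}/controller.d" "${ZTNCUI_ENV#/}" ) || return 1
  sha256sum "$dest" | awk '{print $1}' > "$dest.sha256"
  cat "$dest.sha256"
}

# Check an archive against its sidecar and make sure the node identity is in it.
# Returns 0 when the hash matches and identity.secret is present, 1 otherwise.
verify_backup() {
  dest="$1"
  [ -f "$dest.sha256" ] || return 1
  [ "$(sha256sum "$dest" | awk '{print $1}')" = "$(cat "$dest.sha256")" ] || return 1
  tar -tzf "$dest" | grep -q '/identity.secret$'
}

# usage: backup_controller_secrets /root/ztc-backup-$(date +%F).tgz
#        verify_backup /root/ztc-backup-2024-01-01.tgz   (date is a constructed example)
```

Keep the archive off the controller itself (a compromised host with its backup beside it gains nothing from the backup), and re-run verify_backup on the copy, not on the original, since the hash only proves what was written here.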

I don’t see much point in dwelling separately in this article on how to deploy a network controller and a GUI for it on on-premise physical or virtual resources. There are three reasons for this: 

  • the article would be longer than planned
  • the GUI developer has already described it on GitHub
  • the article is about something else

Therefore, taking the path of least resistance, in this story I will use a network controller with a GUI running on a VDS created from a template kindly prepared by my colleagues at RuVDS.

Initial setup

After creating a server from the specified template, the user gets access to the controller's Web GUI in a browser at https://<server IP address>:3443

By default, the server already contains a pre-generated self-signed TLS/SSL certificate. For me this is enough, since I close access to it from the outside. For those who wish to use other types of certificates, there are installation instructions on the GUI developer's GitHub.

The first time a user logs in (Login), the default username admin and default password password are used:

The GUI prompts you to change the default password to your own.

I do it a little differently: instead of changing the password of the existing user, I create a new one with Create User.

  • Set the name of the new user - Username:
  • Set a new password - Enter new password:
  • Confirm the new password - Re-enter password:

Entered characters are case sensitive - be careful!

I leave the Change password on next login checkbox (which forces a password change at the next login) unchecked. 

To confirm the entered data, press Set password:

Then I log out and log back in (Logout / Login) with the credentials of the new user:

Next, go to the Users tab and delete the user admin by clicking the trash can icon to the left of its name.

In the future, you can change the user's password by clicking either on his name or on set password.

Create a virtual network

To create a virtual network, go to the Add network tab. You can also get there from the Home page, the main page of the Web GUI, which displays the ZeroTier address of this network controller and contains a link to the list of networks created through it.

On page Add network the user assigns the name of the newly created network.

When the input is applied with Create Network, the user is taken to a page with a list of networks, which shows: 

  • network name - the name of the network, as a link you can click to change it 
  • Network ID - the network identifier
  • detail - a link to the page with detailed network parameters
  • easy setup - a link to the quick-setup page
  • members - a link to the node management page

For further settings, follow the easy setup link. On the page that opens, the user sets the IPv4 address range for the network being created. This can be done automatically by pressing the Generate network address button, or manually by entering the network prefix in the CIDR field.

After the entered data is confirmed, return to the page with the list of networks using the Back button. This completes the basic network setup.

Connecting hosts

  1. To begin with, on the node that the user wants to connect to the network, you need to install the ZeroTier One service.

    What is ZeroTier One? ZeroTier One is a service that runs on laptops, desktops, servers, virtual machines and containers and provides a connection to a virtual network through a virtual network port, similar to a VPN client. 

    Once the service is installed and running, you can connect to virtual networks using their 16-character addresses. Each network appears as a virtual network port on the system that behaves just like a regular Ethernet port.
    Links to the distributions and the installation commands can be found on the vendor's page.

    You can manage the installed service from the command line (CLI) with admin/root rights; on Windows/macOS also through the graphical interface; on Android/iOS only through the GUI.

  2. Checking that the service was installed successfully:

    CLI:

    zerotier-cli status

    Result: 

    200 info ebf416fac1 1.4.6 ONLINE

    GUI:

    The application is running and shows a Node ID line with the node's address.

  3. Connecting the node to the network:

    CLI:

    zerotier-cli join <Network ID>

    Result: 

    200 join OK

    GUI:

    Windows: right-click the ZeroTier One icon in the system tray and select Join Network.

    macOS: launch the ZeroTier One application in the menu bar if it is not already running, click the ⏁ icon and select Join Network.

    Android/iOS: tap the + (plus) icon in the app.

    In the field that appears, enter the Network ID shown in the network controller GUI and press Join/Add Network.

  4. Assigning an IP address to a host
    Now we return to the network controller and, on the page with the list of networks, follow the members link. If you see a picture similar to this one on the screen, your network controller has received a request from the connected node to be admitted to the network.

    On this page we leave everything as it is for now and follow the IP assignment link to the page for assigning an IP address to the node:

    After assigning the address, we click the Back button to return to the list of connected nodes, set the member name and tick the checkbox that authorizes the node in the network, authorized. By the way, this checkbox is a very handy way to disconnect a node from the network and reconnect it later.

    Save the changes with the refresh button.

  5. Checking the network connection status of a node:
    To check the connection status on the node itself, run:
    CLI:

    zerotier-cli listnetworks

    Result:

    200 listnetworks <nwid> <name> <mac> <status> <type> <dev> <ZT assigned ips>
    200 listnetworks 2da06088d9f863be My_1st_VLAN be:88:0c:cf:72:a1 OK PRIVATE ethernet_32774 10.10.10.2/24

    GUI:

    The network status should be OK.

    To connect the remaining nodes, repeat steps 1-5 for each of them.
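The node-side part of steps 2-5 can be scripted so that joining and waiting for the controller's authorization do not have to be watched by hand. The script below is an added example, not part of the article or of ZeroTier; it assumes zerotier-cli is installed and runs with root rights, parses the listnetworks line format shown in step 5, and uses the status values zerotier-cli itself reports (OK, ACCESS_DENIED) to tell whether the controller has authorized the node yet. The network ID in the usage comment is a constructed placeholder.

```shell
#!/bin/sh
# Added example (not from the article or ZeroTier): automate steps 2-5 on a node.
# Assumes zerotier-cli is installed and this runs with root/admin rights.

# Parse one "200 listnetworks ..." line into "<nwid> <status> <assigned ips>".
# Field order is the one the article shows in step 5:
#   200 listnetworks <nwid> <name> <mac> <status> <type> <dev> <ZT assigned ips>
# The header line (literal <nwid>) is skipped; multiple addresses are comma-joined;
# a node that is not yet authorized has no address, reported here as "-".
parse_listnetworks() {
  printf '%s\n' "$1" | awk '$1 == "200" && $2 == "listnetworks" && $3 != "<nwid>" {
      ips = ""
      for (i = 9; i <= NF; i++) ips = ips (ips == "" ? "" : ",") $i
      print $3, $6, (ips == "" ? "-" : ips)
  }'
}

# Step 2: 0 when "zerotier-cli status" reports this node ONLINE, 1 otherwise.
node_online() {
  zerotier-cli status 2>/dev/null |
    awk '$1 == "200" && $2 == "info" && $5 == "ONLINE" { ok = 1 } END { exit (ok ? 0 : 1) }'
}

# Step 5: print "<status> <ips>" for one network, e.g. "OK 10.10.10.2/24" or
# "ACCESS_DENIED -"; returns 1 if the node has not joined that network at all.
network_state() {
  nwid="$1"
  zerotier-cli listnetworks 2>/dev/null | while IFS= read -r line; do
    parse_listnetworks "$line"
  done | awk -v n="$nwid" '$1 == n { print $2, $3; found = 1 } END { exit (found ? 0 : 1) }'
}

# Step 3 + wait for step 4: join NWID, then poll until the controller has
# authorized this node and handed it an address. Returns 1 on timeout (seconds).
join_and_wait() {
  nwid="$1"; timeout="${2:-300}"
  node_online || { echo "node is not ONLINE; check the ZeroTier One service" >&2; return 1; }
  zerotier-cli join "$nwid" >/dev/null || return 1
  waited=0
  while [ "$waited" -lt "$timeout" ]; do
    state=$(network_state "$nwid") || state="NOT_LISTED -"
    status=${state%% *}; ips=${state#* }
    case "$status" in
      OK) [ "$ips" != "-" ] && { echo "joined $nwid with $ips"; return 0; } ;;
      ACCESS_DENIED) echo "waiting: tick 'authorized' for this node in the controller GUI (members)" >&2 ;;
    esac
    sleep 5; waited=$((waited + 5))
  done
  echo "timed out waiting for $nwid" >&2
  return 1
}

# usage: sh zt-join.sh 2da06088d9f863be   (network ID from the article's example)
if [ "$#" -gt 0 ]; then join_and_wait "$1"; fi
```

ACCESS_DENIED is the state a node sits in between step 3 and the administrator ticking "authorized" in step 4, so the loop prints a hint instead of failing; an OK status without an address means the controller accepted the node but the IP assignment of step 4 is still missing, and the script keeps waiting for it.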

Checking network connectivity of nodes

I do this with the ping command on the networked device I am currently working from.

In the screenshot of the controller Web GUI, you can see three nodes connected to the network:

  1. ZTNCUI, 10.10.10.1 - my network controller with a GUI, a VDS in one of the RuVDS data centres. It does not need to be in the network for normal operation, but I added it because I want to block access to the web interface from the outside. More on this later. 
  2. MyComp, 10.10.10.2 - my work computer, a physical PC
  3. Backup, 10.10.10.3 - a VDS in another DC.

Therefore, from my work computer, I check the availability of other nodes with the commands:

ping 10.10.10.1

Pinging 10.10.10.1 with 32 bytes of data:
Reply from 10.10.10.1: bytes=32 time=14ms TTL=64
Reply from 10.10.10.1: bytes=32 time=4ms TTL=64
Reply from 10.10.10.1: bytes=32 time=7ms TTL=64
Reply from 10.10.10.1: bytes=32 time=2ms TTL=64

Ping statistics for 10.10.10.1:
    Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
    Minimum = 2ms, Maximum = 14ms, Average = 6ms

ping 10.10.10.3

Pinging 10.10.10.3 with 32 bytes of data:
Reply from 10.10.10.3: bytes=32 time=15ms TTL=64
Reply from 10.10.10.3: bytes=32 time=4ms TTL=64
Reply from 10.10.10.3: bytes=32 time=8ms TTL=64
Reply from 10.10.10.3: bytes=32 time=4ms TTL=64

Ping statistics for 10.10.10.3:
    Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
    Minimum = 4ms, Maximum = 15ms, Average = 7ms

You are free to use other tools to check the reachability of nodes in the network, both those built into the OS and third-party ones such as Nmap, Advanced IP Scanner, etc.

Closing access to the network controller's GUI from the outside

In general, I can reduce the likelihood of unauthorized access to the VDS hosting my network controller with the firewall in my RuVDS account, but that topic deserves a separate article. Here I will show how to make the controller GUI reachable only from the network created in this article.

To do this, connect via SSH to the VDS on which the controller is located, open the configuration file using the command:

nano /opt/key-networks/ztncui/.env

In the file that opens, after the line "HTTPS_PORT=3443", which holds the port on which the GUI listens, add a line with the address the GUI should listen on; in my case it is HTTPS_HOST=10.10.10.1. 

Next, exit nano and save the file:

Ctrl+X
Y
Enter 

and run the command:

systemctl restart ztncui

And that's it: the GUI of my network controller is now available only to nodes of the 10.10.10.0/24 network.
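To make that change repeatable and to confirm it actually took effect, here is an added example script, not part of the article or of the ztncui project. It assumes a Linux host with GNU sed and ss(8), the .env path and the HTTPS_PORT/HTTPS_HOST keys shown above, and the controller's ZeroTier address 10.10.10.1 from this article; it rewrites HTTPS_HOST idempotently, restarts the service as above, and then checks that port 3443 is listening only on that address rather than on 0.0.0.0 or [::], which would leave the GUI reachable from the public interface.

```shell
#!/bin/sh
# Added example (not from the article or ztncui). Assumes Linux, GNU sed, ss(8).
ENV_FILE="${ENV_FILE:-/opt/key-networks/ztncui/.env}"  # path from the article
ZT_ADDR="${ZT_ADDR:-10.10.10.1}"                        # controller's ZeroTier address from the article
GUI_PORT="${GUI_PORT:-3443}"                            # HTTPS_PORT from the article

# Set HTTPS_HOST in ENV_FILE: replace an existing line, otherwise insert it
# right after HTTPS_PORT (or append if neither exists). Running it twice
# leaves exactly one HTTPS_HOST line.
set_https_host() {
  env_file="$1"; addr="$2"
  if grep -q '^HTTPS_HOST=' "$env_file"; then
    sed -i "s/^HTTPS_HOST=.*/HTTPS_HOST=$addr/" "$env_file"
  elif grep -q '^HTTPS_PORT=' "$env_file"; then
    sed -i "/^HTTPS_PORT=/a HTTPS_HOST=$addr" "$env_file"
  else
    printf 'HTTPS_HOST=%s\n' "$addr" >> "$env_file"
  fi
}

# Read "ss -ltnH" lines on stdin (local address:port is column 4) and return 1
# if PORT is bound to anything other than ADDR, e.g. 0.0.0.0 or [::].
check_bind() {
  port="$1"; addr="$2"
  awk -v p="$port" -v a="$addr:$port" '
    BEGIN { re = ":" p "$" }
    $4 ~ re && $4 != a { print "GUI still reachable on " $4; bad = 1 }
    END { exit (bad ? 1 : 0) }'
}

# Apply the change, restart ztncui (as in the article) and verify the binding.
apply_and_verify() {
  set_https_host "$ENV_FILE" "$ZT_ADDR"
  systemctl restart ztncui
  sleep 2                                   # give the service a moment to re-bind
  ss -ltnH | check_bind "$GUI_PORT" "$ZT_ADDR"
}

# usage (as root on the controller VDS): apply_and_verify
```

Note that check_bind only proves the socket is bound to the ZeroTier address; it says nothing about the VDS firewall, which the article leaves for a separate piece. Also, since the GUI now answers only on 10.10.10.1, the controller's own ZeroTier service must be up before ztncui can bind, so a failed check right after a reboot usually means ztncui started before its address existed.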

Instead of a conclusion 

On this, I want to finish the first part of a practical guide to creating virtual networks based on ZeroTier. I look forward to your comments. 

In the meantime, to pass the time until the next part, in which I will explain how to join a virtual network to a physical one, how to set up a "road warrior" mode and a few other things, I suggest you try building your own virtual network using a private network controller with a GUI on a VDS from the marketplace on Online RUVDS. Moreover, all new customers get a free trial period of 3 days!

P.S. Yes! I almost forgot: you can remove a node from the network with a command in that node's CLI:

zerotier-cli leave <Network ID>

200 leave OK

or the Delete command in the client GUI on the node.

-> Introduction. Theoretical part. Smart Ethernet Switch for Planet Earth
-> A practical guide to building virtual networks. Part 1
-> A practical guide to building virtual networks. Part 2


Source: habr.com
