OPNSense: ZeroTier Installation and configuration (site-to-site connection)

Captions
Hello and welcome. Today I'm going to show you how to install and configure ZeroTier on your OPNsense firewall. By the end of this video you will have a basic understanding of how ZeroTier works and how to configure it on OPNsense, how ZeroTier compares to other VPN technologies and when you should or should not use it, and I'll also share some of the pitfalls with you too, so you know what to expect from this technology. As usual, before I show you how to configure ZeroTier, let's learn some theory first.

Naturally, before you start playing with the configuration, you first have to install the service itself. I don't have it on this slide, but there are two types of servers you're going to talk to: ZeroTier planet servers and ZeroTier moon servers. Planet servers are responsible for giving you the identity, and moon servers are responsible for routing the traffic, showing one client where to find the other client on the internet; they also hold the access control lists for all of the nodes in the ZeroTier network. So when you install the service, this is what happens: your node, in our case the OPNsense firewall, will go out and reach a planet-type server and tell it, "Hey, I'm new here, can you please give me an identity?" The server will reply, "Hey, here is your new ID and here is the list of the moons." When this is all done, you will want to join one of the ZeroTier networks, and when that happens your node will tell the ZeroTier moon, "Hello, I want to join network XYZ." The moon server will then check if the network is public or private. If the network is public, your node will be able to join automatically, but if the network is private, the admin of that network will have to go in and manually approve your node on that network. When you join successfully, the moon will reply, "Hey, you are allowed to be on this network, your IP is XYZ." When this is done, finally we have day-to-day operation: your node will send keepalives every two minutes, which are hard-coded, and this is not very optimal. For example, if you are on a 4G network you might lose connectivity from time to time. I don't know if ZeroTier's devs have it in their plans to allow configuration to change the keepalive, but for now it's hard-coded and you can't change it unless you compile your own agent. At each keepalive the ZeroTier moon will send your node additional routing information or notifications about new machines on the network.

Now let's move on to some of the upsides and downsides of ZeroTier. On my list I have three really big upsides for ZeroTier users. ZeroTier is good for admins that need a large SD-WAN with zero-config networks. Hands down, this is the easiest VPN to configure in 2021: you just need to install the package, run one command to join the network, and then approve that new node on the network. That's pretty much it. You don't have to manage complex configs, choose the encryption types, and so on and so forth. You don't even have to open up any ports, because ZeroTier can work behind NAT. It's also a good replacement for a traditional corporate VPN because it brings less management overhead. On the ZeroTier control panel, which you will see in just a minute, you can give every device a description and a name, and whenever you want you can disable access and later re-enable it. So for example, if someone left your company, you can just tick one box and disable access for their device or company device to the corporate network, which is very easy and straightforward to do, and your staff will not have to be highly technically educated, because all they need to do is log into the web panel and click a few tick boxes. It's also a good solution for a site-to-site VPN when both of your firewalls are behind NAT, because you will reach out to the moon server and it will automatically ask your firewalls to punch the UDP ports on both sides so they can talk to each other. Double NAT can be an issue, though.

Now let's talk about the downsides. ZeroTier relies heavily on UPnP for peer-to-peer communications for devices behind NAT. You can work around this by installing your own moon server and routing all or some traffic through it, because whenever peers cannot access each other directly they will route all traffic through the moon server, and let me tell you, ZeroTier's public moon servers are just trash for that. I had a 162 millisecond ping between two locations that were 50 kilometers apart, and that's because I had to hit the ZeroTier moon server first, then receive a reply from it on the other end, and then send the traffic through it back again. But once I deployed a moon server on my own infrastructure and opened up the ports, it was working fine. Just keep in mind that that specific moon server can be your bottleneck if you push too much traffic through it. As I said on the previous slide, the hard-coded keepalive packet timer is not a good thing as well, especially when you are on a flaky connection like 4G or Wi-Fi or something like that, and these situations can happen, so having a flag at run time or a line in the configuration file that can change that would be very much appreciated. It's also very hard to self-host a planet-type server, because first, there is no documentation on how to do it, and secondly, you're going to have to go through the source code, because they didn't release packages to host your own planet server; I mean, the ready-to-go binaries don't include planet-type things. So you're going to have to go through the source code and compile things yourself, and then hard-code all of your moon servers too, and whenever that changes you're going to have to recompile your planet-type server binaries again. So this is not very straightforward, nor is it compelling to do. I've seen a lot of interest in this feature from the community, so maybe the developers will eventually look at it and release the planet-type binaries sometime in the future. Slack, for example, had to develop their own VPN, or SD-WAN, or whatever you want to call it, Nebula, just to overcome this limitation of not being able to install planet-type servers on their own infrastructure. And the most disappointing thing on this list for me is that ZeroTier is not very stable on OPNsense and FreeBSD in general. Out of my five tested devices, two misbehaved heavily and had periodic packet loss of 25, 50 or even 90 percent, and what's even worse, a self-hosted moon server didn't solve that issue at all. I think you could play with system tunables and kind of fight this, but I would prefer something that works out of the box and includes good code before I need to make any changes that require a reboot of my system.

Now, enough of this good-versus-bad rant; let's move on to our network diagram and dive into the configuration. In today's video we have OPNsense at site A and OPNsense at site B. The LAN network at site A is 10.0.31.0/24 and the LAN at site B is 10.0.41.0/24, and I will consider the setup working once the test VM at site A with the IP 10.0.31.5 is able to reach the VM at 10.0.41.1 on site B. To establish the connection between the two firewalls, they will have to go out to the ZeroTier servers, and then the ZeroTier servers will ask them to establish a UDP tunnel, which usually runs on port 9993.

Now with this covered, let the fun part begin. I'll open my Proxmox server at site A, and in fact I cannot ping site B, and if I switch to site B, I cannot ping site A. All right, the first thing is to create a ZeroTier network. Just hit Create A Network and it will be created automatically. Let's give it the name "youtube demo". If you plan on having multiple ZeroTier networks, it's a good idea to leave a description over here. This default IP range will work for me just fine, but if you want a different one you can choose from here and then just change the mask. We are not interested in any of these options at the moment because this will be a basic setup; if you want to learn more, please refer to the ZeroTier official documentation. That is all we have to do in here at the moment.

Now let's move on to our firewalls. This will be the firewall at site A and this is the firewall at site B; these firewalls have different themes so it's easier for you and me to distinguish which site we are working on. Let's go to site A, System > Firmware > Plugins. Here we want to search for zerotier and install it. While it's installing, do the same on the second firewall. When it's installed, refresh the page and go to VPN > ZeroTier > Settings. The only thing we need to do here is enable the interface and apply the settings. Then go to Networks and just add our new network. You can find the network ID in this yellow box or at the top of your configuration. Put the network ID in here and give it a local description; in my case I'll keep it the same as the network name. Hit save, enable it, and do the same on the other firewall. Now we just need to switch back to the ZeroTier Central web panel and authorize our two firewalls. If it's hard for you to tell which one is which, go back to your firewall, VPN > ZeroTier > Overview, and at the top you will see the address; just match it to your ZeroTier Central account. This is our site A and this is our site B. Changes are saved automatically and you don't have to press a save button or anything like that. Now what's left to do is just authorize the access. After a few moments you'll see the version of your client in the version column, and that's when you can go back to your firewalls and start configuring them.

On firewall A, go to Interfaces > Assignments and create a new interface for the device whose name starts with zt. I'll name it youtube demo. Now open it up, enable it, tick prevent removal, set the configuration type to static, and give it the IP from the Managed IPs list; in my case it's 10.243.176.124, so I paste that in here. Our network range is /16, yes it is, all right, /16. Don't forget to mark this checkbox and it will automatically create a gateway for you, so we don't have to do it manually. Click save and apply changes. Now we just need to allow the traffic on our new network interface: go to Firewall > Rules and our new interface. I'll add a wide-open rule, but you can filter it down to your specific needs accordingly. Save the changes and apply. Okay, now this is all done on firewall A; let's move on to firewall B and do the same things over here.

Now when everything is done at firewall B, let's try to ping our VMs. Okay, site A cannot ping and site B cannot ping either, and this is to be expected, because the VMs don't have routing information on how to reach the network on the other side. So what we have to do now is add that routing information. Go to Interfaces > Overview, expand the interface you are interested in and copy the network address. Go to ZeroTier Central, scroll up, and in the Routes section add your destination and then use the IP address of site A as the gateway, and submit. To save some time, I'll paste in the gateway first and now I'll copy the address. Submit. Now that the routes have been submitted, go ahead and restart the ZeroTier service. All right, my goodness, it was supposed to be a zero-config setup and I had to spend 15 minutes troubleshooting this stuff. It's all right; just sometimes you have to sacrifice a virgin goat to get ZeroTier working on OPNsense. It's fine. All right, the tunnel dropped again. Yep, it dropped. Well, we need another virgin goat. I'm definitely leaving this in the video so everyone knows what's up with ZeroTier on OPNsense. I believe this happens due to the FreeBSD ICMP buffer getting full, but I might be wrong. I've seen some solutions on the internet where by tinkering with some system tunables you can get this working, but in my opinion it should be working by default, especially when the OPNsense team wants to leave this package in the main repository, or at least, I don't know, leave some notes in the documentation for the admins out there who want to fix this stuff. If ZeroTier wasn't this unstable I would probably have switched all of my firewalls to it, but for now I'll stick to WireGuard.

As you can see the tunnel is up, and this guide can be stopped here. You've seen all of the ups and downs of this technology, and if you are using it on a daily basis, please let us know in the comments down below what your experience with it was. That's it for this video. Please like, subscribe and share. If you are interested in helping out our channel directly, there is a PayPal donation link down below. Don't forget that we provide consulting services for the products you've seen in this video or in any of our previous videos; you can reach out to us by email, our Reddit community, or you could simply send me a DM on Reddit. Thank you very much for watching and I'll see you in the next one.
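To turn the two failure modes the video runs into, peers relayed through ZeroTier's public roots and periodic packet loss on the tunnel, into something you can check from the firewall's shell, here is an added example; it is not code from the video or from the OPNsense ZeroTier plugin, it assumes `zerotier-cli` is on PATH as the plugin installs it, and it parses constructed sample output so it runs offline.

```shell
#!/bin/sh
# Added example, not from the video or the OPNsense ZeroTier plugin. It checks
# the two failure modes the video hits: peers RELAYed via ZeroTier's public
# roots (the 162 ms ping) and periodic packet loss on the tunnel. Parsing runs
# on constructed samples so it works offline; pass "live <remote-lan-ip>" to
# query the real zerotier-cli (assumed on PATH, as the plugin installs it).

# Constructed sample in the column layout `zerotier-cli peers` prints
# (ztaddr ver role lat link lastTX lastRX path); addresses are made up.
SAMPLE_PEERS='200 peers
<ztaddr>   <ver>  <role> <lat> <link> <lastTX> <lastRX> <path>
a1b2c3d4e5 1.6.5  LEAF     12 DIRECT 1000     1000     203.0.113.10/9993
f6e5d4c3b2 1.6.5  LEAF    162 RELAY
1234567890 1.6.5  PLANET   40 DIRECT 2000     2000     198.51.100.1/9993'
# Constructed FreeBSD-style ping summary line.
SAMPLE_PING='10 packets transmitted, 5 packets received, 50.0% packet loss'

# relayed_leafs: print addresses of LEAF peers (other nodes, not roots) whose
# link is RELAY; any output means traffic is bouncing via a moon/planet.
relayed_leafs() {
  printf '%s\n' "$1" | awk '$3 == "LEAF" && $5 == "RELAY" { print $1 }'
}

# loss_pct: extract the integer packet-loss percentage from a ping summary.
loss_pct() {
  printf '%s\n' "$1" | awk '/packet loss/ { for (i = 1; i <= NF; i++)
    if ($i ~ /%$/) { sub(/%/, "", $i); printf "%d\n", int($i) } }'
}

# link_unhealthy: true (exit 0) when loss is at or above the threshold percent;
# an unparseable summary counts as 100% loss.
link_unhealthy() {
  loss=$(loss_pct "$1")
  [ "${loss:-100}" -ge "$2" ]
}

# check_live: run both checks on the firewall against the remote LAN host.
check_live() {
  relayed=$(relayed_leafs "$(zerotier-cli peers)")
  [ -n "$relayed" ] && echo "WARN: relayed peers: $relayed"
  summary=$(ping -c 10 "$1" | grep 'packet loss')
  if link_unhealthy "$summary" 20; then
    echo "WARN: $summary"
    return 1
  fi
  echo "OK: $summary"
}

if [ "${1:-}" = "live" ]; then check_live "${2:-10.0.41.1}"; fi
```

Run it from cron on each firewall and alert on any WARN line; a relayed peer that persists after both sides can reach the root servers is the cue to deploy your own moon and open its port, as the video describes.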
Info
Channel: Gateway IT Tutorials
Views: 4,138
Id: JQfjFqoVePg
Length: 21min 34sec (1294 seconds)
Published: Sat May 15 2021