ZeroTier: is this a good time to use...
- 
 @FATeknollogee said: @scottalanmiller said: @FATeknollogee said: @scottalanmiller said: @FATeknollogee said: @scottalanmiller said: @Breffni-Potter said: @scottalanmiller said: Why would you want a terminal server intentionally dropping off of the network? They want to stop access for overseas consultants at certain times. Killing VPN access to the network is not a good way to go about that. Using AD to stop logins would be far better. I thought we are getting rid of the VPN? But you are asking about installing a VPN. I'm confused. Currently, we use a Site to Site VPN & remote users connect using Windows VPN. You are just removing your old VPN and looking at a new one. Both are fully VPNs. I hear you, that "VPN" moniker is just so yesterday... I much prefer to say ZT. But one's a product, one's a thing. ZT is the brand of VPN you are using. 
- 
 @FATeknollogee said: @Breffni-Potter said: But it's still a VPN. Yeah, but we need to make it sound like it's a really big deal (jk). Like the "cloud", then you call it "Software Defined Networking". 
- 
 @scottalanmiller said: But one's a product, one's a thing. ZT is the brand of VPN you are using. True that. 
- 
 @scottalanmiller said: Yes, at $4 you can't afford not to  I paid the $4 and I am not even over 10 devices yet!  
- 
 @anonymous said: @scottalanmiller said: Yes, at $4 you can't afford not to  I paid the $4 and I am not even over 10 devices yet!  Big spender  
- 
 @scottalanmiller said: Big spender  I support the products I use  Well, when they make it affordable that is..... cough, cough @olivier cough, cough 
- 
 For the really mission critical enterprise bits, they offer support. https://www.zerotier.com/product-ss.shtml They are still working on the structure of how they'll do it. But depending on your needs, might be helpful. 
- 
 Wow... 3 pages of replies already, lol. There's a few things to note... If you install ZeroTier on a device that is part of active directory, by default, it will add the ZeroTier IP address into AD's DNS servers. To fix that, you go into the Windows Adapters list, and edit the ZT Adapter, and set the IP address, and DNS to "use dhcp" -- they'll just be blank to start with. Then you go in and uncheck the "Register this connection's address in dns" checkbox, and check your DNS server to make sure your ZT IP address is gone. If you do not do that, any client device has a potential to get the ZT IP address of your server, and that will cause problems. What I have done is set up my own DNSMasq server on one of my Linux ZT devices, and just add that DNS server to the DNS settings of the NIC in Windows or Linux. 
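 A scripted version of that fix and the follow-up check, as an added example that is not from the thread or from ZeroTier (PowerShell; the adapter match on "ZeroTier" in the interface description and the ZT range prefix are assumptions):

```powershell
# Added example, not from the thread. Assumptions: the ZeroTier adapter's
# InterfaceDescription contains "ZeroTier", and $ZtPrefix is a placeholder for
# your ZT-managed range. Run elevated on the joined server; step 3 needs the
# DnsServer module, so it only does anything on a DC/DNS server itself.
$ZtPrefix = '10.147.'   # PLACEHOLDER: leading octets of your ZeroTier-managed range

# 1. Find the ZT adapter(s) and stop them registering their address in AD DNS
$zt = Get-NetAdapter | Where-Object { $_.InterfaceDescription -like '*ZeroTier*' }
if (-not $zt) { throw 'No ZeroTier adapter found on this host.' }
foreach ($a in $zt) {
    Set-DnsClient -InterfaceIndex $a.ifIndex -RegisterThisConnectionsAddress $false
    "Disabled DNS registration on '$($a.Name)' (ifIndex $($a.ifIndex))"
}

# 2. Re-register so the DNS client refreshes this host's A records without the ZT address
ipconfig /registerdns | Out-Null

# 3. On a DC running DNS: remove any A record for this host that still points into the ZT range
if (Get-Module -ListAvailable -Name DnsServer) {
    $zone = (Get-CimInstance Win32_ComputerSystem).Domain
    Get-DnsServerResourceRecord -ZoneName $zone -Name $env:COMPUTERNAME -RRType A -ErrorAction SilentlyContinue |
        Where-Object { $_.RecordData.IPv4Address.IPAddressToString -like "$ZtPrefix*" } |
        ForEach-Object {
            "Removing stale record $($_.HostName) -> $($_.RecordData.IPv4Address)"
            Remove-DnsServerResourceRecord -ZoneName $zone -InputObject $_ -Force
        }
}

# 4. Verify what domain DNS now answers for this host. Any ZT-range address
#    left here is what a client without ZT installed would try to connect to.
Clear-DnsClientCache
$answers = Resolve-DnsName -Name $env:COMPUTERNAME -Type A | Where-Object { $_.QueryType -eq 'A' }
$stale   = $answers | Where-Object { $_.IPAddress -like "$ZtPrefix*" }
if ($stale) {
    Write-Warning "ZT address(es) still in DNS: $($stale.IPAddress -join ', ')"
} else {
    "OK: DNS answers for $env:COMPUTERNAME are LAN-only: $($answers.IPAddress -join ', ')"
}
```

 Step 3 is the part dafyre's GUI fix does not cover: unticking the checkbox stops new registrations but does not delete the A record already sitting in the zone, so check the zone on the DC as well.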
- 
 @dafyre said: If you do not do that, any client device has a potential to get the ZT IP address of your server, and that will cause problems. What issue have you seen there? 
- 
 @dafyre said: Wow... 3 pages of replies already, lol. There's a few things to note... If you install ZeroTier on a device that is part of active directory, by default, it will add the ZeroTier IP address into AD's DNS servers. To fix that, you go into the Windows Adapters list, and edit the ZT Adapter, and set the IP address, and DNS to "use dhcp" -- they'll just be blank to start with. Then you go in and uncheck the "Register this connection's address in dns" checkbox, and check your DNS server to make sure your ZT IP address is gone. If you do not do that, any client device has a potential to get the ZT IP address of your server, and that will cause problems. Did they fix that - the last time I tried it I couldn't get the adapter to stop registering with DNS - FYI, the server in question was a DC running DNS locally. 
- 
 @scottalanmiller said: @dafyre said: If you do not do that, any client device has a potential to get the ZT IP address of your server, and that will cause problems. What issue have you seen there? The issue this caused me was that my computers that don't have ZT installed would attempt to connect to the ZT IP instead of the LAN IP. I'm assuming DNS was answering requests in a round robin effect and causing the problem. I realize that the desire with ZT is that all machines should be running ZT - but I wasn't ready to pull that trigger. 
- 
 @Dashrender said: @scottalanmiller said: @dafyre said: If you do not do that, any client device has a potential to get the ZT IP address of your server, and that will cause problems. What issue have you seen there? The issue this caused me was that my computers that don't have ZT installed would attempt to connect to the ZT IP instead of the LAN IP. I'm assuming DNS was answering requests in a round robin effect and causing the problem. This is exactly the problem. I work around it by setting up a DNS server on the ZT IP range using DNSMasq and telling it to not register. 
- 
 @dafyre said: @Dashrender said: @scottalanmiller said: @dafyre said: If you do not do that, any client device has a potential to get the ZT IP address of your server, and that will cause problems. What issue have you seen there? The issue this caused me was that my computers that don't have ZT installed would attempt to connect to the ZT IP instead of the LAN IP. I'm assuming DNS was answering requests in a round robin effect and causing the problem. This is exactly the problem. I work around it by setting up a DNS server on the ZT IP range using DNSMasq and telling it to not register. In this case, you have to manually manage all DNS entries, right? So no chance of using IPv6? 
- 
 @Dashrender said: In this case, you have to manually manage all DNS entries, right? So no chance of using IPv6? Does that rule out IPv6? 
- 
 @Dashrender said: @dafyre said: @Dashrender said: @scottalanmiller said: @dafyre said: If you do not do that, any client device has a potential to get the ZT IP address of your server, and that will cause problems. What issue have you seen there? The issue this caused me was that my computers that don't have ZT installed would attempt to connect to the ZT IP instead of the LAN IP. I'm assuming DNS was answering requests in a round robin effect and causing the problem. This is exactly the problem. I work around it by setting up a DNS server on the ZT IP range using DNSMasq and telling it to not register. In this case, you have to manually manage all DNS entries, right? So no chance of using IPv6? You do have to manage DNS entries, but that doesn't necessarily rule out IPv6. I'm not sure if DNSMasq is compatible with it or not. ZT, AFAIK, does support IPv6. 
- 
 ZT's site says that it does IPv6, I saw that this week. 
- 
 @scottalanmiller said: ZT's site says that it does IPv6, I saw that this week. If that is the case, then all you need is a DNS Server that supports IPv6. I think DNSMasq should work, as it just looks in the /etc/hosts file. 
- 
 I'm not questioning whether or not ZT supports IPv6; I'd be surprised if it didn't. But the use of IPv6 is largely predicated on the use of DNS. I suppose if you only worry about putting servers' IPv6 addresses in DNS, then you're probably OK manually handling that - but if you have to do that for endpoints coming and going all the time, then you'll need to give up DHCP so that endpoint IPv6 addresses aren't changing all the time. I'm thinking about the use of something like WSUS inside ZT, where WSUS relies on DNS for endpoint connections. 