This article is synchronized and updated to xLog by Mix Space
https://www.do1e.cn/posts/citelab/connecting-campus-network-servers-via-zerotier
Introduction#
Recently I moved my server out of the campus network, but the lab's GPU servers are still inside it, so I can no longer reach them directly and have to go through the school's VPN.
As is well known, the school's official VPN is a terrible experience, so I wanted to build a self-hosted alternative for the group using open-source tools.
So I considered using zerotier to create a virtual LAN (I won't go into how it works here; it is enough to know that once devices join the virtual LAN they can reach each other peer-to-peer via their virtual LAN IPs even when they sit on different physical networks, which works very well).
However, the lab servers generally have no internet access, so they cannot join zerotier themselves, and I had to look for another way.
Here is my complete solution.
Self-built zerotier planet#
This part was done by following the GitHub repository below, so I won't go into much detail here.
Once the planet server is set up according to its README, every machine that joins the network can reach the others. But, as mentioned in the introduction, the lab servers cannot join directly and need another machine to forward for them.
Forwarding with zerotier#
Coincidentally, I have a personal server on campus (hereinafter the forwarding server) that already hosts my homepage and other services. I can add it to the virtual LAN and let it forward the traffic destined for the lab servers.
Assume the forwarding server has the on-campus IP 172.26.1.2 and the virtual LAN IP 10.11.1.2, and that the lab servers have on-campus IPs 114.212.1.101 through 114.212.1.105 (all inside 114.212.0.0/16).
First, open the backend of the zerotier planet you configured and tick Active bridge for the forwarding server, so that it is allowed to forward traffic on behalf of other members.
Configuration of the forwarding server#
First enable IP forwarding: edit /etc/sysctl.conf and set net.ipv4.ip_forward = 1 (add the line if it does not exist), then apply it:
sudo sysctl -p # forwarding takes effect immediately; sysctl -n net.ipv4.ip_forward should now print 1
# Configure forwarding (run as root)
PHY_IFACE=enp5s0 # campus-facing network card; change to match your machine
ZT_IFACE=ztlowm7c2d # ZeroTier virtual interface; change to match your machine
# Rewrite the source of traffic leaving the campus card to the forwarding server's own IP, so the lab servers answer to it
iptables -t nat -A POSTROUTING -o $PHY_IFACE -j MASQUERADE
# Replies from the lab servers back to ZeroTier clients (established connections only)
iptables -A FORWARD -i $PHY_IFACE -o $ZT_IFACE -m state --state RELATED,ESTABLISHED -j ACCEPT
# New connections from ZeroTier clients towards the campus network
iptables -A FORWARD -i $ZT_IFACE -o $PHY_IFACE -j ACCEPT
Two caveats. As written, the last rule lets ZeroTier clients reach any destination on the campus side, not only the lab servers, and if the FORWARD chain's default policy is ACCEPT (check with iptables -S FORWARD) these rules do not restrict anything at all; add -d 114.212.0.0/16 to the ACCEPT and MASQUERADE rules and set iptables -P FORWARD DROP if you only want to expose the lab range. Also, the iptables rules above are lost after a reboot; on Debian/Ubuntu the iptables-persistent package (netfilter-persistent save) keeps them, or search for the equivalent on your distribution.
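As an added example (not the original post's script), the following shell script does the same forwarding-server setup but restricted to the lab range, with a DROP default policy, and idempotently, so it can be re-run after a reboot without duplicating rules. The interface names, the virtual LAN range ZT_NET (10.11.0.0/16 is an assumption; only 10.11.1.2 is given in the post) and LAB_NET are configurable assumptions, and it uses the -m conntrack match instead of the older -m state.

```shell
#!/bin/sh
# Added example: hardened forwarding-server setup for the ZeroTier gateway.
# Not from the original post. Interface names, ZT_NET and LAB_NET are
# assumptions; override them via the environment. Applying needs root.
set -eu

PHY_IFACE="${PHY_IFACE:-enp5s0}"      # campus-facing NIC (assumed name)
ZT_IFACE="${ZT_IFACE:-ztlowm7c2d}"    # ZeroTier virtual interface (assumed name)
ZT_NET="${ZT_NET:-10.11.0.0/16}"      # virtual LAN range (assumed; forwarder is 10.11.1.2)
LAB_NET="${LAB_NET:-114.212.0.0/16}"  # lab servers, reachable only from campus

# Emit the iptables commands as text. Generating them separately from
# executing them lets you review the rule set before touching the box.
# Only ZT_NET -> LAB_NET is forwarded; everything else in FORWARD is dropped.
gen_rules() {
  phy="$1"; zt="$2"; zt_net="$3"; lab_net="$4"
  cat <<EOF
iptables -P FORWARD DROP
iptables -A FORWARD -i $zt -o $phy -s $zt_net -d $lab_net -j ACCEPT
iptables -A FORWARD -i $phy -o $zt -s $lab_net -d $zt_net -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
iptables -t nat -A POSTROUTING -o $phy -s $zt_net -d $lab_net -j MASQUERADE
EOF
}

# Number of commands in a full rule set (sanity check for the output).
rule_count() { gen_rules "$@" | wc -l | tr -d ' '; }

# Apply idempotently: every -A is first tried as -C (check); the rule is
# only appended when the check fails, so re-running never duplicates rules.
# Caution: -P FORWARD DROP also affects other forwarding on this host
# (e.g. container networks); adjust if the box does more than this.
apply_rules() {
  sysctl -w net.ipv4.ip_forward=1 >/dev/null
  gen_rules "$@" | while IFS= read -r rule; do
    case "$rule" in
      *" -A "*)
        check=$(printf '%s\n' "$rule" | sed 's/ -A / -C /')
        $check 2>/dev/null || $rule
        ;;
      *) $rule ;;
    esac
  done
  sysctl -n net.ipv4.ip_forward   # prints 1 when forwarding is on
}

# Only touch the live firewall when explicitly asked (APPLY_RULES=1, as root);
# otherwise just print the rules that would be applied.
if [ "${APPLY_RULES:-0}" = "1" ]; then
  apply_rules "$PHY_IFACE" "$ZT_IFACE" "$ZT_NET" "$LAB_NET"
else
  gen_rules "$PHY_IFACE" "$ZT_IFACE" "$ZT_NET" "$LAB_NET"
fi
```

Run it once without arguments to see the rule set, then `sudo APPLY_RULES=1 ./forward.sh` to apply; the same command is safe to put in a boot script because of the -C checks.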
Client configuration#
In the zerotier planet backend you can add a managed route with Target=114.212.0.0/16 and Gateway=10.11.1.2; members then download the routing table and send traffic for the lab servers through the forwarding server.
The catch is that 114.212.0.0/16 is a public IP range: by default a ZeroTier One client refuses to install managed routes that point into global (public) address space, so this route never shows up on the client. (Routes for private ranges such as 172.26.0.0/16 work without any extra step.) The client-side switch for this is the per-network allowGlobal option; sudo zerotier-cli set <network ID> allowGlobal=1 lets the managed route be applied on that client.
If you would rather not change that setting, each client has to add the route by hand, using the forwarding server's virtual LAN IP 10.11.1.2 as the gateway. This step was also where I got stuck for a long time; the specific method is as follows:
Windows
First, run route print (in an Administrator prompt) and find the number of the ZeroTier Virtual Port in the Interface List; in the example below it is 11.
> route print
Interface List
5...xx xx xx xx xx xx ......Microsoft Wi-Fi Direct Virtual Adapter
3...xx xx xx xx xx xx ......MediaTek Wi-Fi 6E MT7922 (RZ616) 160MHz Wireless LAN Card
11...xx xx xx xx xx xx ......ZeroTier Virtual Port
Then run route add 114.212.0.0 mask 255.255.0.0 10.11.1.2 if {No} metric 1 (replace {No} with the number obtained above). Adding -p after route makes the entry survive reboots; see the note at the end before doing that.
Linux
First, run ip -br link (or ifconfig) to find the ZeroTier interface, whose name usually starts with zt; zerotier-cli listnetworks also shows it in the <dev> column.
Then run sudo ip route add 114.212.0.0/16 via 10.11.1.2 dev {Interface} metric 1 (replace {Interface} with the interface name obtained above). ip route get 114.212.1.101 should now show the route going via 10.11.1.2 on that interface.
MacOS
sudo route -n add -net 114.212.0.0/16 10.11.1.2 -hopcount 1 (AI result, unverified)
Note: the route above has to be added again after every reboot unless you make it permanent (for example route -p add on Windows, or your distribution's network configuration on Linux); I do not recommend making it permanent on laptops.
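For the Linux client steps above, here is an added example script (not from the original post) that discovers the ZeroTier interface from zerotier-cli listnetworks, adds the lab route only if it is missing, and verifies with ip route get that a lab address really leaves through that interface. The gateway 10.11.1.2 comes from the post; the listnetworks sample embedded for offline use is constructed (the network ID and MAC in it are made up), and the field positions assume a network name without spaces.

```shell
#!/bin/sh
# Added example (not the original post's code): add and verify the lab route
# on a Linux ZeroTier client. LAB_NET and GATEWAY follow the post; the
# SAMPLE output below is constructed so the script also runs without zerotier.
set -eu

LAB_NET="${LAB_NET:-114.212.0.0/16}"
GATEWAY="${GATEWAY:-10.11.1.2}"       # forwarding server's virtual LAN IP

# Extract the interface name from `zerotier-cli listnetworks` output.
# Line format: 200 listnetworks <nwid> <name> <mac> <status> <type> <dev> <ips>
# The device is the 8th field; only networks whose status is OK are used.
# Assumption: the network name contains no spaces (it would shift the fields).
zt_iface_from() {
  printf '%s\n' "$1" | awk '$1=="200" && $2=="listnetworks" && $6=="OK" {print $8; exit}'
}

# Build the route command as text so it can be reviewed before running.
route_cmd() {
  printf 'ip route add %s via %s dev %s metric 1' "$1" "$2" "$3"
}

# Install the route if absent, then check that a lab IP is routed via the
# ZeroTier interface (catches a typo in the gateway or a wrong interface).
add_lab_route() {
  iface="$1"
  if ip route show "$LAB_NET" | grep -q "via $GATEWAY"; then
    echo "route already present"
  else
    sudo $(route_cmd "$LAB_NET" "$GATEWAY" "$iface")
  fi
  ip route get 114.212.1.101 | grep -q "dev $iface" \
    || { echo "route check failed: 114.212.1.101 does not go via $iface" >&2; return 1; }
}

# Constructed sample of listnetworks output (header line plus one OK network).
SAMPLE='200 listnetworks <nwid> <name> <mac> <status> <type> <dev> <ZT assigned ips>
200 listnetworks 1c33c1ced0abcdef campus 02:ab:cd:ef:01:23 OK PRIVATE ztlowm7c2d 10.11.1.7/16'

# With APPLY_ROUTE=1 the live client is used and the route is installed;
# otherwise the sample is parsed and the command is only printed.
if [ "${APPLY_ROUTE:-0}" = "1" ]; then
  IFACE=$(zt_iface_from "$(sudo zerotier-cli listnetworks)")
  [ -n "$IFACE" ] || { echo "no ZeroTier network in OK state" >&2; exit 1; }
  add_lab_route "$IFACE"
else
  IFACE=$(zt_iface_from "$SAMPLE")
  echo "would run: $(route_cmd "$LAB_NET" "$GATEWAY" "$IFACE")"
fi
```

Run `APPLY_ROUTE=1 ./lab-route.sh` after the ZeroTier service is up (the interface only exists once the network is joined); a non-zero exit means the route is not taking effect, which is the symptom the post describes.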