VLANs over Zerotier

Good Day,

I raised this topic in the YouTube chat as I have a client with 2 properties in Cape Town, South Africa. He has the same Fiber provider and ISP at both properties. The Fiber provider has a block on either site seeing the other's public IP address and thus I cannot connect a Unifi Site to Site VPN, hence my question about spanning VLANs over Zerotier.

I need to span the VLANs between the 2 sites as my client has IP cameras on 1 VLAN, Access Control on a different VLAN, and he wants a VLAN to sync 2 NAS boxes (1 NAS box per site).

Thank you for your help.

If they can’t communicate to each other's public IP, then ZeroTier won’t be able to bring up the direct tunnel connections and thus you’d be relying on the hub server to relay all your messages. It would work, but would be slow.

It might be possible to figure out and fix why they can’t reach each other. Are the two public IPs in the “same subnet”? E.g., are they like this?
Site A: 20.30.40.12/24
Site B: 20.30.40.78/24
Default Gateway (ISP): 20.30.40.1

An ISP may do this to save public IPs: using a larger subnet prevents wasted IPs due to the network, broadcast, and extra gateway addresses. But it means the routers now think they are in the same broadcast domain (subnet) and thus try to communicate directly with each other at layer 2. If this is the case, it can be fixed by adding some additional static routes to each router.
On Router A: 20.30.40.78/32 → 20.30.40.1
On Router B: 20.30.40.12/32 → 20.30.40.1
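To illustrate the fix described in this reply, here is an added example (not from the original post or from ZeroTier) that models the two routers' tables: it checks whether the sites look on-link to each other, derives the /32 host routes, and shows via longest-prefix matching why the /32 beats the connected /24. The addresses are the constructed values from the post above.

```python
import ipaddress

# Constructed example values matching the thread: two sites on one ISP /24.
SITE_A = ipaddress.ip_interface("20.30.40.12/24")
SITE_B = ipaddress.ip_interface("20.30.40.78/24")
GATEWAY = ipaddress.ip_address("20.30.40.1")


def on_link_peers(a, b):
    """True if router a believes b is directly reachable at layer 2,
    i.e. b's address falls inside a's connected subnet."""
    return b.ip in a.network


def host_routes(a, b, gw):
    """Return the static route each router needs so traffic to the other
    site is handed to the ISP gateway instead of being ARPed for directly.
    Each route is a (destination_network, next_hop) tuple."""
    if not on_link_peers(a, b):
        return {}  # different subnets: the gateway is already used
    if gw not in a.network or gw not in b.network:
        raise ValueError("gateway is not on the shared subnet")
    return {
        "router_a": (ipaddress.ip_network(f"{b.ip}/32"), gw),
        "router_b": (ipaddress.ip_network(f"{a.ip}/32"), gw),
    }


def next_hop(routing_table, dst):
    """Longest-prefix match over (network, next_hop) entries.
    A next_hop of None means 'directly connected' (resolve via ARP)."""
    matches = [(net, nh) for net, nh in routing_table if dst in net]
    if not matches:
        return None
    net, nh = max(matches, key=lambda e: e[0].prefixlen)
    return nh


def lookup_after_fix(a, b, gw):
    """Router A's lookup for site B before and after adding the /32 route."""
    table = [(a.network, None)]  # connected route installed by the WAN interface
    before = next_hop(table, b.ip)
    table.append(host_routes(a, b, gw)["router_a"])
    after = next_hop(table, b.ip)
    return before, after


if __name__ == "__main__":
    print(on_link_peers(SITE_A, SITE_B))            # True: same /24
    print(lookup_after_fix(SITE_A, SITE_B, GATEWAY))  # (None, 20.30.40.1)
```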

Thank you for your reply,

Both sites have their own public IPs with DynDNS; I can access both using my mobile carrier data connection.

The fiber company has done something on their side to block two FTTH customers from being able to connect to each other. When I asked the ISP how I could get this to work, they suggested changing it to an FTTB account at 5 times the cost.

If the Zerotier relay is the only way to do it, it will do even if it is slow; better slow than no connection at all.

Could you proxy the VPN through a web host of some sort? I’ve never researched this, but it seems it would be the same as using a server to connect both zerotier endpoints. Maybe something like a Linode or Rackspace VPS?

Thank you for the suggestion, but I am trying to keep the VPN side as simple as possible and make changes to the VPN as quick and pain-free as possible.

Thanks
Ian

No. I get it. I’d like to get into a zerotier setup myself, but money stops me as I have no practical need to do it.

Do they have a free for home/lab use tier? Connecting my lab at work to my lab at home would be interesting.

Zerotier consists of a few different parts that work together, and they are open source to a greater or lesser degree.

The zerotier clients and hubs (referred to as planets and moons) are fully open source and you can run your own infrastructure for free or use that provided by the Zerotier foundation for free. This includes the relay servers.

But to find each other you need a login server. A basic login server is open source but it lacks a GUI. The Zerotier foundation offers Zerotier Central, which I don’t think is open source, as the official solution. Using Zerotier Central is free for up to 50 nodes, regardless of what you’re using Zerotier for.

I didn’t know that, I should have looked more closely the last time I had the webpage up. I may need to play with this as it could be useful going forward.

One more thing to add to my stack of things to learn.