
Just a question

Open oriolrius opened this issue 5 years ago • 6 comments

Hi and thanks for your work, I reviewed your scripts because I use very similar ones. But I have a question about the "tun" interface. Why do you create it? I don't use that interface and it works for me. The only relevant step that I do and it's not in your scripts is the iptables configuration allowing all traffic for the interfaces. I understand you solve that putting the interfaces in promiscuous mode.

Thanks for your work and support.

oriolrius avatar Sep 01 '20 05:09 oriolrius

@oriolrius Would you mind sharing your iptables commands? I'd like to avoid promisc if possible.

mrbluecoat avatar Sep 08 '20 04:09 mrbluecoat

@oriolrius I am not by any means an expert in this field. I just faced this problem and found a solution that worked for me but, for sure, it can be improved. Thank you for your comment, the next time I need the script I would try it without the tun interface.

pglez82 avatar Sep 08 '20 06:09 pglez82

I'll try the iptables commands from https://www.digitalocean.com/community/tutorials/getting-started-software-defined-networking-creating-vpn-zerotier-one or https://zerotier.atlassian.net/wiki/spaces/SD/pages/7110693/Overriding+Default+Route+Full+Tunnel+Mode

mrbluecoat avatar Sep 08 '20 14:09 mrbluecoat

> @oriolrius I am not by any means an expert in this field. I just faced this problem and found a solution that worked for me but, for sure, it can be improved. Thank you for your comment, the next time I need the script I would try it without the tun interface.

I just configure Zerotier, of course, setting bridge mode and then I run this script from "rc.local" or crontab: (/opt/network/bridge.sh)

```bash
#!/bin/bash
PATH="/bin:/sbin:/usr/bin:/usr/sbin"
export PATH

cd /opt/network
source config

date

# wait until the interface exists
while [ ! -e "/sys/class/net/$VPN_IF" ];
do
  sleep 2;
done

# zerotier parameters (depends on what you want here)
zerotier-cli set $ZT_NET_ID allowDefault=0
zerotier-cli set $ZT_NET_ID allowManaged=0
zerotier-cli set $ZT_NET_ID allowGlobal=0

# bridge
brctl addbr br0
brctl addif br0 $LOCAL_IF
brctl addif br0 $VPN_IF
brctl setfd br0 0
brctl stp br0 on

# ip
ip addr flush dev $LOCAL_IF
ip addr flush dev $VPN_IF
ip addr add $BR_IP dev br0
ip link set $LOCAL_IF up
ip link set $VPN_IF up
ip link set br0 up

# route
ip route add default via $GW

# iptables (optional, depends on your configuration)
iptables -I FORWARD -i $VPN_IF -j ACCEPT
iptables -I FORWARD -o $VPN_IF -j ACCEPT
iptables -I FORWARD -i br0 -j ACCEPT
iptables -I FORWARD -o br0 -j ACCEPT
iptables -I FORWARD -i $LOCAL_IF -j ACCEPT
iptables -I FORWARD -o $LOCAL_IF -j ACCEPT
```

Config file looks like this (/opt/network/config):

```bash
ZT_NET_ID="XXX"
LOCAL_IF="ethXX"
VPN_IF="ztXXX"
BR_IP="10.X.X.X/24"
BR_NET="10.X.X.X/24"
GW="10.X.X.1"
```

I hope this is useful for you.

oriolrius avatar Sep 21 '20 16:09 oriolrius
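A hardened variant of the bridge script above, added here as an example and not code from either participant or from the bridged-zerotier project. It keeps the same config variable names (ZT_NET_ID, LOCAL_IF, VPN_IF, BR_IP, BR_NET, GW) but validates them before touching the network, builds the bridge with iproute2 instead of brctl, checks for an existing rule before inserting so that a cron re-run does not stack duplicate FORWARD rules, and scopes the ACCEPT rules to BR_NET, a variable the posted config defines but the posted script never uses. The `DRY_RUN`, `CONFIG_FILE` and `apply` argument are assumptions of this example; run `DRY_RUN=1 ./bridge.sh apply` to print the commands without executing them.

```shell
#!/bin/sh
# Example bridge script (added here, not the issue's own code). Reads the same
# config file as the thread's script, validates it, then bridges LOCAL_IF and
# VPN_IF into br0 with iproute2 and installs FORWARD rules scoped to BR_NET.
set -eu

CONFIG_FILE="${CONFIG_FILE:-/opt/network/config}"   # assumed path, as in the thread
DRY_RUN="${DRY_RUN:-0}"                             # DRY_RUN=1 prints instead of executing

# Execute a command, or print it when DRY_RUN=1.
run() {
  if [ "$DRY_RUN" = "1" ]; then printf '%s\n' "$*"; else "$@"; fi
}

# Return 0 if $1 is a dotted-quad IPv4 address followed by /0..32.
is_cidr() {
  case "$1" in */*) ;; *) return 1 ;; esac
  local ip="${1%/*}" plen="${1#*/}"
  case "$plen" in ''|*[!0-9]*) return 1 ;; esac
  [ "$plen" -le 32 ] || return 1
  local IFS=.
  set -- $ip
  [ $# -eq 4 ] || return 1
  for o in "$@"; do
    case "$o" in ''|*[!0-9]*) return 1 ;; esac
    [ "$o" -le 255 ] || return 1
  done
  return 0
}

# Fail early on a missing or malformed value instead of half-building the bridge.
validate_config() {
  : "${ZT_NET_ID:?}" "${LOCAL_IF:?}" "${VPN_IF:?}" "${BR_IP:?}" "${BR_NET:?}" "${GW:?}"
  is_cidr "$BR_IP"  || { echo "BR_IP must be address/prefix, e.g. 10.0.0.5/24" >&2; return 1; }
  is_cidr "$BR_NET" || { echo "BR_NET must be network/prefix, e.g. 10.0.0.0/24" >&2; return 1; }
  case "$ZT_NET_ID" in *[!0-9a-fA-F]*) echo "ZT_NET_ID must be hex" >&2; return 1 ;; esac
  [ "${#ZT_NET_ID}" -eq 16 ] || { echo "ZT_NET_ID must be 16 hex digits" >&2; return 1; }
}

# FORWARD rules limited to the bridge subnet; -C first so re-runs are idempotent.
forward_rules() {
  local rule
  for rule in \
    "-i br0 -s $BR_NET -j ACCEPT" \
    "-o br0 -d $BR_NET -j ACCEPT" \
    "-m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT"; do
    if [ "$DRY_RUN" = "1" ]; then
      printf 'iptables -I FORWARD %s\n' "$rule"
    else
      # shellcheck disable=SC2086  (word splitting of $rule is intended)
      iptables -C FORWARD $rule 2>/dev/null || iptables -I FORWARD $rule
    fi
  done
}

main() {
  . "$CONFIG_FILE"
  validate_config
  # wait until ZeroTier has created its interface (skipped in dry-run mode)
  if [ "$DRY_RUN" != "1" ]; then
    while [ ! -e "/sys/class/net/$VPN_IF" ]; do sleep 2; done
  fi
  run zerotier-cli set "$ZT_NET_ID" allowDefault=0
  run zerotier-cli set "$ZT_NET_ID" allowManaged=0
  run zerotier-cli set "$ZT_NET_ID" allowGlobal=0
  # create br0 only once; "replace" forms below make the rest re-runnable too
  [ -e /sys/class/net/br0 ] || run ip link add name br0 type bridge
  run ip link set br0 type bridge stp_state 1 forward_delay 0
  run ip link set "$LOCAL_IF" master br0
  run ip link set "$VPN_IF" master br0
  run ip addr flush dev "$LOCAL_IF"
  run ip addr flush dev "$VPN_IF"
  run ip addr replace "$BR_IP" dev br0
  run ip link set "$LOCAL_IF" up
  run ip link set "$VPN_IF" up
  run ip link set br0 up
  run ip route replace default via "$GW" dev br0
  forward_rules
}

# Only act when invoked as "bridge.sh apply", so the file can also be sourced.
case "${1:-}" in apply) main ;; esac
```

Whether bridged frames are seen by iptables at all depends on the br_netfilter module; the scoped rules above matter when the host also routes between br0 and other interfaces, which is the case the thread's blanket ACCEPT rules were covering.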

Is BR_IP supposed to be a CIDR range?

mrbluecoat avatar Sep 22 '20 15:09 mrbluecoat

> Is BR_IP supposed to be a CIDR range?

Yes, it is.

oriolrius avatar Sep 23 '20 04:09 oriolrius