Do1e

Do1e

github
email
HomeArchivesHomepageAbout @Do1e

Virtual LAN Connection for Campus Network Servers via Zerotier

#CITE Lab13
AI Translation
This post is translated from Chinese into English through AI.View Original
AI-generated summary
The article discusses setting up a private network using ZeroTier to connect to a GPU server that is not directly accessible due to being on a campus network. The author outlines their solution, which involves creating a ZeroTier planet server and using a forwarding server within the campus network to relay traffic to the lab servers. Key steps include: 1. **Setting Up ZeroTier Planet**: The author references a GitHub repository for guidance on creating a ZeroTier planet server, allowing devices on the network to communicate. 2. **Configuring the Forwarding Server**: A personal server on campus is designated as the forwarding server, which is added to the ZeroTier network to facilitate traffic forwarding. The author details the necessary configurations, including enabling IP forwarding and setting up iptables rules for traffic management. 3. **Client Configuration**: Since ZeroTier does not automatically route public IP addresses, clients must manually add routes to direct traffic to the lab servers via the forwarding server. Instructions are provided for Windows, Linux, and MacOS users to set up the required routes. The article emphasizes that these configurations need to be reapplied after each reboot, and it suggests looking for permanent configuration methods.

This article is synchronized and updated to xLog by Mix Space
For the best browsing experience, it is recommended to visit the original link
https://www.do1e.cn/posts/citelab/connecting-campus-network-servers-via-zerotier

Introduction#

Recently, I moved the server out of the campus network environment, but the lab's GPU server is still within the campus network, making direct connections impossible; I must use the school's VPN to access it.
As is well known, the official school VPN experience is terrible, so I thought of implementing a self-use solution for the group using open-source tools.

Thus, I considered using zerotier to create a virtual local area network (the specific principles are not elaborated here; you just need to know that after joining the virtual local area network, devices can achieve P2P connections through virtual LAN IPs even if they are not on the same local area network, providing a good experience).
However, servers in the lab generally do not connect to the internet, so they cannot be directly connected to zerotier, and I had to explore other solutions.

Here is my complete solution.

Self-built zerotier planet#

This part was completed with reference to the following GitHub repository, and I won't elaborate too much here.

After setting up the planet server according to its README, all machines that join the network can access each other. However, as mentioned in the introduction, the lab's servers cannot be directly connected and need to use another machine for forwarding.

Forwarding with zerotier#

Coincidentally, I have a personal server on campus (hereinafter referred to as the forwarding server), where my homepage and other services run. I can add it to the virtual local area network and let it help me forward the traffic connecting to the server.

Assuming the forwarding server has an on-campus IP 172.26.1.2 and a virtual LAN IP 10.11.1.2, the lab servers have on-campus IPs ranging from 114.212.1.101 to 114.212.1.105.

First, enter the configured zerotier planet backend and check the Active bridge for the forwarding server to allow it to forward traffic.

Configuration of the forwarding server#

First, you need to enable forwarding functionality by marking the /etc/sysctl.conf file, changing net.ipv4.ip_forward to 1; if it doesn't exist, add a line, then run the following command:

sudo sysctl -p # Forwarding configuration takes effect immediately
# Configure forwarding
PHY_IFACE=enp5s0     # Modify according to your network card
ZT_IFACE=ztlowm7c2d  # Modify according to your network card

iptables -t nat -A POSTROUTING -o $PHY_IFACE -j MASQUERADE
iptables -A FORWARD -i $PHY_IFACE -o $ZT_IFACE -m state --state RELATED,ESTABLISHED -j ACCEPT
iptables -A FORWARD -i $ZT_IFACE -o $PHY_IFACE -j ACCEPT

The above iptables will become ineffective after a restart; you can search for methods to make the configuration permanent.

Client configuration#

Although you can configure routes in the zerotier planet backend, filling in Target=114.212.0.0/16, Gateway=10.11.1.2, allowing clients to download the relevant routing table and send traffic to the lab servers through the forwarding server.
However, since 114.212.0.0/16 is a public IP range, zerotier will not issue this route. (Other internal IP ranges, such as 172.26.0.0/16, are feasible).

Therefore, each client also needs to add the relevant routes themselves. This step is where I got stuck for a long time, and the specific method is as follows:

Windows

First, run route print to find the number corresponding to the ZeroTier Virtual Port, as shown in the example below, which is 11.

> route print
Interface List
  5...xx xx xx xx xx xx ......Microsoft Wi-Fi Direct Virtual Adapter
  3...xx xx xx xx xx xx ......MediaTek Wi-Fi 6E MT7922 (RZ616) 160MHz Wireless LAN Card
 11...xx xx xx xx xx xx ......ZeroTier Virtual Port

Then run route add 114.212.0.0 mask 255.255.0.0 10.128.3.4 if {No} metric 1 (please replace {No} with the number obtained earlier).

Linux

First, run ifconfig to check the interface corresponding to ZeroTier, which usually starts with zt.

Then run sudo ip route add 114.212.0.0/16 via 10.128.3.4 dev {Interface} metric 1 (please replace {Interface} with the name of the interface obtained earlier).

MacOS

route add -net 114.212.0.0/16 10.128.3.4 -hopcount 1 (AI result, unverified).

Note: You need to execute the above routing configuration after each reboot, or find methods for permanent configuration, but it is not recommended to permanently configure it on laptops.

Loading...
Ownership of this post data is guaranteed by blockchain and smart contracts to the creator alone.