More Platforms and Open Source
加入的方式很簡單，在項目主頁:https://www.zerotier.com/ 下載符合你系統的ZeroTier One程式、並執行安裝。
進入項目主頁右邊的 【Create and Control Networks】【Sign In】去創建或者管理網絡。
創建後，可以根據需要設置網絡的屬性，如【Description:】【Access Control:Private Network (uncheck to make network public)】【Frame Types Allowed: IPv4 IPv6 IPX No Filtering】【IPv4 Addressing: Do Not Manage Assignment (let OS or user do it)】
【 Have ZeroTier Assign IPv4 Addresses】
【Broadcast: Enable Wildcard MAC (ff:ff:ff:ff:ff:ff)】
回到 ZeroTier One軟件的主界面，在右下方的Network ID的輸入16位的Network ID 如（8056c2e21c9cbec2），即可申請加入該網絡。
Getting the Software
If you’re running Linux or have built from source, see the command line wiki for instructions on how to control ZeroTier One from the command line. More information about Linux installation can be found here.
How It Works: ZeroTier Addresses and Network IDs
Two kinds of numbers control everything. They look like this:
|– The author’s laptop’s ZeroTier address
|– Network ID of Earth, a public network
A 16-digit network ID identifies a virtual network. A 10-digit address identifies a device.
To join a network from a device, enter the network’s ID and click “Join.” To authorize a device to join a private network, log in to the network administration interface and authorize it by its address. (Public networks don’t require authorization. Anyone can join them.)
These numbers are not secrets. They’re safe to freely distribute. The graphical control panel has a convenient feature to make it easier for users to send these numbers around: if you click on your computer’s address (shown in the lower left hand corner) or a network ID, it is automatically copied to the clipboard. This makes it easy to paste it into a chat window, an e-mail, etc.
>> Hey, can you add my new laptop to the company network? It’s 01d34db33f.
Those two kinds of numbers are all there is to it.
Use Cases and Patterns for Deployment
What about the intricacies of deployment in a larger organization? These patterns should help you get started. They are listed from easiest to most complex. If you’re starting from scratch we recommend starting with a fully virtual LAN and then proceeding to bridging when/if you need it.
The third option (gateway / firewall) is more or less mutually exclusive to the first two and is against the “spirit” of project, but it can be used to allow users in highly restricted networks to access remote virtual LANs.
- Install ZeroTier One on everything and use a virtual LAN as your primary network.
- If you have physical LANs, use them as commodity net access pipes only.
- Groups with no legacy network infrastructure who want to start fresh with full network virtualization.
- Organizations with no physical site, like mobile teams and startups without offices.
- Associations that inherently span physical boundaries, like academic collaborations between universities.
- Almost zero configuration: create a network, install the software, and join it!
- Network is completely mobile and location-agnostic.
- Can evolve into the next pattern with no reconfiguration of existing systems.
- Only devices that can run ZeroTier One can participate.
- No mobile support yet. Several options are in development.
- Small performance hit vs. a naked physical LAN due to encryption and protocol overhead.
|Bridged Physical and Virtual
- Install ZeroTier One on an always-on server at a physical site and bridge the virtual interface to the physical one.
- Also install the software on mobile machines and remote desktops, giving each a “virtual wire” to the physical LAN.
- Organizations with a central location and existing infrastructure and want something more like a conventional VPN.
- Users who want to connect legacy systems and “dumb” devices (printers, faxes, etc.) to a virtual LAN.
- Preserves existing network configuration
- Connects old OSes and devices that can’t run ZeroTier One
- Requires an always-on gateway server such as a Linux router and some system administration.
- Uses more bandwidth since each active bridge must get almost all multicast/broadcast traffic.
- Complexities may arise when mobile users are also on the physical LAN.
|Virtual Network Behind Gateway
- Install ZeroTier One on a firewall or gateway box and treat the virtual LAN as an external network.
- Set up routes and firewall rules to enable access.
- Organizations with security restrictions prohibiting open bridging to a mobile network or the installation of software like ZeroTier One on internal systems.
- Broadcast domain isolation and fine-grained IP/port control for better security isolation.
- Uses a little less bandwidth than a bridged configuration.
- Requires the most configuration and administration.
- Announcements like mDNS/Bonjour and Netbios will not work without special setup.
Instead of setting up a LAN and then figuring out how to access it remotely or just entrusting everything to the cloud, why not virtualize? For a small team you can have a virtual LAN running in just a few minutes.
1. Install ZeroTier One on all the systems that you wish to be a part of your network. This may include desktops, laptops, physical servers, and virtual systems in the cloud.
2. Create a network for your organization. For simple networks we recommend using ZeroTier’s built-in IP assignment feature. Select an IP range that is unlikely to conflict with home networks and coffee shop WiFis and that provides enough room for all your devices. The pull-down box provides some suggestions.
3. On each device, join your new network via its 16-digit network ID. Unless you’ve made your network public or pre-authorized all your devices by entering their addresses on the web, ACCESS_DENIED will be shown as the network’s status.
4. Return to the control panel. The 10-digit ZeroTier addresses of the devices you’ve connected should now be listed. If you recognize them, click the check box beside each address to authorize it. It might also be helpful for future reference to enter a description for each in its notes field.
Over the next few minutes the network status on each device should change to OK and it should get an IP address. You’ll see these assignments appear on the web control panel too. You now have an imaginary office LAN that works no matter where you or anyone else is physically located.
From this point forward, treat the virtual interface on each device as if it were plugged into your office network switch. When you set up internal services such as wikis, source control systems, bug trackers, domain controllers, file shares, etc., configure them to bind and allow traffic to/from this interface’s address. Treat your “real” network the way you would treat a hotel WiFi: as a pipe to access the Internet and nothing more.
Everything that works over an ordinary ethernet should work on your virtual one, even iTunes music sharing and LAN games.
Bridged Physical and Virtual
Bridging is presently an experimental feature. See this blog post. In-depth documentation is coming shortly.
Virtual Network Behind Gateway
You’re a network administrator at a high-security national lab, and security restrictions prohibit you from installing anything like ZeroTier One behind your firewall. Some of the users on your network want to access a virtual LAN belonging to an academic collaboration spanning several universities. How do you allow this?
The easiest answer may be to install ZeroTier One on a system outside your firewall, such as in the DMZ or even entirly outside your network boundary. Give this box’s 10-digit address to the administrator of the virtual network you want to join, and join it. This gateway will get an IP on the virtual net, an address that you will treat as if it were an external IP on the open Internet.
The easiest approach is to set up your virtual LAN gateway as a “masquerading” NAT router. Configure it to statically NAT traffic from your internal IP range to appear behind the gateway’s IP on the virtual network and enable connection tracking. Finally, configure your core router to route traffic to the virtual network’s IP space via the gateway. If people on the virtual LAN also need to connect in to services behind your firewall, you can accomplish this by mapping ports on the gateway’s virtual LAN IP (which you’re treating as external) back into your LAN to their appropriate destinations.
If you want to actually map the virtual LAN’s IP range into your internal network without employing NAT, you’ll have to collaborate with the administrators of the virtual network and give them your internal IP range. They will have to add routes to this range via your gateway, allowing users of the virtual ethernet to “see” your internal LAN. Using firewall rules on the gateway or on your core router you can still control which IP:port combinations are permitted entry and exit.
This configuration looks almost identical to a NAT router on the open Internet. As such, it sort of breaks the paradigm and defeats the purpose. It’s by far the most inconvenient of any option presented here. But for some users it might be the only option available.
Exact configuration details are beyond the scope of this document, but there are many guides and helper applications for operating systems like Linux to assist in firewall rule configuration. Just remember that you’re treating your gateway’s virtual network interface to the virtual LAN as if it were an interface to a broadband modem or other Internet connection.
Troubleshooting Firewall Issues
Complete instructions for configuring your local firewall is beyond the scope of this guide since every operating system (or third party firewall app) works differently, but here are some guidelines to get you started.
Virtual networks look like any other kind of LAN or WiFi network to your operating system, so traffic over them is subject to local firewall rules. (This differs from some VPNs.) If you find it impossible to communicate— or especially if others find it impossible to communicate with you— it is likely that your local firewall is blocking traffic.
Many firewalls have two ways of treating a network: a “public” or “untrusted” mode and a “home or office network” or “trusted” mode. More restrictive rules are applied to the former, while the latter is subjected to less restriction or none at all. Since your firewall doesn’t know anything about ZeroTier, it’s likely that it will place its virtual networks in the untrusted category until you tell it otherwise. You may have to change this to allow others to access services on your computer. (On the other hand, if you’re trying out public networks you may want to leave those in untrusted mode.)
Many firewalls block ICMP PING messages. If a user cannot ping you, you may still be able to communicate.
Some firewalls may interfere with ZeroTier One itself. The first time you install, you may receive a dialog box asking you if you want to allow the ZeroTier One service to communicate with the Internet. At a minimum, your firewall must permit the establishment of outbound UDP conversations to the Internet on port 9993 or TCP connections on port 443. (UDP is strongly preferred, TCP is fallback only if UDP fails.) If a firewall blocks or interferes with both paths, nothing will work.
The Github project wiki hosts technical FAQs, operating system specific guides, and other detailed information.
The World Was Flat
In the beginning, the Internet had a flat address space. Almost any system online could connect to any other. Want to send me a file? Here, FTP it to my computer. Here’s my IP address.
When the network opened to the public, operating systems and applications proved too insecure and unreliable to weather the exposure. Firewalls were put in place, a mitigation strategy that seems to have become permanent. This helped protect insecure services from abuse, but also made formerly trivial operations very difficult. Want to send me a file? Hmm… let’s see. Can you open a port? Got a Dropbox account? Too big? Make a torrent? Oops, my firewall doesn’t allow torrents. Mail me a USB stick?
Security has improved dramatically since those days, but most users and IT department still prefer to have firewall barriers in place. Programmers continue to write insecure code, operating systems continue to have poor service and app isolation, and users continue to engage in bad security practices like unprotected drive sharing and the use of easily guessable passwords.
Back to the Future
But you’re adventurous. You have an up-to-date system. You know how to configure things correctly.
ZeroTier One creates virtual networks that span physical boundaries, including firewalls. Most users will want these to be private gated communities, but they can also be open. In the control panel you’ll notice a check box labeled “private” for each network. It’s checked by default. Un-check this box and you’ve created a public network. Anyone can now join. All they need is the network’s 16-digit ID.
You can also join Earth. It’s exactly what it sounds like: a virtual coffee shop WiFi network for the entire planet. Just join 8056c2e21c000001 and you’re there.
It’s a network with no tiers. Now you know where ZeroTier’s name originated. It was the pain of collaboration on the firewall-studded locked-down Internet that inspired the development of this app.
Security is your responsibility!
There’s nothing special about ZeroTier public LANs. When you connect at a hotel, coffee shop, university, airport, or conference center, you are also joining an untrusted network. Securing your system is always a good idea.
Make sure your operating system is up to date. Turn off remote services that you don’t need running and make sure any that are open are protected by strong passwords (unless you actually want them open to the world). Most operating systems have local firewalls as well, and these can help protect you from unwittingly sharing things you don’t want open.
If none of that makes sense to you, we recommend learning a bit about security and how to configure network services before experimenting with these networks.