Preface
Some time ago, our servers were moved out of the campus network. The lab's GPU servers, however, are still inside the campus network, so they cannot be reached directly and the school's VPN is needed to access them. As anyone who has used it knows, the school's official VPN offers a terrible experience, so I thought about building a self-hosted alternative for our group out of open-source tools.
I therefore thought of using zerotier to set up a virtual LAN (I won't go into the underlying principles here; you only need to know that once devices join the virtual LAN, they can establish P2P connections to each other via their virtual LAN IPs even when they are not on the same physical LAN, which gives a very good experience). However, the lab servers are generally not connected to the internet, so they cannot join zerotier directly, and another approach is needed for them.
Here is my complete solution.
Self-hosted zerotier planet
For this part I followed the GitHub repository below exactly, so I won't go into much detail here either.
After setting up the planet server according to its README, all machines that join the network can access each other. However, as mentioned in the preface, the lab's servers cannot be directly connected, so another machine is needed for forwarding.
zerotier forwarding
Coincidentally, I have a personal server on campus (referred to as the forwarding server below) that hosts my homepage and other services. I can add it to the virtual LAN and have it forward traffic destined for the lab servers.
Assume the forwarding server has a campus IP 172.26.1.2 and a virtual LAN IP 10.11.1.2, and the lab servers all have campus IPs from 114.212.1.101 to 114.212.1.105.
First, open the configured zerotier planet backend and check the Active bridge option for the forwarding server so that it is allowed to forward traffic.
Forwarding Server Configuration
First, enable IP forwarding on the forwarding server. Edit /etc/sysctl.conf and set net.ipv4.ip_forward = 1 (add the line if it isn't there), then run the following commands:
sudo sysctl -p # Make the forwarding setting take effect immediately
# Configure forwarding
PHY_IFACE=enp5s0 # Modify according to your physical (campus) network interface
ZT_IFACE=ztlowm7c2d # Modify according to your zerotier network interface
# Rewrite the source address of forwarded packets to the forwarding server's campus IP
sudo iptables -t nat -A POSTROUTING -o $PHY_IFACE -j MASQUERADE
# Allow replies from the campus network back into the virtual LAN
sudo iptables -A FORWARD -i $PHY_IFACE -o $ZT_IFACE -m state --state RELATED,ESTABLISHED -j ACCEPT
# Allow traffic from the virtual LAN out to the campus network
sudo iptables -A FORWARD -i $ZT_IFACE -o $PHY_IFACE -j ACCEPT
The iptables rules above are not persistent and will be lost after a reboot; look up how to save them permanently for your distribution.
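The rules above forward any traffic from the virtual LAN to anything reachable on the campus interface and masquerade all of it. As an added example (not from the original post), the script below is a tighter variant that only relays connections to the five lab servers, drops and logs everything else, and assumes the virtual LAN is 10.11.0.0/16 (the post only gives the single address 10.11.1.2); it uses the iprange and conntrack iptables matches, and IPT=echo or --preview prints the rules without needing root.

```sh
#!/bin/sh
# Hardened zerotier relay rules (added example, not from the original post).
# Assumptions: virtual LAN is 10.11.0.0/16, lab servers are 114.212.1.101-105
# as stated in the post. Override IPT (e.g. IPT=echo) to preview the rules.
IPT=${IPT:-iptables}
PHY_IFACE=${PHY_IFACE:-enp5s0}       # campus-facing interface
ZT_IFACE=${ZT_IFACE:-ztlowm7c2d}     # zerotier interface
ZT_NET=${ZT_NET:-10.11.0.0/16}       # assumed virtual LAN range
LAB_RANGE=${LAB_RANGE:-114.212.1.101-114.212.1.105}

apply_forwarding_rules() {
    # Default deny: nothing is forwarded unless a rule below allows it.
    $IPT -P FORWARD DROP
    # Only masquerade traffic that came from the virtual LAN and is headed
    # for a lab server; nothing else gets the relay's campus address.
    $IPT -t nat -A POSTROUTING -s "$ZT_NET" -m iprange --dst-range "$LAB_RANGE" \
         -o "$PHY_IFACE" -j MASQUERADE
    # New connections are allowed only from the virtual LAN to the lab servers,
    # not to the rest of the campus network.
    $IPT -A FORWARD -i "$ZT_IFACE" -o "$PHY_IFACE" -s "$ZT_NET" \
         -m iprange --dst-range "$LAB_RANGE" -m conntrack --ctstate NEW -j ACCEPT
    # Replies for connections that are already established may flow back.
    $IPT -A FORWARD -i "$PHY_IFACE" -o "$ZT_IFACE" \
         -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
    # Log (rate-limited) and drop anything else so misuse of the relay is visible.
    $IPT -A FORWARD -m limit --limit 5/min -j LOG --log-prefix "zt-fwd-drop: "
    $IPT -A FORWARD -j DROP
}

# Number of rules that accept NEW forwarded connections. A hardened relay
# has exactly one, and it is scoped to the lab range.
count_new_accepts() {
    (IPT=echo; apply_forwarding_rules) | grep -c -- '--ctstate NEW -j ACCEPT'
}

if [ "${1:-}" = "--preview" ]; then
    IPT=echo
    apply_forwarding_rules
fi
```

Run it as root without arguments to apply the rules; these are still not persistent across reboots.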
Client Configuration
You can configure a managed route in the zerotier planet backend with Target=114.212.0.0/16, Gateway=10.11.1.2 so that clients automatically receive the route and send traffic for the lab servers through the forwarding server.
However, since 114.212.0.0/16 is a public IP range, zerotier will not push this route to clients by default (other private ranges such as 172.26.0.0/16 work fine).
To allow the network to push routes for public address ranges, have each user run the following command on their client:
zerotier-cli set {NetworkID} allowGlobal=1