Net Privacy Pro

Accessing remote hosts (especially your own) can be challenging when you don’t own a dedicated IP address. And even when you do, exposing a host directly to the internet has real security implications. One solution is to set up your own VPN between all your hosts. You can do this manually with excellent tools like WireGuard, or you can use a professionally managed service. In this article, I will take a closer look at one of these services and show you how you can span your own VPN with ZeroTier One.

I wanted to be able to connect to my home computer from mobile for a very long time. I’ve always had a use-case: quickly finding a local file, doing something in the browser that is signed in to an account there, using an application that I don’t have handy on mobile, etc. In the beginning, I used TeamViewer, but stopped for privacy reasons. Using TeamViewer is like having someone sit behind you and look over your shoulder while you type in your password.

When I got more involved with network security, I learned how to configure my own VPN. In the next sections, I will introduce you to the fundamentals of VPNs and to the basics of the ZeroTier One service.

Introduction to VPNs for Mesh Networking

I covered VPNs in a previous article about Private Internet Access (PIA). VPNs (or Virtual Private Networks) are used in two different contexts:

  • Relaying your internet connection through a third party: This is the mainstream understanding of what a VPN does. You connect your computer to that VPN provider, and all your traffic is routed through their servers. This can serve different use-cases, like obscuring your identity, overcoming geo-restrictions, or defeating censorship. It also means that the provider sees and can log all your traffic, so you are trading trust in your ISP for trust in the VPN provider. PIA is one example of a service offering this functionality. Others include CyberGhost VPN, NordVPN, and ExpressVPN.
  • Connecting different machines to the same virtual network: Imagine your home LAN, but with computers located in arbitrary locations. This is the original meaning of “Virtual Private Network“: You span a network over a number of hosts you choose to add to the network. The purpose of this is not routing your internet traffic through a different host, but making another host accessible as if it were on the same LAN. This is the type of VPN I will discuss in this article.

Imagine the two like this:

Above you see both variants. The left “Relaying Internet Traffic VPN” type is what popular services like the ones mentioned above offer. The right “Spanning a Mesh Network via VPN” is a technique for tying together physically separated hosts. Services exist for spanning such mesh networks via VPN as well. Personally, I used Hamachi for a long time (when it was still free to use). Later I switched to the one I will present to you here: ZeroTier One.

Introduction to ZeroTier One

I have used ZeroTier One for at least the past ~10 years. I can’t recall exactly when I started using it, but it has always been very helpful. Essentially, what it does is this:

You sign up for an account on zerotier.com. After you have created an account, you can sign in with it on my.zerotier.com. This is the management interface and dashboard in which you can create and manage private networks. Note that this dashboard is only the control plane: it decides which hosts are members of a network and how the network is configured, while the traffic between your hosts is encrypted end to end and flows between them directly wherever possible. You don’t necessarily have to sign up with your email address. Signing up/in with Google, GitHub, or your Microsoft account works just fine. You will see a list of your current networks after signing in:

Overview of all your ZeroTier One VPN networks

Here, you see the unique identifier of each network (blurred out here), its name, potentially a description, the subnet assigned to it, the number of nodes registered inside, and when the network was created. In the screenshot above you see an account using the free tier. This tier allows you to register 25 nodes (i.e., hosts) simultaneously. This is a great quota to span your own VPN with ZeroTier One.

Inside a network page, you can set a variety of details. These not only include the name and description. You can decide whether anyone who knows the network ID can join the network (public), or only hosts you have authorized (private). Keep your networks private: the network ID is not a secret, and your explicit authorization of each host is what keeps strangers out. You can select the IP range from which the network controller automatically assigns addresses to members (ZeroTier does this itself; it does not use DHCP for it), can add routing information, and much more (including IPv6 settings, multicast details, and a DNS configuration).

Settings to administer your own VPN with ZeroTier One

Apart from managing settings, you can manually add or authorize requesting hosts:

ZeroTier One overview of all the hosts on your own VPN mesh network

You can assign them specific IPs, see their public IP, and set a name and description for each host. If you want to remove or deauthorize them, you can do so easily, too. These are two different things: deauthorizing keeps the host in the list but cuts off its access to the network, while removing deletes its entry entirely, so the host can request to join again and would show up as a new pending member.

Client Apps for ZeroTier One

ZeroTier One is available for various platforms on their download page, including Windows, macOS, Linux, iOS, and Android. You can also install it on Synology NAS devices, which means you can add your NAS directly to your mesh network. The features of the desktop apps are pretty much the same on all of them: You can join a network, manage the settings for your host, and disconnect from it again. All of them make it very easy to span your own VPN with ZeroTier One.

The ZeroTier One Windows Client, allowing you to join or disconnect from your own VPN mesh network

On mobile, you get to join networks and disconnect from them, too. The app will ask you for permission to install a VPN profile, which you should allow for it to work. You can join multiple networks at the same time, although only one of them can route your internet traffic. This can be turned on or off in the desktop as well as the mobile apps. For it to work, the network needs a managed route for 0.0.0.0/0 pointing at one of its members acting as the gateway, and the client has to allow a default route override (on the command line this is the allowDefault setting of zerotier-cli).

Joining your own ZeroTier One Network

To add a host to a network, you just follow these simple steps:

  1. Create a network on my.zerotier.com and note down the network ID (a 16-character hexadecimal string).
  2. Install a client application on the host you want to add to the network.
  3. Join the network from the host by entering the network ID (on the command line: zerotier-cli join <network ID>); the host is now requesting to join the network.
  4. On my.zerotier.com, go to the network’s dashboard and scroll all the way down to the hosts list. You will see one with a red dashed line next to it. Before you tick the checkbox next to it, compare its node ID (the 10-character hexadecimal string) with the one your host reports in the client app or via zerotier-cli info, so that you authorize your own device and not someone else who happens to know your network ID. When you click the checkbox, you allow it to join the network.
Allow or reject hosts in your ZeroTier One VPN when they request to join your private network

Once you have completed this step, the new host will be assigned an IP address for the mesh network and can communicate with all other hosts on that private network.
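Step 4 can also be done without clicking through the dashboard, via the ZeroTier Central REST API, which becomes handy once you have more than a handful of hosts. The following Python script is an added example for this article, not ZeroTier’s own tooling. It assumes the Central API shape as documented at the time of writing (GET and POST on https://api.zerotier.com/api/v1/network/<network ID>/member[/<node ID>], an “Authorization: token <API token>” header, and member objects carrying nodeId, physicalAddress and config.authorized); the member listing embedded in it is constructed sample data. Instead of authorizing everything that is pending, it only authorizes node IDs you pass on the command line and reports the rest for manual review, which is the same check as comparing node IDs by hand in step 4.

```python
"""Authorize pending ZeroTier members, but only the ones on an allowlist.

Added example; not part of ZeroTier's own tooling. Assumes the ZeroTier
Central API shape documented at the time of writing:
  GET  https://api.zerotier.com/api/v1/network/<nwid>/member          -> list
  POST https://api.zerotier.com/api/v1/network/<nwid>/member/<nodeid>  -> update
with an "Authorization: token <API token>" header. Network IDs are 16 hex
characters, node IDs are 10 hex characters.
"""
import json
import os
import re
import sys
import urllib.request

API_BASE = "https://api.zerotier.com/api/v1"
NETWORK_ID_RE = re.compile(r"[0-9a-f]{16}")
NODE_ID_RE = re.compile(r"[0-9a-f]{10}")


def is_network_id(value: str) -> bool:
    """True for a well-formed ZeroTier network ID (16 hex characters)."""
    return NETWORK_ID_RE.fullmatch(value.lower()) is not None


def is_node_id(value: str) -> bool:
    """True for a well-formed ZeroTier node ID (10 hex characters)."""
    return NODE_ID_RE.fullmatch(value.lower()) is not None


def pending_members(members):
    """Members that requested to join but are not authorized yet
    (the hosts with the red dashed line in the dashboard)."""
    return [
        m for m in members
        if not m.get("config", {}).get("authorized", False)
        and not m.get("hidden", False)
    ]


def plan_authorizations(members, allowlist):
    """Split pending members into (to_authorize, unknown) by node ID.

    Only node IDs on the allowlist are authorized; everything else is
    reported so you can look at it by hand instead of waving it through."""
    allowed = {n.lower() for n in allowlist}
    to_authorize, unknown = [], []
    for member in pending_members(members):
        node = member["nodeId"].lower()
        (to_authorize if node in allowed else unknown).append(node)
    return to_authorize, unknown


def authorize_request(network_id, node_id, token, name=None):
    """Build the POST that flips one member to authorized.

    Returns (url, headers, body) without sending anything, so the request
    can be inspected or tested offline."""
    if not is_network_id(network_id):
        raise ValueError(f"not a network ID: {network_id!r}")
    if not is_node_id(node_id):
        raise ValueError(f"not a node ID: {node_id!r}")
    payload = {"config": {"authorized": True}}
    if name:
        payload["name"] = name
    url = f"{API_BASE}/network/{network_id.lower()}/member/{node_id.lower()}"
    headers = {"Authorization": f"token {token}", "Content-Type": "application/json"}
    return url, headers, json.dumps(payload).encode()


def http_json(method, url, headers, body=None):
    """Minimal JSON call against the Central API (only used by main)."""
    req = urllib.request.Request(url, data=body, headers=headers, method=method)
    with urllib.request.urlopen(req, timeout=10) as resp:
        return json.load(resp)


# Constructed sample of what the member listing looks like; used offline.
SAMPLE_MEMBERS = [
    {"nodeId": "1a2b3c4d5e", "physicalAddress": "203.0.113.7", "config": {"authorized": True}},
    {"nodeId": "6f7e8d9c0b", "physicalAddress": "198.51.100.21", "config": {"authorized": False}},
    {"nodeId": "0a0b0c0d0e", "physicalAddress": "192.0.2.9", "config": {"authorized": False}},
]


def main(argv):
    if len(argv) < 3:
        print(f"usage: ZT_TOKEN=... {argv[0]} <network ID> <node ID> [<node ID> ...]")
        return 2
    network_id, allowlist = argv[1], argv[2:]
    token = os.environ["ZT_TOKEN"]  # API access token from my.zerotier.com
    auth_only = {"Authorization": f"token {token}"}
    members = http_json("GET", f"{API_BASE}/network/{network_id}/member", auth_only)
    to_authorize, unknown = plan_authorizations(members, allowlist)
    for node in to_authorize:
        http_json("POST", *authorize_request(network_id, node, token))
        print("authorized", node)
    for node in unknown:
        print("left pending (not on the allowlist, check it by hand):", node)
    return 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Run it as `ZT_TOKEN=<API token> python3 zt_authorize.py <network ID> <node ID of your new host>`. Treat the API token like a password: it can authorize arbitrary devices into all of your networks, so keep it out of shell history and version control.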

Conclusion on spanning your own VPN with ZeroTier One

You now know the difference between an internet relaying VPN service and a VPN meshing hosts together. In this article, you learned how to set up a basic mesh network with ZeroTier One and add hosts to it. You have seen basic administration features to get you started. From now on, you can freely connect hosts across the internet into a virtual LAN (not a VLAN though). You can now span your own VPN with ZeroTier One.

ZeroTier One offers a generous free tier, but also has competitive prices for higher grade tiers. In the free tier, you can add 25 hosts and only assign one administrator. For most hobbyists, this is probably more than enough.

If you found this article useful or want to share your own thoughts and experiences, feel free to comment below to get the conversation started!
