Zerotier: Network Privacy - snowgiant1312/SEC440 GitHub Wiki
ZeroTier Proposal
ZeroTier is open-source software that uses software-defined networking (SDN). It can act as a peer-to-peer VPN, establishing direct connectivity between peers through UDP hole punching.
https://en.wikipedia.org/wiki/ZeroTier
Overview
For the project, I am going to install ZeroTier on one of my CentOS machines, leveraging a MySQL database and client machines. Using ZeroTier will allow me to encrypt the data exchanged between client and server. Unencrypted MySQL data being exchanged between machines on an insecure network is the security flaw I am trying to address. Endpoint connections are peer-to-peer and end-to-end encrypted. ZeroTier is also relatively new, and I have had issues with setting up VPNs in the past, so using ZeroTier will be a good learning opportunity for me.
References
https://ezplatform.com/blog/remote-database-server-zerotier-mysql-mariadb
Build
SDN Creation
my.zerotier.com
A ZeroTier account is required to utilize the service. Once the account is created, log into it and click the Networks tab and then click Create. A network ID will be generated along with a network name. The network ID will be necessary later on to connect clients to the ZeroTier network. Set Access Controls to private.
In the next section choose an IPv4 address range that ZeroTier will run on. Keep Auto-Assign checked.
ZeroTier Client Installation
ZeroTier is installed on client machines using a script:
curl -s 'https://pgp.mit.edu/pks/lookup?op=get&search=0x1657198823E52A61' | gpg --import && if z=$(curl -s 'https://install.zerotier.com/' | gpg); then echo "$z" | sudo bash; fi
Once the script has run successfully, you will see a message containing the client's ZeroTier address, which is needed to connect the client to the ZeroTier network:
*** Success! Your ZeroTier address [ xxxxxxxxxx ].
Joining the ZeroTier Network
sudo zerotier-cli join [NetworkID]
After the join is initiated on the client, the client must be authorized through the ZeroTier web console.
Locate the Members section. It should list the clients with the ZeroTier addresses that were generated when ZeroTier was installed. Tick the Auth? box to authorize them on the network.
Connectivity
At this point ZeroTier should be installed on Xubuntu-Lan and the web server (or any other client and server combination), and both should be authorized through the web console.
ip a
shows that the ZeroTier IP has been assigned to the machine.
To verify connectivity, ping each machine's ZeroTier IP from the other.
Enable VPN
On the server: sudo sysctl net.ipv4.ip_forward
The output will most likely come up as: net.ipv4.ip_forward = 0
sudo nano /etc/sysctl.conf
Add this line to the bottom of the config file: net.ipv4.ip_forward = 1
Apply the change: sudo sysctl -p
Running sudo sysctl net.ipv4.ip_forward
again should now return the following output: net.ipv4.ip_forward = 1
ip link show
lists the interface names (the ZeroTier interface is the one whose name begins with zt).
The following commands enable NAT (IP masquerading) on the server:
sudo iptables -t nat -A POSTROUTING -o ens160 -j MASQUERADE
sudo iptables -A FORWARD -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
sudo iptables -A FORWARD -i [ztier interface name] -o ens160 -j ACCEPT
iptables rules do not persist across reboots automatically, so save them (netfilter-persistent is provided by the iptables-persistent package on Debian/Ubuntu):
sudo netfilter-persistent save
Reboot the server to confirm that the rules were saved. After the reboot,
sudo iptables-save
should list the three rules added above.
Global Route
Head to the Managed Routes Section on the ZeroTier web console.
Configure it like the image above, replacing 10.147.17.43 with the server's ZeroTier IP and 10.147.17.0/24 with the IPv4 address range you are using.
Client Configurations (Xubuntu-Lan)
sudo nano /etc/sysctl.conf
Add this line to the bottom of the config file: net.ipv4.conf.all.rp_filter=2
Apply the change: sudo sysctl -p
Enable routing of default-route traffic over the VPN:
sudo zerotier-cli set [NetworkID] allowDefault=1
If you are configuring ZeroTier on non-Linux clients, you can download ZeroTier directly from the ZeroTier website.
MySQL Configuration
Not much needs to be configured for MySQL to work over ZeroTier. The only issue that might occur is the bind address not being set to 0.0.0.0 in /etc/mysql/my.cnf. Change the bind address to 0.0.0.0 and restart MySQL for the change to take effect. Note that 0.0.0.0 makes MySQL listen on every interface, including the untrusted LAN this project is trying to avoid; binding to the server's ZeroTier IP instead, or restricting TCP port 3306 to the ZeroTier interface with iptables, keeps the database reachable only over the VPN. Also make sure that the MySQL user is allowed to connect from any address, or from the client's ZeroTier address specifically: 'mysqluser'@'%'
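The server-side steps above (ip_forward, the three iptables rules saved with netfilter-persistent) and the MySQL bind-address setting can be checked after the build with a small audit. This is example code added here, not part of the original wiki or of ZeroTier; the interface name ztabcdef12, the sample command output and the my.cnf contents are constructed, and 10.147.17.43 stands for the server's ZeroTier IP as on the page. It is stricter than the page in one respect: it flags bind-address 0.0.0.0, because that also exposes MySQL on the untrusted LAN interface, and expects the ZeroTier address instead.

```python
import re
import subprocess

# Constructed sample command output (not captured from a real host).
SAMPLE_SYSCTL = "net.ipv4.ip_forward = 1\n"
SAMPLE_IPTABLES = """*nat
-A POSTROUTING -o ens160 -j MASQUERADE
COMMIT
*filter
-A FORWARD -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -i ztabcdef12 -o ens160 -j ACCEPT
COMMIT
"""
SAMPLE_MYCNF = "[mysqld]\nbind-address = 0.0.0.0\n"

def expected_rules(zt_iface, wan_iface):
    """The three rules the build adds, as iptables-save prints them."""
    return [
        f"-A POSTROUTING -o {wan_iface} -j MASQUERADE",
        "-A FORWARD -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT",
        f"-A FORWARD -i {zt_iface} -o {wan_iface} -j ACCEPT",
    ]

def audit(sysctl_out, iptables_out, mycnf, zt_iface, wan_iface, zt_ip):
    """Return a list of findings; an empty list means the host matches the build."""
    findings = []
    if not re.search(r"^net\.ipv4\.ip_forward\s*=\s*1\s*$", sysctl_out, re.M):
        findings.append("ip_forward is 0: clients will not be routed through the server")
    saved = {line.strip() for line in iptables_out.splitlines()}
    for rule in expected_rules(zt_iface, wan_iface):
        if rule not in saved:
            findings.append(f"rule missing (netfilter-persistent save not run?): {rule}")
    m = re.search(r"^\s*bind-address\s*=\s*(\S+)", mycnf, re.M)
    bind = m.group(1) if m else "(unset)"
    if bind == "0.0.0.0":
        findings.append(f"MySQL listens on every interface; bind it to {zt_ip} or "
                        "restrict tcp/3306 to the ZeroTier interface with iptables")
    elif bind != zt_ip:
        findings.append(f"MySQL bind-address is {bind}; ZeroTier clients need {zt_ip}")
    return findings

def audit_live(zt_iface, wan_iface, zt_ip, mycnf_path="/etc/mysql/my.cnf"):
    """Gather the real output on the server (run as root) and audit it."""
    sysctl_out = subprocess.run(["sysctl", "net.ipv4.ip_forward"],
                                capture_output=True, text=True).stdout
    iptables_out = subprocess.run(["iptables-save"], capture_output=True, text=True).stdout
    with open(mycnf_path) as f:
        return audit(sysctl_out, iptables_out, f.read(), zt_iface, wan_iface, zt_ip)
```

On the server, run `audit_live("<zt interface>", "ens160", "<server ZeroTier IP>")` as root; the SAMPLE constants feed the same `audit` function offline. If you bind MySQL to the ZeroTier IP, make sure mysqld starts after the ZeroTier interface is up, since the bind fails while that address does not yet exist.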
ZeroTier should now be fully configured.
Video:
https://drive.google.com/open?id=1yQvq65eUmEsZLIvWjegeSa0ds5-wIlWQ