We plan to use ZeroTier to transfer data and FSMO roles from a hosted server in someone else’s infrastructure to ours; they have denied IPsec VPN access.
I have set up a test network between the two devices and can ping both sides over the 192.168.192.0/24 network ZeroTier has assigned, but not the local LAN subnets.
Is there a way to do this? I tried setting up manual routes to each network using the ZeroTier-assigned IPs as the gateway but failed miserably.
Network looks like below:
DC1:
LAN: 172.16.127.5/24
ZeroTier: 192.168.192.83
If I understand correctly, you installed ZeroTier on the two DCs? In the most basic configuration, this is just like adding a network card to the servers so they have direct access to both networks, but there’s no routing.
If you need to do routing this becomes a little more complicated. You’d need to enable packet forwarding on the DCs (not sure how your security folks will feel about that), and even then only the DCs would be able to communicate across this connection, and I’m not sure how that would work since there is no valid return route on the other machines on each of the LANs, i.e. they receive a packet from the DC on DC1 and want to send a packet back to 172.16.127.5/24, and since it’s non-local they will probably use their default gateway to try and send it and there’s no route to get there.
If you can register a static route on their router/firewalls, to use the DCs as the next hop to the remote subnet, that would do the trick, but again, if they refused a simple IPsec VPN connection it seems unlikely they will allow this. Otherwise you’d need to enable forwarding on the DCs and then change the default route for all of the devices on each LAN to use the DC as their default gateway, which is yet another big ask.
So yes, technically this is quite possible but requires configuration of other components and buy-in from their network people.
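The forwarding-plus-static-route setup described in the answer, written out for DC1 as an added PowerShell example (this is not code from the thread or from ZeroTier). The thread only gives DC1's addresses, so the remote side is assumed as placeholders: DC2 on LAN 172.16.20.5/24 with ZeroTier address 192.168.192.84. The ZeroTier adapter is located by its interface description; the mirror-image commands are needed on DC2, and the return routes on each site's router are a separate change the DC cannot make for itself.

```powershell
# Added example, not from the original thread. Run in an elevated session on DC1.
# Placeholder assumptions (the thread gives no DC2 addresses):
#   DC2 LAN subnet 172.16.20.0/24, DC2 LAN IP 172.16.20.5, DC2 ZeroTier IP 192.168.192.84
$ztAlias    = (Get-NetAdapter | Where-Object { $_.InterfaceDescription -like 'ZeroTier*' }).Name
$lanAlias   = (Get-NetIPAddress -IPAddress 172.16.127.5).InterfaceAlias
$remoteLan  = '172.16.20.0/24'     # placeholder: DC2's LAN subnet
$remoteZtIp = '192.168.192.84'     # placeholder: DC2's ZeroTier address

# Step 1: allow DC1 to forward between its LAN and ZeroTier interfaces.
# Without this, a static route alone sends traffic into an interface that will not
# pass it on, which matches the "failed miserably" symptom in the question.
Set-NetIPInterface -InterfaceAlias $ztAlias  -AddressFamily IPv4 -Forwarding Enabled
Set-NetIPInterface -InterfaceAlias $lanAlias -AddressFamily IPv4 -Forwarding Enabled

# Step 2: send the remote LAN via the remote DC's ZeroTier address (skip if present).
if (-not (Get-NetRoute -DestinationPrefix $remoteLan -ErrorAction SilentlyContinue)) {
    New-NetRoute -DestinationPrefix $remoteLan -InterfaceAlias $ztAlias -NextHop $remoteZtIp
}

# Verify forwarding state and the route on DC1.
Get-NetIPInterface -InterfaceAlias $ztAlias, $lanAlias -AddressFamily IPv4 |
    Select-Object InterfaceAlias, Forwarding
Get-NetRoute -DestinationPrefix $remoteLan |
    Select-Object DestinationPrefix, NextHop, InterfaceAlias

# Step 3 is off-box: the return path the answer warns about. Each site's router needs
#   172.16.20.0/24  via 172.16.127.5   (DC1 site, next hop is DC1's LAN IP)
#   172.16.127.0/24 via 172.16.20.5    (DC2 site, next hop is DC2's LAN IP)
# or every LAN host must use its local DC as default gateway. Once both sides are
# in place, a LAN-to-LAN check from DC1 (placeholder target address):
Test-NetConnection -ComputerName 172.16.20.5 -InformationLevel Detailed
```

Step 2 can also be delivered from ZeroTier Central as a managed route on the network (destination 172.16.20.0/24 via 192.168.192.84, and the reverse for the other site), which pushes the same route to every member instead of adding it by hand on each DC; it does nothing for the return path on the other LAN hosts, so step 3 is still required.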