Foreword
Some time ago, the server was relocated out of the campus network, but the lab's GPU servers are still inside it, so a direct connection is impossible and the school's VPN is required for access.
As everyone knows, the school's official VPN is painful to use, so I looked for a way to build our own solution with open-source tools for use within the group.
The idea was to use zerotier to set up a virtual LAN (I won't go into how it works here; it is enough to know that once devices join the virtual LAN they can reach each other by their virtual-LAN IPs, normally over a direct P2P path, even when they are not on the same physical LAN, which makes for a very good experience).
However, the lab servers generally have no internet access, so they cannot join zerotier directly, and another approach is needed.
Below is my complete solution.
Self-built zerotier planet
For this part I followed the following GitHub repository exactly, so I won't repeat it here.
Once the planet server is set up according to its README, every machine that joins the network can reach every other member. But, as noted in the foreword, the lab servers cannot join directly, so another machine has to forward traffic for them.
Forwarding with zerotier
As it happens, I have a personal server on campus (referred to below as the forwarding server) that hosts my homepage and other services. It can join the virtual LAN and forward traffic to the lab servers.
Assume the forwarding server has the campus IP 172.26.1.2 and the virtual-LAN IP 10.11.1.2, and the lab servers have campus IPs 114.212.1.101 to 114.212.1.105.
First, open the zerotier planet management backend set up above and tick the "Active bridge" option for the forwarding server so that it is allowed to forward traffic.
Configuration of the forwarding server
First, enable IP forwarding: edit /etc/sysctl.conf and set net.ipv4.ip_forward = 1 (add the line if it doesn't exist), then apply it and add the NAT and forwarding rules:
sudo sysctl -p # forwarding setting takes effect immediately
# Configure forwarding (run as root)
PHY_IFACE=enp5s0 # campus-facing interface; change to match your NIC
ZT_IFACE=ztlowm7c2d # zerotier virtual interface; change to match your NIC
sudo iptables -t nat -A POSTROUTING -o $PHY_IFACE -j MASQUERADE # rewrite source to the forwarding server's campus IP
sudo iptables -A FORWARD -i $PHY_IFACE -o $ZT_IFACE -m state --state RELATED,ESTABLISHED -j ACCEPT # replies from campus back into the virtual LAN
sudo iptables -A FORWARD -i $ZT_IFACE -o $PHY_IFACE -j ACCEPT # new connections from the virtual LAN out to campus
The iptables rules above are lost on reboot; on Debian/Ubuntu the iptables-persistent package (which restores /etc/iptables/rules.v4, written with iptables-save, at boot) is the usual way to make them permanent. Note also that, as written, the rules let any member of the virtual LAN reach any host the forwarding server itself can reach, not only the lab servers; if that is more than you want, add -s/-d restrictions to the FORWARD and MASQUERADE rules.
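A tightened version of the forwarding-server setup, as an added example written for this page rather than the post's own commands. It assumes, which the post does not say, that the zerotier-managed subnet is 10.11.0.0/16 and that only the five lab hosts 114.212.1.101 to 114.212.1.105 should be reachable through the forwarding server; the interface names are the post's placeholders. Without arguments it prints the rules (dry run); with --apply it enables forwarding, installs the rules with sudo and saves them for iptables-persistent. The helper functions count the generated rules so the rule set can be checked before it touches the box.

```shell
#!/usr/bin/env bash
# Tightened forwarding-server setup. Added example, not the original post's
# commands. Assumptions not stated in the post: the zerotier-managed subnet is
# 10.11.0.0/16, and only the five lab hosts should be reachable through this box.
set -eu

PHY_IFACE="${PHY_IFACE:-enp5s0}"        # campus-facing NIC (placeholder)
ZT_IFACE="${ZT_IFACE:-ztlowm7c2d}"      # zerotier virtual NIC (placeholder)
ZT_NET="${ZT_NET:-10.11.0.0/16}"        # assumed virtual-LAN subnet
LAB_HOSTS="114.212.1.101 114.212.1.102 114.212.1.103 114.212.1.104 114.212.1.105"

# Emit the rules as text so they can be reviewed (dry run) before being applied.
gen_rules() {
  local host
  # NAT only packets that really come from the virtual LAN.
  echo "iptables -t nat -A POSTROUTING -s $ZT_NET -o $PHY_IFACE -j MASQUERADE"
  # Replies for connections a lab host already accepted.
  echo "iptables -A FORWARD -i $PHY_IFACE -o $ZT_IFACE -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT"
  # New connections: one rule per lab host, from the virtual LAN only.
  for host in $LAB_HOSTS; do
    echo "iptables -A FORWARD -i $ZT_IFACE -o $PHY_IFACE -s $ZT_NET -d $host -j ACCEPT"
  done
  # Anything else the virtual LAN tries to reach through us: log, then drop.
  echo "iptables -A FORWARD -i $ZT_IFACE -o $PHY_IFACE -j LOG --log-prefix zt-fwd-drop: --log-level 4"
  echo "iptables -A FORWARD -i $ZT_IFACE -o $PHY_IFACE -j DROP"
}

# Number of per-host ACCEPT rules produced (one per lab host).
count_accept_rules() {
  gen_rules | grep -c -- "-d 114\.212\.1\."
}

# Number of new-connection ACCEPT rules that are NOT scoped to the virtual-LAN
# source; must be 0, otherwise anything the box forwards gets through.
count_unscoped_accepts() {
  gen_rules | grep -- "-i $ZT_IFACE -o $PHY_IFACE" | grep -- '-j ACCEPT' | grep -vc -- "-s $ZT_NET" || true
}

apply_rules() {
  # Enable routing now and persist it in sysctl.d.
  sudo sysctl -w net.ipv4.ip_forward=1
  echo 'net.ipv4.ip_forward = 1' | sudo tee /etc/sysctl.d/99-zt-forward.conf >/dev/null
  gen_rules | while IFS= read -r rule; do
    sudo $rule   # rules contain no quoted arguments, so word splitting is safe
  done
  # Persist across reboots (Debian/Ubuntu: apt install iptables-persistent first,
  # which creates /etc/iptables and restores rules.v4 at boot).
  sudo sh -c 'iptables-save > /etc/iptables/rules.v4'
}

case "${1:-}" in
  --apply) apply_rules ;;
  *)       gen_rules ;;   # default is a dry run: print the rules only
esac
```

Compared with the post's rules, MASQUERADE and the new-connection ACCEPTs are scoped to the virtual-LAN source and to the lab hosts, and the closing LOG/DROP pair makes any other forwarding attempt visible in the kernel log (prefix zt-fwd-drop:) instead of silently succeeding.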
Client configuration
You could configure a managed route in the zerotier planet backend with Target=114.212.0.0/16 and Gateway=10.11.1.2, so that clients pick up the route and send traffic for the lab servers to the forwarding server.
However, 114.212.0.0/16 is a public IP range, and by default a zerotier client refuses to apply managed routes (or managed IPs) that fall in global address space, so the controller pushes the route but the client never installs it. (Private ranges such as 172.26.0.0/16 work without any extra step.)
To let the client apply remotely configured public routes, have each user run the following on the client (as root):
sudo zerotier-cli set {Network ID} allowGlobal=1
Afterwards ip route should list 114.212.0.0/16 via 10.11.1.2 on the zerotier interface. Keep in mind that allowGlobal lets the network controller push a route for any public prefix to that client, so only enable it on a network whose controller you run yourself, as is the case with the self-built planet here.