Route between ZeroTier and Physical Networks


This seems to be the simplest pattern for getting remote access to your LAN. It doesn't require access to the LAN's router or have some of the pitfalls of bridging. This requires a Linux PC or VM, something that runs iptables, on your LAN. A Raspberry Pi works. This is a NAT/Masquerade setup.


If you have a router that can run ZeroTier, you should use that instead of following this article. Many router vendors and operating systems have ZeroTier packages.


Possible Disadvantages


No broadcast/multicast across networks (but mobile OSes don't allow this anyway).


Can't initiate connections from the LAN to an external ZeroTier client.


Summary


  • Install ZeroTier
  • Add a managed route to the ZeroTier network (at my.zerotier.com)
  • Enable IP Forwarding
  • Configure iptables


Required information


For Example:


Install ZeroTier


https://www.zerotier.com/download/


    sudo zerotier-cli join $NETWORK_ID
    sudo zerotier-cli listnetworks


Authorize it at my.zerotier.com/network/$NETWORK_ID


The listnetworks output has the ZeroTier Interface name under <dev>


Configure the ZeroTier managed route


At my.zerotier.com/network/$NETWORK_ID->Settings->Managed Routes


This adds another route to every device joined to the ZeroTier network.


For example:


Configure the destination route as slightly larger than the actual physical subnet, here /23 instead of /24 (a smaller number is a bigger subnet in this notation). This makes devices that are on both the physical and the ZeroTier network prefer the physical connection.


Enable IP forwarding


This can vary depending on the Linux distribution. Typically:


Edit /etc/sysctl.conf to uncomment net.ipv4.ip_forward. This enables forwarding at boot.


To enable it now:


    sudo sysctl -w net.ipv4.ip_forward=1


Configure iptables


Assign some shell variables (personalize these)


    PHY_IFACE=eth0; ZT_IFACE=zt7nnig26


Add rules to iptables


    sudo iptables -t nat -A POSTROUTING -o $PHY_IFACE -j MASQUERADE
    sudo iptables -A FORWARD -i $PHY_IFACE -o $ZT_IFACE -m state --state RELATED,ESTABLISHED -j ACCEPT
    sudo iptables -A FORWARD -i $ZT_IFACE -o $PHY_IFACE -j ACCEPT


Save iptables rules for next boot


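    sudo apt install iptables-persistent
    sudo bash -c 'iptables-save > /etc/iptables/rules.v4'

The quotes make the redirection run inside the root shell, which is needed to write to /etc/iptables/rules.v4.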
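
Running the `-A` commands above a second time appends duplicate rules. The following is an added example, not part of the original guide or ZeroTier's own tooling, that applies the same three rules only when `iptables -C` reports them missing; the function names, the `IPT` override and the script name `zt-nat.sh` are assumptions.

```shell
#!/bin/sh
# Added example: idempotent form of this guide's three iptables rules.
# Function names, the IPT override and the script name are assumptions.

# Accept only plausible Linux interface names (max 15 chars, safe characters),
# so the rule lines below can be word-split without surprises.
valid_iface() {
    case "$1" in
        ''|*[!A-Za-z0-9_.-]*) return 1 ;;
    esac
    [ "${#1}" -le 15 ]
}

# Print the guide's rules, one per line: "<table> <chain> <rule spec>".
zt_rules() {
    phy=$1
    zt=$2
    valid_iface "$phy" && valid_iface "$zt" || return 1
    echo "nat POSTROUTING -o $phy -j MASQUERADE"
    echo "filter FORWARD -i $phy -o $zt -m state --state RELATED,ESTABLISHED -j ACCEPT"
    echo "filter FORWARD -i $zt -o $phy -j ACCEPT"
}

# Append a rule only when "iptables -C" (check) reports it is not present.
# Set IPT to substitute another command for iptables, e.g. a test stub.
apply_rules() {
    rules=$(zt_rules "$1" "$2") || { echo "invalid interface name" >&2; return 1; }
    printf '%s\n' "$rules" | while read -r table chain spec; do
        # $spec is deliberately unquoted so it splits into separate arguments
        ${IPT:-iptables} -t "$table" -C "$chain" $spec 2>/dev/null ||
            ${IPT:-iptables} -t "$table" -A "$chain" $spec
    done
}

# Usage: sudo sh zt-nat.sh apply eth0 zt7nnig26
if [ "${1:-}" = "apply" ]; then
    apply_rules "${2:-}" "${3:-}"
fi
```

Run it again after any change and then save with `iptables-save` as above; a second run leaves the rule set unchanged.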


Test


  • Turn off wifi on your phone
  • Join it to the ZeroTier network and authorize it
  • Try to access something on the physical LAN

Updated on: 12/07/2024
