Route between ZeroTier and Physical Networks
[](/)
Guides
Advanced Networking
Route between ZeroTier and Physical Networks
On this page
This seems to be the simplest pattern for getting remote access to your LAN. It doesn't require access to the LAN's router or have some of the pitfalls of bridging. This requires a Linux PC or VM, something that runs iptables, on your LAN. A Raspberry Pi works. This is a NAT/Masquerade setup.
If you have a router that can run zerotier, you should use that instead of this article. Many router vendors and operating systems have zerotier packages.
Possible Disadvantages
No broadcast/multicast across networks (but the mobile OS's don't allow this anyways).
Can't initiate connections from the LAN to an external ZeroTier client.
Install ZeroTier
Add a managed route to the ZeroTier network (at my.zerotier.com)
Enable IP Forwarding
Configure iptables
For Example:
https://www.zerotier.com/download/
Authorize it at my.zerotier.com/network/$NETWORK_ID
The listnetworks output has the ZeroTier Interface name under <dev>
At `my.zerotier.com/network/$NETWORK_ID`->`Settings`->`Managed Routes`
This adds another route to every device joined to the ZeroTier network.
For example:
Configure the destination route as slightly larger than the actual physical subnet, here /23 instead of /24 (a smaller number is a bigger subnet in this notation) This makes devices that are on both the physical and the ZeroTier network prefer the physical connection.
This can vary depending on linux distribution. Typically:
Edit /etc/sysctl.conf to uncomment net.ipv4.ip_forward. This enables forwarding at boot.
To enable it now
Assign some shell variables (personalize these)
Add rules to iptables
Save iptables rules for next boot
Turn off wifi on your phone
Join it to the zerotier network, authorize it
Try to access something on the physical LAN
Guides
Advanced Networking
Route between ZeroTier and Physical Networks
On this page
This seems to be the simplest pattern for getting remote access to your LAN. It doesn't require access to the LAN's router or have some of the pitfalls of bridging. This requires a Linux PC or VM, something that runs iptables, on your LAN. A Raspberry Pi works. This is a NAT/Masquerade setup.
If you have a router that can run zerotier, you should use that instead of this article. Many router vendors and operating systems have zerotier packages.
Possible Disadvantages
No broadcast/multicast across networks (but the mobile OS's don't allow this anyways).
Can't initiate connections from the LAN to an external ZeroTier client.
Summary[](#summary "Direct link to Summary")
Install ZeroTier
Add a managed route to the ZeroTier network (at my.zerotier.com)
Enable IP Forwarding
Configure iptables
Required information[](#required-information "Direct link to Required information")
For Example:
Install ZeroTier[](#install-zerotier "Direct link to Install ZeroTier")
https://www.zerotier.com/download/
sudo zerotier-cli join $NETWORK_IDsudo zerotier-cli listnetworksAuthorize it at my.zerotier.com/network/$NETWORK_ID
The listnetworks output has the ZeroTier Interface name under <dev>
Configure the ZeroTier managed route[](#configure-the-zerotier-managed-route "Direct link to Configure the ZeroTier managed route")
At `my.zerotier.com/network/$NETWORK_ID`->`Settings`->`Managed Routes`
This adds another route to every device joined to the ZeroTier network.
For example:
Configure the destination route as slightly larger than the actual physical subnet, here /23 instead of /24 (a smaller number is a bigger subnet in this notation) This makes devices that are on both the physical and the ZeroTier network prefer the physical connection.
Enable IP forwarding[](#enable-ip-forwarding "Direct link to Enable IP forwarding")
This can vary depending on linux distribution. Typically:
Edit /etc/sysctl.conf to uncomment net.ipv4.ip_forward. This enables forwarding at boot.
To enable it now
sudo sysctl -w net.ipv4.ip_forward=1Configure iptables[](#configure-iptables "Direct link to Configure iptables")
Assign some shell variables (personalize these)
PHY_IFACE=eth0; ZT_IFACE=zt7nnig26Add rules to iptables
sudo iptables -t nat -A POSTROUTING -o $PHY_IFACE -j MASQUERADEsudo iptables -A FORWARD -i $PHY_IFACE -o $ZT_IFACE -m state --state RELATED,ESTABLISHED -j ACCEPTsudo iptables -A FORWARD -i $ZT_IFACE -o $PHY_IFACE -j ACCEPTSave iptables rules for next boot
sudo apt install iptables-persistentsudo bash -c iptables-save > /etc/iptables/rules.v4Test[](#test "Direct link to Test")
Turn off wifi on your phone
Join it to the zerotier network, authorize it
Try to access something on the physical LAN
Updated on: 12/07/2024
Thank you!