Configuring as dedicated wireless VPN AP

I currently have a Netis N6 with owrt in dumb wireless AP mode downstream from an x86 owrt router.

My goal is to send all traffic from wireless clients through a ZeroTier VPN interface on the main router.

Presumably I can't set the "exit node" up on the wireless AP as it's not doing any routing. I can use the ZT option allowDefault=1, but that doesn't seem to work for any clients, wired or wireless, again presumably because of the firewall.

I've had a look at making this work using PBR but have no idea what to do there. If someone understands policy-based routing in LuCI, a pointer would be appreciated.

Say I have a client on the main router that has an IP 192.168.10.123, and I want to send all traffic from it via the ZeroTier tunnel (which is set up to route everywhere through a remote client). I open Policy Routing, add a policy setting the source address to 192.168.10.123 and the remote to 0.0.0.0/0 with the interface selected as zerotier.

This does nothing in combination with ZeroTier setting the default route:

root@OpenWrt:~# zerotier-cli set xxxxxxxxxxxxxxx0c27 allowDefault=1
{"allowDNS":false,"allowDefault":true,"allowGlobal":false,"allowManaged":true,"assignedAddresses":["192.168.196.20/24"],"bridge":true,"broadcastEnabled":true,"dhcp":false,"dns":{"domain":"","servers":[]},"id":"xxxxxxxxxxxxx","mac":"xxxxxxxxxx29:a0","mtu":2800,"multicastSubscriptions":[{"adi":0,"mac":"xxxxxxxx00:01"},{"adi":0,"mac":"xxxxxxxx0:00:01"},{"adi":0,"mac":"xxxxxxxxx00:02"},{"adi":0,"mac":"x0:00:00"xxxxxxxxxxxx},{"adi":0,"mac":"xxxxxxxxxxxx9:a0"}],"name":"zt_net","netconfRevision":267,"nwid":"xxxxxxxx10c27","portDeviceName":"zth6rjvwdc","portError":0,"routes":[{"flags":0,"metric":0,"target":"0.0.0.0/0","via":"192.168.196.17"},{"flags":0,"metric":0,"target":"192.168.1.0/24","via":"192.168.196.1"},{"flags":0,"metric":0,"target":"192.168.10.0/23","via":"192.168.196.20"},{"flags":0,"metric":0,"target":"192.168.196.0/24","via":null}],"status":"OK","type":"PRIVATE"}

Several other things have to be in place:

  • In Zerotier Central, install a 0.0.0.0/0 route which is via the tunnel IP address of the particular remote site where you want the Internet to go out from.
  • Make sure the router at that site allows forwarding from Zerotier to its wan interface. If that router is OpenWrt, it needs to have a zone for zerotier and a rule allowing forwarding from there to wan.
  • In the local router place the Zerotier interface in a firewall zone with masquerading enabled. This can be a new zone or the default wan. When you use wan, incoming connections over zerotier will be subject to the wan zone's input policies, (by default, block everything); you may or may not want that.

I may be stumbling on the firewall part; I really don't understand how it works. My brain just isn't wired the necessary way. This is what I have now (it's what I have on all my owrt routers with zt):

What is wrong here? It seems like everything is allowed in the vpn zone...

That should work for the local end. There is a lot of extra stuff though. All that is really needed as far as the local firewall is:

  • Forwarding lan=>vpn allowed. Remove the rule you added, the global lan=>vpn forward will work.
  • vpn zone has masquerade checked.

Do you also own the remote system that you're trying to forward to? As I mentioned, configuration there is also required.

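An added example (not code from the thread): a POSIX sh/awk sanity check for the local-firewall requirements named in the two replies above (ZeroTier interface in a zone with masquerading, lan=>that zone forwarding allowed), run against the text of `uci show firewall`. The zone names, the device name zth6rjvwdc (the portDeviceName in the JSON above) and the sample uci text are assumptions.

```shell
# Added example, not code from the thread: check the two local-firewall
# requirements the replies list against the text of `uci show firewall`:
# (1) the ZeroTier device, or the interface wrapping it, is in a zone with
# masquerading on; (2) a forwarding lan => that zone exists. Device name
# zth6rjvwdc (from the thread's JSON), zone names and sample text are assumed.
zt_fw_check() {   # $1 = uci show firewall output, $2 = ZT device/network name
    printf '%s\n' "$1" | tr -d "'" | awk -v dev="$2" '
    match($0, /^firewall\.@zone\[[0-9]+\]\./) {
        id = substr($0, 1, RLENGTH - 1)               # firewall.@zone[N]
        key = substr($0, RLENGTH + 1); sub(/=.*/, "", key)
        val = $0; sub(/^[^=]*=/, "", val)
        if (key == "name") name[id] = val
        if (key == "masq") masq[id] = val
        if (key == "device" || key == "network") {    # space-separated lists
            n = split(val, p, " ")
            for (i = 1; i <= n; i++) if (p[i] == dev) zt = id
        }
    }
    match($0, /^firewall\.@forwarding\[[0-9]+\]\./) {
        id = substr($0, 1, RLENGTH - 1)
        key = substr($0, RLENGTH + 1); sub(/=.*/, "", key)
        val = $0; sub(/^[^=]*=/, "", val)
        if (key == "src")  src[id]  = val
        if (key == "dest") dest[id] = val
    }
    END {
        if (zt == "") { print "FAIL: no zone contains " dev; exit 1 }
        zn = name[zt]; ok = 1
        if (masq[zt] == "1") print "OK: zone " zn " masquerades"
        else { print "FAIL: zone " zn " has masq off"; ok = 0 }
        fwd = 0
        for (f in src) if (src[f] == "lan" && dest[f] == zn) fwd = 1
        if (fwd) print "OK: lan => " zn " forwarding allowed"
        else { print "FAIL: no lan => " zn " forwarding"; ok = 0 }
        exit (ok ? 0 : 1)
    }'
}
SAMPLE_FW_OK="firewall.@zone[0]=zone
firewall.@zone[0].name='lan'
firewall.@zone[1]=zone
firewall.@zone[1].name='vpn'
firewall.@zone[1].device='zth6rjvwdc'
firewall.@zone[1].masq='1'
firewall.@forwarding[0]=forwarding
firewall.@forwarding[0].src='lan'
firewall.@forwarding[0].dest='vpn'"
# Same constructed config with masquerading off, to show a failing check.
SAMPLE_FW_NOMASQ=$(printf '%s\n' "$SAMPLE_FW_OK" | sed "s/masq='1'/masq='0'/")
zt_fw_check "$SAMPLE_FW_OK" zth6rjvwdc
zt_fw_check "$SAMPLE_FW_NOMASQ" zth6rjvwdc || echo "(check failed as expected)"
```

On the router itself run `zt_fw_check "$(uci show firewall)" zth6rjvwdc` (or pass the name of the unmanaged interface if the device is wrapped in one).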

I do - it's a VPS. Other devices do work when the zt client overrides the default (android, windows, Linux). This is my first try on owrt...

Would some config files shed light on what the issue could be?