Install a Router as ZeroTier Client

Hi everyone, I want to deploy this scenario:

Home PCs (no zerotier) -> Router A with ZeroTier Client -> Internet -> Remote Router B with Zero Tier as Server ---> Remote Home network

I just don't want to install the ZeroTier client on my "home PCs"; instead, I want to install it on Router A. I want to do it this way to avoid installing it on every device attached to Router A.

Thanks and have a good day ahead

Yes it works the same as other layer 3 VPNs like Wireguard or OpenVPN.

  • Install the zerotier package on both routers. (It is large; 16/128 or more memory is recommended.)
  • Open a free-level account (free allows 25 nodes) on my.zerotier.com and create a network of type Private.
  • Configure the network number in both routers' /etc/config/zerotier and also change option enabled to 1. Restart the zerotier service.
  • Back on the zerotier controller, observe that both routers are now listed as unauthorized peers. Check the boxes on the left to authorize them.
  • On the controller, assign each router a unique IP address for a "backbone" network (a /24 range that you aren't using for anything else).
  • On the controller, configure routes to each LAN via the backbone address of that site's router. (If you also want all Internet use of site A to go through site B, configure a 0.0.0.0/0 route to site B). These routes will be pushed to the peers and installed in their routing tables.
  • In OpenWrt create a firewall zone for the Zerotier interface (backbone) and set up forwarding to and from that zone.
Thanks very much for your answer. You are so polite.
I will try to do the configuration and come back here to share comments or any doubts
Thanks.

About your last step
"In OpenWrt create a firewall zone for the Zerotier interface (backbone) and set up forwarding to and from that zone."

Should I do it on both routers? I mean on Router A and Router B.

Yes, I assume you want symmetric routing where all the LAN devices at site A can reach the LAN of site B and vice versa.

First, thanks for your answer.
No, I just want all Internet use of site A to go through site B.

Well, I could configure it. Both networks can see each other, but I had a problem when I wanted all Internet use of the network attached to Router A to go through Router B. I couldn't do it. The network attached to Router A gets its traffic to the Internet via Router A, and as I stated I want this traffic to go to the Internet via Router B.

This is my environment as configured:

192.168.0.0/24 --- Router A - ISP Name: Claro (192.168.196.10) <------->(192.168.196.20) Router B ISP Name: Personal --- 192.168.2.0/24

As you can see below, a PC from the network 192.168.2.0/24 can reach 192.168.0.183

As you can see below, a PC from the network 192.168.0.0/24 can reach 192.168.2.113

Also you can see the routes added in the controller

And as you can see, the members are OK.

The firewall zones on both routers are configured as you stated.

Router A

Router B

Details interfaces related to Router A

Details interfaces related to Router B

And as you can see, when I do a traceroute to google.com.ar and check my public IP on a PC attached to Router A (192.168.0.0/24), the packets are routed via ISP Name: Claro, and they must be routed via Router B with the ISP name Personal.

Could someone help me?

Thanks

What does route -n on Router A report?

Everything you've done looks right(*). I haven't actually run a default route through Zerotier before though, so I'm going to test it myself now.

  • though some of your forwards should be removed. Don't forward from wan to any other zone. On Router A that uses the VPN tunnel for all LAN Internet use, the forward from lan->wan should be removed. This forms a "kill switch" function where if the VPN does not work, the lan users will not inadvertently access the Internet directly.

OK there is another step involved on router A to enable Zerotier to be the default route. This isn't directly supported in UCI so it is a little complicated.

First, with Zerotier running, run this command on Router A:

    zerotier-cli set <networkId> allowDefault=1

Use your 16-digit hex network ID number for <networkId>.

At this point you should be reaching the Internet through the Zerotier VPN tunnel to router B. But the change is only in RAM. To make it permanent, follow these instructions:

I made a directory /etc/config/zerotier.d instead of the suggested /etc/zerotier, as everything under /etc/config will automatically be kept when you update and save settings.

This only needs to be done on Router A, don't change anything on Router B.

Look, these are the results of the command route -n on Router A:

I have modified the "forwardings" from wan to any other zone.
Router B

About the firewall zones related to Router A, I have modified them as you requested:

So far both networks can see each other, but devices attached to Router A can't go out to the Internet.

Devices Attached to Router A

Devices Attached to Router B

But there is an issue when I want to execute the command on Router A as you requested.

It works, mate.
The firewall zone on Router A should be set up this way:

And then I could execute the command stated by you without any problem:

    zerotier-cli set <networkId> allowDefault=1

I love you. :heart_eyes:

Now I should configure it to make it permanent, I mean after a reboot or after a power outage.

I don't understand how to get the name.

Which name should I put in my case?

uci set zerotier.xxxxxxxx.config_path='/etc/zerotier.d'
uci set zerotier.xxxxxxxx.copy_config_path='1'
uci commit zerotier
/etc/init.d/zerotier restart

:thinking:

The name is whatever names the top block of the /etc/config/zerotier file. Instead of uci commands, you can edit the file directly, adding these two options:

    option config_path '/etc/config/zerotier.d'
    option copy_config_path '1'

I'm having some trouble getting it to stay working on my test setup, but it could just be dodgy LTE service.

Also, I'm having issues navigating via Router B.

Perhaps we are forgetting some configuration. If you want, I could send you the config file for this test environment via PM.

On my Router A, I just added the zerotier device to the lan firewall zone (and removed lan->wan forwarding). My Router B is the main router for several things, but the zerotier specific part was to set up a new zerotier zone and forward from lan to and from zerotier and from zerotier to wan.

Something like this?
ROUTER A

ROUTER B

Well, first of all thanks very much @mk24. It works perfectly (and all devices attached to Router A go out to the Internet via Router B) :grinning: :blush:
But I have a problem with this:
On Router A that uses the VPN tunnel for all LAN Internet use (so far everything is perfect), the forward from lan->wan should be removed. This forms a "kill switch" function where if the VPN does not work, the lan users will not inadvertently access the Internet directly.
I have done the configuration as you stated but nothing happens. When the VPN does not work, the users attached to Router A can't reach the ISP related to Router A, ISP Name: Claro.
What do you think?

On A, nothing should forward to WAN. This will prevent lan clients from bypassing the VPN and accessing the Internet directly through the local ISP. LAN does forward to zerotier, and also zerotier to lan (if you want site B to be able to reach the LAN computers at A).

On B, zerotier always needs to forward to wan since that is how A uses the Internet.
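To put mk24's step list and the zone layout summarised in these last two posts into config form, here is the relevant part of the UCI files for both routers. This is an added example, not configuration from anyone in the thread. Assumptions: the top block in /etc/config/zerotier is named 'sample_config', the network ID is a placeholder, the ZeroTier interface is matched with the device wildcard 'zt+', and Router B already has its usual wan zone with masq '1'.

```uci
# /etc/config/zerotier on Router A: block name and network ID are placeholders,
# use the name your own file shows and the 16-digit ID from the controller
config zerotier 'sample_config'
	option enabled '1'
	option config_path '/etc/config/zerotier.d'   # keeps allowDefault=1 across reboots
	option copy_config_path '1'
	list join 'XXXXXXXXXXXXXXXX'

# /etc/config/firewall on Router A: the ZeroTier device is placed in the lan zone,
# and there is deliberately NO "config forwarding" from lan to wan. If the tunnel
# is down, LAN clients lose Internet access instead of leaking out via Claro.
config zone
	option name 'lan'
	list network 'lan'
	list device 'zt+'          # assumption: ZeroTier interfaces are named zt<hex>
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'ACCEPT'    # lets lan <-> zt traffic pass inside the same zone

config zone
	option name 'wan'
	list network 'wan'
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'
	option masq '1'

# /etc/config/firewall on Router B: a dedicated zerotier zone with forwarding
# lan <-> zerotier and zerotier -> wan (site A's traffic is NATed by B's wan masq)
config zone
	option name 'zerotier'
	list device 'zt+'
	option input 'ACCEPT'      # tighten to REJECT if B itself need not be reachable from A
	option output 'ACCEPT'
	option forward 'REJECT'

config forwarding
	option src 'lan'
	option dest 'zerotier'

config forwarding
	option src 'zerotier'
	option dest 'lan'

config forwarding
	option src 'zerotier'
	option dest 'wan'
```

After editing, run /etc/init.d/firewall restart on each router and confirm from a Router A LAN client that the public IP shown is Router B's ISP (Personal); with the tunnel stopped on A, that client should get no Internet at all.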