Home PCs (no ZeroTier) -> Router A with ZeroTier client -> Internet -> Remote Router B with ZeroTier as server -> Remote home network
I just don't want to install the ZeroTier client on my "home PCs"; instead I want to install it on Router A. I want to do it this way to avoid installing it on every device attached to Router A.
Yes, it works the same as other layer 3 VPNs like WireGuard or OpenVPN.
Install the zerotier package on both routers. (It is large; 16/128 or more memory recommended.)
Open a free-level account (free allows 25 nodes) on my.zerotier.com and create a network of type Private.
Configure the network number into both routers /etc/config/zerotier and also change option enabled to 1. Restart the zerotier service.
Back on the zerotier controller, observe that both routers are now listed as unauthorized peers. Check the boxes on the left to authorize them.
On the controller, assign each router a unique IP address for a "backbone" network (a /24 range that you aren't using for anything else).
On the controller, configure routes to each LAN via the backbone address of that site's router. (If you also want all Internet use of site A to go through site B, configure a 0.0.0.0/0 route to site B.) These routes will be pushed to the peers and installed in their routing tables.
In OpenWrt create a firewall zone for the Zerotier interface (backbone) and set up forwarding to and from that zone.
Well, I could configure it. Both networks can see each other, but I had a problem when I wanted all Internet use of the network attached to Router A to go through Router B. I couldn't do it. The network attached to Router A gets its traffic to the Internet via Router A, and as I stated, I want this traffic to go to the Internet via Router B.
This is my environment as configured:
192.168.0.0/24 --- Router A - ISP Name: Claro (192.168.196.10) <------->(192.168.196.20) Router B ISP Name: Personal --- 192.168.2.0/24
As you can see below, a PC from the network 192.168.2.0/24 can reach 192.168.0.183.
As you can see below, a PC from the network 192.168.0.0/24 can reach 192.168.2.113.
Also you can see the routes added in the controller
And as you can see, when I do a traceroute to google.com.ar and check my public IP on a PC attached to Router A (192.168.0.0/24), the packets are routed via ISP Name: Claro, and they must be routed via Router B with ISP Name: Personal.
Everything you've done looks right (*). I haven't actually run a default route through ZeroTier before, though, so I'm going to test it myself now.
(*) Though some of your forwards should be removed. Don't forward from wan to any other zone. On Router A, which uses the VPN tunnel for all LAN Internet use, the forward from lan->wan should be removed. This forms a "kill switch" function: if the VPN does not work, the lan users will not inadvertently access the Internet directly.
OK, there is another step involved on Router A to enable ZeroTier to be the default route. This isn't directly supported in UCI, so it is a little complicated.
First, with ZeroTier running, run this command on Router A: zerotier-cli set <networkId> allowDefault=1
Use your 16-digit hex network ID number for <networkId>.
At this point you should be reaching the Internet through the Zerotier VPN tunnel to router B. But the change is only in RAM. To make it permanent, follow these instructions:
I made a directory /etc/config/zerotier.d instead of the suggested /etc/zerotier, as everything under /etc/config will automatically be kept when you update and save settings.
This only needs to be done on Router A, don't change anything on Router B.
The name is whatever names the top block of the /etc/config/zerotier file. Instead of uci commands, you can edit the file directly, adding these two options:
option config_path '/etc/config/zerotier.d'
option copy_config_path '1'
I'm having some trouble getting it to stay working on my test setup, but it could just be dodgy LTE service.
On my Router A, I just added the zerotier device to the lan firewall zone (and removed lan->wan forwarding). My Router B is the main router for several things, but the zerotier specific part was to set up a new zerotier zone and forward from lan to and from zerotier and from zerotier to wan.
Well, first of all, thanks very much @mk24. It works perfectly (and all devices attached to Router A go out to the Internet via Router B).
But I have a problem with this: "On Router A, which uses the VPN tunnel for all LAN Internet use (so far everything is perfect), the forward from lan->wan should be removed. This forms a 'kill switch' function: if the VPN does not work, the lan users will not inadvertently access the Internet directly."
I have done the configuration as you stated, but nothing happens. When the VPN does not work, the users attached to Router A can't reach the ISP related to Router A (ISP Name: Claro).
What do you think?
On A, nothing should forward to WAN. This will prevent lan clients from bypassing the VPN and accessing the Internet directly through the local ISP. LAN does forward to zerotier, and also zerotier to lan (if you want site B to be able to reach the LAN computers at A).
On B, zerotier always needs to forward to wan since that is how A uses the Internet.
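As an added example (not part of the thread, and not mk24's or the OpenWrt project's code), the POSIX shell script below renders the UCI fragments that the procedure in the first reply describes (the /etc/config/zerotier block, and the zerotier firewall zone with the site A / site B forwarding difference) and audits a firewall file for the kill switch discussed in the last two replies. Assumptions: the older zerotier package config format that joins networks with `list join`, ZeroTier interface names beginning with `zt` (hence the `zt+` wildcard device match), the stock `lan` and `wan` zone names, and `8056c2e21c000001` as a placeholder network ID only; the "before" firewall file is constructed here, not taken from the poster's router.

```shell
#!/bin/sh
# Added example, not code from the forum thread. Renders the OpenWrt UCI
# fragments for a ZeroTier site-to-site setup and audits router A's
# firewall for the "kill switch" (no forwarding to wan at all).
# Assumptions: older zerotier package config format (list join), ZeroTier
# interfaces named zt*, stock 'lan'/'wan' zones, placeholder network ID.

# A ZeroTier network ID is exactly 16 hex digits.
valid_nwid() {
    printf '%s' "$1" | grep -Eq '^[0-9a-fA-F]{16}$'
}

# Print /etc/config/zerotier for one router. Only site A gets the persistent
# config directory, so that allowDefault=1 survives a reboot.
render_zerotier_config() {
    nwid=$1; site=$2
    valid_nwid "$nwid" || { echo "bad network id: $nwid" >&2; return 2; }
    printf "config zerotier 'sample_config'\n"
    printf "\toption enabled '1'\n"
    printf "\tlist join '%s'\n" "$nwid"
    if [ "$site" = A ]; then
        printf "\toption config_path '/etc/config/zerotier.d'\n"
        printf "\toption copy_config_path '1'\n"
    fi
}

# One 'config forwarding' section: src zone -> dest zone.
fwd() {
    printf "config forwarding\n\toption src '%s'\n\toption dest '%s'\n\n" "$1" "$2"
}

# Print the zerotier zone and its forwardings. Site A never forwards to wan,
# so LAN clients cannot fall back to the local ISP when the tunnel is down.
# Site B must forward zerotier->wan because that is A's path to the Internet.
render_firewall_zone() {
    site=$1
    printf "config zone\n"
    printf "\toption name 'zerotier'\n"
    printf "\tlist device 'zt+'\n"          # assumption: zt* interface names
    printf "\toption input 'ACCEPT'\n"      # private network: peers may reach the router
    printf "\toption output 'ACCEPT'\n"
    printf "\toption forward 'REJECT'\n\n"
    fwd lan zerotier
    fwd zerotier lan
    [ "$site" = B ] && fwd zerotier wan
    return 0
}

# Kill-switch audit: read a UCI firewall file on stdin and return 0 only if
# no 'config forwarding' section has dest wan (quoted or unquoted).
check_no_wan_forward() {
    awk -v q="'" '
        /^config[ \t]+forwarding/ { infwd = 1; next }
        /^config[ \t]/             { infwd = 0 }
        infwd && $1 == "option" && $2 == "dest" {
            val = $3; gsub(q, "", val); gsub(/"/, "", val)
            if (val == "wan") found = 1
        }
        END { exit found ? 1 : 0 }'
}

# Constructed sample: a stock OpenWrt firewall file on router A before the fix,
# still carrying the default lan->wan forwarding that bypasses the tunnel.
SAMPLE_A_BEFORE="config zone
    option name 'lan'
    list network 'lan'
    option input 'ACCEPT'
    option output 'ACCEPT'
    option forward 'ACCEPT'

config zone
    option name 'wan'
    list network 'wan'
    option input 'REJECT'
    option output 'ACCEPT'
    option forward 'REJECT'
    option masq '1'

config forwarding
    option src 'lan'
    option dest 'wan'
"

# Usage: sh zt-site.sh demo
if [ "${1:-}" = demo ]; then
    render_zerotier_config 8056c2e21c000001 A
    render_firewall_zone A
    printf '%s\n' "$SAMPLE_A_BEFORE" | check_no_wan_forward \
        && echo "before: kill switch OK" \
        || echo "before: lan still forwards to wan, remove that section"
fi
```

On a real router the rendered text is appended to /etc/config/zerotier and /etc/config/firewall (or, as in mk24's own setup at A, the zt device is simply added to the lan zone and the lan->wan forwarding deleted), followed by `/etc/init.d/zerotier restart` and `/etc/init.d/firewall restart`. The audit is meant to be run on router A after editing, as `check_no_wan_forward < /etc/config/firewall`; it is expected to fail on router B, which must keep zerotier->wan.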