Hi. I want to substitute my SSH reverse tunnel with a ZeroTier VPN.
Until now:
OpenWrt router (with 3G dongle, no public IP) --------SSH reverse tunnel with ports mapped ------> Ubuntu server (with public IP and domain)
So, I currently access a service in the remote OpenWrt LAN through http://mydomain:port
Now, the OpenWrt router and the Ubuntu server are joined to the ZeroTier VPN.
Also, I added a static route on the Ubuntu server and I can ping LAN devices in the OpenWrt LAN.
But I don't know how to reach devices in the OpenWrt LAN via domain:port on the Ubuntu server.
This doesn't require NAT. It is typically done with pure layer 3 routing.
What is missing from what you describe is the Zerotier backbone network. This is a third IP range which links your sites. Each site holds one IP on the backbone. These IPs are reserved for each site according to your settings on the Zerotier planet controller.
Site 1 (single Ubuntu machine)
Zerotier IP: 192.168.194.1/24
Route: 192.168.2.0/24 via 192.168.194.2
Site 2 (OpenWrt router)
Zerotier IP: 192.168.194.2/24
LAN: 192.168.2.1/24
Route: not needed
Firewall: add Zerotier network to the lan zone. Forwarding within the lan zone must be enabled.
The situation is very straightforward at the Ubuntu machine: it has a new IP address direct into the kernel at 192.168.194.1. Since this netmask is /24, any traffic to 192.168.194.X will go out on this interface.
From the Ubuntu machine, a packet to 192.168.2.10 will originate from its local interface 192.168.194.1 and be forwarded through the gateway 192.168.194.2, which is the other side of the Zerotier tunnel. The OpenWrt router receives this packet and sends it to 192.168.2.10, a device on the LAN. The device responds to IP 192.168.194.1, which is a native network on the OpenWrt router so even without installation of a route it knows to send it into the Zerotier tunnel where the Ubuntu machine will receive it.
Access of the Ubuntu server from the OpenWrt lan is just to use 192.168.194.1. Since the OpenWrt router is the default route for its LAN devices, this will work from any LAN device as well as the router itself.
If you wanted access to the 192.168.1.0 range through the Ubuntu server, first you need a route on the OpenWrt router to that effect (192.168.1.0/24 via 192.168.194.1) and also since the Ubuntu server is not the default router for that network, devices on that LAN would need to have routes installed individually. Or a route in that network's router to bounce packets for 192.168.2.0/24 via 192.168.1.7.
The Zerotier client can install most of these routes automatically if configured on the Zerotier controller.
If I want to access 192.168.2.11 (a device in the Rwrt LAN) through port forwarding in Risp, I could configure port 33333 to forward to 192.168.2.11:80, but Risp does not know this range and has no rules for it, so I must forward to 192.168.1.7:33333 (Usrv), and Usrv must map this port to the Rwrt LAN. How can that be done without NAT?
Curiously, these rules work perfectly if --to-destination is a local LAN IP 192.168.1.x, but they fail when --to-destination is in the range 192.168.2.x
My routes:
Destination     Gateway         Genmask         Flags Metric Ref Use Iface
192.168.2.0     192.168.194.2   255.255.255.0   UG    0      0   0   ztklhyl563
192.168.1.0     0.0.0.0         255.255.255.0   U     0      0   0   eth0
192.168.194.0   0.0.0.0         255.255.255.0   U     0      0   0   ztklhyl563
0.0.0.0         192.168.1.1     0.0.0.0         UG    100    0   0   eth0
I can ping 192.168.2.x, but this range is not accepted as --to-destination.
route add -net 192.168.1.0/24 gw 192.168.194.1 dev ztklhyl563
on the OpenWrt router SOLVES THE PROBLEM. I must add the route with an /etc/hotplug.d/iface script because the ZeroTier route 192.168.1./23 via 192.168.194.1 overlaps the LAN 192.168.2. in OpenWrt.
Anyway, I am still intrigued about whether there is another alternative to NAT in this case.
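To make the routing explanation in the answer above and the fix in the last post concrete, here is an added example (not code from anyone in the thread) that simulates longest-prefix-match route lookup over the tables described: the Ubuntu table as posted, and the OpenWrt table before and after the extra 192.168.1.0/24 route. It assumes the forwarded traffic originates from the 192.168.1.0/24 side, and the OpenWrt 3G interface name (wwan0) and carrier gateway (10.0.0.1) are constructed placeholders.

```python
import ipaddress

def next_hop(table, dst):
    """Longest-prefix match over a list of (network, gateway, iface).
    Returns (gateway, iface); gateway is None when directly connected."""
    dst = ipaddress.ip_address(dst)
    best = None
    for net, gw, dev in table:
        net = ipaddress.ip_network(net)
        if dst in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, gw, dev)
    if best is None:
        raise LookupError(f"no route to {dst}")
    return best[1], best[2]

# Ubuntu server: transcribed from the route table posted in the thread.
UBUNTU = [
    ("192.168.2.0/24",   "192.168.194.2", "ztklhyl563"),
    ("192.168.1.0/24",   None,            "eth0"),
    ("192.168.194.0/24", None,            "ztklhyl563"),
    ("0.0.0.0/0",        "192.168.1.1",   "eth0"),
]

# OpenWrt router before the fix: LAN and ZeroTier are connected networks,
# everything else leaves via the 3G dongle (wwan0 / 10.0.0.1 are constructed).
OPENWRT_BEFORE = [
    ("192.168.2.0/24",   None,       "br-lan"),
    ("192.168.194.0/24", None,       "ztklhyl563"),
    ("0.0.0.0/0",        "10.0.0.1", "wwan0"),
]

# After: route add -net 192.168.1.0/24 gw 192.168.194.1 dev ztklhyl563
OPENWRT_AFTER = OPENWRT_BEFORE + [("192.168.1.0/24", "192.168.194.1", "ztklhyl563")]

def reply_via_tunnel(router_table, src, tunnel_dev="ztklhyl563"):
    """True when the router's reply to a packet from src leaves over the
    ZeroTier interface, so the DNAT state created on the Ubuntu side sees
    the return traffic; False means the reply goes out the 3G default route."""
    return next_hop(router_table, src)[1] == tunnel_dev

if __name__ == "__main__":
    print("Ubuntu -> 192.168.2.10 via", next_hop(UBUNTU, "192.168.2.10"))
    print("OpenWrt reply to 192.168.1.7 before fix:", next_hop(OPENWRT_BEFORE, "192.168.1.7"))
    print("OpenWrt reply to 192.168.1.7 after fix: ", next_hop(OPENWRT_AFTER, "192.168.1.7"))
```

The before/after lookups show why the DNAT rule targeting 192.168.2.x failed: without the return route the router sends replies to 192.168.1.x out the default (3G) path, so the forwarded connection never completes.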