Migrating from reverse SSH to Zerotier tunnel problem

Hi. I want to substitute my SSH Reverse tunnel with Zerotier VPN

Until now:
Openwrt Router (with 3g dongle, no public ip) --------SSH Reverse with ports mapped ------> Ubuntu Server (with public ip and domain)

So, I currently access a service in remote openwrt lan through http://mydomain:port

Now, openwrt router and ubuntu server are joined to zerotier vpn.
Also, I added a static route to ubuntu server and I can ping lan devices in openwrt lan.

But I don't know how to access devices in the openwrt lan through domain:port on the ubuntu server.

I tested with iptables in ubuntu:

iptables -t nat -A PREROUTING -p tcp --dport 33333 -j DNAT --to-destination
iptables -t nat -A POSTROUTING -p tcp -d --dport 80 -j SNAT --to-source

is a device in openwrt lan, with open port 80. I can ping it from ubuntu server. is ubuntu server lan ip

When I do:

nmap -p 33333

says port 33333 is filtered (not closed)


check your firewall rules... or add the proper FORWARD/INPUT rulesets...etc... i.e.;

iptables -I FORWARD -i <ZEROLOCALIF> -m comment --comment "!fw3" -j zone_lan_forward

This doesn't require NAT. It is typically done with pure layer 3 routing.

What is missing from what you describe is the Zerotier backbone network. This is a third IP range which links your sites. Each site holds one IP on the backbone. These IPs are reserved for each site according to your settings on the Zerotier planet controller.

Site 1 (single Ubuntu machine)
Zerotier IP:
Route: via

Site 2 (OpenWrt router)
Zerotier IP:
Route: not needed
Firewall: add Zerotier network to the lan zone. Forwarding within the lan zone must be enabled.

The situation is very straightforward at the Ubuntu machine, it has a new IP address direct into the kernel at Since this netmask is /24, any traffic to 192.168.194.X will go out on this interface.

From the Ubuntu machine, a packet to will originate from its local interface and be forwarded through the gateway, which is the other side of the Zerotier tunnel. The OpenWrt router receives this packet and sends it to, a device on the LAN. The device responds to IP, which is a native network on the OpenWrt router so even without installation of a route it knows to send it into the Zerotier tunnel where the Ubuntu machine will receive it.

Access of the Ubuntu server from the OpenWrt lan is just to use Since the OpenWrt router is the default route for its LAN devices, this will work from any LAN device as well as the router itself.

If you wanted access to the range through the Ubuntu server, first you need a route on the OpenWrt router to that effect ( via and also since the Ubuntu server is not the default router for that network, devices on that LAN would need to have routes installed individually. Or a route in that network's router to bounce packets for via

The Zerotier client can install most of these routes automatically if configured on the Zerotier controller.


Trying to understand...

Rwrt: Router Openwrt LAN
Usrv: Ubuntu Server LAN
Risp: Router ISP (No Linux, No routes, only port forwarding)

Rwrt <------ ----- ZeroTier link ----- --------> Usrv ----> Risp

If I want to access (a device in Rwrt lan) through port forwarding in Risp I could configure PORT 33333 forward to, but Risp does not know this range and has no rules, so I must forward to (Usrv), and Usrv must map this port to the Rwrt lan. How can that be done without NAT?

I fully reset iptables and tried several FORWARD rules but no way.

iptables -t nat -A PREROUTING -p tcp --dport 33333 -j DNAT --to-destination
iptables -t nat -A POSTROUTING -p tcp -d --dport 80 -j SNAT --to-source

Curiously, these rules alone work perfectly if --to-destination is a local lan ip 192.168.1.x, but they fail when --to-destination is in the range 192.168.2.x

My routes:

Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
                                                UG    0      0        0 ztklhyl563
                                                U     0      0        0 eth0
                                                U     0      0        0 ztklhyl563
                                                UG    100    0        0 eth0

I can ping 192.168.2.x, but this range is not accepted as --to-destination.

Check while monitoring the following:

tcpdump -n -i any tcp port 33333 or tcp port 80

Most likely, your replies go to another gateway, so you need to either add a SNAT rule or redirect the gateway for the whole subnet.


Right, just that.

route add -net gw dev ztklhyl563

on the OpenWrt router SOLVES THE PROBLEM. I must add the route with an /etc/hotplug.d/iface script because the zerotier route 192.168.1./23 via overlaps the LAN 192.168.2. in openwrt.

Anyway, I am still intrigued about whether there is another alternative to NAT in this case.
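An added simulation (not code from the thread) of the routing decisions behind the last two replies: a longest-prefix-match lookup traced hop by hop shows the SNAT'd reply leaving the OpenWrt router through its 3G default route until a return route over the ZeroTier interface is added. All addresses, node names and interface names are constructed placeholders, not the thread's own values.

```python
import ipaddress

def lookup(routes, dst):
    """Longest-prefix match over [(prefix, gateway_or_None, iface)]; None if no route."""
    addr = ipaddress.ip_address(dst)
    hits = [(ipaddress.ip_network(p), gw, i) for p, gw, i in routes if addr in ipaddress.ip_network(p)]
    return max(hits, key=lambda r: r[0].prefixlen, default=None)
def trace(nodes, links, node, dst):
    """Follow a packet for dst hop by hop; returns the nodes visited plus DELIVERED/DROPPED."""
    path = [node]
    for _ in range(8):                           # hop limit guards against routing loops
        if dst in nodes[node]["addrs"]:
            return path + ["DELIVERED"]
        route = lookup(nodes[node]["routes"], dst)
        if route is None:
            return path + ["DROPPED"]            # no matching route at all
        _, gw, iface = route
        node = links.get((node, iface), {}).get(dst if gw is None else gw)
        if node is None:
            return path + ["DROPPED"]            # next hop is not on that link
        path.append(node)
    return path + ["DROPPED"]

# Constructed placeholder addressing (not the thread's own values): Ubuntu LAN 192.168.1.0/24,
# OpenWrt LAN 192.168.2.0/24, ZeroTier backbone 10.147.17.0/24. Gateway None means on-link.
NODES = {
    "ubuntu": {"addrs": {"192.168.1.10", "10.147.17.1"}, "routes": [
        ("192.168.1.0/24", None, "eth0"), ("10.147.17.0/24", None, "zt0"),
        ("192.168.2.0/24", "10.147.17.2", "zt0"), ("0.0.0.0/0", "192.168.1.1", "eth0")]},
    "openwrt": {"addrs": {"192.168.2.1", "10.147.17.2"}, "routes": [
        ("192.168.2.0/24", None, "br-lan"), ("10.147.17.0/24", None, "zt0"),
        ("0.0.0.0/0", "100.64.0.1", "wwan0")]},   # default route is the 3G uplink
    "device": {"addrs": {"192.168.2.50"}, "routes": [
        ("192.168.2.0/24", None, "eth0"), ("0.0.0.0/0", "192.168.2.1", "eth0")]},
    "carrier": {"addrs": set(), "routes": []},     # 3G network: no path back to RFC1918
}
LINKS = {("ubuntu", "zt0"): {"10.147.17.2": "openwrt"}, ("openwrt", "zt0"): {"10.147.17.1": "ubuntu"},
         ("openwrt", "br-lan"): {"192.168.2.50": "device"}, ("device", "eth0"): {"192.168.2.1": "openwrt"},
         ("openwrt", "wwan0"): {"100.64.0.1": "carrier"}}
def reply_path(nodes):
    """SNAT stamps Ubuntu's LAN IP on the request, so the device's SYN-ACK goes to 192.168.1.10."""
    return trace(nodes, LINKS, "device", "192.168.1.10")
def with_return_route(nodes):
    """Equivalent of the 'route add -net ... gw ... dev zt' fix applied on the OpenWrt router."""
    extra = [("192.168.1.0/24", "10.147.17.1", "zt0")]
    return dict(nodes, openwrt=dict(nodes["openwrt"], routes=nodes["openwrt"]["routes"] + extra))
if __name__ == "__main__":
    print("request:", trace(NODES, LINKS, "ubuntu", "192.168.2.50"))
    print("reply without return route:", reply_path(NODES))
    print("reply with return route:", reply_path(with_return_route(NODES)))
```

The same asymmetry is what the tcpdump check above makes visible: the SYN arrives at the device, but its SYN-ACK never comes back over the ZeroTier interface, so the external scanner reports the port as filtered.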

