Site to site VPN over ZT difficulties

Why is it so hard to get site to site working on ZT?

(native ZT node)<-> (ZT) <-> (Router) <-> (Non ZT Device) -----> this works

(Non ZT Device) <-> (Router) <-> (ZT) <-> (Router) <-> (Non ZT Device) ------> Nuthin!!

I can't seem to figure out why the FW keeps blocking traffic from another router, but any other native ZT node has complete access to either router's internal network just fine.

My example:
-ZT Network [ subnet (192.168.200.0/24) routes: (192.168.201.0/24 via 192.168.200.1), (192.168.202.0/24 via 192.168.200.2)]

-Router 1[ LAN (192.168.201.0/24), ZT Addr (192.168.200.1)]

-Router 2 [ LAN (192.168.202.0/24), ZT Addr (192.168.200.2)]

-etc

The native ZT nodes show up in the router's ARP table and also the routing table shows the routes configured in ZT, but the routers will block any traffic not coming from a native (PC or Mac based) node. I'm thinking it has something to do with the IPs not being on the same subnet, but I don't know why. If I was a network ninja I'd probably have this figured out, but alas I'm just a network novice. Thanks


Don't create a zerotier firewall zone, only add the zerotier network to the LAN zone.

Check the route table on both routers to confirm that the zerotier routes were installed:
192.168.200.0/24 zt0
192.168.201.0/24 gateway 192.168.200.1 zt0
192.168.202.0/24 gateway 192.168.200.2 zt0

Then try pinging the zerotier IPs, both your own and the one on the other router.

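The two checks the reply above asks for (routes installed, ZeroTier interface in the lan zone) as a script; this is an added example, not code from the thread or from OpenWrt or ZeroTier. It assumes the addressing from the first post, uses `ztREDACTED` as the kernel interface name and `zt0` as the OpenWrt interface name, and runs on constructed sample data so it works offline.

```shell
#!/bin/sh
# Added example (not from the thread): two checks for an OpenWrt + ZeroTier router.
# Both read stdin so live data can be piped in (ip route show | check_zt_routes ...;
# cat /etc/config/firewall | zt_in_lan_zone ...); constructed samples are used here.

# check_zt_routes IFACE EXPECTED < route-table; EXPECTED is "destination gateway"
# lines, gateway "-" meaning on-link. Prints ok/MISSING, returns 1 if any is absent.
check_zt_routes() {
    iface="$1"
    table=$(cat)
    missing=0
    while read -r dst gw; do
        [ -n "$dst" ] || continue
        if [ "$gw" = "-" ]; then pat="^$dst dev $iface"
        else pat="^$dst via $gw dev $iface"; fi
        if printf '%s\n' "$table" | grep -q "$pat"; then echo "ok      $dst"
        else echo "MISSING $dst"; missing=$((missing + 1)); fi
    done <<EOF
$2
EOF
    return $((missing > 0))
}

# zt_in_lan_zone ZTNAME < /etc/config/firewall; exit 0 if the zone whose
# option name is 'lan' lists ZTNAME (assumes the usual anonymous "config zone" layout).
zt_in_lan_zone() {
    awk -v zt="$1" -v q="'" '
        $1 == "config" && $2 == "zone" { inlan = 0 }
        $1 == "option" && $2 == "name" && $3 == (q "lan" q) { inlan = 1 }
        inlan && $1 == "list" && $2 == "network" && $3 == (q zt q) { found = 1 }
        END { exit found ? 0 : 1 }'
}

# Constructed samples modelled on the thread's addressing, as seen from Router 1
# (ztREDACTED = ZeroTier's kernel name); the route to Router 2's LAN never got installed.
SAMPLE_ROUTES="default via 10.0.0.1 dev eth0
192.168.200.0/24 dev ztREDACTED proto kernel scope link src 192.168.200.1
192.168.201.0/24 dev br-lan proto kernel scope link src 192.168.201.1"
EXPECTED_ROUTES="192.168.200.0/24 -
192.168.202.0/24 192.168.200.2"
SAMPLE_FIREWALL="config zone
    option name 'lan'
    list network 'lan'
    list network 'zt0'"

printf '%s\n' "$SAMPLE_ROUTES" | check_zt_routes ztREDACTED "$EXPECTED_ROUTES" \
    || echo "some ZeroTier routes are missing"
printf '%s\n' "$SAMPLE_FIREWALL" | zt_in_lan_zone zt0 && echo "zt0 is in the lan zone"
```

On each router, leave its own LAN out of the expected list, since that prefix is reached via br-lan rather than via the ZeroTier backbone.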

Hmm, I'm going to try that out now. Thanks!

Tried that and still no connectivity between routers. I feel it's something really simple, but I can't put my finger on it.

The good news is the setup you described is much faster to set up than what I was previously doing, so thank you for that at least. So right now I have full access to each network run by each router from my computer from anywhere, but neither router will talk to the other or allow traffic from each router's respective network to pass to the other.

GRRR

So an interesting note I found out is that while I can ping and access the router at 192.168.206.1, I cannot ping the router at 192.168.200.6. Maybe that has something to do with it. I'm not sure how to allow access to that since it is an unmanaged interface.

If I remember, the Zerotier daemon directly creates and configures the interface and adds routes to the routing table (if configured in the controller). So you need an "Unmanaged" dummy network to make OpenWrt aware of the new network. The interface under Zerotier's hashed name should have an IP on your Zerotier virtual network backbone.

There should be something like this in your /etc/config/network:

config interface 'zt0'
	option ifname 'ztREDACTED'
	option proto 'none'

It associates an OpenWrt name ("zt0") with the kernel name created by Zerotier.

Also when you examine the routing table with route or ip route show, you will see the kernel name 'ztREDACTED' not zt0 as I posted before.


Correct, that is there and accounted for.


Also this from ifconfig


Bump. Still need help, thanks.


Check your zerotier controller dashboard and run zerotier-cli peers on both nodes to confirm the other node is linked.

From the OpenWrt CLI, pinging your own backbone IP (192.168.200.X) and the other node's IP on the backbone should succeed without anything special as long as the zerotier interface is in the lan firewall zone and the route to that subnet points at the zerotier interface.


Thank you for the suggestion, I did as you suggested and here are the results

  1. Both routers I am having trouble with show online via zerotier-cli and listpeers shows the other nodes online properly, including the other router.

  2. I pinged via LuCI and CLI
    -pinging each router's own ZT address works.
    -pinging any other ZT address from either router doesn't work, even if it is a native node.
    -pinging either router's ZT address from a native node doesn't work.
    -pinging either router's LAN address from a native node works and I have admin access via that address.

It’s making me scratch my head, but hopefully is helpful.

Bump, still need help, thanks.


Bump. Still not solved.

Bump. I’m gonna keep bumping at most once a day until we get to the root of the problem and solve it.

Is ZeroTier worth all the hassle?
I mean, setting up a site-to-site connection is a typical task for WireGuard or OpenVPN.
Solving your problem with ZeroTier requires finding a person who uses this forum, understands ZeroTier better than you and is ready to help.
Given that the technology is quite exotic, the likelihood of finding such a person here is not optimistic.


Yes, but I am creating portable site to site networks that punch through firewalls and multiple NATs on all sides with zero on site configuration or access to the network I'm connected to. No opening ports or needing public IP addresses, because the networks I'm using are not mine. For example, when in a hotel I don't need to have any issues with lazy or incompetent IT staff to get a connection to a remote site; with ZT all I need is an internet drop. If there's anything else that can do that, I'm all ears.

I have gotten this to work on OPNsense; the issue with OPNsense is that it is really limited to hardwire only, whereas OpenWrt can use a multitude of ways to connect to the internet easily.


I really like Zerotier other than that you have to trust their central authority. I have not had anything like the OP's problems setting it up. Actually quite a bit easier than OpenVPN.


This is true, though theoretically the resources to roll your own root server are available if using their servers could be an issue.

In case you're still trying to get this to work, try changing your zt interface to static IP. Put the ZT IP address for your router as the interface IP. Mine works this way. I put an OpenWrt router with ZeroTier in my parents' house (and mine of course) and they can access the Plex server at my house. It's definitely not through Plex remote, as both our internet connections are through CGNAT.