Zerotier cannot connect to my OWRT router - firewall?

Need your support, again … :slight_smile:

I still have problems solving my DDNS access to home caused by CGNAT.
Temporarily I could use a different APN for my 5G ISP access, but that is not permanently allowed, so the public IPv4 is gone again.

My next try is now using Zerotier.
I found some guides and successfully set up Zerotier. I do have an IP assigned, the router is authorized, all seems OK - the only thing is I don’t know how to access my router/LAN now. :frowning:

root@Diele:~# zerotier-cli listnetworks
200 listnetworks <nwid> <name> <mac> <status> <type> <dev> <ZT assigned ips>
200 listnetworks 16xxxx Home-Network 32:a3:2d:db:14:ee OK PRIVATE ztexxxx 10.139.xxx.xxx/24
  • Can you please have a look if my Firewall settings are OK especially for destination and forward zone?
  • Do I also need to add a port forward?

I do have an interface “zerotier” and a zone is assigned

Zone settings

Traffic rule

Can you please support me here to get access via DDNS to my LAN?

With cgnat you cannot have access to your home directly, so DDNS is useless.

You need a "man in the middle" e.g. with zerotier, netbird, tailscale, a vps in the cloud etc.
But that does not use DDNS.

OK, Zerotier is up and running (see the config above).

I don’t fully understand the Zerotier functionality and I thought I can just connect now via DDNS.

If not via DDNS how do I access my LAN now, maybe this is a stupid question …..

With another zerotier client.

I do not know zerotier but e.g. for netbird there are clients for your phone, windows pc, etc.

OK, I will give it a try, I realized there is an Android app available.

But what about my immich and seafile server, running and set up using nginx, is that possible to reach?

Could you please have a look at the firewall settings I have added above, whether these are OK and if I need to add a port forward?

Thanks a lot

While cgnat is not very saturated, you can do what zerotier does

  • open a public port and assign ddns name to that address using natpmpc in a kind of script.

As said, I do not use zerotier, but your router uses it, and if your phone also has the zerotier client and it is set up correctly, your phone should have full access to your whole network including the servers.

Still having trouble connecting to my home network using the app on my android phone.

Played a bit with the firewall settings. In Zerotier gui (Web) I can see the OWRT router and my phone on “green”. When starting the Zerotier VPN it is immediately connecting but I cannot reach the router nor any other local IP address.

I assume something is wrong with my firewall settings; can somebody please check my firewall settings as shown above and also those I changed without success

and

Please connect to your OpenWrt device using ssh and copy the output of the following commands and post it here using the "Preformatted text </> " button (red circle; this works best in the 'Markdown' composer view in the blue oval):


Remember to redact passwords, VPN keys, MAC addresses and any public IP addresses you may have:

ubus call system board
cat /etc/config/network
cat /etc/config/wireless
cat /etc/config/dhcp
cat /etc/config/firewall

In the OpenWrt firewall, uncheck masquerading on zerotier. Make sure that forwarding is allowed from the zerotier zone to the zone containing the server.

In Zerotier Central, add a route to the server at home LAN via your home router's Zerotier tunnel IP. Also make sure the Zerotier routing table contains a LAN entry with the /24 of the Zerotier tunnel (containing both the phone and the router). These routes will be pushed into the phone's routing table when the phone connects. Then from the phone you would use the server's own LAN address. The server will see the phone's Zerotier address as the source.

It is not necessary to open any ports for a Zerotier tunnel. The Zerotier client makes outgoing connections which pass through default firewalls and multiple layers of NAT.
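As an added example (not part of this thread), a small Python linter that parses a posted /etc/config/firewall dump and reports whether the zerotier zone still has masq set, whether the zerotier -> lan forwarding exists, and whether an opened-port rule for the tunnel is present but unneeded; the sample input is a constructed subset of the config posted further down in this thread.

```python
# Added example: lint an OpenWrt UCI firewall dump for the ZeroTier-zone issues discussed above
# (masq on the zerotier zone, missing zerotier -> lan forwarding, unneeded "open port" rule).
import re

SECTION_RE = re.compile(r"^config\s+(\S+)(?:\s+'([^']*)')?\s*$")
OPTION_RE = re.compile(r"^\s*(option|list)\s+(\S+)\s+'(.*)'\s*$")

def parse_uci(text):
    """Return a list of {'type', 'name', 'opts'}; 'list' keys accumulate into Python lists."""
    sections = []
    for line in text.splitlines():
        m = SECTION_RE.match(line)
        if m:
            sections.append({"type": m.group(1), "name": m.group(2) or "", "opts": {}})
            continue
        m = OPTION_RE.match(line)
        if m and sections:
            kind, key, val = m.groups()
            opts = sections[-1]["opts"]
            if kind == "list":
                opts.setdefault(key, []).append(val)
            else:
                opts[key] = val
    return sections

def lint_zerotier_zone(sections, zt="zerotier", lan="lan"):
    """Return findings as strings; an empty list means the zone matches the advice in this reply."""
    zones = {s["opts"].get("name"): s["opts"] for s in sections if s["type"] == "zone"}
    fwd = {(s["opts"].get("src"), s["opts"].get("dest")) for s in sections if s["type"] == "forwarding"}
    if zt not in zones:
        return [f"no zone named {zt!r}"]
    findings = []
    if zones[zt].get("masq") == "1":
        findings.append(f"zone {zt}: masq is set; drop it so the LAN server sees the phone's ZeroTier source address")
    if (zt, lan) not in fwd:
        findings.append(f"missing forwarding {zt} -> {lan}")
    for s in sections:
        if s["type"] == "rule" and s["opts"].get("src") == zt and s["opts"].get("dest_port") == "9993":
            findings.append(f"rule {s['opts'].get('name')!r}: the tunnel needs no opened port; zone input is already {zones[zt].get('input')}")
    return findings

# Constructed sample: a subset of the zerotier-related sections from the firewall dump in this thread.
SAMPLE = """\
config zone
    option name 'zerotier'
    option input 'ACCEPT'
    option forward 'ACCEPT'
    option masq '1'

config rule
    option src 'zerotier'
    option name 'Allow-Zerotier'
    option dest_port '9993'
    option target 'ACCEPT'
"""
```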

root@Diele:~# ubus call system board
{
	"kernel": "6.6.119",
	"hostname": "Diele",
	"system": "ARMv8 Processor rev 4",
	"model": "Cudy WR3000S v1",
	"board_name": "cudy,wr3000s-v1",
	"rootfs_type": "squashfs",
	"release": {
		"distribution": "OpenWrt",
		"version": "24.10.5",
		"revision": "r29087-d9c5716d1d",
		"target": "mediatek/filogic",
		"description": "OpenWrt 24.10.5 r2",
		"builddate": "1766005702"
	}
}
root@Diele:~# cat /etc/config/network

config interface 'loopback'
	option device 'lo'
	option proto 'static'
	option ipaddr 'xxx.1'
	option netmask '255.0.0.0'

config globals 'globals'
	option ula_prefix 'fxxx::/48'
	option packet_steering '1'

config device
	option name 'br-lan'
	option type 'bridge'
	list ports 'lan1'
	list ports 'lan2'
	list ports 'lan3'
	list ports 'lan4'

config interface 'lan'
	option device 'br-lan.2'
	option proto 'static'
	option ipaddr '192.168.2.1'
	option netmask '255.255.255.0'
	option ip6assign '60'

config interface 'wan'
	option device 'wan'
	option proto 'dhcp'

config interface 'wan6'
	option device 'wan'
	option proto 'dhcpv6'
	option reqaddress 'try'
	option reqprefix 'auto'
	option norelease '1'

config interface 'guest'
	option proto 'static'
	option device 'br-lan.3'
	option ipaddr '192.168.3.1'
	option netmask '255.255.255.0'

config interface 'vpn'
	option proto 'static'
	option device 'br-lan.4'
	option ipaddr '192.168.4.1'
	option netmask '255.255.255.0'

config bridge-vlan
	option device 'br-lan'
	option vlan '2'
	list ports 'lan1:t'
	list ports 'lan2:t'
	list ports 'lan3:u*'
	list ports 'lan4:u*'

config bridge-vlan
	option device 'br-lan'
	option vlan '3'
	list ports 'lan1:t'
	list ports 'lan2:t'

config bridge-vlan
	option device 'br-lan'
	option vlan '4'
	list ports 'lan1:t'
	list ports 'lan2:t'

config interface 'wgserver'
	option proto 'wireguard'
	option private_key 'xxxSdfk0='
	option listen_port '5xxx3'
	list addresses 'xxx'
	list addresses 'xxxe2d::/48'

config wireguard_wgserver
	option description 'My Peer'
	option public_key 'pxxxKcptixSEz4='
	option private_key 'xxx9Fb3CL8WEF83679lo='
	option route_allowed_ips '1'
	option endpoint_port 'xxx3'
	option persistent_keepalive '25'
	list allowed_ips '1xxx2/32'

config wireguard_wgserver
	option description 'Tobi Peer'
	option public_key 'DxxxcFo='
	option private_key 'yxxxqOIzm7oxxhPGs='
	option route_allowed_ips '1'
	option endpoint_port '55443'
	option persistent_keepalive '25'
	list allowed_ips '172.22.22.3/32'

config interface 'wgclient'
	option proto 'wireguard'
	option private_key 'IxxxEQ='
	option mtu '1420'
	list addresses '1xxx32'
	list dns '1xxx1'

config wireguard_wgclient
	option description 'Imported peer configuration'
	option public_key 'xxxo='
	list allowed_ips '0.0.0.0/0'
	list allowed_ips '::0/0'
	list allowed_ips '::/1'
	list allowed_ips '8000::/1'
	option persistent_keepalive '25'
	option endpoint_host 'xxx1'
	option endpoint_port '5xxx'

config interface 'zerotier'
	option proto 'none'
	option device 'ztexxx'

root@Diele:~# cat /etc/config/wireless

config wifi-device 'radio0'
	option type 'mac80211'
	option path 'platform/soc/18000000.wifi'
	option band '2g'
	option channel '1'
	option htmode 'HE20'
	option cell_density '0'
	option country 'US'
	option txpower '23'

config wifi-iface 'default_radio0'
	option device 'radio0'
	option network 'lan'
	option mode 'ap'
	option ssid 'SEK'
	option encryption 'psk2'
	option key 'xxx'

config wifi-device 'radio1'
	option type 'mac80211'
	option path 'platform/soc/18000000.wifi+1'
	option band '5g'
	option channel '36'
	option htmode 'HE40'
	option txpower '20'
	option country 'US'
	option cell_density '0'

config wifi-iface 'default_radio1'
	option device 'radio1'
	option network 'lan'
	option mode 'ap'
	option ssid 'SEK'
	option encryption 'psk2'
	option key 'xxx'

config wifi-iface 'wifinet2'
	option device 'radio0'
	option mode 'ap'
	option ssid 'IoT'
	option encryption 'psk2'
	option key 'xxx'
	option network 'guest'

config wifi-iface 'wifinet3'
	option device 'radio1'
	option mode 'ap'
	option ssid 'IoT'
	option encryption 'psk2'
	option key 'xxx'
	option network 'guest'
	option disabled '1'

config wifi-iface 'wifinet4'
	option device 'radio0'
	option mode 'ap'
	option ssid 'VPN2'
	option encryption 'psk2'
	option key 'xxx'
	option network 'vpn'

config wifi-iface 'wifinet5'
	option device 'radio1'
	option mode 'ap'
	option ssid 'VPN'
	option encryption 'psk2'
	option key 'xxx'
	option network 'vpn'

root@Diele:~# cat /etc/config/dhcp

config dnsmasq
	option domainneeded '1'
	option localise_queries '1'
	option rebind_protection '1'
	option rebind_localhost '1'
	option local '/lan/'
	option domain 'lan'
	option expandhosts '1'
	option cachesize '1000'
	option authoritative '1'
	option readethers '1'
	option leasefile '/tmp/dhcp.leases'
	option resolvfile '/tmp/resolv.conf.d/resolv.conf.auto'
	option localservice '1'
	option ednspacket_max '1232'
	option sequential_ip '1'

config dhcp 'lan'
	option interface 'lan'
	option start '101'
	option limit '150'
	option leasetime '12h'
	option dhcpv4 'server'
	option dhcpv6 'server'
	option ra 'server'
	list ra_flags 'managed-config'
	list ra_flags 'other-config'

config dhcp 'wan'
	option interface 'wan'
	option ignore '1'

config odhcpd 'odhcpd'
	option maindhcp '0'
	option leasefile '/tmp/hosts/odhcpd'
	option leasetrigger '/usr/sbin/odhcpd-update'
	option loglevel '4'
	option piofolder '/tmp/odhcpd-piofolder'

config dhcp 'guest'
	option interface 'guest'
	option start '100'
	option limit '150'
	option leasetime '12h'

config dhcp 'vpn'
	option interface 'vpn'
	option start '100'
	option limit '150'
	option leasetime '12h'

config host
	option name 'BRW405BD8EAFF6B'
	option ip '192.168.2.250'
	list mac 'xxx'

root@Diele:~# cat /etc/config/firewall

config defaults
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'
	option synflood_protect '1'

config zone
	option name 'lan'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'ACCEPT'
	list network 'lan'
	list network 'wgserver'

config zone
	option name 'wan'
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'
	option masq '1'
	option mtu_fix '1'
	list network 'wan'
	list network 'wan6'
	list network 'wgclient'

config forwarding
	option src 'lan'
	option dest 'wan'

config rule
	option name 'Allow-DHCP-Renew'
	option src 'wan'
	option proto 'udp'
	option dest_port '68'
	option target 'ACCEPT'
	option family 'ipv4'

config rule
	option name 'Allow-Ping'
	option src 'wan'
	option proto 'icmp'
	option icmp_type 'echo-request'
	option family 'ipv4'
	option target 'ACCEPT'

config rule
	option name 'Allow-IGMP'
	option src 'wan'
	option proto 'igmp'
	option family 'ipv4'
	option target 'ACCEPT'

config rule
	option name 'Allow-DHCPv6'
	option src 'wan'
	option proto 'udp'
	option dest_port '546'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-MLD'
	option src 'wan'
	option proto 'icmp'
	option src_ip 'fe80::/10'
	list icmp_type '130/0'
	list icmp_type '131/0'
	list icmp_type '132/0'
	list icmp_type '143/0'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-ICMPv6-Input'
	option src 'wan'
	option proto 'icmp'
	list icmp_type 'echo-request'
	list icmp_type 'echo-reply'
	list icmp_type 'destination-unreachable'
	list icmp_type 'packet-too-big'
	list icmp_type 'time-exceeded'
	list icmp_type 'bad-header'
	list icmp_type 'unknown-header-type'
	list icmp_type 'router-solicitation'
	list icmp_type 'neighbour-solicitation'
	list icmp_type 'router-advertisement'
	list icmp_type 'neighbour-advertisement'
	option limit '1000/sec'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-ICMPv6-Forward'
	option src 'wan'
	option dest '*'
	option proto 'icmp'
	list icmp_type 'echo-request'
	list icmp_type 'echo-reply'
	list icmp_type 'destination-unreachable'
	list icmp_type 'packet-too-big'
	list icmp_type 'time-exceeded'
	list icmp_type 'bad-header'
	list icmp_type 'unknown-header-type'
	option limit '1000/sec'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-IPSec-ESP'
	option src 'wan'
	option dest 'lan'
	option proto 'esp'
	option target 'ACCEPT'

config rule
	option name 'Allow-ISAKMP'
	option src 'wan'
	option dest 'lan'
	option dest_port '500'
	option proto 'udp'
	option target 'ACCEPT'

config zone
	option name 'guest'
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'
	list network 'guest'

config forwarding
	option src 'guest'
	option dest 'wan'

config rule
	option src 'guest'
	option name 'Allow-DNS-Guest'
	option dest_port '53'
	option target 'ACCEPT'

config rule
	option src 'vpn'
	option name 'Allow-DNS-vpn'
	option dest_port '53'
	option target 'ACCEPT'

config rule
	option src 'guest'
	option name 'Allow-DHCP-Guest'
	list proto 'udp'
	option dest_port '67'
	option target 'ACCEPT'

config rule
	option src 'vpn'
	option name 'Allow-DHCP-vpn'
	list proto 'udp'
	option dest_port '67'
	option target 'ACCEPT'

config forwarding
	option src 'lan'
	option dest 'guest'

config redirect
	option dest 'lan'
	option target 'DNAT'
	option name 'NGINX 443'
	option src 'wan'
	option src_dport '443'
	option dest_ip '192.168.2.100'
	option dest_port '443'

config redirect
	option dest 'lan'
	option target 'DNAT'
	option name 'NGINX 80'
	option src 'wan'
	option src_dport '80'
	option dest_ip '192.168.2.100'
	option dest_port '80'

config rule
	option src 'wan'
	option name 'Allow-xxx-forWG'
	list proto 'udp'
	option dest_port 'xxx'
	option target 'ACCEPT'

config nat
	option name 'SNAT-WGServer'
	list proto 'all'
	option src 'lan'
	option src_ip '1xxx/24'
	option target 'MASQUERADE'

config zone
	option name 'vpn'
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'
	list network 'vpn'

config forwarding
	option src 'vpn'
	option dest 'wan'

config forwarding
	option src 'lan'
	option dest 'vpn'

config redirect
	option dest 'lan'
	option target 'DNAT'
	option name 'NGINX 2283 Immich'
	option src 'wan'
	option src_dport '2283'
	option dest_ip '192.168.2.100'
	option dest_port '2283'

config include 'pbr'
	option fw4_compatible '1'
	option type 'script'
	option path '/usr/share/pbr/firewall.include'

config zone
	option name 'zerotier'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'ACCEPT'
	list network 'zerotier'
	option masq '1'

config forwarding
	option src 'zerotier'
	option dest 'lan'

config forwarding
	option src 'wan'
	option dest 'zerotier'

config rule
	option src 'zerotier'
	option name 'Allow-Zerotier'
	list proto 'udp'
	option dest_port '9993'
	option target 'ACCEPT'

quite a lot …

Remove masq here

How should that look, and where do I set that?

Don’t know how and where to do that

What I tried without success is “allow ethernet bridging”

These are the zerotier IPs for my authorized devices

removed masq - reboot - still cannot access the router

I can see both on “green” and connected in zerotier central.

there is a little piece missing I assume …

I do connect with the android phone and get the message “connected” almost instantly

When now trying to reach my router on 192.168.2.1 it isn’t working, nor is any other LAN address, but I can access the internet!

Is anyone using zerotier on OpenWrt and an Android smartphone getting access to the router and LAN?

I can't find a way to install routes on the new Central. I have a legacy account and there is a route section on the network page in the legacy Central. According to this, there should be a Managed Routes section on your network-->settings tab, but I can't find it.

Edit: I found that Managed Routes are now a premium feature. The free plan does not include them.

OK they improve :-1:

So one solution would be to “not” to use the new central but the old version of Zerotier!
I assume the OWRT setup is not changed for these two Zerotier versions; it is just the Zerotier server that is different. I also assume the Android app remains the same as well, right?

Do you have maybe a link to a meaningful description for the old version installation process?

Thanks a lot

These are different versions of the Central account. The client on the router or the phone is the same for either. I don't think the legacy account system is available to new subscribers.

When you can't install a route on the endpoint phone, the workaround would be to use NAT and reverse NAT (redirect / port forward) at the router to forward port(s) from the router's Zerotier address to the server on the LAN.

Yes, I use it to access my IMMICH docker from my mobile. Works perfectly. Dead simple to setup.

One major misconception with ZT is that ZT requires firewall rules. ZT does not require any FW rules or zone settings. ZT runs over HTTPS and therefore traverses the firewall regardless of rules and zones, i.e. if you can browse the internet with chrome or firefox then ZT can do the same. I cannot SSH into my immich machine right now but it should go something like this…

  1. Install zerotier interface in openwrt. Do not modify any FW rules as it is not necessary.
  2. edit ZT configuration file on router and add in your ZT account id
  3. approve openwrt device in your ZT control panel
  4. ssh into openwrt router and run ip a or ifconfig and confirm your ZT interface now has a private ZT IP address (usually 10.147.10.x)
  5. on android or iphone download ZT app and enter your ZT account id
  6. approve android device in your ZT control panel
  7. on your android device click on ZT app and the network ID and you should see “status OK”

From this point on your android or iphone can now connect to your router over an encrypted HTTPS tunnel. You can test this by pinging your phone's ZT IP address from the openwrt router.

Hi, this is exactly what I did and I am stuck now because I cannot access my router/local lan.

I am playing a bit with the firewall settings, but this shouldn’t disturb anything because it is irrelevant, as you said.
What else could be wrong? Did you use zerotier central or the “old” version?