Zerotier install issues

I have something strange going on with my ZT install... hoping someone here may be able to help. Sometime during the install I've lost the ztxxxx interface that was, at least temporarily, visible in the realtime graphs section. Additionally, there is no zerotier-one in /var/lib... thus I have no interface showing up under ifconfig even though I am connected through the zerotier web interface. My zt 'interface' is present still but, as you'd imagine, there is no rx / tx... and inside the interface it shows my zt device but indicates 'absent' if I select the dropdown.

There seems to be something wrong with my system or the guide I've followed; I'm essentially stuck without a functional interface and am not sure how to proceed from here.

Much appreciate any guidance!

https://openwrt.org/docs/guide-user/troubleshooting/failsafe_and_factory_reset

Thanks, the issue I'm having is after resetting... or do you believe something hasn't been reset correctly? I've had a major headache with ZT for some reason.

Please connect to your OpenWrt device using ssh and copy the output of the following commands and post it here using the "Preformatted text </> " button:
Remember to redact passwords, MAC addresses and any public IP addresses you may have:

ubus call system board
cat /etc/config/network
cat /etc/config/dhcp
cat /etc/config/firewall
opkg list-installed zerotier
/etc/config/openwrt # ubus call system board
{
	"kernel": "5.15.134",
	"hostname": "OpenWrt",
	"system": "MediaTek MT7621 ver:1 eco:3",
	"model": "TP-Link ER605 v2",
	"board_name": "tplink,er605-v2",
	"rootfs_type": "squashfs",
	"release": {
		"distribution": "OpenWrt",
		"version": "23.05.0",
		"revision": "r23497-6637af95aa",
		"target": "ramips/mt7621",
		"description": "OpenWrt 23.05.0 r23497-6637af95aa"
	}
}
/etc/config/openwrt # cat /etc/config/network

config interface 'loopback'
	option device 'lo'
	option proto 'static'
	option ipaddr '127.0.0.1'
	option netmask '255.0.0.0'

config globals 'globals'
	option ula_prefix 'fd37:a8db:6772::/48'
	option packet_steering '1'

config device
	option name 'br-lan'
	option type 'bridge'
	list ports 'eth1'
	list ports 'eth2'
	list ports 'eth3'
	list ports 'eth4'

config device
	option name 'eth1'
	option macaddr

config device
	option name 'eth2'
	option macaddr

config device
	option name 'eth3'
	option macaddr 'AC

config device
	option name 'eth4'
	option macaddr '

config interface 'lan'
	option device 'br-lan'
	option proto 'static'
	option ipaddr '192.168.1.1'
	option netmask '255.255.255.0'
	option ip6assign '60'

config device
	option name 'eth0'
	option macaddr '

config interface 'wan'
	option device 'eth0'
	option proto 'dhcp'

config interface 'wan6'
	option device 'eth0'
	option proto 'dhcpv6'

config interface 'ZeroTier'
	option proto 'none'
	option device 'zt_net'

/etc/config/openwrt # cat /etc/config/dhcp

config dnsmasq
	option domainneeded '1'
	option boguspriv '1'
	option filterwin2k '0'
	option localise_queries '1'
	option rebind_protection '1'
	option rebind_localhost '1'
	option local '/lan/'
	option domain 'lan'
	option expandhosts '1'
	option nonegcache '0'
	option cachesize '1000'
	option authoritative '1'
	option readethers '1'
	option leasefile '/tmp/dhcp.leases'
	option resolvfile '/tmp/resolv.conf.d/resolv.conf.auto'
	option nonwildcard '1'
	option localservice '1'
	option ednspacket_max '1232'
	option filter_aaaa '0'
	option filter_a '0'

config dhcp 'lan'
	option interface 'lan'
	option start '100'
	option limit '150'
	option leasetime '12h'
	option dhcpv4 'server'
	option dhcpv6 'server'
	option ra 'server'
	option ra_slaac '1'
	list ra_flags 'managed-config'
	list ra_flags 'other-config'

config dhcp 'wan'
	option interface 'wan'
	option ignore '1'

config odhcpd 'odhcpd'
	option maindhcp '0'
	option leasefile '/tmp/hosts/odhcpd'
	option leasetrigger '/usr/sbin/odhcpd-update'
	option loglevel '4'

/etc/config/openwrt # cat /etc/config/firewall

config defaults
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'
	option synflood_protect '1'

config zone
	option name 'lan'
	list network 'lan'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'ACCEPT'

config zone
	option name 'wan'
	list network 'wan'
	list network 'wan6'
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'
	option masq '1'
	option mtu_fix '1'

config forwarding
	option src 'lan'
	option dest 'wan'

config rule
	option name 'Allow-ICMPv6-Forward'
	option src 'wan'
	option dest '*'
	option proto 'icmp'
	list icmp_type 'echo-request'
	list icmp_type 'echo-reply'
	list icmp_type 'destination-unreachable'
	list icmp_type 'packet-too-big'
	list icmp_type 'time-exceeded'
	list icmp_type 'bad-header'
	list icmp_type 'unknown-header-type'
	option limit '1000/sec'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-IPSec-ESP'
	option src 'wan'
	option dest 'lan'
	option proto 'esp'
	option target 'ACCEPT'

config rule
	option name 'Allow-ISAKMP'
	option src 'wan'
	option dest 'lan'
	option dest_port '500'
	option proto 'udp'
	option target 'ACCEPT'

config zone
	option name 'vpn'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'ACCEPT'
	option masq '1'
	list network 'ZeroTier'

config forwarding
	option src 'vpn'
	option dest 'lan'

config forwarding
	option src 'vpn'
	option dest 'wan'

config forwarding
	option src 'lan'
	option dest 'vpn'

config rule

config rule
	option name 'Allow-ZeroTier-Inbound'
	option src '*'
	option target 'ACCEPT'
	option proto 'udp'
	option dest_port '9993'

/etc/config/openwrt # opkg list-installed zerotier
zerotier - 1.2.8-1

Ok, you have not updated software for years...
With such an old version there is no telling whether the relic software no longer works with the cloud service or you configured something wrong.

Configs look default, but remove the empty "config rule" section from the firewall file (it has no impact on VPNs).

Upgrade to 23.05.5 (luci-apo-attendedsysupgrade is the user-friendliest way)
Try to get to zerotier now.

I just recently installed openwrt to this router and thought it was on 23.05 - I'm new to openwrt but not linux.

Tried your command anyhow - not sure if it's a package or command, tried both ways.

BusyBox v1.36.1 (2023-10-09 21:45:35 UTC) built-in shell (ash)

~ # luci-apo-attendedsysupgrade
ash: luci-apo-attendedsysupgrade: not found - no luck:

Unknown package 'luci-apo-attendedsysupgrade'.
Collected errors:

  • opkg_install_cmd: Cannot install package luci-apo-attendedsysupgrade.
    ~ # luci-apo-attendedsysupgrade
    ash: luci-apo-attendedsysupgrade: not found
    ~ # openwrt install luci-apo-attendedsysupgrade
    ash: openwrt: not found
    ~ # luci-apo-attendedsysupgrade
    ash: luci-apo-attendedsysupgrade: not found
    ~ # opkg install luci-apo-attendedsysupgrade
    Unknown package 'luci-apo-attendedsysupgrade'.
    Collected errors:
  • opkg_install_cmd: Cannot install package luci-apo-attendedsysupgrade.
    ~ #

That is a package adding sysupgrade option to the web interface

luci/system/software
refresh sources
search and install extension
log out log in
system/attended sysupgrade

after reboot with new software try zero tier again.

and you always have to click update before actually trying to install something.


I can't find it in the web gui either? I updated lists and filtered for the name you provided, no packages show available for Luci-apo-anything.

It is a typo, it is luci-app

my bad, it is luci-app-attendedsysupgrade , sorry for confusion.

No worries, I'm installing now but will be later today before I can get back to it. Thanks!

Good luck with that; repost any changed config files if you are still encountering issues.

The Zerotier process takes care of creating and configuring the interface. There will be very few references to zerotier in your /etc/config files. IP addresses and routes are centrally administered and pushed to your nodes.

One thing that is necessary is to put the zerotier interface into a firewall zone.

This "stub" interface was used in older versions of OpenWrt merely to attach a UCI network name for the firewall to the independently-created device name. It doesn't actually change anything in the kernel. (See also old instructions for OpenVPN which is the same situation). The "stub" interface definition is no longer necessary now that devices can be referenced directly in the firewall:

config zone 'lan'
    list device 'ztxxxxxxxxxx'
    ...

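Replace with the real name of the Zerotier device (which is hashed from your Zerotier network number) of course. Note that the zone you list the device under decides how much the router trusts Zerotier peers: under 'lan' every member of the Zerotier network is treated like a wired LAN host, so use a separate zone with tighter input/forward policies if the network has members you would not plug into your LAN.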

However you may want to keep the stub interface syntax in use since it will facilitate UCI based tools like ifstatus which Luci probably uses.


You folks are freaking great!!

That solved my interface issues and I'm up and running with one exception: I can see and ping all devices from each of my Macs but cannot hit the other computer... nor can I hit the computers from the router but can vice-versa. I'm even able to hit my phone while on a different network completely (finally no more of Siri not being able to find my dam phone from my HomePods!!) but have no communication between my two Mac machines.

MacBook-Pro to iMac-Pro: fail -- both directions
Router to either Mac: fail -- one way
Either Mac to router: connect -- one way

I added 0.0.0.0/0 and 128.0.0.0/1 managed routes in ZT Central in order to connect to my phone on a different network and that succeeded but has not had any impact on the above.

No firewall on either at present. Config below:

config interface 'loopback'
	option device 'lo'
	option proto 'static'
	option ipaddr '127.0.0.1'
	option netmask '255.0.0.0'

config globals 'globals'
	option ula_prefix 'fd7f:4002:a029::/48'
	option packet_steering '1'

config device
	option name 'br-lan'
	option type 'bridge'
	list ports 'eth1'
	list ports 'eth2'
	list ports 'eth3'
	list ports 'eth4'

config device
	option name 'eth1'
	option macaddr 

config device
	option name 'eth2'
	option macaddr 

config device
	option name 'eth3'
	option macaddr 

config device
	option name 'eth4'
	option macaddr 

config interface 'lan'
	option device 'br-lan'
	option proto 'static'
	option ipaddr '192.168.1.1'
	option netmask '255.255.255.0'
	option ip6assign '60'

config device
	option name 'eth0'
	option macaddr 

config interface 'wan'
	option device 'eth0'
	option proto 'dhcp'

config interface 'wan6'
	option device 'eth0'
	option proto 'dhcpv6'

config interface 'ZeroTier'
	option proto 'none'
	option device 'ztuzezd44e'

#####################################################

config defaults
	option syn_flood '1'
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'

config zone
	option name 'lan'
	list network 'lan'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'ACCEPT'

config zone
	option name 'wan'
	list network 'wan'
	list network 'wan6'
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'
	option masq '1'
	option mtu_fix '1'

config forwarding
	option src 'lan'
	option dest 'wan'

config rule
	option name 'Allow-DHCP-Renew'
	option src 'wan'
	option proto 'udp'
	option dest_port '68'
	option target 'ACCEPT'
	option family 'ipv4'

config rule
	option name 'Allow-Ping'
	option src 'wan'
	option proto 'icmp'
	option icmp_type 'echo-request'
	option family 'ipv4'
	option target 'ACCEPT'

config rule
	option name 'Allow-IGMP'
	option src 'wan'
	option proto 'igmp'
	option family 'ipv4'
	option target 'ACCEPT'

config rule
	option name 'Allow-DHCPv6'
	option src 'wan'
	option proto 'udp'
	option dest_port '546'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-MLD'
	option src 'wan'
	option proto 'icmp'
	option src_ip 'fe80::/10'
	list icmp_type '130/0'
	list icmp_type '131/0'
	list icmp_type '132/0'
	list icmp_type '143/0'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-ICMPv6-Input'
	option src 'wan'
	option proto 'icmp'
	list icmp_type 'echo-request'
	list icmp_type 'echo-reply'
	list icmp_type 'destination-unreachable'
	list icmp_type 'packet-too-big'
	list icmp_type 'time-exceeded'
	list icmp_type 'bad-header'
	list icmp_type 'unknown-header-type'
	list icmp_type 'router-solicitation'
	list icmp_type 'neighbour-solicitation'
	list icmp_type 'router-advertisement'
	list icmp_type 'neighbour-advertisement'
	option limit '1000/sec'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-ICMPv6-Forward'
	option src 'wan'
	option dest '*'
	option proto 'icmp'
	list icmp_type 'echo-request'
	list icmp_type 'echo-reply'
	list icmp_type 'destination-unreachable'
	list icmp_type 'packet-too-big'
	list icmp_type 'time-exceeded'
	list icmp_type 'bad-header'
	list icmp_type 'unknown-header-type'
	option limit '1000/sec'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-IPSec-ESP'
	option src 'wan'
	option dest 'lan'
	option proto 'esp'
	option target 'ACCEPT'

config rule
	option name 'Allow-ISAKMP'
	option src 'wan'
	option dest 'lan'
	option dest_port '500'
	option proto 'udp'
	option target 'ACCEPT'

config zone
	option name 'vpn'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'ACCEPT'
	option masq '1'
	list network 'ZeroTier'

config forwarding
	option src 'vpn'
	option dest 'lan'

config forwarding
	option src 'vpn'
	option dest 'wan'

config forwarding
	option src 'lan'
	option dest 'vpn'

#####################################################

config dnsmasq
	option domainneeded '1'
	option boguspriv '1'
	option filterwin2k '0'
	option localise_queries '1'
	option rebind_protection '1'
	option rebind_localhost '1'
	option local '/lan/'
	option domain 'lan'
	option expandhosts '1'
	option nonegcache '0'
	option cachesize '1000'
	option authoritative '1'
	option readethers '1'
	option leasefile '/tmp/dhcp.leases'
	option resolvfile '/tmp/resolv.conf.d/resolv.conf.auto'
	option nonwildcard '1'
	option localservice '1'
	option ednspacket_max '1232'
	option filter_aaaa '0'
	option filter_a '0'

config dhcp 'lan'
	option interface 'lan'
	option start '100'
	option limit '150'
	option leasetime '12h'
	option dhcpv4 'server'
	option dhcpv6 'server'
	option ra 'server'
	option ra_slaac '1'
	list ra_flags 'managed-config'
	list ra_flags 'other-config'

config dhcp 'wan'
	option interface 'wan'
	option ignore '1'

config odhcpd 'odhcpd'
	option maindhcp '0'
	option leasefile '/tmp/hosts/odhcpd'
	option leasetrigger '/usr/sbin/odhcpd-update'
	option loglevel '4'


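Maybe local firewalls come into play; nothing in your config blocks LAN pings: the lan and vpn zones both accept input and forward, and forwarding is allowed in both directions between them.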

I've disabled the firewall on both computers thinking the same and Private Relay is off in iCloud... no change.

Traffic finally looks as I'd expect on the ZT instance as well

Zerotier has its own extra filter if you ping across it; no idea how to configure/diagnose that.