Zerotier two sites, route all from one site

So, I am going nuts as I cant make it work, but I bet it is a simple fix.
Here is the scenario:

Site A:
Subnet: 10.112.1.0/24
Zerotier IP: 10.112.0.1
Gateway (ISP modem): 192.168.5.1

Site B
Subnet: 10.112.2.1/24
Zerotier IP: 10.112.0.2
Gateway (ISP modem): 192.168.1.1

Everything works regarding Zerotier, I can ping any device on Site A from Site B and vice versa.
Now I want to make Site A to use Site B ISP Gateway (192.168.1.1), aka, make VPN on Site A to go online through Site B.
I can ping 192.168.1.1 from Site A, and open modem configuration in browser.
But I am stuck here. What next? If I set manual route, nothing happens...
If I set on Zerotier interface to use default gateway, nothing happens...

Seems I cant route 0.0.0.0/0 through zerotier interface, or I am doing it completely wrong.

I even tried to play with gateway metric, no luck...

Please help me as I am losing my mind...

image


That requires a special configuration which is not supported by UCI or Luci.

  • On your Zerotier Central page, add a route 0.0.0.0/0 via the Zerotier IP of the "server" node that you want to be used as the VPN route to the Internet.
  • On the OpenWrt "client" node(s) that will be using the default route, bring up Zerotier then run on the CLI: zerotier-cli set <networkId> allowDefault=1 (use your 10 digit networkID number)
  • On the client(s), place the zerotier interface in the wan firewall zone, as (unless you have symmetric routing configured) this is the simplest way to NAT the LAN's Internet usage into the Zerotier tunnel. (This is standard OpenWrt configuration supported by Luci.)
  • On the client node(s), do the steps on this page under "Advanced Configuration" to make the Zerotier configuration change permanent.
    https://openwrt.org/docs/guide-user/services/vpn/zerotier#advanced_configuration
2 Likes

Thanks man, it works perfectly!

In what firewall zone should I put Zerotier interface at "Server" side? Do I need to enable masquerading? :thinking:

If you trust everything on the Zerotier network, you can place it in the lan zone. This also of course inherently allows lan-lan VPN access and forwarding from the remote lan to the local wan. If you make a new zone that has better control of access and forwarding though you'll need to write rules for what you do want to allow.

No. The only masquerade needed is the one already present on wan, which will masquerade all Internet use from either site to the one IPv4 address that the server site has. Zerotier encourages symmetric routing among LANs by pushing centrally-configured routes to the clients, and you should use that feature.

2 Likes

This topic was automatically closed 10 days after the last reply. New replies are no longer allowed.