Routing all traffic through Home with ZeroTier on travel

While traveling, you may not want to put all of your devices on public Wi-Fi to reach the internet. The usual answer is a VPN, so that your traffic stays encrypted until it leaves a network you trust. But what if you don't have a VPN subscription?

There are a few options, but they are complex.

In this article we will look at how you can route all of your traffic, from anywhere, through your home network using ZeroTier, without a commercial VPN service.

This is Part 1 of a 2-part series. See Part 2 for configuring a travel router as the client.

What is ZeroTier?

ZeroTier describes itself as "a smart programmable Ethernet switch for planet Earth": it lets networked devices, VMs, containers and applications communicate as if they all sat in the same physical data center or cloud region. See the ZeroTier One GitHub repo.

How does it work?

I will not go too deep into ZeroTier's features here. At a high level, in the example below I have a Raspberry Pi at home running the ZeroTier One client and joined to a ZeroTier virtual network, and a phone with the ZeroTier One app joined to the same network. When ZeroTier is enabled on the phone, it can talk directly to the Raspberry Pi, or to any other device on that virtual network, wherever they are, even when both sides are behind NAT.

Peers first find each other through the root ("planet") servers hosted by ZeroTier (the software is open source, so you can also run your own roots), then try to set up a direct UDP connection between the two sites by hole punching through their NATs. If that succeeds, traffic flows over the direct path; if not, it is relayed through the root servers, which is slower. Either way the traffic is encrypted end to end between the two peers, so the roots only ever see ciphertext.
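Whether your traffic is taking the direct path or the slow relayed one is visible in `sudo zerotier-cli peers`. The script below, an added example and not part of the original post, parses that output and reports the path to a given peer (the gateway's node address, which you read from the Members list on my.zerotier.com) and lists any members that are currently relayed. The node addresses and the sample output used in the test are constructed.

```shell
#!/bin/sh
# Added example (not from the original post): is the ZeroTier path to a peer
# DIRECT (hole punch succeeded) or RELAY (going through the root servers)?
set -eu

# Columns of `zerotier-cli peers`:
#   <ztaddr> <ver> <role> <lat> <link> <lastTX> <lastRX> <path>
# Peer rows start with a 10-hex-char node address; the "200 peers" status line
# and the header row do not, so a length check filters them out. Relayed rows
# have no path column, so only print it when it is present.
peer_path() {
    # $1 = 10-char node address, $2 = output of `zerotier-cli peers`
    printf '%s\n' "$2" | awk -v a="$1" '
        length($1) == 10 && $1 == a && NF >= 5 {
            out = $3 "/" $5
            if (NF >= 8) out = out " " $8
            print out; exit
        }'
}

# All LEAF peers (other members, not roots) that are currently relayed.
relayed_leaves() {
    printf '%s\n' "$1" | awk 'length($1) == 10 && $3 == "LEAF" && $5 == "RELAY" { print $1 }'
}

if [ $# -ge 1 ]; then
    peers="$(sudo zerotier-cli peers)"
    echo "gateway $1: $(peer_path "$1" "$peers")"
    relayed="$(relayed_leaves "$peers")"
    [ -z "$relayed" ] || echo "relayed members (slow path): $relayed"
else
    echo "usage: $0 <gateway node address from the Members list on my.zerotier.com>" >&2
fi
```

Run it on the phone-side Linux box or on the travel router after the tunnel is up; a LEAF/RELAY result for the gateway means hole punching failed (typically a symmetric NAT on one side) and everything is going through ZeroTier's roots.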

As of this writing, a ZeroTier account allows up to 50 devices for free. You can register at my.zerotier.com.

I wanted all my traffic to go through my home securely wherever I am. So I configured a Raspberry Pi at home as a gateway joined to the ZeroTier virtual network. I also did not want to install ZeroTier on every device, so I configured a small GL.iNet travel router (OpenWrt) with the ZeroTier client; it routes all of its clients' traffic over the ZeroTier network to the Raspberry Pi at home, which in turn sends it out to the internet.

I will explain more about travel router configuration in Part-2.

What do you need?

  • A Raspberry Pi (Preferably 3/4)
  • Power Adapter for Raspberry Pi
  • Ethernet cable for connecting the Raspberry Pi to your home router.
  • Ubuntu OS for Raspberry Pi (I am using 20.04 LTS Server)
  • Android / iOS Mobile

Let us get started

Create a new ZeroTier Network

Go to my.zerotier.com and register an account if you have not already.

Click ‘Create A Network’ to create a new ZeroTier virtual network. This generates a unique 16-character (hexadecimal) network ID, which cannot be changed. Treat the ID as semi-sensitive: anyone who knows it can at least request to join.

When you open the network's details, you will see the Basic settings, where you can change the network name or add a description.

Under Access Control, Private (the default) means anyone who has the network ID can request to join, but you, as the network owner, must authorize each member before it can send or receive traffic. Leave it on Private; Public would let anyone with the ID join without approval.

ZeroTier Network Basic Settings

In the Advanced section, the network assigns an IP range for you by default, for example 10.147.18.0/24 as in the screenshot below. You may change this to any range that does not overlap your home LAN or the networks you will be connecting from; an overlap would make the managed routes ambiguous.

ZeroTier network Advanced configuration

Configure Raspberry Pi with ZeroTier

Download Ubuntu for Raspberry Pi and write it to an SD card with any imaging tool, or follow the steps in the Ubuntu tutorial for Raspberry Pi.

Set up and log in to the Raspberry Pi console, then install the ZeroTier One client:

curl -s https://install.zerotier.com | sudo bash

Piping a remote script straight into sudo bash runs whatever the server (or anyone who can tamper with the response) returns. At minimum, download the script to a file and read it before running it; ZeroTier's download page also documents a variant that checks the script's GPG signature first.

Join the Raspberry Pi to the ZeroTier network:

NETWORK_ID=<YourZTNetworkId>
sudo zerotier-cli join $NETWORK_ID

Authorize the device by going to https://my.zerotier.com/network/$NETWORK_ID in the Members section.

Now run ip addr (ifconfig is not installed by default on Ubuntu Server) or sudo zerotier-cli listnetworks on the Raspberry Pi; you should see a new interface (ztxxxxxxxx) with an IP from the ZT range (for example, 10.147.18.21). Until you authorize the member, listnetworks shows the status as ACCESS_DENIED rather than OK and no address is assigned.

Go to your network page on my.zerotier.com and add a Managed Route that sends all internet traffic via this IP. Under ‘Add Routes’, enter:

Destination: 0.0.0.0/0
Via: Raspberry Pi ZT IP (ex: 10.147.18.21)

Two caveats. First, members only honor a 0.0.0.0/0 managed route when they opt in (the Default Route option in the mobile app, allowDefault=1 in zerotier-cli); the Raspberry Pi itself must not opt in, or it would try to send its own upstream traffic back into the tunnel. Second, this route covers IPv4 only: a client that also has native IPv6 will keep sending IPv6 traffic directly unless you also give the network IPv6 addressing and a ::/0 route.

Enable IP Forwarding

Edit /etc/sysctl.conf and uncomment the net.ipv4.ip_forward=1 line so that forwarding is enabled at boot.

Enable it now by running

sudo sysctl -w net.ipv4.ip_forward=1

Configure iptables

Find your physical network interface name (ex: eth0) with ip link. Set the two variables below to the Raspberry Pi's physical interface name and ZeroTier interface name (plain names, no ‘$’ in the values).

PHY_IFACE=eth0
ZT_IFACE=ztxxxxxxx

Add the iptables rules below. They masquerade forwarded traffic behind the Pi's LAN address, allow new connections from the ZeroTier side out through the physical interface, and allow only replies back in. Note that as written they also let any authorized ZeroTier member reach devices on your home LAN through the Pi; if you only want internet access, add a rule dropping traffic from the ZeroTier interface destined to your LAN range ahead of the ACCEPT rule.

sudo iptables -t nat -A POSTROUTING -o $PHY_IFACE -j MASQUERADE
sudo iptables -A FORWARD -i $ZT_IFACE -o $PHY_IFACE -j ACCEPT
sudo iptables -A FORWARD -i $PHY_IFACE -o $ZT_IFACE -m state --state RELATED,ESTABLISHED -j ACCEPT

Save the iptables rules so they are loaded on boot. The redirection must run as root; otherwise your own shell tries to open /etc/iptables/rules.v4 and fails with ‘Permission denied’ (equivalently, run sudo netfilter-persistent save):

sudo apt install iptables-persistent
sudo sh -c 'iptables-save > /etc/iptables/rules.v4'
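The whole gateway procedure above (join, authorization check, forwarding, iptables, persistence) as one re-runnable script. This is an added example, not the author's code: NETWORK_ID, PHY_IFACE and LAN_CIDR are placeholders, the listnetworks row in the comment and in the test is constructed, and it goes a little beyond the text by keeping allowDefault off on the gateway, defaulting FORWARD to DROP, keeping ZeroTier members out of the home LAN, and checking each rule with -C before appending so a re-run does not duplicate rules.

```shell
#!/bin/sh
# Added example (not from the original post): the ZeroTier gateway setup as one
# script. NETWORK_ID, PHY_IFACE and LAN_CIDR are placeholders to replace.
set -eu

NETWORK_ID="${NETWORK_ID:-0123456789abcdef}"   # your 16-hex-char ZT network ID (placeholder)
PHY_IFACE="${PHY_IFACE:-eth0}"                 # the Pi's wired interface
LAN_CIDR="${LAN_CIDR:-192.168.1.0/24}"         # home LAN to keep ZT members out of; "" to allow

# Pick one field out of `zerotier-cli listnetworks` for one network. Constructed example row:
#   200 listnetworks 0123456789abcdef My Home Net 5a:1b:2c:3d:4e:5f OK PRIVATE ztabcdef12 10.147.18.21/24
# The network name may contain spaces, so anchor on the PUBLIC/PRIVATE column:
# status is the field before it, the zt* device is the field after it.
zt_field() {
    # $1 = status|dev, $2 = network ID, $3 = listnetworks output
    printf '%s\n' "$3" | awk -v want="$1" -v id="$2" '
        $1 == "200" && $2 == "listnetworks" && $3 == id {
            for (i = 4; i <= NF; i++)
                if ($i == "PUBLIC" || $i == "PRIVATE") {
                    out = (want == "status") ? $(i - 1) : $(i + 1)
                    print out; exit
                }
        }'
}

# iptables arguments (without the leading "iptables") for the gateway. The LAN
# drop sits before the ACCEPT so authorized members get the internet, not your LAN.
gateway_rules() {
    phy="$1"; zt="$2"; lan="$3"
    printf '%s\n' "-t nat -A POSTROUTING -o $phy -j MASQUERADE"
    if [ -n "$lan" ]; then
        printf '%s\n' "-A FORWARD -i $zt -o $phy -d $lan -j DROP"
    fi
    printf '%s\n' "-A FORWARD -i $zt -o $phy -j ACCEPT"
    printf '%s\n' "-A FORWARD -i $phy -o $zt -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT"
}

apply_gateway() {
    listing="$(sudo zerotier-cli listnetworks)"
    status="$(zt_field status "$NETWORK_ID" "$listing")"
    if [ "$status" != "OK" ]; then
        echo "network $NETWORK_ID is '${status:-not joined}'; authorize the Pi at my.zerotier.com first" >&2
        exit 1
    fi
    zt="$(zt_field dev "$NETWORK_ID" "$listing")"

    # The gateway must never adopt the 0.0.0.0/0 managed route itself.
    sudo zerotier-cli set "$NETWORK_ID" allowDefault=0 >/dev/null

    # Forwarding now and at boot (sysctl.d instead of editing sysctl.conf by hand).
    sudo sysctl -w net.ipv4.ip_forward=1 >/dev/null
    printf 'net.ipv4.ip_forward=1\n' | sudo tee /etc/sysctl.d/99-zt-gateway.conf >/dev/null

    # Default-deny forwarding, then add each rule only if it is not already present
    # (-C checks, -A appends), so re-running the script does not duplicate rules.
    sudo iptables -P FORWARD DROP
    gateway_rules "$PHY_IFACE" "$zt" "$LAN_CIDR" | while IFS= read -r rule; do
        check="$(printf '%s' "$rule" | sed 's/ -A / -C /')"
        # word splitting of $check/$rule into arguments is intended
        sudo iptables $check 2>/dev/null || sudo iptables $rule
    done

    # The redirection runs inside a root shell, or rules.v4 cannot be opened.
    sudo DEBIAN_FRONTEND=noninteractive apt-get install -y iptables-persistent
    sudo sh -c 'iptables-save > /etc/iptables/rules.v4'
    echo "gateway ready: $zt -> $PHY_IFACE"
}

case "${1:-}" in
    apply) apply_gateway ;;
    *) echo "dry run; pass 'apply' to configure this host. Rules that would be added (ZT interface shown as ztXXXXXXXX):"
       gateway_rules "$PHY_IFACE" "ztXXXXXXXX" "$LAN_CIDR" | sed 's/^/iptables /' ;;
esac
```

Run it with no arguments first to see the rules it would add, then with apply on the Pi after the member has been authorized. If you do want ZeroTier members to reach your home LAN (for example to hit a NAS), set LAN_CIDR to an empty string and the drop rule is omitted.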

Use a Mobile Phone as the Client

  • Go to your App Store / Play Store and install the ZeroTier One app.
  • Turn off Wi-Fi, open a browser, and note your current public IP at http://ifconfig.io.
  • In the ZeroTier One app, join the network by entering the network ID.
  • Enable the Default Route option. (Without this you can talk to other ZeroTier devices, but internet traffic will not be routed via the Raspberry Pi.)
  • Once the network is added, enable it.
  • Go to your ZeroTier network settings (my.zerotier.com) and authorize this device.
  • On your phone, go back to the browser and refresh the ifconfig.io page; you should now see your home public IP (or your ISP's public IP if you are behind CGNAT).

Conclusion

With this, we have configured the Raspberry Pi as a gateway on the ZeroTier network and can route traffic from anywhere through it. In Part 2 we will configure a mini travel router with ZeroTier, so that multiple devices connected to the router can send traffic via the gateway without installing the ZeroTier One client on each of them.


9 thoughts on “Routing all traffic through Home with ZeroTier on travel”

  1. Rafal

    Dear Hari,
    Thanks a lot for your article. Can the Raspberry Pi be replaced by a router or a Windows PC?
    Best regards,
    Rafal

  2. Heath

    Hi Hari, I get the following error when I run the first iptables command. Any idea why?
    All of the other commands run fine.
    sudo iptables -t nat -A POSTROUTING -o $eth0 -j MASQUERADE
    Bad argument `MASQUERADE’
    Try `iptables -h’ or ‘iptables –help’ for more information.

    1. Hari Krishna Vemula Post author

      Hi Heath,
      Sorry for the late reply. I hope your issue has been solved already.
      It looks like there is an extra ‘$’ before eth0; it should be just eth0 if that is the interface name.

      Regards,
      Hari

  3. Johhny

    sudo bash -c iptables-save > /etc/iptables/rules.v4
    -bash: /etc/iptables/rules.v4: Permission denied
    pi@rpizero:~ $
    With sudo su it goes through, but it is not persistent on reboot; I need to set the port forwarding again.
    Please advise.

    Also, I need to set the DNS option on the Android app, e.g. 8.8.8.8.

    1. Hari Krishna Vemula Post author

      Hi Johhny,
      Sorry for the late reply.
      Hope your issue on iptables has been resolved.
      I believe it is not required to set DNS specifically in the client unless you want to force it to use one.
      You can also install Pi-hole on the Raspberry Pi and use that as the DNS server for your clients.

      Regards,
      Hari

      1. bry

        I have the same issue with the config not being persistent after reboot. This is the error I get; it doesn’t prompt me to enter a password when running the command with sudo.

        -bash: /etc/iptables/rules.v4: Permission denied

  4. Sherif Omran

    Hi Hari,

    I have a different scenario: instead of your Raspberry Pi, I have an OpenWrt router connected to the internet and to the ZeroTier network. However, the routing inside this router does not go from ZeroTier to the LAN; the ZeroTier network is isolated from the LAN.
    Do you know how to adjust it?
    Thank you.

    1. jferreira

      Hopefully you have found a solution.
      But the answer to your problem here is that by default a firewall will drop packets.
      If you added ZeroTier to OpenWrt via a plugin and then connected to the ZeroTier network, you must now create a firewall rule to allow inbound traffic coming from the ZeroTier network to your internal LAN.
      Then in the ZeroTier dashboard you need to add a route to your internal LAN subnet, which could be something like 192.168.1.0/24, via the ZeroTier IP of your router.
      In addition, I added a second route in the dashboard to route all traffic through ZeroTier, with 0.0.0.0/0 as the destination and the router IP that ZeroTier assigned to it.
      Hopefully this will help you and others.
      I did this same setup with OPNsense and it works great.

