Routing all traffic through Home with ZeroTier on travel

While you are traveling, you may not want to connect all your devices to public wifi to access the internet, so the solution is to use a VPN to securely access the internet. However if you don’t have a VPN subscription, then how?

There may be a couple of options but complex.

In this article, we will look at how you can route all your traffic from anywhere via your home using ZeroTier without VPN.

This is Part-1 of 2 part series. Check out Part-2 for configuring a travel router as client.

What is ZeroTier?

ZeroTier is a smart programmable Ethernet switch for planet Earth. It allows all networked devices, VMs, containers, and applications to communicate as if they all reside in the same physical data center or cloud region. Refer ZeroTier One github repo.

How it works?

I will not go too in-depth into ZT features and what is it capable of. At a high level, In the below example, I have a raspberry pi running at my home with ZeroTier One client and connected to ZeroTier virtual network. And on my mobile, I have ZeroTier One client installed and connected to the same virtual network. When I enable the ZeroTier connectivity, it can directly talk to raspberry pi or any other device connected to the same virtual network wherever they are and even behind the NAT.

The way it works is, the Peer-to-Peer connection will be initiated via the Planet Servers hosted by ZeroTier (You can also host your own if you would like to, it is opensource), and once the connection is established, it will try to create a UDP hole punch between these 2 networks. If successful, the network traffic will travel via the direct connection (it’s all encrypted). In case of any issues, it will route the traffic via Planet servers (which may be slow).

ZeroTier account provides up to 50 devices for free as of today. You can register at my.zerotier.com

I wanted to send all my traffic through my home securely wherever I am. So, I have configured Raspberry Pi at Home as Gateway and connected to Zerotier virtual network. And I do not want to install ZeroTier on all my devices, so I have configured a small Travel router from GL.iNet (OpenWrt) with ZeroTier client and routing any of its client traffic via ZeroTier network to my Home Raspberry Pi, which intern sends traffic out to the internet.

I will explain more about travel router configuration in Part-2.

What do you need?

  • A Raspberry Pi (Preferably 3/4)
  • Power Adapter for Raspberry Pi
  • Ethernet cable for connecting Raspberry Pi to your Home Router.
  • Ubuntu OS for Raspberry Pi (I am using 20.04 LTS Server)
  • Android / iOS Mobile

Let us get started

Create a new ZeroTier Network

Go to my.zerotier.com and register a new account if not done so.

Click on ‘Create A Network’ to create a new ZeroTier virtual network. Which creates a 16 character unique network id. You can not change the network id.

When you go into the details of the network, you can see the Basic settings, where you can change the network name or add a description.

Access Control Private allows anyone who has this network id to join your network, however, you as the owner of this network need to approve.

ZeroTier Network Basic Settings
ZeroTier Network Basic Settings

In the Advanced section, by default, the network will assign an IP range for you, for example, 10.147.18.0/24 as shown in the below screenshot. You may change this to any available IP range which is not conflicting with your internal IP ranges.

ZeroTier network Advanced configuration

Configure Raspberry Pi with ZeroTier

Download the Ubuntu for Raspberry Pi and create the bootable SD card using any of the imaging software. Or You may follow the steps defined in this Ubuntu tutorial for Raspberry Pi.

Setup & Login to the Raspberry Pi console, and install the ZeroTier One client.

curl -s https://install.zerotier.com | sudo bash

Join Raspberry Pi to ZeroTier network

NETWORK_ID=<YourZTNetworkId>
sudo zerotier-cli join $NETWORK_ID

Authorize the device by going to https://my.zerotier.com/network/$NETWORK_ID in the Members section.

Now if you run ifconfig in your raspberry pi, you should see a new interface (ztxxxxxxxx) with IP from ZT network. (Example, 10.147.18.21).

Go to your network page on my.zerotier.com and add a Managed Route to route all internet traffic via this IP. Under ‘Add Routes’, use the below information to create a route.

Destination(Via)
0.0.0.0/0Raspberry Pi IP (ex: 10.147.18.21)

Enable IP Forwarding

Edit /etc/sysctl.conf to uncomment net.ipv4.ip_forward. This enables forwarding at boot.

Enable it now by running

sudo sysctl -w net.ipv4.ip_forward=1

Configure iptables

Find out your physical network interface name (ex: eth0). Modify the below with Raspberry Pi physical network interface name, ZeroTier interface name.

PHY_IFACE=eth0
ZT_IFACE=ztxxxxxxx

Add below iptable rules

sudo iptables -t nat -A POSTROUTING -o $PHY_IFACE -j MASQUERADE
sudo iptables -A FORWARD -i $ZT_IFACE -o $PHY_IFACE -j ACCEPT
sudo iptables -A FORWARD -i $PHY_IFACE -o $ZT_IFACE -m state --state RELATED,ESTABLISHED -j ACCEPT

Save iptable rules for loading on boot.

sudo apt install iptables-persistent
sudo bash -c iptables-save > /etc/iptables/rules.v4

Use Mobile Phone as Client

  • Go to Your App Store / Play Store and download ZeroTier One app.
  • Turn off Wifi, Go to browser, and find out your public IP using http://ifconfig.io
  • In the ZeroTier One app, Join the network by entering the network id.
  • Enable Default Route option. (Without this, you can talk to other ZeroTier devices but the internet traffic won’t be routed via Raspberry Pi).
  • Once the network is added, enable the network.
  • Goto your Zerotier network settings (my.zerotier.com), and Authorize this device.
  • In your phone, go back to browser and refresh the ifconfig.io page, now you should see your home public IP (or ISP public IP if CGNAT)

Conclusion

With this, we are able to configure Raspberry Pi with ZeroTier network as Gateway and able to route traffic from anywhere via this gateway at home. In Part-2, we will look at configuring a mini travel router with ZeroTier, so that multiple devices connected to the router can send traffic via gateway without installing ZeroTier one client in all devices.

References

708
Total Page Visits: 38335 - Today Page Visits: 1

9 thoughts on “Routing all traffic through Home with ZeroTier on travel

  1. Rafal

    Dear Hari,
    Thanks a lot for your article. Can raspberry be replaced by a router or a Windows PC?
    Best regards,
    Rafal

    Reply
  2. Heath

    Hi Hari I get the following error when I run the first iptables command any idea why?
    All of the other comands run fine.
    sudo iptables -t nat -A POSTROUTING -o $eth0 -j MASQUERADE
    Bad argument `MASQUERADE’
    Try `iptables -h’ or ‘iptables –help’ for more information.

    Reply
    1. Hari Krishna Vemula Post author

      Hi Heath,
      Sorry for the late reply. Hope your issue have been solved already.
      Looks like there ‘$’ extra before eth0, it should be just eth0 if the interface name is that.

      Regards,
      Hari

      Reply
  3. Johhny

    sudo bash -c iptables-save > /etc/iptables/rules.v4
    -bash: /etc/iptables/rules.v4: Permission denied
    pi@rpizero:~ $
    with sudo su it goes through but not persisent on reboot need to set portforward again
    please advise

    and need to set DNS option on the android app eg 8.8.8.8

    Reply
    1. Hari Krishna Vemula Post author

      Hi Johhny,
      Sorry for the late reply.
      Hope your issue on iptables has been resolved.
      I believe it is not required to set DNS specifically in the client until you want to force it to use.
      You can install pi-hole in raspberry pi and use that as DNS as well in your clients.

      Regards,
      Hari

      Reply
      1. bry

        I have the same issue with the config not being persistent after reboot. This is the error I get, it doesn’t prompt me to enter in password when running the command with sudo.

        -bash: /etc/iptables/rules.v4: Permission denied

        Reply
  4. Sherif Omran

    Hi Harry,

    i have a different scenario, where i have instead of your raspberry pi, and openwrt router connected to the internet and connected to the zerotier network. However the routing inside this router, does not go from the zerotier to the lan, zerotier network is isolated from the lan.
    Do you know how to adjust it?
    thank you

    Reply
    1. jferreira

      Hopefully you have found a solution.
      But the answer to your problem here is that by default a firewall will drop packets.
      If you added zerotier to OpenWRT via a plugin and then connected to the ZeroTier network. You must now create a firewall rule to allow inbound traffic coming from the ZeroTier network to your internal Lan.
      Then in the ZeroTier Dashboard you need to add a route to your internal LAN subnet which could be something like 192.168.1.0/24 via the ZeroTier IP of your router.
      In addition I added a second route in the dashboard to route all traffic through ZeroTier by adding 0.0.0.0/0 as the destination and the router IP that ZeroTier assigned to it.
      Hopefully this will help you and others.
      I did this same setup with OPNSense and it works great.

      Reply

Leave a Reply

Your email address will not be published. Required fields are marked *