Accessing LAN over ZeroTier easily

What is ZeroTier

ZeroTier is an open source solution for Global Area Networking.
In a nutshell, ZeroTier lets you connect devices in different locations to one virtual network.
Traffic is encrypted and flows peer to peer wherever NAT traversal allows, falling back to ZeroTier's relay servers otherwise.

Simple connection

For a simple connection, just register at https://my.zerotier.com/ and follow the ZeroTier Manual.

You'll have to install the client on your devices (Windows, macOS, Apple iOS, Linux, Android and more) and join the network you created.

You should be able to access network shares from any device on the virtual network.
I used it to connect to VNC on my Windows machine from my Android phone: I allowed VNC connections only from a specific IP range and used the ZeroTier IP to connect.
Another use case: if you have a server and want to restrict access to the SSH service with an IP whitelist but don't have a static IP on your machine, with ZeroTier you can whitelist the ZeroTier address and connect without a problem.
Keep in mind that whitelisting a ZeroTier address only restricts access to members of your ZeroTier network, so leave member authorization on and review the member list from time to time.

Accessing all LAN devices

It's not a full-tunnel connection, so you can't reach other devices on your LAN unless the client is installed on each of them. That is why I started looking for a way to reach the whole LAN from ZeroTier.

I found this thread on Reddit and tried to do the same on my FreeNAS box.
My first thought was to create a new VM, install ZeroTier and configure it as a bridge.
On second thought, I wanted to try Docker, simply because I already have a VM running Docker on the box, so why not use it and save some resources.

My VM runs Alpine Linux, a very minimalistic Linux image.
In order to use the Docker image for ZeroTier I had to do some preparation.

Prerequisites

# Create the TUN device node that ZeroTier needs (the minimal image does not ship it)
mkdir -p /dev/net

mknod /dev/net/tun c 10 200

chmod 0666 /dev/net/tun

# Load the tun module now and on every boot
echo "tun" >> /etc/modules-load.d/tun.conf

modprobe tun

# Let the VM forward packets between the ZeroTier interface and the LAN
echo "net.ipv4.ip_forward = 1" >> /etc/sysctl.conf

sysctl -p

Docker

I’ve used the ZeroTier image from here: https://hub.docker.com/r/bltavares/zerotier

The command for Docker is:
docker run -d --device=/dev/net/tun \
--net=host \
--cap-add=NET_ADMIN \
--cap-add=SYS_ADMIN \
-v /var/lib/zerotier-one:/var/lib/zerotier-one \
--name zerotier-one \
bltavares/zerotier

Note that --net=host puts the container in the host's network namespace (its ZeroTier interface and any iptables rules are the host's), and CAP_SYS_ADMIN is close to full root, so treat this container as trusted as the VM itself. The volume mount keeps the node identity, and with it the ZeroTier address, across container restarts.

Now you’ll have to join your ZeroTier network:
docker exec zerotier-one /zerotier-cli join 5016b2a81a032087
Replace 5016b2a81a032087 with your network ID.

Check on your ZeroTier web page and look for the new device then authorize it by ticking the box next to it.

Next, add a new managed route.
In Destination type your home network in CIDR form: if your router is 192.168.1.1 on a /24, type 192.168.1.0/24. In Via type the ZeroTier-managed IP of the Docker host (the address it received on the ZeroTier network, not its LAN address).

Configuring ZeroTier routes

The Router

If you want to be able to reach all the devices on the network, add a route in your router that points the ZeroTier subnet at the Docker host.
For me it was as easy as adding a line in my Mikrotik Route List:
Dst. Address – 10.0.1.0/24 (the ZeroTier network's subnet)
Gateway – my Docker machine's LAN IP
With the MASQUERADE rule below, LAN devices see connections as coming from the Docker host's LAN IP, so their replies reach it even without this route; the route matters if you drop MASQUERADE and want LAN devices to see the real ZeroTier addresses.

Firewall

The last step is to configure the firewall. I wasn't sure if I needed to do it on the container's firewall or the host's firewall, so I applied it on both (Alpine doesn't have iptables by default, so install it with apk add iptables). Since the container runs with --net=host, both end up in the same netfilter tables, so once on the host is enough.

Use ifconfig (or ip link) to find your ZeroTier interface name; mine was ztc25e5wzc and my LAN interface was eth0, so change the names accordingly.

iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
iptables -A FORWARD -i eth0 -o ztc25e5wzc -m state --state RELATED,ESTABLISHED -j ACCEPT
iptables -A FORWARD -i ztc25e5wzc -o eth0 -j ACCEPT

Two caveats: the last rule lets every authorized member of the ZeroTier network reach every LAN host, so add -s with your ZeroTier subnet (or tighter per-host, per-port rules) if not all members should have that; and these rules are not persistent, so on Alpine run rc-update add iptables and /etc/init.d/iptables save to restore them at boot.
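As an added example (not from the original post), here is the whole procedure above collected into one POSIX shell script. It derives the route destination from a LAN address the way the route step describes, validates the network ID, locates the zt interface from `ip -o link` output instead of reading ifconfig by eye, and emits the iptables rules with the forward rule restricted to the ZeroTier subnet, which is tighter than the rules above. The `apply` mode runs the Docker, join and iptables steps on the host. The environment variable names, the sample `ip -o link` lines and the ZeroTier subnet 10.0.1.0/24 are assumptions.

```shell
#!/bin/sh
# Added example, not the post's own code. Helpers for the ZeroTier LAN-gateway
# setup, plus an "apply" mode that runs the Docker, join and iptables steps.
# Variable names, interface names and the sample ip output are assumptions.

# Constructed sample of `ip -o link` output (not captured from a real host).
SAMPLE_IP_LINK="1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP
3: ztc25e5wzc: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 2800 qdisc fq_codel state UNKNOWN"

# lan_cidr IP PREFIX -> network address in CIDR form, which is what the
# managed route's Destination field wants: lan_cidr 192.168.1.37 24 -> 192.168.1.0/24
lan_cidr() {
    _ip=$1; _prefix=$2
    _oifs=$IFS; IFS=.; set -- $_ip; IFS=$_oifs
    _addr=$(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
    _mask=$(( (4294967295 << (32 - _prefix)) & 4294967295 ))
    _net=$(( _addr & _mask ))
    printf '%d.%d.%d.%d/%d\n' $(( (_net >> 24) & 255 )) $(( (_net >> 16) & 255 )) \
        $(( (_net >> 8) & 255 )) $(( _net & 255 )) "$_prefix"
}

# find_zt_iface "IP_LINK_OUTPUT" -> first interface whose name starts with zt
# (ZeroTier names its interfaces ztXXXXXXXX); prints nothing if there is none
find_zt_iface() {
    printf '%s\n' "$1" | awk -F': ' '$2 ~ /^zt/ { print $2; exit }'
}

# is_network_id ID -> success if ID looks like a ZeroTier network ID (16 hex digits)
is_network_id() {
    printf '%s' "$1" | grep -Eq '^[0-9a-fA-F]{16}$'
}

# forward_rules ZT_IF LAN_IF ZT_CIDR -> the iptables commands, tightened so that
# only sources inside the ZeroTier subnet are forwarded and masqueraded
forward_rules() {
    cat <<EOF
iptables -t nat -A POSTROUTING -s $3 -o $2 -j MASQUERADE
iptables -A FORWARD -i $2 -o $1 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
iptables -A FORWARD -i $1 -o $2 -s $3 -j ACCEPT
EOF
}

# apply_gateway: run the procedure. Needs root on the Docker host and the
# assumed variables ZT_NETWORK_ID, LAN_IF, LAN_IP, LAN_PREFIX and ZT_CIDR
# (ZT_CIDR is the subnet the ZeroTier network hands out, 10.0.1.0/24 in the post).
apply_gateway() {
    [ "$(id -u)" -eq 0 ] || { echo "run as root" >&2; return 1; }
    is_network_id "$ZT_NETWORK_ID" || { echo "bad ZT_NETWORK_ID" >&2; return 1; }
    docker run -d --device=/dev/net/tun --net=host \
        --cap-add=NET_ADMIN --cap-add=SYS_ADMIN \
        -v /var/lib/zerotier-one:/var/lib/zerotier-one \
        --name zerotier-one bltavares/zerotier
    docker exec zerotier-one /zerotier-cli join "$ZT_NETWORK_ID"
    # The zt interface only appears once the controller has authorized the member
    _zt_if=""; _tries=0
    while [ -z "$_zt_if" ] && [ "$_tries" -lt 60 ]; do
        sleep 5
        _zt_if=$(find_zt_iface "$(ip -o link)")
        _tries=$(( _tries + 1 ))
    done
    [ -n "$_zt_if" ] || { echo "no zt interface; authorize the member first" >&2; return 1; }
    echo "Managed route to add in the controller: $(lan_cidr "$LAN_IP" "$LAN_PREFIX")"
    forward_rules "$_zt_if" "$LAN_IF" "$ZT_CIDR" | sh -e
}

if [ "${1:-}" = "apply" ]; then apply_gateway; fi
```

Run it as `ZT_NETWORK_ID=... LAN_IF=eth0 LAN_IP=192.168.1.10 LAN_PREFIX=24 ZT_CIDR=10.0.1.0/24 sh gateway.sh apply` on the Alpine host; without `apply` it only defines the helpers, so you can source it and call `lan_cidr` or `forward_rules` to preview the rules before touching the firewall.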

Done.
Now you can use any device on the ZeroTier network to connect to your LAN devices.
Use a ping app on your phone to ping different devices and check that it works as intended.

Good luck!
