Old ZeroTier setup guide
If not already installed, install ZeroTier on your router. To perform the installation using LuCI, go to System -> Software, click on Update lists to get the latest package lists, then type zerotier in the filter; only one package should appear. Press Install.
If you are comfortable on the command line, you can install it with the following commands:
root@openwrt:~# opkg update
root@OpenWrt:~# opkg install zerotier
Installing zerotier (1.2.12-2) to root...
Downloading ...
Installing libstdcpp (7.3.0-1) to root...
Downloading ...
Installing kmod-tun (4.14.95-1) to root...
Downloading ...
Installing libmnl (1.0.4-1) to root...
Downloading ...
Installing ip-tiny (4.16.0-8) to root...
Downloading ...
Installing libminiupnpc (2.0.20170509-1) to root...
Downloading ...
Installing libnatpmp (20150609-1) to root...
Downloading ...
Configuring kmod-tun.
Configuring libmnl.
Configuring libstdcpp.
Configuring ip-tiny.
Configuring libminiupnpc.
Configuring libnatpmp.
Configuring zerotier.
disabled in config
Take note that the sample above is from my setup (OpenWrt 18.06.2 r7676-cddd7b4c77) with ZeroTier 1.2.12. The output, versions and dependencies may vary depending on your hardware and versions.
If not already done, create a network on any kind of ZeroTier controller. For example, you can use the free service at https://my.zerotier.com to create a network.
My network setup looks like this (! not my real one !):
ZeroTier Controller
-------------------
Network ID: 17d709436cd2ee29
IPv4 Auto-Assign (advanced)
[x] Auto-Assign from Range: 172.28.28.1-172.28.28.255
Managed Routes:
172.28.28.0/24 (LAN)
192.168.1.0/24 (172.28.28.1)
IPv6 Auto-Assign
[ ] ZeroTier RFC4193 (/128 for each device)
[ ] ZeroTier 6PLANE (/80 routable for each device)
[ ] Auto-Assign from Range
Some screenshots of this configuration are shown below:
For now, the only way to configure ZeroTier is from the command line using the UCI system (or by editing the config file by hand). SSH into your OpenWRT router. A look at the uci config should show something like this:
root@openwrt:~# uci show zerotier
zerotier.sample_config=zerotier
zerotier.sample_config.enabled='0'
zerotier.sample_config.join='8056c2e21c000001'
Or if you read the config file:
root@OpenWrt:~# cat /etc/config/zerotier
config zerotier sample_config
option enabled 0
# persistent configuration folder (for ZT controller mode)
#option config_path '/etc/zerotier'
#option port '9993'
# Generate secret on first start
option secret ''
# Join a public network called Earth
list join '8056c2e21c000001'
#list join '<other_network>'
This is only a sample config that shows you all the options you can configure. To join your network, we will create a new ZeroTier connection named openwrt_network using uci:
root@OpenWrt:~# uci set zerotier.openwrt_network=zerotier
root@OpenWrt:~# uci add_list zerotier.openwrt_network.join='8ad5123ed69d6f69'
root@OpenWrt:~# uci set zerotier.openwrt_network.enabled='1'
root@OpenWrt:~# uci commit zerotier
Hint: The zerotier.openwrt_network.join config variable is a so-called list. You can add more networks with the following command:
root@openwrt:~# uci add_list zerotier.openwrt_network.join='<network id to add to join list>'
If you want to remove a network ID from the list use the following command:
root@openwrt:~# uci del_list zerotier.openwrt_network.join='<network id to remove from join list>'
Now verify that /etc/config/zerotier reflects your config; mine looks like this:
root@openwrt:~# cat /etc/config/zerotier
config zerotier 'sample_config'
option enabled '0'
list join '8056c2e21c000001'
config zerotier 'openwrt_network'
list join '8ad5123ed69d6f69'
option enabled '1'
As you can see, sample_config is not enabled while openwrt_network is enabled.
If it looks similar on your end, reboot your router. (Yes, you must actually reboot your router here)
root@openwrt:~# reboot
After the reboot, log in again via SSH and verify that the ztXXXXXXXX interface is up and running. The XXXXXXXX part is derived from the network ID:
root@openwrt:~# ip a
... (several networks)
6: ztXXXXXXXX: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 2800 qdisc fq_codel state UNKNOWN group default qlen 1000
link/ether 6a:04:a7:8b:b8:6a brd ff:ff:ff:ff:ff:ff
inet6 fe80::6804:a7ff:fe8b:b86a/64 scope link
valid_lft forever preferred_lft forever
and your ZeroTier client should be in state online:
root@openwrt:~# zerotier-cli info
200 info 41c7017c10 ONLINE 1.1.14
If we now take a look at our config, there must be a new option called secret:
root@OpenWrt:~# uci show zerotier
zerotier.sample_config=zerotier
zerotier.sample_config.enabled='0'
zerotier.sample_config.join='8056c2e21c000001'
zerotier.openwrt_network=zerotier
zerotier.openwrt_network.join='8ad5123ed69d6f69'
zerotier.openwrt_network.enabled='1'
zerotier.openwrt_network.secret='6b3a5d8678:0:...'
The zerotier.openwrt_network.secret value is the content of /var/lib/zerotier-one/identity.secret, i.e. the node's private identity key. On OpenWrt /var lives in RAM, so that file does not survive a reboot; storing the value in uci is what keeps the node identity stable across reboots. Keep it in your configuration backups and do not share it.
Warning: If you don't have the zerotier.openwrt_network.secret option (or it is blank) you must add it so that the system does not ask for the password on every reboot. Simply run:
root@OpenWrt:~# uci set zerotier.openwrt_network.secret="$(cat /var/lib/zerotier-one/identity.secret)"
root@OpenWrt:~# uci commit zerotier
After some time, your OpenWrt router should appear in your controller (my.zerotier.com or your self-hosted one).
Make sure you Authorize the client so it can pick up an IP from your network. Because we later want to route all traffic of all members of our ZeroTier network into our LAN, we make sure that the ZeroTier IP address of our OpenWRT router is fixed to 172.28.28.1 by setting it manually in the ZeroTier controller (e.g. my.zerotier.com). Also make sure that you have checked the Allow Ethernet Bridging option.
Hint: If you change any network settings for the ZeroTier client running on your OpenWRT router, reboot the router, because it sometimes does not pick up the changed configuration!
After authorizing the OpenWRT router as a ZeroTier client and rebooting the router, it should pick up the config of your network (e.g. the IP address) for its ztXXXXXXXX interface:
root@openwrt:~# ip a
... (several networks)
6: ztXXXXXXXX: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 2800 qdisc fq_codel state UNKNOWN group default qlen 1000
link/ether 6a:04:a7:8b:b8:6a brd ff:ff:ff:ff:ff:ff
inet 172.28.28.1/24 brd 172.28.28.255 scope global ztXXXXXXXX
valid_lft forever preferred_lft forever
inet6 fe80::6804:a7ff:fe8b:b86a/64 scope link
valid_lft forever preferred_lft forever
It is now a good time to backup the configuration of your OpenWRT router before you continue.
You need to configure your firewall to permit incoming UDP connections to port 9993 to get better performance (other peers can then connect to the router directly).
In OpenWrt 18.06 LuCI, go to Network -> Firewall -> Traffic Rules and under Open ports on router set:
Name: Allow-ZeroTier-Inbound
Protocol: UDP
External port: 9993
And press Add. You should see a new entry Allow-ZeroTier-Inbound:
Any udp
From any host in wan
To any router IP at port 9993 on this device
Accept input
Press Edit, change Source zone from WAN to Any Zone, then Save and Apply the changes. It should look like this:
In OpenWrt 19.07 LuCI, go to Network -> Firewall -> Traffic Rules and press Add:
Name: Allow-ZeroTier-Inbound
Protocol: UDP
Source zone: Any zone
Destination zone: Device
Destination port: 9993
And press Save. You should see a new entry Allow-ZeroTier-Inbound:
Match:
Incoming IPv4 and IPv6, protocol UDP
From any zone
To this device, port 9993
Action:
Accept input
Save and Apply the changes. The same rule can also be created from the command line:
root@OpenWrt:~# uci add firewall rule
root@OpenWrt:~# uci set firewall.@rule[-1].name='Allow-ZeroTier-Inbound'
root@OpenWrt:~# uci set firewall.@rule[-1].src='*'
root@OpenWrt:~# uci set firewall.@rule[-1].target='ACCEPT'
root@OpenWrt:~# uci set firewall.@rule[-1].proto='udp'
root@OpenWrt:~# uci set firewall.@rule[-1].dest_port='9993'
root@OpenWrt:~# uci commit firewall
root@OpenWrt:~# /etc/init.d/firewall restart
In either case, you must end up with an entry in /etc/config/firewall similar to this:
config rule
option enabled '1'
option target 'ACCEPT'
option proto 'udp'
option dest_port '9993'
option name 'Allow-ZeroTier-Inbound'
option src '*'
Note: The option enabled '1' line is optional.
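The following POSIX shell script is an added check that is not part of this wiki page or the zerotier package: it parses the text of uci show zerotier and uci show firewall and reports the two misconfigurations this guide warns about (an enabled network whose secret was never persisted, and a missing accept rule for udp/9993 from any zone). The function names, the sample dumps and the placeholder secret are constructed here.

```shell
#!/bin/sh
# Added audit helper (not from the wiki or the zerotier package). It parses the text of
# `uci show zerotier` and `uci show firewall` and flags two things this guide warns about:
# an enabled ZeroTier section with no persisted secret, and no ACCEPT rule for udp/9993 from '*'.
set -f   # section names such as @rule[0] are used as shell words; keep globbing off
# uci_val DUMP KEY: value of KEY in a `uci show` dump, single quotes stripped
uci_val() {
    printf '%s\n' "$1" | awk -F= -v k="$2" -v q="'" '$1 == k { sub(/^[^=]*=/, ""); gsub(q, ""); print }'
}
# uci_sections DUMP PACKAGE TYPE: names (named or @type[n]) of all sections of that type
uci_sections() {
    printf '%s\n' "$1" | awk -F= -v p="$2" -v t="$3" \
        '$2 == t && index($1, p ".") == 1 { print substr($1, length(p) + 2) }'
}
# Print each enabled zerotier section whose secret option is missing or blank
zt_missing_secret() {
    for sec in $(uci_sections "$1" zerotier zerotier); do
        [ "$(uci_val "$1" "zerotier.$sec.enabled")" = "1" ] || continue
        [ -n "$(uci_val "$1" "zerotier.$sec.secret")" ] || printf '%s\n' "$sec"
    done
}
# Succeed if some enabled rule accepts udp to port 9993 from any source zone
fw_has_zt_rule() {
    for sec in $(uci_sections "$1" firewall rule); do
        [ "$(uci_val "$1" "firewall.$sec.enabled")" != "0" ] || continue
        [ "$(uci_val "$1" "firewall.$sec.proto")" = "udp" ] || continue
        [ "$(uci_val "$1" "firewall.$sec.dest_port")" = "9993" ] || continue
        [ "$(uci_val "$1" "firewall.$sec.src")" = "*" ] || continue
        [ "$(uci_val "$1" "firewall.$sec.target")" = "ACCEPT" ] && return 0
    done
    return 1
}
zt_audit() {
    rc=0
    for sec in $(zt_missing_secret "$1"); do
        echo "WARN: zerotier.$sec is enabled but has no secret; persist identity.secret into uci"; rc=1
    done
    fw_has_zt_rule "$2" || { echo "WARN: no firewall rule accepting udp/9993 from any zone"; rc=1; }
    return $rc
}
# Constructed sample dumps (not from a real router); the secret option is deliberately absent
ZT_SAMPLE="zerotier.openwrt_network=zerotier
zerotier.openwrt_network.join='8ad5123ed69d6f69'
zerotier.openwrt_network.enabled='1'"
FW_SAMPLE="firewall.@rule[0]=rule
firewall.@rule[0].proto='udp'
firewall.@rule[0].dest_port='9993'
firewall.@rule[0].src='*'
firewall.@rule[0].target='ACCEPT'"
zt_audit "$ZT_SAMPLE" "$FW_SAMPLE" || echo "audit found problems (see warnings above)"
```

On the router itself, run it as zt_audit "$(uci show zerotier)" "$(uci show firewall)" after sourcing the file; a non-zero exit status means something from this section still needs fixing.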
Currently we have the following setup:
WAN-Interface of the OpenWRT router : a public IP on the internet
IP-Range of the LAN switch on the OpenWRT router : 192.168.1.0/24
IP-Address of the zt interface on the OpenWRT router : 172.28.28.1
ZeroTier network route on the OpenWRT router : 172.28.28.0/24 via zt
Now we have to do some final setup in the web interface of the OpenWRT router. Go to Network -> Interfaces, click on Add new interface and enter the following settings:
Name of the new interface : ZeroTier
Protocol of the new interface : Unmanaged
Create a bridge over multiple interfaces : [ ]
Cover the following interface : Ethernet Adapter: "ztXXXXXXXX"
Click on Submit and then on Save and Apply.
WARNING: An Unmanaged interface never shows its IP in LuCI. To see the IP you must run ip a from the CLI.
Then go to Network -> Firewall, click on Add to create a new zone with the following settings:
Name: vpn
Input: accept
Output: accept
Forward: accept
Masquerading: [x]
MSS clamping: [ ]
Covered networks: [x] ZeroTier:
[ ] lan:
[ ] wan:
[ ] wan6:
Inter-Zone Forwarding
Allow forward to destination zones: [x] lan:
[x] wan: wan6:
Allow forward from source zones : [x] lan:
[ ] wan: wan6:
Click on Save & Apply.
I would now reboot the router again to make sure all the config is applied correctly.
HINT: In Allow forward to destination zones you only need lan to permit communication between your hosts, but if you want to use the OpenWRT router's connection as a gateway to the Internet you must also select wan and wan6.
The equivalent configuration from the command line:
# Create interface
uci set network.ZeroTier=interface
uci set network.ZeroTier.proto='none'
uci set network.ZeroTier.device='ztXXX' # Replace ztXXX with your own ZeroTier interface name
# Note: on OpenWrt 18.06/19.07 this option is called ifname instead of device
# Create zone
uci add firewall zone
uci set firewall.@zone[-1].name='vpn'
uci set firewall.@zone[-1].input='ACCEPT'
uci set firewall.@zone[-1].output='ACCEPT'
uci set firewall.@zone[-1].forward='ACCEPT'
uci set firewall.@zone[-1].masq='1'
uci add_list firewall.@zone[-1].network='ZeroTier'
uci add firewall forwarding
uci set firewall.@forwarding[-1].src='vpn'
uci set firewall.@forwarding[-1].dest='lan'
uci add firewall forwarding
uci set firewall.@forwarding[-1].src='vpn'
uci set firewall.@forwarding[-1].dest='wan'
uci add firewall forwarding
uci set firewall.@forwarding[-1].src='lan'
uci set firewall.@forwarding[-1].dest='vpn'
# Commit changes
uci commit
Any ZeroTier client that now joins your ZeroTier network (in my example: 8ad5123ed69d6f69) should automatically receive an IP address from the 172.28.28.0/24 range, while the ZeroTier client already running on your OpenWRT router has the fixed address 172.28.28.1.
Because of the route we set for the ZeroTier network in the ZeroTier controller at my.zerotier.com (192.168.1.0/24 via 172.28.28.1), any of your ZeroTier network members can now reach LAN IPs (192.168.1.0/24) behind your OpenWRT router.
Also, all ZeroTier clients (172.28.28.0/24) can reach each other.
Note: ZeroTier versions newer than 1.1.14 can no longer be compiled with uClibc++.
Install uClibc++
wget http://cxx.uclibc.org/src/uClibc++-0.2.4.tar.bz2
tar -xvjf uClibc++-0.2.4.tar.bz2
cd uClibc++-0.2.4
make
Now put this in the top section of the Makefile in the ZeroTier source folder:
UC_INC=~/uClibc++-0.2.4/include
UC_LIB=~/uClibc++-0.2.4/src
LDFLAGS+= -L$(UC_LIB) -pthread
LDLIBS+= -L$(UC_LIB) -pthread -fno-builtin -nodefaultlibs -Wl,-Bstatic -luClibc++ -Wl,-Bdynamic -lpthread -lm -lc -lsupc++ -lc -lgcc -lgcc_eh -lgcc_s -lpthread -lm
CXXFLAGS+= -fno-builtin -nostdinc++ -I$(UC_INC) -DGCC_HASCLASSVISIBILITY -Wall -fPIE -fvisibility=hidden
Now call make.