Configure ZeroTier routing in OpenWrt

Óscar García Amor edited this page Oct 10, 2024 · 5 revisions

Currently we have the following setup:

WAN-Interface of the OpenWrt router                   : a public IP on the internet
LAN-Interface of the OpenWrt router                   : 192.168.1.1
IP-Range of the LAN switch on the OpenWrt router      : 192.168.1.0/24
IP-Address of the zt interface on the OpenWrt router  : 172.28.28.1
ZeroTier network route on the OpenWrt router          : 172.28.28.0/24 via zt

Configure routing

To configure the routing we must create a new OpenWrt interface and a zone as detailed below:

# Create interface
uci set network.ZeroTier=interface
uci set network.ZeroTier.proto='none'
uci set network.ZeroTier.device='ztXXXXXXXX' # Replace ztXXXXXXXX with your own ZeroTier interface name

# Create zone
uci add firewall zone
uci set firewall.@zone[-1].name='vpn'
uci set firewall.@zone[-1].input='ACCEPT'
uci set firewall.@zone[-1].output='ACCEPT'
uci set firewall.@zone[-1].forward='ACCEPT'
uci set firewall.@zone[-1].masq='1'
uci add_list firewall.@zone[-1].network='ZeroTier'
uci add firewall forwarding
uci set firewall.@forwarding[-1].src='vpn'
uci set firewall.@forwarding[-1].dest='lan'
uci add firewall forwarding
uci set firewall.@forwarding[-1].src='vpn'
uci set firewall.@forwarding[-1].dest='wan'
uci add firewall forwarding
uci set firewall.@forwarding[-1].src='lan'
uci set firewall.@forwarding[-1].dest='vpn'

# Commit changes
uci commit

Restart the firewall to apply the changes:

/etc/init.d/firewall restart
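As an added check (not part of this wiki page), the script below audits the zone the commands above create by parsing the output of uci show firewall. It runs offline against a constructed sample of that output; the section indexes in the sample (@zone[2], @forwarding[1..3]) and the function names are assumptions. On the router you would feed it the live dump with audit_zone "$(uci show firewall)" vpn.

```sh
#!/bin/sh
# Added example, not part of the OpenWrt/ZeroTier wiki: audit the firewall
# zone created by the uci commands on this page. Everything below only
# parses `uci show firewall` text, so it runs offline on the sample and
# unchanged on a router with:  audit_zone "$(uci show firewall)" vpn
set -u

# Constructed sample of what `uci show firewall` prints after the commands on
# this page; the section indexes are assumptions, not taken from a real router.
sample_uci_show() {
  cat <<'EOF'
firewall.@zone[0]=zone
firewall.@zone[0].name='lan'
firewall.@zone[1]=zone
firewall.@zone[1].name='wan'
firewall.@zone[1].masq='1'
firewall.@zone[2]=zone
firewall.@zone[2].name='vpn'
firewall.@zone[2].input='ACCEPT'
firewall.@zone[2].output='ACCEPT'
firewall.@zone[2].forward='ACCEPT'
firewall.@zone[2].masq='1'
firewall.@zone[2].network='ZeroTier'
firewall.@forwarding[0]=forwarding
firewall.@forwarding[0].src='lan'
firewall.@forwarding[0].dest='wan'
firewall.@forwarding[1]=forwarding
firewall.@forwarding[1].src='vpn'
firewall.@forwarding[1].dest='lan'
firewall.@forwarding[2]=forwarding
firewall.@forwarding[2].src='vpn'
firewall.@forwarding[2].dest='wan'
firewall.@forwarding[3]=forwarding
firewall.@forwarding[3].src='lan'
firewall.@forwarding[3].dest='vpn'
EOF
}

# zone_section DUMP NAME: print the uci section id (e.g. @zone[2]) of zone NAME.
zone_section() {
  printf '%s\n' "$1" | grep -F '.@zone[' | grep -F ".name='$2'" | cut -d. -f2
}

# zone_option DUMP NAME OPTION: print the value of OPTION in zone NAME
# (empty if unset, exit 1 if the zone does not exist).
zone_option() {
  sec=$(zone_section "$1" "$2")
  [ -n "$sec" ] || return 1
  printf '%s\n' "$1" | grep -F "firewall.$sec.$3=" | cut -d= -f2- | tr -d "'"
}

# forward_dests DUMP NAME: print the zones NAME may forward into, one per line.
forward_dests() {
  for sec in $(printf '%s\n' "$1" | grep -F '@forwarding[' | grep -F ".src='$2'" | cut -d. -f2); do
    printf '%s\n' "$1" | grep -F "firewall.$sec.dest=" | cut -d= -f2- | tr -d "'"
  done
}

# audit_zone DUMP NAME: one OK:/INFO:/WARN: line per setting that decides what
# ZeroTier members can reach through this router.
audit_zone() {
  dump=$1; name=$2
  if [ -z "$(zone_section "$dump" "$name")" ]; then
    echo "WARN: zone '$name' not found (was 'uci commit' run?)"
    return
  fi
  input=$(zone_option "$dump" "$name" input)
  if [ "$input" = "ACCEPT" ]; then
    echo "WARN: input=ACCEPT: every ZeroTier member can reach services on the router itself (SSH, LuCI, DNS)"
  else
    echo "OK: input=$input"
  fi
  # masq on the vpn zone rewrites the source of LAN->ZeroTier connections to the
  # router's zt address; it is not a hole, but members then cannot tell LAN hosts apart.
  if [ "$(zone_option "$dump" "$name" masq)" = "1" ]; then
    echo "INFO: masq=1: LAN-originated traffic into ZeroTier appears to come from the router's zt address"
  fi
  for dest in $(forward_dests "$dump" "$name"); do
    case $dest in
      wan) echo "WARN: forwarding $name->wan: members can use this router as an internet exit" ;;
      *)   echo "OK: forwarding $name->$dest" ;;
    esac
  done
}

audit_zone "$(sample_uci_show)" vpn
```

The two WARN lines are the consequences of the permissive policy on this page: with input='ACCEPT' every member of the ZeroTier network can talk to the router's own services, and the vpn->wan forwarding lets members route their internet traffic through your WAN. If members only need the LAN, set input to REJECT with explicit rules for the services you want reachable and leave out the vpn->wan forwarding.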

Once this configuration is done, the changes are visible in LuCI. The interface appears under Network -> Interfaces:

[Screenshot: ZeroTier interface in LuCI]

Warning: An unmanaged interface never shows its IP address in LuCI. To see it, run ip a from the CLI.

And the zone in Network -> Firewall:

[Screenshot: ZeroTier zone settings in LuCI]

Note: Restarting the firewall sometimes does not apply all of the changes. To be sure they take effect, reboot the router completely.

Tests

Because of the managed route we set for the ZeroTier network in the ZeroTier controller at my.zerotier.com (192.168.1.0/24 via 172.28.28.1; see Create a network in ZeroTier Central), any member of your ZeroTier network can now reach LAN IPs (192.168.1.0/24) behind your OpenWrt router.