
Configure ZeroTier routing in OpenWrt

Óscar García Amor edited this page Sep 19, 2024 · 5 revisions

Currently we have the following setup:

WAN-Interface of the OpenWrt router                   : a public IP on the internet
LAN-Interface of the OpenWrt router                   : 192.168.1.1
IP-Range of the LAN switch on the OpenWrt router      : 192.168.1.0/24
IP-Address of the zt interface on the OpenWrt router  : 172.28.28.1
ZeroTier network route on the OpenWrt router          : 172.28.28.0/24 via zt

To configure the routing we must create a new OpenWrt interface and a zone as detailed below:

# Create interface
uci set network.ZeroTier=interface
uci set network.ZeroTier.proto='none'
uci set network.ZeroTier.device='ztXXXXXXXX' # Replace ztXXXXXXXX with your own ZeroTier interface name

# Create zone
uci add firewall zone
uci set firewall.@zone[-1].name='vpn'
uci set firewall.@zone[-1].input='ACCEPT'
uci set firewall.@zone[-1].output='ACCEPT'
uci set firewall.@zone[-1].forward='ACCEPT'
uci set firewall.@zone[-1].masq='1'
uci add_list firewall.@zone[-1].network='ZeroTier'
uci add firewall forwarding
uci set firewall.@forwarding[-1].src='vpn'
uci set firewall.@forwarding[-1].dest='lan'
uci add firewall forwarding
uci set firewall.@forwarding[-1].src='vpn'
uci set firewall.@forwarding[-1].dest='wan'
uci add firewall forwarding
uci set firewall.@forwarding[-1].src='lan'
uci set firewall.@forwarding[-1].dest='vpn'

# Commit changes
uci commit

Restart the firewall to apply the changes:

/etc/init.d/firewall restart

Once this configuration is done we can see the changes in LuCI. The interface in Network -> Interfaces:

ZeroTier Interface

Warning: The Unmanaged interface never shows its IP in LuCI. To see the IP, run the command ip a from the CLI.

And the zone in Network -> Firewall:

ZeroTier Zone Settings
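
The zone created above accepts input and is forwarded to both lan and wan, so it is useful to confirm from the CLI what the vpn zone is allowed to do. The following is an added example, not part of the original wiki page: zt_zone_report and sample_uci_output are hypothetical helper names, and the sample text is constructed to match the commands on this page.

```shell
# Added example, not from the wiki. zt_zone_report is a hypothetical helper name.
zt_zone_report() {   # stdin: `uci show firewall` text; $1: zone name (default vpn)
    awk -v zone="${1:-vpn}" -v q="'" '
    {
        eq = index($0, "="); if (eq == 0) next
        val = substr($0, eq + 1); gsub(q, "", val)        # drop the quotes uci prints
        if (split(substr($0, 1, eq - 1), p, "[.]") != 3) next
        sec = p[2]; opt = p[3]                            # e.g. "@zone[2]" and "name"
        if (sec ~ /^@zone\[/) {
            z[sec, opt] = val
            if (opt == "name" && val == zone) zsec = sec
        } else if (sec ~ /^@forwarding\[/) {
            f[sec, opt] = val
            if (opt == "src") order[++nf] = sec           # remember config order
        }
    }
    function zopt(o) { return ((zsec, o) in z) ? z[zsec, o] : "unset" }
    END {
        if (zsec == "") { print "zone " zone ": not found"; exit 1 }
        printf "zone %s: input=%s forward=%s masq=%s\n",
            zone, zopt("input"), zopt("forward"), zopt("masq")
        if (zopt("input") == "ACCEPT")
            print "note: hosts in " zone " can open connections to the router itself"
        for (i = 1; i <= nf; i++) {
            s = f[order[i], "src"]; d = f[order[i], "dest"]
            if (s == zone || d == zone) print "forwarding allowed: " s " -> " d
        }
    }'
}
sample_uci_output() {   # constructed sample; section indexes are made up
    cat <<'EOF'
firewall.@zone[2]=zone
firewall.@zone[2].name='vpn'
firewall.@zone[2].input='ACCEPT'
firewall.@zone[2].output='ACCEPT'
firewall.@zone[2].forward='ACCEPT'
firewall.@zone[2].masq='1'
firewall.@zone[2].network='ZeroTier'
firewall.@forwarding[1]=forwarding
firewall.@forwarding[1].src='vpn'
firewall.@forwarding[1].dest='lan'
firewall.@forwarding[2]=forwarding
firewall.@forwarding[2].src='vpn'
firewall.@forwarding[2].dest='wan'
firewall.@forwarding[3]=forwarding
firewall.@forwarding[3].src='lan'
firewall.@forwarding[3].dest='vpn'
EOF
}
sample_uci_output | zt_zone_report vpn
```

On the router, feed it the live configuration with uci show firewall | zt_zone_report vpn.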

Tests

Because of the route (192.168.1.0/24 via 172.28.18.1) that we set for the ZeroTier network in the ZeroTier controller at my.zerotier.com (see Create a network in ZeroTier Central), any of your ZeroTier network members can now reach the LAN IPs (192.168.1.0/24) behind your OpenWrt router.
