Skip to content

Instantly share code, notes, and snippets.

@markus2120

markus2120/zt_VPN.md

Last active January 17, 2023 05:51
Show Gist options
  • Star 16 You must be signed in to star a gist
  • Fork 4 You must be signed in to fork a gist
  • Save markus2120/21283257b007ddddc7fd8bcea5c252a0 to your computer and use it in GitHub Desktop.
Save markus2120/21283257b007ddddc7fd8bcea5c252a0 to your computer and use it in GitHub Desktop.
Download ZIP
Route all traffic with a raspberry pi like a VPN
Raw
zt_VPN.md

Credits

what?

Route all traffic with a raspberry pi like a VPN.

steps

at my.zerotier.com

  • create account
  • create network on Networks tab
  • copy Network ID
  • delete the auto-assign range and managed route for IPv4
  • ip listed here must be what gets assigned in zerotier web interface 'managed ips' section 10.147.20.66. See below
  • eth0 of raspberry pi 10.147.17.1

Important

  • The main point is that the local-physical-ethernet-network 10.147.17.0/24 and zt-network is 10.147.20.0/24
  • If you have public ips it did not work for me

image

back on pi

  • sudo zerotier-cli join ${networkId}

on my.zerotier.com

  • Since our office has NAT network I have blacked the public IP - right side...
  • Warning: Do not enable Bridge

image

edit /etc/network/interfaces

# Include files from /etc/network/interfaces.d:
source-directory /etc/network/interfaces.d
auto eth0
iface eth0 inet manual

auto eth0
iface eth0 inet static
        address 10.147.17.1
        netmask 255.255.255.0
        broadcast 10.147.20.255
        gateway 10.147.20.254
        dns-nameservers redacted
        dns-search redacted

This file is default

/var/lib/zerotier-one/networks.d/zt-network-id.local.conf

allowManaged=1
allowGlobal=0
allowDefault=0

Find your interface name zt0 or zt??????. Adapt tutorial accordingly.

  • ip a

1: lo: 
2: eth0: 
3: wlan0: 
5: zt0:

/etc/sysctl.conf

Uncomment the next line to enable packet forwarding for IPv4


net.ipv4.ip_forward=1

From DO tutorial

#!/bin/bash
# A very basic IPtables / Netfilter script /etc/firewall/enable.sh

PATH='/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin'

#service networking restart > /dev/null 2>&1

touch /root/RUNNING_FIREWALL_IPTABLES_NOW

# Flush the tables to apply changes
/sbin/iptables -F

# Default policy to drop 'everything' but our output to internet
/sbin/iptables -P FORWARD ACCEPT
/sbin/iptables -P INPUT   ACCEPT
/sbin/iptables -P OUTPUT  ACCEPT

# Allow established connections (the responses to our outgoing traffic)
/sbin/iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

# Allow local programs that use loopback (Unix sockets)
/sbin/iptables -A INPUT -s 127.0.0.0/8 -d 127.0.0.0/8 -i lo -j ACCEPT

/sbin/iptables -t nat -A POSTROUTING -o enp2s0 -j MASQUERADE
/sbin/iptables -A FORWARD -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
/sbin/iptables -A FORWARD -i ztklhsm3zp -o enp2s0 -j ACCEPT


exit 0

Client side

image

@xxgmxx
Copy link

xxgmxx commented May 6, 2021

Hi ! I have tried your tutorial, but I am not sure what to do with the last script " #!/bin/bash... "
I have also tried the DO tutorial and I got stuck on step 5
sudo iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
My eth0 is named enp0s3 and the zt0 is named enp0s3, so I changed the script to:
sudo iptables -t nat -A POSTROUTING -o enp0s3 -j MASQUERADE sudo iptables -A FORWARD -i zt21r4amuq -o enp0s3 -j ACCEPT
If I set default route on my phone, I cant acces internet or the network at all.

Can you help me with it ? What to do with the last script ? Or that to do in the DO tutorial to make it works ?
Thank you.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment