
@ort163 /zt_rpi.md
Last active Feb 7, 2019

ZeroTier full tunnel mode

Credits

what?

Route all of a remote client's traffic through a Raspberry Pi sitting on the office (WORK) LAN, with ZeroTier as the tunnel. The Pi acts as the network's exit node: it accepts traffic from ZeroTier peers on its zt interface and NATs it out of its LAN interface, so the client's traffic leaves from the office's public IP.

steps

at my.zerotier.com

  • create an account
  • create a network on the Networks tab
  • copy the Network ID (needed for `zerotier-cli join` on the Pi below)
  • delete the default IPv4 auto-assign range and the default managed route
  • the address shown here (10.147.20.66) must be the one assigned to the Pi under 'Managed IPs' in the ZeroTier web interface. See below
  • the Pi's actual LAN (eth0) IP is a different address: 10.147.20.72

image

  • make a new managed route that matches the LAN the Pi sits on (here the office LAN). For example: 10.147.20.0/24
  • make a new auto-assign range inside that same subnet that does not overlap addresses already in use on the LAN (the Pi's own eth0 address 10.147.20.72 included), so ZeroTier members never collide with physical hosts.

back on the Pi

  • sudo zerotier-cli join ${networkId} (substitute the Network ID copied above)

on my.zerotier.com

  • authorize the Pi's new member entry on the Members tab; a private network does not hand out the managed IP until the member is authorized
  • Since our office is behind NAT, I have blacked out the public IP on the right side...

image

edit /etc/network/interfaces

```
# Include files from /etc/network/interfaces.d:
source-directory /etc/network/interfaces.d

# The stock stanza is "iface eth0 inet manual"; replace it with the static
# one below rather than keeping both (two stanzas for eth0 is an error).
auto eth0
iface eth0 inet static
        address 10.147.20.72
        netmask 255.255.255.0
        broadcast 10.147.20.255
        gateway 10.147.20.254
        dns-nameservers redacted
        dns-search redacted
```

Raspbian manages interfaces with dhcpcd by default, which is why static addresses are usually set in /etc/dhcpcd.conf instead; whichever file you use, configure eth0 in only one of them. The Pi needs a fixed LAN address because the MASQUERADE rule below NATs all tunnelled traffic to it.

Leave this file at its defaults on the Pi:

/var/lib/zerotier-one/networks.d/zt-network-id.local.conf

```
allowManaged=1
allowGlobal=0
allowDefault=0
```

allowDefault=0 is the important one here: the exit node must not accept the network's default route itself, otherwise its own traffic, and the tunnelled traffic it is supposed to forward out eth0, would be sent back into ZeroTier. Accepting the default route is a client-side setting (see Client side below).

Find your ZeroTier interface name: zt0 on older installs, or zt followed by a hash of the network ID (ztxxxxxxxx) on current versions. `sudo zerotier-cli listnetworks` also prints it in the device column. Adapt the rest of the tutorial accordingly.

  • ip a

```
1: lo: ...
2: eth0: ...
3: wlan0: ...
5: zt0: ...
```

/etc/sysctl.conf

```
# Uncomment the next line to enable packet forwarding for IPv4
net.ipv4.ip_forward=1
```

Apply it without rebooting with `sudo sysctl -p`, and confirm with `cat /proc/sys/net/ipv4/ip_forward` (must print 1, or nothing from the tunnel is routed).

From the DigitalOcean tutorial, adapted for the Pi (the original's interface name enp1s0 is replaced by the Pi's eth0, and the nat table is flushed too):

```sh
#!/bin/sh
# A very basic iptables / Netfilter script, /etc/firewall/enable.sh

PATH='/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin'

touch /root/recent_firewall.lock

#service networking restart > /dev/null 2>&1

# Flush the filter AND nat tables, so re-running the script does not stack
# duplicate MASQUERADE rules (a plain `iptables -F` only touches filter)
/sbin/iptables -F
/sbin/iptables -t nat -F

# Default policies: the Pi itself stays reachable (INPUT/OUTPUT accept);
# nothing is forwarded unless a rule below allows it
/sbin/iptables -P INPUT   ACCEPT
/sbin/iptables -P OUTPUT  ACCEPT
/sbin/iptables -P FORWARD DROP

# Allow established connections (the responses to our outgoing traffic).
# These two INPUT rules are no-ops with an ACCEPT policy; they matter
# if INPUT is later switched to DROP.
/sbin/iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

# Allow local programs that use loopback (Unix sockets)
/sbin/iptables -A INPUT -s 127.0.0.0/8 -d 127.0.0.0/8 -i lo -j ACCEPT

# Only forward what arrives from ZeroTier (zt0, see `ip a` above) out the
# LAN uplink eth0, plus the replies coming back
/sbin/iptables -A FORWARD -i zt0 -o eth0 -j ACCEPT
/sbin/iptables -A FORWARD -i eth0 -o zt0 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT

# NAT tunnelled traffic to the Pi's LAN address, so the office router sees one host
/sbin/iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
```

The rules do not survive a reboot on their own: run the script at boot (from /etc/rc.local, or save the rule set with the iptables-persistent package).
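The following is an added example, not code from the gist or from the DigitalOcean tutorial it borrows from. It folds the "find your zt interface" step and the forwarding rules into one script: it picks the ZeroTier interface out of `ip -o link` output (assuming the Linux default zt* naming), checks that IPv4 forwarding is on, and emits the least-privilege FORWARD/NAT rules for that interface. The eth0 uplink name is an assumption from the interfaces file above, and SAMPLE_LINKS is constructed text for trying the parser on a box without ZeroTier; the rules are only applied when APPLY=1.

```sh
#!/bin/sh
# Added example: build the exit-node rules for whatever the zt interface is
# actually called, instead of hard-coding zt0.
# Assumptions: LAN uplink is eth0 (override with LAN_IF=...), ZeroTier
# interfaces are named zt* (Linux default).

LAN_IF="${LAN_IF:-eth0}"

# zt_iface_from_links: print the first zt* interface name found in
# `ip -o link` style text read from stdin (takes stdin so it can be tested
# against captured output).
zt_iface_from_links() {
    awk -F': ' '$2 ~ /^zt/ { print $2; exit }'
}

# current_zt_iface: same thing against the live system.
current_zt_iface() {
    ip -o link | zt_iface_from_links
}

# forwarding_enabled: succeeds only if net.ipv4.ip_forward is 1.
forwarding_enabled() {
    [ "$(cat /proc/sys/net/ipv4/ip_forward 2>/dev/null)" = "1" ]
}

# exit_node_rules ZT_IF LAN_IF: print the iptables commands for an exit node
# that forwards traffic arriving from ZeroTier out the LAN uplink, allows the
# replies back, and NATs everything to the Pi's LAN address. Nothing else is
# forwarded (FORWARD policy DROP).
exit_node_rules() {
    zt="$1"; lan="$2"
    cat <<EOF
iptables -t nat -F
iptables -F FORWARD
iptables -P FORWARD DROP
iptables -A FORWARD -i $zt -o $lan -j ACCEPT
iptables -A FORWARD -i $lan -o $zt -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
iptables -t nat -A POSTROUTING -o $lan -j MASQUERADE
EOF
}

# Constructed sample of `ip -o link` output (not captured from a real host),
# showing a modern hashed interface name rather than zt0.
SAMPLE_LINKS='1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP
5: ztabcdef12: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 2800 qdisc pfifo_fast state UNKNOWN'

# Only touch the running system when explicitly asked to.
if [ "${APPLY:-0}" = "1" ]; then
    ZT_IF="$(current_zt_iface)"
    [ -n "$ZT_IF" ] || { echo "no zt* interface found; is zerotier-one running and joined?" >&2; exit 1; }
    forwarding_enabled || { echo "net.ipv4.ip_forward is 0; enable it in /etc/sysctl.conf first" >&2; exit 1; }
    exit_node_rules "$ZT_IF" "$LAN_IF" | sh -e
fi
```

Run it on the Pi as `sudo APPLY=1 sh exit-node.sh`. Without APPLY it only defines the functions, so you can source it first and inspect what would be applied with `exit_node_rules "$(current_zt_iface)" eth0`; the preflight checks refuse to install rules when there is no zt interface yet or forwarding is still off, the two states in which the NAT rules would silently do nothing.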


Client side

The client is the side that accepts the network's default route, which ZeroTier refuses by default. On a Linux client: `sudo zerotier-cli set ${networkId} allowDefault=1`; the desktop clients expose the same setting as a checkbox for the network. Once it is on, the public IP the client sees from the internet should be the office's, not its own.

image
