Skip to content

Instantly share code, notes, and snippets.

@rogeriopradoj

rogeriopradoj/zt_VPN.md

Forked from markus2120/zt_VPN.md
Created February 11, 2022 10:17
Show Gist options
  • Save rogeriopradoj/84a42420695f048705073aaf5f51c233 to your computer and use it in GitHub Desktop.
Save rogeriopradoj/84a42420695f048705073aaf5f51c233 to your computer and use it in GitHub Desktop.
Download ZIP
Route all traffic with a raspberry pi like a VPN
Raw
zt_VPN.md

Credits

what?

Route all traffic with a raspberry pi like a VPN.

steps

at my.zerotier.com

  • create account
  • create network on Networks tab
  • copy Network ID
  • delete the auto-assign range and managed route for IPv4
  • ip listed here must be what gets assigned in zerotier web interface 'managed ips' section 10.147.20.66. See below
  • eth0 of raspberry pi 10.147.17.1

Important

  • The main point is that the local-physical-ethernet-network 10.147.17.0/24 and zt-network is 10.147.20.0/24
  • If you have public ips it did not work for me

image

back on pi

  • sudo zerotier-cli join ${networkId}

on my.zerotier.com

  • Since our office has NAT network I have blacked the public IP - right side...
  • Warning: Do not enable Bridge

image

edit /etc/network/interfaces

# Include files from /etc/network/interfaces.d:
source-directory /etc/network/interfaces.d
auto eth0
iface eth0 inet manual

auto eth0
iface eth0 inet static
        address 10.147.17.1
        netmask 255.255.255.0
        broadcast 10.147.20.255
        gateway 10.147.20.254
        dns-nameservers redacted
        dns-search redacted

This file is default

/var/lib/zerotier-one/networks.d/zt-network-id.local.conf

allowManaged=1
allowGlobal=0
allowDefault=0

Find your interface name zt0 or zt??????. Adapt tutorial accordingly.

  • ip a

1: lo: 
2: eth0: 
3: wlan0: 
5: zt0:

/etc/sysctl.conf

Uncomment the next line to enable packet forwarding for IPv4


net.ipv4.ip_forward=1

From DO tutorial

#!/bin/bash
# A very basic IPtables / Netfilter script /etc/firewall/enable.sh

PATH='/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin'

#service networking restart > /dev/null 2>&1

touch /root/RUNNING_FIREWALL_IPTABLES_NOW

# Flush the tables to apply changes
/sbin/iptables -F

# Default policy to drop 'everything' but our output to internet
/sbin/iptables -P FORWARD ACCEPT
/sbin/iptables -P INPUT   ACCEPT
/sbin/iptables -P OUTPUT  ACCEPT

# Allow established connections (the responses to our outgoing traffic)
/sbin/iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

# Allow local programs that use loopback (Unix sockets)
/sbin/iptables -A INPUT -s 127.0.0.0/8 -d 127.0.0.0/8 -i lo -j ACCEPT

/sbin/iptables -t nat -A POSTROUTING -o enp2s0 -j MASQUERADE
/sbin/iptables -A FORWARD -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
/sbin/iptables -A FORWARD -i ztklhsm3zp -o enp2s0 -j ACCEPT


exit 0

Client side

image

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment