@tjelen
Last active December 29, 2023 13:34
Zerotier: Setting up the default gateway in Ubuntu Linux

Zerotier Ubuntu config notes

Setting up the default gateway (for VPN tunnelling)

Ubuntu 18.04 UFW settings, based on [1] Step 1

  • ens3 .. primary physical Ethernet interface
  • 10.243.0.0/16 .. ZeroTier (ZT) network
  • 167.76.77.177 .. the public IP on the ens3 interface
  1. Add 2 changes to /etc/ufw/before.rules:
#
# rules.before
#
# Rules that should be run before the ufw command line added rules. Custom
# rules should be added to one of these chains:
#   ufw-before-input
#   ufw-before-output
#   ufw-before-forward
#

# (A) Zerotier NAT
*nat
:POSTROUTING ACCEPT [0:0]
-A POSTROUTING -o ens3 -s 10.243.0.0/16 -j SNAT --to-source 167.76.77.177
COMMIT

# Don't delete these required lines, otherwise there will be errors
*filter

...

# (B) Zerotier forwarding
-A FORWARD -i zt+ -s 10.243.0.0/16 -d 0.0.0.0/0 -j ACCEPT
# destination mask is /16 (the ZT network); a /0 mask would match every destination
-A FORWARD -i ens+ -s 0.0.0.0/0 -d 10.243.0.0/16 -j ACCEPT

# don't delete the 'COMMIT' line or these rules won't be processed
COMMIT

  2. Change the default forwarding policy in /etc/default/ufw
DEFAULT_FORWARD_POLICY="ACCEPT"
  3. Allow Zerotier and SSH
$ sudo ufw allow 9993/udp
$ sudo ufw allow OpenSSH
  4. Enable/restart the firewall
$ sudo ufw disable
$ sudo ufw enable
  5. Enable forwarding in /etc/sysctl.conf:
net.ipv4.ip_forward=1

To activate:

$ sudo sysctl -p
  6. Add a default route in Zerotier network config, see [1] Step 2

  7. Enable "Allow default" switch on client devices, see [1] Step 3
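As an added example (not the gist author's code, nor ZeroTier or ufw tooling), the Python below renders the (A) NAT and (B) forwarding fragments from the three site values above, and audits an existing before.rules for the match-everything destination that a mistyped mask such as /0 produces; the function names are my own.

```python
"""Helpers for the ZeroTier gateway rules in /etc/ufw/before.rules.
Constructed example for these notes, not ZeroTier's or ufw's own tooling."""
import ipaddress
import re


def zt_gateway_rules(wan_iface: str, zt_subnet: str, public_ip: str) -> dict:
    """Render the (A) NAT and (B) forwarding fragments from the three site values.

    ipaddress.ip_network(strict=True) rejects a prefix that leaves host bits
    set, so a slip such as '10.243.0.0/0' raises instead of silently becoming
    a match-everything destination.
    """
    if not re.fullmatch(r"[a-z][a-z0-9]*", wan_iface):
        raise ValueError(f"bad interface name: {wan_iface!r}")
    net = ipaddress.ip_network(zt_subnet, strict=True)
    ip = ipaddress.ip_address(public_ip)
    if net.version != 4 or ip.version != 4 or net.prefixlen == 0:
        raise ValueError("need an IPv4 subnet with a non-zero prefix and an IPv4 address")
    wan_glob = re.sub(r"\d+$", "", wan_iface) + "+"  # "ens3" -> "ens+", as in the notes
    nat = [
        "*nat",
        ":POSTROUTING ACCEPT [0:0]",
        f"-A POSTROUTING -o {wan_iface} -s {net} -j SNAT --to-source {ip}",
        "COMMIT",
    ]
    forward = [
        f"-A FORWARD -i zt+ -s {net} -d 0.0.0.0/0 -j ACCEPT",
        f"-A FORWARD -i {wan_glob} -s 0.0.0.0/0 -d {net} -j ACCEPT",
    ]
    return {"nat": nat, "forward": forward}


def overly_broad_forward_rules(before_rules: str) -> list:
    """Audit existing before.rules text: return FORWARD ACCEPT rules that come
    in from a non-ZeroTier interface yet match every destination, which is
    what a mistyped '/0' mask produces."""
    flagged = []
    for line in before_rules.splitlines():
        if not line.startswith("-A FORWARD") or "-j ACCEPT" not in line:
            continue
        opts = dict(re.findall(r"(-[isd]) (\S+)", line))
        if opts.get("-i", "").startswith("zt"):
            continue  # tunnel -> internet is meant to be unrestricted
        dst = ipaddress.ip_network(opts.get("-d", "0.0.0.0/0"), strict=False)
        if dst.prefixlen == 0:
            flagged.append(line)
    return flagged
```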

Relevant links:
