
Configure ZeroTier on OpenWrt

Óscar García Amor edited this page Sep 19, 2024 · 3 revisions

To avoid problems, all ZeroTier configuration in this guide is done from the command line, so you must access your router via SSH.

Installation

Log into your router and run opkg update and opkg install zerotier to install ZeroTier as shown below:

root@OpenWrt:~# opkg update
root@OpenWrt:~# opkg install zerotier
Installing zerotier (1.14.1-1) to root...
Installing libstdcpp6 (13.3.0-4) to root...
Installing kmod-tun (6.6.51-1) to root...
Installing ip-tiny (6.9.0-1) to root...
Installing libminiupnpc (2.2.8-1) to root...
Installing libnatpmp1 (20230423-1) to root...
Installing libatomic1 (13.3.0-4) to root...
Configuring kmod-tun.
Configuring libstdcpp6.
Configuring ip-tiny.
Configuring libminiupnpc.
Configuring libnatpmp1.
Configuring libatomic1.
Configuring zerotier.
disabled in /etc/config/zerotier

Note that both versions and dependencies may vary slightly depending on the version of ZeroTier or OpenWrt.

Configure ZeroTier on your OpenWrt router

To configure ZeroTier in the router you must first create the network. If you have not done so, consult the Create a network in ZeroTier Central guide to do it. In our example the ZeroTier network identifier is 8ad5123ed69d6f69, this value will be different in your case.

If we look at the freshly installed ZeroTier configuration with uci, we will see something like this:

root@OpenWrt:~# uci show zerotier
zerotier.global=zerotier
zerotier.global.enabled='0'
zerotier.earth=network
zerotier.earth.id='8056c2e21c000001'
zerotier.earth.allow_managed='1'
zerotier.earth.allow_global='0'
zerotier.earth.allow_default='0'
zerotier.earth.allow_dns='0'

Or if you read the config file:

root@OpenWrt:~# cat /etc/config/zerotier

config zerotier 'global'
	# Sets whether ZeroTier is enabled or not
	option enabled 0
	# Sets the ZeroTier listening port (default 9993; set to 0 for random)
	#option port '9993'
	# Client secret (leave blank to generate a secret on first run)
	option secret ''
	# Path of the optional file local.conf (see documentation at
	# https://docs.zerotier.com/config#local-configuration-options)
	#option local_conf_path '/etc/zerotier.conf'
	# Persistent configuration directory (to perform other configurations such
	# as controller mode or moons, etc.)
	#option config_path '/etc/zerotier'
	# Copy the contents of the persistent configuration directory to memory
	# instead of linking it, this avoids writing to flash
	#option copy_config_path '1'

# Network configuration, you can have as many configurations as networks you
# want to join (the network name is optional)
config network 'earth'
	# Identifier of the network you wish to join
	option id '8056c2e21c000001'
	# Network configuration parameters (all are optional, if not indicated the
	# default values are set, see documentation at
	# https://docs.zerotier.com/config/#network-specific-configuration)
	option allow_managed '1'
	option allow_global '0'
	option allow_default '0'
	option allow_dns '0'

# Example of a second network (unnamed as it is optional)
#config network
#	option id '1234567890123456'
#	option allow_managed '1'
#	option allow_global '0'
#	option allow_default '0'
#	option allow_dns '0'

This is only a sample config that shows you all the options you can configure. To join your network, let's replace it with a new, minimal configuration:

uci set zerotier.global.enabled='1'
uci delete zerotier.earth
uci set zerotier.openwrt_network=network
uci set zerotier.openwrt_network.id='8ad5123ed69d6f69'
uci commit zerotier

If we now check the configuration, we should see something similar to the following:

root@OpenWrt:~# uci show zerotier
zerotier.global=zerotier
zerotier.global.enabled='1'
zerotier.openwrt_network=network
zerotier.openwrt_network.id='8ad5123ed69d6f69'

Or by checking the file /etc/config/zerotier:

root@OpenWrt:~# cat /etc/config/zerotier

config zerotier 'global'
	option enabled '1'

config network 'openwrt_network'
	option id '8ad5123ed69d6f69'

If it looks similar on your end, reboot your router. (Yes, you must actually reboot your router here)

root@OpenWrt:~# reboot

Tip about networks

Each network section you create is used to join that network. You can add more networks in the same way:

uci set zerotier.my_pretty_network=network
uci set zerotier.my_pretty_network.id='<network_id>'
uci commit zerotier

In the previous example the section name is my_pretty_network. This name is arbitrary, you can use whatever you want (letters, digits and underscores). To delete a network:

uci delete zerotier.my_pretty_network
uci commit zerotier

We can also add unnamed networks, in which case it is done as follows:

nid=$(uci add zerotier network)
uci set zerotier.$nid.id='<network_id>'
uci commit zerotier

In this case the network will appear with a number when reviewing the configuration:

root@OpenWrt:~# uci show zerotier
zerotier.global=zerotier
zerotier.global.enabled='1'
zerotier.openwrt_network=network
zerotier.openwrt_network.id='8ad5123ed69d6f69'
zerotier.@network[1]=network
zerotier.@network[1].id='<network_id>'

Deleting it works the same way as for a named network, but you refer to it by its index. Indices are positional and are renumbered after a deletion, so run uci show zerotier again before deleting a second unnamed network:

uci delete zerotier.@network[1]
uci commit zerotier
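The uci commands above accept any string as a network ID, and a mistyped ID silently joins nothing. The following helpers, an added example written for this page and not part of the OpenWrt package or the ZeroTier project, validate the input before touching /etc/config/zerotier and make adding a network idempotent. The function names are my own; the uci keys are the ones used throughout this guide. A ZeroTier network ID is exactly 16 hex digits (the first 10 are the controller's node address).

```shell
#!/bin/sh
# Added example (not from the wiki): validate input before writing it to
# /etc/config/zerotier, then add or remove a named network section.

# Print the normalised (lowercase) network ID, or fail if it is not 16 hex digits.
zt_normalize_network_id() {
    id=$(printf '%s' "$1" | tr 'A-F' 'a-f')
    case "$id" in
        ''|*[!0-9a-f]*) return 1 ;;
    esac
    [ ${#id} -eq 16 ] || return 1
    printf '%s\n' "$id"
}

# UCI section names may only contain letters, digits and underscores.
zt_valid_section_name() {
    case "$1" in
        ''|*[!A-Za-z0-9_]*) return 1 ;;
    esac
    return 0
}

# zt_add_network <section_name> <network_id>
# Adds a named network section unless a section with that ID already exists.
zt_add_network() {
    name=$1
    zt_valid_section_name "$name" || { echo "invalid section name: $name" >&2; return 1; }
    id=$(zt_normalize_network_id "$2") || { echo "invalid network id: $2" >&2; return 1; }
    # uci show prints lines like zerotier.<section>.id='<id>'
    if uci -q show zerotier | grep -q "\.id='$id'\$"; then
        echo "network $id is already configured" >&2
        return 0
    fi
    uci set "zerotier.$name=network"
    uci set "zerotier.$name.id=$id"
    uci commit zerotier
}

# zt_remove_network <section_name>
zt_remove_network() {
    zt_valid_section_name "$1" || return 1
    uci -q get "zerotier.$1" >/dev/null || { echo "no section named $1" >&2; return 1; }
    uci delete "zerotier.$1"
    uci commit zerotier
}

# Usage on the router (then reboot, as the guide says):
#   zt_add_network openwrt_network 8ad5123ed69d6f69
#   zt_remove_network openwrt_network
```

The validators are pure shell, so they can be exercised on any machine; only zt_add_network and zt_remove_network need to run on the router where uci exists.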

After the reboot, log back in via SSH and verify that the ztXXXXXXXX interface is up and running. The XXXXXXXX part is derived from the network ID:

root@OpenWrt:~# ip a
... (several networks)
7: ztXXXXXXXX: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 2800 qdisc fq_codel state UNKNOWN group default qlen 1000
    link/ether 02:86:64:98:4b:6d brd ff:ff:ff:ff:ff:ff
    inet6 fe80::86:64ff:fe98:4b6d/64 scope link proto kernel_ll
       valid_lft forever preferred_lft forever

Your ZeroTier client should be in state online:

root@OpenWrt:~# zerotier-cli info
200 info 866484a9af 1.14.1 ONLINE

If we now look at our config again, there should be a new option called secret:

root@OpenWrt:~# uci show zerotier
zerotier.global=zerotier
zerotier.global.enabled='1'
zerotier.global.secret='0e49c4d11b:0:...'
zerotier.openwrt_network=network
zerotier.openwrt_network.id='8ad5123ed69d6f69'

The zerotier.global.secret is the content of /var/lib/zerotier-one/identity.secret, the router's ZeroTier node identity private key. Whoever holds it can impersonate the router's ZeroTier address (866484a9af in the example above), so treat this file and /etc/config/zerotier as secrets. If for some reason the secret is missing from the configuration, you can add it with the following command:

uci set zerotier.global.secret="$(cat /var/lib/zerotier-one/identity.secret)"
uci commit zerotier

After some time, your OpenWrt router should appear within your controller (my.zerotier.com or on your self-hosted one).

Make sure you Authorize the client, so it can pick up an IP address from your network. Because we later want to route the traffic of all members of our ZeroTier network into our LAN, we make sure that the ZeroTier IP address of our OpenWrt router is fixed to 172.28.28.1 by setting it manually in the ZeroTier controller (e.g. my.zerotier.com). Also make sure that you have checked the Allow Ethernet Bridging option.

(Screenshot: Configured Member)

Warning: If you change any network settings for the ZeroTier client running on your OpenWrt router, reboot the router afterwards, because it sometimes does not pick up the changed configuration.

After the OpenWrt router has been authorized as a ZeroTier client, it should pick up the configuration of your network (e.g. the IP address) for its ztXXXXXXXX interface:

root@OpenWrt:~# ip a
... (several networks)
7: ztXXXXXXXX: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 2800 qdisc fq_codel state UNKNOWN group default qlen 1000
    link/ether 02:86:64:98:4b:6d brd ff:ff:ff:ff:ff:ff
    inet 172.28.28.1/24 brd 172.28.28.255 scope global ztXXXXXXXX
       valid_lft forever preferred_lft forever
    inet6 fe80::86:64ff:fe98:4b6d/64 scope link proto kernel_ll
       valid_lft forever preferred_lft forever

Open OpenWrt Firewall for ZeroTier Incoming Connections

ZeroTier works without any firewall change, because the router initiates outbound UDP connections itself, but peers behind NAT may then only reach it through a relay or after NAT hole-punching. Permitting incoming UDP on port 9993 lets remote peers establish direct paths, which gives better performance. The rule below uses src='*', i.e. it applies to every zone, including wan; if your lan zone already accepts input (the OpenWrt default), src='wan' is sufficient. If you set a different listening port with option port in /etc/config/zerotier, open that port instead.

Just execute the following commands:

uci add firewall rule
uci set firewall.@rule[-1].name='Allow-ZeroTier-Inbound'
uci set firewall.@rule[-1].src='*'
uci set firewall.@rule[-1].target='ACCEPT'
uci set firewall.@rule[-1].proto='udp'
uci set firewall.@rule[-1].dest_port='9993'
uci commit firewall

And restart the firewall to apply the changes:

/etc/init.d/firewall restart

This should create an entry similar to this in /etc/config/firewall:

config rule
	option enabled '1'
	option target 'ACCEPT'
	option proto 'udp'
	option dest_port '9993'
	option name 'Allow-ZeroTier-Inbound'
	option src '*'

Note: The option enabled '1' is optional.
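Whether the rule achieved its purpose can be checked with zerotier-cli peers: each LEAF peer is listed with a link of DIRECT or RELAY, and relayed leaf peers are the symptom the rule is meant to cure. The script below is an added example for this page, not part of the wiki or the ZeroTier project; the sample output it embeds is constructed (made-up node addresses, documentation-range IPs) in the column layout zerotier-cli peers prints, and the function names are my own.

```shell
#!/bin/sh
# Added example (not from the wiki): summarise `zerotier-cli peers` output to
# see whether LEAF peers reach this router directly or through a relay.

# Constructed sample of `zerotier-cli peers` output (node addresses and IPs are made up).
ZT_SAMPLE_PEERS='200 peers
<ztaddr>   <ver>  <role> <lat> <link>   <lastTX> <lastRX> <path>
62f865ae71 1.14.1 LEAF      13 DIRECT   4018     4018     203.0.113.7/9993
a1b2c3d4e5 1.12.2 LEAF      -1 RELAY    -1       -1
778cde7190 -      PLANET    31 DIRECT   2001     2001     198.51.100.9/9993
9e1b0f42aa 1.14.1 LEAF      88 DIRECT   512      510      192.0.2.44/23000'

# zt_count_leaf_links <DIRECT|RELAY>: count LEAF peers (stdin) with that link type.
# Root servers (PLANET/MOON) are skipped; only leaf peers tell us about our NAT path.
zt_count_leaf_links() {
    awk -v want="$1" '$3 == "LEAF" && $5 == want { n++ } END { print n + 0 }'
}

# zt_relayed_leaf_addrs: ZeroTier addresses of LEAF peers (stdin) that are relayed.
zt_relayed_leaf_addrs() {
    awk '$3 == "LEAF" && $5 == "RELAY" { print $1 }'
}

# zt_check_peers [sample]: returns 0 if every LEAF peer has a direct path,
# 1 if some are relayed, 2 if zerotier-cli could not be run.
# With the argument "sample" the constructed output above is used instead.
zt_check_peers() {
    if [ "$1" = sample ]; then
        input=$ZT_SAMPLE_PEERS
    else
        input=$(zerotier-cli peers) || return 2
    fi
    direct=$(printf '%s\n' "$input" | zt_count_leaf_links DIRECT)
    relayed=$(printf '%s\n' "$input" | zt_count_leaf_links RELAY)
    echo "leaf peers: direct=$direct relayed=$relayed"
    if [ "$relayed" -gt 0 ]; then
        echo "relayed leaf peers (no direct UDP path yet):"
        printf '%s\n' "$input" | zt_relayed_leaf_addrs
        return 1
    fi
    return 0
}

# On the router: zt_check_peers        (live data)
# Anywhere:      zt_check_peers sample (constructed data, reports one relayed peer)
```

A peer that stays on RELAY after the rule is in place and the router has been rebooted usually means the UDP packets are not reaching port 9993 from the outside (an upstream NAT or ISP filter), which this firewall rule cannot fix on its own.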

Completing the configuration

At this point the ZeroTier network is configured and you should be able to communicate from your router to any host on the network and vice versa. If you also want any host in your local network to be able to communicate with any host in your ZeroTier network take a look at the Configure ZeroTier routing in OpenWrt guide.

It is now a good time to back up the configuration of your OpenWrt router. Keep in mind that the backup now contains zerotier.global.secret, the router's ZeroTier identity private key, so store it as carefully as any other credential.