Full tunnel, 99.9% of the way there but stuck (iptables)

I am new to ZeroTier but a quick study. I have it on all the Linux machines I need to talk to each other to pass sensor collection data between them without the high overhead of OpenVPN - and speed is improved, improving synchronization of everything.

My full tunnel (ip4) setup is working with 1 public-facing cloud machine acting as my exit node that centralizes all my data to the public. I did this because of the need for port forwarding behind all the different networks my data collection devices are behind.

Now my problem. From the public, everything is fully accessible the way it should be expected with full tunnel. My ZT clients, though, can’t access http://<my_FQDN>:PORT if that port forwards beyond my entry point computer, if they are configured/connected for full tunnel as they are. It just sits and eventually times out. I can however access using <zerotier_ip>:DEVICE_PORT and it goes successfully - as it should when running as a client.

Some of my ports are app specific so they are a 1:1 port forward (8504 → 8504); others are to keep the systems intact, i.e. ssh (2200 → 22 on ip 10.x.x.*0 / 2201 → 22 on 10.x.x.*1 etc…)

I know nothing about proper iptables rules (learning as I go) and have only gone off of many dozens of threads to get this working. One comment on a reply SOMEWHERE mentioned that they needed to provide the original poster an additional rule so the ZT clients’ request would hit the “gateway”/“exit node” and come back in and be directed like it was a normal request. I can’t find this again or figure this out for the life of me.

All my machines are set up correctly so that when I do “curl -4 ifconfig.co” it shows the IP of my public-facing “exit node” no matter what ISP they are connected to.

I’ve attached an image of my “exit node” iptables -L --line-numbers output. It looks like a mess because of the docker apps running on it.

My interfaces are eth0 & ztc3quyxi2
My zero tier ip set is 10.0.11.0/2
My Linux installs are all either Ubuntu v20+ or Rpi (no GPU)
No bridging or DNS changes are forced on the clients

I know it’s an exit node rule issue because it even happens on my cell phone ONLY when “pass all data through zerotier” option is selected. If I shut that off, then I can access everything correctly when my phone client is running.

EDIT: I have also added a link to the screenshot of my nat table showing the forwarding currently set up on it, since new users can only enable one object in a post.

EXTRA CREDIT Different issue - As a bonus, how do I force a permanent route change on a Windows computer to pass all of its data through ZeroTier as Linux machines do so easily? The UI does not make any routing changes to Windows to the extent needed to do this. It’s my only appliance that I need to port forward to that is Windows-based. The software has a built-in webserver specific to it. This machine is Ethernet direct to my ISP modem (which does not offer port forwarding) but my Linux machines behind it all forward fine - so again a route issue. When I ran OpenVPN I was able to tunnel just fine to it because it changed the routing.

Thanks everyone, these groups and articles have been amazing and I hope to contribute my experience from all this.

Here is the answer… all the way at the bottom of this document:

https://www.netfilter.org/documentation/HOWTO/NAT-HOWTO-10.html

Works like a charm!
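The rules the linked HOWTO section describes (destination NAT back onto the same network, plus a source-NAT rule so the reply returns through the gateway), written out for the exit node in this thread. This is an added example, not code from the poster or the HOWTO: eth0, ztc3quyxi2 and the 10.0.11.x addresses are from the thread, while the /24 mask, the public address 203.0.113.10 and the 8504 → 10.0.11.10 mapping are constructed placeholders.

```shell
#!/bin/sh
# Added example, not from the thread: hairpin ("local") NAT on a ZeroTier
# exit node so that full-tunnel clients reaching PUBLIC_IP:PORT are
# forwarded exactly like a visitor from the internet would be.
# eth0, ztc3quyxi2 and 10.0.11.x come from the thread; the /24 mask,
# PUBLIC_IP and the 8504 -> 10.0.11.10 mapping are constructed.
WAN_IF=eth0
ZT_IF=ztc3quyxi2
ZT_NET=10.0.11.0/24
PUBLIC_IP=203.0.113.10   # constructed placeholder for the exit node's public address

# run_rule: run iptables, or just print the command when DRY_RUN=1
run_rule() {
  if [ "${DRY_RUN:-0}" = 1 ]; then echo "iptables $*"; else iptables "$@"; fi
}

# hairpin_forward PUBLIC_PORT TARGET_IP TARGET_PORT
hairpin_forward() {
  pub_port=$1; target=$2; target_port=$3
  # 1. The usual DNAT for visitors arriving from the internet.
  run_rule -t nat -A PREROUTING -i "$WAN_IF" -p tcp --dport "$pub_port" \
    -j DNAT --to-destination "$target:$target_port"
  # 2. The same DNAT for ZT clients whose full-tunnel default route brings a
  #    packet for PUBLIC_IP in on the ZeroTier interface (the "come back in" rule).
  run_rule -t nat -A PREROUTING -i "$ZT_IF" -d "$PUBLIC_IP" -p tcp --dport "$pub_port" \
    -j DNAT --to-destination "$target:$target_port"
  # 3. Rewrite the source of that hairpinned flow to the exit node's own ZT
  #    address. Without this the target answers the client directly, the client
  #    sees a reply from 10.0.11.x instead of PUBLIC_IP, and the connection hangs.
  run_rule -t nat -A POSTROUTING -s "$ZT_NET" -d "$target" -p tcp --dport "$target_port" \
    -j MASQUERADE
  # 4. Docker typically sets the FORWARD policy to DROP, so allow the ZT-to-ZT hop.
  run_rule -A FORWARD -i "$ZT_IF" -o "$ZT_IF" -d "$target" -p tcp --dport "$target_port" -j ACCEPT
}

# Requires net.ipv4.ip_forward=1 on the exit node. Demonstration: print the
# rules for one 1:1 mapping instead of applying them.
DRY_RUN=1 hairpin_forward 8504 10.0.11.10 8504
```

Drop `DRY_RUN=1` to apply the rules for real; a 2200 → 22 mapping is just `hairpin_forward 2200 10.0.11.20 22`.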

For Windows routing, if you have only configured your full tunnel exit point for ip4, then go into the Windows Control Panel, network settings, change network adapter properties and disable ip6 physically in the adapter settings of the NIC you connect to your Internet with.

Set the ZeroTier app settings to the following:

As soon as I did that, everything works. https://ifconfig.co states my exit node’s IP address and port forwarding through my exit node works.

Hope this helps someone.
