Full Tunnel Mode (again!)

boozedog · April 9, 2023, 2:15am

I’ve been working on getting Full Tunnel Mode working and am running into exactly the same problem as this person: Full Tunnel Mode

@olesyey were you ever able to get it working?

@zt-grant does this page need to be updated maybe? https://zerotier.atlassian.net/wiki/spaces/SD/pages/7110693/Overriding+Default+Route+Full+Tunnel+Mode

zt-travis · April 10, 2023, 7:12pm

Hello,
That document should still be relevant. My tunnels still work. Hmm.

Centos clients might still be sensitive about the rp_filter setting mentioned.

Are your clients getting “direct” connections to the gateway node in zerotier-cli peers ?

boozedog · April 10, 2023, 10:14pm

Thanks for responding @zt-travis … got this figured out … I had uncommented the following from the default flow rules in ZeroTier Central:

#
# Uncomment to drop non-ZeroTier issued and managed IP addresses.
#
# This prevents IP spoofing but also blocks manual IP management at the OS level and
# bridging unless special rules to exempt certain hosts or traffic are added before
# this rule.
#
drop
	not chr ipauth
;

Re-commenting those three lines solved the problem.

This does make me wonder though, is there an improved way I could write that rule so that bridging is supported but unwanted IP spoofing etc is prevented?

zt-travis · April 10, 2023, 10:43pm

Thanks! We’ll have to remember to check that next time someone asks about routing.

For Maybe something like

drop ipdest 10.147.20.0/24  and not chr ipauth

(replace the subnet with your network’s subnet)

I’d probably have to think about it more. It’s tricky to get outgoing and returning traffic right.
If the only nodes on your network are your devices, you might not need to worry about chr ipauth
I don’t know if I would let people I don’t know/trust use one of my nodes as an internet exit

boozedog · April 10, 2023, 10:55pm

Thanks @zt-travis … yeah my network is private so untrusted users not a problem. So maybe I don’t need to worry about this?

boozedog · April 11, 2023, 11:30am

OK so now I’ve got Android and iOS clients connecting correctly and routing internet traffic through my egress node.

But I’m having trouble getting a Linux client to route internet traffic.

I’ve got net.ipv4.conf.all.rp_filter = 2 set on the Linux client and rebooted, and I’m able to ping the egress node from the Linux client via the egress node’s ZeroTier address, as long as allowDefault is set to false for the ZeroTier network on the Linux client.

But as soon as I set allowDefault=true on the Linux client, I lose all connectivity … can not connect to internet and also can no longer ping the egress node via its ZeroTier IP address.

Any ideas? I am probably missing a step in the instructions.

zt-travis · April 11, 2023, 3:44pm

I don’t think so. Ask your doctor if chr ipauth is right for you.

That should just work on linux. I can’t think of any extra steps other than “allowDefault” at the moment.
Is the linux client getting a “direct” connection to the router? Maybe look at the firewall on the linux client.

system · May 11, 2023, 3:44pm

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.