Full Tunnel Mode (again!)

I’ve been working on getting Full Tunnel Mode working and am running into exactly the same problem as this person: Full Tunnel Mode

@olesyey were you ever able to get it working?

@zt-grant does this page need to be updated maybe? https://zerotier.atlassian.net/wiki/spaces/SD/pages/7110693/Overriding+Default+Route+Full+Tunnel+Mode

That document should still be relevant. My tunnels still work. Hmm.

Centos clients might still be sensitive about the rp_filter setting mentioned.

Are your clients getting “direct” connections to the gateway node in zerotier-cli peers ?

Thanks for responding @zt-travis … got this figured out … I had uncommented the following from the default flow rules in ZeroTier Central:

# Uncomment to drop non-ZeroTier issued and managed IP addresses.
# This prevents IP spoofing but also blocks manual IP management at the OS level and
# bridging unless special rules to exempt certain hosts or traffic are added before
# this rule.
	not chr ipauth

Re-commenting those three lines solved the problem.

This does make me wonder though, is there an improved way I could write that rule so that bridging is supported but unwanted IP spoofing etc is prevented?

Thanks! We’ll have to remember to check that next time someone asks about routing.

For Maybe something like

drop ipdest  and not chr ipauth

(replace the subnet with your network’s subnet)

I’d probably have to think about it more. It’s tricky to get outgoing and returning traffic right.
If the only nodes on your network are your devices, you might not need to worry about chr ipauth
I don’t know if I would let people I don’t know/trust use one of my nodes as an internet exit :slight_smile:

Thanks @zt-travis … yeah my network is private so untrusted users not a problem. So maybe I don’t need to worry about this?

OK so now I’ve got Android and iOS clients connecting correctly and routing internet traffic through my egress node.

But I’m having trouble getting a Linux client to route internet traffic.

I’ve got net.ipv4.conf.all.rp_filter = 2 set on the Linux client and rebooted, and I’m able to ping the egress node from the Linux client via the egress node’s ZeroTier address, as long as allowDefault is set to false for the ZeroTier network on the Linux client.

But as soon as I set allowDefault=true on the Linux client, I lose all connectivity … can not connect to internet and also can no longer ping the egress node via its ZeroTier IP address.

Any ideas? I am probably missing a step in the instructions.

I don’t think so. Ask your doctor if chr ipauth is right for you.

That should just work on linux. I can’t think of any extra steps other than “allowDefault” at the moment.
Is the linux client getting a “direct” connection to the router? Maybe look at the firewall on the linux client.

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.