[Guide] Setup ZeroTier to connect 3 sites with IPv4 and IPv6

I manage networking at 3 locations. Every location has a LAN with IPv4 and IPv6. I want to connect these LANs with ZeroTier. Various websites and articles gave me some pointers to get this working. Maybe some people will find my setup helpful.

ZeroTier is installed on an EdgeMAX router at Site1 and Site2 (see https://kruyt.org/zerotier-on-a-ubiquiti-edgerouter for how to install); Site3 has ZeroTier on an OPNsense router (see https://docs.opnsense.org/manual/how-tos/zerotier.html).

ZeroTier network setup

The controller is installed on an AWS EC2 instance; port 9993/UDP has to be open to the internet. Configuration is done with some API commands.

Get the authorisation secret and put it in a variable:

TOKEN=$(sudo cat /var/lib/zerotier-one/authtoken.secret)

Get your nodeid and put it in a variable:

curl -X GET "http://localhost:9993/status" -H "X-ZT1-AUTH: ${TOKEN}"

The output will show your nodeid in “address”; store that value in NODEID.


Create your network and put it in a variable:

curl -X POST "http://localhost:9993/controller/network/${NODEID}______" -H "X-ZT1-AUTH: ${TOKEN}" -d '{}'

Posting ${NODEID}______ will generate a random networkid. The response contains the new network ID; store it in NWID.


Configure the network:

# The JSON body is single-quoted, so it can span lines without trailing backslashes.
curl -X POST "http://localhost:9993/controller/network/${NWID}" -H "X-ZT1-AUTH: ${TOKEN}" \
  -d '{"ipAssignmentPools": [{"ipRangeStart": "", "ipRangeEnd": ""}],
  "v4AssignMode": "zt", "private": true, "v6AssignMode": { "6plane": false, "rfc4193": true, "zt": false } }'

Router setup

On the EdgeMAX router, configuration can be done via the CLI:

sudo zerotier-cli join 8d6xxxxxxxxxxx65

Allow routing configuration of global IPv6 addresses on all clients:

sudo zerotier-cli set 8d6xxxxxxxxxxx65 allowGlobal=1

Get the nodeid:

sudo zerotier-cli info

On OPNsense, configuration is done via the GUI; also make a note of the nodeid.

Authorize the routers on the ZeroTier controller

Every router should be authorized with its nodeid:

curl -X POST "http://localhost:9993/controller/network/${NWID}/member/48xxxxxxe9" -H "X-ZT1-AUTH: ${TOKEN}" -d '{"authorized": true}'

After authorisation, make a note of the IP addresses given to the routers.

ZeroTier network routing

network:, 2001:41xx:xxxx:xxxx::/64
router:, fd8d:xxxx:xxxx:xxxx:xxxx:xxxx:xxxx:1ae9/88

network:, 2001:1cxx:xxxx:xxxx::/64
router:, fd8d:xxxx:xxxx:xxxx:xxxx:xxxx:xxxx:2393/88

network:, 2a0f:29xx:xxxx:xxxx::/64
router:, fd8d:xxxx:xxxx:xxxx:xxxx:xxxx:xxxx:2c98/88

Configure the routing:

# The JSON body is single-quoted, so it can span lines without trailing backslashes.
curl -X POST "http://localhost:9993/controller/network/${NWID}/" -H "X-ZT1-AUTH: ${TOKEN}" \
  -d '{ "routes": [{"target": "", "via": null},
  {"target": "", "via": ""},
  {"target": "", "via": ""},
  {"target": "", "via": ""},
  {"target": "fd8d:xxxx:xxxx:xxxx:xxxx::/80", "via": null},
  {"target": "2001:41xx:xxxx:xxxx::/64", "via": "fd8d:xxxx:xxxx:xxxx:xxxx:xxxx:xxxx:1ae9"},
  {"target": "2001:1cxx:xxxx:xxxx::/64", "via": "fd8d:xxxx:xxxx:xxxx:xxxx:xxxx:xxxx:2393"},
  {"target": "2a0f:29xx:xxxx:xxxx::/64", "via": "fd8d:xxxx:xxxx:xxxx:xxxx:xxxx:xxxx:2c98"} ] }'

With the right local DNS service, all devices on all sites can now reach each other.
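
The controller pushes the route table above to every member, and with allowGlobal=1 the routers also accept routes for global IPv6 prefixes, so it is worth checking the table before posting it. The following Python check is an added example, not part of the original guide; the function name check_routes, the sample prefixes and the network ID embedded in the sample addresses are constructed for illustration.

```python
import ipaddress


def check_routes(routes):
    """Return a list of problems in a controller "routes" array (empty list = OK)."""
    problems, parsed = [], []
    for r in routes:
        try:
            # strict=True rejects targets with host bits set, e.g. 2001:db8:1::1/64
            net = ipaddress.ip_network(r["target"], strict=True)
            via = r.get("via")
            # An empty string is not a gateway; only an explicit null means "on-link".
            gw = None if via is None else ipaddress.ip_address(via)
        except (KeyError, ValueError) as exc:
            problems.append(f"unparseable route {r!r}: {exc}")
            continue
        parsed.append((net, gw))

    # Routes with "via": null are the prefixes carried by ZeroTier itself.
    managed = [net for net, gw in parsed if gw is None]
    seen = set()
    for net, gw in parsed:
        if net in seen:
            problems.append(f"{net}: target listed more than once")
        seen.add(net)
        if gw is None:
            continue
        # A gateway must be a ZeroTier address, i.e. inside a managed prefix.
        if not any(gw in m for m in managed):
            problems.append(f"{net}: gateway {gw} is outside every managed prefix")
        # A site LAN must not shadow the ZeroTier prefix itself.
        if any(net.overlaps(m) for m in managed if m.version == net.version):
            problems.append(f"{net}: LAN route overlaps a managed prefix")
    return problems


# Constructed sample: private/documentation prefixes and a made-up network ID.
SAMPLE = [
    {"target": "10.147.17.0/24", "via": None},
    {"target": "192.168.1.0/24", "via": "10.147.17.1"},
    {"target": "fd8d:6a1b:2c3d:4e5f:6599::/80", "via": None},
    {"target": "2001:db8:1::/64", "via": "fd8d:6a1b:2c3d:4e5f:6599:93aa:bbcc:1ae9"},
    {"target": "2001:db8:2::/64", "via": "fd8d:6a1b:2c3d:4e5f:6599:93dd:eeff:2393"},
]

if __name__ == "__main__":
    for line in check_routes(SAMPLE) or ["routes OK"]:
        print(line)
```

Run it on the same list you are about to send as "routes"; any reported line should be resolved before the POST.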