Very new here and very new to ZeroTier. I started using ZeroTier because my office location still has no possibility of a wired internet connection, and I am behind a 5G router, which does not allow inbound traffic to our web server. So the plan is to make the web server accessible through my home network, which does have fiber and a fixed public IP address. Bandwidth is not a problem; the web traffic is hardly consuming anything, it just displays a simple form.
I have a ZeroTier node in both the home and office LANs and I can interconnect between these. So far so good. And before anyone asks after seeing the layout I want to achieve, "Why don't you just run ZeroTier on the web server?": there is a valid reason for that which I won't elaborate on, too long a story.
Now the part that I have been struggling with for days, getting totally lost in iptables and some newer method that confuses the **** out of me, is getting the web traffic from my firewall at home all the way through to the web server and back. All the solutions I have read and tried only make me more confused, as I am a total n00b in iptables, masquerading etc. What I hope to achieve is finding someone who can help me step through this and get it to work. I know my way around the terminal, I know vi, but not much about this subject.
Zerotier home: Raspberry Pi 4 running Ubuntu Server (latest LTS version, I believe 24.04)
Zerotier office: PC running Ubuntu LTS 24.04
OK - I've done a similar setup with ZeroTier and other VPNs. No need to fiddle with iptables, masquerading et al. Some straightforward routing and basic tech should do the job.
I’ve redone your schema to more clearly show the logical networks that we’re dealing with:
In this case, routing completely from end to end, given the routers in place, is going to be frustrating and complicated. But there are a few shortcuts that we can take. If you start with pfSense and NAT 80 and 443 to the RPi (192.168.1.19), traffic on those ports will be able to come in from your internet IP address. Then I would install a simple nginx proxy on the RPi that takes any incoming requests on those ports and forwards them to your web server (192.168.4.58).
But at this point, the web server is living on a network that the RPi doesn’t know anything about, so you’ll need to add a managed route to the Zerotier configuration to use the Zerotier IP of the Ubuntu PC (10.x.y.2) as the route to get to 192.168.4.0/24.
The Ubuntu PC at the office will need to be set up with forwarding enabled:
sudo vi /etc/sysctl.conf
# uncomment net.ipv4.ip_forward=1
sudo sysctl -p
This will allow it to receive packets that are destined for machines other than itself and forward them onto their destination (in this case the web server).
Then we need to sort out the return route for the web server to send back a response to the proxy server. From the web server’s perspective the original requests come from 10.x.y.1 so that’s where they’ll want to send the response. But once again, it has no idea how to get to this network. The simplest thing to do would be to locally add a route to the web server telling it to go through the Ubuntu PC for anything destined for the zerotier address space.
If the webserver is also Ubuntu and using Netplan you’ll want to add something like this to the Netplan configuration file:
routes:
  - to: default
    via: 192.168.4.1
  - to: 10.x.y.0/24
    via: 192.168.4.79
    metric: 100
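The four pieces of the answer above (nginx proxy on the Pi, forwarding on the office PC, the return route on the web server, and the managed route on the controller) rendered as one script. This is an added example, not code from the thread or from ZeroTier. It uses the addresses the thread already gives (Pi 192.168.1.19, web server 192.168.4.58, office PC 192.168.4.79 on the LAN and 10.x.y.2 on ZeroTier, office gateway 192.168.4.1); the interface name eth0 and the availability of nginx's stream module are assumptions. The script only prints the files; applying them is left to the commands named in the comments.

```shell
#!/bin/sh
# Added example: render the configuration for the reverse-proxy approach.
# Run as:  sh proxy-setup.sh render      (prints every file, applies nothing)
# Replace 10.x.y with the real ZeroTier prefix before using the output.
set -eu

WEB_SERVER="192.168.4.58"
OFFICE_LAN="192.168.4.0/24"
OFFICE_GW="192.168.4.1"
OFFICE_PC_LAN="192.168.4.79"
OFFICE_PC_ZT="10.x.y.2"
ZT_NET="10.x.y.0/24"      # placeholder, as in the thread

# 1. nginx on the RPi (complete /etc/nginx/nginx.conf). Port 80 is a normal
#    HTTP reverse proxy with forwarding headers so the web server still sees
#    the real client address. Port 443 is passed through at the TCP level, so
#    TLS keeps terminating on the web server and the Pi needs no certificate.
#    Assumption: the stream module is loaded (libnginx-mod-stream on Debian/Ubuntu).
#    Apply with:  sudo nginx -t && sudo systemctl reload nginx
nginx_proxy_conf() {
  cat <<EOF
events {}
http {
    server {
        listen 80 default_server;
        # fixed upstream: every request goes to one host, this is not an open proxy
        location / {
            proxy_pass http://$WEB_SERVER;
            proxy_set_header Host              \$host;
            proxy_set_header X-Real-IP         \$remote_addr;
            proxy_set_header X-Forwarded-For   \$proxy_add_x_forwarded_for;
            proxy_set_header X-Forwarded-Proto \$scheme;
        }
    }
}
stream {
    server {
        listen 443;
        proxy_pass $WEB_SERVER:443;   # TLS passthrough, nothing is decrypted on the Pi
    }
}
EOF
}

# 2. Office Ubuntu PC: a drop-in under /etc/sysctl.d instead of editing
#    /etc/sysctl.conf.  Apply with:  sudo sysctl --system
forwarding_sysctl() {
  printf 'net.ipv4.ip_forward = 1\n'
}

# 3. Web server: Netplan fragment with the return route for the ZeroTier
#    range via the office PC (YAML indentation is significant).
#    Apply with:  sudo netplan try
netplan_return_route() {
  cat <<EOF
# /etc/netplan/60-zerotier-return-route.yaml
network:
  version: 2
  ethernets:
    eth0:
      routes:
        - to: default
          via: $OFFICE_GW
        - to: $ZT_NET
          via: $OFFICE_PC_LAN
          metric: 100
EOF
}

# 4. Managed route, entered on the ZeroTier controller (network settings),
#    so the Pi learns how to reach the office LAN.
managed_route_hint() {
  printf 'ZeroTier managed route: %s via %s\n' "$OFFICE_LAN" "$OFFICE_PC_ZT"
}

case "${1:-}" in
  render) nginx_proxy_conf; echo; forwarding_sysctl; echo; netplan_return_route; echo; managed_route_hint ;;
esac
```

Because the Pi terminates only the port-80 side, the X-Forwarded-For header the web server receives is set by the Pi and can be trusted; for port 443 the web server sees the Pi's ZeroTier address as the TCP peer unless TLS is terminated on the Pi instead.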
Thanks for your clear explanation! It helped a ton in getting insight into it and I've got it working now, albeit not completely the way you suggested. What I did is: pfSense forwarding web traffic to the Pi (it runs on Pi OS now); on the Pi (with forwarding enabled, of course) a static route to the web server address with the remote ZeroTier node as gateway (also IP forwarding enabled on the remote node, of course). I did use iptables to masquerade the source IP address behind the Pi's ZeroTier address. On the remote web server I added a static route back with the ZeroTier node as gateway. Works like a charm now and no extra routing needed within the ZeroTier network. Thanks a million!
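The routed-and-masqueraded variant from the reply above, written out as the commands each of the three boxes needs. This is an added example and not the poster's own script. It assumes the pfSense port forward lands on the Pi's own LAN address (hence the DNAT on the Pi), that the LAN interfaces are called eth0, and that the ZeroTier interface is called zt0 on both nodes (real ZeroTier interface names are derived from the network ID and are the same on every member of that network). Addresses are the thread's placeholders: Pi 192.168.1.19 / 10.x.y.1, office PC 192.168.4.79 / 10.x.y.2, web server 192.168.4.58. The FORWARD rules are an addition the reply does not mention: they limit what each node will route to exactly the port-forwarded web traffic and its replies, so neither box turns into a general gateway between the two LANs.

```shell
#!/bin/sh
# Added example: print the commands for the static-route + MASQUERADE setup.
# Run as:  sh zt-route-setup.sh pi | office-pc | webserver
# Nothing is applied by this script; review the output and run it as root.
set -eu

LAN_IF="eth0"              # assumption: LAN NIC name on the Pi and the office PC
ZT_IF="zt0"                # assumption: real name looks like ztxxxxxxxxxx
PI_LAN_IP="192.168.1.19"
OFFICE_PC_ZT_IP="10.x.y.2"
OFFICE_PC_LAN_IP="192.168.4.79"
WEB_SERVER="192.168.4.58"
ZT_NET="10.x.y.0/24"

# Raspberry Pi at home: pfSense has DNATed 80/443 to the Pi's LAN address, so
# the Pi (a) rewrites the destination to the web server, (b) routes that /32
# over ZeroTier, (c) hides the client behind its ZeroTier address so the office
# side needs no route back to the internet, and (d) forwards nothing else.
# Persist with: iptables-save > /etc/iptables/rules.v4 (iptables-persistent),
# net.ipv4.ip_forward=1 in /etc/sysctl.d/, and the route in the Pi's network config.
pi_commands() {
  cat <<EOF
sysctl -w net.ipv4.ip_forward=1
ip route add $WEB_SERVER/32 via $OFFICE_PC_ZT_IP dev $ZT_IF
# (a) send the port-forwarded web traffic on to the office web server
iptables -t nat -A PREROUTING -i $LAN_IF -d $PI_LAN_IP -p tcp -m multiport --dports 80,443 -j DNAT --to-destination $WEB_SERVER
# (c) source NAT: the web server only ever sees the Pi's ZeroTier address
iptables -t nat -A POSTROUTING -o $ZT_IF -d $WEB_SERVER -j MASQUERADE
# (d) forward only 80/443 towards the web server plus the replies
iptables -P FORWARD DROP
iptables -A FORWARD -i $LAN_IF -o $ZT_IF -d $WEB_SERVER -p tcp -m multiport --dports 80,443 -j ACCEPT
iptables -A FORWARD -i $ZT_IF -o $LAN_IF -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
EOF
}

# Office PC: plain router between ZeroTier and the office LAN. No NAT here,
# the web server routes its replies back via this host's LAN address.
office_pc_commands() {
  cat <<EOF
sysctl -w net.ipv4.ip_forward=1
iptables -P FORWARD DROP
iptables -A FORWARD -i $ZT_IF -o $LAN_IF -d $WEB_SERVER -p tcp -m multiport --dports 80,443 -j ACCEPT
iptables -A FORWARD -i $LAN_IF -o $ZT_IF -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
EOF
}

# Web server: replies are addressed to 10.x.y.1, which is off-subnet, so it
# needs a route for the ZeroTier range via the office PC (persist via Netplan).
webserver_commands() {
  cat <<EOF
ip route add $ZT_NET via $OFFICE_PC_LAN_IP
EOF
}

render_for() {
  case "$1" in
    pi)        pi_commands ;;
    office-pc) office_pc_commands ;;
    webserver) webserver_commands ;;
    *) echo "unknown host: $1 (use pi, office-pc or webserver)" >&2; return 1 ;;
  esac
}

[ -z "${1:-}" ] || render_for "$1"
```

One trade-off to keep in mind: with MASQUERADE on the Pi the web server logs 10.x.y.1 as the client for every visitor, whereas the reverse-proxy approach in the earlier answer can pass the real address in X-Forwarded-For. The DROP policy on FORWARD is what keeps the Pi from routing arbitrary traffic from the home LAN into the office LAN once ip_forward is on.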