Hi.
I’m new to VPNs and was glad that ZeroTier was very easy to install and use. I connected several Windows PCs without any problem. But when I tried to connect to my Raspberry, every connection was rejected.
I found out that the firewall (iptables) blocks the connection to the VPN. “zerotier-cli info” shows me OFFLINE as soon as I start the iptables rules. I attached rules at the beginning of the chain to accept every incoming and outgoing connection from the IP range of the VPN (10.147.x.0). And I accept every connection from the virtual ZT interface.
But in the end every attempt to connect runs through the chain and is rejected. I read several HowTos, but they all deal with forwarding traffic and using the Raspberry as a kind of gateway.
But I just want to establish a connection to the Raspberry like a normal computer. Any ideas?
Welcome. Post your rules if you like: iptables-save
You basically need all outgoing UDP ports allowed, and 9993 UDP in.
For the outgoing, you might be able to get the “owner” module of iptables to work. The installer creates a zerotier-one user on the system in most cases.
iptables -A OUTPUT -m owner --uid-owner 998 -j ACCEPT
Make sure your zerotier interfaces are allowed to talk too:
I reconstructed my iptables completely, from the beginning.
My last config enabled all IP addresses individually (e.g. 192.168.0.55/32), also the VPN IPs. Now I opened the complete ranges (192.168.0.0/24 and 10.147.x.0/24).
There were some rules at the beginning I didn’t understand (:INPUT - [0:0]). I used a configuration app some years ago, and I think there were some errors. I don’t know the meaning of the minus after INPUT.
Now I have default policies DROP and added chains for acceptance of x.x.x.0/24, the port 9993 and the virtual interface.
I’m having the exact same issues with Zerotier on my RPi 3 over eth0 (192.168.1.7::192.168.1.1:255.255.255.0)
I’m completely lost with iptables, but can tell you that it’s bone-stock from the latest RPi-OS image (2021-01-11-raspios-buster-armhf)
I’ve been using the official Bridge your ZeroTier and local network with a RaspberryPi guide.
My zt user info is as follows: zerotier-one:x:999:995::/var/lib/zerotier-one:/bin/bash
Would anyone mind helping me with the commands to type, in order to achieve @Lalle75’s fix?
This is what I use: 2 commands, all traffic allowed in on the zerotier NIC.
iptables -I INPUT -i zt3jnzbdh7 -j ACCEPT
Use conntrack. This means that any allowed outbound connection attempt will be allowed to come back in. Otherwise you have to open a bunch of ports, and that sucks.
iptables -I INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
It looks like -A INPUT -p udp -j DROP is dropping all UDP,
so -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT isn’t checked.
As a packet traverses a chain, each rule in turn is examined. If a rule does not match the packet, the packet is passed to the next rule. If a rule does match the packet, the rule takes the action indicated by the target/verdict, which may result in the packet being allowed to continue along the chain or may not.
The packet continues to traverse the chain until either
1. a rule matches the packet and decides the ultimate fate of the packet, for example by calling one of the `ACCEPT` or `DROP`, or a module returning such an ultimate fate; or
2. a rule calls the `RETURN` verdict, in which case processing returns to the calling chain; or
3. the end of the chain is reached; traversal either continues in the parent chain (as if `RETURN` was used), or the base chain policy, which is an ultimate fate, is used.
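The rule-ordering point made above (a bare "-p udp -j DROP" sitting in INPUT before the RELATED,ESTABLISHED rule, so the conntrack accept is never reached) is easy to miss when reading an iptables-save dump by hand. The following script is an added example written for this thread, not any poster's actual configuration and not ZeroTier's own tooling. It does two things: it prints a complete, reviewable iptables-restore ruleset that combines the pieces suggested earlier (conntrack first, everything in on the zt interface, UDP 9993 in, outgoing UDP restricted to the daemon's user via the owner match, plus the LAN range), and it checks a saved ruleset for the ordering bug. The interface name zt3jnzbdh7, the user name zerotier-one and the LAN 192.168.0.0/24 are taken from the thread as defaults and are assumptions you must adjust; the BROKEN_RULES dump is constructed to reproduce the reported misordering.

```shell
#!/bin/sh
# Added example for this thread, not from any poster or from ZeroTier itself.
# 1) zt_ruleset: print an iptables-restore file for a ZeroTier node that only
#    accepts connections (no forwarding/bridging), so it can be reviewed
#    before it is loaded.
# 2) check_input_order: read an iptables-save dump on stdin and fail when a
#    bare "-p udp -j DROP" in INPUT precedes the RELATED,ESTABLISHED accept,
#    which is the ordering bug that makes "zerotier-cli info" report OFFLINE.

ZT_IF="${ZT_IF:-zt3jnzbdh7}"        # assumed: your zt interface, see "ip link"
ZT_USER="${ZT_USER:-zerotier-one}"  # assumed: user the installer created ("id zerotier-one")
LAN="${LAN:-192.168.0.0/24}"        # assumed: your LAN range, as in the thread
ZT_PORT="${ZT_PORT:-9993}"          # ZeroTier's default UDP port

# In each chain the order is: loopback, conntrack, then the specific accepts.
# The chain policy (":INPUT DROP [0:0]" sets the policy of a built-in chain;
# iptables-save prints "-" there for user-defined chains, which have none)
# drops whatever nothing above accepted, so no explicit "-p udp -j DROP" is
# needed and none can shadow the conntrack rule.
zt_ruleset() {
    cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT DROP [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A INPUT -m conntrack --ctstate INVALID -j DROP
-A INPUT -i ${ZT_IF} -j ACCEPT
-A INPUT -p udp --dport ${ZT_PORT} -j ACCEPT
-A INPUT -s ${LAN} -j ACCEPT
-A OUTPUT -o lo -j ACCEPT
-A OUTPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A OUTPUT -o ${ZT_IF} -j ACCEPT
-A OUTPUT -p udp -m owner --uid-owner ${ZT_USER} -j ACCEPT
-A OUTPUT -d ${LAN} -j ACCEPT
COMMIT
EOF
}

# Accepts both the old "-m state --state" and the "-m conntrack --ctstate"
# spelling of the established-connections rule.
check_input_order() {
    awk '
        /^-A INPUT / && /RELATED,ESTABLISHED/ && /-j ACCEPT$/ && !est  { est = NR }
        /^-A INPUT -p udp -j DROP$/                            && !drop { drop = NR }
        END {
            if (!est) {
                print "FAIL: no RELATED,ESTABLISHED accept in INPUT"; exit 1
            }
            if (drop && drop < est) {
                print "FAIL: line " drop " drops all UDP before the conntrack accept at line " est
                exit 1
            }
            print "ok: INPUT rule order is sane"; exit 0
        }'
}

# Constructed sample (not a real capture) reproducing the misordering
# reported in the thread.
BROKEN_RULES='*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -p udp -j DROP
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p udp --dport 9993 -j ACCEPT
COMMIT'

# Usage (as root, after reviewing the printed rules):
#   sh zt-fw.sh print > /tmp/zt.rules && iptables-restore < /tmp/zt.rules
#   iptables-save | sh zt-fw.sh check
#   sh zt-fw.sh demo        # runs the checker against BROKEN_RULES
case "${1:-print}" in
    check) check_input_order ;;
    demo)  printf '%s\n' "$BROKEN_RULES" | check_input_order ;;
    *)     zt_ruleset ;;
esac
```

Two caveats before loading this on a headless Pi. First, the OUTPUT policy is DROP, so anything else the box needs to initiate (DNS, NTP, apt) must get its own accept rule, or you lock yourself out of updates; the LAN and zt accepts do not cover that. Second, the owner match only helps if the daemon really runs as the zerotier-one user (check with `ps -o user= -C zerotier-one`); if it runs as root, either match uid 0 or fall back to the blanket "all outgoing UDP" rule suggested earlier in the thread.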