Local.conf documentation

shows an example with a parameter [role] in it that isn’t actually listed in the “settings available” bit.
I have tried googling this but “role”, “upstream”, “virtual”, are seemingly too generic to come up with anything useful.

I am trying to come up with a way to get a ZT user behind a restricted firewall working. By restricted, I mean one that only allows a limited set of ports, eg 53/80/443. This is not a completely uncommon scenario.

I have got ZT1 working on a host in a datacentre, with its ZT port set to 443 and TCP/UDP 443 forwarded to it. This works fine when the client has unrestricted internet access, but once I move it behind a test router that only allows out 53/80/443, it stops.

So I thought perhaps creating a local.conf on the client to tell it how to reach this one specific host would do the trick [per comment from documentation “Hints on where to reach this peer if no upstreams/roots are online”]:

    "virtual": {
        "beef99cafe": {
            "try": [ "" ]


I know the zerotier-one service is reading this file fine [because with a syntax error in the service won’t start], but as far as I can tell with a packet capture, it just ignores it. The client never sends any packets to so long as it can’t reach anything else.

I can’t be the only person trying to get this working from networks that don’t allow a great many services out to the internet.

Yeah, you’re going to have a bad time here if you’re only allowing UDP out to ports 53/80/443. UDP needs to be able to reach just about any port, as you cannot control what port our roots, network controllers, or any other external nodes are using.

What does

Hints on where to reach this peer if no upstreams/roots are online

mean? Because it doesn’t seem to do what I think it implies. I can’t work out how to get any logging out of zerotier-one either.

This is frustrating because I had this working 2 days ago - moved test device to behind restricted test router, single peer is connected and I can get on to it:

but since then it hasn’t worked.

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.