Overriding Default Route Isn't Working

I’ve installed ZeroTier on a Windows device and a CentOS host on a cloud provider. I want the ZeroTier CentOS host to override the default route for the ZeroTier network. I’ve followed the guide in the docs through to step 3. I have not performed any of the IPv6 steps, I don’t use IPv6 for anything.

On the CentOS host, I have the following line in /etc/sysctl.conf:
net.ipv4.ip_forward = 1

I also have the following in /etc/sysconfig/iptables:

*nat
:PREROUTING ACCEPT [0:0]
:INPUT ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
-A POSTROUTING -o eth0 -s 172.25.0.0/16 -j SNAT --to-source AAA.AAA.AAA.AAA
COMMIT
*filter
:INPUT ACCEPT [0:0]
:FORWARD DROP [0:0]
-A FORWARD -i zt+ -s 172.25.0.0/16 -d 0.0.0.0/0 -j ACCEPT
-A FORWARD -i eth0 -s 0.0.0.0/0 -d 172.25.0.0/0 -j ACCEPT
:OUTPUT ACCEPT [0:0]
COMMIT

In iptables, AAA.AAA.AAA.AAA is where I’ve placed the CentOS host’s public IP accessible over the internet. I’m using the 172.25.0.0/16 subnet scheme in ZeroTier Central, so I’ve put that in the POSTROUTING and the first FORWARD lines. I’m not exactly sure why the guide linked above has you put the same subnet in the second FORWARD line but with a /0 CIDR value; however, I’ve tried it with /16 and it still hasn’t fixed the issue, so I’ve left it as /0 for now.

My Windows host has Allow Default and Allow Managed checked in the GUI.

The CentOS host has access to the internet. I can curl pretty much anything. However, once Allow Default is checked on the Windows host, I lose access to the internet. I can’t ping out, I can’t resolve DNS names, I can’t do anything. However, I can ping the CentOS host by its ZeroTier IP, so at least something is functioning. (This is no longer true, see end of post)

I’ve restarted the CentOS host, and I’ve restarted iptables using systemctl and ensured it’s enabled too. I tried to follow the IPv6 portion of the guide linked above, but there is no clarity as to whether I should be using my CentOS host’s ethernet IPv6 address or the IPv6 address on the ZeroTier network interface. As of right now, I have not finished the IPv6 portion, so if that is necessary please let me know.

Here is the output of iptables -S and iptables -L in case it helps:

[root@CentOSHost ~]# iptables -S
-P INPUT ACCEPT
-P FORWARD DROP
-P OUTPUT ACCEPT
-A FORWARD -s 172.25.0.0/16 -i zt+ -j ACCEPT
-A FORWARD -i eth0 -j ACCEPT

[root@CentOSHost ~]# iptables -L
Chain INPUT (policy ACCEPT)
target     prot opt source               destination

Chain FORWARD (policy DROP)
target     prot opt source               destination
ACCEPT     all  --  172.25.0.0/16        anywhere
ACCEPT     all  --  anywhere             anywhere

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination

I’ve also added the following to the Managed Routes in ZeroTier Central:


Where AAA.AAA.AAA.AAA is the same public IP of the CentOS host, and is the same IP used in the aforementioned iptables file. I’ll admit, previously this was not done properly (I had a different IP because I nuked the first box I was testing with and never changed the IP to match the new box). Now that this has been changed, I can still browse the internet and do stuff, but my public IP on the Windows host is not changing to that of the CentOS host. This is all while Allow Default is checked on the Windows host.
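As an added example (not part of the original post or of ZeroTier's documentation), the script below audits an iptables-save style ruleset of the kind shown above for the pieces a ZeroTier-to-internet NAT gateway needs: a FORWARD policy of DROP, an ACCEPT for the ZeroTier subnet arriving on a zt* interface, a return-path rule that is restricted to the ZeroTier subnet and to ESTABLISHED,RELATED connections rather than a blanket ACCEPT, and an SNAT or MASQUERADE rule for that subnet in the nat table. The sample ruleset embedded in it is constructed from the configuration in the post, with the public address replaced by 203.0.113.10 (an RFC 5737 documentation address); the interface name eth0 and subnet 172.25.0.0/16 are taken from the post. It also emits a tightened ruleset that passes the same audit.

```python
"""Audit an iptables-save dump for a ZeroTier -> internet NAT gateway (added example)."""
import ipaddress
import shlex

# Constructed sample modelled on the ruleset in the post; public IP is a documentation address.
SAMPLE_RULES = """\
*nat
:PREROUTING ACCEPT [0:0]
:INPUT ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
-A POSTROUTING -o eth0 -s 172.25.0.0/16 -j SNAT --to-source 203.0.113.10
COMMIT
*filter
:INPUT ACCEPT [0:0]
:FORWARD DROP [0:0]
-A FORWARD -i zt+ -s 172.25.0.0/16 -d 0.0.0.0/0 -j ACCEPT
-A FORWARD -i eth0 -s 0.0.0.0/0 -d 172.25.0.0/0 -j ACCEPT
:OUTPUT ACCEPT [0:0]
COMMIT
"""

FLAGS = {"-A": "chain", "-i": "in", "-o": "out", "-s": "src", "-d": "dst", "-j": "target"}

def parse_rule(line):
    """Parse one '-A ...' line into a dict; subnets are normalised the way the kernel sees them."""
    rule = {"raw": line, "state": None}
    toks = shlex.split(line)
    i = 0
    while i < len(toks):
        if toks[i] in FLAGS:
            rule[FLAGS[toks[i]]] = toks[i + 1]
            i += 2
        elif toks[i] in ("--ctstate", "--state"):
            rule["state"] = set(toks[i + 1].split(","))
            i += 2
        else:
            i += 1  # match extensions and target options we do not need
    for key in ("src", "dst"):
        # strict=False: 172.25.0.0/0 has host bits set and collapses to 0.0.0.0/0 (matches everything)
        rule[key] = ipaddress.ip_network(rule.get(key, "0.0.0.0/0"), strict=False)
    return rule

def parse_iptables_save(text):
    """Return {table: {"policy": {chain: policy}, "rules": [rule dicts]}}."""
    tables, table = {}, None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("*"):
            table = line[1:]
            tables[table] = {"policy": {}, "rules": []}
        elif line.startswith(":"):
            chain, policy = line[1:].split()[:2]
            tables[table]["policy"][chain] = policy
        elif line.startswith("-A "):
            tables[table]["rules"].append(parse_rule(line))
    return tables

def audit_gateway(text, zt_subnet, wan_if):
    """Return a list of findings; an empty list means every required piece is present."""
    zt = ipaddress.ip_network(zt_subnet)
    tables = parse_iptables_save(text)
    empty = {"policy": {}, "rules": []}
    filt, nat = tables.get("filter", empty), tables.get("nat", empty)
    findings = []
    if filt["policy"].get("FORWARD") != "DROP":
        findings.append("FORWARD policy is not DROP, so forwarding is open by default")
    fwd = [r for r in filt["rules"] if r["chain"] == "FORWARD" and r["target"] == "ACCEPT"]
    if not any(r.get("in", "").startswith("zt") and r["src"] == zt for r in fwd):
        findings.append(f"no FORWARD ACCEPT for {zt} arriving on a zt* interface")
    for r in (r for r in fwd if r.get("in") == wan_if):
        if r["dst"].prefixlen == 0:
            findings.append(f"return-path rule matches every destination (-d {r['dst']}): {r['raw']}")
        if not r["state"] or not r["state"] & {"ESTABLISHED", "RELATED"}:
            findings.append(f"return-path rule on {wan_if} is not limited to ESTABLISHED,RELATED")
    if not any(r["chain"] == "POSTROUTING" and r["target"] in ("SNAT", "MASQUERADE")
               and r.get("out") == wan_if and zt.subnet_of(r["src"]) for r in nat["rules"]):
        findings.append(f"no SNAT/MASQUERADE for {zt} out {wan_if} in the nat table")
    return findings

def hardened_ruleset(zt_subnet, wan_if, snat_to):
    """Complete iptables-save text: same SNAT, but return traffic is limited by subnet and conntrack state."""
    return "\n".join([
        "*nat", ":PREROUTING ACCEPT [0:0]", ":INPUT ACCEPT [0:0]",
        ":OUTPUT ACCEPT [0:0]", ":POSTROUTING ACCEPT [0:0]",
        f"-A POSTROUTING -o {wan_if} -s {zt_subnet} -j SNAT --to-source {snat_to}",
        "COMMIT", "*filter", ":INPUT ACCEPT [0:0]", ":FORWARD DROP [0:0]", ":OUTPUT ACCEPT [0:0]",
        f"-A FORWARD -i zt+ -s {zt_subnet} -j ACCEPT",
        f"-A FORWARD -i {wan_if} -o zt+ -d {zt_subnet} -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT",
        "COMMIT", ""])

if __name__ == "__main__":
    for finding in audit_gateway(SAMPLE_RULES, "172.25.0.0/16", "eth0"):
        print("finding:", finding)
    print(hardened_ruleset("172.25.0.0/16", "eth0", "203.0.113.10"))
```

Two checks worth running on the real host alongside this: `iptables -S` prints only the filter table, so the SNAT rule must be confirmed with `iptables -t nat -S`; and a `net.ipv4.ip_forward = 1` line in /etc/sysctl.conf only takes effect after `sysctl -p` or a reboot, so read `/proc/sys/net/ipv4/ip_forward` to see the value the kernel is actually using. On the sample ruleset the audit reports that the `-d 172.25.0.0/0` return-path rule matches every destination (the kernel treats it as 0.0.0.0/0, which is why `iptables -S` prints it as a bare `-A FORWARD -i eth0 -j ACCEPT`) and that it is not restricted by connection state; the hardened ruleset clears both findings.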