PIA Split Tunnel + Zerotier failing

zwimer · August 2, 2022, 8:14pm

What I want:
PIA and Zerotier to both work on the same machine via PIA’s ‘Split Tunneling’ feature.

What I have:
I run Fedora 36. PIA supports a ‘Split Tunnel’ option which allows permitting specific traffic not to be put behind the PIA VPN. Without Split Tunneling, connecting to PIA prevents zerotier from working, which is not unexpected.

What I have tried:

When I run PIA it seems to block zerotier, which is not unexpected.
I enabled split tunneling and whitelisting the Zerotier’s root IPs; now zerotier was able to give me an IP address but the P2P connections between clients were still blocked.
I whitelisted the binary /usr/sbin/zerotier-one which is what systemd runs. I assumed that, at least in OpenVPN mode, all traffic would proxy through this service. This did not work, zerotier P2P was still blocked.

The final question:
What exactly should I add to the Split Tunneling whitelist to permit PIA VPN and Zerotier to play nice? Is there some proxy app that zerotier-one uses or something? Split Tunneling allows filtering based off IPs and which App, but does not allow port-based filtering sadly.

zt-grant · August 2, 2022, 8:48pm

Yes, unfortunately most “privacy” VPNs prevent ZeroTier from working as they don’t allow incoming UDP traffic in most cases.

Bypassing the roots is one step, but you also need to bypass any other machines running ZeroTier you wish to communicate with as well if you want peer-to-peer connections to work. So in order to work well, you’ll need to white list any possible IP addresses of nodes you wish to communicate with. In addition, you also need to white list the network controllers. In the case of our hosted network controllers, they are hosted on ephemeral IP addresses that can change at any time without notice.

system · September 1, 2022, 8:48pm

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.