We use a product called LogicMachine that has built-in ZeroTier functionality.
Everything works perfectly, and it's very easy for us to set up a new LogicMachine at a customer site without messing with ports and firewalls.
But it's not working when we are on our corporate network.
I made a ticket to our IT department asking them to allow ZeroTier to work on the network, but they have some questions that I don't know the answers to. Can you help me out?
I searched the docs but I could only find that you need to allow TCP port 9993. Is that enough?
I can access the web dashboard just fine and see pings, but if I install the Windows client it doesn't work unless I disable our GlobalProtect and connect to my mobile's hotspot.

These are my IT department's questions:

Hey Simon, the VPN connection connects to a URL or FQDN. This information would allow us to configure the firewall and allow the connection. What is the destination of the VPN client, what logical port is used by the VPN client, and what application is used by the VPN, e.g. IPSEC, DTLS?

ZeroTier is not a traditional VPN that connects to a single host or FQDN. It operates peer to peer, so machines running ZeroTier talk directly to each other. As such, there's no single host to whitelist. It's any other host running ZT, including the root servers and network controllers. A list of the root server IP addresses can be found here; however, network controllers are not at stable IP addresses and can change at any time.

Additionally, ZeroTier uses UDP rather than TCP for peer to peer communication. It is its own protocol and doesn’t use IPSEC or DTLS. See here for info on what UDP ports ZeroTier uses.
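One way to confirm from the client side whether the firewall is actually letting ZeroTier's UDP traffic through is to inspect the peer table: if no root (PLANET) peer has an active path, UDP egress is being dropped. This is an added example, not code from the thread or from ZeroTier itself; it parses the JSON that `zerotier-cli -j peers` prints, the sample peer list is constructed, and the `role`, `paths`, `active` and `expired` field names are assumed from that command's output format.

```python
import json
import sys

# Constructed sample of `zerotier-cli -j peers` output (not captured from a real host):
# one root with a live UDP path, one root and one ordinary peer with no path at all,
# which is roughly what a UDP-blocking egress firewall looks like from the client.
SAMPLE_PEERS = json.dumps([
    {"address": "aaaaaaaaaa", "role": "PLANET", "latency": 42,
     "paths": [{"address": "203.0.113.10/9993", "active": True,
                "preferred": True, "expired": False}]},
    {"address": "bbbbbbbbbb", "role": "PLANET", "latency": -1, "paths": []},
    {"address": "cccccccccc", "role": "LEAF", "latency": -1, "paths": []},
])


def summarize_paths(peers_json):
    """Return one dict per peer: its role, whether an active non-expired path
    exists, and the remote ip/port endpoints of those paths."""
    result = []
    for peer in json.loads(peers_json):
        active = [p for p in peer.get("paths", [])
                  if p.get("active") and not p.get("expired")]
        result.append({
            "address": peer["address"],
            "role": peer.get("role", "?"),
            "direct": bool(active),
            "endpoints": [p["address"] for p in active],
        })
    return result


def diagnose(peers_json):
    """Classify UDP reachability to the root servers:
    'ok' if every root has a path, 'udp_blocked' if none does, 'partial' otherwise."""
    roots = [p for p in summarize_paths(peers_json) if p["role"] in ("PLANET", "MOON")]
    if not roots:
        return "no_roots"
    reachable = [r for r in roots if r["direct"]]
    if not reachable:
        return "udp_blocked"
    if len(reachable) < len(roots):
        return "partial"
    return "ok"


if __name__ == "__main__":
    # Read real output from a pipe if given, otherwise fall back to the constructed sample.
    data = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_PEERS
    for row in summarize_paths(data):
        print(f"{row['address']} {row['role']:7} direct={row['direct']} {row['endpoints']}")
    print("verdict:", diagnose(data))
```

On a host where the client is installed, run `zerotier-cli -j peers | python3 check_paths.py` (filename assumed); a verdict of `udp_blocked` with the web dashboard still reachable matches the symptom described in the question.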