Remote name resolution on Local LAN?

I’d like to replicate my existing OpenVPN implementation with ZeroTier. Right now I’m hosting an OpenVPN server via FreshTomato on my router and using DDNS to map my assigned IP address to a public URL. We’re moving to Starlink (if it ever ships) and apparently their CGNAT won’t support hosting an OpenVPN server. I thought this would be a good time to explore ZeroTier and see if it would fit my needs.

Currently, when I connect to the OpenVPN server from a remote client, I’m effectively “on” my LAN. I can access any network resource by name, not just IP address. This makes it easy to use Samba shares, RDP to several virtual machines, access media servers, and check my security cameras.

To replicate this with ZeroTier I read “Route between ZeroTier and Physical Networks”, and I think that’s what I need. It seems to be the closest to the way the OpenVPN is set up anyway. I also read “Bridge your ZeroTier and local network with a RaspberryPi” and I can’t discern the pros and cons of the two approaches. I know the routing is Layer 3 and bridging is Layer 2, but I can’t determine why one would work better than the other. I do have a Raspberry Pi available. It’s running Pi-hole now and could be used to implement either the routing or bridging approach.

I spun up an Ubuntu VM to test out the routing and I got it to almost work. From the remote client, I could ping a local LAN machine by IP address but I couldn’t get it to work using DNS. I see that ZeroTier supports pushing DNS information to clients but I don’t understand what to put in the “Search Domain” box. Currently, in my router’s configuration I have the domain name set to “home”. I also use reserved DHCP entries for all my devices. That lets me access my devices with names like “nas.home” or “camera.home” for example. It looks like the ZeroTier “Search Domain” is expecting “something.something” though. I can’t get it to accept just “home”.

Is what I’m trying to do reasonable/possible? I see in the documentation that “This still doesn’t let you simply address hosts by their name as configured at the controller, but we’re aware of this. We plan on adding a feature to allow the controller itself to be a DNS server too if one desires in a future ZeroTier version (likely post-2.0).” Is that what is being referred to here? I feel like I know just enough to be dangerous but don’t understand all this completely. Any advice or suggestions?

Thanks

Thanks for writing that up.

For the Search Domain you can put something like “int.home”, for now. I think we are going to relax the validation on that form so it’ll accept “home”.

The main trade off between bridging and routing, besides the bridge being a little trickier to set up, is multicast/broadcast only works with bridging. (Though multicast/broadcast doesn’t work on mobile either way)
So if you bridge, mDNS will mostly work and you’ll have DNS names and service discovery over ZeroTier.

Or you can just install ZeroTier on all your devices in your LAN and not use bridging or routing.
Or if your router can run OpenWrt, there’s a ZeroTier package and you can use that as your route between ZeroTier and the physical LAN.

For DNS, another option would be to run zeronsd (GitHub - zerotier/zeronsd: A DNS server for ZeroTier users) as your ZeroTier DNS server. This would get you automatic DNS on mobile too.
I use a different domain than my physical LAN’s “.home” or “.local”.

It would be awesome if the Search Domain validation was removed, at least it would be the simplest for me anyway.

Regarding bridging - I was following along with the documentation until I got to the “Switch to systemd networking” section. Specifically, my Pi uses DHCP to pull a reserved IP address from the router. I can’t continue to do that and remove the DHCP stuff as instructed, can I? Also, I wouldn’t want to affect the Pi-hole running on the Pi either.

I have several IoT devices I’d like to access remotely so installing ZeroTier everywhere isn’t an option at the moment. I’ll do some research on zeronsd, I’d seen some references to that but didn’t really understand where it fit into the mix if my router was handling DNS. I’ve run my RT-AC68U with FreshTomato for years and I’m comfortable with it. Perhaps it’s time to look at changing my setup though.

That bridge tutorial will break your Pi-hole setup. You could probably do the routing method without too much trouble. Please don’t change/break stuff because of me!

With zeronsd, only names in the ZeroTier domain you enter would go through zeronsd. The rest use the system DNS servers, which is why you might not want to use .local for your ZeroTier network’s DNS domain.
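The two DNS points raised in this thread (what the pushed “Search Domain” does to a short name, and why only the ZeroTier domain should go to zeronsd) can be seen in a small model of the client-side resolver. The following is an added example, not code from the thread, from ZeroTier or from zeronsd: it reproduces the glibc stub-resolver search behaviour (names with fewer than `ndots` dots get the search list first, others are tried as typed first) and a split-horizon forwarding rule that sends only the ZeroTier domain to zeronsd. The domain “zt.example”, the addresses and the two in-memory zones are constructed for illustration.

```python
"""Toy model of search-domain expansion plus split-horizon DNS forwarding.

Added example (not from the forum thread or the ZeroTier/zeronsd projects).
Zone contents, addresses and the "zt.example" domain are constructed.
"""
from typing import List, Optional, Tuple

NDOTS = 1  # glibc default: a name with fewer than this many dots gets the search list first


def candidate_names(query: str, search_domains: List[str], ndots: int = NDOTS) -> List[str]:
    """Return the fully-qualified names a glibc-style stub resolver tries, in order.

    "nas" with search domain "home"     -> ["nas.home.", "nas."]
    "nas" with search domain "int.home" -> ["nas.int.home.", "nas."]
    "nas.home" (already >= ndots dots)  -> ["nas.home.", "nas.home.<search>."]
    A trailing dot marks the query as absolute and disables search expansion.
    """
    if query.endswith("."):
        return [query]
    name = query.rstrip(".")
    expanded = [f"{name}.{d.strip('.')}." for d in search_domains]
    absolute = [f"{name}."]
    return absolute + expanded if name.count(".") >= ndots else expanded + absolute


def upstream_for(fqdn: str, zt_domain: str) -> str:
    """Split-horizon rule: names under the ZeroTier domain go to zeronsd, all others to system DNS."""
    suffix = "." + zt_domain.strip(".") + "."
    return "zeronsd" if fqdn.endswith(suffix) else "system"


# Constructed stand-ins for the two upstreams: the router's LAN zone and the zeronsd zone.
ZONES = {
    "system": {"nas.home.": "192.168.1.10", "camera.home.": "192.168.1.20"},
    "zeronsd": {"pi.zt.example.": "10.147.17.5"},
}


def resolve(query: str, search_domains: List[str], zt_domain: str) -> Optional[Tuple[str, str, str]]:
    """Try each candidate name against the upstream chosen for it.

    Returns (fqdn, upstream, address) for the first hit, or None when nothing resolves.
    """
    for fqdn in candidate_names(query, search_domains):
        upstream = upstream_for(fqdn, zt_domain)
        address = ZONES[upstream].get(fqdn)
        if address:
            return fqdn, upstream, address
    return None


if __name__ == "__main__":
    # Full LAN name works regardless of the pushed search domain.
    print(resolve("nas.home", ["int.home"], "zt.example"))
    # A bare "nas" with the workaround search domain "int.home" expands to nas.int.home, which does not exist.
    print(resolve("nas", ["int.home"], "zt.example"))
    # ZeroTier member name resolved through zeronsd.
    print(resolve("pi", ["zt.example"], "zt.example"))
    # Why ".local" is a poor ZeroTier domain: an mDNS name would be captured by zeronsd instead of the system.
    print(upstream_for("printer.local.", "local"), upstream_for("printer.local.", "zt.example"))
```

Run it with no arguments; the last line shows the `.local` collision the reply warns about, and the second shows why a search domain like “int.home” does not make a bare “nas” find “nas.home” (the full two-label name still works because it has a dot and is tried as typed first).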