Road Warrior DNS


Successfully using ZeroTier with a Rasp Pi bridging gateway (Layer 2) into my home LAN. I use Pi-Hole on the LAN for ad blocking and DNS over HTTPS (DoH) to Cloudflare. All good so far.

The ZeroTier iPhone app (1.6.4) allows me to set the DNS to the IP address of the Pi-Hole (which is not a ZeroTier member) and when the iPhone is used on the mobile network it uses Pi-Hole as DNS. I get full ad blocking and DoH. Perfect.

There is no option to set the DNS on the Windows client. Is there a workaround? Perhaps a setting in ZeroTier Central that pushes a DNS IP address to the Windows client instead?

Hi Andrew, may I know how you did this? I also want my Raspberry Pi as a bridge for my home network but unfortunately I have had no success configuring this. :sad:

Hi heliosfiend. I followed the ZeroTier guide here. I found it useful to take the instructions from the guide and to write my own ‘Build Plan’ with my own network parameters inserted. I read and re-read the guide, checking every time. It is then easier to copy/paste into Terminal without making typing mistakes. I find it a safer way than trying to insert into someone else’s guide. Maybe that is because I’m a hobbyist and no expert. There are a good number of personalisations to be inserted and it is too easy to get them wrong.

Hi Andrew, I followed that same guide, I got the bridge to work and was pingable on LAN, however I can’t seem to ping other devices connected to ZeroTier. The only thing working for me right now is this guide, but unfortunately I can only initiate the connection from ZeroTier to LAN only. I will try to rework stuff with my Raspberry from scratch so everything is fresh. Thank you :slight_smile:

Hi. The guide you have followed states ‘Can’t initiate connections from the LAN to an external ZeroTier client’ as one of the limitations of the configuration. Try the guide here. I just ran through it again an hour ago and it definitely works.

You can set a dns search domain from, but it doesn’t let you override all dns (yet).

If you set up “full tunnel mode”, you can handle dns on your gateway.

Hi @zt-travis. Now you have me hooked! I seem to be falling between two stools here, you might say. I have a small business I run from my home but much of my time is spent out and about. Please excuse that I have some experience of networking, Linux and command line, but no formal training.

I followed and adapted the Knowledge Base article “Bridge your ZeroTier and local network with a RaspberryPi” updated by you in Feb-2021. My gateway is an R-Pi Model B (Buster-lite) and performance is good and snappy running ZT and bridge. I adapted/configured to suit my ZT network and my LAN. All great. Everything the way it should be, everything talking to everything and bridging allowing bothway visibility of all devices between both networks. The iptables rules piece at the end of your article makes no difference to functionality, plus it does not persist after rebooting the bridge device. No matter. The IP address range for ZT is set to be within the LAN IP address range but outside the DHCP range for the LAN. LAN DHCP and DNS is a Pi-Hole at IP address (static).

My network parameters for bridging are:

  • Physical LAN Subnet:
  • Physical LAN DHCP RANGE: through
  • ZeroTier Auto-Assign Range: through
  • ZeroTier Managed Route:
  • Default Gateway IP Address:
  • Bridge IP Address: (static)

I then followed the Knowledge Base article “Overriding Default Route / Full Tunnel Mode” updated by you in Sept-2020. That article is based on CentOS and I’m having trouble translating it to R-Pi OS. I have added a new Managed Route on ZT at: via I have made the edit to /etc/sysctl.conf on the R-Pi to allow IPv4 forwarding. I have queries about the iptables section:

  1. What is meant by the term ‘public IP of the gateway’? Is that the LAN IP (in my case Or is it the WAN IP address provided by my ISP? My ISP changes the WAN IP regularly, static is not an option.

  2. In R-Pi OS the location /etc/sysconfig does not exist. Where to create/edit the iptables file?

  3. Should the iptables configuration be made persistent?

My (road warrior) clients are Windows 10 laptops and iOS devices. I have access to an Android tablet for testing purposes. This means that the rest of the “…Full Tunnel Mode” tutorial is not relevant as it applies to Linux clients, I presume.

If R-Pi is the subject of the ‘Bridging’ Knowledge Base article it would be perfect if the ‘Full Tunnel’ article were a smooth follow-on using the same R-Pi.

Thanks in advance.

Hey sorry that article is assuming the gateway node is a cloud VM with a public IP address. You should be able to use Masquerade instead of DNAT on your Pi’s iptables, but then you’ll be “double nat’ed” (the pi and then your internet router) when you use full tunnel mode. Which may cause annoyances depending on what you’re doing.

Ideally you could install zerotier on your house’s internet gateway, or use a cheap VPS as your gateway. I should have mentioned this stuff.

If I remember correctly, there’s a package called iptables-persistent.

good idea

OK. How about my second query? Where do I create the MASQUERADE iptables entry in R-Pi OS? And I assume the $ZT_IFACE and $WAN_IFACE are the devs, in my case eth0 and ztxxxxxxx.

Great guidance so far, thank you.

An article on how to combine R-Pi bridging and Full Tunnel would be great. My WAN router at home is pfsense, chosen mainly because the ‘free’ one provided by my ISP is so locked down.
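Added example, not from the thread or from ZeroTier's guides: a sketch of the MASQUERADE setup discussed above, written as an `iptables-restore` ruleset that `iptables-persistent` loads from `/etc/iptables/rules.v4` at boot. It assumes a routed (not bridged) gateway with separate ZeroTier and LAN interfaces; `ztxxxxxxx` and `eth0` are the placeholders from the post, and the script name `zt-nat.sh` is hypothetical.

```shell
#!/bin/sh
# Added example: render an iptables-restore ruleset for a ZeroTier -> LAN
# masquerading gateway. Interface names are assumptions; pass your own.

# Accept only plausible Linux interface names
# (1-15 characters, no whitespace or shell metacharacters).
valid_iface() {
    case "$1" in
        ''|*[!A-Za-z0-9_.-]*) return 1 ;;
    esac
    [ "${#1}" -le 15 ]
}

# render_rules ZT_IFACE LAN_IFACE
# Prints the ruleset on stdout; returns non-zero on a bad interface name.
render_rules() {
    zt=$1
    lan=$2
    valid_iface "$zt" && valid_iface "$lan" || return 1
    cat <<EOF
*nat
:PREROUTING ACCEPT [0:0]
:INPUT ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
-A POSTROUTING -o $lan -j MASQUERADE
COMMIT
*filter
:INPUT ACCEPT [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A FORWARD -i $zt -o $lan -j ACCEPT
-A FORWARD -i $lan -o $zt -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
COMMIT
EOF
}

# Print the ruleset for the given interfaces (defaults are placeholders).
render_rules "${1:-ztxxxxxxx}" "${2:-eth0}"

# To check and install as root (this replaces any saved IPv4 rules):
#   sh zt-nat.sh ztxxxxxxx eth0 > /tmp/rules.v4
#   iptables-restore --test < /tmp/rules.v4
#   install -m 600 /tmp/rules.v4 /etc/iptables/rules.v4
#   netfilter-persistent reload
```

The FORWARD policy of DROP lets ZeroTier clients open connections outward and only admits reply traffic back, so the gateway does not become an open router between the two networks.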

I managed to get it working on my main house/network :smiley: , now I need to bridge my 2nd house so that they can communicate with each other. :slight_smile:
