Site 2 Site traffic and managed routes

Hello! I came across an issue where Zerotier tries to use a remote internal IP to connect to the peer actually acting as gateway to that subnet.

This was addressed in the past here in the forum by @zt-travis, and I totally forgot about it.

I got bitten twice, now I took some notes I would like to share:


Hi! Thanks for writing this up.
We have a note about this in our docs site now as well. Using multipath to stop it is interesting!

One thing I’ll say is zerotier-one does blacklist itself from listening on its own interfaces.

The issue is with the routes, and the fact that zerotier will listen on and advertise physical LAN addresses, so that two computers on the physical LAN don’t send their zerotier traffic out to the internet and back.

So eventually “10.1.0.10” gets sent to host B as a potential path to host A. And then the OS goes: “I know how to get packets to 10.1.0.0/24, via 172.16.1.10” And then the same thing happens in the other direction. It only happens when you have more than 1 zerotier router on a network as far as I know.

I don’t know of a way to prevent this with the BSD networking stack. I think it happens on Windows too. Linux has a socket option that prevents it.

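A small check for the condition described in the reply above, added here as an example that is not from the original thread or from ZeroTier itself: it reads JSON in the style of `zerotier-cli -j listnetworks` and `zerotier-cli -j listpeers` (the field shapes and sample values below are constructed and assumed) and flags any peer path whose physical address falls inside one of the network's managed routes, i.e. a path the OS would try to reach through the very tunnel it is supposed to carry.

```python
import ipaddress
import json

# Constructed sample resembling `zerotier-cli -j listnetworks` (assumed shape):
# host B's view, with a managed route for host A's LAN via host A's ZeroTier IP.
LISTNETWORKS_JSON = """
[{"id": "8056c2e21c000001", "name": "site2site",
  "assignedAddresses": ["172.16.1.20/24"],
  "routes": [{"target": "172.16.1.0/24", "via": null},
             {"target": "10.1.0.0/24", "via": "172.16.1.10"}]}]
"""

# Constructed sample resembling `zerotier-cli -j listpeers` (assumed shape):
# the gateway peer advertises its physical LAN address 10.1.0.10 as a path.
LISTPEERS_JSON = """
[{"address": "a1b2c3d4e5", "role": "LEAF",
  "paths": [{"address": "203.0.113.10/9993", "active": true, "preferred": false},
            {"address": "10.1.0.10/9993",    "active": true, "preferred": true}]}]
"""

def managed_routes(networks):
    """Yield (target_network, via) for every managed route that has a gateway."""
    for net in networks:
        for r in net.get("routes", []):
            if r.get("via"):
                yield ipaddress.ip_network(r["target"]), r["via"]

def find_looped_paths(networks, peers):
    """Return (peer, path_ip, route_target, via) for every peer path whose
    address lies inside a managed route: that path would be routed into the
    ZeroTier tunnel instead of over the physical network."""
    routes = list(managed_routes(networks))
    hits = []
    for peer in peers:
        for p in peer.get("paths", []):
            # path addresses are written as "ip/port"; keep only the ip part
            ip = ipaddress.ip_address(p["address"].rsplit("/", 1)[0])
            for target, via in routes:
                if ip in target:
                    hits.append((peer["address"], str(ip), str(target), via))
    return hits

def check(listnetworks_json=LISTNETWORKS_JSON, listpeers_json=LISTPEERS_JSON):
    return find_looped_paths(json.loads(listnetworks_json), json.loads(listpeers_json))

if __name__ == "__main__":
    for peer, ip, target, via in check():
        print(f"peer {peer}: path {ip} lies inside managed route {target} via {via}")
```

On a live host, replace the two constants with the real command output; an empty result means no peer path currently overlaps a managed route.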

Great post!

For the whitelisting part, there is a bind feature that you can use. As long as the IPs towards your public facing segment are static, this should work.

ZeroTier-> show config
{
    "physical": {},
    "virtual": {},
    "settings": {
        "bind": [
            "x.x.x.x"
        ]
    }
}

You can bind to multiple IPs (just separate by commas).

Thanks! Unluckily, in my use case the ISP assigns addresses via DHCP.