Windows Ethernet Bridging

Hi,

You don’t actually need to configure any special routes on the “router” machine - this should have the ZeroTier client installed on it so it will already have the necessary routes. If you used the -p flag when adding the routes (as in my examples) then you should be able to see the ones you’ve added under persistent routes in the output from:

route PRINT

Then you can use route DELETE to get rid of them. A single route (for the ZT subnet using the “router” machine as gateway) needs to be added to each device on your local network that you want to be able to access the ZeroTier network (but can’t install a ZT client on).
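The route described in the post above, as an added PowerShell example that is not from the thread: it adds the single persistent route a LAN device needs (the "route -p ADD" equivalent), checks it the way "route PRINT" would, and shows how to remove it again. The ZeroTier prefix 172.27.0.0/16 (the thread only mentions 172.27.0.0), the router box's LAN address 192.168.1.50, the adapter alias "Ethernet" and the probe address 172.27.0.10 are all assumed values for illustration.

```powershell
# Added example (not from the thread). Run in an elevated PowerShell on the
# LAN device that cannot run the ZeroTier client.
# Assumed values, replace with your own:
$ZtSubnet = '172.27.0.0/16'   # ZT managed subnet (thread only says 172.27.0.0)
$RouterIp = '192.168.1.50'    # LAN IP of the Windows box that runs ZeroTier
$IfAlias  = 'Ethernet'        # adapter on this device that faces that box

function Get-ZtRoute {
    # "route PRINT" restricted to the ZT prefix; PersistentStore lists only the
    # routes that survive a reboot, i.e. the ones added with "route -p".
    Get-NetRoute -DestinationPrefix $ZtSubnet -PolicyStore PersistentStore `
                 -ErrorAction SilentlyContinue
}

function Add-ZtRoute {
    if (Get-ZtRoute) {
        "Persistent route for $ZtSubnet already present, nothing to do."
        return
    }
    # Same effect as: route -p ADD 172.27.0.0 MASK 255.255.0.0 192.168.1.50
    # New-NetRoute writes the route to both the active and the persistent store.
    New-NetRoute -DestinationPrefix $ZtSubnet -NextHop $RouterIp `
                 -InterfaceAlias $IfAlias | Out-Null
    "Added route $ZtSubnet via $RouterIp on $IfAlias"
}

function Remove-ZtRoute {
    # Equivalent of: route DELETE 172.27.0.0
    Get-NetRoute -DestinationPrefix $ZtSubnet -ErrorAction SilentlyContinue |
        Remove-NetRoute -Confirm:$false
}

Add-ZtRoute
Get-ZtRoute | Format-Table DestinationPrefix, NextHop, InterfaceAlias, RouteMetric

# Reachability check toward a ZT member (assumed address); $true means the
# packet made it to the router box and back through its forwarding.
Test-NetConnection -ComputerName '172.27.0.10' -InformationLevel Quiet
```

Only the device that lacks a ZeroTier client needs this; the router box itself already carries the ZT route from its own client, as the post says.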

If I’m not mistaken, it should be enough to add a static route on your default gateway/router for your ZeroTier network (172.27.0.0) with your Windows machine’s IP address as the gateway. Then you don’t need to add a route on every device in your network.

Hi. I’m a noob. Can you help me set this up?

If it is not possible for you to add a route on the device, or it is not possible for you to install ZeroTier directly on this device, here is what I did.

I transformed a Linux machine (for example an RPi 4) into a router thanks to Linux forwarding. Once done, you must define this Linux router as the default gateway of your incompatible device. Once this is done, thanks to iptables rules, the requests from your incompatible device that go through your Linux router will go either to the ZeroTier interface of the Linux router or to the LAN interface of the Linux router. Your device will therefore have access to the internet and to ZeroTier via the Linux router.

Moreover, if the device does not need to initiate a connection to ZeroTier but only to respond to requests from ZeroTier, there is no need to change its default gateway.

If you don’t need full access to the device but just a port, you can do port forwarding.

If you need details, don’t hesitate, and don’t be afraid of Linux; Linux is cool :)

Hi jtm,

It seems you found a solution to ZeroTier accessing devices on a private LAN. Would you be able to put together a step-by-step setup? I tried many vague suggestions but can’t seem to access the device without ZeroTier installed. My setup is similar to upInTheNorth’s. I also have a Windows Server 2008 running on which I enabled RRAS, but still no success.

Hi Scott,

I think the number of suggestions in this thread proves that there are a few options for achieving physical network bridging with a Windows box, and it depends on your situation which option is best for you:

  • If you’re able to add static routes on your router, the easiest option is probably to set the IPEnableRouter registry entry on the Windows box that has ZeroTier installed and then on your router create a route to your ZT subnet through the IP of the Windows box. (as per @jakub.pisarczyk’s suggestion)

  • If you don’t have control of your router (like me) or it won’t allow you to add static routes, but you can add static routes to the device you need to access from ZT (e.g. QNAP NAS in my case) then you can do the IPEnableRouter setting and then follow my instructions to create the route on the device itself.

  • If neither of the above options are available to you, you’re probably best to follow @celien’s advice and set up a Linux box to be your ZT router, either by attaching an RPi or something to your network, or setting up a VM on your Windows server.

Happy to try and help with specifics if you’re able to share details about your particular network :)

Hi Jtm,

I’m familiar with general network setup but not familiar with static routes. My setup is below. I have a Windows Server 2008 running on the network where the device that I want to access is. I have already enabled RRAS for LAN routing. My PC (192.168.192.11) is still not able to ping/connect to the device, a security camera at 10.10.0.200.

(diagram: ZeroTier network)

Appreciate if you have instructions on what configurations are needed and where. Thanks.

Hi Scott,

Thanks for the diagram. In your setup the most important configuration is the managed route in the ZeroTier console. So at my.zerotier.com → Settings → Managed Routes, you need to add a managed route with destination 10.10.0.0/23 (assuming your security camera network is 10.10.0.0/24) via 192.168.192.2. Note that the destination subnet in the route needs to be slightly larger than the actual subnet (/23 instead of /24) so that clients that are on both networks (like your Server 2008 box) prefer the physical route instead of the ZT one.

At this point you can reconnect ZT on your W10 PC and check that you see the new 10.10.0.0/23 route when you run “route print” on the command line. If you can see the route you should then be able to ping/connect to the Server 2008 box on 10.10.0.100.

If the Server 2008 RRAS box is the default gateway for the security camera network then at this point you might be able to get all the way through to 10.10.0.200, but if not, you might need to add a NAT rule in RRAS:

https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/dd469812(v=ws.11)

In this case your “public” IP would be the ZT IP (192.168.192.2) and the private network is the 10.10.0.100 interface.
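Why the managed route is /23 rather than /24 comes down to longest-prefix matching, and a small added example (not from the thread) makes it visible. The two route tables below are constructed from the diagram's addresses; the helper functions reproduce the selection rule every IP stack applies (most specific matching prefix wins), so you can see the dual-homed Server 2008 box keep its on-link /24 for the camera while the ZT-only PC falls through to the /23 via 192.168.192.2.

```powershell
# Added example, not from the thread: longest-prefix route selection.
function ConvertTo-UInt32 ([string]$Ip) {
    $b = [System.Net.IPAddress]::Parse($Ip).GetAddressBytes()
    [Array]::Reverse($b)                     # network order -> little-endian
    return [BitConverter]::ToUInt32($b, 0)
}

function Get-PrefixMask ([int]$Len) {
    # /24 -> 0xFFFFFF00, /0 -> 0, /32 -> 0xFFFFFFFF (no shifts, avoids sign issues)
    return [uint32]([math]::Pow(2, 32) - [math]::Pow(2, 32 - $Len))
}

function Test-PrefixMatch ([string]$Ip, [string]$Cidr) {
    $net, $len = $Cidr -split '/'
    $mask = Get-PrefixMask ([int]$len)
    return ((ConvertTo-UInt32 $Ip) -band $mask) -eq ((ConvertTo-UInt32 $net) -band $mask)
}

function Select-Route ([string]$Ip, [object[]]$Table) {
    # Of all matching routes, the one with the longest prefix length wins.
    $Table | Where-Object { Test-PrefixMatch $Ip $_.Prefix } |
        Sort-Object { [int]($_.Prefix -split '/')[1] } -Descending |
        Select-Object -First 1
}

# Constructed route tables using the addresses from the diagram in this thread.
$server = @(   # Server 2008: LAN NIC plus the ZeroTier NIC
    @{ Prefix = '10.10.0.0/24';     Via = 'on-link (LAN NIC 10.10.0.100)' }
    @{ Prefix = '10.10.0.0/23';     Via = '192.168.192.2 (ZT managed route)' }
    @{ Prefix = '192.168.192.0/24'; Via = 'on-link (ZT NIC)' }
    @{ Prefix = '0.0.0.0/0';        Via = 'LAN default gateway' }
)
$pc = @(       # W10 PC that is only a ZeroTier member
    @{ Prefix = '10.10.0.0/23';     Via = '192.168.192.2 (ZT managed route)' }
    @{ Prefix = '192.168.192.0/24'; Via = 'on-link (ZT NIC)' }
    @{ Prefix = '0.0.0.0/0';        Via = 'home default gateway' }
)

"Server -> 10.10.0.200 goes " + (Select-Route '10.10.0.200' $server).Via
"PC     -> 10.10.0.200 goes " + (Select-Route '10.10.0.200' $pc).Via
```

Had the managed route been 10.10.0.0/24, the server would have two equal-length candidates and the outcome would depend on interface metrics rather than on the clear longest-match rule; the /23 removes that ambiguity.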

Hi Jtm,

Thank you for the instructions.
I added the Managed Routes with destination 10.10.0.0/23 via 192.168.192.2.
(screenshot: managed route)

I see 10.10.0.0/23 in “route print”
(screenshot: route print)

The Server 2008 RRAS box is not the default gateway. So I setup NAT public and private interfaces according to link provided.
(screenshot: NAT)

I still can’t ping/connect to 10.10.0.200 (security camera) from the PC on ZT (192.168.192.11).
(screenshot: ping)

What am I missing? Thanks.

Hi Scott,

I think you’re close! Can you at least ping the physical LAN IP of the RRAS server (10.10.0.100?) from your PC? If so, I think it’s the RRAS config that needs to be tweaked…

I’ve never done it myself so maybe someone else could say for sure - basically we need something on that RRAS server so that traffic from your PC over ZT ‘masquerades’ as traffic from the RRAS physical IP, then when the security camera replies it will send the response to the RRAS IP (which it already knows how to get to) and the RRAS box will translate it and send it on to your PC. Some wireshark captures or logs from the RRAS server might be the next step in troubleshooting.

Hi Jtm,

After I disable then re-enable RRAS, I am able to ping/connect the LAN IP of the RRAS server. Something is still missing because I cannot ping any of the clients on the LAN IP.

I did a “tracert 10.10.0.200” and I see the first hop to the ZT IP of the RRAS server (192.168.192.2) but then timeout. I think the response is not finding its way back.

Found the missing piece! Add NAT routing protocol then add Local Area Connection interface and make it public.

Jtm - appreciate your help!

To summarize the steps for anyone who needs help with this:

  1. Create new Network on Zerotier
  2. Install Zerotier on Windows server
  3. Add Managed Routes at my.zerotier.com with destination to the LAN ( my.zerotier.com → Settings → Managed Routes you need to add a managed route with destination 10.10.0.0/23 (assuming your security camera network is 10.10.0.0/24) via 192.168.192.2)
  4. On Windows server, install and configure RRAS (Routing and Remote Access Service). Enable LAN Routing and NAT. (How To Enable LAN Routing on Windows Server 2008 R2 - YouTube)
  5. Add a public Local Area Connection interface (Right-click on NAT > select New Interface > select the Local Area Connection “LAN” > select Public interface > check Enable NAT)
  6. Your PC/Mobile on ZT should be able to ping/connect with the LAN clients using LAN IP.

Is there any way to do NAT from command line in windows 10?

Not natively as far as I know, you need the RRAS role and that’s not available outside of Windows Server OS.

You could possibly do it with a 3rd party application or by using a VM/container but the second option will complicate the network and you might end up needing double NAT.

@HorizonsCT did you ever document your steps for this?

@dan.mannocchi: Yes, there are a few different options but the easiest way for Win10 is to enable Hyper-V.

Then use PowerShell to set up and control NAT like the examples below, or use Google for other ways.

If you don’t want to enable Hyper-V, it’s also possible to use ICS (Internet Connection Sharing) as NAT. For an example, have a look at the PowerShell function Set-NetConnectionSharing in How to Setup Wireguard VPN Server On Windows - Henry's Portal
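The poster's own NAT examples are screenshots that did not survive on this page, so the following is an added PowerShell example, not the poster's code, of the Hyper-V (WinNAT) route on Windows 10: enable the Hyper-V feature, create one NetNat whose internal prefix is the ZeroTier subnet, enable forwarding on the two adapters, and inspect the live translation table. The ZeroTier subnet 192.168.192.0/24 is taken from the thread's diagram; the adapter aliases "ZeroTier One [xxxxxxxxxxxxxxxx]" and "Ethernet" and the NAT name are placeholders you must adjust.

```powershell
# Added example (not from the thread). Run elevated; enabling Hyper-V needs a
# reboot before the NetNat cmdlets do anything useful.
$ZtPrefix = '192.168.192.0/24'                     # ZT subnet from the diagram
$ZtIf     = 'ZeroTier One [xxxxxxxxxxxxxxxx]'      # placeholder adapter alias
$LanIf    = 'Ethernet'                             # placeholder adapter alias

if ((Get-WindowsOptionalFeature -Online -FeatureName Microsoft-Hyper-V).State -ne 'Enabled') {
    Enable-WindowsOptionalFeature -Online -FeatureName Microsoft-Hyper-V -All -NoRestart
    "Hyper-V enabled, reboot and run this script again."
    return
}

function New-ZtNat ([string]$Name = 'ZeroTierNat', [string]$Prefix = $ZtPrefix) {
    # WinNAT has only ever allowed a single NAT object per host, so look first.
    $existing = Get-NetNat -ErrorAction SilentlyContinue
    if ($existing) {
        "NAT '$($existing.Name)' already covers $($existing.InternalIPInterfaceAddressPrefix)."
        "Remove it with Remove-NetNat -Name '$($existing.Name)' if it is not the one you want."
        return $existing
    }
    # Packets arriving from $Prefix are source-translated to this host's address
    # on the interface they leave through; replies are mapped back automatically,
    # so LAN hosts never need to know the ZeroTier subnet exists.
    New-NetNat -Name $Name -InternalIPInterfaceAddressPrefix $Prefix
}

# Forwarding only on the two adapters involved, not on every interface.
Set-NetIPInterface -InterfaceAlias $ZtIf  -AddressFamily IPv4 -Forwarding Enabled
Set-NetIPInterface -InterfaceAlias $LanIf -AddressFamily IPv4 -Forwarding Enabled

New-ZtNat | Format-List Name, InternalIPInterfaceAddressPrefix, Active

# Live translations appear here once ZT peers start talking to LAN hosts;
# an empty table while pings fail usually means the ZT managed route is missing.
Get-NetNatSession | Format-Table InternalSourceAddress, ExternalSourceAddress, InternalDestinationAddress
```

Because this is a NAT and not a routed bridge, LAN devices can only answer ZT-originated connections; for LAN hosts to initiate toward ZT you still need the managed route plus a static route on the LAN gateway as the posts above describe.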

This should make it really easy for anyone stuck on this… simple PowerShell script. Be advised that in addition to this, you must have routes configured: on ZeroTier, one for the network, as well as a static route for the ZeroTier subnet pointing to the IP of the machine running this, on the local router. With these two requirements met, this script is a single-click deployment that enables bidirectional communication between all devices on the LAN subnet and the ZeroTier subnet, and any other subnets routed through ZeroTier at other sites.

### Download MSI file
### Run this in an elevated PowerShell: the install, forwarding and service changes all need admin rights
$Folder = 'C:\ZT_install'
"Test to see if folder [$Folder] exists"
if (Test-Path -Path $Folder) {
    "Path exists!"
} else {
    New-Item -Path $Folder -ItemType Directory | Out-Null
}
$Msi = Join-Path $Folder 'ZeroTierOne.msi'
Invoke-WebRequest -Uri "https://download.zerotier.com/dist/ZeroTier%20One.msi" -OutFile $Msi

#### Start Installation (silent, no reboot); -Wait blocks until msiexec has finished
Start-Process -FilePath msiexec.exe -ArgumentList '/i', "`"$Msi`"", '/qn', '/norestart' -Wait

### 30 second delay so the ZeroTier service is up before we talk to it
Start-Sleep -Seconds 30


### Join ZeroTier Network.  (Please set this variable accordingly)
$NetworkID = "INSERT YOUR NETWORK ID HERE!!!!!!"
$zerotiercli = "C:\ProgramData\ZeroTier\One\zerotier-one_x64.exe"

& $zerotiercli -q join $NetworkID

### Enable IP forwarding to allow bi-directional LAN Bridging
### (this enables it on every interface; add -InterfaceAlias to limit it to the LAN and ZeroTier adapters)
Set-NetIPInterface -Forwarding Enabled
### The Routing and Remote Access service is what makes forwarding between interfaces active on Windows
Set-Service RemoteAccess -StartupType Automatic; Start-Service RemoteAccess

Thank you very much. I cannot wait to try it out!

Thanks for sharing I will try this to connect 2 sites

@celien I want to achieve exactly this using a Debian 12 machine… I would love to get more details :)

mike