Zero Tier Public IP Address range

Hey there.
Does anyone know the Zero Tier public IP range?
Need to allow UDP inbound on our firewall but can’t find this information anywhere?


ZeroTier is a peer to peer system. It won’t work very well if you only allow our servers and nothing else.
Our roots can be found with host but our network controllers are on dynamic IP addresses and your computers are likely on dynamic IP addresses as well.

Thanks for getting back to me.
We have one server that sits behind a firewall that we want to protect from the internet.
The laptops are fine and we leave them as dynamic.
it’s just this one server that we are having trouble with allowing it to report back to Zero Tier unless we allow all inbound UDP traffic.

Is the network created between the 2 laptops and server only? I would have assumed there is communication back to Zero Tier. Does Zero Tier hand off once the initial link is made?
I assumed all traffic had to flow back through you.

I was just going to allow UDP traffic from your public IP’s

What type of firewall is it? Some enterprise firewalls do NAT in a way that blocks ZeroTier direct connections.

Usually you can allow outgoing UDP and then related/establised incoming udp.

Thanks for the help.
I can’t sign into that site.
Can I get more specifics on what UDP ports Zero tier uses.
This is enterprise firewall and only allows us to pick specific ports or have UDP open inbound which is a risk.

So was thinking I would allow UDP 9993
and then with your advice should we also allow say 20,000 to 40,000 as most of those ports are unused on a windows server.

I got this info from your website
What ports does ZeroTier use?

It listens on three 3 UDP ports:

  • 9993 - The default
  • A random, high numbered port derived from your ZeroTier address
  • A random, high numbered port for use with UPnP/NAT-PMP mappings

Or if the firewall was smart enough and uses DNS could I just allow all UDP traffic from
I see there are 4 public IP’s listed which I assume are ZT’s


The roots listen on 9993
Any behind NAT will appear to be listening on a random port.

We run 4 roots, so there are 4 ip addresses.

What brand of router are you behind?

If you want to manually configure the listening port, use “secondaryPort” described here:

1 Like

For the other two random ports is there a range that I can allow instead of manual config?
Found out its a Juniper.

It’s 1024 - 65535 as far as I know.

A juniper admin had some luck here SRX NAT configuration for a ZT appliance - #3 by jkhuon

1 Like

I found that the key here for a Juniper SRX is to disable the port translation on the source nat.

As for permitted ports, I simply allowed all high-numbered unprivileged UDP ports.

1 Like

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.