ZeroTier on OpenWRT - Networking advice

Hi experts,

I’m having an issue that is clearly due to my lack of knowledge.
My situation is as follows:
I have a local server running at my house, I’ve set up zerotier on that server so that I can access it outside of my network. I’ve followed a guide on how to set up a full tunnel on zerotier, and that works fine. I can use the ZeroTier app for android, turn it on, and boom I’m in my server even outside.
Now I had the need to make my parents’ (different home from mine) LG TV reach my home server. As LG does not have a ZeroTier app yet, I was left with 2 options, a double ethernet Pi running zerotier, or a router. I had an old one lying around and tried my luck.
It was a very old router, but I was able to install OpenWRT on it, and then Zerotier.
I disabled WiFi, as I only need an ethernet connection from that router to the TV.
I configured everything, connected my parents’ router to openwrt router, and then an ethernet cable to the TV. I mapped a bridge from openwrt router LAN1 to LAN2, and the TV got internet just fine. I’ve also set up zerotier, and joined my zerotier network.
I can see the new device, which is the openwrt router added to my devices, authorized it, and it got an ip address and is always connected.
I was then expecting the TV to reach the home server, but it doesn’t.
What am I missing? Is there any extra setup needed?

Much appreciated!

Do you expect their TV to follow a default route to your home (e.g. use your home’s internet for their TV)?

Your server has no information on how to reach the TV. In other words, there is no route from the server to your parents’ LAN (or even a single host, the TV). You need to set up a managed route for {TV IP}/32 via OpenWrt ZT IP.
Your parents’ TV is in a similar situation. It has its default route pointing to the existing local router that has no idea about ZeroTier’s existence. You need to add a static route on the main router: {ZT subnet or a single host, your server} via OpenWrt LAN IP.

You don’t need “a double ethernet Pi”, one port will be enough.

See [my] explanations in this forum on how to access remote webcams, that’s a very close use case.

Yes, that is exactly what I was trying to achieve!

I think that makes sense, but for example, how can my mobile device with ZeroTier App reach my home server without any kind of setup?
All I had to do on the app was to check the option that routes all traffic through zerotier.
Maybe all I need to do is to enable that on the openwrt router as well?

I will definitely check your thread.

Assuming you already have a managed route inside ZeroTier Central for 0.0.0.0/0, then your next step will be to allow the remote OpenWRT instance to accept that default. You can use this from the Linux shell on that router:

zerotier-cli set <networkId> allowDefault=1

You can verify that you have the default with either of these from the linux shell:

ip route
route -n

Yes, I already have a managed route for 0.0.0.0/0 on my zerotier network.

I couldn’t use zerotier-cli, as every time the router reset, the configs were lost. But I was able to make them persistent by editing the /etc/config/zerotier file as follows:

config zerotier 'sample_config'
        option enabled '1'
        list join 'my network id'
        option secret 'my key'

Maybe I need an extra option to do the same as allowdefault=1?

The zerotier client on the openwrt router is able to reach the network, I’ve authorized the device and it got a new ip address. If I perform a zerotier-cli networks I can see it is online.

How did you install ZeroTier? Did you install the opkg? In the Zerotier-one directory, there’s a network specific local.conf that has the allow settings in there.

You can always manually add that default as a static route in Luci as well.

Had to create a custom openwrt image with zerotier already on it. The router is an oldie, and does not have space if I performed a clean openwrt install and then tried to install zerotier via opkg.

I know the file where I can edit the settings, it’s the /etc/config/zerotier. Just thinking I may be missing something as that allowdefault=1 does? Any idea how I can set that option on the file?

Sadly I don’t have Luci as well due to the low space :smiley:

They are on the same ZT subnet.

Even when I’m using a different wireless or mobile data?
Would it be just a matter of making the openwrt router on the same zt subnet as well?

Once ZT client on OpenWrt router is successfully connected to ZT network, it will automatically join the same ZT subnet, nothing to configure.
However, your TV lives on a different subnet and you need to configure routing as advised.

If your goal stays the same - “TV reach my home server”, you do not need to create 0.0.0.0/0 route in ZT.

I’ve authorized the zerotier client on the openwrt on the zerotier central, so they should be on the same subnet, right?
Why can’t the TV still reach the server?

You should be able to verify this by checking IP addresses on all the devices.

I guess you have not followed all my recommendations.
I suggest temporarily replacing the TV with a PC, so you can run ping, traceroute, etc.; and draw a diagram with all the IP addresses.

I didn’t have the chance yet. The router is already at my parents’; I will go there with a laptop in 2 days, and will try your suggestions.
Thanks in advance!

I did find several threads with the same doubt, but no answer yet - OpenWRT Config allowDefault

I’ve just installed zerotier on a desktop at my parents’. After joining the network, I couldn’t reach my home server, but after enabling “Allow default route override”, I can reach it just fine. So I’m assuming all my managed routes are properly set on zerotier central, as both a desktop and my mobile work.
This is the output of route print on said desktop:

Active Routes:
Network Destination        Netmask          Gateway       Interface  Metric
          0.0.0.0          0.0.0.0      192.168.1.1     192.168.1.68     35
          0.0.0.0          0.0.0.0   25.255.255.254    172.23.37.218  10034
          0.0.0.0        128.0.0.0   172.23.154.239    172.23.37.218    291
        127.0.0.0        255.0.0.0         On-link         127.0.0.1    331
        127.0.0.1  255.255.255.255         On-link         127.0.0.1    331
  127.255.255.255  255.255.255.255         On-link         127.0.0.1    331
        128.0.0.0        128.0.0.0   172.23.154.239    172.23.37.218    291
       172.23.0.0      255.255.0.0         On-link     172.23.37.218    291
    172.23.37.218  255.255.255.255         On-link     172.23.37.218    291
   172.23.255.255  255.255.255.255         On-link     172.23.37.218    291
      192.168.1.0    255.255.255.0         On-link      192.168.1.68    291
     192.168.1.68  255.255.255.255         On-link      192.168.1.68    291
    192.168.1.255  255.255.255.255         On-link      192.168.1.68    291
        224.0.0.0        240.0.0.0         On-link         127.0.0.1    331
        224.0.0.0        240.0.0.0         On-link      192.168.1.68    291
        224.0.0.0        240.0.0.0         On-link     172.23.37.218    291
  255.255.255.255  255.255.255.255         On-link         127.0.0.1    331
  255.255.255.255  255.255.255.255         On-link      192.168.1.68    291
  255.255.255.255  255.255.255.255         On-link     172.23.37.218    291

I strongly believe that everything is around this command on the openwrt router:

zerotier-cli set <networkId> allowDefault=1

Every time I perform it, the zerotier service simply goes down. I’ve tried to mimic that behaviour by performing:
uci set zerotier.sample_config.allowDefault='1'

I think it worked, as if I perform a:
uci show zerotier
It shows:

zerotier.sample_config=zerotier
zerotier.sample_config.enabled='1'
zerotier.sample_config.join='mynetwork'
zerotier.sample_config.secret='mysecret'
zerotier.sample_config.allowDefault='1'

This is the openwrt route -n output before zerotier is able to join the network:

Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
0.0.0.0         192.168.1.1     0.0.0.0         UG    0      0        0 br-lan
192.168.1.0     0.0.0.0         255.255.255.0   U     0      0        0 br-lan

And this is what it shows after it joins the network:

Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
0.0.0.0         192.168.1.1     0.0.0.0         UG    0      0        0 br-lan
172.23.0.0      0.0.0.0         255.255.0.0     U     0      0        0 zt0
192.168.1.0     0.0.0.0         255.255.255.0   U     0      0        0 br-lan

Any idea what I might be missing?

You may have to restart the zerotier process after making that change. You should receive these into your routing table:
0.0.0.0/1
128.0.0.0/1
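
Added example, not part of any post in this thread: a POSIX shell check that reads `route -n` output and reports whether the two half-default routes named above are installed on the ZeroTier interface. The helper name `zt_default_status` is hypothetical; the first table is the one posted in the thread, the second is constructed, reusing the interface `zt0` and the gateway 172.23.154.239 from the outputs shown earlier.

```sh
#!/bin/sh
# Added example: classify a `route -n` table (read from stdin) by whether the
# ZeroTier default-route override (0.0.0.0/1 + 128.0.0.0/1) is installed.
# zt_default_status is a hypothetical helper name, not a ZeroTier command.

zt_default_status() {
    # $1 = ZeroTier interface name (zt0 in the thread's output)
    # route -n columns: Destination Gateway Genmask Flags Metric Ref Use Iface
    awk -v ifc="$1" '
        $1 == "0.0.0.0"   && $3 == "128.0.0.0" && $8 == ifc { low = 1 }
        $1 == "128.0.0.0" && $3 == "128.0.0.0" && $8 == ifc { high = 1 }
        $1 == "0.0.0.0"   && $3 == "0.0.0.0"   && $8 != ifc { lan = $2 }
        END {
            if (low && high)      print "override-active"
            else if (low || high) print "override-partial"
            else if (lan != "")   print "lan-default-only via " lan
            else                  print "no-default"
        }'
}

# Table posted in the thread (OpenWrt router after joining the network).
TABLE_THREAD='Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
0.0.0.0         192.168.1.1     0.0.0.0         UG    0      0        0 br-lan
172.23.0.0      0.0.0.0         255.255.0.0     U     0      0        0 zt0
192.168.1.0     0.0.0.0         255.255.255.0   U     0      0        0 br-lan'

# Constructed table: the same router with both override routes present.
TABLE_OVERRIDE='Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
0.0.0.0         172.23.154.239  128.0.0.0       UG    0      0        0 zt0
0.0.0.0         192.168.1.1     0.0.0.0         UG    0      0        0 br-lan
128.0.0.0       172.23.154.239  128.0.0.0       UG    0      0        0 zt0
172.23.0.0      0.0.0.0         255.255.0.0     U     0      0        0 zt0
192.168.1.0     0.0.0.0         255.255.255.0   U     0      0        0 br-lan'

printf '%s\n' "$TABLE_THREAD"   | zt_default_status zt0
printf '%s\n' "$TABLE_OVERRIDE" | zt_default_status zt0
# On the router itself: route -n | zt_default_status zt0
```

The two /1 routes are more specific than the LAN's 0.0.0.0/0 entry, so they win without replacing it; that is why the check looks for both halves rather than for a changed default gateway.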

I did, even rebooted the router :confused:

Well, the issue may be with
uci set zerotier.sample_config.allowDefault='1'
It might just not do anything. As I’ve tried to add a dummy value, for example:
uci set zerotier.sample_config.teste='1'
And that option got added to the zerotier config file. So it seems it does not check for syntax or valid parameters of any source.

Really struggling to understand why the allowdefault via zerotier-cli is failing