Blaming RaspAP is a bit too easy. Zerotier alone runs. RaspAP alone runs. But the point is that I need both.
Imagine Microsoft Office stopped working because you are running Google Chrome.
I would like both to work.
I admit that I do not like Linux at all. And zerotier feels much more sophisticated on Windows. But that is not an option.
So I am trying to find the culprit and fix the issue.
EDIT:
pi@raspberrypi:~ $ sudo iptables -L -v -n
Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
Chain OUTPUT (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
EDIT2:
tcp 0 0 10.3.141.1:20230 0.0.0.0:* LISTEN 10969/zerotier-one
tcp 0 0 192.168.0.39:9993 0.0.0.0:* LISTEN 10969/zerotier-one
tcp 0 0 127.0.0.1:9993 0.0.0.0:* LISTEN 10969/zerotier-one
tcp 0 0 10.3.141.1:33329 0.0.0.0:* LISTEN 10969/zerotier-one
tcp 0 0 10.3.141.1:9993 0.0.0.0:* LISTEN 10969/zerotier-one
tcp 0 0 192.168.0.39:20230 0.0.0.0:* LISTEN 10969/zerotier-one
Blaming something that messes with iptables is not a hard leap of logic to make. It’s entirely plausible there’s a mistake in their iptables rules causing the issue.
From your latest edit, I see that your iptables are flushed (ensure ip6tables are flushed as well), and ZeroTier is running. What’s the output of zerotier-cli info now?
How do I flush ip6tables?
Same as you flush iptables, just use the ip6tables command instead.
pi@raspberrypi:~ $ service --status-all
[ - ] alsa-utils
[ + ] avahi-daemon
[ + ] bluetooth
[ - ] console-setup.sh
[ + ] cron
[ + ] cups
[ + ] cups-browsed
[ + ] dbus
[ + ] dhcpcd
[ + ] dnsmasq
[ + ] dphys-swapfile
[ + ] fake-hwclock
[ - ] fio
[ + ] hostapd
[ - ] hwclock.sh
[ - ] keyboard-setup.sh
[ + ] kmod
[ + ] lightdm
[ + ] lighttpd
[ + ] netfilter-persistent
[ + ] networking
[ - ] nfs-common
[ - ] plymouth
[ + ] plymouth-log
[ + ] procps
[ - ] pulseaudio-enable-autospawn
[ + ] raspi-config
[ + ] rng-tools-debian
[ - ] rpcbind
[ - ] rsync
[ + ] rsyslog
[ - ] saned
[ + ] ssh
[ - ] sudo
[ + ] triggerhappy
[ + ] udev
[ + ] vnstat
[ - ] x11-common
[ + ] zerotier-one
pi@raspberrypi:~ $ sudo iptables -L -v -n
Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
Chain OUTPUT (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
pi@raspberrypi:~ $ sudo ip6tables -L -v -n
Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
Chain OUTPUT (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
pi@raspberrypi:~ $ sudo zerotier-cli status
Error connecting to the ZeroTier service:
Please check that the service is running and that TCP port 9993 can be contacted via 127.0.0.1.
pi@raspberrypi:~ $ sudo zerotier-cli info
Error connecting to the ZeroTier service:
Please check that the service is running and that TCP port 9993 can be contacted via 127.0.0.1.
pi@raspberrypi:~ $ sudo netstat -tunlp
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address Foreign Address State PID/Program name
tcp 0 0 192.168.0.39:28579 0.0.0.0:* LISTEN 592/zerotier-one
tcp 0 0 10.3.141.1:9993 0.0.0.0:* LISTEN 592/zerotier-one
tcp 0 0 192.168.0.39:43333 0.0.0.0:* LISTEN 592/zerotier-one
tcp 0 0 192.168.0.39:9993 0.0.0.0:* LISTEN 592/zerotier-one
tcp 0 0 10.3.141.1:43333 0.0.0.0:* LISTEN 592/zerotier-one
tcp 0 0 0.0.0.0:5900 0.0.0.0:* LISTEN 608/vncserver-x11-c
tcp 0 0 127.0.0.1:631 0.0.0.0:* LISTEN 568/cupsd
tcp 0 0 127.0.0.1:9993 0.0.0.0:* LISTEN 592/zerotier-one
tcp 0 0 10.3.141.1:28579 0.0.0.0:* LISTEN 592/zerotier-one
tcp 0 0 0.0.0.0:53 0.0.0.0:* LISTEN 1276/dnsmasq
tcp 0 0 0.0.0.0:22 0.0.0.0:* LISTEN 633/sshd: /usr/sbin
tcp 0 0 0.0.0.0:80 0.0.0.0:* LISTEN 689/lighttpd
tcp6 0 0 ::1:9993 :::* LISTEN 592/zerotier-one
tcp6 0 0 ::1:631 :::* LISTEN 568/cupsd
tcp6 0 0 :::5900 :::* LISTEN 608/vncserver-x11-c
tcp6 0 0 :::53 :::* LISTEN 1276/dnsmasq
tcp6 0 0 :::22 :::* LISTEN 633/sshd: /usr/sbin
tcp6 0 0 :::80 :::* LISTEN 689/lighttpd
udp 0 0 224.0.0.251:5353 0.0.0.0:* 1787/chromium-brows
udp 0 0 224.0.0.251:5353 0.0.0.0:* 1787/chromium-brows
udp 0 0 0.0.0.0:5353 0.0.0.0:* 425/avahi-daemon: r
udp 0 0 192.168.0.39:9993 0.0.0.0:* 592/zerotier-one
udp 0 0 10.3.141.1:9993 0.0.0.0:* 592/zerotier-one
udp 0 0 192.168.0.39:43333 0.0.0.0:* 592/zerotier-one
udp 0 0 10.3.141.1:43333 0.0.0.0:* 592/zerotier-one
udp 0 0 192.168.0.39:28579 0.0.0.0:* 592/zerotier-one
udp 0 0 10.3.141.1:28579 0.0.0.0:* 592/zerotier-one
udp 0 0 0.0.0.0:53 0.0.0.0:* 1276/dnsmasq
udp 0 0 0.0.0.0:67 0.0.0.0:* 1276/dnsmasq
udp 0 0 0.0.0.0:68 0.0.0.0:* 1042/dhcpcd
udp 0 0 0.0.0.0:631 0.0.0.0:* 679/cups-browsed
udp 0 0 0.0.0.0:54275 0.0.0.0:* 425/avahi-daemon: r
udp6 0 0 :::5353 :::* 425/avahi-daemon: r
udp6 0 0 :::51202 :::* 425/avahi-daemon: r
udp6 0 0 :::53 :::* 1276/dnsmasq
pi@raspberrypi:~ $
Try restarting zerotier? systemctl restart zerotier-one
Content of /etc/iptables/rules.v4
# Generated by iptables-save v1.8.7 on Sat May 7 20:23:38 2022
*nat
:PREROUTING ACCEPT [0:0]
:INPUT ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
-A POSTROUTING -j MASQUERADE
-A POSTROUTING -s 192.168.50.0/24 ! -d 192.168.50.0/24 -j MASQUERADE
COMMIT
# Completed on Sat May 7 20:23:38 2022
Rules.v6 is empty.
Same error as before when I run zerotier-cli info
I am not sure where
-A POSTROUTING -s 192.168.50.0/24 ! -d 192.168.50.0/24 -j MASQUERADE
COMMIT
is coming from. This IP range is not being used by any of my interfaces.
They are 192.168.0.x and 10.3.141.x
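Added example, not part of the thread and not RaspAP or ZeroTier code: iptables -L without -t lists only the filter table, so the nat rules saved in the rules.v4 above would not appear in the empty listings earlier in the thread. The function below (its name is made up for this example) reads iptables-save output and reports POSTROUTING MASQUERADE/SNAT rules that have no -o match and therefore apply to traffic leaving any interface; the eth0 rule in the sample is constructed for contrast.

```shell
#!/bin/sh
# Added example: flag source-NAT rules that are not tied to an egress interface.

# unscoped_nat_rules [FILE]
# Reads iptables-save output from FILE (or stdin) and prints
#   "<table> <scope> <rule>"
# for every POSTROUTING MASQUERADE/SNAT rule without an -o match.
# scope is "any-source" when the rule also has no -s match, else "source-limited".
# Simplification: a negated match ("! -o eth0") is treated as scoped.
unscoped_nat_rules() {
    awk '
        /^\*/ { table = substr($0, 2); next }        # "*nat" opens a table section
        /^-A POSTROUTING/ && / -j (MASQUERADE|SNAT)/ {
            if ($0 ~ / (-o|--out-interface) /) next  # limited to one egress interface
            scope = ($0 ~ / (-s|--source) /) ? "source-limited" : "any-source"
            print table, scope, $0
        }
    ' "${1:--}"
}

# Sample input: the nat section quoted in the thread, plus one constructed
# rule scoped to a hypothetical uplink interface (eth0) for comparison.
sample=$(mktemp)
cat > "$sample" <<'EOF'
*nat
:PREROUTING ACCEPT [0:0]
:INPUT ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
-A POSTROUTING -j MASQUERADE
-A POSTROUTING -s 192.168.50.0/24 ! -d 192.168.50.0/24 -j MASQUERADE
-A POSTROUTING -o eth0 -j MASQUERADE
COMMIT
EOF

unscoped_nat_rules "$sample"
```

On a live system the same check runs against the loaded ruleset with: sudo iptables-save -t nat | unscoped_nat_rules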
By all accounts with iptables empty & default ACCEPT on all policies, this should work fine. I’m not spotting any reason why the control port shouldn’t be listening on 127.0.0.1:9993
What’s the content of your /etc/hosts file? Wondering if RaspAP messed with something in there.
pi@raspberrypi:~ $ telnet 127.0.0.1 9993
Trying 127.0.0.1...
Connected to 127.0.0.1.
Escape character is '^]'.
^
Connection closed by foreign host.
pi@raspberrypi:~ $
I have no clue. Linux is driving me crazy with its different networking approaches.
127.0.0.1 localhost
::1 localhost ip6-localhost ip6-loopback
ff02::1 ip6-allnodes
ff02::2 ip6-allrouters
127.0.1.1 raspberrypi
Unfortunately I’m stumped on this one, man. I know it works on a Raspberry Pi as I have one in my home network closet. It’s on & running ZT just fine.
If I were you, I’d likely start over with a clean slate on this. Install a fresh copy of Raspbian (or whatever distribution you’re using). Install ZeroTier on it. Ensure it works. Then install RaspAP.
I tried that approach also.
As soon as I install RaspAP, zerotier throws those mentioned errors. Whether I install RaspAP first or zerotier first does not matter. I always end up in the same place.
Do you know of any method of creating a hotspot/AP with a usb wifi dongle that will not mess with zerotier? Despite wanting the nice graphical UI, I would be happy to just have a working wlan1 hotspot as long as zerotier is running properly.
Well, we definitely have RaspAP as your culprit then, if ZeroTier works before installing RaspAP, but not after. It’s doing something to your system that is blocking the CLI from accessing the background service. What it’s doing, though? I have no clue.
Would any of the following mess with zerotier?
source: GitHub - cilynx/rtl88x2bu: rtl88x2bu driver updated for current kernels.
# Update all packages per normal
sudo apt update
sudo apt upgrade
# Install prereqs
sudo apt install git dnsmasq hostapd bc build-essential dkms raspberrypi-kernel-headers
# Reboot just in case there were any kernel updates
sudo reboot
# Pull down the driver source
git clone https://github.com/cilynx/rtl88x2bu
cd rtl88x2bu/
# Configure for RasPi
sed -i 's/I386_PC = y/I386_PC = n/' Makefile
sed -i 's/ARM_RPI = n/ARM_RPI = y/' Makefile
# DKMS as above
VER=$(sed -n 's/\PACKAGE_VERSION="\(.*\)"/\1/p' dkms.conf)
sudo rsync -rvhP ./ /usr/src/rtl88x2bu-${VER}
sudo dkms add -m rtl88x2bu -v ${VER}
sudo dkms build -m rtl88x2bu -v ${VER} # Takes ~3-minutes on a 3B+
sudo dkms install -m rtl88x2bu -v ${VER}
# Plug in your adapter then confirm your new interface name
ip addr
# Set a static IP for the new interface (adjust if you have a different interface name or preferred IP)
sudo tee -a /etc/dhcpcd.conf <<EOF
interface wlan1
static ip_address=192.168.4.1/24
nohook wpa_supplicant
EOF
# Clobber the default dnsmasq config
sudo tee /etc/dnsmasq.conf <<EOF
interface=wlan1
dhcp-range=192.168.4.100,192.168.4.199,255.255.255.0,24h
EOF
# Configure hostapd
sudo tee /etc/hostapd/hostapd.conf <<EOF
interface=wlan1
driver=nl80211
ssid=pinet
hw_mode=g
channel=7
wmm_enabled=0
macaddr_acl=0
auth_algs=1
ignore_broadcast_ssid=0
wpa=2
wpa_passphrase=CorrectHorseBatteryStaple
wpa_key_mgmt=WPA-PSK
wpa_pairwise=TKIP
rsn_pairwise=CCMP
EOF
sudo sed -i 's|#DAEMON_CONF=""|DAEMON_CONF="/etc/hostapd/hostapd.conf"|' /etc/default/hostapd
# Enable hostapd
sudo systemctl unmask hostapd
sudo systemctl enable hostapd
# Reboot to pick up the config changes
sudo reboot
If ZeroTier works before installing RaspAP, then RaspAP is your issue. I have no clue what it could be doing to block zerotier-cli from accessing the daemon via localhost.
Hello Grant,
I really want to pinpoint the causes and find a possible solution.
So I will start with a completely fresh and clean Raspberry Pi OS and install only zerotier.
I have set up my server at home according to this instruction
From my Windows PC and Android phone I can access the server, everything in the LAN behind it and also the internet through it (i.e. tunnel through the server to the internet).
What do I need to do to achieve this on my Linux client?
curl -s https://install.zerotier.com | sudo bash
sudo zerotier-cli join MYNETWORK
Do I need to do anything else? Internet is established through wlan0.
Do I need any additional packages like iptables-persistent, dnsmasq or similar?
Do I need to create a bridge?
Do I need to adjust any zerotier settings (e.g. allowManaged, allowDefault, allowGlobal)?
Or should installing and joining be all that is needed on a fresh Linux install to have the same access I have from my Android and Windows devices?
Is your Linux client just another machine you want to join the network? Then all you should have to do is install ZeroTier & join the network.