We will set up an Ubuntu VM that acts as a layer-2 gateway (bridge) into an existing network. ZeroTier assigns clients IP addresses from the existing subnet, and traffic is routable to hosts on the LAN as if the client were plugged in locally. You need a block of addresses inside the subnet but outside the existing DHCP pool to hand out to VPN clients; otherwise the DHCP server and ZeroTier can assign the same address to two hosts.
This guide is based on ZeroTier's guide for Raspbian.
We will be using the following values; note the equivalents for your own network:
Parameter | Value |
---|---|
Existing network | 192.168.1.0/24 |
ZeroTier VM | 192.168.1.3 |
Existing DHCP pool | 192.168.1.20-220 |
New ZeroTier client pool | 192.168.1.221-240 |
DNS servers | 192.168.1.1 |
Gateway | 192.168.1.1 |
Create a new ZeroTier network at my.zerotier.com. Leave Access Control set to Private: once this network is bridged, every authorised member has layer-2 access to your LAN, so members must be approved individually. Now change the following:
- Delete all managed routes.
- Set IPv4 auto-assign to Advanced.
- Delete the existing assignment pool.
- Add the new client pool (192.168.1.221 to 192.168.1.240). ZeroTier hands these out, so they must not overlap your DHCP server's pool.
- Add a managed route for the network with a subnet mask one bit wider than the real one, and no 'via': if the LAN is /24, enter /23 (192.168.0.0/23 here). A host that is physically on the LAN with ZeroTier running then prefers the more specific /24 route from its local DHCP lease over the ZeroTier route and does not send LAN traffic through the VPN - see this
- You can also add a route for 0.0.0.0/0 with 'via' set to your gateway (192.168.1.1 here). Each client then gets an 'Allow default route' option that sends all of its internet traffic over the VPN and out through your LAN's gateway; it can be toggled on and off as desired.
- Under IPv4 you can enter DNS servers to push to clients; using them is optional on each client. Pushing your LAN's DNS server can break name resolution for intranet services when a client is connected to an enterprise network at the same time as the VPN.
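The route-width and pool rules above are easy to get wrong by hand. The following script is an added example, not part of the original guide or of ZeroTier's own tooling: it computes the one-bit-wider managed route from the LAN CIDR and checks that the client pool sits inside the subnet (excluding the network and broadcast addresses) but outside the DHCP range. The values are the ones from the tables above; substitute your own.

```shell
#!/bin/sh
# Added example (not from the original guide or ZeroTier): derive the
# ZeroTier Central route/pool settings from the page's parameters and
# sanity-check the client pool before typing anything into the portal.

# Dotted quad -> 32-bit integer and back (POSIX sh arithmetic only).
ip2int() {
  set -- $(printf '%s' "$1" | tr . ' ')
  echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}
int2ip() {
  echo "$(( ($1 >> 24) & 255 )).$(( ($1 >> 16) & 255 )).$(( ($1 >> 8) & 255 )).$(( $1 & 255 ))"
}
# Netmask for a prefix length, as an integer (24 -> 0xFFFFFF00).
prefix2mask() {
  echo $(( (0xFFFFFFFF << (32 - $1)) & 0xFFFFFFFF ))
}

# Managed route to advertise: the network with its prefix shortened by one
# bit (192.168.1.0/24 -> 192.168.0.0/23). Longest-prefix match means a host
# that is also physically on the /24 keeps its local route and never sends
# LAN traffic through ZeroTier.
supernet_one_wider() {
  addr=${1%/*}; prefix=$(( ${1#*/} - 1 ))
  echo "$(int2ip $(( $(ip2int "$addr") & $(prefix2mask "$prefix") )))/$prefix"
}

# pool_is_valid CIDR START END DHCP_START DHCP_END
# 0 if START..END lies inside CIDR (network and broadcast excluded) and does
# not overlap the DHCP range; 1 otherwise.
pool_is_valid() {
  cidr=$1; s=$(ip2int "$2"); e=$(ip2int "$3"); ds=$(ip2int "$4"); de=$(ip2int "$5")
  mask=$(prefix2mask "${cidr#*/}")
  net=$(( $(ip2int "${cidr%/*}") & mask ))
  bcast=$(( net | (~mask & 0xFFFFFFFF) ))
  [ "$s" -le "$e" ] || return 1
  [ "$s" -gt "$net" ] && [ "$e" -lt "$bcast" ] || return 1
  # No overlap: the pool ends before DHCP starts, or begins after it ends.
  [ "$e" -lt "$ds" ] || [ "$s" -gt "$de" ]
}

# Demo with the page's values.
LAN=192.168.1.0/24; GW=192.168.1.1
echo "managed route:  $(supernet_one_wider "$LAN") (no via; on-link over the bridge)"
echo "optional route: 0.0.0.0/0 via $GW (enables 'Allow default route' on clients)"
if pool_is_valid "$LAN" 192.168.1.221 192.168.1.240 192.168.1.20 192.168.1.220; then
  echo "client pool 192.168.1.221-240: OK (inside $LAN, outside DHCP 20-220)"
else
  echo "client pool overlaps DHCP or leaves the subnet; pick another range" >&2
fi
```

The managed route deliberately has no 'via': clients reach LAN hosts directly across the bridge, so only the default route (if you add it) needs the gateway address.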
Make notes of the following:
Parameter | Value |
---|---|
ZeroTier network ID | ab01cd34xxxxx |
Install an Ubuntu Server VM and give it a static IP (192.168.1.3 here).
Do everything that follows as root:
sudo -s
Install ZeroTier. This pipes a remote script straight into a root shell, so download and read it first, or use the GPG-verified install command documented at install.zerotier.com:
curl -s https://install.zerotier.com | bash
Join the network and disable managed configuration on this node. The bridge will carry the VM's static IP, so ZeroTier must not push an address or routes onto the ZeroTier interface:
zerotier-cli join ab01cd34xxxxx
zerotier-cli set ab01cd34xxxxx allowManaged=0
Find the interface names:
ip a
Make notes of the following:
Parameter | Value |
---|---|
Ethernet interface | ens18 |
ZeroTier interface | ztwf123abc |
On the ZeroTier portal the VM now appears as a pending member. Select the spanner icon next to it, tick the following, and then authorise it:
- Allow Bridging
- Do Not Auto Assign
Now create the systemd-networkd configuration files. networkd applies .network files in lexical order and the first [Match] that fits an interface wins, which is why the files below share the 25- prefix.
Connect your LAN interface to the bridge - N.B. change the name to match your LAN interface. As a bridge port it gets no IP address of its own.
nano /etc/systemd/network/25-bridge-br0-en.network
[Match]
Name=ens18
[Network]
Bridge=br0
Define the bridge's IP configuration - this replaces the address currently configured on the Ethernet interface.
nano /etc/systemd/network/25-bridge-br0.network
[Match]
Name=br0
[Network]
Address=192.168.1.3/24
Gateway=192.168.1.1
DNS=192.168.1.1
Connect the ZeroTier interface to the bridge - N.B. update the interface name
nano /etc/systemd/network/25-bridge-br0-zt.network
[Match]
Name=ztwf123abc
[Network]
Bridge=br0
Create the bridge device
nano /etc/systemd/network/br0.netdev
[NetDev]
Name=br0
Kind=bridge
Now remove the network configuration defined by netplan, otherwise it will keep configuring the Ethernet interface alongside the new files. Delete the file if you're feeling brave, comment it out, or move it out of the directory; moving it is the easiest to undo, so that is what we do here. N.B. the file name may differ.
mv /etc/netplan/00-installer-config.yaml /root
Verify your new network config:
tail -n+0 /etc/systemd/network/*
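Writing four files by hand is where typos creep in, and a stray Address= left on a bridge port is the classic way to come back from the reboot with no connectivity. The script below is an added example, not part of the original guide: it generates the same four files from a handful of parameters into a directory of your choice and checks the result. Run it against a scratch directory first; point it at /etc/systemd/network as root only once the output matches what is shown above. Interface names and addresses are the page's examples.

```shell
#!/bin/sh
# Added example (not from the original guide): generate and sanity-check the
# systemd-networkd bridge configuration described in the steps above.

# write_bridge_config DIR LAN_IF ZT_IF ADDRESS/PREFIX GATEWAY DNS
write_bridge_config() {
  dir=$1; lan_if=$2; zt_if=$3; address=$4; gateway=$5; dns=$6
  mkdir -p "$dir"
  # The bridge device itself.
  printf '[NetDev]\nName=br0\nKind=bridge\n' > "$dir/br0.netdev"
  # LAN NIC and ZeroTier interface become bridge ports with no address of their own.
  printf '[Match]\nName=%s\n\n[Network]\nBridge=br0\n' "$lan_if" > "$dir/25-bridge-br0-en.network"
  printf '[Match]\nName=%s\n\n[Network]\nBridge=br0\n' "$zt_if" > "$dir/25-bridge-br0-zt.network"
  # The host's IP configuration moves onto br0.
  printf '[Match]\nName=br0\n\n[Network]\nAddress=%s\nGateway=%s\nDNS=%s\n' \
    "$address" "$gateway" "$dns" > "$dir/25-bridge-br0.network"
}

# check_bridge_config DIR: 0 if exactly two .network files enslave an
# interface to br0, br0 is declared as a bridge and has an address, and no
# port file carries an Address= line of its own; 1 otherwise.
check_bridge_config() {
  dir=$1
  ports=$(grep -l '^Bridge=br0$' "$dir"/*.network | wc -l)
  [ "$((ports))" -eq 2 ] || return 1
  grep -q '^Kind=bridge$' "$dir/br0.netdev" || return 1
  grep -q '^Address=' "$dir/25-bridge-br0.network" || return 1
  for f in $(grep -l '^Bridge=br0$' "$dir"/*.network); do
    grep -q '^Address=' "$f" && return 1
  done
  return 0
}

# Demo into a scratch directory with the page's values.
tmp=$(mktemp -d)
write_bridge_config "$tmp" ens18 ztwf123abc 192.168.1.3/24 192.168.1.1 192.168.1.1
if check_bridge_config "$tmp"; then
  echo "generated config in $tmp is consistent:"; tail -n +1 "$tmp"/*
else
  echo "generated config in $tmp failed the checks" >&2
fi
```

To install, call write_bridge_config with /etc/systemd/network as the directory (as root), move the netplan file out of the way as above, and reboot. After the reboot, `networkctl status br0` should show the address on br0 and `bridge link show` should list both the Ethernet and ZeroTier interfaces as ports of br0.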
Now reboot - be prepared to use the hypervisor console if you have misconfigured the network settings, because SSH will not come back on its own.
reboot
Check that the VM has LAN connectivity (it should answer on 192.168.1.3 and be able to reach the gateway). Then join another device to the ZeroTier network from outside the LAN (e.g. a smartphone on mobile data), authorise it in the portal, confirm it receives an address from the 221-240 pool, and verify that it can reach hosts on the LAN over the VPN.
Done!