David Ramsden
4Dec/17

Building a ZeroTier Bridged Network

I was listening to a recent Packet Pushers Priority Queue podcast called Meet ZeroTier – Open Source Networking and decided to give ZeroTier a go, to see if it really worked as described. TL;DR: Yes it really does work as described! If you're unfamiliar with ZeroTier I highly recommend listening to this podcast to understand why, what and how. If you're unsure on the why, what and how, this blog post probably isn't for you (yet!).

One of the obvious issues with ZeroTier is that for devices to talk to each other, they need a ZeroTier client installed. For laptops, mobile devices and even some NAS devices this isn't a problem because clients already exist. But what about using ZeroTier to extend an entire Layer 2 network? This is what the ZeroTier Edge device will do, but it is entirely possible to configure a Linux host as an edge gateway device to do exactly this.

The following notes are based on a Linux host running Debian 8, and some of them will be specific to Debian and its derivatives (e.g. Ubuntu).

If you've not done so already start by installing the Linux ZeroTier client. ZeroTier have also made this stupidly easy to do (ensure you have curl and gpg installed):


Now install the Linux bridge utilities:


Edit the network configuration (/etc/network/interfaces) to bridge the Ethernet adapter and the ZeroTier adapter together, giving the bridge interface (br0) the IP configuration previously held by the Ethernet adapter. For example:

Note: The post-up directive, which enables IP forwarding, is only required if you have other Layer 3 routable networks behind your LAN. If you don't, leave it out.


One gotcha is that the network service will start before the ZeroTier service, meaning that the zt0 interface will not be present when the bridge interface is formed. A quick and dirty way around this is to add an entry to root's crontab (sudo crontab -e, or edit /etc/crontab) to restart networking after a reboot:

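The Debian-side steps above (client install, bridge utilities, the br0 stanza in /etc/network/interfaces and the crontab workaround) gathered into one script. This is an added example, not the post's own configuration: it assumes the adapters are eth0 and zt0, the LAN is 192.168.0.0/24 with gateway 192.168.0.1, the bridge host takes 192.168.0.3, and that the post-up line the post refers to is the sysctl that enables IP forwarding. The installer URL is ZeroTier's public install script, taken from their documentation rather than from the post; the 30-second sleep in the crontab line is an assumed grace period for zerotier-one to create zt0.

```shell
#!/bin/sh
# Added example, not from the original post. Assumed values below; override via environment.
ETH_IF="${ETH_IF:-eth0}"            # physical adapter that becomes a bridge port
ZT_IF="${ZT_IF:-zt0}"               # ZeroTier virtual adapter, also a bridge port
BR_IP="${BR_IP:-192.168.0.3}"       # address the bridge host keeps on br0
BR_MASK="${BR_MASK:-255.255.255.0}"
BR_GW="${BR_GW:-192.168.0.1}"
FORWARD="${FORWARD:-1}"             # 1 = include the post-up that enables IP forwarding

install_packages() {
    # ZeroTier's installer script (needs curl and gpg) plus the bridge utilities (brctl).
    curl -s https://install.zerotier.com | sudo bash
    sudo apt-get install -y bridge-utils
}

render_interfaces() {
    # Emit /etc/network/interfaces: eth0 carries no address of its own, br0 takes it.
    cat <<EOF
auto lo
iface lo inet loopback

auto $ETH_IF
iface $ETH_IF inet manual

auto br0
iface br0 inet static
    address $BR_IP
    netmask $BR_MASK
    gateway $BR_GW
    bridge_ports $ETH_IF $ZT_IF
    bridge_stp off
    bridge_fd 0
EOF
    # Only needed when other routable networks sit behind the LAN (see the note above).
    if [ "$FORWARD" = "1" ]; then
        echo "    post-up sysctl -w net.ipv4.ip_forward=1"
    fi
}

render_crontab_line() {
    # zt0 does not exist yet when networking starts, so re-run it after boot.
    echo "@reboot sleep 30 && /etc/init.d/networking restart"
}

# Sanity check on a rendered config (read from stdin): every setting the bridge relies on is present.
validate_interfaces() {
    cfg="$(cat)"
    for needle in "iface br0 inet static" "bridge_ports $ETH_IF $ZT_IF" "address $BR_IP"; do
        case "$cfg" in
            *"$needle"*) ;;
            *) echo "missing: $needle" >&2; return 1 ;;
        esac
    done
    return 0
}

# Usage (not run automatically, so this file is safe to source):
#   install_packages
#   render_interfaces | validate_interfaces && render_interfaces | sudo tee /etc/network/interfaces
#   (sudo crontab -l 2>/dev/null; render_crontab_line) | sudo crontab -
```

The functions only print; nothing is written to /etc until you pipe the output through tee or crontab yourself, which keeps the validate step in front of the write. Setting FORWARD=0 drops the post-up line for a LAN with no other routable networks behind it.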

Next move on to your ZeroTier network. Log in to ZeroTier Central and, if you've not done so already, create a new network. Your ZeroTier network must use the same Layer 3 addressing as the network you're bridging to. In my example this means the ZeroTier network will use 192.168.0.0/24 because my LAN is 192.168.0.0/24. Add this to the Managed Routes section of your ZeroTier network and enable the Auto-Assign from Range option. Select Advanced and, in the Auto-Assign Pool, set a range of IPs to assign to your ZeroTier clients that is not used on your Layer 2 network, e.g. a range outside your DHCP scope, so that no IP conflicts arise.

Back on the Linux host, use the zerotier-cli command to request that the host join your ZeroTier network:

Note: When the Linux host joins the ZeroTier network it will likely drop off your LAN until all the configuration is completed. Ensure you have console access.


Now edit the /var/lib/zerotier-one/networks.d/<network id>.local.conf file and set allowManaged to 0.

On ZeroTier Central the host should now appear as a Member of your network and will need to be authorised to join it. In addition you'll need to edit the properties of this member and enable Allow Ethernet Bridging and Do Not Auto-Assign IPs. Delete any IPs associated with the member and set a manual IP. This should be the same IP as used on the br0 interface on the Linux host (in my example this would be 192.168.0.3).

Reboot the Linux host. After it has rebooted you should see that br0 is up with the correct IP configured (ifconfig br0) and that the bridge contains your Ethernet adapter (eth0 in this example) and the ZeroTier adapter (zt0). Check using brctl show.

If everything is correct your Linux host will now be acting as an Ethernet (Layer 2) bridge between your LAN and your ZeroTier network. Install tcpdump to see what's happening (e.g. tcpdump -n -i br0 'not host 192.168.0.3') and, from another ZeroTier client on your ZeroTier network, attempt to access a non-ZeroTier client on your LAN (like your toaster, because you know, everything is IoT now).
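The host-side half of the join and verification steps above (joining with zerotier-cli, pinning allowManaged=0 in the per-network local.conf, then checking that br0 really carries eth0 and zt0 with the expected address) as an added example, not the post's own code. It assumes the ZeroTier home directory /var/lib/zerotier-one and the local.conf key=value layout the post describes, a bridge named br0 with ports eth0 and zt0, host IP 192.168.0.3, and that the network id is passed as the first argument when the script is run as root; no real network id appears here. The port check reads the bridge's sysfs brif directory so it works whether or not brctl is installed.

```shell
#!/bin/sh
# Added example, not from the original post. Run as root: sh bridge-join.sh <network id>
ZT_HOME="${ZT_HOME:-/var/lib/zerotier-one}"   # assumed ZeroTier data directory
SYSFS_NET="${SYSFS_NET:-/sys/class/net}"      # overridable so the checks can be tested offline
BR_IP="${BR_IP:-192.168.0.3}"                 # assumed address of br0

# Set key=value in a local.conf without duplicating the key; append it when absent.
set_local_conf_key() {
    conf="$1"; key="$2"; val="$3"
    touch "$conf"
    if grep -q "^${key}=" "$conf"; then
        sed "s/^${key}=.*/${key}=${val}/" "$conf" > "$conf.tmp" && mv "$conf.tmp" "$conf"
    else
        printf '%s=%s\n' "$key" "$val" >> "$conf"
    fi
}

# Read a key back (first match only); prints nothing if the key is absent.
get_local_conf_key() {
    sed -n "s/^$2=//p" "$1" | head -n 1
}

# Join the network and stop the local client applying managed IPs/routes to zt0:
# br0 owns the address, and the member gets its manual IP in ZeroTier Central.
join_and_pin() {
    netid="$1"
    zerotier-cli join "$netid"
    set_local_conf_key "$ZT_HOME/networks.d/$netid.local.conf" allowManaged 0
}

# Succeed only if every named port is enslaved to the bridge.
bridge_has_ports() {
    br="$1"; shift
    for p in "$@"; do
        if [ ! -e "$SYSFS_NET/$br/brif/$p" ]; then
            echo "$p is not a port of $br" >&2
            return 1
        fi
    done
    return 0
}

# Post-reboot check: bridge membership plus the expected address on br0.
verify_bridge() {
    bridge_has_ports br0 eth0 zt0 || return 1
    ip -4 addr show dev br0 | grep -q "inet $BR_IP/" || { echo "br0 lacks $BR_IP" >&2; return 1; }
    echo "br0 is up with $BR_IP and carries eth0 + zt0"
    # To watch traffic crossing the bridge, excluding the host's own:
    #   tcpdump -n -i br0 "not host $BR_IP"
}

if [ $# -ge 1 ]; then
    join_and_pin "$1"
fi
```

After the reboot the post describes, `verify_bridge` is the scripted form of the ifconfig br0 / brctl show check; a missing zt0 port is the symptom of the networking-before-zerotier ordering problem noted earlier.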

If you've got other Layer 3 (routable) networks behind your LAN you can easily make them accessible from your ZeroTier network by adding each network to the Managed Routes section of your ZeroTier network via ZeroTier Central. This requires IP forwarding to be enabled on the Linux bridge, so if you removed the post-up directive mentioned earlier you'll need to add it back in.