Configure older ZeroTier on OpenWrt
Warning: This guide is for ZeroTier version 1.14.0 or earlier. If your ZeroTier version is later than 1.14.0 (for example 1.14.1 and later), see the guide Configure ZeroTier on OpenWrt.
To avoid problems, all ZeroTier configuration is done from the command line; for this you must access your router via SSH.
Log into your router and run opkg update and opkg install zerotier to install ZeroTier as shown below:
root@OpenWrt:~# opkg update
root@OpenWrt:~# opkg install zerotier
Installing zerotier (1.14.0-1) to root...
Installing libstdcpp6 (13.3.0-4) to root...
Installing kmod-tun (6.6.51-1) to root...
Installing ip-tiny (6.9.0-1) to root...
Installing libminiupnpc (2.2.8-1) to root...
Installing libnatpmp1 (20230423-1) to root...
Installing libatomic1 (13.3.0-4) to root...
Configuring kmod-tun.
Configuring libstdcpp6.
Configuring ip-tiny.
Configuring libminiupnpc.
Configuring libnatpmp1.
Configuring libatomic1.
Configuring zerotier.
disabled in /etc/config/zerotier
Note that package versions and dependencies may vary slightly depending on the version of ZeroTier or OpenWrt.
To configure ZeroTier on the router you must first create the network. If you have not done so, consult the Create a network in ZeroTier Central guide. In our example the ZeroTier network identifier is 8ad5123ed69d6f69; this value will be different in your case.
If we look at the configuration of the freshly installed ZeroTier with uci, we will see something like this:
root@OpenWrt:~# uci show zerotier
zerotier.sample_config=zerotier
zerotier.sample_config.enabled='0'
zerotier.sample_config.join='8056c2e21c000001'
Or if you read the config file:
root@OpenWrt:~# cat /etc/config/zerotier
config zerotier sample_config
option enabled 0
# persistent configuration folder (for ZT controller mode)
#option config_path '/etc/zerotier'
#option port '9993'
# Generate secret on first start
option secret ''
# Join a public network called Earth
list join '8056c2e21c000001'
#list join '<other_network>'
This is only a sample config that shows you all the options you can configure. To join your network, create a new, simple configuration:
uci set zerotier.openwrt_network=zerotier
uci add_list zerotier.openwrt_network.join='8ad5123ed69d6f69'
uci set zerotier.openwrt_network.enabled='1'
uci commit zerotier
If we now check the configuration, we should see something similar to the following in the file /etc/config/zerotier:
root@OpenWrt:~# cat /etc/config/zerotier
config zerotier 'sample_config'
option enabled '0'
list join '8056c2e21c000001'
config zerotier 'openwrt_network'
list join '8ad5123ed69d6f69'
option enabled '1'
As you can see, sample_config is not enabled while openwrt_network is enabled.
If it looks similar on your end, reboot your router. (Yes, you must actually reboot your router here)
root@OpenWrt:~# reboot
Tip about networks
The zerotier.openwrt_network.join config variable is a so-called list. You can add more networks with the following commands:
uci add_list zerotier.openwrt_network.join='<network id to add to join list>'
uci commit zerotier
If you want to remove a network ID from the list use the following commands:
uci del_list zerotier.openwrt_network.join='<network id to remove from join list>'
uci commit zerotier
After the reboot, log in again using SSH and verify that the ztXXXXXXXX interface is up and running. The XXXXXXXX part is derived from the network ID:
root@OpenWrt:~# ip a
... (several networks)
7: ztXXXXXXXX: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 2800 qdisc fq_codel state UNKNOWN group default qlen 1000
link/ether 02:86:64:98:4b:6d brd ff:ff:ff:ff:ff:ff
inet6 fe80::86:64ff:fe98:4b6d/64 scope link proto kernel_ll
valid_lft forever preferred_lft forever
Your ZeroTier client should be in the ONLINE state:
root@OpenWrt:~# zerotier-cli info
200 info 866484a9af 1.14.0 ONLINE
If we now take a look at our config, it must contain a new option called secret:
root@OpenWrt:~# uci show zerotier
zerotier.sample_config=zerotier
zerotier.sample_config.enabled='0'
zerotier.sample_config.join='8056c2e21c000001'
zerotier.openwrt_network=zerotier
zerotier.openwrt_network.join='8ad5123ed69d6f69'
zerotier.openwrt_network.enabled='1'
zerotier.openwrt_network.secret='6b3a5d8678:0:...'
The zerotier.global.secret option is the content of /var/lib/zerotier-one/identity.secret. If for some reason you do not have this secret in the configuration, you can add it with the following command:
uci set zerotier.openwrt_network.secret="$(cat /var/lib/zerotier-one/identity.secret)"
uci commit zerotier
After some time, your OpenWrt router should appear in your controller (my.zerotier.com or your self-hosted one).
Make sure you authorize the client so it can pick up an IP from your network. Because we later want to route all traffic of all members of our ZeroTier network into our LAN, we make sure that the ZeroTier IP address of our OpenWrt router is fixed to 172.28.28.1 by setting it manually in the ZeroTier controller (e.g. my.zerotier.com). Also make sure that you have checked the Allow Ethernet Bridging option.
Warning: If you change any network settings for the ZeroTier client running on your OpenWrt router you should reboot the router because it will sometimes not pick up the changed configuration.
After authorization of the OpenWrt router as a ZeroTier client, the router should pick up the configuration of your network (e.g. its IP address) on its ztXXXXXXXX interface:
root@OpenWrt:~# ip a
... (several networks)
7: ztXXXXXXXX: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 2800 qdisc fq_codel state UNKNOWN group default qlen 1000
link/ether 02:86:64:98:4b:6d brd ff:ff:ff:ff:ff:ff
inet 172.28.28.1/24 brd 172.28.28.255 scope global ztXXXXXXXX
valid_lft forever preferred_lft forever
inet6 fe80::86:64ff:fe98:4b6d/64 scope link proto kernel_ll
valid_lft forever preferred_lft forever
You need to configure your firewall to permit incoming UDP connections to port 9993 (the ZeroTier port) to get better performance.
Just execute the following commands:
uci add firewall rule
uci set firewall.@rule[-1].name='Allow-ZeroTier-Inbound'
uci set firewall.@rule[-1].src='*'
uci set firewall.@rule[-1].target='ACCEPT'
uci set firewall.@rule[-1].proto='udp'
uci set firewall.@rule[-1].dest_port='9993'
uci commit firewall
And restart the firewall to apply the changes:
/etc/init.d/firewall restart
This should create an entry similar to this in /etc/config/firewall (src '*' means the rule applies to traffic from any zone, WAN included):
config rule
option enabled '1'
option target 'ACCEPT'
option proto 'udp'
option dest_port '9993'
option name 'Allow-ZeroTier-Inbound'
option src '*'
Note: The option enabled '1' is optional.
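Before rebooting (and after adding or removing networks from the join list, or adding the firewall rule), it is worth checking the uci state you just built rather than eyeballing it. The following POSIX sh script is an added example, not part of this wiki page or of the OpenWrt/ZeroTier projects: it parses a zerotier UCI file and reports which network IDs are joined by enabled sections, validates each ID as 16 hex digits, confirms the expected network is among them, checks that the firewall file carries an enabled UDP/9993 ACCEPT rule, and extracts the state word from a zerotier-cli info line. The sample files are constructed inline from the outputs shown above so it runs offline; on the router you would point the functions at /etc/config/zerotier and /etc/config/firewall. The minimal UCI parser assumes one option or list per line and values without spaces, and treats a section without an option enabled as disabled (an assumption of this example).

```shell
#!/bin/sh
# Added example, not from the OpenWrt wiki or ZeroTier: offline sanity checks for the
# uci state described in the guide. Sample files below are CONSTRUCTED from the
# guide's outputs. Assumptions: one option/list per line, values without spaces,
# and a zerotier section with no "option enabled" counts as disabled.

# 0 if $1 is a well-formed ZeroTier network ID (exactly 16 hex digits), else 1.
is_network_id() {
    printf '%s' "$1" | grep -Eq '^[0-9a-fA-F]{16}$'
}

# Print, sorted one per line, every "list join" value that belongs to an enabled
# section of the zerotier UCI file $1. Comment lines are ignored; quotes stripped.
enabled_joins() {
    awk -v q="'" '
        function unq(s) { gsub("^" q "|" q "$", "", s); return s }
        /^[ \t]*#/ { next }
        $1 == "config" { sect = unq($3); enabled[sect] = 0; next }
        $1 == "option" && $2 == "enabled" { enabled[sect] = (unq($3) == "1"); next }
        $1 == "list" && $2 == "join" { joins[sect] = joins[sect] " " unq($3); next }
        END { for (s in enabled) if (enabled[s]) {
                  n = split(joins[s], a, " "); for (i = 1; i <= n; i++) print a[i] } }
    ' "$1" | sort
}

# 0 if the firewall UCI file $1 has an enabled "config rule" accepting UDP to
# dest_port 9993, else 1. A rule without "option enabled" counts as enabled.
has_zerotier_rule() {
    awk -v q="'" '
        function unq(s) { gsub("^" q "|" q "$", "", s); return s }
        function flush() { if (type == "rule" && en != "0" && proto == "udp" && port == "9993" && target == "ACCEPT") found = 1 }
        /^[ \t]*#/ { next }
        $1 == "config" { flush(); type = $2; en = "1"; proto = ""; port = ""; target = ""; next }
        $1 == "option" { v = unq($3); if ($2 == "enabled") en = v; else if ($2 == "proto") proto = v; else if ($2 == "dest_port") port = v; else if ($2 == "target") target = v; next }
        END { flush(); exit found ? 0 : 1 }
    ' "$1"
}

# Extract the state word ("ONLINE", "OFFLINE", ...) from a "zerotier-cli info" line.
node_state() {
    printf '%s\n' "$1" | awk '$1 == "200" && $2 == "info" { print $5 }'
}

# Pre-reboot check: every enabled join in file $1 must be a well-formed ID and the
# expected network $2 must be joined by an enabled section. Returns 0 only if all pass.
check_zerotier_config() {
    zt_file=$1; zt_want=$2; zt_rc=0; zt_hit=0
    is_network_id "$zt_want" || { echo "bad expected network id: $zt_want"; return 1; }
    for id in $(enabled_joins "$zt_file"); do
        if is_network_id "$id"; then echo "enabled join: $id"
        else echo "malformed network id in config: $id"; zt_rc=1; fi
        [ "$id" = "$zt_want" ] && zt_hit=1
    done
    [ "$zt_hit" = 1 ] || { echo "expected network $zt_want is not joined by any enabled section"; zt_rc=1; }
    return $zt_rc
}

# --- constructed sample files (mirroring the guide's outputs) -------------------
tmpd=$(mktemp -d); trap 'rm -rf "$tmpd"' EXIT
ZT_GOOD=$tmpd/zerotier.good; ZT_BAD=$tmpd/zerotier.bad
FW_GOOD=$tmpd/firewall.good; FW_DISABLED=$tmpd/firewall.disabled
cat > "$ZT_GOOD" <<'EOF'
config zerotier 'sample_config'
	option enabled '0'
	list join '8056c2e21c000001'
config zerotier 'openwrt_network'
	list join '8ad5123ed69d6f69'
	option enabled '1'
	option secret 'PLACEHOLDER-identity-secret'
EOF
# Same file, but the network ID was mistyped with one hex digit missing.
sed "s/8ad5123ed69d6f69/8ad5123ed69d6f6/" "$ZT_GOOD" > "$ZT_BAD"
cat > "$FW_GOOD" <<'EOF'
config rule
	option enabled '1'
	option target 'ACCEPT'
	option proto 'udp'
	option dest_port '9993'
	option name 'Allow-ZeroTier-Inbound'
	option src '*'
EOF
sed "s/option enabled '1'/option enabled '0'/" "$FW_GOOD" > "$FW_DISABLED"

echo "== good config =="; check_zerotier_config "$ZT_GOOD" 8ad5123ed69d6f69 || echo "CHECK FAILED"
echo "== mistyped network id =="; check_zerotier_config "$ZT_BAD" 8ad5123ed69d6f69 || echo "CHECK FAILED"
has_zerotier_rule "$FW_GOOD" && echo "firewall: enabled UDP 9993 rule present"
has_zerotier_rule "$FW_DISABLED" || echo "firewall: no enabled UDP 9993 rule"
echo "node state: $(node_state '200 info 866484a9af 1.14.0 ONLINE')"
```

On a router the useful calls are check_zerotier_config /etc/config/zerotier <your network id> before the reboot, has_zerotier_rule /etc/config/firewall after committing the firewall rule, and node_state "$(zerotier-cli info)" afterwards; a mistyped ID in the join list is otherwise only noticed when the zt interface never gets an address.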
At this point the ZeroTier network is configured and you should be able to communicate from your router to any host on the network and vice versa. If you also want any host in your local network to be able to communicate with any host in your ZeroTier network take a look at the Configure ZeroTier routing in OpenWrt guide.
It is now a good time to back up the configuration of your OpenWrt router.