Add iptable rules to create route between ZeroTier and private physical network.

Thanks for the ZeroTier to create route between zerotier and private network. This is a modified page of https://zerotier.atlassian.net/wiki/spaces/SD/pages/224395274/Route+between+ZeroTier+and+Physical+Networks which has a small error in their iptable rules.

This seems to be the simplest pattern for getting remote access to your LAN. It doesn’t require access to the LAN’s router or have some of the pitfalls of bridging. This requires a Linux PC or VM, something that runs iptables, on your LAN. A raspberrypi works. This is a NAT/Masquerade setup.

Possible Disadvantages:

No broadcast/multicast across networks (but the mobile OS’s don’t allow this anyways).
Can’t initiate connections from the LAN to an external ZeroTier client.

Summary

Install ZeroTier
Add a managed route to the ZeroTier network (at my.zerotier.com)
Enable IP Forwarding
Configure iptables

Install ZeroTier

https://www.zerotier.com/download/

sudo zerotier-cli join $NETWORK_ID 
sudo zerotier-cli listnetworks

Authorize it at my.zerotier.com/network/$NETWORK_ID

Configure the ZeroTier managed route

At my.zerotier.com/network/$NETWORK_ID -> Settings -> Managed Routes

This adds another route to every device joined to the ZeroTier network.

Destination	(Via)
$PHY_SUB	$ZT_ADDR

For example:

Destination	(Via)
192.168.0.0/23	192.168.192.36

Configure the destination route as slightly larger than the actual physical subnet, here /23 instead of /24 (a smaller number is a bigger subnet in this notation) This makes devices that are on both the physical and the ZeroTier network prefer the physical connection.

Enable IP forwarding

This can vary depending on linux distribution. Typically:

Edit /etc/sysctl.conf to uncomment net.ipv4.ip_forward. This enables forwarding at boot. And then, configuring the iptables, and save the rules for the next boot.

First, change to the root account of the system.

su root

and input the password.

Then, create a shell file to execute the magnifications.

touch iptables.sh

Paste the following content to the iptables.sh file.

iptables -F
sysctl -w net.ipv4.ip_forward=1
PHY_IFACE=enp5s0; ZT_IFACE=ztbpanwl6z
iptables -t nat -A POSTROUTING -o $PHY_IFACE -j MASQUERADE
iptables -A FORWARD -i $PHY_IFACE -o $ZT_IFACE -m state --state RELATED,ESTABLISHED -j ACCEPT
iptables -A FORWARD -i $ZT_IFACE -o $PHY_IFACE -j ACCEPT
apt install iptables-persistent
bash -c iptables-save > /etc/iptables/rules.v4

where ZT_IFACE and PHY_IFACE can be found by ifconfig, in this case, they are enp5s0 and ztbpanwl6z respectively.

After that, process the iptables.sh

bash iptables.sh

Test!

Turn off wifi on your phone
Join it to the zerotier network, authorize it
Try to access something on the physical LAN
If not work, you may need to restart your system or network.

PREVIOUSRemove the committed files in the gitignore

NEXTAdd internal mirrors for conda, pip, brew, ubuntu, and transfer python env.