Setup a VPN using Zerotier and a Raspberry Pi


Posted on 2020-05-16

764 words



This post aims to document a project that I setup and use every day. It is primarily to help me in the future when I want to set it up again! I hope you find it useful for your own projects.

I run a Pihole ad blocker on my home network, and it is great. It blocks a ton of crap at the network level including ads, telemetry and other nasties. It stops working when I leave home which isn’t great. I used to run an OpenVPN server which was fine but I don’t have a static IP. This meant it regularly broke for my wife so I had to find a new solution…

I found a P2P VPN application called Zerotier that creates a secure, encrypted virtual LAN (local area network) over the internet. **This means I can connect to my ZeroTier network via the iOS / Android / Windows / iOS apps and effectively be on my home network, therefore the PiHole is available to all my devices as long as they’re connected to ZeroTier.

With a bit of routing magic via iptables on the Pi I can direct all my traffic via ZeroTier and out to the internet via my home connection.

To get started, install ZeroTier on the computer you’re going to leave on at home all the time. My Pihole was already running on a Pi3, so I used that. Follow their instructions to create your network - Make sure your ZeroTier network used a range that won’t clash with your existing networks. Once you have basic connectivity working, we can move on to routing packets.

You’ll need to add some routes to your ZeroTier network on my.zerotier.com.

/images/zt-managed-routes.png

0.0.0.0/0 is the default route to the internet, and should point to the ZeroTier IP address belonging to your Pi.

192.168.1.0/24 is the IP range of my home network, and should point to the ZeroTier IP address belong to the Pi.

168.168.8.0/24 is the IP range of my travel router (more on that in another post); this route points to the ZeroTier IP address belonging to the router. I have similar forwarding rules setup on this router, which means anything I connect to it such my Nintendo Switch, or Chromecast are automatically tunneled home via Zerotier. I tested this with Netflix and All4 and both worked perfectly when I was working in France earlier in the year

At this point, you should be able to connect to ZeroTier over mobile data and connect to IP addresses in your local network. Try your router’s admin interface!

Once the routes are setup, it is time to fiddle with iptables. Honestly, it’s best to this connected to the Pi via a serial shell, or just hook up a keyboard/mouse and a screen. You’re gonna mess this up at least once and break connectivity ;)

Begin by enabling IP forwarding on the Pi:

sudo sysctl -w net.ipv4.ip_forward=1

Next, create the forwarding rules on the Pi; These enable forwarding between eth0 on the Pi (you are using ethernet and not wifi, right?) and the Zerotier interface.

Replace ZT_INTERFACE with the local ZeroTier interface name - you can get this from ifconfig. In my case, the interface is called ztrtastctq.

sudo iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
sudo iptables -A FORWARD -i eth0 -o ZT_INTERFACE -m state --state RELATED,ESTABLISHED -j ACCEPT
sudo iptables -A FORWARD -i ZT_INTERFACE -o eth0 -j ACCEPT

Once this is done, you should be able to test again. Your traffic should be reaching the interface via your home connection, so connect via mobile data and see what your IP address is.

If this is working, it’s time to save the iptables rules so they persist over the next reboot. To do this, run the following commands:

sudo apt install iptables-persistent
sudo iptables-save > /etc/iptables/rules.v4

To forward your traffic over ZeroTier you need to make sure that “Allow Global” is ticked in your ZeroTier client. This will let your traffic flow!

Allow Detault Option

You could also set your primary DNS to be the ZeroTier address of the Pihole so that your DNS queries are funneled via ZeroTier without the rest of your traffic, this can be useful when using less hostile networks that you still want adblocking enabled.


Start a discussion on Twitter!