
Unleashing Zerotier for homelab

Background

For many tech enthusiasts, the journey of building a homelab often begins with the desire to self-host services. This typically means running your own applications and servers at home, gaining full control over your data, and learning valuable networking and system administration skills. However, the path from a private homelab to a publicly accessible, yet secure, collection of services is a winding one, often involving an evolution of approaches to connectivity and security.

The Genesis: Local Homelab Services

Initially, my self-hosted services like a personal media server (e.g., Plex, Jellyfin), a file sync solution (e.g., Nextcloud), or a home automation hub (e.g., Home Assistant) are confined to the local area network (LAN). Access is straightforward: any device connected to my home Wi-Fi or wired network can reach these services directly via my internal IP addresses. This provides a safe sandbox for experimentation and learning without the complexities or security risks of public exposure.

The Leap: Exposing to the Public-Facing Internet

The next natural step is often the desire to access these services from anywhere – whether on the go, from a friend's house, or while traveling. This necessitates exposing my homelab to the public-facing internet. The simplest, though often least secure, method is port forwarding on my home router. This involves configuring my router to direct specific incoming traffic from the internet to a particular device and port within my DMZ network. While seemingly convenient, this approach significantly increases the attack surface, making my homelab vulnerable to various threats if not meticulously secured.

To mitigate these risks, several more robust solutions come into play, primarily revolving around Virtual Private Networks (VPNs) and overlay networks.

Traditional VPNs: IPsec and SSL VPNs

Historically, two common VPN protocols for remote access to private networks are IPsec and SSL VPNs (often leveraging OpenVPN).

  • IPsec (Internet Protocol Security): IPsec is a suite of protocols that provides cryptographic security for IP communications. It can be used for site-to-site VPNs (connecting two networks) or remote access VPNs (connecting individual users to a network). IPsec offers strong encryption and authentication, but its configuration can be complex, often requiring specific client software and detailed firewall rules.

  • SSL VPN (Secure Sockets Layer VPN): SSL VPNs, prominently exemplified by OpenVPN, utilize the SSL/TLS protocol for secure communication. They are generally easier to set up and manage than IPsec, often relying on a single port (typically TCP 443, the same as HTTPS), which makes them effective at traversing firewalls. OpenVPN clients are widely available across various platforms, making it a popular choice for remote access to homelabs.

Both IPsec and SSL VPNs create a secure tunnel between my remote devices and my homelab, effectively making my remote devices appear as if they were directly on my home network. This allows me to access all my internal services securely.

The Rise of Modern VPNs: WireGuard

WireGuard emerged as a game-changer in the VPN landscape. Designed for simplicity, speed, and modern cryptography, WireGuard boasts a significantly smaller codebase compared to OpenVPN, making it easier to audit and generally faster. Its "cryptokey routing" approach simplifies configuration, and it often provides better performance and lower latency. For homelab users, WireGuard quickly became a preferred choice for its ease of deployment and efficiency in creating secure tunnels for remote access.

A common hurdle for self-hosters is Carrier-Grade NAT (CGNAT). Many Internet Service Providers (ISPs) implement CGNAT to conserve IPv4 addresses, sharing a single public IP address among multiple customers. This "double NAT" scenario prevents direct incoming connections to my home network, effectively blocking traditional port forwarding and making direct VPN connections difficult or impossible without additional workarounds.

The Overlay Network Evolution: Tailscale and ZeroTier

To address the complexities of CGNAT and simplify secure remote access, overlay networks like Tailscale and ZeroTier have become incredibly popular. These services build a virtual network on top of the existing internet infrastructure, allowing devices to communicate directly and securely regardless of their physical location or underlying network topology (including CGNAT).

  • Tailscale: Built on WireGuard, Tailscale simplifies the creation of a secure mesh network. It handles NAT traversal, key exchange, and IP address management automatically, often allowing direct peer-to-peer connections even behind multiple NAT layers. If direct connections aren't possible (e.g., due to strict firewalls or symmetric NAT), Tailscale intelligently routes traffic through its global network of relay servers (DERP servers), ensuring connectivity. Users authenticate with their identity provider (e.g., Google, GitHub), making user management incredibly easy.

  • ZeroTier: Similar to Tailscale, ZeroTier creates a virtual Ethernet switch that spans across any physical network boundaries. It operates on a "de-perimeterisation" principle, where every authorised device can communicate directly and securely with any other device on the ZeroTier network. ZeroTier also excels at NAT traversal, and if direct connections fail, it utilizes its own root servers to relay traffic. It offers a high degree of control over network configuration and can be used to build complex, distributed networks.

My Remote Access Journey Continues

The progression from simply self-hosting locally to leveraging advanced overlay networks like Tailscale and ZeroTier reflects a continuous effort to make homelab services accessible and secure in an increasingly complex internet landscape. Each step in this evolution - from port forwarding to IPsec, SSL VPNs, WireGuard, and finally, these modern mesh VPN solutions - offers different trade-offs in terms of complexity, performance, and security. For a homelab enthusiast like me, understanding these options is key to building a robust, flexible, and secure personal infrastructure that truly puts me in control of my digital life.

My self-hosting journey, like many others, has been a continuous adaptation to the ever-changing landscape of home internet connectivity. For a long time, I enjoyed the simplicity and power of a static public IP, allowing me to easily host VPN servers directly within my homelab. This setup provided seamless remote access to all my services – from media servers to other useful self-hosted services – with full control and excellent performance.

However, that changed when my ISP, without warning, revoked my static public IP and placed me behind Carrier-Grade NAT (CGNAT). This was a significant blow, as it meant I could no longer receive direct incoming connections from the internet. My carefully crafted VPN server, which relied on direct inbound traffic, was rendered useless for remote access.

It was then that I discovered Tailscale, and honestly, it felt like magic. Tailscale, with its foundation in WireGuard and its intelligent NAT traversal capabilities, effortlessly created a secure mesh network among my devices, regardless of the CGNAT. I could access my homelab from anywhere, and it felt like my devices were all on the same local network. The setup was incredibly simple, the performance was fantastic, and the "MagicDNS" feature made accessing services by name a breeze. I became a huge advocate, singing its praises to anyone grappling with CGNAT.

But the world of ISPs and network policies is a fickle one. Just last week, I hit another frustrating roadblock. My ISP, in what I can only assume is an attempt to further restrict non-standard internet usage or perhaps due to misconfigurations, started actively blocking *.tailscale subdomains. This meant that my devices could no longer initiate connections or authenticate against the Tailscale control plane. The seamless connectivity I had come to rely on was suddenly interrupted, leaving me disconnected from my homelab. It was a stark reminder of the inherent vulnerability of relying on a third-party service, especially when your ISP decides to interfere.

The frustration was palpable. Having already moved past the direct VPN server phase due to CGNAT, and now facing a new barrier with Tailscale, I was compelled to explore yet another alternative. This led me to ZeroTier.

Switching to ZeroTier has been a revelation, providing a much-needed lifeline for my remote access needs. While it operates on a slightly different principle (creating a virtual Ethernet switch across devices rather than a pure Layer 3 mesh like Tailscale), it has proven equally effective at bypassing CGNAT and establishing secure connections. The setup process was different, requiring me to join my devices to a ZeroTier network ID and authorise them, but it was straightforward enough.

What I particularly appreciate about ZeroTier in this context is its decentralised nature and the flexibility it offers. It doesn't rely on a central domain for its core functionality in the same way Tailscale does for its control plane. This seems to have made it more resilient to the kind of targeted domain blocking I experienced with Tailscale. My homelab is once again accessible remotely, and the peace of mind that comes with reliable connectivity is invaluable.

The journey from a locally hosted lab to navigating the complexities of public internet exposure, CGNAT, and now ISP-level blocking, truly highlights the dynamic nature of self-hosting. Each obstacle has pushed me to learn new technologies and adapt my approach, ultimately making my homelab setup more resilient and versatile. For now, ZeroTier has become my trusted companion in this ongoing quest for seamless and secure remote access until the next unforeseeable roadblock ahead of me.

Steps

Setting up a ZeroTier network is a straightforward process, but it does involve a few key steps:

  • creating your network on the ZeroTier Central website,

  • installing the ZeroTier client on your devices,

  • joining and authorising those devices to your network.

Here's a step-by-step guide to get your ZeroTier network up and running:

Step 1: Create Your ZeroTier Network

  • Go to ZeroTier Central: Open the web browser and navigate to my.zerotier.com.

  • Sign Up or Log In: If you don't have an account, you'll need to sign up. You can use an email address or a social login like Google or GitHub. If you already have an account, simply log in.

  • Create a New Network: Once logged in, you'll see your networks dashboard. Click the "Create a Network" button.

  • Note the Network ID: A new network will be created, and you'll immediately see a 16-digit Network ID. This ID is crucial – it's how your devices will identify and connect to your specific virtual network. Copy this ID and keep it handy.

Step 2: Configure Your Network Settings

Click on the newly created network to configure its settings. Here are some important options you might want to adjust:

  • Network Name & Description: Give your network a meaningful name (e.g., "My Homelab Network," "Family Access") and an optional description for easy identification.

  • Access Control:

    • Private (Recommended): By default, new networks are "Private." This means that any device attempting to join your network will require explicit authorisation from you via the ZeroTier Central interface. This is the most secure option.

    • Public: If you set it to "Public," any device with your Network ID can join without authorisation. This is generally not recommended for homelabs due to security risks.

  • IPv4 Auto-Assign:

    • Enable "Auto-Assign from Range": This is highly recommended. ZeroTier will automatically assign IP addresses to devices joining your network from a specified private range (e.g., 10.147.17.0/24). You can choose from pre-defined ranges or define your own. This simplifies IP management significantly.

    • Disable if you prefer manual IP assignment: If you have specific needs for manual IP addressing, you can disable auto-assignment, but this adds complexity.

  • Managed Routes (Advanced):

    • This is where you tell ZeroTier how to reach devices that are not directly on the ZeroTier network but are accessible through a ZeroTier member. For example, if you have a ZeroTier member in your homelab that also acts as a gateway to your local LAN (e.g., 192.168.1.0/24), you would add a managed route here:

      • Destination: 192.168.1.0/24 (or your actual LAN subnet)

      • Via: The ZeroTier IP address of your homelab gateway device.

    • This allows remote ZeroTier members to access your non-ZeroTier LAN devices.

Step 3: Install ZeroTier Client on Your Devices

You need to install the ZeroTier client software on every device you want to connect to your ZeroTier network.

  • Windows:

    • Download the installer from www.zerotier.com/download.

    • Run the installer and follow the prompts.

    • After installation, find the ZeroTier icon in your system tray (bottom-right). Right-click it to access options.

  • macOS:

    • Download the .pkg installer from www.zerotier.com/download.

    • Run the installer and follow the prompts.

    • The ZeroTier app will appear in your menu bar (top-right). Click it to access options.

  • Linux (Debian/Ubuntu/CentOS/Fedora/RHEL):

    • Open a terminal.

    • Run the ZeroTier installation script (recommended for easy setup):

    curl -s 'https://install.zerotier.com/' | sudo bash
    • Once installed, you'll use the zerotier-cli command-line tool.

  • Android/iOS:

    • Download the ZeroTier app from the Google Play Store or Apple App Store.

    • Open the app to add and manage networks.

  • MikroTik RouterOS 7 (ARM/ARM64 platform only):

    • Check RouterOS Version and Architecture: Before you start, verify your MikroTik router's RouterOS version and architecture. You can do this via WinBox or the command line.

      • WinBox: Go to System > Resources.

      • CLI:

      /system resource print
      /system package print
    • Ensure your RouterOS version is 7.x and the architecture is arm or arm64.

    • Go to the official MikroTik Downloads page: https://mikrotik.com/download

    • Find the RouterOS v7.x downloads for your specific router model's architecture (ARM).

    • Look for the "Extra packages" section. Download the ZIP archive that matches your RouterOS version.

    • Extract the downloaded ZIP file. Inside, you'll find various .npk packages. Locate the zerotier-*.npk file (e.g., zerotier-arm-7.XX.npk).

    • Upload the .npk file to the router:

      • Using WinBox: Drag and drop the zerotier-*.npk file directly into the "Files" section of WinBox (Files).

      • Using SCP/SFTP: Use a client like WinSCP or scp from your terminal to upload the .npk file to the root directory of your MikroTik router.

    • Reboot Your MikroTik Router: After uploading the package, your MikroTik router needs to be rebooted for the new package to be installed.

      • WinBox: Go to System > Reboot.

      • CLI:

      /system reboot
    • Wait for the router to restart. Once it's back online, you should see "ZeroTier" as a new menu item in WinBox or zerotier commands available in the CLI.

  • NAS (Synology, QNAP, etc.): Check your NAS manufacturer's app store or community packages. Many NAS devices have official or unofficial ZeroTier packages available.

  • Other Platforms (FreeBSD, OpenWrt, Docker, etc.): Refer to the ZeroTier download page or documentation for specific installation instructions.

Step 4: Join Devices to Your ZeroTier Network

Once the client is installed on a device, you need to tell it to join your network using the Network ID you copied earlier.

  • Windows/macOS:

    • Right-click the ZeroTier icon (system tray/menu bar).

    • Select "Join Network..."

    • Enter your 16-digit Network ID and click "Join."

  • Linux:

    • Open a terminal.

    • Run the command:

    sudo zerotier-cli join <Your_16_Digit_Network_ID>
    • You should see output similar to 200 join OK.

  • Android/iOS:

    • Open the ZeroTier app.

    • Tap the "+" icon to add a new network.

    • Enter your 16-digit Network ID and toggle the network "On."

  • MikroTik RouterOS 7 (ARM/ARM64 platform only):

    • MikroTik's ZeroTier implementation ships with a default instance (named zt1) that is disabled until you enable it.

      • WinBox: Go to ZeroTier > Instances. Select the default instance (zt1) and click "Enable".

      • CLI:

      /zerotier enable zt1
    • Join Your ZeroTier Network from MikroTik: Now, tell your MikroTik router to join the ZeroTier network you created.

      • WinBox: Go to ZeroTier > Interfaces. Click the blue + button to add a new interface.

        • For Network ID, paste your 16-digit ZeroTier Network ID.

        • You can give it a Name (e.g., zerotier1).

        • Click "OK".

      • CLI:

      /zerotier interface add instance=zt1 network=<YOUR_16_DIGIT_NETWORK_ID> name=zerotier1

      Replace <YOUR_16_DIGIT_NETWORK_ID> with your actual Network ID.

Step 5: Authorise Devices on ZeroTier Central

This step is only necessary if your network's Access Control is set to "Private" (which it should be for security).

  • Go back to ZeroTier Central: Refresh the page for your network.

  • Locate Members Section: Scroll down to the "Members" section.

  • Authorise Devices: You will see a list of devices that have attempted to join your network. Each device will have a unique "Managed IP" (its ZeroTier IP) and a "Physical IP" (its public IP at the time it connected).

    • Crucially, there will be a checkbox under the "Auth" column. Check this box for each device you want to allow onto your network.

    • You can also give each device a "Name" and "Description" here for easier identification (e.g., "Main PC," "Homelab Server," "Phone").

Step 6: Configure IP Forwarding and iptables rules

Ubuntu/Debian Linux

Since I mostly use Ubuntu/Debian-like Linux distributions, here is how we can configure a ZeroTier client as an exit node that routes traffic for both LAN access and the Internet.

  • Open the sysctl configuration file:

    sudo vi /etc/sysctl.conf
  • Uncomment the forwarding line: Find the line #net.ipv4.ip_forward=1 and remove the # symbol at the beginning, so it reads:

     net.ipv4.ip_forward=1
  • Save and close the file

  • Apply the change immediately: sudo sysctl -p. This command will load the new sysctl settings without requiring a reboot.

Now, we'll set up firewall rules (iptables) on the client to handle Network Address Translation (NAT) and allow traffic to flow between your ZeroTier network and the public internet.

  • Identify your network interfaces: Replace YOUR_PHYSICAL_INTERFACE and YOUR_ZEROTIER_INTERFACE with the actual names of your Ubuntu/Debian client's physical internet-facing interface (e.g., eth0, enpXsX) and its ZeroTier interface (which usually starts with zt). You can find these by running ip a.

    PHY_IFACE=YOUR_PHYSICAL_INTERFACE
    ZT_IFACE=YOUR_ZEROTIER_INTERFACE

    Example:

    PHY_IFACE=eth0
    ZT_IFACE=ztabcdefghijklmnop # Replace with your actual ZeroTier interface name
  • Add iptables rules: These commands will configure NAT (Masquerading) so that traffic leaving your Ubuntu/Debian client for the internet appears to come from your client's public IP, and they'll allow traffic to be forwarded.

    sudo iptables -t nat -A POSTROUTING -o $PHY_IFACE -j MASQUERADE
    sudo iptables -A FORWARD -i $ZT_IFACE -o $PHY_IFACE -j ACCEPT
    sudo iptables -A FORWARD -i $PHY_IFACE -o $ZT_IFACE -m state --state RELATED,ESTABLISHED -j ACCEPT
  • Make iptables rules persistent: By default, iptables rules are reset on reboot. Install iptables-persistent to save them.

    sudo apt install iptables-persistent

    During installation, you'll be prompted to save the current IPv4 and IPv6 rules. Select "Yes" for both to ensure your new rules are saved. If you're not prompted, or if you make changes later, you can manually save them:

    sudo sh -c 'iptables-save > /etc/iptables/rules.v4'
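As an added example (not code from the original post), the following script automates the Ubuntu/Debian exit-node steps above: it looks up the ZeroTier interface from `zerotier-cli listnetworks` instead of relying on a hand-typed name, enables forwarding, adds the same three iptables rules without stacking duplicates on re-runs, and saves them for iptables-persistent. The script name zt-exit-node.sh and the interface and network ID values in the comments are assumptions.

```shell
#!/bin/sh
# Added example, not from the original post: turn an Ubuntu/Debian ZeroTier member into an
# exit node as Step 6 describes, but idempotently, and with the ZeroTier interface looked
# up from `zerotier-cli listnetworks` instead of typed by hand.
# Assumptions: zerotier-one, iptables and iptables-persistent are installed; apply as root.
set -eu

# Return the Linux ZeroTier interface (names start with "zt") that carries network $1.
# The listnetworks text is passed in as $2 so the parser can be exercised offline.
zt_iface_for_network() {
  printf '%s\n' "$2" | awk -v id="$1" '
    $1 == "200" && $3 == id {
      for (i = 4; i <= NF; i++) if ($i ~ /^zt/) { print $i; exit }
    }'
}

# Emit the three rule specs from the post for a physical ($1) / ZeroTier ($2) interface pair.
# The RELATED,ESTABLISHED rule only admits replies to flows a ZeroTier member opened,
# so nothing on the internet side can start a new connection into the overlay.
render_rules() {
  printf '%s\n' "-t nat -A POSTROUTING -o $1 -j MASQUERADE"
  printf '%s\n' "-A FORWARD -i $2 -o $1 -j ACCEPT"
  printf '%s\n' "-A FORWARD -i $1 -o $2 -m state --state RELATED,ESTABLISHED -j ACCEPT"
}

# Append a rule only when `iptables -C` reports it absent, so re-runs never stack duplicates.
ensure_rule() {
  check=$(printf '%s' "$1" | sed 's/-A /-C /')
  # shellcheck disable=SC2086  # word splitting of the rule spec is intended
  if ! iptables $check >/dev/null 2>&1; then
    iptables $1
  fi
}

# $1 = 16-character network ID, $2 = internet-facing interface (e.g. eth0; assumed name).
apply_exit_node() {
  zt=$(zt_iface_for_network "$1" "$(zerotier-cli listnetworks)")
  if [ -z "$zt" ]; then
    echo "this host is not joined to network $1" >&2
    return 1
  fi
  ip link show "$2" >/dev/null            # fail early on a mistyped interface name
  sysctl -w net.ipv4.ip_forward=1 >/dev/null
  grep -q '^net.ipv4.ip_forward=1' /etc/sysctl.conf \
    || printf 'net.ipv4.ip_forward=1\n' >>/etc/sysctl.conf
  render_rules "$2" "$zt" | while IFS= read -r spec; do ensure_rule "$spec"; done
  mkdir -p /etc/iptables
  iptables-save >/etc/iptables/rules.v4    # picked up by iptables-persistent at boot
}

# Usage: sudo sh zt-exit-node.sh <network-id> <physical-interface>
if [ $# -eq 2 ]; then
  apply_exit_node "$1" "$2"
fi
```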

MikroTik RouterOS 7 (ARM/ARM64 only)

By default, MikroTik's firewall will likely block incoming connections on the ZeroTier interface. You need to add rules to allow traffic.

  • Allow ZeroTier Traffic (Basic Access): These rules will allow devices on your ZeroTier network to access services directly on your MikroTik router.

    • WinBox: Go to IP > Firewall > Filter Rules. Click + to add new rules.

      • Rule 1 (Allow input to router):

        • Chain: input

        • In. Interface: zerotier1 (or whatever you named your ZeroTier interface)

        • Action: accept

        • Drag this rule to the top of your input chain, before any "drop all" rules.

      • Rule 2 (Allow forwarding if you want to access LAN behind MikroTik):

        • Chain: forward

        • In. Interface: zerotier1

        • Action: accept

        • Drag this rule to the top of your forward chain.

    • CLI:

    /ip firewall filter
    add action=accept chain=input in-interface=zerotier1 comment="Allow ZeroTier to Router"
    add action=accept chain=forward in-interface=zerotier1 comment="Allow ZeroTier to LAN (if routing)"

    Place these rules at the beginning of their respective chains using place-before=0 if you have existing rules.

  • (Optional) For full internet gateway functionality: If you want your MikroTik to act as the internet gateway for all ZeroTier clients (similar to your Ubuntu/Debian setup), you'll need additional NAT and routing configuration.

    • Managed Route in ZeroTier Central: Add 0.0.0.0/0 via your MikroTik's ZeroTier IP in the ZeroTier Central "Managed Routes" section.

    • NAT Rule on MikroTik: You'll need a NAT rule on your MikroTik to masquerade traffic coming from the ZeroTier interface out to your WAN interface.

    /ip firewall nat
    add chain=srcnat action=masquerade out-interface=<YOUR_MIKROTIK_WAN_INTERFACE> src-address=<YOUR_ZEROTIER_NETWORK_SUBNET>

    Replace <YOUR_MIKROTIK_WAN_INTERFACE> (e.g., ether1-wan) and <YOUR_ZEROTIER_NETWORK_SUBNET> (e.g., 10.147.17.0/24).

Optionally, if you want all internet traffic from remote members to go through your exit node, tell your ZeroTier network that the 0.0.0.0/0 route should be directed via your Ubuntu/Debian client's or MikroTik router's ZeroTier IP address.

  • Go to ZeroTier Central: Log in to my.zerotier.com and navigate to your network's settings.

  • Locate the "Managed Routes" section.

  • Add a new route:

    • Destination: Enter 0.0.0.0/0 (this represents all internet traffic).

    • Via: Enter the ZeroTier IP address of your ZeroTier client (the device you just configured). You can find this IP address in the "Members" section of your ZeroTier network settings, next to your Debian client's entry.

Step 7: Verify Connectivity

After authorising, your devices should now be connected to your ZeroTier network.

  • Check IP Addresses: On each device, you should see a new network adapter (e.g., "ZeroTier One") with an IP address from the range you configured in ZeroTier Central (e.g., 10.147.17.x).

  • Ping Test: From one ZeroTier-connected device, try to ping the ZeroTier IP address of another connected device.

    • For example, if your homelab server's ZeroTier IP is 10.147.17.10 and your laptop's ZeroTier IP is 10.147.17.20, you should be able to ping 10.147.17.10 from your laptop.

  • Access Services: If you've set up managed routes, and configured your exit node properly for IP Forwarding and iptables rules, you should now be able to access services on your local homelab network (e.g., 192.168.1.x) by addressing them via your homelab's ZeroTier gateway device.

  • Verify Internet Gateway (if configured): If you set up an exit node for internet traffic, from a remote ZeroTier client, visit https://whatismyipaddress.com/. The displayed IP address should match the public IP address of your ZeroTier gateway (Ubuntu/Debian client or MikroTik router).

That's it! We've successfully set up our ZeroTier network, allowing secure and direct communication between your devices, regardless of their physical location or underlying network obstacles like CGNAT.

Conclusion: The Horizon of Connectivity

The journey of the homelab enthusiast is one of continuous evolution, a relentless pursuit of control and accessibility in an ever-changing digital landscape. I started with the simple confines of a local network, ventured into the complexities of public exposure, navigated the historical terrain of IPsec and SSL VPNs, embraced the efficiency of WireGuard, and deftly sidestepped the formidable barrier of CGNAT. My personal odyssey, marked by the unexpected blocking of Tailscale, underscores a fundamental truth: the quest for resilient connectivity is never truly over.

This is where ZeroTier steps in, not just as an alternative, but as a powerful, flexible solution for building my own secure, decentralised network fabric. It’s a testament to my ability to adapt, to overcome, and to leverage innovation when traditional methods fall short. With ZeroTier, my homelab is no longer tethered by the whims of my ISP or the limitations of my physical location. It transforms into a truly global, yet intensely private, resource accessible from anywhere, on any authorised device.

So, as I embark on, or continue, my self-hosting adventure, I embrace the power of ZeroTier. It's more than just a tool; it's a declaration of digital sovereignty, empowering me to build the connected world I envision, one secure node at a time. The path ahead may still hold unforeseen challenges, but with ZeroTier in my arsenal, I'm better equipped than ever to conquer them. What will you build next with your newly unleashed homelab?
