Home Assistant Community Add-on: ZeroTier One

Some folks have asked questions about bridging to their LAN using ZeroTier. I have done this using a Pi, but not by using the add-on. It is necessary for the device acting as the bridge to do ip forwarding. I don’t know how the add-on can be configured to do that. I have left a request for that support to be added.

Here’s what I did to a Pi running Raspbian (and hass.io, but that is irrelevant):

  • Install ZeroTier (curl -s https://install.zerotier.com/ | sudo bash).
  • Connect the Pi to your ZT network (zerotier-cli join 1d71939404xxxxxx).
  • At https://my.zerotier.com/network/1d71939404xxxxxx authorize the Pi and note its ZT IP (mine was 192.168.195.xxx). Click the wrench and select “Allow Ethernet Bridging”. Only the Pi should be so designated.
  • Connect and authorize your workstation on ZT. Note its IP.
  • Make sure Pi and workstation can ping each other on ZT.
  • At https://my.zerotier.com/network/1d71939404xxxxxx add a Managed Route. Destination = LAN subnet (192.168.0.0/24 for me). VIA = Pi ZT IP (192.168.195.xxx).
  • On Pi, edit sysctl.conf (nano /etc/sysctl.conf), uncomment or add:
    net.ipv4.conf.all.forwarding=1
    net.ipv4.conf.default.forwarding=1
    net.ipv6.conf.all.forwarding=1
    net.ipv6.conf.default.forwarding=1
  • Reboot the Pi.
  • On the Pi’s network router, add a static route to the ZeroTier network using the Pi’s local IP as the gateway (Destination LAN=192.168.195.0 [ZT], Subnet Mask=255.255.255.0, Gateway=192.168.0.xxx [Pi], Interface=LAN & WLAN).
  • Switch your workstation to another network (xfinitywifi). Reconnect your workstation to ZT. You should be able to access (ping) your LAN devices at their LAN ips.
3 Likes
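
A check for the sysctl.conf step in the procedure above, as an added example that is not part of the original post: it reads a sysctl.conf-style file and reports which of the four forwarding keys are not effectively set to 1. The function names and the sample file are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the original post): audit a sysctl.conf-style file
# for the four forwarding keys listed in the bridging steps.

FORWARDING_KEYS="net.ipv4.conf.all.forwarding
net.ipv4.conf.default.forwarding
net.ipv6.conf.all.forwarding
net.ipv6.conf.default.forwarding"

# conf_value FILE KEY: print the effective value of KEY in FILE.
# Lines starting with '#' or ';' are comments; the last assignment wins;
# 'net/ipv4/...' is accepted as an alternative spelling of 'net.ipv4...'.
conf_value() {
    awk -F= -v key="$2" '
        /^[ \t]*[#;]/ { next }
        NF >= 2 {
            k = $1; v = $2
            gsub(/[ \t]/, "", k); gsub(/[ \t]/, "", v)
            gsub("/", ".", k)
            if (k == key) val = v
        }
        END { if (val != "") print val }
    ' "$1"
}

# count_missing_forwarding FILE: list keys not set to 1 on stderr,
# print how many there are on stdout.
count_missing_forwarding() {
    missing=0
    for key in $FORWARDING_KEYS; do
        val=$(conf_value "$1" "$key")
        if [ "$val" != "1" ]; then
            echo "not enabled: $key (file value: ${val:-unset})" >&2
            missing=$((missing + 1))
        fi
    done
    echo "$missing"
}

# Constructed sample: one key still commented out, one overridden later,
# one written with spaces, one absent.
sample=$(mktemp)
cat > "$sample" <<'EOF'
#net.ipv4.conf.all.forwarding=1
net.ipv4.conf.default.forwarding = 1
net.ipv6.conf.all.forwarding=0
net.ipv6.conf.all.forwarding=1
EOF
echo "keys still to fix: $(count_missing_forwarding "$sample")"
rm -f "$sample"
```

Point it at /etc/sysctl.conf on the bridging host; files under /etc/sysctl.d/ can also set these keys.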

First, it’s not https, it’s just http. The whole host is available, so any other containers you have will be accessible. Make sure your clients are authorised on the ZeroTier site for your network.

Hi, thanks a lot for your instructions, I am trying it right now (after a series of unsuccessful attempts).

My router (flashed with ASUSWRT) does not have the option LAN&WAN for the interface, only LAN, MAN or WAN. Do you know what I should put?

I hope the rest I put is ok (192.168.1.xxx is my local LAN, 192.168.192.xxx is my ZT1 LAN), so I put as Network/Host IP the address of the PI as I saved it under ZeroTier

I guess in Network/Host IP I need to put 192.168.192.0

EDIT: well, now I can access:

  • all my ZT1 clients at 192.168.192.xxx (those that have a ZT app)
  • my PI with its local address 192.168.1.238 and also of course at 192.168.192.238 (I put all my ZT devices with the same ending IP 192.168.1.yyy ==> 192.168.192.yyy so that they are easy to remember)
  • but all my other local IP (192.168.1.xxx) are still not accessible

I think I am close to a solution, but it is still not working: I also tried putting WAN in the static route.

Don’t know Asus. MAN is “Metropolitan Area Network” (a limited version of WAN). I would think you want WAN.
Ensure only the pi is designated as bridged.
Reboot Pi and router.
When accessing remotely for test how are you connecting?

Seems like remotely you should not be able to see any 192.168.1.x addresses unless the bridge was working. Can you ping router?

Remove static route, reboot router, and test remotely. Then add static route WAN, reboot router, and test remotely (to gather information). Repeat LAN if necessary.

Good luck.

Ok, thanks a lot, will do as suggested.

Currently I was testing connecting with an Android phone with ZeroTier1 app correctly installed (and phone registered in ZT1 network) under 4G, with it I can access

  • all my ZT1 clients at 192.168.192.xxx (those that have a ZT app)
  • my PI with its local address 192.168.1.238 and also of course at 192.168.192.238 (I put all my ZT devices with the same ending IP 192.168.1.yyy ==> 192.168.192.yyy so that they are easy to remember)
  • but all my other local IP (192.168.1.xxx) are still not accessible

Being able to access 192.168.1.238 remotely means the bridge is partially working, I guess, but only to this host not the rest …? I have to check further.

I’ve read posts elsewhere about problems with phones and bridging ZT. My directions specify workstation and were not tested with a phone. Is your phone simultaneously connected to your LAN and 4G?

You might get it working as I did (via pc/mac), then move to phone.

What app on the phone are you using for the connection testing?

No, when I do testing I turn off WiFi on my Android phone.
Currently I do not have any workstation connected to the Internet outside of my LAN for testing (I would need to wait for the next business trip with my Windows 10 laptop).

On the phone I used Chrome browser (and zerotier app active).

In the meantime I had to disable everything, since all my IOT WiFi devices refused to connect to the internal WiFi, very strange (while the phone was connecting without problems).

I guess my networking knowledge is not sufficient for this task, although I followed each step as you described (the only guide I found so complete)

Can’t you connect your laptop to xfinitywifi or some other wifi hotspot? How about the library? Neighbor?

Are you using the laptop or the phone to make the router changes?

On my setup, with workstation connected to xfinitywifi, I can ping my workstation (192.168.195.x1) and my pi (192.168.195.x2). If the static route is active from the pi (192.168.0.x2) to the ZT net (192.168.195.0) I can ping my internal lan addresses (192.168.0.xxx). If the static route is deleted I can ping the ZT ips and only 192.168.0.x2 (the pi).

The above is consistent with your results, but suggests to me that your static route was not in effect.

I still suggest initial testing via workstation, rather than phone, but think you should focus on the static route.

These are probably correct, but check that at zerotier your pi is the only bridged node, and that you have a managed route to your internal lan (192.168.1.0/24) via your pi’s ZT ip (192.168.192.238). I guess you should also check sysctl.conf for the ip forwarding entries.

I find that when switching wifi networks I always have to reconnect my WS to ZT, and sometimes the Pi as well. If they can’t ping each other, obviously the rest won’t work.

FYI for Community.
Per ZeroTier Support here are the implications of the ZT One connection options:

allowManaged – If true, ZT-managed IPs and routes are assigned (default on)
allowGlobal – If true, ZT-managed IPs and routes can overlap public IP space (def off)
allowDefault – If true, network can override system default route (full tunnel) (def off)

Aha, yes I get this, but I don’t understand why all my ESPhome devices, Yeelight light and Google Home stopped connecting to WiFi.

On static route I guess I need to use the option LAN

Hi, so I am trying again. I did everything as you said, and I think that the problem is the static route. I tried both the LAN and WAN options but it does not work (BTW with the static route set all my WiFi devices stop connecting to the router, very strange).

Do you have any idea if I should put something in METRIC (I put nothing)?

Please describe how you are testing and what “does not work”.

:tada: v0.3.0

Full Changelog

This add-on upgrades the internals of the add-on.
No breaking changes.

Changed

  • :arrow_up: Upgrades linux-headers to 4.19.36-r0
  • :arrow_up: Upgrades git to 2.22.0-r0
  • :arrow_up: Upgrades add-on base image to v4.0.1
  • :pencil2: Maintaince -> Maintenance
  • :sparkles: Adds FUNDING.yml

Questions? Join our Discord server! https://discord.me/hassioaddons
Enjoying my add-ons? Consider supporting my work: https://patreon.com/frenck

I had the same issues. I just found a way to enable all my LAN devices for ZeroTier access via this addon. I wrote down my way of achieving this here:

2 Likes

Hey guys,

I have hassio with Zero Tier addon running but I can’t access the frontend through the zero tier “vpn”.
SSH (Port 22) and Pi-hole work fine but when I try to go to zerotier_address.ip:8123 (192.168.192.10:8123) the page just keeps loading and I don’t know why.

I’ve also scanned the ports of the hassio instance over zero tier and 8123 is open.

the log of the zero tier addon seems fine:

[s6-init] making user provided files available at /var/run/s6/etc...exited 0.
[s6-init] ensuring user provided files have correct perms...exited 0.
[fix-attrs.d] applying ownership & permissions fixes...
[fix-attrs.d] done.
[cont-init.d] executing container initialization scripts...
[cont-init.d] 00-banner.sh: executing... 

 Add-on version: 0.3.0
 You are running the latest version of this add-on.
 System: HassOS 2.12  (armv7 / raspberrypi3)
 Home Assistant version: 0.95.4
 Supervisor version: 167

[cont-init.d] 00-banner.sh: exited 0.
[cont-init.d] 01-log-level.sh: executing... 
[cont-init.d] 01-log-level.sh: exited 0.
[cont-init.d] zerotier.sh: executing... 
[22:49:43] INFO: ZeroTier node address: ##########
[22:49:43] INFO: Configuring network: ################
[cont-init.d] zerotier.sh: exited 0.
[cont-init.d] done.
[services.d] starting services
[services.d] done.
[22:49:44] INFO: Starting ZeroTier One...

Anybody an idea?

:tada: Release v0.3.1

Full Changelog

This is a maintenance release.

Changed

  • :arrow_up: Upgrades add-on base image to v4.0.2


:tada: Release v0.3.2

Full Changelog

This is a maintenance release.

Changed

  • :arrow_up: Upgrades add-on base image to v4.0.3


:tada: Release v0.4.0

Full Changelog

This release upgrades ZeroTier One to v1.4.0.1

Changed

  • :arrow_up: Upgrades ZeroTier One to v1.4.0.1
