No of course you need to use the ZeroTierOne IP address… how else can it connect?
Say for instance my ZT1 network is on 172.x.x.0/24 and my HA is 172.x.x.3
Internally I would access HA maybe via 10.90.x.100:8123 (if I run a 10.90.x.0/24 subnet), but via ZT1 that might be 172.x.x.3:8123
As I understand you don’t need to forward ports if you have an OpenVPN client. If you run a server then yes, you definitely need to forward ports. Or am I wrong in understanding this?
Also, thank you very much for helping out.
You really are a fan of ZeroTier One. It’s one of my options, it’s in the list in my first post in this thread so if there is no other solution I’ll probably end up using it. I was looking forward to playing around with VPNs a bit as I never set up one myself (only for privacy concerns / location restricted content access).
Also, thank you very much for giving me a hand.
My router also has a VPN server (IPSec) which I can use as well. The router opens the necessary ports and then when you connect to the VPN you are effectively on your LAN network.
I’ll look into it, so you are saying that instead of having only the Raspberry Pi on a VPN I can place all the home network traffic on a VPN. I’d prefer having the control to select which devices I place on the VPN, but I will have a look, thanks.
Yes. Most routers have a VPN server built into them these days. You will get an IP address on your internal network when you connect to it and you will be able to access everything on your internal network. You aren’t placing any specific device on the VPN, it’s just that when you connect to the VPN you are effectively connected directly to your LAN network.
I was inspired by this to complete my zerotier one setup. Very nice.
ZT1 is a VPN.
Not really like most people see VPNs though… you don’t provide the endpoint yourself… the client connects to the ZT server and it tells all the clients how to find the other ones and it is then a direct connection, so far as I understand it anyway.
Is WireGuard not better then? HA Add-on installed. Config it. Start.
Other devices install WireGuard as well. Connect to it. Then you can use your local IP numbers inside the network.
Then you have a network without an external server like ZeroTier.
Depends what you want. With ZeroTier you won’t have issues with CGNAT and you don’t need to open any ports. The best solution is whatever meets your needs.
Thanks for your input @poudenes
The issue is that I need to have an external server because of the NAT and that’s what I’m able to achieve. As stated in the title, the HA server needs to be a client in the VPN network, not a server. Is the WireGuard addon able to run in a client only mode?
EDIT: Just realized I double asked this, sorry for spamming you.
I’m not sure. I think HA is not part of the WireGuard.
So it’s not connected as a client too.
But never tried it. Will test this to see if I can access a device connected via WireGuard.
Jumping on this thread.
Similar request. HA to have some sort of VPN Client capability (PPTP or L2TP).
My scenario differs slightly. I’m running a site completely on LTE.
It looks like the ISP has some double NATs, making ZT on some occasions slow and unreliable.
I do work from that remote location and can confirm outgoing VPNs are basically unhindered.
I’ve spoken with the ISP and obviously as the LTE plan I am using is consumer grade ($), the only way I can have inbound VPN to that site is an LTE cellular plan ($$$$$).
So having HA be able to VPN to an external server (hosted on one of my locations on stock standard FTTH) will allow me remote management without the need for ZT. Bonus ask: Direct Internet Access and Split Tunneling capabilities would be great too! Wouldn’t want to backhaul everything.
If anyone has thoughts on how to accomplish this on HassOS or if anyone knows of some add-on that can help, that would be great!
Nabu Casa not working for you?
Hey,
I’m currently using ngrok as a temporary workaround: GitHub - dylrio/hassio-addons: A collection of addons for Hass.io that I've created or modified. (thx @sheminasalam) and using the Terminal & SSH add-on to ssh into other devices on the network. I’m planning to put the devices/services I’d like to access remotely on a VPN (played around with OpenVPN, but their Android app had troubles connecting - maybe an issue with the VPN server, but the Windows client worked fine). Still also thinking about setting up a custom VPS and SSH tunnel.
Oh it would work. Actually have 2 separate Nabu Casa instances where Alexa and Google Home integration is necessary and doing it manually is just not scalable or worth the hassle.
However, for this remote LTE site, I have no need for the nifty features NC offers. Literally just need this for remote management and ZT was my go to solution but caveat was the ISP.
I feel that going with another NC instance just for the remote management piece isn’t worth it for me.
Although have seen multiple asks for a “Pro” version of NC. Pay X amount for Y instances. Wouldn’t mind going on a plan like that.
Yes that would be excellent.
Unfortunately “inbound” connections to this site are not allowed. Hence I won’t be able to set up a VPN server for this site.
Again, outbound is unrestricted.
Similar situation as @Tamadite seen here Client OpenVPN to connect server outside my network - #24 by Tamadite
Actually to be more specific, Pay X amount for Y instances consolidated under 1 account. Would be great for scalability if you’re an MSP. Or a PAYG option.