...
You’re doing this on your home network and can log in to your router and find the DHCP settings.
You have a keyboard, monitor, and ethernet cable plugged into your Pi. Chances are high we’ll break networking and lose access to the Pi.
You’re somewhat familiar with the command line and ssh.
We’re going to use systemd networking for this. You could probably adapt the concepts to a different Linux network configuration system if you have opinions about systemd.
We used a Raspberry Pi 2 while writing this, but a Pi 3 or 4 should work fine. Anything running a Debian 10 based distro should be fine. It doesn’t have to be a Raspberry Pi, but some of these instructions might be Raspbian specific.
Please don’t do this at work without asking your friendly network administrator. They will probably get a notification and come take away your Pi.
Prepare this information:
Physical LAN Subnet
Physical LAN DHCP Range
ZeroTier Auto-Assign Range
Default Gateway IP Address (the router)
Bridge IP Address (will be statically assigned)
Create a new ZeroTier network and get its ID. Keep the old network around as a secondary way to connect any devices already using ZeroTier.
The DHCP range and ZeroTier Auto-Assign range should be in the same subnet, but not overlap. You’d probably base this off what is already configured on your router.
An example plan:
Name | Value | Referred to below as
---|---|---
Physical LAN Subnet | 192.168.192.0/24 |
Physical LAN DHCP Range | 192.168.192.65 through 192.168.192.126 |
ZeroTier Auto-Assign Range | 192.168.192.129 through 192.168.192.190 | $ZT_POOL
ZeroTier Managed Route | 192.168.192.0/23 | $ZT_ROUTE
Default Gateway IP Address | 192.168.192.1 | $GW_ADDR
Bridge IP Address | 192.168.192.2/24 (or use DHCP) | $BR_ADDR
ZeroTier Network ID | d5e04297a19bbd70 | $NETWORK_ID
ZeroTier Network Interface Name | zt3jnwghuq | $ZT_IF
Get your bridge device up and running.
...
```bash
# Let systemd-resolved own /etc/resolv.conf and enable the systemd network stack
sudo ln -sf /run/systemd/resolve/resolv.conf /etc/resolv.conf
sudo systemctl enable systemd-networkd
sudo systemctl enable systemd-resolved
sudo systemctl enable systemd-timesyncd
```
Configure interfaces
```bash
# Stop ZeroTier from assigning addresses/routes to its own interface; the bridge will own them
sudo zerotier-cli set $NETWORK_ID allowManaged=0
```
Write the network configuration files. This puts ethernet and ZeroTier into the bridge and configures the bridge with a static IP. See the appendix for DHCP configuration on the bridge.
```bash
# $BR_IF is the bridge interface name (assumed to match the br0 in the file names).
# The bridge itself carries the IP configuration.
cat << EOF | sudo tee /etc/systemd/network/25-bridge-br0.network
[Match]
Name=$BR_IF

[Network]
Address=$BR_ADDR
Gateway=$GW_ADDR
DNS=1.1.1.1
EOF

# Create the bridge device
cat << EOF | sudo tee /etc/systemd/network/br0.netdev
[NetDev]
Name=$BR_IF
Kind=bridge
EOF

# Enslave the ZeroTier interface to the bridge
cat << EOF | sudo tee /etc/systemd/network/25-bridge-br0-zt.network
[Match]
Name=$ZT_IF

[Network]
Bridge=$BR_IF
EOF

# Enslave the physical ethernet interface to the bridge.
# systemd config files only allow comments on their own line, so the note
# about the interface name lives here rather than after Name=.
cat << EOF | sudo tee /etc/systemd/network/25-bridge-br0-en.network
[Match]
# might be en* on your system
Name=eth0

[Network]
Bridge=$BR_IF
EOF
```
Review configuration
```bash
tail -n+0 /etc/systemd/network/*
```
If needed, edit the files with the editor of your preference.
If it looks good:
```bash
sudo reboot
```
From the physical LAN, you should now be able to connect to the Pi at $BR_ADDR.
If it takes a long time waiting for the network during boot.
...
Test it with your phone on mobile data
Join your other ZeroTier networks
Secure the Pi to your liking https://www.raspberrypi.org/documentation/configuration/security.md We’d probably skip adding the firewall.
Make a backup of the SD card?
Appendix
Configure bridge with DHCP
```bash
cat << EOF | sudo tee /etc/systemd/network/25-bridge-br0.network
[Match]
Name=$BR_IF

[Network]
DHCP=yes
EOF
```
I can ping the bridge, but not behind it
...
https://serverfault.com/questions/162366/iptables-bridge-and-forward-chain
FAQ
Why is the Managed Route /23 and the LAN subnet /24?
Say you have a laptop that is on the ZeroTier network and you bring it home. Now its WiFi address and ZeroTier address are in the same subnet. Which interface/address should your laptop use for internet access? https://en.wikipedia.org/wiki/Longest_prefix_match
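As an added example (not code from the original article), here is a small Python check for the two planning rules above: the DHCP range and the ZeroTier auto-assign pool must sit in the LAN subnet without overlapping, and the managed route must cover the LAN while being less specific than it. It also does the longest-prefix-match lookup from this FAQ answer to show which interface the laptop picks at home. The addresses are the ones from the plan table; the laptop interface names are assumptions.

```python
import ipaddress

def range_ok(lo, hi, subnet):
    """Both ends of an inclusive range must be usable host addresses in subnet."""
    return (lo <= hi and lo in subnet and hi in subnet
            and lo != subnet.network_address and hi != subnet.broadcast_address)

def ranges_overlap(a_lo, a_hi, b_lo, b_hi):
    """Inclusive address ranges overlap unless one ends before the other starts."""
    return not (a_hi < b_lo or b_hi < a_lo)

def check_plan(lan, dhcp, zt_pool, zt_route):
    """Return the list of problems with a plan (empty means consistent).
    lan/zt_route are CIDR strings, dhcp/zt_pool are (first, last) address strings."""
    lan, zt_route = ipaddress.ip_network(lan), ipaddress.ip_network(zt_route)
    d_lo, d_hi = map(ipaddress.ip_address, dhcp)
    p_lo, p_hi = map(ipaddress.ip_address, zt_pool)
    problems = []
    if not range_ok(d_lo, d_hi, lan):
        problems.append("DHCP range is not inside the LAN subnet")
    if not range_ok(p_lo, p_hi, lan):
        problems.append("ZeroTier auto-assign range is not inside the LAN subnet")
    if ranges_overlap(d_lo, d_hi, p_lo, p_hi):
        problems.append("DHCP range and ZeroTier auto-assign range overlap")
    # The managed route must cover the LAN but be less specific than it; otherwise
    # a laptop at home would send LAN traffic over ZeroTier instead of WiFi.
    if not lan.subnet_of(zt_route):
        problems.append("ZeroTier managed route does not cover the LAN subnet")
    elif zt_route.prefixlen >= lan.prefixlen:
        problems.append("ZeroTier managed route is not less specific than the LAN subnet")
    return problems

def pick_route(dest, routes):
    """Longest-prefix match: interface of the most specific route containing dest."""
    dest = ipaddress.ip_address(dest)
    nets = [(ipaddress.ip_network(n), dev) for n, dev in routes]
    matches = [(net, dev) for net, dev in nets if dest in net]
    return max(matches, key=lambda r: r[0].prefixlen)[1] if matches else None

# Constructed values copied from the example plan table above.
LAN, ZT_ROUTE = "192.168.192.0/24", "192.168.192.0/23"
DHCP = ("192.168.192.65", "192.168.192.126")
ZT_POOL = ("192.168.192.129", "192.168.192.190")
# The laptop's routes at home: the WiFi LAN (/24) plus the ZeroTier managed route (/23).
# Interface names are assumed for illustration.
HOME_ROUTES = [(LAN, "wlan0"), (ZT_ROUTE, "zt3jnwghuq")]

print(check_plan(LAN, DHCP, ZT_POOL, ZT_ROUTE))    # []
print(pick_route("192.168.192.70", HOME_ROUTES))  # wlan0
```

A destination outside the /24 but inside the /23 (for example another site reachable only over ZeroTier) falls through to the ZeroTier interface, which is exactly why the managed route is one bit wider than the LAN.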
Why is an app on my phone not working over ZeroTier?
Unfortunately the iOS and Android VPN APIs won’t let ZeroTier use multicast/broadcast. These are typically how apps auto-discover services on the LAN. 😭 Stay tuned for an article on bridging a ZeroTier network and a WiFi access point.
References
...