Versions Compared

...

The Linux kernel can't do this, or at least can't for every IP in your /64 without manually specifying each. Luckily there is a nice little project on GitHub called ndppd that can do this for you.

Your distribution may have a package.

Code Block
apt install ndppd


If your distro doesn't have the package, install gcc, g++, and make on your gateway and then:

Code Block
git clone https://github.com/DanielAdolfsson/ndppd
cd ndppd
make
sudo make install

Your distribution may have a package. Check before doing the build.


Now you'll want to copy ndppd.conf-dist from the ndppd source tree to /etc/ndppd.conf and edit it. We just had to edit the prefix under their example rule entry:

...

That tells ndppd to answer NDP requests for the entire /80 from which we'll be assigning IPv6 addresses to our devices. Obviously you will need to change that IP prefix to your own.

There is a handy program to help you with IP subnetting: apt install ipcalc


The rule should use the static or iface option. We saw some flakiness with auto.


Then you'll want to start ndppd and tell it to start on boot. It doesn't come with init/systemd scripts so we just did this:

Code Block
sudo systemctl start ndppd
sudo chmod a+x /etc/rc.local

Then edited /etc/rc.local to add:

Code Block
/usr/local/sbin/ndppd -d

Running that command with sudo will start ndppd manually.

systemctl enable ndppd


Once ndppd is running, try ping6 ipv6.google.com again from one of your devices. For us it worked right away!

Congratulations! You now have a global IPv6 address for every device on your virtual network.

Step 4f: IPv6 Security (optional)

...


Code Block
curl -4 ifconfig.co
curl -6 ifconfig.co

Both commands should return your ZeroTier gateway addresses.

Step 4f: IPv6 Security (optional)

This configuration gives every device on your ZeroTier network a real globally reachable IPv6 address. This is wonderful but also possibly a little bit dangerous.

...

Code Block
*filter
:INPUT ACCEPTDROP [0:0]
:FORWARD DROP [0:0]
-A FORWARD -i zt+ -s 2001:19f0:6001:01a6::/64 -j ACCEPT
-A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
:OUTPUT ACCEPT [0:0]
COMMIT
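
A small audit of the FORWARD chain in a ruleset like the one above, added here as an example and not part of the original page. The function name `audit_forward` and the WEAK ruleset are constructed for illustration; negated (`!`) matches are not handled.

```python
import ipaddress
import shlex

def audit_forward(ruleset: str, zt_prefix: str) -> list[str]:
    """Return findings for the FORWARD chain of an ip6tables-restore file."""
    allowed = ipaddress.ip_network(zt_prefix)
    policy, stateful, findings = None, False, []
    for raw in ruleset.splitlines():
        line = raw.strip()
        if line.startswith(":FORWARD "):
            policy = line.split()[1]          # ":FORWARD DROP [0:0]" -> "DROP"
        if not line.startswith("-A FORWARD "):
            continue
        tok = shlex.split(line)
        opt = {t: tok[i + 1] for i, t in enumerate(tok[:-1]) if t.startswith("-")}
        if opt.get("-j") != "ACCEPT":
            continue
        states = set(opt.get("--state", opt.get("--ctstate", "")).split(","))
        if states <= {"ESTABLISHED", "RELATED"}:
            stateful = True                   # reply traffic only
            continue
        # Anything else admits new connections: it must be bound to a
        # ZeroTier interface and to the network's own prefix (anti-spoofing).
        if not opt.get("-i", "").startswith("zt"):
            findings.append(f"new connections not bound to a zt interface: {line}")
        src = opt.get("-s")
        if src is None or not ipaddress.ip_network(src, strict=False).subnet_of(allowed):
            findings.append(f"source not limited to {allowed}: {line}")
    if policy != "DROP":
        findings.append(f"FORWARD policy is {policy!r}, expected 'DROP'")
    if not stateful:
        findings.append("no ESTABLISHED,RELATED rule: replies would be dropped")
    return findings

# FORWARD rules as shown on this page.
GOOD = """*filter
:FORWARD DROP [0:0]
-A FORWARD -i zt+ -s 2001:19f0:6001:01a6::/64 -j ACCEPT
-A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
COMMIT
"""
# Constructed counter-example: open policy, no interface match, no state rule.
WEAK = """*filter
:FORWARD ACCEPT [0:0]
-A FORWARD -s 2001:19f0:6001:01a6::/64 -j ACCEPT
COMMIT
"""

if __name__ == "__main__":
    for name, rules in (("GOOD", GOOD), ("WEAK", WEAK)):
        print(name, audit_forward(rules, "2001:19f0:6001:01a6::/64"))
```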

...

Code Block
*nat
:PREROUTING ACCEPT [0:0]
:INPUT ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
-A POSTROUTING -o eth0 -j MASQUERADE
COMMIT
*filter
:INPUT ACCEPT [0:0]
:FORWARD DROP [0:0]
-A FORWARD -i $ZT_IFACE -o $WAN_IFACE -j ACCEPT
-A FORWARD -i $WAN_IFACE -o $ZT_IFACE -m state --state RELATED,ESTABLISHED -j ACCEPT
:OUTPUT ACCEPT [0:0]
COMMIT


FreeBSD

The allowDefault=1 setting on FreeBSD clients can't work. See this GitHub issue for a workaround: https://github.com/zerotier/ZeroTierOne/issues/580.

We've disabled the Allow Default setting on FreeBSD starting on versions newer than 1.10.6 until we can find a solution.


...