How do I allow ZeroTier through my corporate firewall?

There are 3 classes of nodes in a working ZeroTier system: The roots, a controller, and your devices.

Your devices need to be able to communicate directly with each other. ZeroTier users UDP hole punching to do this. It’s a similar process to VoIP STUN/TURN.

The difficulty for strict firewall configurations is: the controllers and your devices are on dynamic IP addresses and are listening on random UDP ports.

Default zerotier-one listening ports are:

  • 9993

  • Secondary Port, randomized each start up and after being “offline” for too long.

  • Random Port for UPnP (UPnP is not required for ZeroTier hole punching to work)


If you allow outgoing 9993 and incoming return traffic, it’ll probably work OK.


For best results, a device needs be able to send to any address, on any UDP port.


If the NAT type is “symmetric” or “strict”, each vendor uses different terminology, it will be difficult to make direct connections. Look for Full Cone NAT, options related to VoIP, persistent NAT, etc…

Ask your vendor. Let us know what works.



See also: