For minimal operation, outbound UDP on port 9993 (and reply packets) should be allowed to ZeroTier's root servers. Allowing other UDP traffic is ideal, since it enables peer-to-peer connectivity, but these IPs on port 9993 are the minimal requirement for ZeroTier to work:
These are Amsterdam, Los Angeles, Miami, Tokyo, San Francisco, and Dallas.
We've also created a DNS record:
These IPs are subject to change and new root points of presence could be added or removed.
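
One way to turn the requirement above into host firewall rules, as an added example rather than ZeroTier's own tooling: the script prints (does not apply) `iptables`/`ip6tables` rules for outbound UDP 9993 and tracked replies. The function names are hypothetical and the addresses are documentation-range placeholders, not real root server IPs; substitute the current list.

```shell
#!/bin/sh
# Added example: print, but do not apply, rules for the minimal ZeroTier
# allowance: outbound UDP 9993 to each root server plus tracked replies.
# Assumes the built-in OUTPUT/INPUT chains and the conntrack match.

ZT_PORT=9993

# zt_rules_for ADDR: print the two rules for one root address.
# Because the root list changes and may be refreshed from DNS or a file,
# anything that is not a plain IP literal is rejected, so a bad entry can
# never smuggle extra options or shell syntax into the printed commands.
# This is a character-level sanity check, not full address validation.
zt_rules_for() {
    addr=$1
    case $addr in
        ''|*[!0-9a-fA-F:.]*) echo "rejected: $addr" >&2; return 1 ;;
        *:*)                 cmd=ip6tables ;;
        *[!0-9.]*)           echo "rejected: $addr" >&2; return 1 ;;
        *.*.*.*)             cmd=iptables ;;
        *)                   echo "rejected: $addr" >&2; return 1 ;;
    esac
    # Outbound: UDP to the root server on port 9993.
    echo "$cmd -A OUTPUT -p udp -d $addr --dport $ZT_PORT -j ACCEPT"
    # Inbound: only packets conntrack ties to a flow this host started.
    echo "$cmd -A INPUT -p udp -s $addr --sport $ZT_PORT -m conntrack --ctstate ESTABLISHED -j ACCEPT"
}

# zt_minimal_rules ADDR...: rules for every address; non-zero exit if any
# entry was rejected, so a refresh job can refuse to apply a partial list.
zt_minimal_rules() {
    rc=0
    for a in "$@"; do
        zt_rules_for "$a" || rc=1
    done
    return $rc
}

# Constructed sample input: placeholder addresses from the documentation
# ranges 192.0.2.0/24 and 2001:db8::/32.
zt_minimal_rules 192.0.2.10 2001:db8::10
```

Since the root IPs are subject to change, regenerate the rules whenever the list is refreshed and review the printed output before applying it.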