Layer 2 Bridging with LEDE/OpenWRT

Here we'll explain how to bridge your ZeroTier network onto your office or home LAN at Layer 2, so you can reach your private servers and services securely from anywhere in the world. ZeroTier does not need to be installed on the servers connected to the LAN, only on your router.


See also: https://github.com/mwarning/zerotier-openwrt/wiki for the Layer 3 version.

Assumptions

You have a router capable of running LEDE or OpenWRT and have it installed.

On LEDE, ZeroTier 1.1.4 is available in the Stable channel, and 1.2.4 is available in the Development Snapshot channel.  For OpenWRT, you must use the Development Snapshot channel.

For simplicity's sake, we're going to join two adjacent /24 blocks that together form a single /23, so the bridged network has one contiguous address range.

The Local LAN will be 10.99.4.0/24. The ZeroTier network will be 10.99.5.0/24.

Preparing your ZeroTier network

If you have not done so already, sign up for an account on https://my.zerotier.com and create a network.

Open the network to edit it.  In the Managed Routes section, enter 10.99.4.0/23.  This is the /23 that contains both 10.99.4.0/24 and 10.99.5.0/24; 10.99.5.0 does not sit on a /23 boundary, so 10.99.5.0/23 is not a valid route.  Leave the field that says "(LAN)" alone and then click the + button.  Your Managed Routes section should now look like this:

Next, check the IPv4 Auto-Assign checkbox and go to the advanced tab.  Add an auto-assign pool and set the range to 10.99.5.1 - 10.99.5.254, so that ZeroTier members land in the 10.99.5.0/24 half of the /23 and cannot collide with hosts on the 10.99.4.0/24 LAN.

Installing ZeroTier On Your Router

Open your web browser to the router configuration page.  In the System menu select Software.  Find ZeroTier in the Available packages list and hit the install link.

Once installed, you'll need to open an SSH connection to your router.  Using your favorite editor, edit /etc/config/zerotier.  By default it should look something like this:

config zerotier 'default'
        option enabled '1'
        option interface 'wan'
        list join '8056c2e21c000001'
        option secret 'some_really_long_hex_string'

Replace 8056c2e21c000001 with your network ID.  Don't leave the default in place: 8056c2e21c000001 is ZeroTier's public "Earth" network, and you do not want your router's LAN bridged onto it.  The secret line holds the router's ZeroTier identity private key, so keep this file private.  Save and close the file, then reboot your router.  (Yes, you must actually reboot your router here.)

Once your router is back up and running, it will be trying to join your ZeroTier network.  Go to https://my.zerotier.com and authorize it to join the network.  Additionally, you will have to click the Tool icon next to the authorization checkbox and enable Allow Ethernet Bridging; without it, ZeroTier drops frames whose source MAC is not the router's own.

Configuring your Router

Now it's time to go back to the web interface for your router.  In the Network menu, select Interfaces and click the 'Add new interface' button.  Configure the new interface to cover the ZeroTier device zt0, like so:

If zt0 is not in the interface list, select Custom Interface and enter zt0 into the text box.  Check the actual name first with ip link over SSH once the router has joined the network: newer ZeroTier releases name the device zt followed by characters derived from the network ID rather than zt0.  Hit submit and go back to the Interface list page.

Next we want to edit the existing LAN bridge.  This interface was auto-created by LEDE and bridges the switch ports and wireless radios.

On the General Setup tab, set the IPv4 address to 10.99.4.1 and the IPv4 netmask to 255.255.254.0, so the LAN side now spans the whole 10.99.4.0/23.  Keep the LAN DHCP pool inside 10.99.4.0/24 (LEDE's default start of 100 and limit of 150 gives 10.99.4.100 to 10.99.4.249) so the router never hands out an address that ZeroTier may auto-assign.

On the Physical Settings tab, ensure zt0 is checked in the interface list.

Click the "Save & Apply" button and your router will be configured.  On the device you're working from, you'll likely need to release and renew your DHCP assigned address at this point.
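The addressing plan and router steps above, as an added shell example that is not part of this page or of the ZeroTier and LEDE/OpenWRT projects: it computes the aligned /23 the managed route needs, checks that the ZeroTier auto-assign pool sits inside it and that the LAN DHCP pool stays out of the ZeroTier /24, and prints the UCI commands behind the LuCI clicks.  The switch-port name eth0.1, the tap name zt0 and the DHCP offsets 100/150 are assumptions; confirm them with ip link and /etc/config/dhcp on your router.

```shell
#!/bin/sh
# Added example, not from the original page or the ZeroTier/OpenWrt projects.
# Assumptions: LAN ports are bridged as 'eth0.1', the ZeroTier tap is 'zt0',
# and the DHCP pool uses OpenWrt's default offsets (start 100, limit 150).

# ip_to_int 10.99.4.0 -> 174261248
ip_to_int() {
    IFS=. read -r a b c d <<EOF
$1
EOF
    echo $(( (a << 24) | (b << 16) | (c << 8) | d ))
}

int_to_ip() {
    printf '%d.%d.%d.%d' $(( ($1 >> 24) & 255 )) $(( ($1 >> 16) & 255 )) \
        $(( ($1 >> 8) & 255 )) $(( $1 & 255 ))
}

# aligned_prefix ADDR LEN: the network that actually contains ADDR at LEN.
# The managed route must be the /23 boundary that covers both /24s.
aligned_prefix() {
    mask=$(( (4294967295 << (32 - $2)) & 4294967295 ))   # 0xFFFFFFFF
    printf '%s/%s\n' "$(int_to_ip $(( $(ip_to_int "$1") & mask )))" "$2"
}

# in_prefix ADDR NET/LEN: exit 0 if ADDR lies inside NET/LEN.
in_prefix() {
    net=${2%/*}; len=${2#*/}
    [ "$(aligned_prefix "$1" "$len")" = "$(aligned_prefix "$net" "$len")" ]
}

# dhcp_pool IFADDR/LEN START LIMIT: first-last address dnsmasq will hand out.
# OpenWrt's start is an offset from the network address, limit is a count.
dhcp_pool() {
    p=$(aligned_prefix "${1%/*}" "${1#*/}")
    base=$(ip_to_int "${p%/*}")
    printf '%s-%s\n' "$(int_to_ip $(( base + $2 )))" \
        "$(int_to_ip $(( base + $2 + $3 - 1 )))"
}

# uci_plan LAN_PORTS ZT_IF: UCI equivalent of the LuCI steps. Adding ZT_IF to
# the lan bridge's ifname list is what the Physical Settings checkbox does.
uci_plan() {
    cat <<EOF
set network.lan.type='bridge'
set network.lan.ifname='$1 $2'
set network.lan.ipaddr='10.99.4.1'
set network.lan.netmask='255.255.254.0'
set dhcp.lan.start='100'
set dhcp.lan.limit='150'
commit network
commit dhcp
EOF
}

# plan_ok: managed route is the aligned /23, the ZeroTier pool lies inside it,
# and the LAN DHCP pool never reaches into 10.99.5.0/24.
plan_ok() {
    route=$(aligned_prefix 10.99.5.0 23)          # 10.99.4.0/23, not 10.99.5.0/23
    in_prefix 10.99.5.1 "$route" && in_prefix 10.99.5.254 "$route" || return 1
    pool=$(dhcp_pool 10.99.4.1/23 100 150)        # 10.99.4.100-10.99.4.249
    in_prefix "${pool#*-}" 10.99.4.0/24 && ! in_prefix "${pool#*-}" 10.99.5.0/24
}

if [ "${1:-}" = "apply" ]; then
    # Only on the router: feed the plan to uci and reload, i.e. "Save & Apply".
    plan_ok || { echo "addressing plan is inconsistent" >&2; exit 1; }
    uci_plan eth0.1 zt0 | uci batch && /etc/init.d/network reload
else
    echo "managed route: $(aligned_prefix 10.99.5.0 23)"
    echo "LAN DHCP pool: $(dhcp_pool 10.99.4.1/23 100 150)"
    uci_plan eth0.1 zt0
fi
```

Run it without arguments on any POSIX shell to review the plan; copy it to the router and run it with apply to push the same settings through uci batch and reload the network.  After that, the DHCP release and renew on your workstation is still needed, exactly as with the LuCI route.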

Done!

Your local LAN and ZeroTier are now bridged together as one network, and you'll be able to access your local LAN behind the router from wherever your other ZeroTier-enabled devices are!  Bear in mind that every member you authorize on the ZeroTier network now has Layer 2 access to the LAN, exactly as if it were plugged into the switch, so authorize members with care and deauthorize any you no longer need.