Layer 2 Bridging of Ethernet and ZeroTier Networks on Linux

Original credit to feliksik on our old community portal.

If you want to join a number of systems in a VPN, but you are unable or unwilling to install ZeroTier on all nodes, one option is to set up an IP (layer 3) router. Another option is to simply bridge physical networks to ZeroTier networks at the Ethernet level (layer 2). This option is in some ways simpler than layer 3 routing and has the advantage of passing broadcast and multicast traffic, but it can be somewhat more confusing and challenging to set up. Some amount of Linux network administration expertise is required.

We explain here how to connect your road warrior laptops to an office LAN, making all machines appear in one single Ethernet network. You will even be able to reach office computers that are completely unaware of ZeroTier.

Assumptions

These instructions are for Debian and Ubuntu, but should be easily adaptable to other distributions.

Your office LAN has maybe 10 nodes, and 6 people want to work remotely with their laptops at home. The office LAN is 10.0.0.0/16. We assume you have one server/VM at the Office that you will install ZeroTier on. This server has 2 NICs:

  • eth0 receives an IP address on the LAN in the said subnet. This interface is also used for the default route and internet connectivity.
  • eth1 is not receiving an IP address, but is solely used to function as a Layer2 bridge between the ZeroTier VPN and the LAN.

It is possible to set things up with a single NIC, but this is trickier to manage/debug as you are likely to break things temporarily and lock yourself out of the management network.

Installing ZeroTier

Configure the DHCP Server in the Office LAN to give leases in the range 10.0.0.100-10.0.0.200.

Configure the ZeroTier portal to manage IP addresses in the range 10.0.1.100-10.0.1.200. Note how both address ranges are in the same 10.0.0.0/16 subnet, but each has its own pool of IP addresses that does not overlap the other.
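As an added check that is not part of the original page or of ZeroTier's own tooling, the following Python script verifies the address plan described above: each pool lies inside the LAN subnet, and the office DHCP pool and the ZeroTier-managed pool do not overlap (an overlap would let the two allocators hand the same address to two machines on the bridged segment). The constants and function names are this example's own.

```python
import ipaddress

# Constructed values that mirror the tutorial's address plan; they are not read from any live system.
LAN_SUBNET = "10.0.0.0/16"
OFFICE_DHCP_POOL = ("10.0.0.100", "10.0.0.200")  # leases handed out by the office DHCP server
ZEROTIER_POOL = ("10.0.1.100", "10.0.1.200")     # addresses assigned by the ZeroTier controller


def _bounds(pool):
    """Return (first, last) as IPv4Address objects, rejecting a reversed pool."""
    first, last = (ipaddress.ip_address(x) for x in pool)
    if first > last:
        raise ValueError(f"pool start {first} is after its end {last}")
    return first, last


def pools_overlap(pool_a, pool_b):
    """True if at least one address lies in both pools.

    On a bridged segment that means two allocators could hand the same
    address to two different machines."""
    a_first, a_last = _bounds(pool_a)
    b_first, b_last = _bounds(pool_b)
    return max(a_first, b_first) <= min(a_last, b_last)


def check_address_plan(subnet, dhcp_pool, zt_pool):
    """Return a list of problems with the plan; an empty list means it is consistent."""
    problems = []
    net = ipaddress.ip_network(subnet)
    for name, pool in (("office DHCP pool", dhcp_pool), ("ZeroTier pool", zt_pool)):
        first, last = _bounds(pool)
        # Both ends inside the subnet implies the whole contiguous pool is inside it.
        if first not in net or last not in net:
            problems.append(f"{name} {first}-{last} is not inside {net}")
    if pools_overlap(dhcp_pool, zt_pool):
        problems.append("office DHCP pool and ZeroTier pool overlap; duplicate addresses are possible")
    return problems


if __name__ == "__main__":
    report = check_address_plan(LAN_SUBNET, OFFICE_DHCP_POOL, ZEROTIER_POOL)
    for line in report or ["address plan is consistent"]:
        print(line)
```

Run it before you touch the DHCP server or the controller; any line it prints is a conflict you will otherwise discover as intermittent connectivity on the bridged LAN.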

Pick one server/VM in the Office that you want to function as your bridge device. On this server and on all your laptop clients, you install zerotier and join the network:

# fill in your network id appropriately
NETWORK_ID=ABCDEF1234567890
# ZeroTier One release to fetch; adjust to the version you want to deploy
VERSION=1.0.5
wget https://download.zerotier.com/dist/zerotier-one_${VERSION}_amd64.deb
# the install and join steps need root (run as root or prefix them with sudo)
dpkg -i zerotier-one_${VERSION}_amd64.deb
service zerotier-one restart
zerotier-cli join $NETWORK_ID

Then in the my.zerotier.com portal, you allow all nodes. Only the bridging server will receive the 'bridge' checkmark.

We now have to set up the networking in the bridge server properly. Log in via the IP address of eth0 or via an attached keyboard (not via the eth1 interface). Make sure bridge-utils is installed with sudo apt-get install -y bridge-utils, and configure your /etc/network/interfaces as follows:

# The loopback network interface
auto lo
iface lo inet loopback

# The primary network interface you use for the basic connectivity of the server
auto eth0
iface eth0 inet dhcp

# the interface you use purely as a bridge (consider it a switch port); it does not get an IP address.
auto eth1
iface eth1 inet manual

auto br0
iface br0 inet manual
    bridge_ports eth1 zt0
    bridge_fd 0
    bridge_maxage 0

You should now be able to get the interfaces up with sudo ifup eth1; sudo ifup br0.
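The following Python script is an added example, not part of the original page or of the ifupdown tooling. It parses stanzas in the /etc/network/interfaces format shown above and checks the points this tutorial depends on: br0 enslaves both eth1 and zt0, eth0 (the interface you manage the box over) is not a bridge port, and eth1 is configured 'inet manual' with no address of its own. The two sample configurations embedded in it are constructed, and the function names are this example's own.

```python
# Constructed sample in the same ifupdown format as the tutorial's /etc/network/interfaces.
GOOD_INTERFACES = """\
# The loopback network interface
auto lo
iface lo inet loopback

auto eth0
iface eth0 inet dhcp

auto eth1
iface eth1 inet manual

auto br0
iface br0 inet manual
    bridge_ports eth1 zt0
    bridge_fd 0
    bridge_maxage 0
"""

# Constructed mistake: the management NIC was bridged and the switch-port NIC asks for a lease.
BAD_INTERFACES = """\
auto eth0
iface eth0 inet dhcp

auto eth1
iface eth1 inet dhcp

auto br0
iface br0 inet manual
    bridge_ports eth0 zt0
"""


def parse_interfaces(text):
    """Parse ifupdown stanzas into {name: {"auto": bool, "method": str|None, "options": {key: [values]}}}."""
    ifaces = {}
    current = None

    def entry(name):
        return ifaces.setdefault(name, {"auto": False, "method": None, "options": {}})

    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # strip comments and surrounding whitespace
        if not line:
            continue
        words = line.split()
        if words[0] == "auto":
            for name in words[1:]:
                entry(name)["auto"] = True
            current = None
        elif words[0] == "iface" and len(words) >= 4:
            current = entry(words[1])
            current["method"] = words[3]      # e.g. dhcp, static, manual
        elif current is not None:
            current["options"][words[0]] = words[1:]
    return ifaces


def check_bridge_config(text, bridge="br0", lan_port="eth1", zt_port="zt0", mgmt="eth0"):
    """Return a list of problems; an empty list means the stanzas match the tutorial's layout."""
    ifaces = parse_interfaces(text)
    problems = []
    br = ifaces.get(bridge)
    if br is None:
        return [f"no iface stanza for {bridge}"]
    ports = br["options"].get("bridge_ports", [])
    for needed in (lan_port, zt_port):
        if needed not in ports:
            problems.append(f"{bridge} bridge_ports does not include {needed}")
    if mgmt in ports:
        # Bridging the NIC you manage the box over is how you lock yourself out.
        problems.append(f"{mgmt} is both the management interface and a {bridge} port")
    port = ifaces.get(lan_port)
    if port is None or port["method"] != "manual" or "address" in port["options"]:
        problems.append(f"{lan_port} should be 'inet manual' with no address of its own")
    if not br["auto"]:
        problems.append(f"{bridge} is not listed in an 'auto' line")
    return problems


if __name__ == "__main__":
    for label, text in (("good", GOOD_INTERFACES), ("bad", BAD_INTERFACES)):
        print(label, check_bridge_config(text) or ["ok"])
```

To check a real file, read /etc/network/interfaces into a string and pass it to check_bridge_config before running ifup; an empty result means the bridge stanza matches the layout this tutorial expects.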

Notes

Note that the non-bridging ZeroTier instances get an IP address from the ZeroTier portal, but that they do not actually use DHCP to get it. That is, this tutorial does not assume you configure your zt0 interface on the laptops to request a DHCP address, or that you run sudo dhclient zt0. You can do this, in which case you should receive a DHCP reply from the DHCP server in your office network. However, this approach may have its own disadvantages.