For minimal operation, outbound UDP on port 9993 (and reply packets) should be allowed to ZeroTIer's root servers. Allowing other UDP is ideal since it allows peer to peer connectivity, but these IPs on 9993 are the minimal requirement for ZeroTier to work:
root-ams-01.zerotier.com has address 195.181.173.159 root-ams-01.zerotier.com has IPv6 address 2a02:6ea0:c024:: root-sea-01.zerotier.com has address 50.7.73.34 root-sea-01.zerotier.com has IPv6 address 2001:49f0:d002:6::2 root-mia-01.zerotier.com has address 103.195.103.66 root-mia-01.zerotier.com has IPv6 address 2605:9880:400:c3:254:f2bc:a1f7:19 root-sgp-01.zerotier.com has address 50.7.252.138 root-sgp-01.zerotier.com has IPv6 address 2001:49f0:d0db:2::2 root-alice-sfo-01.zerotier.com has address 107.170.197.14 root-alice-sfo-01.zerotier.com has IPv6 address 2604:a880:1:20::200:e001 root-bob-dfw-01.zerotier.com has address 45.32.198.130 root-bob-dfw-01.zerotier.com has IPv6 address 2001:19f0:6400:81c3:5400:ff:fe18:1d61
These are Amsterdam, Seattle, Miami, and Singapore
We've also created a DNS record:
host root.zerotier.com
These IPs are subject to change and new root points of presence could be added or removed.