====== Setting up a Zerotier Exit Gateway in a Debian 10 LXC Container ======
This guide will walk you through the process of creating a Zerotier exit gateway in a Debian 10 LXC container to enable communication between networks.
I made this using an Ubuntu 22.04 LXC template.
===== Prerequisites =====
- A Debian 10 container placed on the same vmbr as the network you want to reach.
===== Step 1: Prepare the Container =====
1. Create a Debian 10 container and place it on the same vmbr as the target network.
2. Add the following line to your container's configuration:
<code>
lxc.mount.entry: /dev/net dev/net none bind,create=dir
</code>
===== Step 2: Enable IP Forwarding =====
3. Edit ''/etc/sysctl.conf'' and uncomment the line ''net.ipv4.ip_forward=1''.
4. Apply the IP forwarding changes by running: ''sysctl -p''
===== Step 3: Install Necessary Packages =====
5. Install the required packages: ''apt update && apt install curl gnupg iptables iptables-persistent''
===== Step 4: Install Zerotier =====
6. Install Zerotier with the following command:
<code>
curl -s https://install.zerotier.com | bash
</code>
===== Step 5: Join Zerotier Network =====
7. Join the Zerotier network using its network ID (the ''<NETWORK_ID>'' placeholder below stands for your own 16-character network ID): ''zerotier-cli join <NETWORK_ID>''
8. Accept the client in Zerotier Central.
===== Step 6: Add a Route =====
9. In Zerotier Central, add a route to the local network you want to reach via Zerotier. Set the "Destination" field to your local network address (e.g., 192.168.1.0/24) and the "Via" field to the Zerotier IP address of the LXC container.
===== Step 7: Configure iptables =====
10. Create and edit the file ''/etc/iptables/rules.v4'' and paste the following iptables rules (''<ZT_NETWORK>'' and ''<LXC_IP>'' are placeholders to fill in):
<code>
*nat
:PREROUTING ACCEPT [0:0]
:INPUT ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
-A POSTROUTING -o eth0 -s <ZT_NETWORK>/24 -j SNAT --to-source <LXC_IP>
COMMIT
*filter
:INPUT ACCEPT [0:0]
:FORWARD DROP [0:0]
-A FORWARD -i zt+ -s <ZT_NETWORK>/24 -d 0.0.0.0/0 -j ACCEPT
-A FORWARD -i eth0 -s 0.0.0.0/0 -d <ZT_NETWORK>/24 -j ACCEPT
:OUTPUT ACCEPT [0:0]
COMMIT
</code>
Replace all instances of ''<ZT_NETWORK>'' with the address of your Zerotier network. The template shows a /24 prefix length; use the prefix length your Zerotier network actually has (the example below uses a /16).
Replace ''<LXC_IP>'' with the IP address of the LXC container in your local network.
e.g.
<code>
*nat
:PREROUTING ACCEPT [0:0]
:INPUT ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
-A POSTROUTING -o eth0 -s 10.241.0.0/16 -j SNAT --to-source 192.168.188.250
COMMIT
*filter
:INPUT ACCEPT [0:0]
:FORWARD DROP [0:0]
-A FORWARD -i zt+ -s 10.241.0.0/16 -d 0.0.0.0/0 -j ACCEPT
-A FORWARD -i eth0 -s 0.0.0.0/0 -d 10.241.0.0/16 -j ACCEPT
:OUTPUT ACCEPT [0:0]
COMMIT
</code>
===== Step 8: Apply iptables Rules =====
11. Run ''iptables-restore < /etc/iptables/rules.v4'' to apply the iptables rules.
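The rules file above is easy to get wrong by hand (a missed placeholder, a typo in the CIDR, a bad address), and ''iptables-restore'' then fails or, worse, loads a rule that forwards the wrong prefix. The following POSIX shell script is an added example, not part of the original guide: it validates the two inputs and renders the same ''rules.v4'' contents from them. It also offers an optional stricter variant of the return-path rule, which only admits LAN traffic that answers connections opened from the Zerotier side instead of letting any LAN host initiate traffic into the overlay; whether you want that depends on which direction you actually need to reach. The interface names ''eth0'' and ''zt+'' are taken from the guide; the network and address values are the guide's example values, used here only for illustration.

```shell
#!/bin/sh
# Added example (not from the original guide): render /etc/iptables/rules.v4
# for the Zerotier gateway from parameters instead of hand-editing placeholders.
#   $1  Zerotier network in CIDR form, e.g. 10.241.0.0/16
#   $2  LAN address of the LXC container, e.g. 192.168.188.250
#   $3  optional "strict": only let LAN hosts answer connections that were opened
#       from the Zerotier side, instead of letting any LAN host initiate traffic
#       into the overlay (the guide's own rule allows both directions).
# Interface names eth0 and zt+ follow the guide; adjust if your container differs.

# Return 0 if $1 is a dotted-quad IPv4 address with every octet in 0..255.
valid_ipv4() {
    case $1 in ''|.*|*.|*..*) return 1 ;; esac
    oldifs=$IFS; IFS=.
    set -- $1            # split on dots into positional parameters
    IFS=$oldifs
    [ $# -eq 4 ] || return 1
    for o in "$@"; do
        case $o in ''|*[!0-9]*) return 1 ;; esac
        [ "$o" -le 255 ] || return 1
    done
    return 0
}

# Return 0 if $1 is an IPv4 network in CIDR form with a prefix length of 0..32.
valid_cidr() {
    case $1 in */*) ;; *) return 1 ;; esac
    addr=${1%/*}; plen=${1##*/}
    valid_ipv4 "$addr" || return 1
    case $plen in ''|*[!0-9]*) return 1 ;; esac
    [ "$plen" -le 32 ]
}

# Print the rules.v4 contents to stdout. On bad input print a message to stderr,
# print nothing to stdout and return 1, so a redirect never clobbers a good file.
render_rules() {
    zt_net=$1; lxc_ip=$2; mode=${3:-open}
    valid_cidr "$zt_net" || { echo "bad Zerotier network: $zt_net" >&2; return 1; }
    valid_ipv4 "$lxc_ip" || { echo "bad LXC address: $lxc_ip" >&2; return 1; }
    if [ "$mode" = strict ]; then
        # Stateful return path: LAN -> overlay only for replies to overlay-initiated flows.
        back="-A FORWARD -i eth0 -d $zt_net -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT"
    else
        # The guide's rule: any LAN source may reach the overlay network.
        back="-A FORWARD -i eth0 -s 0.0.0.0/0 -d $zt_net -j ACCEPT"
    fi
    cat <<EOF
*nat
:PREROUTING ACCEPT [0:0]
:INPUT ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
-A POSTROUTING -o eth0 -s $zt_net -j SNAT --to-source $lxc_ip
COMMIT
*filter
:INPUT ACCEPT [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A FORWARD -i zt+ -s $zt_net -d 0.0.0.0/0 -j ACCEPT
$back
COMMIT
EOF
}

# Usage (the values are the guide's example values):
#   render_rules 10.241.0.0/16 192.168.188.250 > /etc/iptables/rules.v4
#   render_rules 10.241.0.0/16 192.168.188.250 strict | iptables-restore --test
```

Source the script (or paste the functions into a shell) and redirect ''render_rules'' into ''/etc/iptables/rules.v4''. Piping the output through ''iptables-restore --test'' first parses the ruleset without committing it, which catches syntax problems before Step 8 loads the rules for real. The ''strict'' variant needs the conntrack match, which the ''iptables'' package installed in Step 3 provides.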
===== Step 9: Enable Traffic Routing and Masquerading (if needed) =====
12. If the LXC container sits on a different VLAN than the clients that need to reach the VPN network, add a route on that router with destination 10.10.0.0/16 (your VPN network) and the LXC container's LAN address as the gateway, and enable masquerading so traffic from the other VLAN can reach the VPN network. Use the following NAT rule on the router:
* chain: src-nat
* action: masquerade
* Destination Address: 10.10.0.0/16 (your VPN network)
* Out Interface: 'LXC Container VLAN'
By following these steps, you should have successfully set up a Zerotier exit gateway in your Debian 10 LXC container to facilitate communication between networks.
Resources: https://www.reddit.com/r/Proxmox/comments/jctd6x/comment/g93vloi/?utm_medium=android_app&utm_source=share&context=3
----