
Setting up a ZeroTier Exit Gateway in a Debian 10 LXC Container

This guide walks you through creating a ZeroTier gateway in a Debian 10 LXC container (on Proxmox) so that members of a ZeroTier network can reach the LAN the container is bridged to, i.e. a site-to-site VPN without installing ZeroTier on every host of that LAN.

I made this using an Ubuntu 22.04 LXC template.

Prerequisites

- A Debian 10 container placed on the same vmbr (Proxmox bridge) as the network you want to reach, with root access inside it.
- A ZeroTier network created in ZeroTier Central and its 16-digit network ID.

Step 1: Prepare the Container

1. Create a Debian 10 container and place it on the same vmbr as the target network.

2. Add the following line to the container's configuration on the Proxmox host (/etc/pve/lxc/<CTID>.conf) and restart the container. It bind-mounts the host's /dev/net so that /dev/net/tun exists inside the container; ZeroTier needs it to create its zt* interface:

lxc.mount.entry: /dev/net dev/net none bind,create=dir

Step 2: Enable IP Forwarding

3. Edit /etc/sysctl.conf and uncomment the line net.ipv4.ip_forward=1. Without it the kernel accepts packets addressed to the container itself but refuses to relay them between the zt interface and eth0.

4. Apply the change by running: sysctl -p

Step 3: Install Necessary Packages

5. Install the required packages: apt update && apt install curl gnupg iptables iptables-persistent

Step 4: Install ZeroTier

6. Install ZeroTier with the following command:

curl -s https://install.zerotier.com | bash

This pipes an unverified script into a root shell. ZeroTier's download page also documents a variant that imports ZeroTier's GPG key and checks the script's signature before running it; prefer that on a host that will route between networks.

Step 5: Join the ZeroTier Network

7. Join the ZeroTier network using its network ID: zerotier-cli join <networkid>

8. Authorize the new member (the container's node address) in ZeroTier Central and note the managed IP it is assigned; zerotier-cli listnetworks shows it once the network status is OK.

Step 6: Add a Route

9. In ZeroTier Central, under Managed Routes, add a route to the local network you want to reach via ZeroTier. Set "Destination" to your local network (e.g., 192.168.1.0/24) and "Via" to the ZeroTier managed IP of the LXC container from the previous step. Members then send traffic for that subnet to the container, which forwards it onto the bridged LAN.

Step 7: Configure iptables

10. Create the file /etc/iptables/rules.v4 (iptables-persistent loads it at boot) with the following rules. The nat rule rewrites the source of packets leaving eth0 towards the LAN to the container's own address, so LAN hosts answer to the container and need no route back to the ZeroTier range. The filter rules set the FORWARD policy to DROP and only allow traffic between the zt interface and the LAN:

*nat
:PREROUTING ACCEPT [0:0]
:INPUT ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
-A POSTROUTING -o eth0 -s <ZerotierNetworkCIDR> -j SNAT --to-source <ContainerIPAddress>
COMMIT

*filter
:INPUT ACCEPT [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A FORWARD -i zt+ -s <ZerotierNetworkCIDR> -j ACCEPT
-A FORWARD -i eth0 -d <ZerotierNetworkCIDR> -j ACCEPT
COMMIT

Replace all instances of `<ZerotierNetworkCIDR>` with the managed IP range of your ZeroTier network in CIDR notation (ZeroTier's default ranges are /16, not /24; check the Managed Routes section in Central).

Replace `<ContainerIPAddress>` with the IP address of the LXC container in your local network.

Note that the second FORWARD rule also lets any LAN host open connections into the ZeroTier network; the router-side route in the last step relies on that. Keep it only if you want the LAN to initiate traffic too.

e.g.

*nat
:PREROUTING ACCEPT [0:0]
:INPUT ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
-A POSTROUTING -o eth0 -s 10.241.0.0/16 -j SNAT --to-source 192.168.188.250
COMMIT

*filter
:INPUT ACCEPT [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A FORWARD -i zt+ -s 10.241.0.0/16 -j ACCEPT
-A FORWARD -i eth0 -d 10.241.0.0/16 -j ACCEPT
COMMIT

Step 8: Apply iptables Rules

11. Run iptables-restore < /etc/iptables/rules.v4 to apply the rules now; iptables-persistent reloads the same file at boot. Check with iptables -S FORWARD and iptables -t nat -S POSTROUTING that the rules are loaded and that the FORWARD policy is DROP.
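The container-side steps above (forwarding, packages, ZeroTier install, join, rules file) collected into one script. This is an added example, not code from the original page or from ZeroTier. ZT_NETWORK_ID, ZT_CIDR, LAN_IF and CT_IP are assumed values to be replaced; the signature-checked install command is the one ZeroTier publishes on its download page and is used instead of piping the installer straight into bash. Compared with the rules on the page, render_rules validates the CIDR before writing it, names both interfaces in each FORWARD rule and matches established replies by conntrack; the policy itself (ZeroTier members reach the LAN, LAN hosts may also initiate) is unchanged.

```shell
#!/usr/bin/env bash
# Added example (not from the original page): container-side setup of the
# ZeroTier gateway. Values below are assumptions; override via environment.
set -eu

ZT_NETWORK_ID="${ZT_NETWORK_ID:-0000000000000000}"   # 16 hex digits, placeholder
ZT_CIDR="${ZT_CIDR:-10.241.0.0/16}"                  # managed range from Central
LAN_IF="${LAN_IF:-eth0}"                              # interface on the bridged LAN
CT_IP="${CT_IP:-192.168.188.250}"                     # container's LAN address

# Accept only a.b.c.d/n with octets <= 255 and 0 <= n <= 32, so a typo in
# ZT_CIDR cannot produce a rule that NATs far more than intended or a file
# that fails to load at boot.
is_cidr() {
  case "$1" in
    *[!0-9./]*|*/|/*) return 1 ;;
  esac
  local ip="${1%/*}" plen="${1#*/}"
  [ "$ip" != "$1" ] || return 1                      # no prefix length given
  [ "$plen" -ge 0 ] 2>/dev/null && [ "$plen" -le 32 ] || return 1
  local IFS=. o n=0
  for o in $ip; do
    [ -n "$o" ] && [ "$o" -le 255 ] 2>/dev/null || return 1
    n=$((n + 1))
  done
  [ "$n" -eq 4 ]
}

# Emit /etc/iptables/rules.v4. Same policy as the page (ZeroTier members reach
# the LAN; LAN hosts may also initiate into the ZeroTier range), but each
# FORWARD rule names both interfaces and replies are matched by conntrack.
render_rules() {
  local zt_cidr="$1" lan_if="$2" ct_ip="$3"
  is_cidr "$zt_cidr" || { echo "render_rules: bad CIDR '$zt_cidr'" >&2; return 1; }
  cat <<EOF
*nat
:PREROUTING ACCEPT [0:0]
:INPUT ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
-A POSTROUTING -o ${lan_if} -s ${zt_cidr} -j SNAT --to-source ${ct_ip}
COMMIT
*filter
:INPUT ACCEPT [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A FORWARD -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -i zt+ -o ${lan_if} -s ${zt_cidr} -j ACCEPT
-A FORWARD -i ${lan_if} -o zt+ -d ${zt_cidr} -j ACCEPT
COMMIT
EOF
}

# Privileged steps; run as root inside the container with "apply".
apply_gateway() {
  sed -i 's/^#*\s*net\.ipv4\.ip_forward=.*/net.ipv4.ip_forward=1/' /etc/sysctl.conf
  grep -q '^net\.ipv4\.ip_forward=1' /etc/sysctl.conf \
    || echo 'net.ipv4.ip_forward=1' >> /etc/sysctl.conf
  sysctl -p
  apt-get update
  DEBIAN_FRONTEND=noninteractive apt-get install -y curl gnupg iptables iptables-persistent
  # Signature-checked install as documented on zerotier.com/download, instead
  # of piping an unverified script into bash.
  curl -s 'https://raw.githubusercontent.com/zerotier/ZeroTierOne/master/doc/contact%40zerotier.com.gpg' | gpg --import
  if z=$(curl -s 'https://install.zerotier.com/' | gpg); then echo "$z" | bash; fi
  zerotier-cli join "$ZT_NETWORK_ID"
  render_rules "$ZT_CIDR" "$LAN_IF" "$CT_IP" > /etc/iptables/rules.v4
  iptables-restore < /etc/iptables/rules.v4
}

# Checks that each step took; run after authorizing the member in Central.
verify_gateway() {
  [ "$(sysctl -n net.ipv4.ip_forward)" = 1 ] || { echo "ip_forward is off" >&2; return 1; }
  [ -c /dev/net/tun ] || { echo "/dev/net/tun missing: check lxc.mount.entry" >&2; return 1; }
  zerotier-cli listnetworks | grep -q "$ZT_NETWORK_ID.* OK " \
    || { echo "network $ZT_NETWORK_ID not joined or not authorized" >&2; return 1; }
  iptables -t nat -S POSTROUTING | grep -q -- "--to-source $CT_IP" \
    || { echo "SNAT rule not loaded" >&2; return 1; }
  echo "gateway OK: $ZT_CIDR -> $LAN_IF via $CT_IP"
}

case "${1:-}" in
  render) render_rules "$ZT_CIDR" "$LAN_IF" "$CT_IP" ;;
  apply)  apply_gateway ;;
  verify) verify_gateway ;;
esac
```

Run it with `render` first to inspect the generated rules, with `apply` as root inside the container, and with `verify` once the member has been authorized in ZeroTier Central; with no argument it defines the functions and does nothing.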

Step 9: Add a Route on the LAN Router (if needed)

12. For hosts on the LAN to initiate connections into the ZeroTier network (the other direction needs nothing more, since the SNAT rule makes replies go to the container's address), add on your router the static route "dst: <ZerotierNetworkCIDR> (e.g. 10.241.0.0/16) gateway: <LXC container local address, e.g. 192.168.188.250>". If those hosts sit on a different VLAN from the container, also add a source NAT rule so that their traffic leaves the router with an address on the container's VLAN, which the managed route from Step 6 already covers:

  • chain: src-nat
  • action: masquerade
  • Destination Address: <ZerotierNetworkCIDR> (your VPN network)
  • Out Interface: 'LXC Container VLAN'

Without the masquerade, replies from ZeroTier members to the other VLAN have no route back unless you also add that VLAN as a managed route in ZeroTier Central.

By following these steps, you should have successfully set up a Zerotier exit gateway in your Debian 10 LXC container to facilitate communication between networks.

Resources: https://www.reddit.com/r/Proxmox/comments/jctd6x/comment/g93vloi/?utm_medium=android_app&utm_source=share&context=3

vpn_site2site_usando_zerotier_con_bridge_en_lxc.1730043456.txt.gz · Last modified: 2024/10/27 15:37 by oso