Setting up a Zerotier Exit Gateway in a Debian 10 LXC Container
This guide walks through creating a Zerotier gateway in a Debian 10 LXC container on a Proxmox host. The container joins the Zerotier network and forwards traffic between it and a physical LAN, so Zerotier members can reach LAN hosts (and, with the router route in the last step, LAN hosts can reach Zerotier members).
I made this using an Ubuntu 22.04 LXC template.
Prerequisites
- A Debian 10 container attached to the same Proxmox bridge (vmbrX) as the LAN you want to reach, with an address on that LAN.
Step 1: Prepare the Container
1. Create a Debian 10 container and attach it to the same bridge (vmbrX) as the target network.
2. Zerotier needs /dev/net/tun inside the container. Add the following line to the container's configuration on the Proxmox host (/etc/pve/lxc/<CTID>.conf) and restart the container so the bind mount takes effect:
lxc.mount.entry: /dev/net dev/net none bind,create=dir
Step 2: Enable IP Forwarding
3. Edit /etc/sysctl.conf and uncomment the line net.ipv4.ip_forward=1. Without it the kernel silently drops every packet that is not addressed to the container itself, whatever the iptables rules say.
4. Apply the change by running: sysctl -p. Check with sysctl net.ipv4.ip_forward, which must print 1.
Step 3: Install Necessary Packages
5. Install the required packages: apt update && apt install curl gnupg iptables iptables-persistent
Step 4: Install Zerotier
6. Install Zerotier with the project's install script:
curl -s https://install.zerotier.com | bash
Piping a remote script into a root shell is a supply-chain risk. The script is GPG-signed by ZeroTier, and their download page also publishes a variant of the command that imports their key and verifies the signature before running it; at minimum, download the script to a file, read it, and run it from there.
Step 5: Join Zerotier Network
7. Join the Zerotier network using the 16-hex-digit network ID from Zerotier Central: zerotier-cli join <networkid>
8. Authorize the new member in Zerotier Central. zerotier-cli listnetworks in the container should then show the network as OK with an assigned managed IP.
Step 6: Add a Route
9. In Zerotier Central, under Managed Routes, add a route for the LAN you want to reach. Set the "Destination" field to the LAN address (e.g., 192.168.1.0/24) and the "Via" field to the Zerotier-managed IP of the LXC container (the address shown by zerotier-cli listnetworks, not its LAN address). Members then route that LAN through the container.
Step 7: Configure iptables
10. Create the file /etc/iptables/rules.v4 in iptables-save format with the following rules, one entry per line:
*nat
:PREROUTING ACCEPT [0:0]
:INPUT ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
-A POSTROUTING -o eth0 -s <ZerotierNetwork> -j SNAT --to-source <ContainerIPAddress>
COMMIT
*filter
:INPUT ACCEPT [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A FORWARD -i zt+ -s <ZerotierNetwork> -d 0.0.0.0/0 -j ACCEPT
-A FORWARD -i eth0 -s 0.0.0.0/0 -d <ZerotierNetwork> -j ACCEPT
COMMIT
Replace every instance of `<ZerotierNetwork>` with the managed IPv4 range of your Zerotier network including its prefix length (the range Central assigns to members, e.g. 10.241.0.0/16), not the 16-digit network ID. Use the same value in all three rules.
Replace `<ContainerIPAddress>` with the IP address of the LXC container on your local network.
What the rules do: the SNAT rule rewrites the source of packets coming from the Zerotier range and leaving on eth0 to the container's LAN address, so LAN hosts reply to the container rather than to a 10.x address they have no route for. The FORWARD policy is DROP, so only two paths are forwarded: Zerotier members to anywhere, and LAN hosts to the Zerotier range. Note that the second rule lets any LAN host open connections to Zerotier members, not only answer them; tighten it if that is more than you want. Replace eth0 if the container's LAN interface is named differently.
e.g.
*nat
:PREROUTING ACCEPT [0:0]
:INPUT ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
-A POSTROUTING -o eth0 -s 10.241.0.0/16 -j SNAT --to-source 192.168.188.250
COMMIT
*filter
:INPUT ACCEPT [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A FORWARD -i zt+ -s 10.241.0.0/16 -d 0.0.0.0/0 -j ACCEPT
-A FORWARD -i eth0 -s 0.0.0.0/0 -d 10.241.0.0/16 -j ACCEPT
COMMIT
Step 8: Apply iptables Rules
11. Run iptables-restore < /etc/iptables/rules.v4 to apply the rules now; iptables-persistent reloads the same file at boot. Verify with iptables -t nat -S POSTROUTING and iptables -S FORWARD, then ping a LAN host from a Zerotier member.
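As an added example (not part of the original guide), the following POSIX shell script renders the rules.v4 file from three parameters so that the Zerotier range, the container's LAN address and the LAN interface cannot drift apart between the nat and filter tables, checks that the values at least look like an address and a CIDR, and optionally runs iptables-restore in test mode before the file is installed. The values 10.241.0.0/16, 192.168.188.250 and eth0 are the guide's own example values; the script name, the LAN_INITIATES switch (which offers a tighter variant of the LAN-to-Zerotier rule than the guide's) and the --write convention are my assumptions.

```shell
#!/bin/sh
# Added example, not part of the original guide: render and sanity-check the
# /etc/iptables/rules.v4 file for the Zerotier gateway container from three
# parameters, so the Zerotier range, container IP and LAN interface stay
# consistent between the nat and filter tables. The LAN_INITIATES switch is an
# assumption of this script, not something the guide describes.

# Shape checks only: a value must look like an IPv4 address or an IPv4 CIDR.
is_ipv4() { printf '%s\n' "$1" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}$'; }
is_cidr() { printf '%s\n' "$1" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}/([0-9]|[12][0-9]|3[0-2])$'; }

# render_rules ZT_RANGE CONTAINER_IP LAN_IF [LAN_INITIATES]
#   ZT_RANGE      managed IPv4 range of the Zerotier network (e.g. 10.241.0.0/16)
#   CONTAINER_IP  the container's address on the LAN (used as the SNAT source)
#   LAN_IF        the container's LAN-facing interface
#   LAN_INITIATES "yes" keeps the guide's behaviour (LAN hosts may open
#                 connections to Zerotier members); "no" only lets replies back
render_rules() {
  zt="$1"; ip="$2"; ifc="$3"; lan_init="${4:-yes}"
  is_cidr "$zt" || { echo "bad Zerotier range: $zt" >&2; return 1; }
  is_ipv4 "$ip" || { echo "bad container IP: $ip" >&2; return 1; }
  if [ "$lan_init" = yes ]; then
    lan_to_zt="-A FORWARD -i $ifc -d $zt -j ACCEPT"
  else
    lan_to_zt="-A FORWARD -i $ifc -d $zt -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT"
  fi
  cat <<EOF
*nat
:PREROUTING ACCEPT [0:0]
:INPUT ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
# Zerotier-originated packets leave on the LAN with the container's own address
-A POSTROUTING -o $ifc -s $zt -j SNAT --to-source $ip
COMMIT
*filter
:INPUT ACCEPT [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
# Only two forwarding paths exist; anything else hits the DROP policy
-A FORWARD -i zt+ -s $zt -j ACCEPT
$lan_to_zt
COMMIT
EOF
}

# write_rules ZT_RANGE CONTAINER_IP LAN_IF OUTFILE [LAN_INITIATES]
# Render to a file and, where iptables-restore is present, parse the file in
# --test mode so a syntax error is caught before it is loaded at boot.
write_rules() {
  out="$4"
  render_rules "$1" "$2" "$3" "${5:-yes}" > "$out" || return 1
  if command -v iptables-restore >/dev/null 2>&1; then
    iptables-restore --test < "$out" || return 1
  fi
  echo "wrote $out"
}

# Only act when asked, so sourcing this file for its functions has no side effects:
#   sh gateway-rules.sh --write 10.241.0.0/16 192.168.188.250 eth0 /etc/iptables/rules.v4
if [ "${1:-}" = "--write" ]; then
  write_rules "$2" "$3" "$4" "$5"
  # Forwarding must also be on (Step 2), or the rules never see a packet.
  sysctl -n net.ipv4.ip_forward | grep -qx 1 || echo "warning: net.ipv4.ip_forward is not 1" >&2
fi
```

Running it with --write as root writes the file and warns if IP forwarding is still off; iptables-restore < /etc/iptables/rules.v4 then loads it as in step 11. Passing "no" as the fifth argument makes the LAN-to-Zerotier rule stateful, so LAN hosts can only answer connections that Zerotier members opened.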
Step 9: Add a Router Route and Masquerading (if needed)
12. The SNAT rule above already lets Zerotier members reach LAN hosts. For LAN hosts to reach Zerotier members, your LAN router needs a static route for the Zerotier range pointing at the container: "dst: 10.10.0.0/16, gateway: <LXC container local address, e.g. 192.168.188.250>", where 10.10.0.0/16 stands for the same Zerotier range you used in the iptables rules. If the LXC container sits on a different VLAN from the hosts that need access, also add a source NAT rule on the router so that traffic towards the Zerotier range leaves on the container's VLAN with a source address the container can route back to:
- chain: src-nat
- action: masquerade
- Destination Address: 10.10.0.0/16 (your Zerotier network range)
- Out Interface: 'LXC Container VLAN'
After these steps the Debian 10 LXC container acts as a Zerotier gateway: Zerotier members reach the LAN through it, and LAN hosts with the router route in place reach Zerotier members.
Uninstall Zerotier
Uninstall
apt remove zerotier-one
If you want to blow away the config it created:
dpkg -P zerotier-one
rm -rf /var/lib/zerotier-one/
