vpn_site2site_usando_zerotier_con_bridge_en_lxc

Setting up a Zerotier Exit Gateway in a Debian 10 LXC Container

This guide will walk you through the process of creating a Zerotier exit gateway in a Debian 10 LXC container to enable communication between networks.

I made this using an Ubuntu 22.04 LXC template.

Prerequisites

- A Debian 10 container placed on the same vmbr as the network you want to reach.

Step 1: Prepare the Container

1. Create a Debian 10 container and place it on the same vmbr as the target network.

2. Add the following line to your container's configuration:

lxc.mount.entry: /dev/net dev/net none bind,create=dir

Step 2: Enable IP Forwarding

3. Edit /etc/sysctl.conf and uncomment the line net.ipv4.ip_forward=1.

4. Apply the IP forwarding changes by running: sysctl -p

Step 3: Install Necessary Packages

5. Install the required packages: apt update && apt install curl gnupg iptables iptables-persistent

Step 4: Install Zerotier

6. Install Zerotier with the following command:

curl -s https://install.zerotier.com | bash

Step 5: Join Zerotier Network

7. Join the Zerotier network using the network ID: zerotier-cli join <networkid>

8. Accept the client in Zerotier Central.

Step 6: Add a Route

9. In Zerotier Central, add a route to the local network you want to reach via Zerotier. Set the “Destination” field to your local network address (e.g., 192.168.1.0/24) and the “Via” field to the Zerotier IP address of the LXC container.

Step 7: Configure iptables

10. Create and edit the file /etc/iptables/rules.v4 and paste the following iptables rules:

*nat
:PREROUTING ACCEPT [0:0]
:INPUT ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
-A POSTROUTING -o eth0 -s <ZerotierNetwork>/24 -j SNAT --to-source <ContainerIPAddress>
COMMIT

*filter
:INPUT ACCEPT [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A FORWARD -i zt+ -s <ZerotierNetwork>/24 -d 0.0.0.0/0 -j ACCEPT
-A FORWARD -i eth0 -s 0.0.0.0/0 -d <ZerotierNetwork>/24 -j ACCEPT
COMMIT

Replace all instances of `<ZerotierNetwork>/24` with your Zerotier network in CIDR notation; the prefix length must match the network you joined (the example below uses a /16, not a /24).

Replace `<ContainerIPAddress>` with the IP address of the LXC container in your local network (the address that forwarded Zerotier traffic is SNATed to).

For example:

*nat
:PREROUTING ACCEPT [0:0]
:INPUT ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
-A POSTROUTING -o eth0 -s 10.241.0.0/16 -j SNAT --to-source 192.168.188.250
COMMIT

*filter
:INPUT ACCEPT [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A FORWARD -i zt+ -s 10.241.0.0/16 -d 0.0.0.0/0 -j ACCEPT
-A FORWARD -i eth0 -s 0.0.0.0/0 -d 10.241.0.0/16 -j ACCEPT
COMMIT

Step 8: Apply iptables Rules

11. Run iptables-restore < /etc/iptables/rules.v4 to apply the iptables rules.

Step 9: Enable Traffic Routing and Masquerading (if needed)

12. On your network router, add a route with destination 10.10.0.0/16 (your VPN network) and gateway set to the LXC container's local address (e.g. 192.168.188.250). If the LXC container sits on a different VLAN and hosts on another VLAN need to reach the VPN network, the traffic must also be masqueraded; use the following rule:

  • chain: src-nat
  • action: masquerade
  • Destination Address: 10.10.0.0/16 (your VPN network)
  • Out Interface: 'LXC Container VLAN'
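Added example (mine, not part of the original guide): a short Python script that checks the addressing used in Steps 6 and 7 for consistency (no overlap between the LAN and the Zerotier network, container addresses inside the right networks) and renders /etc/iptables/rules.v4 with the Zerotier prefix length taken from the network you actually joined, so the `/24` in the template and the `/16` in the example cannot be mixed up. The `lan_initiated=False` option, which limits the LAN-to-Zerotier FORWARD rule to return traffic, is my own hardening assumption and not something the guide configures.

```python
"""Validate the gateway addressing and render /etc/iptables/rules.v4 (added example)."""
import ipaddress

def check_addressing(lan_net, zt_net, container_lan_ip, container_zt_ip):
    """Return a list of problems; an empty list means the values are consistent."""
    lan = ipaddress.ip_network(lan_net, strict=True)  # strict=True rejects host bits set
    zt = ipaddress.ip_network(zt_net, strict=True)
    lan_ip = ipaddress.ip_address(container_lan_ip)
    zt_ip = ipaddress.ip_address(container_zt_ip)
    problems = []
    if lan.overlaps(zt):
        problems.append(f"LAN {lan} overlaps Zerotier network {zt}: routes are ambiguous")
    if lan_ip not in lan:
        problems.append(f"container LAN address {lan_ip} is not in {lan} (SNAT --to-source)")
    if zt_ip not in zt:
        problems.append(f"container Zerotier address {zt_ip} is not in {zt} ('Via' in Central)")
    return problems

def render_rules_v4(zt_net, container_lan_ip, lan_if="eth0", lan_initiated=True):
    """Render the Step 7 ruleset with the Zerotier prefix carried over verbatim."""
    zt = ipaddress.ip_network(zt_net, strict=True)
    src = ipaddress.ip_address(container_lan_ip)
    if lan_initiated:
        # As in the guide: any LAN host may open connections towards Zerotier peers.
        lan_to_zt = f"-A FORWARD -i {lan_if} -s 0.0.0.0/0 -d {zt} -j ACCEPT"
    else:
        # Tighter variant (my assumption, not the guide's): LAN side only carries replies.
        lan_to_zt = (f"-A FORWARD -i {lan_if} -d {zt} -m conntrack "
                     "--ctstate ESTABLISHED,RELATED -j ACCEPT")
    lines = [
        "*nat",
        ":PREROUTING ACCEPT [0:0]", ":INPUT ACCEPT [0:0]",
        ":OUTPUT ACCEPT [0:0]", ":POSTROUTING ACCEPT [0:0]",
        f"-A POSTROUTING -o {lan_if} -s {zt} -j SNAT --to-source {src}",
        "COMMIT",
        "*filter",
        ":INPUT ACCEPT [0:0]", ":FORWARD DROP [0:0]", ":OUTPUT ACCEPT [0:0]",
        f"-A FORWARD -i zt+ -s {zt} -d 0.0.0.0/0 -j ACCEPT",
        lan_to_zt,
        "COMMIT",
    ]
    return "\n".join(lines) + "\n"

if __name__ == "__main__":
    # 10.241.0.0/16 and 192.168.188.250 come from the guide's example; the LAN prefix
    # 192.168.188.0/24 and the container's Zerotier address 10.241.20.5 are constructed.
    for p in check_addressing("192.168.188.0/24", "10.241.0.0/16", "192.168.188.250", "10.241.20.5"):
        print("WARNING:", p)
    print(render_rules_v4("10.241.0.0/16", "192.168.188.250"), end="")
```

Redirect the output into /etc/iptables/rules.v4 and load it with `iptables-restore` as in Step 8.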

By following these steps, you should have successfully set up a Zerotier exit gateway in your Debian 10 LXC container to facilitate communication between networks.

Resources: https://www.reddit.com/r/Proxmox/comments/jctd6x/comment/g93vloi/?utm_medium=android_app&utm_source=share&context=3


Uninstall Zerotier

Uninstall

apt remove zerotier-one

If you want to blow away the config it created:

dpkg -P zerotier-one
rm -rf /var/lib/zerotier-one/

Issue Summary: ZeroTier TUN/TAP Device Error in LXC

Problem: After migrating an LXC container with ZeroTier from a Proxmox environment to an Ubuntu Hyper-V setup, ZeroTier failed to start, logging the following error:

ERROR: unable to configure virtual network port: could not open TUN/TAP device: No such file or directory

This error suggested that ZeroTier was unable to open a TUN/TAP device, which it requires for creating virtual network interfaces.

Troubleshooting Steps

  1. Configuration Comparison:

Compared the original Proxmox LXC configuration with the new setup. Verified that the TUN device was mounted with the line:

    `lxc.mount.entry = /dev/net dev/net none bind,create=dir`

  2. Verification of `/dev/net/tun`:

Checked within the container to confirm that `/dev/net/tun` was present. However, access permissions were limited.

  3. Adjusting Permissions:

Set permissions on the TUN device with:

    `chmod 0666 /dev/net/tun`

  4. LXC Configuration Adjustments:

Ensured the configuration included the following settings:

    `lxc.mount.entry = /dev/net dev/net none bind,create=dir`
    `lxc.apparmor.allow_nesting = 1`

  5. Network Configuration Clarification:

Noted that the `lxcbr0` bridge had a standard IP (`10.0.3.x/24` from `lxc-net`) and that the container's `eth0` address was `192.168.88.84/24`. Multiple addresses on `lxcbr0` could interfere with routing for ZeroTier.

  6. `lxc-net` and `dnsmasq` Review:

Confirmed that `lxc-net` was set to use `dnsmasq` for DHCP:

    `USE_LXC_BRIDGE="true"`

No additional configurations in `/etc/default/lxc-net` pointed to multiple IP assignments.
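Added example (mine, not from the page): a Python preflight script that turns the checks above into code: the state of `/dev/net/tun` (present, a character device, major/minor 10:200, its mode), whether the container config carries the bind mount and `allow_nesting` lines, and whether `net.ipv4.ip_forward=1` is uncommented in `/etc/sysctl.conf`. The config-file path is passed on the command line because it depends on the host; the script assumes nothing about it.

```python
"""Preflight checks for ZeroTier inside an LXC container (added example, not from the guide)."""
import os
import re
import stat

TUN_MAJOR, TUN_MINOR = 10, 200  # fixed device numbers of the Linux TUN/TAP node

def tun_device_status(path="/dev/net/tun"):
    """Describe the TUN node: missing, not a char device, wrong numbers, or ok with its mode."""
    try:
        st = os.stat(path)
    except FileNotFoundError:
        return "missing"
    if not stat.S_ISCHR(st.st_mode):
        return "not a character device"
    major, minor = os.major(st.st_rdev), os.minor(st.st_rdev)
    if (major, minor) != (TUN_MAJOR, TUN_MINOR):
        return f"unexpected device numbers {major}:{minor}"
    return f"ok mode {stat.S_IMODE(st.st_mode):04o}"  # the guide sets 0666 in step 3

def lxc_config_findings(config_text):
    """Check a container config for the two settings the troubleshooting relied on."""
    findings = []
    # Accept both spellings seen on this page: 'lxc.mount.entry:' (Proxmox) and 'lxc.mount.entry ='.
    if not re.search(r"^lxc\.mount\.entry\s*[:=]\s*/dev/net\s+dev/net\s+none\s+bind", config_text, re.M):
        findings.append("no lxc.mount.entry bind-mounting /dev/net into the container")
    if not re.search(r"^lxc\.apparmor\.allow_nesting\s*[:=]\s*1\b", config_text, re.M):
        findings.append("lxc.apparmor.allow_nesting is not set to 1")
    return findings

def ip_forward_enabled(sysctl_text):
    """True when net.ipv4.ip_forward=1 is present and not commented out (Step 2)."""
    return re.search(r"^\s*net\.ipv4\.ip_forward\s*=\s*1\s*$", sysctl_text, re.M) is not None

if __name__ == "__main__":
    import sys
    print("TUN device:", tun_device_status())
    if len(sys.argv) > 1:  # argument: path to the container's config file
        for f in lxc_config_findings(open(sys.argv[1]).read()):
            print("config:", f)
    print("ip_forward:", ip_forward_enabled(open("/etc/sysctl.conf").read()))
```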

Resolution and Next Steps

The TUN/TAP issue appears to be due to sandboxing of `/dev/net/tun` within the Ubuntu environment. Planned further steps:

  • Restart LXC services to ensure TUN/TAP stability.
  • Monitor `/var/log/syslog` for recurring errors after each change.
  • Consider testing on Debian as the host OS to identify any host OS limitations affecting `/dev/net/tun` sandboxing in Ubuntu.

This setup and troubleshooting can serve as a reference for similar ZeroTier and TUN/TAP issues within LXC containers.

vpn_site2site_usando_zerotier_con_bridge_en_lxc.1730080591.txt.gz · Last modified: 2024/10/28 01:56 by oso