
Setting up a Zerotier Exit Gateway in a Debian 10 LXC Container

This guide will walk you through the process of creating a Zerotier exit gateway in a Debian 10 LXC container to enable communication between networks.

I made this using an Ubuntu 22.04 LXC template.

Prerequisites

- A Debian 10 container placed on the same vmbr as the network you want to reach.

Step 1: Prepare the Container

1. Create a Debian 10 container and place it on the same vmbr as the target network.

2. Add the following line to your container's configuration:

lxc.mount.entry: /dev/net dev/net none bind,create=dir

Step 2: Enable IP Forwarding

3. Edit /etc/sysctl.conf and uncomment the line net.ipv4.ip_forward=1.

4. Apply the IP forwarding changes by running: sysctl -p

Step 3: Install Necessary Packages

5. Install the required packages: apt update && apt install curl gnupg iptables iptables-persistent

Step 4: Install Zerotier

6. Install Zerotier with the following command:

curl -s https://install.zerotier.com | bash

Step 5: Join Zerotier Network

7. Join the Zerotier network using the network ID: zerotier-cli join <networkid>

8. Accept the client in Zerotier Central.

Step 6: Add a Route

9. In Zerotier Central, add a route to the local network you want to reach via Zerotier. Set the “Destination” field to your local network address (e.g., 192.168.1.0/24) and the “Via” field to the Zerotier IP address of the LXC container.

Step 7: Configure iptables

10. Create and edit the file /etc/iptables/rules.v4 and paste the following iptables rules:

*nat
:PREROUTING ACCEPT [0:0]
:INPUT ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
-A POSTROUTING -o eth0 -s <ZerotierNetwork>/24 -j SNAT --to-source <ContainerIPAddress>
COMMIT

*filter
:INPUT ACCEPT [0:0]
:FORWARD DROP [0:0]
-A FORWARD -i zt+ -s <ZerotierNetwork>/24 -d 0.0.0.0/0 -j ACCEPT
-A FORWARD -i eth0 -s 0.0.0.0/0 -d <ZerotierNetwork>/24 -j ACCEPT
:OUTPUT ACCEPT [0:0]
COMMIT

Replace all instances of `<ZerotierNetwork>` with your Zerotier network, and adjust the prefix length to match it (the template shows /24; the example below uses a /16 network).

Replace `<ContainerIPAddress>` with the IP address of the LXC container in your local network.

For example, with the Zerotier network 10.241.0.0/16 and a container whose local address is 192.168.188.250:

*nat
:PREROUTING ACCEPT [0:0]
:INPUT ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
-A POSTROUTING -o eth0 -s 10.241.0.0/16 -j SNAT --to-source 192.168.188.250
COMMIT
*filter
:INPUT ACCEPT [0:0]
:FORWARD DROP [0:0]
-A FORWARD -i zt+ -s 10.241.0.0/16 -d 0.0.0.0/0 -j ACCEPT
-A FORWARD -i eth0 -s 0.0.0.0/0 -d 10.241.0.0/16 -j ACCEPT
:OUTPUT ACCEPT [0:0]
COMMIT

Step 8: Apply iptables Rules

11. Run iptables-restore < /etc/iptables/rules.v4 to apply the iptables rules. Because iptables-persistent was installed in Step 3, the same file is loaded again at every boot.
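The substitution in Steps 7 and 8 is easy to get wrong by hand (a placeholder left in, or the /24 kept when the network is a /16). The script below is an added example, not part of the original page: it renders the same rules.v4 as the Step 7 template from three arguments (Zerotier prefix, container LAN address, LAN interface name) and refuses malformed input before anything reaches iptables-restore. The function and variable names are the example's own.

```shell
#!/bin/sh
# Added example: render the Step 7 rules.v4 template with its placeholders
# filled in. Not from the original page; render_rules/is_cidr/is_ipv4 are
# names chosen here.

# Return 0 if $1 is a dotted-quad IPv4 address with every octet in 0..255.
is_ipv4() {
    oldifs=$IFS; IFS=.
    set -- $1
    IFS=$oldifs
    [ $# -eq 4 ] || return 1
    for o in "$@"; do
        case "$o" in
            ''|*[!0-9]*) return 1 ;;
        esac
        [ "$o" -le 255 ] || return 1
    done
    return 0
}

# Return 0 if $1 is an IPv4 CIDR prefix such as 10.241.0.0/16.
is_cidr() {
    case "$1" in
        */*) ;;
        *) return 1 ;;
    esac
    addr=${1%/*}
    plen=${1#*/}
    case "$plen" in
        ''|*[!0-9]*) return 1 ;;
    esac
    [ "$plen" -le 32 ] || return 1
    is_ipv4 "$addr"
}

# render_rules ZT_NET CONTAINER_IP LAN_IF
# Print an iptables-restore file equivalent to the page's Step 7 rules.
# Exits 2 on malformed input so a typo cannot produce a file that
# iptables-persistent then fails to load at boot.
render_rules() {
    zt_net=$1; cont_ip=$2; lan_if=$3
    is_cidr "$zt_net" || { echo "bad Zerotier prefix: $zt_net" >&2; return 2; }
    is_ipv4 "$cont_ip" || { echo "bad container address: $cont_ip" >&2; return 2; }
    [ -n "$lan_if" ] || { echo "LAN interface name required" >&2; return 2; }
    cat <<EOF
*nat
:PREROUTING ACCEPT [0:0]
:INPUT ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
# Rewrite the source of Zerotier-originated packets leaving on the LAN side,
# so LAN hosts answer the container instead of needing a route to $zt_net.
-A POSTROUTING -o $lan_if -s $zt_net -j SNAT --to-source $cont_ip
COMMIT

*filter
:INPUT ACCEPT [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
# Default-deny forwarding; only the two directions the gateway needs pass.
-A FORWARD -i zt+ -s $zt_net -d 0.0.0.0/0 -j ACCEPT
-A FORWARD -i $lan_if -s 0.0.0.0/0 -d $zt_net -j ACCEPT
COMMIT
EOF
}

# Usage: sh render_rules.sh 10.241.0.0/16 192.168.188.250 eth0 > /etc/iptables/rules.v4
if [ $# -eq 3 ]; then
    render_rules "$@"
fi
```

Before overwriting /etc/iptables/rules.v4, the generated text can be syntax-checked without touching the live ruleset with `render_rules 10.241.0.0/16 192.168.188.250 eth0 | iptables-restore --test`; the `#` comment lines in the output are ignored by iptables-restore.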

Step 9: Enable Traffic Routing and Masquerading (if needed)

12. On the router of your local network, add the route dst: 10.10.0.0/16, gateway: <LXC container local address, e.g. 192.168.188.250>. If the LXC container sits on a different VLAN and you need traffic masquerading, the following NAT rule lets that other VLAN reach the VPN network:

  • chain: src-nat
  • action: masquerade
  • Destination Address: 10.10.0.0/16 (your VPN network)
  • Out Interface: 'LXC Container VLAN'

By following these steps, you should have successfully set up a Zerotier exit gateway in your Debian 10 LXC container to facilitate communication between networks.

Resources: https://www.reddit.com/r/Proxmox/comments/jctd6x/comment/g93vloi/?utm_medium=android_app&utm_source=share&context=3


About the IPTables Setup

Summary of IPTables Configuration for Gateway Setup

We configured IPTables to allow `srv05` to act as a gateway between the `10.241.0.0/16` network (Zerotier subnet) and `192.168.88.0/24` (homelab subnet). Key adjustments included using network addresses rather than specific interface names to facilitate flexible routing and translation between subnets.

IPTables Rules Configuration

The configuration is as follows. Each table is declared once: iptables-restore flushes a table every time it meets its `*table` line, so a second `*filter` block in the same file would discard the rules of the first one (the Veeam INPUT rules here).

# Generated by iptables-save v1.8.10 (nf_tables) on Sun Oct 27 21:46:33 2024
*filter
:INPUT ACCEPT [27860:3271118]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
# Host services reachable from anywhere
-A INPUT -p tcp -m tcp --dport 6162 -m comment --comment "Veeam transport rule" -j ACCEPT
-A INPUT -p tcp -m tcp --dport 6160 -m comment --comment "Veeam deployment rule" -j ACCEPT
# Forwarding is default-deny; only Zerotier <-> homelab traffic passes
-A FORWARD -s 10.241.0.0/16 -d 192.168.88.0/24 -j ACCEPT
-A FORWARD -s 192.168.88.0/24 -d 10.241.0.0/16 -j ACCEPT
COMMIT

*nat
:PREROUTING ACCEPT [0:0]
:INPUT ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
# Zerotier-originated packets leaving towards the homelab get the gateway's address
-A POSTROUTING -o lxcbr0 -s 10.241.0.0/16 -j SNAT --to-source 192.168.88.84
COMMIT

Notes

  • Routing: By using network address-based rules instead of specific interfaces, the configuration is more adaptable to interface changes, simplifying maintenance.
  • SNAT Rule: The POSTROUTING rule in the *nat table ensures that traffic originating from the `10.241.0.0/16` network and routed through `lxcbr0` is translated to the source IP `192.168.88.84`.
  • Unprivileged LXC Consideration: If switching to unprivileged LXC containers, additional permissions or network namespace adjustments may be required, as unprivileged containers have restricted access to networking by default.

Troubleshooting Guide: Enabling Forwarding Between LXC and ZeroTier Networks

When troubleshooting connectivity between an LXC bridge (lxcbr0) and a ZeroTier VPN interface, follow these steps to ensure proper forwarding of traffic.

Step 1: Allow Forwarding from lxcbr0 to ZeroTier Interface

To allow traffic from lxcbr0 (LXC bridge) to reach the ZeroTier interface (e.g., ztkse3ixxp), add an iptables rule in the FORWARD chain:

sudo iptables -I FORWARD 1 -i lxcbr0 -o ztkse3ixxp -j ACCEPT

This command permits traffic from lxcbr0 to the ZeroTier VPN interface.

Step 2: Allow Reverse Path for Response Traffic

To allow return traffic from ZeroTier to the LXC bridge, add a reverse rule:

sudo iptables -I FORWARD 1 -i ztkse3ixxp -o lxcbr0 -j ACCEPT

This allows responses from ZeroTier-connected devices to reach devices on the lxcbr0 network.

Step 3: Enable NAT (If Required)

If the ZeroTier network has no route for 192.168.88.0/24 (that is, the managed route from Step 6 of the setup guide is missing), enable NAT to masquerade the source IP of outgoing packets. Replies are then addressed to the gateway's ZeroTier address, which un-NATs them back to the originating host:

sudo iptables -t nat -A POSTROUTING -o ztkse3ixxp -s 192.168.88.0/24 -j MASQUERADE

This step is essential if routing between networks is not configured.

Step 4: Verify IP Forwarding is Enabled

Check if IP forwarding is active:

sysctl net.ipv4.ip_forward

If the output is 0, enable IP forwarding temporarily with:

sudo sysctl -w net.ipv4.ip_forward=1

To make this change persistent across reboots, add the following line to /etc/sysctl.conf:

net.ipv4.ip_forward=1

Step 5: Test and Monitor

After applying these configurations, test connectivity (e.g., with ping) and monitor the syslog or dmesg for any FORWARD DROP entries. Note that dropped forwards only show up there if a LOG rule precedes the drop; a bare DROP policy is silent, so `iptables -L FORWARD -v -n` (packet counters per rule) is the quicker way to see which rule is matching.
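Steps 1 to 4 above each add one piece that is easy to lose after a reboot or an unrelated `iptables-restore`. The script below is an added example, not from the original page: it audits an `iptables-save` dump for the two FORWARD rules and the MASQUERADE rule in the printed order iptables-save uses (`-s` before `-o`), reports what is missing, and can run against the live host. The interface and prefix names match the page's examples; `SAMPLE_DUMP` is a constructed dump, and the function names are the example's own.

```shell
#!/bin/sh
# Added example: check an iptables-save dump for the rules the troubleshooting
# steps add. Not from the original page; has_rule/check_gateway/live_check are
# names chosen here.

# Constructed sample (not a real host): both FORWARD rules are present, the
# MASQUERADE rule from Step 3 is not.
SAMPLE_DUMP='# Generated by iptables-save (constructed sample)
*filter
:INPUT ACCEPT [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A FORWARD -i lxcbr0 -o ztkse3ixxp -j ACCEPT
-A FORWARD -i ztkse3ixxp -o lxcbr0 -j ACCEPT
COMMIT
*nat
:POSTROUTING ACCEPT [0:0]
COMMIT'

# has_rule DUMP TABLE PATTERN
# Succeed if a line containing PATTERN (fixed string) exists inside the
# *TABLE block of DUMP; lines outside that block are ignored.
has_rule() {
    printf '%s\n' "$1" | awk -v tbl="*$2" '
        $0 == tbl      { in_tbl = 1; next }
        $0 == "COMMIT" { in_tbl = 0 }
        in_tbl         { print }
    ' | grep -qF -- "$3"
}

# check_gateway DUMP LAN_IF ZT_IF LAN_NET
# Print one line per missing element and return how many are missing
# (0 means the dump contains everything Steps 1-3 add).
check_gateway() {
    dump=$1; lan_if=$2; zt_if=$3; lan_net=$4
    missing=0
    has_rule "$dump" filter "-A FORWARD -i $lan_if -o $zt_if -j ACCEPT" ||
        { echo "MISSING: FORWARD $lan_if -> $zt_if (Step 1)"; missing=$((missing + 1)); }
    has_rule "$dump" filter "-A FORWARD -i $zt_if -o $lan_if -j ACCEPT" ||
        { echo "MISSING: FORWARD $zt_if -> $lan_if (Step 2)"; missing=$((missing + 1)); }
    # iptables-save prints -s before -o, so match that order.
    has_rule "$dump" nat "-s $lan_net -o $zt_if -j MASQUERADE" ||
        { echo "MISSING: POSTROUTING MASQUERADE $lan_net out $zt_if (Step 3, only needed without a ZeroTier route)"; missing=$((missing + 1)); }
    return $missing
}

# live_check LAN_IF ZT_IF LAN_NET
# Audit this host: needs root for iptables-save. Also covers Step 4.
live_check() {
    fwd=$(sysctl -n net.ipv4.ip_forward 2>/dev/null || echo 0)
    [ "$fwd" = 1 ] || echo "MISSING: net.ipv4.ip_forward=1 (Step 4)"
    check_gateway "$(iptables-save 2>/dev/null)" "$@"
}

# Usage: sh check_gateway.sh --live lxcbr0 ztkse3ixxp 192.168.88.0/24
#        sh check_gateway.sh --demo   (runs against the constructed sample)
case "${1-}" in
    --live) shift; live_check "$@" ;;
    --demo) check_gateway "$SAMPLE_DUMP" lxcbr0 ztkse3ixxp 192.168.88.0/24 ;;
esac
```

Running it with `--demo` prints only the Step 3 line, which is the expected result for a setup where the ZeroTier managed route from Step 6 already exists; on a live host the exit status (the number of missing items) makes it usable from cron or a monitoring check.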

vpn_site2site_usando_zerotier_con_bridge_en_lxc.1730134648.txt.gz · Last modified: 2024/10/28 16:57 by oso