Setting up a Zerotier Exit Gateway in a Debian 10 LXC Container
This guide will walk you through the process of creating a Zerotier exit gateway in a Debian 10 LXC container to enable communication between networks.
I made this using an Ubuntu 22.04 LXC template.
Prerequisites
- A Debian 10 container placed on the same vmbr as the network you want to reach.
Step 1: Prepare the Container
1. Create a Debian 10 container and place it on the same vmbr as the target network.
2. Add the following line to your container's configuration so that Zerotier can open /dev/net/tun inside the container:
lxc.mount.entry: /dev/net dev/net none bind,create=dir
Step 2: Enable IP Forwarding
3. Edit /etc/sysctl.conf and uncomment the line net.ipv4.ip_forward=1.
4. Apply the IP forwarding changes by running: sysctl -p
Step 3: Install Necessary Packages
5. Install the required packages: apt update && apt install curl gnupg iptables iptables-persistent
Step 4: Install Zerotier
6. Install Zerotier with the following command:
curl -s https://install.zerotier.com | bash
Step 5: Join Zerotier Network
7. Join the Zerotier network using the network ID: zerotier-cli join <networkid>
8. Accept the client in Zerotier Central.
Step 6: Add a Route
9. In Zerotier Central, add a route to the local network you want to reach via Zerotier. Set the “Destination” field to your local network address (e.g., 192.168.1.0/24) and the “Via” field to the Zerotier IP address of the LXC container.
Step 7: Configure iptables
10. Create and edit the file /etc/iptables/rules.v4 and paste the following iptables rules:
*nat
:PREROUTING ACCEPT [0:0]
:INPUT ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
-A POSTROUTING -o eth0 -s <ZerotierNetwork>/24 -j SNAT --to-source <ContainerIPAddress>
COMMIT
*filter
:INPUT ACCEPT [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A FORWARD -i zt+ -s <ZerotierNetwork>/24 -d 0.0.0.0/0 -j ACCEPT
-A FORWARD -i eth0 -s 0.0.0.0/0 -d <ZerotierNetwork>/24 -j ACCEPT
COMMIT
Replace all instances of `<ZerotierNetwork>/24` with your Zerotier network in CIDR notation (the example below uses 10.241.0.0/16).
Replace `<ContainerIPAddress>` with the IP address of the LXC container in your local network.
For example:
*nat
:PREROUTING ACCEPT [0:0]
:INPUT ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
-A POSTROUTING -o eth0 -s 10.241.0.0/16 -j SNAT --to-source 192.168.188.250
COMMIT
*filter
:INPUT ACCEPT [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A FORWARD -i zt+ -s 10.241.0.0/16 -d 0.0.0.0/0 -j ACCEPT
-A FORWARD -i eth0 -s 0.0.0.0/0 -d 10.241.0.0/16 -j ACCEPT
COMMIT
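As an added example (not part of the original guide), a small POSIX shell script that renders rules.v4 from the template above and sanity-checks the result before it is handed to iptables-restore; the Zerotier network, container address and interface name are the page's own example values, and the shape check on the CIDR is deliberately loose.

```shell
#!/bin/sh
# Added example (not from the original page): render /etc/iptables/rules.v4
# from the template above and sanity-check it before running iptables-restore.

# Emit the rules for ZT_NET (CIDR, e.g. 10.241.0.0/16), CONTAINER_IP and
# LAN_IF (the container's LAN interface; the page's template uses eth0).
render_rules_v4() {
  zt_net="$1"; container_ip="$2"; lan_if="$3"
  case "$zt_net" in          # shape check only: the network must carry a prefix length
    *.*.*.*/*) ;;
    *) echo "render_rules_v4: Zerotier network must be a.b.c.d/len" >&2; return 1 ;;
  esac
  cat <<EOF
*nat
:PREROUTING ACCEPT [0:0]
:INPUT ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
-A POSTROUTING -o $lan_if -s $zt_net -j SNAT --to-source $container_ip
COMMIT
*filter
:INPUT ACCEPT [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A FORWARD -i zt+ -s $zt_net -d 0.0.0.0/0 -j ACCEPT
-A FORWARD -i $lan_if -s 0.0.0.0/0 -d $zt_net -j ACCEPT
COMMIT
EOF
}

# Check a rules file on stdin: each *table header appears once (iptables-restore
# flushes a table at every header, so a repeated *filter silently discards the
# first section), every table ends with COMMIT, and FORWARD defaults to DROP.
lint_rules_v4() {
  awk '
    /^\*/     { tables[$0]++; open = $0 }
    /^COMMIT/ { open = "" }
    /^:FORWARD / && $2 != "DROP" { print "FORWARD policy is " $2 ", expected DROP"; bad = 1 }
    END {
      for (t in tables) if (tables[t] > 1) { print t " declared " tables[t] " times"; bad = 1 }
      if (open != "") { print open " is not closed with COMMIT"; bad = 1 }
      exit bad
    }'
}

render_rules_v4 10.241.0.0/16 192.168.188.250 eth0 | lint_rules_v4 && echo "rules.v4 looks sane"
```

Redirect the render output to /etc/iptables/rules.v4 once the lint passes; iptables-persistent reloads that file at boot.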
Step 8: Apply iptables Rules
11. Run iptables-restore < /etc/iptables/rules.v4 to apply the iptables rules.
Step 9: Enable Traffic Routing and Masquerading (if needed)
12. Add the route dst: 10.10.0.0/16, gateway: <LXC container local address, e.g. 192.168.188.250>. If the LXC container sits on a different VLAN and you need traffic masquerading, the following rule lets hosts on that other VLAN reach the VPN network:
- chain: src-nat
- action: masquerade
- Destination Address: 10.10.0.0/16 (your VPN network)
- Out Interface: 'LXC Container VLAN'
By following these steps, you should have successfully set up a Zerotier exit gateway in your Debian 10 LXC container to facilitate communication between networks.
About the IPTables Setup
Summary of IPTables Configuration for Gateway Setup
We configured IPTables to allow `srv05` to act as a gateway between the `10.241.0.0/16` network (Zerotier subnet) and `192.168.88.0/24` (homelab subnet). Key adjustments included using network addresses rather than specific interface names to facilitate flexible routing and translation between subnets.
IPTables Rules Configuration
The configuration is as follows. The saved dump contained two *filter sections (the first with the Veeam INPUT rules and a FORWARD ACCEPT policy, the second with the FORWARD rules and a FORWARD DROP policy); because iptables-restore flushes a table every time it meets its *table header, only the second section would survive a restore, so the two are merged here into one *filter section with the intended FORWARD DROP policy:
# Generated by iptables-save v1.8.10 (nf_tables) on Sun Oct 27 21:46:33 2024
*filter
:INPUT ACCEPT [27860:3271118]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -p tcp -m tcp --dport 6162 -m comment --comment "Veeam transport rule" -j ACCEPT
-A INPUT -p tcp -m tcp --dport 6160 -m comment --comment "Veeam deployment rule" -j ACCEPT
-A FORWARD -s 10.241.0.0/16 -d 192.168.88.0/24 -j ACCEPT
-A FORWARD -s 192.168.88.0/24 -d 10.241.0.0/16 -j ACCEPT
COMMIT
*nat
:PREROUTING ACCEPT [0:0]
:INPUT ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
-A POSTROUTING -o lxcbr0 -s 10.241.0.0/16 -j SNAT --to-source 192.168.88.84
COMMIT
Notes
- Routing: By using network address-based rules instead of specific interfaces, the configuration is more adaptable to interface changes, simplifying maintenance.
- SNAT Rule: The POSTROUTING rule in the *nat table ensures that traffic originating from the `10.241.0.0/16` network and routed through `lxcbr0` is translated to the source IP `192.168.88.84`.
- Unprivileged LXC Consideration: If switching to unprivileged LXC containers, additional permissions or network namespace adjustments may be required, as unprivileged containers have restricted access to networking by default.
Troubleshooting Guide: Enabling Forwarding Between LXC and ZeroTier Networks
When troubleshooting connectivity between an LXC bridge (lxcbr0) and a ZeroTier VPN interface, follow these steps to ensure proper forwarding of traffic.
Step 1: Log All Forwarded Packets
You can enable logging in iptables to capture details about forwarded packets and see why pings from your router aren't reaching the ZeroTier VPN.
Here’s a basic process to enable logging and capture relevant details:
Step 1.1: Add a Logging Rule in `iptables`
You can add a logging rule before the DROP rule on the FORWARD chain. Here’s how:
# Log all forwarded packets
sudo iptables -I FORWARD 1 -j LOG --log-prefix "FORWARD DROP: " --log-level 4
This command inserts a logging rule at the top of the FORWARD chain with:
- --log-prefix "FORWARD DROP: " to make it easy to identify in the logs.
- --log-level 4 to set the logging priority (INFO level).
Step 1.2: Check the Logs
After adding the logging rule, you can view logged packets in the system log files, typically in `/var/log/syslog` or `/var/log/messages`, depending on your system configuration.
Use this command to see recent logs:
tail -f /var/log/syslog | grep "FORWARD DROP:"
This will show only the logs with the prefix `FORWARD DROP:`, making it easier to analyze just the forwarded traffic.
Step 1.3: Analyze the Log Output
In the log, you should see details like the source and destination IP addresses, ports, and interfaces involved. If the packets are getting dropped, `iptables` might be blocking them for one of the following reasons:
- A DROP rule after your LOG rule.
- Missing MASQUERADE/SNAT rule (for forwarding between interfaces).
- Routing issues on the router or VPN settings.
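To make the log analysis concrete, here is an added example (not from the original page) that summarises FORWARD DROP log lines per flow and picks out the flows that lie outside the gateway's job; the log lines are constructed for the example and reuse the page's lxcbr0 and ztkse3ixxp interface names and network ranges.

```shell
#!/bin/sh
# Added example: summarise iptables "FORWARD DROP: " log lines by flow so the
# interface pairs and address pairs hitting the FORWARD chain stand out.
# The log lines below are constructed for this example, not captured output;
# ztkse3ixxp is the ZeroTier interface name used elsewhere on this page.
SAMPLE_LOG='Oct 27 21:50:01 srv05 kernel: [1234.5] FORWARD DROP: IN=lxcbr0 OUT=ztkse3ixxp MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=192.168.88.1 DST=10.241.0.5 LEN=84 TOS=0x00 PREC=0x00 TTL=63 ID=1 DF PROTO=ICMP TYPE=8 CODE=0 ID=1 SEQ=1
Oct 27 21:50:02 srv05 kernel: [1235.5] FORWARD DROP: IN=lxcbr0 OUT=ztkse3ixxp MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=192.168.88.1 DST=10.241.0.5 LEN=84 TOS=0x00 PREC=0x00 TTL=63 ID=2 DF PROTO=ICMP TYPE=8 CODE=0 ID=1 SEQ=2
Oct 27 21:50:03 srv05 kernel: [1236.5] FORWARD DROP: IN=ztkse3ixxp OUT=lxcbr0 MAC= SRC=10.241.0.5 DST=192.168.88.1 LEN=84 TOS=0x00 PREC=0x00 TTL=63 ID=3 PROTO=ICMP TYPE=0 CODE=0 ID=1 SEQ=1
Oct 27 21:50:04 srv05 kernel: [1237.5] FORWARD DROP: IN=lxcbr0 OUT=eth0 MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=192.168.88.20 DST=203.0.113.9 LEN=60 TOS=0x00 PREC=0x00 TTL=63 ID=4 DF PROTO=TCP SPT=51000 DPT=443 WINDOW=64240 RES=0x00 SYN URGP=0'

# Read log lines on stdin; print "count IN OUT SRC DST PROTO DPT" per distinct
# flow, busiest first. DPT is "-" for protocols without ports (ICMP).
summarize_forward_log() {
  grep 'FORWARD DROP: ' | awk '{
    in_if = ""; out_if = ""; src = ""; dst = ""; proto = ""; dpt = "-"
    for (i = 1; i <= NF; i++) {
      split($i, kv, "=")
      if (kv[1] == "IN") in_if = kv[2]
      else if (kv[1] == "OUT") out_if = kv[2]
      else if (kv[1] == "SRC") src = kv[2]
      else if (kv[1] == "DST") dst = kv[2]
      else if (kv[1] == "PROTO") proto = kv[2]
      else if (kv[1] == "DPT") dpt = kv[2]
    }
    count[in_if " " out_if " " src " " dst " " proto " " dpt]++
  }
  END { for (k in count) print count[k], k }' | sort -rn
}

# Filter the summary to flows that are not ZeroTier<->homelab traffic: a
# FORWARD DROP for those is the policy working, not a misconfiguration.
# Dotted-prefix matching is a simplification valid for the /16 and /24 here.
flows_outside_gateway_scope() {
  awk -v zt="$1" -v lan="$2" '{
    src = $4; dst = $5
    in_scope = (index(src, zt) == 1 && index(dst, lan) == 1) || \
               (index(src, lan) == 1 && index(dst, zt) == 1)
    if (!in_scope) print
  }'
}

printf '%s\n' "$SAMPLE_LOG" | summarize_forward_log
echo "--- flows the gateway is not meant to forward:"
printf '%s\n' "$SAMPLE_LOG" | summarize_forward_log | flows_outside_gateway_scope "10.241." "192.168.88."
```

Feed it real data with `grep "FORWARD DROP:" /var/log/syslog | summarize_forward_log`; a busy flow that is in scope but still logged points at a missing ACCEPT or NAT rule.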
Step 1.4: Remove Logging Rule After Debugging
Once you've found the issue, remember to remove the logging rule to avoid excessive log entries:
sudo iptables -D FORWARD -j LOG --log-prefix "FORWARD DROP: " --log-level 4
If you’re still having issues, it might help to check if the NAT configuration is correct for forwarding traffic from your router to ZeroTier.
Step 2: Allow Forwarding from lxcbr0 to ZeroTier Interface
Allow traffic from lxcbr0 (LXC bridge) to reach the ZeroTier interface (e.g., ztkse3ixxp):
sudo iptables -I FORWARD 2 -i lxcbr0 -o ztkse3ixxp -j ACCEPT
Step 3: Allow Reverse Path for Response Traffic
Add a reverse rule to allow return traffic from ZeroTier to the LXC bridge:
sudo iptables -I FORWARD 2 -i ztkse3ixxp -o lxcbr0 -j ACCEPT
Step 4: Enable NAT (If Required)
Enable NAT to allow traffic between ZeroTier and 192.168.88.0/24 if required:
sudo iptables -t nat -A POSTROUTING -o ztkse3ixxp -s 192.168.88.0/24 -j MASQUERADE
Step 5: Verify IP Forwarding is Enabled
Check and enable IP forwarding if not already active:
sysctl net.ipv4.ip_forward
sudo sysctl -w net.ipv4.ip_forward=1
To persist this change, add net.ipv4.ip_forward=1 to /etc/sysctl.conf.
Step 6: Test and Monitor
After applying these configurations, test connectivity and monitor the syslog for any packets dropped by the FORWARD chain. Reviewing logs can help identify further firewall adjustments if needed.
