A subreddit for discussing the ZeroTier network virtualization platform and all things related.
Do I understand this correctly?
I'm trying to wrap my head around how exactly ZT works, if someone wouldn't mind helping me out. As far as I understand, when I create the network all my devices get the ZT interface. When I try to connect between clients, is the ZT server only there in order to set up a connection between my two clients, and then the traffic becomes P2P? The way I'm thinking about it is that the ZT server sets up an encrypted tunnel between the two endpoints and then hands that tunnel over to the clients to use. Is that correct?
As an aside, I don't allow UPnP and all that on my network and instead I opened port 9993 to my one client. What happens if you have multiple clients on your LAN? I assume maybe it's better to set up ZT on the router in that case, so that the router becomes the endpoint and everything behind it will just need to be routed to from there?
Thank you!
Don't listen to the others; you do need to have port 9993 open.
https://zerotier.atlassian.net/wiki/spaces/SD/pages/6815768/Router+Configuration+Tips
I can't help with the actual background on how ZT works, but here are the docs on that. You might get a good understanding reading in there:
https://docs.zerotier.com/zerotier/ztintro
You don’t need UPnP turned on, nor do you need to open 9993.
Each device with Zerotier installed sees itself as on a LAN of the Zerotier IP address range your Zerotier network has created. This works even if they are on physically separate LANs miles apart and behind separate routers (my Raspberry Pis are networked that way across 2 locations). If you want to access devices without Zerotier installed (for example because it cannot run on them) you can “bridge” to the local LAN via Zerotier.
If you have multiple clients on your LAN, it is way less effort - and ongoing management effort - to just set up a gateway to the zeroTier SD-WAN. Grab a Pi, install the ZT client and set up IP routing, then add static routes on your primary gateway as appropriate for the address space(s).
I have a second home that I am renovating; I have a Pi on my LAN at home and on the remote one. The Pis route traffic from their respective local Ethernet interface to the virtual zeroTier one. The routers at each location have static routes to the address space of the other location and also to the zeroTier LAN.
The whole thing took me about an hour to set up from start to finish and has been working completely transparently for months. I have to say out of all of the various network fiddling around I have done over the years, this has been the least amount of effort/most reliable.
<edit> oops - this ended up in the wrong place - should have been in response to the question about multiple clients..
Little note I didn't see in the comments:
Outgoing UDP needs to be allowed. If you only allow 9993 out, you'll only be able to peer with things that are listening on 9993, so basically only the roots.
Anything behind a NAT is going to be mapped through some random port.
Even the my.zerotier.com controllers are not on 9993.
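The two comments above (the Pi-as-gateway setup with static routes on the primary router, and the note that outbound UDP must be open to any destination port) can be turned into one reviewable script. This is an added example, not code from the thread, from ZeroTier, or from any of the commenters: the network ID, interface name, addresses and prefixes are assumed placeholders, the `nft` and `ip route` syntax is assumed to match your router and Pi, and the commands are printed rather than executed so you can read them before piping them into a shell.

```shell
#!/bin/sh
# Added example, not code from the thread or from ZeroTier: make a Raspberry Pi
# the LAN<->ZeroTier gateway described above and give it a firewall that lets
# ZeroTier peer over UDP to any remote port. Every value below is an assumed
# placeholder; substitute your own.

ZT_NETWORK="8056c2e21c000001"   # hypothetical ZeroTier network ID
LAN_IFACE="eth0"                # Pi's physical LAN interface (assumed)
ZT_RANGE="10.147.17.0/24"       # managed range the controller hands out (assumed)
LOCAL_PI_LAN="192.168.1.10"     # this Pi's address on the local LAN (assumed)
REMOTE_LAN="192.168.2.0/24"     # LAN behind the other site's Pi (assumed)
REMOTE_PI_ZT="10.147.17.2"      # other Pi's ZeroTier address (assumed)

# Accept only a dotted-quad IPv4 prefix such as 192.168.2.0/24 so a typo in the
# variables above cannot become a bogus route. Octet ranges are not checked.
check_cidr() {
  case "$1" in
    *[!0-9./]*|*/|/*|*.*.*.*.*) return 1 ;;
    *.*.*.*/*) return 0 ;;
    *) return 1 ;;
  esac
}

# Commands for the Pi: enable forwarding, join the network, and route the far
# LAN through the other Pi's ZeroTier address. Run the route step only after
# this node is authorized in the controller and holds its managed address.
# Apply with:  pi_gateway_cmds | sudo sh
pi_gateway_cmds() {
  check_cidr "$REMOTE_LAN" || { echo "bad CIDR: $REMOTE_LAN" >&2; return 1; }
  cat <<EOF
sysctl -w net.ipv4.ip_forward=1
zerotier-cli join $ZT_NETWORK
ip route add $REMOTE_LAN via $REMOTE_PI_ZT
EOF
}

# nftables rules for the Pi. Outbound is left open on purpose: peers behind NAT
# answer from random ports, so limiting destinations to 9993 would reach only
# the roots. Inbound UDP 9993 is accepted so a router port-forward to this Pi
# works; SSH from the LAN is kept so the box stays manageable. Forwarding is
# allowed only between the LAN interface and the ZeroTier interface (zt*).
pi_firewall_cmds() {
  cat <<EOF
nft add table inet zt
nft add chain inet zt input '{ type filter hook input priority 0; policy drop; }'
nft add rule inet zt input iif lo accept
nft add rule inet zt input ct state established,related accept
nft add rule inet zt input udp dport 9993 accept
nft add rule inet zt input iifname "$LAN_IFACE" tcp dport 22 accept
nft add chain inet zt output '{ type filter hook output priority 0; policy accept; }'
nft add chain inet zt forward '{ type filter hook forward priority 0; policy drop; }'
nft add rule inet zt forward iifname "$LAN_IFACE" oifname "zt*" accept
nft add rule inet zt forward iifname "zt*" oifname "$LAN_IFACE" accept
EOF
}

# Static routes for this site's primary router (Linux `ip route` syntax assumed;
# translate to your router's UI): send the ZeroTier range and the far LAN to the
# Pi, which forwards them over ZeroTier. The other site mirrors this.
router_route_cmds() {
  for net in "$ZT_RANGE" "$REMOTE_LAN"; do
    check_cidr "$net" || { echo "bad CIDR: $net" >&2; return 1; }
    echo "ip route add $net via $LOCAL_PI_LAN"
  done
}

# Print everything for review.
printf '# on the Pi\n'; pi_gateway_cmds; pi_firewall_cmds
printf '# on the router\n'; router_route_cmds
```

The remote site needs the mirror image: its Pi routes `192.168.1.0/24` via this Pi's ZeroTier address, and its router points `10.147.17.0/24` and `192.168.1.0/24` at its own Pi. Without that return path, packets arrive but replies are dropped, which looks like a firewall problem when it is really asymmetric routing.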