Instructions for a ZeroTier exit gateway in a Debian 10 LXC container (copied from here)

- Create a Debian 10 container and put it on the same vmbr as the network you want to reach
- Add this to your container config (if running from Proxmox):
  lxc.mount.entry: /dev/net dev/net none bind,create=dir
- Enable IP forwarding by editing /etc/sysctl.conf and uncommenting net.ipv4.ip_forward=1
- Run sysctl -p to apply IP forwarding (it should read the line back to you)
- Install curl, pgp, iptables and iptables-persistent with
  apt update && apt install curl pgp iptables iptables-persistent
- Install ZeroTier with
  curl -s https://install.zerotier.com | bash
- Join the ZeroTier network with
  zerotier-cli join <networkid>
- Accept the client in ZeroTier Central
- Add a route to the local network you want to reach via ZeroTier in ZeroTier Central (set the "Destination" field to your local network address, for example 192.168.1.0/24, and set the "Via" field to the ZeroTier IP address of the LXC container)
- Edit the file /etc/iptables/rules.v4 and paste the following:
*nat
:PREROUTING ACCEPT [0:0]
:INPUT ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
# Traffic from the ZeroTier subnet leaves eth0 with the container's LAN address,
# so LAN hosts need no route back to the ZeroTier subnet
-A POSTROUTING -o eth0 -s 192.168.193.0/24 -j SNAT --to-source 192.168.1.1
COMMIT
*filter
:INPUT ACCEPT [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
# Forward ZeroTier -> LAN, and LAN -> ZeroTier replies (de-NATed by conntrack before FORWARD);
# everything else hits the FORWARD DROP policy
-A FORWARD -i zt+ -s 192.168.193.0/24 -d 0.0.0.0/0 -j ACCEPT
-A FORWARD -i eth0 -s 0.0.0.0/0 -d 192.168.193.0/24 -j ACCEPT
COMMIT
- Replace all instances of 192.168.193.0/24 with your ZeroTier network.
- Replace 192.168.1.1 with the IP address of the LXC container in your local network
- Run iptables-restore < /etc/iptables/rules.v4

You should now be able to reach the clients in your local network from your ZeroTier network. If you have any questions, just ask.
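As an added example (not part of the original instructions), here is a small POSIX shell helper that generates the rules file above from the three values you have to replace, validates them first so a slip such as /4 for /24 is rejected, and loads the result only after iptables-restore --test accepts it and IP forwarding is on. It assumes the rules.v4 path and eth0 default from the guide; the function names and the 8-30 prefix-length bound are my choices, and the LAN-to-ZeroTier forward rule is tightened to replies only, which the guide's rules do not do.

```shell
# Added example, not from the guide: build and safely load rules.v4 for the ZeroTier gateway.
# 0 if $1 is a dotted quad with every octet 0-255, else 1.
valid_ipv4() {
    case $1 in *[!0-9.]*|.*|*.|*..*) return 1 ;; esac
    set -- $(printf '%s' "$1" | tr '.' ' ')
    [ $# -eq 4 ] || return 1
    for o in "$@"; do [ "$o" -le 255 ] || return 1; done
}

# 0 if $1 is net/len with a prefix length of 8-30 (so a slip like /4 for /24 is rejected), else 1.
valid_cidr() {
    case $1 in */*) ;; *) return 1 ;; esac
    valid_ipv4 "${1%/*}" || return 1
    case ${1#*/} in ''|*[!0-9]*) return 1 ;; esac
    [ "${1#*/}" -ge 8 ] && [ "${1#*/}" -le 30 ]
}

# gen_rules <zerotier-net/len> <container-lan-ip> [lan-interface]: print the rules file.
# Same as the guide's rules except that LAN -> ZeroTier forwarding is limited to replies.
gen_rules() {
    lan_if=${3:-eth0}
    valid_cidr "$1" || { echo "bad ZeroTier network: $1" >&2; return 1; }
    valid_ipv4 "$2" || { echo "bad LAN address: $2" >&2; return 1; }
    cat <<EOF
*nat
:PREROUTING ACCEPT [0:0]
:INPUT ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
-A POSTROUTING -o $lan_if -s $1 -j SNAT --to-source $2
COMMIT
*filter
:INPUT ACCEPT [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A FORWARD -i zt+ -s $1 -j ACCEPT
-A FORWARD -i $lan_if -d $1 -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
COMMIT
EOF
}

# Refuse to load rules while ip_forward is off, and parse the new file with
# iptables-restore --test before it replaces the live one (run as root).
apply_rules() {
    [ "$(sysctl -n net.ipv4.ip_forward)" = 1 ] || { echo "enable ip_forward first" >&2; return 1; }
    tmp=$(mktemp) || return 1
    gen_rules "$@" > "$tmp" && iptables-restore --test < "$tmp" || { rm -f "$tmp"; return 1; }
    mv "$tmp" /etc/iptables/rules.v4 && iptables-restore < /etc/iptables/rules.v4
}
```

Source the file in the container and run apply_rules 192.168.193.0/24 192.168.1.1 (add a third argument if your LAN interface is not eth0).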