reCIPHER-SOHO™ - Install Zerotier on reCIPHER™ & GliNet Routers without Zerotier GUI

Using ZeroTier on reCIPHER™ & GliNet Routers gives you freedom whilst maintaining Security! In this guide, we set up ZeroTier on GL.iNet's mini-routers and Ubuntu as a ZeroTier Client

 · 3 min read

SOURCE:  https://kysonlok.gitbook.io/blog/vpn/zeretier


Using ZeroTier on GL.iNet's mini-routers


Presentation

In this test, we set up Zerotier on GL.iNet's mini-routers and an Ubuntu VPS so that they can access each other. To use ZeroTier service, you need to create your own ZeroTier account. Sign up for an account here: https://my.zerotier.com/login.

Important: Stop other VPN service on the router before you start is recommended

Login your ZeroTier account. Go to Network menu and click on Create button to create a new network.

Next you should see the configuration page of your network. Please jot down the Network ID which will be used later.


Setup ZeroTier on router


Installation

SSH to the router, and execute the following commands to install ZeroTier package:

Copy

opkg update
opkg install zerotier


Configuration


ZeroTier

You should edit the configuration file /etc/config/zerotier to enable ZeroTier and join into a network. It looks like:

Copy

# cat /etc/config/zerotier
config zerotier 'sample_config'
    option enabled '1'
    list join 'd5e5fb6537869a7d'

Please replace the code above d5e5fb6537869a7d with your own Network ID.


Firewall(optional)

If you want to access the router's LAN, you have to configure the firewall as well. Please edit the firewall configuration file /etc/config/firewall. Add below lines into it.

Copy

config zone 'vpn_zone'
    option name 'zerotier'
    option input 'ACCEPT'
    option forward 'REJECT'
    option output 'ACCEPT'
    option device 'zt+'
    option masq '1'
    option mtu_fix '1'
config forwarding
    option dest 'zerotier'
    option src 'lan'
config forwarding
    option dest 'lan'
    option src 'zerotier'


Start ZeroTier Service

Copy

/etc/init.d/zerotier restart
/etc/init.d/firewall restart

Go back to your Zerotier's web console and you will see the device which you just joined. Check the checkbox of "Auth?", otherwise, your device may not be able to get an IP address from ZeroTier.

After authentication, the network interface will obtain an IP address. Check it out via ifconfig, it looks like:

Copy

# ifconfig 
ztwdjh372k Link encap:Ethernet  HWaddr 7E:BD:F0:B6:4E:87  
          inet addr:10.241.143.3  Bcast:10.241.255.255  Mask:255.255.0.0
          inet6 addr: fdd5:e5fb:6537:869a:7d99:9327:7681:2b7c/88 Scope:Global
          inet6 addr: fce2:6361:1827:7681:2b7c::1/40 Scope:Global
          inet6 addr: fe80::7cbd:f0ff:feb6:4e87/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST  MTU:2800  Metric:1
          RX packets:39 errors:0 dropped:0 overruns:0 frame:0
          TX packets:68 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000 
          RX bytes:1638 (1.5 KiB)  TX bytes:4368 (4.2 KiB)


Managed Routes(optional)

You can manage route in ZeroTier's web console. For example, I add a static route on Managed Routes, so that I can access the router's LAN.


Setup ZeroTier on Ubuntu


Installation

Install ZeroTier and join the network which you created before.

Copy

curl -s https://install.zerotier.com/ | sudo bash
sudo zerotier-cli join d5e5fb6537869a7d

Please replace the code above d5e5fb6537869a7d with your own Network ID.

You need to check the checkbox of "Auth?" in ZeroTier's web console as well.

After authentication, the network interface will obtain an IP address. Check it out via ifconfig, it looks like:

Copy

# ifconfig 
ztwdjh372k: flags=4163<UP,BROADCAST,RUNNING,MULTICAST>  mtu 2800
        inet 10.241.116.0  netmask 255.255.0.0  broadcast 10.241.255.255
        inet6 fe80::7cce:ffff:fee0:638c  prefixlen 64  scopeid 0x20<link>
        inet6 fdd5:e5fb:6537:869a:7d99:9354:79d7:677  prefixlen 88  scopeid 0x0<global>
        inet6 fce2:6361:1854:79d7:677::1  prefixlen 40  scopeid 0x0<global>
        ether 7e:ce:ff:e0:63:8c  txqueuelen 1000  (Ethernet)
        RX packets 0  bytes 0 (0.0 B)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 85  bytes 4266 (4.2 KB)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0


Testing

The router and the Ubuntu VPS are able to ping each other.

Copy

kyson@ip-172-31-34-95:~$ ping 10.241.143.3
PING 10.241.143.3 (10.241.143.3) 56(84) bytes of data.
64 bytes from 10.241.143.3: icmp_seq=1 ttl=64 time=1143 ms
64 bytes from 10.241.143.3: icmp_seq=2 ttl=64 time=132 ms
64 bytes from 10.241.143.3: icmp_seq=3 ttl=64 time=65.6 ms
64 bytes from 10.241.143.3: icmp_seq=4 ttl=64 time=65.7 ms
64 bytes from 10.241.143.3: icmp_seq=5 ttl=64 time=65.8 ms

Copy

root@GL-AR300M:/# ping 10.241.116.0
PING 10.241.116.0 (10.241.116.0): 56 data bytes
64 bytes from 10.241.116.0: seq=0 ttl=64 time=66.097 ms
64 bytes from 10.241.116.0: seq=1 ttl=64 time=66.264 ms
64 bytes from 10.241.116.0: seq=3 ttl=64 time=65.377 ms
64 bytes from 10.241.116.0: seq=4 ttl=64 time=65.222 ms

The Ubuntu VPS can reach router's LAN if you configure the route.

Copy

kyson@ip-172-31-34-95:~$ ping 192.168.8.1
PING 192.168.8.1 (192.168.8.1) 56(84) bytes of data.
64 bytes from 192.168.8.1: icmp_seq=1 ttl=64 time=65.7 ms
64 bytes from 192.168.8.1: icmp_seq=2 ttl=64 time=66.0 ms
64 bytes from 192.168.8.1: icmp_seq=3 ttl=64 time=65.6 ms
64 bytes from 192.168.8.1: icmp_seq=4 ttl=64 time=65.8 ms
64 bytes from 192.168.8.1: icmp_seq=6 ttl=64 time=65.2 ms


Troubleshooting

If everything is fine, but you can't reach the router from Ubuntu VPS. It usually caused by mwan3, you can try to stop and remove it.

Copy

mwan3 stop
opkg remove mwan3 --force-depends


Published on
24hourITSupport.AU

reCIPHER™ Group is a Microsoft Partner located minutes from the Melbourne CBD. Established in 2012. reCIPHER Group P/L consists of a number of Small Technology Businesses servicing IT, Cyber Security, Internet, Voice, CCTV, and Solution Architecture. Our first business was established in an apartment in 2001. Since then we have developed and aquired the following subsidiaries: - reCIPHERgroup.com - reCIPHER Group company website - reCIPHER.com™ - Registered Internet & Voice Service Provider] - reCIPHER.AU - Company website targeted for Australian audience - 24hourITSupport.com - 24hourITSupport.AU - CompleteInternetServices.com.au/ We maintain a strong Microsoft Engineering Team, ranging from Desktop Support to Level 4 Microsoft Architecture and ongoing Proactive Monitoring & Management. Over 21+ years, we have serviced Companies ranging from only 2 staff members to Companies of 1500+ staff spanning 3 continents.

No comments yet.

Add a comment
Ctrl+Enter to add comment