ZeroTier as VPN replacement

I’d like to be able to access my home network (which is running on UniFi equipment) from my laptop and phone while I’m away from home.

With ZeroTier, the straightforward way to do this would be to load ZeroTier on my laptop and my phone, but then also every other device on my home network that I may want to access.

I’m wondering if there is a way to load ZeroTier only on my remote devices (Laptop, Phone, etc) and then just a single device at home like a Raspberry Pi, which would then in turn let me access my printer, NAS, ip cams, workstation, etc?

I could easily load ZeroTier on my workstation and it looks like my NAS (Unraid) has a ZeroTier plugin… but I’m positive I will not be able to load ZeroTier on my printer or my IP cameras.

Is this possible? If so, what configurations would I make on ZeroTier and/or the Raspberry Pi as far as networks and routing goes?

You could use the bridging function in ZeroTier
https://zerotier.atlassian.net/wiki/spaces/SD/pages/7471125/Layer+2+Bridging+of+Ethernet+and+ZeroTier+Networks+on+Linux


Thanks.

That says it can be done with a single NIC but recommends 2.
I’m curious, if I used a server with 2 NICs, would I even plug anything into the 2nd NIC?

Also, I found this which seems to explain how to do it with just one NIC (i.e. a Raspberry Pi).
https://www.reddit.com/r/zerotier/comments/9714a2/easy_way_of_bridging_lan_for_remote_access/
It says to enable ip forwarding, is that only because it has 1 NIC instead of 2? With the 2 NICs I wouldn’t need ip forwarding?

There are other differences as well. The ZeroTier wiki is using a single network with ZeroTier managing one pool of IPs and the LAN managing another pool, but still a single (though large) subnet.
The Reddit article is suggesting using two different networks altogether.
I guess you could set it up either way? Not sure if one has advantages over the other as far as broadcasting goes.

I think in both cases the roaming ZeroTier clients would be able to access LAN clients because ZeroTier knows the routes, but would LAN resources be able to access ZeroTier clients? How does that work? Would a server on the LAN be able to reply on a connection, but not be able to establish one? Without setting up routes how would LAN resources know to even route through that bridge server?

As for my specifics, I plan on using a Raspberry Pi 4 which I ordered last night. It has a single NIC so I’m leaning toward following the Reddit post. I’m not sure if I want to create a separate network or have the ZeroTier network be the same as my LAN (10.9.8.1/24). My DHCP range is .100 to .254. I only have a handful of things assigned within the .1 to .99 range (network equipment starting from bottom .2, .3, etc and servers starting from top .99, .98, etc). So I could have ZeroTier auto-assign from .30 to .50 or something. Or… should I create a completely separate network?

Side note: I ordered the $20 PoE hat since I have a Unifi PoE switch and the hat includes a fan… thought it was worth it. Excited to see how it works. If it works well, I may buy another 1 or 2 and run PiHole on a real physical PoE pi rather than the Unraid docker container I have PiHole running in now.
Perhaps 3 Raspberry Pis… 1) ZeroTier bridge, 2) PiHole, 3) WAN failover (USB tether to phone).
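The single-NIC routed setup discussed above (a separate ZeroTier network, IP forwarding on the Pi), written out as an added example that is not from the thread, the Reddit post or ZeroTier's own docs. It assumes the interface names zt0 and eth0, a constructed ZeroTier network 10.147.17.0/24, and that a managed route for 10.9.8.0/24 via the Pi's ZeroTier address has been added to the network in ZeroTier Central so roaming clients send LAN traffic to the Pi.

```shell
#!/bin/sh
# Added example: make a single-NIC Raspberry Pi a router between a ZeroTier
# network and the home LAN. Names below are assumptions; override via env.
ZT_IF="${ZT_IF:-zt0}"                  # ZeroTier interface on the Pi (assumed name)
LAN_IF="${LAN_IF:-eth0}"               # the Pi's only physical NIC
ZT_NET="${ZT_NET:-10.147.17.0/24}"     # constructed ZeroTier subnet, separate from the LAN
LAN_NET="${LAN_NET:-10.9.8.0/24}"      # the LAN from the thread

# Print the commands that turn the Pi into the gateway.
# Forwarding is what the Reddit post's "enable ip forwarding" refers to: with a
# single NIC the Pi must pass packets between zt0 and eth0 instead of bridging.
# The MASQUERADE rule answers the "how do LAN hosts reply?" question: every
# roaming client appears to the printer, NAS or camera as the Pi's own LAN
# address, so replies need no route. LAN hosts still cannot *initiate* to a
# ZeroTier client unless the UniFi gateway gets a static route for ZT_NET via
# the Pi's LAN address; once that route exists the MASQUERADE line can go.
gateway_rules() {
  zt="$1"; lan="$2"; zt_net="$3"; lan_net="$4"
  cat <<EOF
sysctl -w net.ipv4.ip_forward=1
iptables -A FORWARD -i $zt -o $lan -s $zt_net -d $lan_net -j ACCEPT
iptables -A FORWARD -i $lan -o $zt -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
iptables -t nat -A POSTROUTING -o $lan -s $zt_net -d $lan_net -j MASQUERADE
EOF
}

# Guard for the same-subnet alternative (ZeroTier auto-assign pool inside the
# LAN, e.g. .30-.50 next to a DHCP range of .100-.254): the two host ranges must
# not overlap, otherwise DHCP and ZeroTier will hand out the same addresses.
# Returns 0 when the pool is clear of the DHCP range.
pool_clear_of_dhcp() {
  pool_start="$1"; pool_end="$2"; dhcp_start="$3"; dhcp_end="$4"
  [ "$pool_end" -lt "$dhcp_start" ] || [ "$pool_start" -gt "$dhcp_end" ]
}

# With "apply" as the first argument (run as root) the rules are installed;
# otherwise they are only printed for review.
if [ "$1" = "apply" ]; then
  gateway_rules "$ZT_IF" "$LAN_IF" "$ZT_NET" "$LAN_NET" | sh -e
else
  gateway_rules "$ZT_IF" "$LAN_IF" "$ZT_NET" "$LAN_NET"
fi
```

The rules are not persistent; on Raspberry Pi OS put them in a boot-time script or save them with the iptables-persistent package.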