ZeroTier Ras Pi Bridge, How-to

Hi. I’m using ZeroTier successfully and I now need to add a VPN bridge to give layer 2 access for Road Warrior WIN 10 PCs onto my home network, for my small business. There are only 3 or 4 remote devices so capacity is not a problem. Sadly all the material I have read and worked through just doesn’t quite get there.

I’ve studied all these tutorials, and others, but without success:

https://zerotier.atlassian.net/wiki/spaces/SD/pages/193134593/Bridge+your+ZeroTier+and+local+network+with+a+RaspberryPi

https://discuss.zerotier.com/t/pi-zero-one-port-linux-bridge/757

My Ras Pi hardware/software is Raspi Model B Rev 2 and Raspberry Pi OS Buster (Debian 10).

I’m pretty OK with understanding networking, Debian command line and Windows configuration but this final piece of my Road Warrior network is just not happening - yet.

Does anybody have a How-to that works?

Tom (Lawrence), how about a YouTube / blog tutorial? All the videos you have made for ZeroTier are great, but we are missing the VPN bridge piece.

As a second step it would be great to force all Internet traffic from the remote machines through the VPN gateway and out through my home network. I use Pi-Hole DNS, then DoH to Cloudflare, and would like to have the same when connected remotely. But this is a secondary requirement.

Thanks in advance


Hi Andy,

Have you considered OpenVPN on pfsense? I have a small business too and this works really well. I use ZeroTier too, but only from my home to client machines.

With that being said, I too would like to see a video like that if @LTS_Tom would be willing to do one like that about ZeroTier.

Good luck,
Sean

Hi Sean,

Thanks for the quick reply. I used OpenVPN in bridged mode on Ras Pi (modified PiVPN in bridged mode) but something changed when upgrading to Buster and I can’t find a solution. I have pfsense but as far as I can tell version 2.4.5 has a broken package manager and this means implementing OpenVPN is not possible at the moment. I am waiting for a stable version 2.5.0 before I can think about it.

ZeroTier has so many appealing features that I’d like to use so Ras Pi bridging is the favourite way forward if only the final piece could be sorted.

Thanks for your suggestion, anyway.

Hi Andy,

I am currently using pfSense 2.4.5-RELEASE-p1. I am having no issues with the package manager. Additionally, I have a road warrior OpenVPN configured, as well as a site-to-site OpenVPN. Both work flawlessly.

Let’s see what Tom has to say.
Sean

Sean,

Then my pfsense probably needs a rebuild. But there are many reports online about the package manager being broken for the last few releases. As you say, let’s wait and see whether Tom can help. I would prefer to use ZeroTier and a gateway rather than OpenVPN.

Pfsense 2.4.5 is pretty stable for OpenVPN server and client, don’t have any issues with it or the package manager.

You can always set up the OpenVPN RAS from OpenVPN on another device; you can have, I believe, 3 clients before you have to pay, if you are having issues with OpenVPN on pfSense.

Thanks, neogrid. I may rebuild pfsense and then use the wizards to build OpenVPN. However Zerotier is a simpler solution if only I could find a working model for a VPN bridge. Rebuilding pfsense will take a half day and my business will be offline for the duration. Alternatively I can wait for pfsense 2.5.0 (due soon) and see if that fixes package installer for me.

Hi Andy,

If you wait until pfSense 2.5, Wireguard will likely be a simple option as well.

Sean

Thanks, Sean. Wireguard supports only Layer 3, Windows 10 devices require Ethernet bridging, layer 2. I already have Wireguard in use (Pi-VPN) for iPhone/iPad use. I may migrate Wireguard to pfsense if it is included in pfsense 2.5.0.

ZeroTier is a better option for Windows 10, particularly as I shall not need to permanently open any router ports.


OK. Sorted the first step. Ras Pi operating as a bridge into my network, full functionality achieved on Road Warrior Windows 10 machine working remotely (over mobile network tethered to iPhone, wi-fi and broadband connections).

Next step is to force DNS queries through the gateway to make use of Pi-Hole and DoH to Cloudflare.

@AndyCam instead of using pihole why don’t you just use the pfBlocker with the pihole list ? Doesn’t have the pretty charts but does the same thing without much effort.

@neogrid, as per my previous post I have a messed up pfsense firewall running and the package manager is not working. To rebuild from scratch at 2.4.5 will take time I don’t have and it will take my business off the air temporarily. I need to wait until 2.5.0 and do the upgrade/rebuild in one step.

My requirement (short-term) is to send DNS requests from Road Warrior machines to the Pi-Hole on my LAN so I can control what can be reached, plus to use DoH for all queries (I don’t trust my ISP). I’m still researching how that can be achieved.

pfsense is a great one-stop for most networking needs. My network tools setup has grown piecemeal and I will probably use the release of 2.5.0 to review and rebuild accordingly. Meantime…

Sounds like six of one, half a dozen of the other … though you are brave 🙂

If it is business related I would buy a 2nd box for sure if downtime is critical.

It sounds like something is really messed up in your config, I doubt an upgrade will fix it, a rebuild will give you some confidence or at least more.

I do recall when you ssh into pfsense there is a feature that can try to fix a broken install, it’s one of those options, though I have never done it.

When you rebuild you might want to use the backup feature 😉 There is also an automated backup tool that saves encrypted configs to Netgate; it’s running on my box though I have never restored from it.

You just can’t have enough backups :slight_smile:

Good luck!

An update. Ras Pi bridge still all stable. I have entered ZeroTier Search Domain and Server IP address settings to those for my Pi-Hole. The iPhone and Android client apps both allow DNS Server IP addresses to be entered, which I have done. This all works when the devices are off the LAN. Both benefit from ad blocking, and DNS queries are confirmed by Cloudflare as DoH (use https://1.1.1.1/help).

Sadly the facility to set DNS parameters doesn’t seem to be there on the Windows client app. Am I missing something?