Simple Zerotier setup on OpenBSD

  • “ZeroTier is a smart programmable Ethernet switch for planet Earth. It allows all networked devices, VMs, containers, and applications to communicate as if they all reside in the same physical data center or cloud region.”*

I personally use Zerotier to share assets between different geographical locations without having to worry about a third-party DDNS service, putting holes in firewalls & port forwarding. Perfect for road warrior setups, or sharing a self-hosted Jellyfin server between two households.

Installing

  • Get the latest release from Github: https://github.com/zerotier/ZeroTierOne

  • Download the ${version}.tar.gz file from the releases page and unpack it:

    • cd /tmp
    • wget https://github.com/zerotier/ZeroTierOne/archive/refs/tags/${version}.tar.gz
    • tar -xvzf ${version}.tar.gz
    • cd ./ZeroTierOne-${version}
  • Building Zerotier on OpenBSD requires GNU Make - gmake(1).

    • gmake install clean
    • This installs the zerotier-one binary to /usr/local/sbin/zerotier-one (the path the rc.d script below refers to)
    • Additional components such as keys and the daemon configuration are installed to /var/db/zerotier-one

Setting up the Daemon

  • We then need to start the Zerotier daemon; this needs root privileges as it creates a tap(4) adapter.

  • This can be run straight from the shell with zerotier-one -d; however, we'd like it to persist after a reboot. To do this we need to set up a service with rcctl(8).

  • A service file is not created by default; create one at /etc/rc.d/zerotier-one. rc.subr(8) provides information about constructing custom control scripts.

      #!/bin/ksh
      daemon="/usr/local/sbin/zerotier-one"
      daemon_flags="-d"
      . /etc/rc.d/rc.subr
      rc_cmd $1

  • Change the permissions on the file to read & execute by owner (root): chmod 0500 /etc/rc.d/zerotier-one

  • To start the daemon: rcctl start zerotier-one; to persist through reboots: rcctl enable zerotier-one

Joining a Network

  • Once the daemon is running we can join an existing Zerotier network: zerotier-cli join ${network_id}
  • Authorise the node, setting an IP address, via https://my.zerotier.com.
  • To check, ping another node within the Zerotier network.

PF

  • By default pf will block return traffic on the tap interface.
  • Configure pf in /etc/pf.conf (see pf.conf(5)) to allow the traffic. The configuration should be as restrictive as possible, allowing only the desired traffic.

In this example I am quite happy to allow all traffic on my Zerotier network.

	zerotier_net = "10.147.17.0"	# example values, substitute your network's prefix
	zerotier_addr = "10.147.17.5"	# and this node's assigned Zerotier address
	pass in log quick on tap from $zerotier_net/24 to $zerotier_addr
	pass out log quick on tap from $zerotier_addr to $zerotier_net/24

You may need to open up tcp/9993 as well to allow communication with Zerotier discovery root servers.
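As an added example (not part of the original post), the following POSIX sh function derives pf.conf macros for the rules above from the node's own zerotier-cli listnetworks output, so the rules can be pinned to the actual tap interface and the managed IPv4 prefix rather than the whole tap group. The column layout of listnetworks and the sample output (network id, MAC, addresses) are assumptions; the emitted zerotier_net already carries its prefix length, so a rule would use $zerotier_net rather than $zerotier_net/24.

```shell
#!/bin/sh
# Added example: turn "zerotier-cli listnetworks" output into pf.conf macros.
# Assumed column layout (as printed by the tool's own header line):
#   200 listnetworks <nwid> <name> <mac> <status> <type> <dev> <ZT assigned ips>
# On a live node:  zerotier-cli listnetworks | zt_pf_macros ${network_id}

# Constructed sample output (network id, MAC and addresses are made up).
SAMPLE_LISTNETWORKS='200 listnetworks <nwid> <name> <mac> <status> <type> <dev> <ZT assigned ips>
200 listnetworks d3ecf5726d000001 home 02:aa:bb:cc:dd:ee OK PRIVATE tap0 10.147.17.5/24,fd56:c2e2:1c00:1:199:9300:0:1/88'

# zt_pf_macros NETWORK_ID  (reads listnetworks output on stdin)
# Prints zerotier_if, zerotier_addr and zerotier_net for the first IPv4
# assignment on that network; exit status 1 if not joined or no IPv4 yet.
zt_pf_macros() {
    awk -v want="$1" '
        $1 == "200" && $2 == "listnetworks" && $3 == want {
            dev = $8
            n = split($9, ips, ",")
            for (i = 1; i <= n; i++) {
                if (ips[i] !~ /^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+\/[0-9]+$/) continue
                split(ips[i], ap, "/"); split(ap[1], o, "."); plen = ap[2] + 0
                # 32-bit address and network base without bitwise ops (portable awk)
                addr = ((o[1] * 256 + o[2]) * 256 + o[3]) * 256 + o[4]
                hosts = 2 ^ (32 - plen)
                net = addr - (addr % hosts)
                printf "zerotier_if = \"%s\"\n", dev
                printf "zerotier_addr = \"%s\"\n", ap[1]
                printf "zerotier_net = \"%d.%d.%d.%d/%d\"\n", int(net / 16777216) % 256, \
                    int(net / 65536) % 256, int(net / 256) % 256, net % 256, plen
                found = 1
                exit
            }
        }
        END { exit found ? 0 : 1 }
    '
}

# Demo: macros for the constructed sample network
printf '%s\n' "$SAMPLE_LISTNETWORKS" | zt_pf_macros d3ecf5726d000001
```

Paste the three lines into /etc/pf.conf above the rules and check them with pfctl -nf /etc/pf.conf before loading.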