#009 - MikroTik ZeroTier as a VPN Tunnel

Preparing MikroTik for Integration with ZeroTier
#

Hardware Limitations
#

As of the publication date, ZeroTier is available for the following devices:

RB4011

RB3011

RB1100AHx4

RB450Gx4

Audience

hAP ac³ (non LTE)

RouterOS Version
#

You need a RouterOS version greater than 7.1. To avoid losing the current configuration if something goes wrong during the upgrade, back up your MikroTik first.

Backup - Execution Order
#

You can create a backup by connecting to the router via Winbox. Go to Files -> click Backup -> set the name and/or password for the file. The created backup will be visible in the “File List”. Right-click on it and select “Download”. This will save the backup file to your local disk.

Note that the backup created in the above step can only be restored on the same model of MikroTik with the same version of ROS installed - therefore it is advisable to include information about the model and ROS version in the file name.

We will also create a configuration file in text format - this is a dump of all the commands needed to restore the current settings via the terminal. This option allows you to restore the current configuration on another model. You will just need to adjust the configuration to the new model, e.g., change the number of Ethernet ports, the number of radio modules, etc.

Open the terminal (this can be done in Winbox by clicking “New Terminal”). Execute the command:

export terse file="ExportFileName"

The file will have the extension “.rsc” and you will find it in the “File List”. Right-click on the file and select “Download”. Save it to your local disk.

Upgrade to Version 7.1
#

The simplest way is to click in Winbox -> System -> Package List -> Check For Updates. Here you will see the version you currently have and the available versions.

Although version 7.1 has been classified as “stable” on the MikroTik website, to see it here you need to select “testing” (as of the publication date).

So select “testing” and click “Download&Install”. The router will download the update, install it, and restart.

If everything went smoothly - you can log into the router.

Preparing ZeroTier for Integration with MikroTik
#

Creating an Account on ZeroTier
#

If you haven’t created an account before, go to zerotier.com -> then “Sign Up” -> and create a free account on ZeroTier.

After completing the registration and logging into the ZeroTier panel, click “Create A Network”.

Network ID
#

Network ID is the address of your network - a string that you will enter into your clients on PCs, MikroTik, and/or smartphones. This number uniquely identifies your network on ZeroTier. If you want it to be private, do not publish this code anywhere. However, if your network is meant to be publicly accessible, you can give this key to new users.

Access Control
#

In the “Access Control” section, select “public” - after connecting all devices, switch this parameter to “private”.

This section defines whether simply entering the network ID is enough to join your network or if you need to accept/confirm that a given device can join your network. For sensitive solutions, work/production connections, always choose “private”. But, for example, to create an open network for high school students from around the world who want to exchange materials directly from their drives, this setting can be set to “public”.

IPv4 Auto-Assign
#

In this section, select “Auto-Assign from Range”. I recommend switching to “Advanced” mode and manually setting “Add IPv4 Address Pools”. Sample ranges (for “home” use we won’t need a large number of addresses - you need to know how many devices you want to “connect” to your network):

start 10.147.18.1 end 10.147.18.254
start 172.25.0.1 end 172.25.0.254
start 192.168.195.1 end 192.168.195.254

Managed Routes
#

We will return to this section after adding devices - it is crucial. Here we will set all traffic from our ZeroTier network going to the internet to pass through a specific device. This is the key setting that turns our ZeroTier setup into a VPN.

Adding Devices to the ZeroTier Network
#

Windows 10 Computer
#

Download the client for Windows 10 from zerotier.com/download/ . Install it. Open the “ZeroTier Control Panel”. In the field next to the “Join Network” button, paste your “Network ID” from the ZeroTier site.

ZeroTier Control Panel

Click “Join Network”. You will be connected to your ZeroTier network. You will see your device in the panel on the site in the “Members” section. If you previously selected your network type as “private”, you need to check the box next to your device to allow it access to the network. If you see an unknown device, do not accept it or allow it access to the network.

After connecting, expand the connection card by clicking the arrow.

ZeroTier Control Panel Network Properties

Check all four boxes - this will allow us to route all outgoing traffic to the internet through our ZeroTier network.

ZeroTier Control Panel Override All Routes

Configuring MikroTik to Connect to the ZeroTier Network
#

Checking if ZeroTier is Installed on MikroTik
#

Go to “System” -> “Packages”. Check if the “zerotier” package is in the “Packages List”.

MikroTik Package List

If it is not on the list, you need to install it. To do this, follow these steps:

  1. Go to the MikroTik download page
  2. From the “ARM” section, download “Extra packages”
  3. Unpack the downloaded file.
  4. Copy the “zerotier***.npk” package to “Files” on MikroTik
  5. Perform a “Reboot”
  6. After the restart, you should see the package in the “Package List”

Configuration
#

Unfortunately, at this moment, all ZeroTier settings on MikroTik must be done through the command line - future versions will likely add support to Winbox. If you have a blank MikroTik installation, you need to execute two commands. The first will add your MikroTik to your ZeroTier network. The second will allow outgoing traffic from the ZeroTier network to the internet through your MikroTik.

Adding ZeroTier to MikroTik
#

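# zt1 is the default ZeroTier instance in RouterOS 7; NaszaNazwaInterfejsu ("OurInterfaceName") is a placeholder for the interface name
/zerotier/interface> add network=NetworkID instance=zt1 name=NaszaNazwaInterfejsu
/zerotier> enable zt1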

Adding ZeroTier Interface to the WAN List
#

/interface/list/member> add list=WAN interface=NaszaNazwaInterfejsu

Checking the Settings
#

If you have correctly added the ZeroTier interface to MikroTik, you should see the address assigned to you from the previously specified pool in ZeroTier.

MikroTik Address List

Your MikroTik should also be visible in the ZeroTier panel.

Adding to the WAN list correctly looks as follows:

MikroTik Interface List

Redirecting All Outgoing Traffic Through MikroTik
#

This configuration element is the “cherry on top”. Go back to the ZeroTier panel, in the “Managed Routes” section, add the default route (“Add Routes”):

0.0.0.0/0 via 172.23.0.1

172.23.0.1 is an example IP address; enter the IP address that MikroTik received in ZeroTier.
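A default route that points at the wrong address, or at a node you have not authorized, sends every client's internet traffic to the wrong place. The following check is an added example, not part of the original post: it audits a planned network for the points made above (private access control, a gateway inside the address pool, a gateway held by an authorized member). The sample data is constructed, and its field names are modelled on ZeroTier Central's network and member objects as an assumption.

```python
import ipaddress

# Constructed sample data. Field names (private, ipAssignmentPools, routes,
# authorized, ipAssignments) are modelled on ZeroTier Central's network and
# member objects and are an assumption of this example.
NETWORK = {
    "private": False,
    "ipAssignmentPools": [{"ipRangeStart": "172.25.0.1", "ipRangeEnd": "172.25.0.254"}],
    "routes": [
        {"target": "172.25.0.0/24", "via": None},
        {"target": "0.0.0.0/0", "via": "172.23.0.1"},
    ],
}
MEMBERS = [
    {"name": "mikrotik", "authorized": True, "ipAssignments": ["172.25.0.1"]},
    {"name": "win10-pc", "authorized": True, "ipAssignments": ["172.25.0.17"]},
    {"name": "unknown", "authorized": False, "ipAssignments": ["172.25.0.99"]},
]


def in_pools(addr, pools):
    """True if addr lies inside any start/end auto-assign pool (IPv4 only here)."""
    ip = ipaddress.ip_address(addr)
    return any(
        ipaddress.ip_address(p["ipRangeStart"]) <= ip
        <= ipaddress.ip_address(p["ipRangeEnd"])
        for p in pools
    )


def audit(network, members):
    """Return a list of findings for the access-control and default-route settings."""
    findings = []
    if not network["private"]:
        findings.append("network is public: anyone with the Network ID can join")
    # Map each assigned address to the authorized member that holds it.
    owners = {ip: m["name"] for m in members if m["authorized"] for ip in m["ipAssignments"]}
    for route in network["routes"]:
        # Only default routes (prefix length 0) with a gateway are of interest.
        if ipaddress.ip_network(route["target"]).prefixlen != 0 or not route["via"]:
            continue
        via = route["via"]
        if not in_pools(via, network["ipAssignmentPools"]):
            findings.append(f"default route via {via} is outside every address pool")
        if via not in owners:
            findings.append(f"default route via {via} is not held by an authorized member")
    return findings
```

With the sample data, `audit(NETWORK, MEMBERS)` reports three findings; switching the network to private and pointing the route at 172.25.0.1 (the address held by the `mikrotik` member) clears them.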

Verifying the Entire Configuration
#

On a computer at a different location than the MikroTik, check your external IP, e.g., at ip.me. If this address matches the address that users directly connected to the MikroTik receive, everything is working! Additionally, you can check which DNS servers you are currently using - DNS leak.

Sources
#

The following entry is based on materials from the sources below and my own experience.

MikroTik Help

MikroTik Forum

Information on the ZeroTier website