I finally got ZeroTier to launch inside an LXC and create the ztxxxxxx interface, and the container is joining the network fine. But I still can’t get forwarding/routing working so my remote ZeroTier clients can access anything on the Proxmox LAN. In the ZeroTier web UI my route for the Proxmox LAN is pushed; other hosts traceroute to the LXC container but nothing past it.
What am I missing?
I followed this Proxmox thread:
https://forum.proxmox.com/threads/enabling-tun-by-default-when-starting-a-ct-image-to-get-zerotier-working.122151/
And I added the required settings to /etc/pve/lxc/ID.conf:
features: keyctl=1,nesting=1
lxc.cgroup2.devices.allow: c 10:200 rwm
lxc.mount.entry: /dev/net/tun dev/net/tun none bind,create=file
ZeroTier starts perfectly and the interface shows up.
Inside the guest I enabled forwarding:
sysctl -w net.ipv4.ip_forward=1
Since it's Debian 13 I also added full nftables forwarding + postrouting MASQUERADE inside the LXC (/etc/nftables.conf):
Code:
table ip nat {
    chain postrouting {
        type nat hook postrouting priority 100;
        oif "eth0" masquerade
    }
}
table inet filter {
    chain input {
        type filter hook input priority filter; policy accept;
    }
    chain forward {
        type filter hook forward priority filter; policy accept;
        # Allow ZeroTier traffic to LAN
        iif "zt..." oif "eth0" accept
        # Allow LAN replies back to ZeroTier
        iif "eth0" oif "zt...." ct state related,established accept
    }
    chain output {
        type filter hook output priority filter; policy accept;
    }
}
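A quick audit of the three settings this post describes (TUN passthrough in the container config, IPv4 forwarding, masquerade on the LAN interface), as an added example that is not part of the original post. The function names and the choice to pass file copies as arguments are assumptions made for illustration; the sample input in `demo` is constructed from the lines quoted above.

```shell
#!/bin/sh
# Added example, not from the original post. Paths are arguments so the
# checks can run against copies of the files.

check_lxc_tun() {      # $1 = container config (/etc/pve/lxc/ID.conf)
    rc=0
    grep -Eq '^lxc\.cgroup2\.devices\.allow:[[:space:]]*c 10:200 rwm' "$1" ||
        { echo "missing: devices.allow for c 10:200"; rc=1; }
    grep -Eq '^lxc\.mount\.entry:[[:space:]]*/dev/net/tun[[:space:]]+dev/net/tun[[:space:]].*bind' "$1" ||
        { echo "missing: bind mount of /dev/net/tun"; rc=1; }
    return "$rc"
}

check_ip_forward() {   # $1 = /proc/sys/net/ipv4/ip_forward inside the guest
    [ "$(tr -d ' \n' < "$1")" = "1" ] || { echo "ip_forward is not 1"; return 1; }
}

check_masquerade() {   # $1 = saved ruleset, $2 = LAN-side interface
    awk -v ifc="$2" '
        /hook postrouting/ { in_post = 1 }   # entered a postrouting base chain
        in_post && /masquerade/ && $0 ~ ("oif(name)? \"" ifc "\"") { found = 1 }
        /^[ \t]*[}]/       { in_post = 0 }   # chain or table closed
        END                { exit found ? 0 : 1 }' "$1" ||
        { echo "no masquerade on $2 in a postrouting chain"; return 1; }
}

audit_gateway() {      # returns the number of failed checks
    fails=0
    check_lxc_tun "$1"         || fails=$((fails + 1))
    check_ip_forward "$2"      || fails=$((fails + 1))
    check_masquerade "$3" "$4" || fails=$((fails + 1))
    return "$fails"
}

demo() {               # constructed sample input mirroring the post
    d=$(mktemp -d)
    printf '%s\n' 'features: keyctl=1,nesting=1' \
        'lxc.cgroup2.devices.allow: c 10:200 rwm' \
        'lxc.mount.entry: /dev/net/tun dev/net/tun none bind,create=file' > "$d/ct.conf"
    echo 1 > "$d/ip_forward"
    printf '%s\n' 'table ip nat {' ' chain postrouting {' \
        '  type nat hook postrouting priority 100;' \
        '  oif "eth0" masquerade' ' }' '}' > "$d/ruleset"
    audit_gateway "$d/ct.conf" "$d/ip_forward" "$d/ruleset" eth0
    status=$?
    rm -rf "$d"
    return "$status"
}
demo && echo "all three settings present"
```

On a live system, save the output of `nft list ruleset` to a file and pass it as the third argument; a value set with `sysctl -w` does not survive a reboot, so rerun the check after restarting the container.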