[TUTORIAL] ZeroTier + Proxmox PVE

Sep 26, 2019
St Louis
katycomputer.com
ZeroTier + Proxmox

We have been using ZeroTier for over a year. When it came time to use it with Proxmox, I wasted hours due to my desire to over-complicate things. This four-step process will let you access your containers and VMs remotely via the ZeroTier D-WAN / VPN.

My goal is to configure several containers and VMs on 10.101.101.0/24 on vmbr2.

To do so:
1. Log in to your ZeroTier account, add a network - we'll use 10.255.0.0/24
2. Join your remote workstation & PVE node to the network and assign the PVE node's IP address - we'll use 10.255.0.110
3. In my.zerotier.com add 10.101.101.0/24 as a managed route
4. Add a route to 10.101.101.0/24 on vmbr2
5. When building / modifying containers, use vmbr2 10.101.101.0/24
6. For system updates, you will want to enable masquerading

/etc/network/interfaces
Code:
auto lo
iface lo inet loopback

auto eno5
iface eno5 inet manual

auto eno6
iface eno6 inet manual

iface eno7 inet manual

iface eno8 inet manual

auto enp193s0f4u4
iface enp193s0f4u4 inet dhcp

auto vmbr0
iface vmbr0 inet static
        address 2.6.170.42/30
        gateway 2.6.170.41
        bridge-ports eno5
        bridge-stp off
        bridge-fd 0
        bridge-maxwait 0
        post-up ip route add 3.3.199.160/29 dev vmbr0

auto vmbr1
iface vmbr1 inet static
        address 192.168.101.32/24
        bridge-ports eno6
        bridge-stp off
        bridge-fd 0
        bridge-maxwait 3

auto vmbr2
iface vmbr2 inet static
        address 10.101.101.1/24
        bridge-ports ztzlgi8qn1
        bridge-stp off
        bridge-fd 0
        bridge-maxwait 3
        post-up   echo 1 > /proc/sys/net/ipv4/ip_forward
        post-up   iptables -t nat -A POSTROUTING -s '10.101.101.0/24' -o vmbr0 -j MASQUERADE
        post-down iptables -t nat -D POSTROUTING -s '10.101.101.0/24' -o vmbr0 -j MASQUERADE


grep -ris "vmbr2" /etc/pve:
Code:
/etc/pve/nodes/vm101-01/qemu-server/103.conf:net0: e1000=F2:4E:F9:60:9A:40,bridge=vmbr2,firewall=1
/etc/pve/nodes/vm101-01/lxc/102.conf:net0: name=eth0,bridge=vmbr2,firewall=1,gw=10.101.101.1,hwaddr=86:11:17:5B:76:07,ip=10.101.101.10/24,type=veth
/etc/pve/nodes/vm101-01/lxc/100.conf:net1: name=eth1,bridge=vmbr2,firewall=1,gw=192.168.101.32,hwaddr=AE:79:8E:AD:E7:9D,ip=10.101.101.11/24,type=veth


my.zerotier.com:
1602380334585.png
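
Added example, not part of the original post: a small Python audit of an /etc/network/interfaces file that lists which bridge hooks turn on IP forwarding, which subnets are masqueraded out of which interface, and any MASQUERADE rule added in post-up without a matching post-down delete. The function names are hypothetical, and the sample input is the vmbr2 stanza copied from the post.

```python
import shlex
# The vmbr2 stanza from the post above, embedded so the example runs offline.
SAMPLE = """\
auto vmbr2
iface vmbr2 inet static
        address 10.101.101.1/24
        bridge-ports ztzlgi8qn1
        post-up   echo 1 > /proc/sys/net/ipv4/ip_forward
        post-up   iptables -t nat -A POSTROUTING -s '10.101.101.0/24' -o vmbr0 -j MASQUERADE
        post-down iptables -t nat -D POSTROUTING -s '10.101.101.0/24' -o vmbr0 -j MASQUERADE
"""

def parse_interfaces(text):
    """Return {iface: [(option, value), ...]} for each 'iface' stanza."""
    stanzas, current = {}, None
    for line in text.splitlines():
        words = line.split(None, 1)
        if len(words) < 2 or words[0].startswith("#"):
            continue
        if words[0] == "iface":
            current = stanzas.setdefault(words[1].split()[0], [])
        elif words[0] in ("auto", "source") or words[0].startswith("allow-"):
            current = None  # these keywords start a new, non-iface stanza
        elif current is not None:
            current.append((words[0], words[1].strip()))
    return stanzas

def nat_rule(cmd):
    """Parse an iptables MASQUERADE command into (action, source, out_iface), else None."""
    args = shlex.split(cmd)
    if not args or args[0] != "iptables" or "MASQUERADE" not in args:
        return None
    opt = lambda flag: args[args.index(flag) + 1] if flag in args[:-1] else None
    return ("add" if "-A" in args else "del" if "-D" in args else None, opt("-s"), opt("-o"))

def audit(text):
    """Report forwarding and NAT side effects declared in post-up/post-down hooks."""
    report = {"ip_forward_set_by": [], "masquerade": [], "unpaired": []}
    for iface, opts in parse_interfaces(text).items():
        ups = [nat_rule(v) for k, v in opts if k == "post-up"]
        downs = [nat_rule(v) for k, v in opts if k == "post-down"]
        if any(k == "post-up" and "ip_forward" in v for k, v in opts):
            report["ip_forward_set_by"].append(iface)
        for rule in ups:
            if rule and rule[0] == "add":
                report["masquerade"].append((iface, rule[1], rule[2]))
                if ("del", rule[1], rule[2]) not in downs:
                    report["unpaired"].append((iface, rule[1], rule[2]))
    return report
```

On a node, pass the contents of /etc/network/interfaces to audit(); an entry under "unpaired" means the NAT rule stays behind when the bridge goes down and is added a second time on the next ifup.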
 
Sep 26, 2019
St Louis
katycomputer.com
Thanks. I have default gw on lxc-102 set to 10.101.101.1 - I think that's correct, but what's odd is that from within lxc-102, I cannot ping 10.101.101.1, I suspect if I resolve this issue things will work correctly.

I know it's something silly stupid, but not sure what it is - I suppose it will be the last thing I check :cool:
 

guletz

Famous Member
Apr 19, 2017
Brasov, Romania
Hi,

Check in lxc-102:

Code:
arp -an
: if you can see any ARP for 10.101.101.1
check if you have any firewall rule (including on PMX node) that could block your ICMP
try to use traceroute 10.101.101.1 instead of ping

Good luck / Bafta!
 

kozaks

Member
Feb 23, 2017
Thanks. I have default gw on lxc-102 set to 10.101.101.1 - I think that's correct, but what's odd is that from within lxc-102, I cannot ping 10.101.101.1, I suspect if I resolve this issue things will work correctly.

I know it's something silly stupid, but not sure what it is - I suppose it will be the last thing I check :cool:
Did you fix your problem?
 

jamest65

Member
Apr 29, 2021
I gave up.
I have built a recent Proxmox lab and got ZeroTier working through a NAT setup inside my VMs using the standard NAT config as per the instructions. I just have to work out a rule to allow the ports to get out from the VM. I can ssh from the outside into my VM from my laptop, which is really awesome. I have posted this to see if anyone is interested to explore this any further.
 

crazy_otto

New Member
May 12, 2021
I have built a recent Proxmox lab and got ZeroTier working through a NAT setup inside my VMs using the standard NAT config as per the instructions. I just have to work out a rule to allow the ports to get out from the VM. I can ssh from the outside into my VM from my laptop, which is really awesome. I have posted this to see if anyone is interested to explore this any further.
Yes, please!
 
