[TUTORIAL] ZeroTier + Proxmox PVE

KatyComputer

Sep 26, 2019
ZeroTier + Proxmox

We have been using ZeroTier for over a year. When it came time to use it with Proxmox, I wasted hours due to my desire to over-complicate things. This four-step process will let you access your containers and VMs remotely via the ZeroTier D-WAN / VPN.

My goal is to configure several containers and VMs on 10.101.101.0/24 on vmbr2.

To do so:
1. Log in to your ZeroTier account and add a network - we'll use 10.255.0.0/24
2. Join your remote workstation & PVE node to the network and assign the PVE node's IP address - we'll use 10.255.0.110
3. In my.zerotier.com, add 10.101.101.0/24 as a managed route
4. Add a route to 10.101.101.0/24 on vmbr2
5. When building / modifying containers, use vmbr2 10.101.101.0/24
6. For system updates, you will want to enable masquerading

/etc/network/interfaces
Code:
auto lo
iface lo inet loopback

auto eno5
iface eno5 inet manual

auto eno6
iface eno6 inet manual

iface eno7 inet manual

iface eno8 inet manual

auto enp193s0f4u4
iface enp193s0f4u4 inet dhcp

auto vmbr0
iface vmbr0 inet static
        address 2.6.170.42/30
        gateway 2.6.170.41
        bridge-ports eno5
        bridge-stp off
        bridge-fd 0
        bridge-maxwait 0
        post-up ip route add 3.3.199.160/29 dev vmbr0

auto vmbr1
iface vmbr1 inet static
        address 192.168.101.32/24
        bridge-ports eno6
        bridge-stp off
        bridge-fd 0
        bridge-maxwait 3

auto vmbr2
iface vmbr2 inet static
        address 10.101.101.1/24
        bridge-ports ztzlgi8qn1
        bridge-stp off
        bridge-fd 0
        bridge-maxwait 3
        post-up   echo 1 > /proc/sys/net/ipv4/ip_forward
        post-up   iptables -t nat -A POSTROUTING -s '10.101.101.0/24' -o vmbr0 -j MASQUERADE
        post-down iptables -t nat -D POSTROUTING -s '10.101.101.0/24' -o vmbr0 -j MASQUERADE


grep -ris "vmbr2" /etc/pve:
Code:
/etc/pve/nodes/vm101-01/qemu-server/103.conf:net0: e1000=F2:4E:F9:60:9A:40,bridge=vmbr2,firewall=1
/etc/pve/nodes/vm101-01/lxc/102.conf:net0: name=eth0,bridge=vmbr2,firewall=1,gw=10.101.101.1,hwaddr=86:11:17:5B:76:07,ip=10.101.101.10/24,type=veth
/etc/pve/nodes/vm101-01/lxc/100.conf:net1: name=eth1,bridge=vmbr2,firewall=1,gw=192.168.101.32,hwaddr=AE:79:8E:AD:E7:9D,ip=10.101.101.11/24,type=veth


my.zerotier.com:
1602380334585.png
 
It seems my tutorial is flawed.

lxc-102 cannot ping 8.8.8.8, so I tried 10.101.101.1, no joy.

Yet vm101 can ping 10.101.101.10 and I can ping 10.101.101.10 remotely using ZeroTier.

Anyone know what I may have missed?
 
Thanks. I have default gw on lxc-102 set to 10.101.101.1 - I think that's correct, but what's odd is that from within lxc-102, I cannot ping 10.101.101.1, I suspect if I resolve this issue things will work correctly.

I know it's something silly stupid, but not sure what it is - I suppose it will be the last thing I check :cool:
 
Hi,

Check in lxc-102:

Code:
arp -an
to see whether there is any ARP entry for 10.101.101.1.
Check whether you have any firewall rule (including on the PMX node) that could block your ICMP.
Try to use traceroute 10.101.101.1 instead of ping.

Good luck / Bafta!
 
Thanks. I have default gw on lxc-102 set to 10.101.101.1 - I think that's correct, but what's odd is that from within lxc-102, I cannot ping 10.101.101.1, I suspect if I resolve this issue things will work correctly.

I know it's something silly stupid, but not sure what it is - I suppose it will be the last thing I check :cool:
Did you fix your problem?
 
I gave up.
 
I have built a recent Proxmox lab and got ZeroTier working through a NAT setup inside my VMs using the standard NAT config as per the instructions. I just have to work out a rule to allow the ports to get out from the VM. I can ssh from the outside into my VM from my laptop, which is really awesome. I have posted this to see if anyone is interested to explore this any further.
 
I have built a recent Proxmox lab and got ZeroTier working through a NAT setup inside my VMs using the standard NAT config as per the instructions. I just have to work out a rule to allow the ports to get out from the VM. I can ssh from the outside into my VM from my laptop, which is really awesome. I have posted this to see if anyone is interested to explore this any further.
Yes, please!
 
If anybody is interested, I think I have it worked out, or at least it works for my Proxmox server. If you need help, get back to me.
 
Install ZeroTier bridge host PVE
https://www.prochor.ru/content/nashi-stati/proxmox-ve/content11/proxmox-ve-zerotier-one.html

PorxmoxZerotier-06.png
 
Hello,
I tried very hard to get my setup working, but so far I did not manage to get it working.
In ZeroTier I set up the routing:
192.168.131.0/24 via 10.147.20.131

From my PC (KINGLOUIE) I was able to ping 192.168.131.204. That is the IP address of the Proxmox installation, on which I installed ZeroTier.

What I did not manage so far is to ping the other things in the 192.168.131.0/24 network.
How do I check what is wrong?
Proxmox Zerotier.png
 
What I did not manage so far is to ping the other things
While I won't dig into the details of your topology: in my personal experience I struggle most often by forgetting to configure the route back from the destination to the source. The relevant routers need to know which route to forward packets to - from any point of the topology map. So... check your routing tables for packets coming from those destination systems back to you (and possibly fail).

Good luck
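
The return-route check suggested in the reply above, as an added example (not code from any poster in this thread): a small Python model that walks each host's routing table by longest-prefix match for the 192.168.131.0/24 via 10.147.20.131 setup. The /24 ZeroTier subnet, the PC's ZeroTier address 10.147.20.50, the LAN router 192.168.131.1 and the LAN host `nas` at 192.168.131.10 are assumptions made for the illustration.

```python
import copy
import ipaddress

# Constructed topology. From the thread: managed route 192.168.131.0/24 via
# 10.147.20.131 and the PVE LAN address 192.168.131.204. Everything else is assumed.
HOSTS = {
    "pc":     {"ips": ["10.147.20.50"], "forward": False, "routes": [
        ("10.147.20.0/24", None), ("192.168.131.0/24", "10.147.20.131")]},
    "pve":    {"ips": ["10.147.20.131", "192.168.131.204"], "forward": True, "routes": [
        ("10.147.20.0/24", None), ("192.168.131.0/24", None), ("0.0.0.0/0", "192.168.131.1")]},
    "router": {"ips": ["192.168.131.1"], "forward": True, "routes": [
        ("192.168.131.0/24", None), ("0.0.0.0/0", "203.0.113.1")]},
    "nas":    {"ips": ["192.168.131.10"], "forward": False, "routes": [
        ("192.168.131.0/24", None), ("0.0.0.0/0", "192.168.131.1")]},
}

def lookup(routes, dst):
    """Longest-prefix match; returns (prefix, via) or None. via=None means on-link."""
    hits = [r for r in routes if dst in ipaddress.ip_network(r[0])]
    return max(hits, key=lambda r: ipaddress.ip_network(r[0]).prefixlen, default=None)

def trace(hosts, src, dst_ip, max_hops=8):
    """Hosts a packet visits from src toward dst_ip; ends in 'LOST' if it never arrives."""
    owner = {ip: name for name, h in hosts.items() for ip in h["ips"]}
    dst, here, path = ipaddress.ip_address(dst_ip), src, [src]
    for _ in range(max_hops):
        if dst_ip in hosts[here]["ips"]:
            return path                      # delivered
        if here != src and not hosts[here]["forward"]:
            break                            # a non-router drops transit traffic
        route = lookup(hosts[here]["routes"], dst)
        if route is None:
            break                            # no matching route at all
        nxt = owner.get(route[1] or dst_ip)  # on-link: next hop is the destination
        if nxt is None:
            break                            # handed to a hop outside this model
        here = nxt
        path.append(here)
    return path + ["LOST"]

def with_return_route(hosts):
    """Copy of the topology where the LAN router learns the ZeroTier subnet."""
    fixed = copy.deepcopy(hosts)
    fixed["router"]["routes"].append(("10.147.20.0/24", "192.168.131.204"))
    return fixed
```

`trace(HOSTS, "nas", "10.147.20.50")` ends in `LOST` because the LAN host's default gateway has no route to the ZeroTier subnet, while the same call on `with_return_route(HOSTS)` reaches `pc`; the Proxmox host itself always answers because the ZeroTier subnet is on-link for it.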
 