pivpn

AWS Debian Zero Tier Tunnel

Install Zero Tier

Document Source https://zerotier.atlassian.net/wiki/spaces/SD/pages/7110693/Overriding+Default+Route+Full+Tunnel+Mode

sudo curl -s https://install.zerotier.com | sudo bash

Join Network

sudo zerotier-cli join 98e7278b055e3ea9

This command may do something but I didn't have any luck actually saving the iptables file.

sudo apt-get install iptables-persistent

In this example, the value of $ZT_IFACE was obtained with the following command after adding the Debian machine to the Zero Tier network:

sudo ifconfig

Edit /etc/sysctl.conf, uncomment the following two variables, and change rp_filter to 2:

net.ipv4.ip_forward=1
net.ipv4.conf.all.rp_filter=2

Only the following rules were actually added by hand to the /etc/iptables/rules.v4 file shown below (iptables-restore does not expand shell variables, so $ZT_IFACE and $WAN_IFACE have to be written out as the real interface names, as in the actual file):

*nat
:PREROUTING ACCEPT [0:0]
:INPUT ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
-A POSTROUTING -o eth0 -j MASQUERADE
COMMIT
*filter
:INPUT ACCEPT [0:0]
:FORWARD DROP [0:0]
-A FORWARD -i $ZT_IFACE -o $WAN_IFACE -j ACCEPT
-A FORWARD -i $WAN_IFACE -o $ZT_IFACE -m state --state RELATED,ESTABLISHED -j ACCEPT
:OUTPUT ACCEPT [0:0]
COMMIT

Actual file contents.

# Generated by iptables-save v1.6.0 on Mon Feb 14 17:45:54 2022
*filter
:INPUT ACCEPT [0:0]
:FORWARD DROP [0:0]
-A FORWARD -i ztcprhtnnm -o eth0 -j ACCEPT
-A FORWARD -i eth0 -o ztcprhtnnm -m state --state RELATED,ESTABLISHED -j ACCEPT
:OUTPUT ACCEPT [0:0]
:INPUT ACCEPT [2317:604411]
:FORWARD ACCEPT [1467:325076]
:OUTPUT ACCEPT [1385:221951]
:DOCKER - [0:0]
:DOCKER-ISOLATION-STAGE-1 - [0:0]
:DOCKER-ISOLATION-STAGE-2 - [0:0]
:DOCKER-USER - [0:0]
-A FORWARD -j DOCKER-USER
-A FORWARD -j DOCKER-ISOLATION-STAGE-1
-A FORWARD -o docker0 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -o docker0 -j DOCKER
-A FORWARD -i docker0 ! -o docker0 -j ACCEPT
-A FORWARD -i docker0 -o docker0 -j ACCEPT
-A DOCKER -d 172.17.0.2/32 ! -i docker0 -o docker0 -p tcp -m tcp --dport 655 -j ACCEPT
-A DOCKER -d 172.17.0.2/32 ! -i docker0 -o docker0 -p udp -m udp --dport 655 -j ACCEPT
-A DOCKER-ISOLATION-STAGE-1 -i docker0 ! -o docker0 -j DOCKER-ISOLATION-STAGE-2
-A DOCKER-ISOLATION-STAGE-1 -j RETURN
-A DOCKER-ISOLATION-STAGE-2 -o docker0 -j DROP
-A DOCKER-ISOLATION-STAGE-2 -j RETURN
-A DOCKER-USER -j RETURN
COMMIT
# Completed on Mon Feb 14 17:45:54 2022
# Generated by iptables-save v1.6.0 on Mon Feb 14 17:45:54 2022
*nat
:PREROUTING ACCEPT [0:0]
:INPUT ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
-A POSTROUTING -o eth0 -j MASQUERADE
:PREROUTING ACCEPT [408:64692]
:INPUT ACCEPT [6:631]
:OUTPUT ACCEPT [140:11637]
:POSTROUTING ACCEPT [542:75698]
:DOCKER - [0:0]
-A PREROUTING -m addrtype --dst-type LOCAL -j DOCKER
-A OUTPUT ! -d 127.0.0.0/8 -m addrtype --dst-type LOCAL -j DOCKER
-A POSTROUTING -s 172.17.0.0/16 ! -o docker0 -j MASQUERADE
-A POSTROUTING -s 172.17.0.2/32 -d 172.17.0.2/32 -p tcp -m tcp --dport 655 -j MASQUERADE
-A POSTROUTING -s 172.17.0.2/32 -d 172.17.0.2/32 -p udp -m udp --dport 655 -j MASQUERADE
-A DOCKER -i docker0 -j RETURN
-A DOCKER ! -i docker0 -p tcp -m tcp --dport 655 -j DNAT --to-destination 172.17.0.2:655
-A DOCKER ! -i docker0 -p udp -m udp --dport 655 -j DNAT --to-destination 172.17.0.2:655
COMMIT
# Completed on Mon Feb 14 17:45:54 2022
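As an added check that is not part of the wiki page, the following script reads an iptables-save dump and reports whether the FORWARD chain really ends up with a DROP policy and whether stateless forwarding and MASQUERADE are restricted to the tunnel/WAN pair: in the dump above, the ":FORWARD ACCEPT" line that came from iptables-save follows the hand-written ":FORWARD DROP", and iptables-restore applies the later one. The interface names default to the page's own (ztcprhtnnm and eth0) and are assumptions; the same check covers the WiFi bridge rules later on this page if ZT_IFACE and WAN_IFACE are set to that section's LAN and WAN interfaces.

```shell
#!/bin/sh
# Added example, not from the wiki page: audit an iptables-save dump for the
# full-tunnel design above. Interface names are assumptions (the page's own).
ZT_IFACE="${ZT_IFACE:-ztcprhtnnm}"
WAN_IFACE="${WAN_IFACE:-eth0}"
# Constructed sample modelled on the page's "actual file contents": the
# hand-written ":FORWARD DROP" is followed by a second ":FORWARD ACCEPT"
# line from iptables-save, and iptables-restore applies the later one.
SAMPLE_RULES='*filter
:FORWARD DROP [0:0]
-A FORWARD -i ztcprhtnnm -o eth0 -j ACCEPT
-A FORWARD -i eth0 -o ztcprhtnnm -m state --state RELATED,ESTABLISHED -j ACCEPT
:FORWARD ACCEPT [1467:325076]
-A FORWARD -i docker0 ! -o docker0 -j ACCEPT
COMMIT
*nat
:POSTROUTING ACCEPT [0:0]
-A POSTROUTING -o eth0 -j MASQUERADE
-A POSTROUTING -s 172.17.0.0/16 ! -o docker0 -j MASQUERADE
COMMIT'

# Reads a dump on stdin, prints one finding per line and the total last.
# Pure awk, so it always exits 0 and composes under "set -e".
audit_rules() {
    awk -v zt="$ZT_IFACE" -v wan="$WAN_IFACE" '
        /^\*/ { table = substr($1, 2); next }
        # The last policy line for a chain is the one left in effect.
        table == "filter" && $1 == ":FORWARD" { fwd_policy = $2 }
        # Stateless FORWARD accepts must be exactly tunnel -> WAN.
        table == "filter" && $2 == "FORWARD" && /-j ACCEPT/ && !/--(ct)?state/ {
            if (!($0 ~ ("-i " zt " ") && $0 ~ ("-o " wan " "))) {
                print "unexpected FORWARD accept: " $0; n++
            }
        }
        # MASQUERADE must only apply to traffic leaving via the WAN interface.
        table == "nat" && /-j MASQUERADE/ && !($0 ~ ("-o " wan " ")) {
            print "MASQUERADE not bound to " wan ": " $0; n++
        }
        END {
            if (fwd_policy != "DROP") {
                print "effective FORWARD policy is " fwd_policy ", expected DROP"; n++
            }
            print n + 0
        }'
}

# Usage against the live file: audit_rules < /etc/iptables/rules.v4
printf '%s\n' "$SAMPLE_RULES" | audit_rules
```

Running it on the constructed sample reports three findings (the Docker forward rule, the Docker MASQUERADE rule and the ACCEPT policy), which is what the page's own dump would produce as well.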

Raspberry Pi WiFi Bridge

Document Source https://pimylifeup.com/raspberry-pi-wifi-bridge/
Remember that to follow this tutorial you will need either a WiFi dongle or a Raspberry Pi 3 with the built-in WiFi module.

1. Before we get started with installing and setting up our packages, we will first run an update on the Raspberry Pi by entering the following two commands into the terminal.

sudo apt-get update
sudo apt-get upgrade

2. With that done we can now install the one and only package we will be using. Run the following command to install dnsmasq:

sudo apt-get install dnsmasq

If there are issues installing this package, run it again with the --fix-missing option:

sudo apt-get install dnsmasq --fix-missing

3. Before we get too far ahead of ourselves, we should set up the wlan0 connection that we plan on using. If you have already set up your wireless connection then you can skip ahead to step 5. Otherwise, open up the wpa_supplicant file by running the following command:

sudo nano /etc/wpa_supplicant/wpa_supplicant.conf

4. Within this file add the following, making sure you replace the ssid with the name of the network you want to connect to and replace the psk value with the password for that network.

network={
     ssid="yournetworkname"
     psk="yournetworkpassword"
}

Use the following configuration instead if the network is unsecured and has no passphrase:

network={
     ssid="Deacon-5CCF7FD38507"
     key_mgmt=NONE
}

5. With the wireless network now set up to connect correctly, we can proceed with setting up our eth0 interface. This will force it to use a static IP address; not setting this up can cause several issues. To do this we need to modify the dhcpcd.conf file by running the following command:

sudo nano /etc/dhcpcd.conf

Important Note: If you're on Raspbian Stretch then wlan0 and eth0 may need to be changed. Use the ifconfig command to see the new names; they're likely quite long and will contain the MAC address. Make sure you update these for all the commands in this tutorial.

6. Within this file we need to add the following lines. Make sure you replace eth0 with the correct interface name for your Ethernet port: Raspbian Stretch uses what are known as predictable names, so they may differ from this tutorial. To find out what your interfaces are you can use the ifconfig command.

interface eth0
static ip_address=192.168.10.50/24
static routers=192.168.10.1

Now we can save and quit out of the file by pressing Ctrl+X then pressing Y and then Enter.

7. With our changes made to dhcpcd configuration we should now restart the service by running the following command:

sudo service dhcpcd restart

8. Before we get started with modifying dnsmasq configuration we will first make a backup of the original configuration by running the following command.

sudo mv /etc/dnsmasq.conf /etc/dnsmasq.conf.orig

9. With the original configuration now backed up and moved out of the way we can now move on and create our new configuration file by typing the command below into the terminal.

sudo nano /etc/dnsmasq.conf

10. Now that we have our new file created, we want to add the lines below. These lines tell the dnsmasq package how to handle DNS and DHCP traffic:

interface=eth0                                # Use interface eth0
listen-address=192.168.10.50                  # Specify the address to listen on
bind-interfaces                               # Bind to the interface
server=8.8.8.8                                # Use Google DNS
domain-needed                                 # Don't forward short names
bogus-priv                                    # Drop the non-routed address spaces
dhcp-range=192.168.10.50,192.168.10.150,12h   # IP range and lease time

Now we can save and quit out of the file by pressing Ctrl+X then pressing Y and then Enter.

11. We now need to configure the Raspberry Pi's firewall so that it will forward all traffic from our eth0 connection over to our wlan0 connection. Before we do this we must first enable IPv4 forwarding through the sysctl.conf configuration file, so let's begin editing it with the following command:

sudo nano /etc/sysctl.conf

12. Within this file you need to find the following line and remove the # from the beginning of it. Find:

#net.ipv4.ip_forward=1

Replace with:

net.ipv4.ip_forward=1

Now we can save and quit out of the file by pressing Ctrl+X then pressing Y and then Enter.

13. Since we don't want to have to wait until the next reboot before the configuration is loaded, we can run the following command to enable it immediately:

sudo sh -c "echo 1 > /proc/sys/net/ipv4/ip_forward"

14. Now that IPv4 forwarding is enabled we can reconfigure our firewall so that traffic is forwarded from our eth0 interface over to our wlan0 connection. This means that anyone connecting to the Ethernet port will be able to use our wlan0 internet connection. Run the following commands to add our new rules to iptables:

sudo iptables -t nat -A POSTROUTING -o wlan0 -j MASQUERADE
sudo iptables -A FORWARD -i wlan0 -o eth0 -m state --state RELATED,ESTABLISHED -j ACCEPT
sudo iptables -A FORWARD -i eth0 -o wlan0 -j ACCEPT

Note: If you get errors when entering the above lines, simply reboot the Pi using sudo reboot.

15. Of course, iptables rules are flushed on every boot of the Raspberry Pi, so we will need to save our new rules somewhere so they are loaded back in on every boot. To save our new set of rules run the following command:

sudo sh -c "iptables-save > /etc/iptables.ipv4.nat"

16. Now with our new rules safely saved, we need to make this file be loaded back in on every reboot. The simplest way to handle this is to modify the rc.local file. Run the following command to begin editing the file:

sudo nano /etc/rc.local

17. Now that we are in this file, we need to add the line below. Make sure this line appears above exit 0. This line reads the settings out of our iptables.ipv4.nat file and loads them into iptables. Find exit 0 and add the following above it:

iptables-restore < /etc/iptables.ipv4.nat

Now we can save and quit out of the file by pressing Ctrl+X then pressing Y and then Enter.

18. Finally, all we need to do is start our dnsmasq service. To do this, run the following command:

sudo service dnsmasq start

19. Now you should finally have a fully operational Raspberry Pi WiFi Bridge. You can check that this is working by plugging any device into its Ethernet port; the bridge should provide an internet connection to the device you plugged in. To ensure everything will run smoothly it's best to try rebooting now. This will ensure that everything successfully re-enables when the Raspberry Pi is started back up. Run the following command to reboot the Raspberry Pi:

sudo reboot

Setting up the Raspberry Pi WiFi Bridge with a VPN

This tutorial is fully compatible with the basic VPN router tutorial. However, there is one small change you will have to make in step 13: rather than using the commands showcased there, run the commands below. The main change you will see here is that instead of redirecting the traffic from wlan0 through the tunnel we will be redirecting the traffic from our eth0 connection to the tunnel.

sudo iptables -t nat -A POSTROUTING -o tun0 -j MASQUERADE
sudo iptables -A FORWARD -i tun0 -o eth0 -m state --state RELATED,ESTABLISHED -j ACCEPT
sudo iptables -A FORWARD -i eth0 -o tun0 -j ACCEPT
sudo iptables -t nat -A POSTROUTING -o ztcprhtnnm -j MASQUERADE
sudo iptables -A FORWARD -i ztcprhtnnm -o eth0 -m state --state RELATED,ESTABLISHED -j ACCEPT
sudo iptables -A FORWARD -i eth0 -o ztcprhtnnm -j ACCEPT

The rest of the VPN Access Point tutorial can be done without any other changes. Hopefully by now you should have a fully operational Raspberry Pi WiFi Bridge.

pivpn.1644869697.txt.gz · Last modified: 2022/02/14 20:14 by cfrench