A Guide About Installing ZeroTier on ASUS AC68U Router

[MissingTwins]

** Based on Merlin 380.68_4 Firmware, but should be working on any router that supports Entware.(also tested on 386.3_2) **
Added:19/11/26, all "zt0, zt1, ztzlgf7vul" can be replaced by zt+ for wild matching in iptables only!

1. Entware installation.
`$ entware-setup.sh`

2. Then install ZeroTier using Entware:
`$ opkg update`
`$ opkg install zerotier`

3. Start TUN
You might get this error in step 4 `Cannot open TUN/TAP dev /dev/net/tun: No such file or directory (errno=2)`, then run this at first.
`$ modprobe tun`

4. Start zerotier service
`$ zerotier-one -d`

5. Check service status, should be 200
`$ zerotier-cli info`

6. Joint zerotie network, before run this cmd, make sure you ___don't___ have ___0.0.0.0/0___ in your zerotier ___Managed Routes___, otherwise you will ___get disconnected___ from the Internet.
`$ zerotier-cli join <your network id>`
go to `my.zerotier.com` to enable your new node. `10.9.8.2` is router, `10.9.8.10` is VPS get your network id from `my.zerotier.com` network, it looks like this  `9afac5978a18fe8`

7. Test the network, should not work.
`$ ping 10.9.8.10 -c 4`
ping without '-c 4' or terminated by `ctrl-c` will cause zerotier crashing, if so run `zerotier-one -d` again

8. Add iptables rules
You may run  `iptables -v -L -n --line-numbers` first, get an idea of how your iptables looks. please don't just do copy & paste. ACCEPT all data from zerotier.
`$ iptables -I INPUT  -i zt+ -j ACCEPT`
Restart zerotier
`$ /opt/etc/init.d/S90zerotier-one.sh stop` or `killall zerotier-one`
`$ zerotier-one -d`

9. Test the network, should work this time.
`$ ping 10.9.8.10 -c 4` #Ctrl+C terminates the ping will crash the zerotier be careful

10. Allow FTP, SSH, WEBUI to be accessed from zerotier
`$ iptables -t nat -A PREROUTING -d 10.9.8.2 -p tcp --m multiport --dport 21,22,80 -j DNAT --to-destination 192.168.9.1`
Or alternative way: quote mark (the key next to the ! key on your keyboard ) around nvram get lan_ipaddr is needed.
$ iptables -t nat -I PREROUTING -i zt+ -d 10.9.8.0/24 -p tcp -m multiport --dport 21,22,80 -j DNAT --to-destination `nvram get lan_ipaddr`


11. Create the script to run zerotier: [URL]https://gist.github.com/meoso/b25bd410c8a54a1a013f0cc2d72b12ee[/URL]
`$ nano /opt/etc/init.d/S90zerotier-one.sh`
`$ chmod 755 /opt/etc/init.d/S90zerotier-one.sh`

12. Setup cron, check zerotier each minute
`$ cru a ZeroTierDaemon "* * * * * /opt/etc/init.d/S90zerotier-one.sh start"`

13. Scripts for booting
```
/jffs/scripts/nat-start #Changed from init-start to nat-start
/jffs/scripts/wan-start
/jffs/scripts/firewall-start
/opt/etc/init.d/S90zerotier-one.sh
```

14. Make all scripts excutable
`$ chmod a+rx /jffs/scripts/*`

-------------------------------------------------------

**Use these commands to debug iptables**

Reset Packet Counts and Aggregate Size
`$ iptables -Z`
`$ iptables -Z INPUT`
`$ iptables -Z INPUT 1`

include -v to see the entire rule.
`$ iptables -v -L -n --line-numbers`
`$ iptables -v -L INPUT -n --line-numbers`

see all nat tables
`$ iptables -v -t nat -L -n --line-numbers`

The line numbers help with deleting rules.
`$ iptables -D [INPUT|FORWARD|OUTPUT|myCHAINNAME] [Rule#]`

The -n speeds up the process by not doing hostname lookups
`$ iptables -nvL [INPUT|FORWARD|OUTPUT|myCHAINNAME] --line-numbers`

Put print debug info into syslog
`echo "$(date) Started ZeroTier-One" | logger -t "$(date) Started ZeroTier-One" -p user.notice ;`

List all known nodes
`$ arp -a`

-------------------------------------------------------

**All scripts

/jffs/scripts/nat-start

#!/bin/sh
modprobe tun

/jffs/scripts/wan-start

#!/bin/sh
cru a ZeroTierDaemon "* * * * * /opt/etc/init.d/S90zerotier-one.sh start"

/jffs/scripts/firewall-start

#!/bin/sh
logger -t "custom iptables" "Enter" -p user.notice
iptables -C INPUT -i zt+ -j ACCEPT
if [ $? != 0 ]; then
    iptables -I INPUT -i zt+ -j ACCEPT
    iptables -t nat -I PREROUTING -i zt+ -d 10.9.8.0/24 -p tcp -m multiport --dport 21,22,80 -j DNAT --to-destination `nvram get lan_ipaddr`
    logger -t "custom iptables" "rules added" -p user.notice
else
    logger -t "custom iptables" "rules existed skip" -p user.notice
fi

/opt/etc/init.d/S90zerotier-one.sh

#! /bin/sh

case "$1" in
  start)
    if lsmod | grep -q tun ;
    then echo "mod tun ready" ;
    else
        modprobe tun;
        logger -t "zerotier" -c "modprobe tun started, zerotier-one should start in one minute" -p user.notice ;
        exit 0;
    fi
    if ( pidof zerotier-one )
    then echo "ZeroTier-One is already running."
    else
        echo "Starting ZeroTier-One" ;
        /opt/bin/zerotier-one -d ;
        echo "$(date) ZeroTier-One Started" | logger -t "zerotier" -c "Started" -p user.notice ; #>> /opt/var/log/zerotier-one.log ;
    fi
    ;;
  stop)
    if ( pidof zerotier-one )
    then
        echo "Stopping ZeroTier-One";
        killall zerotier-one
        echo "$(date) ZeroTier-One Stopped" | logger -t "zerotier" -c "Stopped" -p user.notice ; #>> /opt/var/log/zerotier-one.log
    else
        echo "ZeroTier-One was not running" ;
    fi
    ;;
  status)
    if ( pidof zerotier-one )
    then echo "ZeroTier-One is running."
    else echo "ZeroTier-One is NOT running"
    fi
    ;;
  *)
    echo "Usage: /etc/init.d/zerotier-one {start|stop|status}"
    exit 1
    ;;
esac
exit 0

Updated 2019/11/05

If you experienced issues with zerotier ssh and webui. Such as putty hangs with outputting 10+ lines.
Try to change MTU from default 2800 to this or smaller value `ifconfig ztzlgf7vul mtu 1388`

Updated 2019/12/06
Removed the confusion over the iptables rules.

Updated 2021/12/22
Formatting

Updated 2022/09/01
Add warning about 0.0.0.0/0 in Managed Routes will cause losing the Internet.

Updated 2023/10/03, fixed typo(10/11)
Uploaded all scripts to github

https://github.com/MissingTwins/merlin_zerotier

 

[HRearden]

Thanks!

 

[corgan2222]

perfect! tnxs!

 

[javirnof]

hi. I've a problem. I've configured zerotier on asus router and I can ping from router to others zerotier clients and viceversa. But when i try to ping from LAN (pc connected to router), not works. Maybe i need to route zerotier range? Thanks

 

[MissingTwins]

hi. I've a problem. I've configured zerotier on asus router and I can ping from router to others zerotier clients and viceversa. But when i try to ping from LAN (pc connected to router), not works. Maybe i need to route zerotier range? Thanks

Try this, 10.9.8.0/24 is my zerotier network, 192.168.9.1 is my router LAN address.
The rule says that packets coming from 10.9.8.0/24 network and exiting via br0 will get the source ip-address set to 192.168.9.1.

iptables -t nat -A POSTROUTING -o br0 -s 10.9.8.0/24 -j SNAT --to-source 192.168.9.1
iptables -I FORWARD -i zt+ -d 192.168.9.0/24 -j ACCEPT
iptables -I FORWARD -i br0 -d 10.9.8.0/24 -j ACCEPT

Or alternative way

iptables -t nat -A POSTROUTING -o br0 -s 10.9.8.0/24 -j SNAT --to-source `nvram get lan_ipaddr`
iptables -I FORWARD -i zt+ -d `nvram get lan_ipaddr`/24 -j ACCEPT
iptables -I FORWARD -i br0 -d 10.9.8.0/24 -j ACCEPT

Then add a route table to you `my.zerotier.com/network/`
192.168.9.0/24 via 10.9.8.4

My router's zerotier address is 10.9.8.4 LAN IP is 192.168.9.1

Ping 192.168.9.6(my NAS) from my PC using cell phone network, this should be working.

$ ping 192.168.9.6

Pinging 192.168.9.6 with 32 bytes of data:
Reply from 192.168.9.6: bytes=32 time=69ms TTL=127
Reply from 192.168.9.6: bytes=32 time=74ms TTL=127

$ tracert -d 192.168.9.6

Tracing route to 192.168.9.6 over a maximum of 30 hops

  1    83 ms    66 ms    84 ms  10.9.8.4
  2   114 ms    72 ms    73 ms  192.168.9.6

Trace complete.

Changed on 2019/12/06:
Deleted a typo "-i br0 -s -d 10.9.8.0/24"

Changed on 2021/12/22:
Formatting

 

[Max Pixel]

drop ping from WAN... `$ iptables -I INPUT 1 -i ppp0 -p icmp -j DROP`

What is the purpose of this step? Why would I want to drop ping from WAN, and what does that have to do with ZeroTier?

I'm also wondering why I don't see a `ppp0` interface from `ifconfig` on my AC3100. Is it expected that I wouldn't see it, or does your AC68U have an interface that my AC3100 lacks?

index position is crucial! insert the rule at a specific position, run `iptables -v -L -n --line-numbers` first, get an idea of how your iptables looks. please don't just do copy & paste.
...
you should change the number 1.
ACCEPT all data from zerotier, you need change the number 8.
`$ iptables -I INPUT 8 -i zt0 -j ACCEPT`

What do I need to change the numbers 1 and 8 to? I see this from your suggested iptables command:

Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
num   pkts bytes target     prot opt in     out     source               destination
1        0     0 DROP       icmp --  eth0   *       0.0.0.0/0            0.0.0.0/0            icmptype 8
2    17212 4088K ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            state RELATED,ESTABLISHED
3      302 23218 DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0            state INVALID
4    21455 5317K PTCSRVWAN  all  --  !br0   *       0.0.0.0/0            0.0.0.0/0
5     5012  916K PTCSRVLAN  all  --  br0    *       0.0.0.0/0            0.0.0.0/0
6     5012  916K ACCEPT     all  --  br0    *       0.0.0.0/0            0.0.0.0/0            state NEW
7    20959 5259K ACCEPT     all  --  lo     *       0.0.0.0/0            0.0.0.0/0            state NEW
8      496 58094 OVPN       all  --  *      *       0.0.0.0/0            0.0.0.0/0            state NEW
9        0     0 ACCEPT     udp  --  *      *       0.0.0.0/0            0.0.0.0/0            udp spt:67 dpt:68
10       0     0 INPUT_ICMP  icmp --  *      *       0.0.0.0/0            0.0.0.0/0
11     496 58094 DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0

So, running the same command as you without changing 8 would insert before OVPN, after the series of "ACCEPT all someinterface". What are the ramifications of that? What do I need to be looking for or thinking about in order to know which idex is "correct"?

 

[MissingTwins]

What is the purpose of this step? Why would I want to drop ping from WAN, and what does that have to do with ZeroTier?

Has nothing to do with ZeroTier, you may ignore `$ iptables -I INPUT 1 -i ppp0 -p icmp -j DROP`.

What do I need to change the numbers 1 and 8 to? I see this from your suggested iptables command:

In your case, ACCEPT all data from zerotier should be put above the `DROP all `
This `$ iptables -I INPUT -i zt+ -j ACCEPT` would work.

So, running the same command as you without changing 8 would insert before OVPN, after the series of "ACCEPT all someinterface". What are the ramifications of that?

As long as your zt+ are private networks(not the earth network) , and controlled by yourself, you will be safe.
My purpose of number 8 was hoping that the firewall rules would come first and filtered out the junk packets before it reached our rules .

What do I need to be looking for or thinking about in order to know which idex is "correct"?

If you do this `$ iptables -A INPUT -i zt+ -j ACCEPT`. It will be added at the bottom of the list and Firewall rules comes the first , also DROP ALL will be more prioritized, then you will receive zero packets from zt+.

 

[Max Pixel]

Thanks for the clarification, MissingTwins (and thanks for this guide in the first place, forgot to mention that in my first post). I'm trying to truly understand the mechanics and logic behind this.

Regarding order, I see two "DROP all" items in there, @ 3 with a STATE INVALID filter, and @ 11 as what seems to simply be end-of-the-line. Before the second one, because the first one only drops invalid packets and we don't want those regardless of whether or not they're from ZeroTier, right? Or before the first one because all ZeroTier packets will come through as invalid?

How can you tell which ones are the firewall rules?


I did go ahead and try doing it with indices 1 and 8 respectively, and was then able to ping between router and external ZT client. Not between LAN machines and ZT clients, though, just like Javirnof described, so I followed the recommendation you gave to them. I ran into the `-s` typo and tried removing the `-s`, which it appears was the correct solution. I was then able to ping LAN machines from ZT clients, but not the other way around, and I wasn't able to successfully establish an RDP connection despite being able to ping. I'll take another look at it tomorrow or this weekend - I think I'll have to look into how to effectively debug IPTables.

 

[MissingTwins]

How can you tell which ones are the firewall rules?

You may try to turn off the Firewall in WebGUI and see what will happen to the INPUT filter.

Before the second one, because the first one only drops invalid packets and we don't want those regardless of whether or not they're from ZeroTier, right? Or before the first one because all ZeroTier packets will come through as invalid?

@ 3 just filters bad and invalid packets, you'd better put zt+ after that, so as to not flood the system with junk data.
You may give it a try by youself, just put zt+ either after @ 3 or after @11, run this to clear the counters `iptables -Z INPUT`.
Access you router ZeroTier address by browser or curl and `iptables -nL INPUT -v` to see how those counters changes.

I was then able to ping LAN machines from ZT clients, but not the other way around, and I wasn't able to successfully establish an RDP connection despite being able to ping.

Your problem seems at this rule. Or maybe your ZT clients block ICMPs.
`iptables -I FORWARD -i br0 -d 10.9.8.0/24 -j ACCEPT`

Try to run a simple HTTP_SERVER on your ZT clients, and test again.
https://github.com/http-party/http-server

I suggest using curl when debugging the iptables.

 

[Dagger]

Hi MissingTwins. Thanks a lot for your guide. It really helped me as I'm behind a CG-NAT and I dind't know that ZeroTier could be configured on asuswrt.

The thing is that in my case sometimes it works and sometimes it doesn't.

I'm using a double WAN (in case it matters) and the routers of my providers are located at: 192.168.1.1 and the other one at 192.168.8.1

My asuswrt LAN is at 192.168.0.1 (all the computer printers, etc have an ip of 192.168.0.X).
The assigned IP for my router at ZeroTier is 192.168.10.1
The assigned IP for the computer at my work (in a totally different network and location) is 192.168.10.250

My Zerotier Managed Routes are:

192.168.0.0/24      via       192.168.10.1
192.168.10.0/24

My Zerotier Assigned IP are:

Router 192.168.10.1
Work computer   192.168.10.250

I ended up running these iptable scripts at firewall-start:

iptables -I INPUT -i zt+ -j ACCEPT
iptables -t nat -I PREROUTING -d 192.168.10.1 -j DNAT --to-destination `nvram get lan_ipaddr`
iptables -t nat -I POSTROUTING -o br0 -s 192.168.10.0/24 -j SNAT --to-source `nvram get lan_ipaddr`
iptables -I FORWARD -i zt+ -d `nvram get lan_ipaddr`/24 -j ACCEPT
iptables -I FORWARD -i br0 -d 192.168.10.0/24 -j ACCEPT

And this is my iptables

admin@RT-AC68U-F708:/jffs# iptables -v -L INPUT -n --line-numbers
Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
num   pkts bytes target     prot opt in     out     source               destination
1       32  2814 ACCEPT     all  --  zt+    *       0.0.0.0/0            0.0.0.0/0
2      411 87132 INPUT_PING  icmp --  *      *       0.0.0.0/0            0.0.0.0/0            icmptype 8
3     6327  855K ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            state RELATED,ESTABLISHED
4        7   434 DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0            state INVALID
5     1130  252K PTCSRVWAN  all  --  !br0   *       0.0.0.0/0            0.0.0.0/0
6      458 33771 PTCSRVLAN  all  --  br0    *       0.0.0.0/0            0.0.0.0/0
7      458 33771 ACCEPT     all  --  br0    *       0.0.0.0/0            0.0.0.0/0            state NEW
8     1122  251K ACCEPT     all  --  lo     *       0.0.0.0/0            0.0.0.0/0            state NEW
9        8   552 OVPN       all  --  *      *       0.0.0.0/0            0.0.0.0/0            state NEW
10       0     0 INPUT_ICMP  icmp --  *      *       0.0.0.0/0            0.0.0.0/0
11       8   552 DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0
admin@RT-AC68U-F708:/jffs# iptables -v -L FORWARD -n --line-numbers
Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
num   pkts bytes target     prot opt in     out     source               destination
1        0     0 ACCEPT     all  --  br0    *       0.0.0.0/0            192.168.10.0/24
2        0     0 ACCEPT     all  --  zt+    *       0.0.0.0/0            192.168.0.0/24
3      320 16928 TCPMSS     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcpflags: 0x06/0x02 TCPMSS clamp to PMTU
4    12811 7975K ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            state RELATED,ESTABLISHED
5        0     0 other2wan  all  --  !br0   eth0    0.0.0.0/0            0.0.0.0/0
6        0     0 other2wan  all  --  !br0   eth3    0.0.0.0/0            0.0.0.0/0
7        0     0 ACCEPT     all  --  br0    br0     0.0.0.0/0            0.0.0.0/0
8        0     0 ACCEPT     all  --  br0    br0     192.168.0.0/24       192.168.1.0/24
9        1    40 DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0            state INVALID
10    1046 69882 ACCEPT     all  --  br0    *       0.0.0.0/0            0.0.0.0/0
11       0     0 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            ctstate DNAT
12       0     0 OVPN       all  --  *      *       0.0.0.0/0            0.0.0.0/0            state NEW
13       0     0 DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0
admin@RT-AC68U-F708:/jffs# iptables -v -t nat  -L PREROUTING -n --line-numbers
Chain PREROUTING (policy ACCEPT 1673 packets, 188K bytes)
num   pkts bytes target     prot opt in     out     source               destination
1        0     0 DNAT       all  --  *      *       0.0.0.0/0            192.168.10.1         to:192.168.0.1
2       12   672 VSERVER    all  --  *      *       0.0.0.0/0            192.168.1.2
3       20  1224 VSERVER    all  --  *      *       0.0.0.0/0            192.168.8.100
admin@RT-AC68U-F708:/jffs# iptables -v -t nat  -L POSTROUTING -n --line-numbers
Chain POSTROUTING (policy ACCEPT 658 packets, 67843 bytes)
num   pkts bytes target     prot opt in     out     source               destination
1        0     0 SNAT       all  --  *      br0     192.168.10.0/24      0.0.0.0/0            to:192.168.0.1
2      992 74399 PUPNP      all  --  *      eth0    0.0.0.0/0            0.0.0.0/0
3      533 41416 PUPNP      all  --  *      eth3    0.0.0.0/0            0.0.0.0/0
4      791 54327 MASQUERADE  all  --  *      eth0   !192.168.1.2          0.0.0.0/0
5      241 14546 MASQUERADE  all  --  *      eth3   !192.168.8.100        0.0.0.0/0
6       48 10033 MASQUERADE  all  --  *      br0     192.168.0.0/24       192.168.0.0/24
admin@RT-AC68U-F708:/jffs#

From Home:
From the router I can ping the machine at my work but from my personal computer at home I can't unless I install the ZeroTier app and assign an IP for it

From work:
I cannot ping the router or access to the web management (192.168.10.1 or 192.168.0.1). I can't ping any machine in the network aswell

Is there something I'm missing? I would love to access my local network from work and my work computer from home without installing the ZeroTier app
I've managed to do it once but sometimes after I reboot it stops working and after a lot of trials I didn't managed to succeed anymore.

Thanks a lot!!

EDIT: I disabled the dual wan and it seems to work fine so it looks as the issues are related with it

This is the ip tables when dual wan is disabled

admin@RT-AC68U-F708:/jffs# iptables -v -L INPUT -n --line-numbers
Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
num   pkts bytes target     prot opt in     out     source               destination
1      251 21923 ACCEPT     all  --  zt+    *       0.0.0.0/0            0.0.0.0/0
2     1549  328K INPUT_PING  icmp --  *      *       0.0.0.0/0            0.0.0.0/0            icmptype 8
3     9514 1845K ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            state RELATED,ESTABLISHED
4        0     0 DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0            state INVALID
5     5086 1136K PTCSRVWAN  all  --  !br0   *       0.0.0.0/0            0.0.0.0/0
6     1575  279K PTCSRVLAN  all  --  br0    *       0.0.0.0/0            0.0.0.0/0
7     1575  279K ACCEPT     all  --  br0    *       0.0.0.0/0            0.0.0.0/0            state NEW
8     5073 1134K ACCEPT     all  --  lo     *       0.0.0.0/0            0.0.0.0/0            state NEW
9       13  1369 OVPN       all  --  *      *       0.0.0.0/0            0.0.0.0/0            state NEW
10       0     0 INPUT_ICMP  icmp --  *      *       0.0.0.0/0            0.0.0.0/0
11      13  1369 DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0
admin@RT-AC68U-F708:/jffs# iptables -v -L FORWARD -n --line-numbers
Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
num   pkts bytes target     prot opt in     out     source               destination
1        2   120 ACCEPT     all  --  br0    *       0.0.0.0/0            192.168.10.0/24
2        2   120 ACCEPT     all  --  zt+    *       0.0.0.0/0            192.168.0.0/24
3     9928 3171K ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            state RELATED,ESTABLISHED
4        0     0 other2wan  all  --  !br0   eth0    0.0.0.0/0            0.0.0.0/0
5        0     0 ACCEPT     all  --  br0    br0     0.0.0.0/0            0.0.0.0/0
6        0     0 ACCEPT     all  --  br0    br0     192.168.0.0/24       192.168.1.0/24
7        8   380 DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0            state INVALID
8     4233  289K ACCEPT     all  --  br0    *       0.0.0.0/0            0.0.0.0/0
9        0     0 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            ctstate DNAT
10       0     0 OVPN       all  --  *      *       0.0.0.0/0            0.0.0.0/0            state NEW
11       0     0 DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0
admin@RT-AC68U-F708:/jffs# iptables -v -t nat  -L PREROUTING -n --line-numbers
Chain PREROUTING (policy ACCEPT 518 packets, 36122 bytes)
num   pkts bytes target     prot opt in     out     source               destination
1        5   260 DNAT       all  --  *      *       0.0.0.0/0            192.168.10.1         to:192.168.0.1
2       91  5737 VSERVER    all  --  *      *       0.0.0.0/0            192.168.1.2
admin@RT-AC68U-F708:/jffs# iptables -v -t nat  -L POSTROUTING -n --line-numbers
Chain POSTROUTING (policy ACCEPT 137 packets, 14679 bytes)
num   pkts bytes target     prot opt in     out     source               destination
1        1    60 SNAT       all  --  *      br0     192.168.10.0/24      0.0.0.0/0            to:192.168.0.1
2     4931  357K PUPNP      all  --  *      eth0    0.0.0.0/0            0.0.0.0/0
3     4184  287K MASQUERADE  all  --  *      eth0   !192.168.1.2          0.0.0.0/0
4      248 47350 MASQUERADE  all  --  *      br0     192.168.0.0/24       192.168.0.0/24

 

[MissingTwins]

EDIT: I disabled the dual wan and it seems to work fine so it looks as the issues are related with it

1. Asuswrt Dual WAN is causing a lot of problems.
2. Use this to check your route tables, make sure your packets entering and exiting through the same gateway.
`ip route`
3. If you really want to use the second WAN, I recommend that you manually configure route table for specific ip range to utilize the second WAN.

 

[Pradrone]

How to perform following steps .
go to `my.zerotier.com` to enable your new node. `10.9.8.2` is router, `10.9.8.10` is VPS get your network id from `my.zerotier.com` network, it looks like this `9afac5978a18fe8`
To enable new node - do we need to create manually for router and VPS ?

Right now at step 6. Joint zerotie network
`$ zerotier-cli join <your network id>` [got the network id after register to my.zerotier.com]
also it is display "One device has joined this network."
And are manage routes are different than `10.9.8.2` is router, `10.9.8.10` is VPS ?
Please advice

 

[MissingTwins]

How to perform following steps .
go to `my.zerotier.com` to enable your new node. `10.9.8.2` is router, `10.9.8.10` is VPS get your network id from `my.zerotier.com` network, it looks like this `9afac5978a18fe8`
To enable new node - do we need to create manually for router and VPS ?

Right now at step 6. Joint zerotie network
`$ zerotier-cli join <your network id>` [got the network id after register to my.zerotier.com]
also it is display "One device has joined this network."
And are manage routes are different than `10.9.8.2` is router, `10.9.8.10` is VPS ?
Please advice

Scroll down to the page
https://my.zerotier.com/network/<your network id>
You will see a title bar like this:

Auth? Address Name/Description Managed IPs Last Seen Version Physical IP

Under the AUTH? tag, there is a checkbox, check it to enable your node. You need to execute 'zerotier-cli join <your network id>' before you can see this checkbox.

10.9.8.x is my choice, you can pick up whatever private address you like such as 192.168.x.x, as long as it does not overlap with your current network. You may manually assign Managed IPs to you node at this page, https://my.zerotier.com/network/<your network id>

 

[Pradrone]

Scroll down to the page
https://my.zerotier.com/network/<your network id>
You will see a title bar like this:

Auth? Address Name/Description Managed IPs Last Seen Version Physical IP

Under the AUTH? tag, there is a checkbox, check it to enable your node. You need to execute 'zerotier-cli join <your network id>' before you can see this checkbox.

10.9.8.x is my choice, you can pick up whatever private address you like such as 192.168.x.x, as long as it does not overlap with your current network. You may manually assign Managed IPs to you node at this page, https://my.zerotier.com/network/<your network id>

Perfect!, thanks a-lot. With above steps, I am able to access router from outside. Do u have any idea how to further use it as VPN i.e connect mobile network/ open wifi hotspots to connect home router and access internet safely?

 

[MissingTwins]

Perfect!, thanks a-lot. With above steps, I am able to access router from outside.

You're welcome.

Do u have any idea how to further use it as VPN

I linked all my home computers into a VPN, I can access them from anywhere.
Also installed on my VPSs and SSH them only through zerotier.
It's especially handy for accessing maintenance WebUI in all kind of services.

i.e connect mobile network/ open wifi hotspots to connect home router and access internet safely?

For that kind of usages, I recommend checking out shadowsocks-libev & shadowsocks-android or Quantumult for iOS.

 

[Pradrone]

You're welcome.


I linked all my home computers into a VPN, I can access them from anywhere.
Also installed on my VPSs and SSH them only through zerotier.
It's especially handy for accessing maintenance WebUI in all kind of services.


For that kind of usages, I recommend checking out shadowsocks-libev & shadowsocks-android or Quantumult for iOS.

Thanks, but I was thinking why can't we utilize inbuild openvpn/pptp servers?
Also if I use android zerotier app with 'Route via zeroTier' check box enabled, it was working fine wrt router access/usb access except not able to access internet.

 

[MissingTwins]

Thanks, but I was thinking why can't we utilize inbuild openvpn/pptp servers?
Also if I use android zerotier app with 'Route via zeroTier' check box enabled, it was working fine wrt router access/usb access except not able to access internet.

OpenVPN is blocked by some hotels, PPTP is obsolete.
OpenVPN is also hard to configure.

None of them supports advanced net filters and custom route decisions. Shadowsocks based clients support all those features. Also it is very hard to be censored or blocked.

it was working fine wrt router access/usb access except not able to access internet.

That's what I was talking about. With shadowsocks and zerotier combined, you can access your VPN while surfing the Internet.

 

[Pradrone]

OpenVPN is blocked by some hotels, PPTP is obsolete.
OpenVPN is also hard to configure.

None of them supports advanced net filters and custom route decisions. Shadowsocks based clients support all those features. Also it is very hard to be censored or blocked.



That's what I was talking about. With shadowsocks and zerotier combined, you can access your VPN while surfing the Internet.

Thank you so much, but I tried to look into shadowsocks server setup for asus merlin Ac68u but seams like it doesn't have any active support for merlin version and only openwrt supported.
https://shadowsocks.org/en/download/servers.html
https://shadowsocks.org/en/spec/Implementations.html
Do you have reference for asus merlin setup steps?

 

[MissingTwins]

Thank you so much, but I tried to look into shadowsocks server setup for asus merlin Ac68u but seams like it doesn't have any active support for merlin version and only openwrt supported.

Actually it does.

Do you have reference for asus merlin setup steps?

**Based on Merlin 384.14_0 Firmware kernel 2.6.36.4 , but should be working on any router that supports Entware.**

1. Entware installation.
$ entware-setup.sh

2. Then install ss-server using Entware:
$ opkg update
$ opkg list shadowsocks*
$ opkg install shadowsocks-libev-ss-server

3. Start tmux, you can connect back with `tmux a -dt0`, or start a new one
$ tmux

4. Start shadowsocks-libev server on Merlinwrt, this will work when you at both inside and outside of your router.
$ ss-server -s `nvram get lan_ipaddr` -p 8388 -k YOURPASSWORD -m chacha20-ietf-poly1305 -u --reuse-port --no-delay -v

5. Add an iptables rule, open udp/tcp ports on your wan, add them to your \jffs\scripts\firewall-start
$ iptables -t nat -A PREROUTING -i ppp0 -p tcp --dport 8388 -j DNAT --to-destination `nvram get lan_ipaddr`
$ iptables -t nat -A PREROUTING -i ppp0 -p udp --dport 8388 -j DNAT --to-destination `nvram get lan_ipaddr`
$ iptables -I INPUT -i ppp0 -p tcp --destination-port 8388 -j ACCEPT
$ iptables -I INPUT -i ppp0 -p udp --destination-port 8388 -j ACCEPT

6. Add a deamon for your ss-server at \jffs\scripts\wan-start
cru a SSServerDaemon "*/1 * * * * /opt/etc/init.d/S22ss-server-deamon.sh start"

----------------------------------------------
# If you want to confige it as a background service.

7. Scripts for shadowsocks-server configuation, don't forget to change the server IP address 192.168.x.1
```
shadowsocks-server.json
{
"server":"192.168.x.1",
"server_port":8388,
"password":"YOURPASSWORD",
"timeout":60,
"mode": "tcp_and_udp",
"method":"chacha20-ietf-poly1305"
}
```

8. Service shell in \opt\etc\init.d\S22shadowsocks-server
```
#!/bin/sh

ENABLED=yes
PROCS=ss-server
ARGS="-c /opt/etc/shadowsocks-server.json"
PREARGS=""
DESC=$PROCS
PATH=/opt/sbin:/opt/bin:/opt/usr/bin:/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin

[ -z "$(which $PROCS)" ] && exit 0

. /opt/etc/init.d/rc.func
```

9. S22ss-server-deamon.sh
```
#! /bin/sh

case "$1" in
start)

if ( pidof ss-server )
then echo "ss-server is already running."
else
echo "Starting ss-server" ;
/opt/etc/init.d/S22shadowsocks-server start ;
echo "$(date) ss-server Started" | logger -t "ss-server" -c "Started" -p user.notice ; #>> /opt/var/log/ss-server.log ;
fi
;;
stop)
if ( pidof ss-server )
then
echo "Stopping ss-server";
killall ss-server
echo "$(date) ss-server Stopped" | logger -t "ss-server" -c "Stopped" -p user.notice ; #>> /opt/var/log/ss-server.log
else
echo "ss-server was not running" ;
fi
;;
status)
if ( pidof ss-server )
then echo "ss-server is running."
else echo "ss-server is NOT running"
fi
;;
*)
echo "Usage: /opt/etc/init.d/S22ss-server-deamon.sh {start|stop|status}"
exit 1
;;
esac

exit 0
```

 

[Pradrone]

Actually it does.



**Based on Merlin 384.14_0 Firmware kernel 2.6.36.4 , but should be working on any router that supports Entware.**

1. Entware installation.
$ entware-setup.sh

2. Then install ss-server using Entware:
$ opkg update
$ opkg list shadowsocks*
$ opkg install shadowsocks-libev-ss-server

3. Start tmux, you can connect back with `tmux a -dt0`, or start a new one
$ tmux

4. Start shadowsocks-libev server on Merlinwrt, this will work when you at both inside and outside of your router.
$ ss-server -s `nvram get lan_ipaddr` -p 8388 -k YOURPASSWORD -m chacha20-ietf-poly1305 -u --reuse-port --no-delay -v

5. Add an iptables rule, open udp/tcp ports on your wan, add them to your \jffs\scripts\firewall-start
$ iptables -t nat -A PREROUTING -i ppp0 -p tcp --dport 8388 -j DNAT --to-destination `nvram get lan_ipaddr`
$ iptables -t nat -A PREROUTING -i ppp0 -p udp --dport 8388 -j DNAT --to-destination `nvram get lan_ipaddr`

6. Add a deamon for your ss-server at \jffs\scripts\wan-start
cru a SSServerDaemon "*/1 * * * * /opt/etc/init.d/S22ss-server-deamon.sh start"

----------------------------------------------
# If you want to confige it as a background service.

7. Scripts for shadowsocks-server configuation, don't forget to change the server IP address 192.168.x.1
```
shadowsocks-server.json
{
"server":"192.168.x.1",
"server_port":8388,
"password":"YOURPASSWORD",
"timeout":60,
"mode": "tcp_and_udp",
"method":"chacha20-ietf-poly1305"
}
```

8. Service shell in \opt\etc\init.d\S22shadowsocks-server
```
#!/bin/sh

ENABLED=yes
PROCS=ss-server
ARGS="-c /opt/etc/shadowsocks-server.json"
PREARGS=""
DESC=$PROCS
PATH=/opt/sbin:/opt/bin:/opt/usr/bin:/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin

[ -z "$(which $PROCS)" ] && exit 0

. /opt/etc/init.d/rc.func
```

9. S22ss-server-deamon.sh
```
#! /bin/sh

case "$1" in
start)

if ( pidof ss-server )
then echo "ss-server is already running."
else
echo "Starting ss-server" ;
/opt/etc/init.d/S22shadowsocks-server start ;
echo "$(date) ss-server Started" | logger -t "ss-server" -c "Started" -p user.notice ; #>> /opt/var/log/ss-server.log ;
fi
;;
stop)
if ( pidof ss-server )
then
echo "Stopping ss-server";
killall ss-server
echo "$(date) ss-server Stopped" | logger -t "ss-server" -c "Stopped" -p user.notice ; #>> /opt/var/log/ss-server.log
else
echo "ss-server was not running" ;
fi
;;
status)
if ( pidof ss-server )
then echo "ss-server is running."
else echo "ss-server is NOT running"
fi
;;
*)
echo "Usage: /opt/etc/init.d/S22ss-server-deamon.sh {start|stop|status}"
exit 1
;;
esac

exit 0
```

Awesome, Thanks for sharing !

I tried above script and when I'm on my local network I can connect to the shadowsocks server on my router. When I'm outside my local network I cannot connect.

ServerSide/Asus 68u configuration
shadowsocks-server.json
{
"server":"192.168.1.1",
"server_port":8388,
"password":"YOURPASSWORD",
"timeout":60,
"mode": "tcp_and_udp",
"method":"chacha20-ietf-poly1305"
}

\opt\etc\init.d\S22shadowsocks-server
...
PROCS=ss-server
...

Client side
After connecting to zerotier app
install and connect shadowsocks client app with below configuration
Configuration
ServerIP https://my.zerotier.com/manageIP for Asus router
Port 8388
password:"YOURPASSWORD"
encryption:"chacha20-ietf-poly1305"

Please advice!