Help with ZeroTier routing between GL.iNet devices

I have two devices. I have a Brume 2 plugged into a LAN port on my home router. I have enabled ZeroTier on this device, and WAN port sharing (plugged into router via local WAN). Within the ZeroTier portal, I have a managed route of via (Brume 2 device). On my cell phone, I have the ZeroTier app, and when I enable “route all traffic through ZeroTier”, I successfully show my home IP address on my cell phone. I also have a Beryl AX router for travel purposes, and have connected it to the ZeroTier network. However, for the life of me, I can’t accomplish the “route all traffic through ZeroTier” in similar fashion. I am not really a networking guy, and I can’t for the life of me figure out how to route this traffic successfully. I know I need to get some static routes configured in advanced config, but despite ChatGPT and some tinkering, I am failing to get this to work. Any suggestions/recommendations?

I added this to local startup commands (luci gui) to make it work on x750:
/usr/sbin/mwan3 stop

I have resolved this via a “tunnel in a tunnel” method. After ZeroTier is established, I am enforcing a WireGuard connection as well, and leveraging WireGuard’s native traffic protection features in order to accomplish what I want.

I am trying to do the same thing as you. I would like to work remotely thru my home router. And also go to certain websites as they are set up to only be accessed thru my home IP location.

I have two Beryl AX routers. One set up at home, connected from the T-Mobile Home router to the WAN port of the Beryl AX. I have set up ZeroTier on the Beryl AX and enabled LAN on the Beryl AX home router. Entered and saved the two IP addresses displayed on the ZeroTier page on the Beryl AX home router in the Managed Routes setting on

Next I did the same on the “travel” router but added WAN connection (instead of LAN) on the ZeroTier travel router page and added the displayed IP addresses to the Managed Routes.

What else do I have to do (or you did) to connect remotely to my home router via any devices connected to my travel router and browse the internet as if I were home?

I am not a techie so the more details/critique you can give me is greatly appreciated.

Note: The T-Mobile Home Internet router cannot be changed, no port forwarding, hence I’m trying to accomplish this via ZeroTier.

On your “home” Beryl AX router, you will need to enable the “WAN” checkbox for ZeroTier. On your “travel” Beryl AX router, you will NOT need any additional checkboxes enabled. That should complete the ZeroTier configuration.

After that, set up a WireGuard server on your “home” Beryl AX, then export the config file. Import the config file into your travel Beryl AX router under the WireGuard client (add a “New Group”, then add the config after that). Before importing the config file, I modified the config file so it uses the internal/ZeroTier IP of the home router, since I believe it will default to your public IP at home, and you want the traffic to route over your ZeroTier network (only). After that, you are more or less done; just go to the VPN dashboard to enable the connection.

As mentioned earlier, on your travel router, you will want to set “block non-vpn traffic” as well under “Global Options”, otherwise you will likely accidentally leak your local IP if the internet blips or the tunnel goes down. This setting will ensure your network DROPS instead of leaking your location. After that you are bulletproof! Any LAN traffic (wired or wireless) will be funneled through your ZeroTier and WireGuard-protected network.

This combo is great since you can really configure 99% of this right through the GL.iNet GUI, and won’t really need to mess with scripting or anything custom at all. The only “modification” is the IP adjustment on the WireGuard config file when importing. I hope that helps!

Here are some screenshots that may help. Here is my “home configuration”. I have Remote Access LAN enabled as well, but that is not necessary.

Here is my travel router setup:

Notice how I have the config updated to my internal/ZeroTier IP address for my home router, and not a public IP address.

Lastly, here is the route I added to ZeroTier:

If you can follow these instructions and screenshots, this should get you where you want to go! Happy nomading!

The T-Mobile Home router does not allow port forwarding. Is that a problem with setting up a WireGuard server on the home router?

Also, I do not know how to export and/or import files from the routers. Could I use a MacBook Pro to do this? And if yes, can I use the Terminal app or do I need other software?

You’ve been very generous with your explanations already. Your screenshots are great. Thank you so much.

This is the purpose of ZeroTier. Long story short, it allows you to build an “internal network” over the internet, so port forwarding will be a non-issue. For the WireGuard configuration, screenshots below for export process:

After you download that configuration file, change the “endpoint IP” from your home’s public IP address to the ZeroTier IP address in a text editor. You should then be able to use that file to import into your travel router via the GUI in order to complete the configuration.
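
The endpoint edit described in the replies above, as an added example that is not part of the original posts: a Python helper that swaps the `Endpoint` host in an exported WireGuard client config for the home router's ZeroTier address and refuses any address outside the ZeroTier managed subnet. The config text, keys, addresses and the `10.147.17.0/24` subnet are constructed placeholders, and the function names are hypothetical.

```python
import ipaddress
import re

# Constructed sample of an exported client config; keys and IPs are placeholders.
SAMPLE_CONF = """\
[Interface]
Address = 10.0.0.2/24
PrivateKey = <client-private-key-placeholder>
DNS = 10.0.0.1

[Peer]
PublicKey = <server-public-key-placeholder>
AllowedIPs = 0.0.0.0/0, ::/0
Endpoint = 203.0.113.10:51820
PersistentKeepalive = 25
"""

# Groups: key and "=" as written, host part, port.
ENDPOINT_RE = re.compile(
    r"^([ \t]*Endpoint[ \t]*=[ \t]*)(\S+):(\d+)[ \t]*$", re.I | re.M)


def retarget_endpoint(conf_text, zt_home_ip, zt_subnet):
    """Return conf_text with the Endpoint host replaced by zt_home_ip."""
    # Reject anything outside the ZeroTier managed range, so a public
    # address cannot end up in the file by mistake.
    if ipaddress.ip_address(zt_home_ip) not in ipaddress.ip_network(zt_subnet):
        raise ValueError(f"{zt_home_ip} is not in ZeroTier subnet {zt_subnet}")
    found = ENDPOINT_RE.findall(conf_text)
    if len(found) != 1:
        raise ValueError(f"expected one Endpoint line, found {len(found)}")
    # Keep the key name and port exactly as exported; swap only the host.
    return ENDPOINT_RE.sub(
        lambda m: f"{m.group(1)}{zt_home_ip}:{m.group(3)}", conf_text)


def is_full_tunnel(conf_text):
    """True if AllowedIPs sends all IPv4 traffic (0.0.0.0/0) into the tunnel."""
    m = re.search(r"^[ \t]*AllowedIPs[ \t]*=[ \t]*(.+)$", conf_text, re.I | re.M)
    return bool(m) and "0.0.0.0/0" in [p.strip() for p in m.group(1).split(",")]


if __name__ == "__main__":
    print(retarget_endpoint(SAMPLE_CONF, "10.147.17.5", "10.147.17.0/24"))
```
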

Thank you, Sir. Followed all your instructions, which were easy to follow. Both the WireGuard server and the WireGuard client are showing green on the home and travel router respectively. (I also printed them just in case.)

Just a few curiosity questions. How can I test this at home? I do not have an “independent” internet connection to test.

Also, when everything is active and you’re not traveling, do you disconnect the WireGuard server and the ZeroTier connection? Wondering if those connections slow down the internet speed.

Thanks again for working with me.

The best way to test this is to A) leave your home with your laptop and travel router and actually test “in vivo” or B) tether your travel router to your cell phone (either via USB cable or wirelessly). But yes, you should test this OUTSIDE of your house if you plan to use this setup. I wouldn’t want to fly to another country only to learn I messed up a minor config :wink:

I leave the WireGuard server and ZeroTier connection up at all times. Granted, my “home router” is a Flint 2, and not a Beryl AX. Obviously, you will be proxying your connection off of your home internet, so whatever traffic you use “remotely” will be consumed at home. But I live/work remotely full time, and keep everything on at all times on the home router/server. I have a 500/500 Mbps connection at my house, and that is sufficient for my remote working, AND powering all the wireless devices for my house and my tenants (I manage a rental property). YMMV.

I would say, if you are using a Beryl AX as a “home router”, you would probably be better off swapping it for a Flint 2. If your “home router” is to ONLY serve as a hardware VPN endpoint, you may be better served with a Brume 2 (no wireless capabilities). My travel router is a Beryl AX, and as mentioned, my home router is a Flint 2. I also gave a buddy a Brume 2 who lives across the country. That way if my house explodes, I have a secondary connection option.

Pro tip: I also recommend making sure your home internet devices (modem/router/GL.iNet stuff) are hooked into a UPS. You don’t want a brown/blackout at your home killing your internet connection while in the middle of a critical call while working remotely.

Pro tip 2: You MAY want to coordinate with a buddy before you attempt any remote firmware upgrades on your home router. I have had glitches occur when remotely upgrading my Flint 2. Luckily, I rent out my “home” to a buddy, who can just reboot the sucker physically if I hit a snag during a firmware upgrade. It sounds like a stupid thing, but coordinating someone to reboot your router when you are halfway across the world and have work to do is sort of a PITA :wink:

Yes, we have a UPS. The nice thing about a cellular router, cellular hardly ever goes out unless the router hiccups. I have added a “keep connect” device. The router plugs into the keep connect. Keep connect resets the router every night and sends out pings. If no response, the router will be reset.

Disadvantage is the speed of the internet. But it’s just the 2 of us. We’re in our 70’s and 80’s. We’re not on tick tock, just occasionally Facebook, watch/read the news and stream movies.

I feel it may be better for my situation to work remotely on a “specific” website when needed instead of helping via Zoom and or telephone. Very time consuming. So there is a backup …

I tethered my ATT cell phone, with Wi-Fi disabled, to the travel router, with no fallback on the travel router. Connected to the travel router, I was connected to a T-Mobile IP address. Pretty good. :slight_smile:

Fingers crossed.

Thanks again for all your input.

Hello guys, I hope you are doing well. I have 2 routers ("Home" Beryl (AX300) and Slate AXT1800 "Traveler"). Question: do I have to get a ZeroTier IP address for each router, or just for the "HOME" router? I just got one IP address for the home router, and the WireGuard client (on the traveler router) shows a yellow light. I am a novice, so I would appreciate any help.

You need either ZeroTier on each of your devices + the home router, or on your home router + your travel router.

ZeroTier isn't WireGuard, so you don't need WireGuard then.