ZeroTier Exit Node - BerylAX


I have two BerylAX Routers that I am using (one for home and one for Travel). What I would like to be able to do is use my travel router to route all traffic through my home router IP address.

What I have done thus far is:

  1. Setup new zerotier network
  2. Enable zerotier on both Home and Travel router, joining them to the same ZeroTier Network
  3. On Home router, enable ‘Remote Access WAN’
  4. Set up a managed route in Zerotier: via ZeroTier Managed IP for Home Router

…and this is where I got stuck! Joining the Wi-Fi for the travel router, I get the public IP address of the travel router, not my home router.

Any ideas on how to forward the traffic between travel routers would be appreicated.

Do you not have public IP at your home?

Why not using a simple client/server setup?

Why not use wire guard

See these threads, these two should get you where you want to go. You will likely need to build a “tunnel in a tunnel.” You will want Zerotier to get past your ISP’s CG-NATing and filtering (most home grade internet providers that I know of will NOT let you build a VPN directly, unless you have a business-tier line). Wireguard (over the internal Zerotier IP address) to route traffic and to prevent accidental IP leakage. If you were to rely on Zerotier ONLY, you will need to setup a persistent route in advanced configurations of your travel router, PLUS you might accidentally leak your IP if the persistent route gets flushed, and need to rely on custom scripts. So I STRONGLY recommend the tunnel in a tunnel approach here since it is much more reliable and supportable for 99% of people.

Home Router is behind CG-NAT and this would require port forwarding

I think I may have been able to solve the issue through issuing the following command on my travel router:

sudo zerotier-cli set zerotiernetworkdid allowDefault=1

Still testing to see if this survives a reboot or not!

Zerotier is used to get around the CG-Nating. Yes, you can enforce a persistent route, however you will likely have long term issues if the network blips, or restarts, or a firmware update etc. That is why I recommend layering Wireguard within Zerotier. The performance hit should be very negligible, plus you have a SUPPORTED way to prevent accidental leakage. And assuming you have a reasonably well paid corporate job, they can and WILL detect “accidental blips” (tools like Zscaler cloud, Netskope, Microsoft Conditional Access etc) and build a case on you and terminate you. Trust me, I have been there. You will want a bulletproof and supported way to ensure that you NEVER leak your IP. “Blocking non-vpn traffic” within the Glinet router with Wireguard will mean you will stay safe, even if you fail over to a tethered connection, or your config gets accidentally wiped, and allows you to stay within a SUPPORTED solution from Glinet.