
ZeroTier

ZeroTier provides software-defined networking capabilities that enable creation of virtual Ethernet networks spanning multiple locations without traditional VPN infrastructure. Integrated into RouterOS since v7.1, ZeroTier creates mesh VPN topologies where endpoints can communicate directly with each other, reducing latency and eliminating single points of failure.

Unlike traditional VPNs that require central servers or concentrators, ZeroTier uses a decentralized control plane. Each node connects to the ZeroTier network controller to obtain network membership and peer information, then establishes direct peer-to-peer connections with other members when possible. This architecture provides excellent performance and reliability.

ZeroTier integrates seamlessly with RouterOS, allowing routers to join ZeroTier virtual networks alongside computers, phones, and other devices. The router can function as a gateway, bridging traffic between the ZeroTier network and local networks, or simply as a participant accessing resources on the virtual network.

The technology uses ZeroTier’s network hypervisor concept, where a unique 40-bit network ID identifies each virtual network. Members receive cryptographic identities and can communicate once authorized to the network. The control plane handles authorization and coordination, while data traffic flows directly between peers.

Key capabilities include:

  • Peer-to-peer encrypted tunnels
  • Automatic NAT traversal
  • Centralized or decentralized network management
  • Ethernet-level networking (Layer 2)
  • Bridging support for extending local networks
  • Support for both IPv4 and IPv6

Understanding ZeroTier’s architecture helps in deployment and troubleshooting.

ZeroTier operates on three levels:

The Network represents a virtual Ethernet switch identified by a 16-digit hexadecimal network ID (e.g., a84ac5c21a88c768). All devices joined to the same network can communicate as if connected to the same physical Ethernet segment.

The Node is any device running the ZeroTier client. Each node has a unique 10-digit ZeroTier address (e.g., a84ac5c21a). Nodes authenticate to networks using cryptographic keys.

The Controller manages network membership and distributes network configuration. Self-hosted controllers run on standard hardware, while ZeroTier Central provides cloud-based management for most deployments.
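The three identifier formats above are easy to confuse when copying them into router commands, and the network ID also tells you which node will be doing the authorizing: a 16-hex-digit network ID is the 10-hex-digit node address of the network's controller followed by a 6-hex-digit network number. The following Python check is an added example, not code from the page, RouterOS or ZeroTier; the reserved-address rule (all-zero, or a leading ff byte) is ZeroTier's own, and the function names are this example's choice. Run it on an admin workstation before creating the interface on the router.

```python
import re

# Added example: sanity checks on the identifiers used on this page.
# A network ID = controller node address (10 hex digits) + network number (6 hex digits),
# so the controller that must authorize a member can be read off the network ID.

NETWORK_ID_RE = re.compile(r"^[0-9a-fA-F]{16}$")
NODE_ADDRESS_RE = re.compile(r"^[0-9a-fA-F]{10}$")


def is_valid_node_address(addr: str) -> bool:
    """A node address is 10 hex digits; all-zero and the ff prefix are reserved."""
    if not NODE_ADDRESS_RE.match(addr):
        return False
    a = addr.lower()
    return a != "0000000000" and not a.startswith("ff")


def parse_network_id(nwid: str) -> dict:
    """Split a network ID into controller address and network number.

    Raises ValueError for anything that is not 16 hex digits, which catches the
    usual copy-and-paste mistakes (a node address pasted where a network ID
    belongs, or a dropped digit) before the interface is created on the router.
    """
    if not NETWORK_ID_RE.match(nwid):
        raise ValueError(f"network ID must be 16 hex digits, got {nwid!r}")
    nwid = nwid.lower()
    controller, number = nwid[:10], nwid[10:]
    if not is_valid_node_address(controller):
        raise ValueError(f"controller address {controller} is reserved or invalid")
    return {"network_id": nwid, "controller": controller, "network_number": number}


def is_controller_of(node_address: str, nwid: str) -> bool:
    """True when the given node (for example a RouterOS instance running the
    built-in controller) is the controller of the network."""
    return parse_network_id(nwid)["controller"] == node_address.lower()


if __name__ == "__main__":
    # Identifiers taken from the examples on this page.
    print(parse_network_id("a84ac5c21a88c768"))
    print(is_controller_of("a84ac5c21a", "a84ac5c21a88c768"))
```

Applied to the page's own example, the node shown as id=a84ac5c21a is the controller of network a84ac5c21a88c768, which is why a self-hosted RouterOS controller's networks all begin with the router's own node ID.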

When a ZeroTier node communicates with another member:

  1. The node checks its peer table for the destination’s current path
  2. If a direct path exists (direct connectivity, or a path opened through NAT), traffic flows peer-to-peer
  3. If direct connectivity is impossible, traffic routes through transit peers or the controller
  4. All traffic is encrypted using the recipient’s public key

ZeroTier automatically handles NAT traversal using techniques similar to STUN and TURN, enabling connections in most network environments without port forwarding.

Aspect              ZeroTier             Traditional VPN
Topology            Mesh (any-to-any)    Hub-and-spoke
Central dependency  Minimal              High
Latency             Low (direct paths)   Higher (via concentrator)
Setup complexity    Low                  Medium to high
Layer 2 support     Native               Limited

Setting up ZeroTier in RouterOS involves installing the package, enabling the service, joining a network, and configuring routing or bridging.

The ZeroTier package is not included by default. To install it, download the zerotier package (.npk file) matching your RouterOS version and architecture from mikrotik.com/download, then upload it to the router.

Upload via Winbox/WebFig: Drag the .npk file onto the Files window. The router schedules installation on next reboot.

Upload via FTP/SCP then reboot:

/system reboot

Auto-install: Rename the package to zerotier.auto.npk before uploading. The router reboots and installs automatically.

After the router restarts, verify the package is active:

/system package print

Look for zerotier in the list with status enabled.

Before joining any network, enable the ZeroTier instance:

/zerotier enable zt1

RouterOS ships with a default instance named zt1. The instance generates a unique cryptographic identity (node ID) on first run.

Verify the instance is active:

/zerotier print

Create a ZeroTier interface bound to a 16-digit network ID:

/zerotier interface add name=zerotier1 instance=zt1 network=a84ac5c21a88c768

The network parameter is the 16-digit hex ID of the ZeroTier network to join. The instance parameter specifies which ZeroTier instance manages this connection (use zt1 for the default instance).

On ZeroTier Central (or your self-hosted controller), authorize the router’s node address. The router then receives an IP address from the network’s IP pool.

Three flags on the ZeroTier interface control how controller-pushed configuration is applied:

Flag           Default  Description
allow-managed  yes      Accept IP addresses and routes pushed by the network controller
allow-default  no       Allow the controller to install a default route (full-tunnel mode)
allow-global   no       Allow controller-pushed routes to cover public/global address ranges

For most deployments, the defaults work well. To enable full-tunnel routing (all traffic through ZeroTier):

/zerotier interface set zerotier1 allow-default=yes

Check ZeroTier interface status:

/zerotier interface print detail

The output shows the ZeroTier address, network ID, and connection status:

Flags: X - disabled, I - invalid
0 I id=a84ac5c21a network=a84ac5c21a88c768
status=waiting-for-authorization

After authorization, status changes to “online”:

0 id=a84ac5c21a network=a84ac5c21a88c768
status=online ip=10.147.17.2/24

Check peer connectivity:

/zerotier peer print

This shows all known peers in the network, their latency, and connection paths:

Flags: E - ena
# ZT-ADDRESS LATENCY ROLE PATH
0 E a84ac5c10a 12ms LEAF DIRECT
1 E a84ac5c10b 45ms LEAF DIRECT
2 E a84ac5c10c 23ms LEAF RELAY
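Reading this output by eye works for three peers but not for thirty, and the same output is what the troubleshooting section later on this page relies on when peers show RELAY instead of DIRECT. The parser below is an added example, not code from the page or from RouterOS: it reads peer lines in the column layout shown above (the sample is constructed in that layout and includes one non-LEAF infrastructure peer with a made-up address), and reports which members are relayed or above a latency threshold. The 40 ms threshold and the function names are this example's assumptions.

```python
from __future__ import annotations

import re
from dataclasses import dataclass

# Added example: parse "/zerotier peer print" output in the layout shown on this page
# and flag members whose path is relayed or whose latency is high.

# Constructed sample in the page's column layout; the PLANET line is a made-up
# infrastructure peer, not a real ZeroTier root address.
SAMPLE = """Flags: E - enabled
 # ZT-ADDRESS LATENCY ROLE PATH
 0 E a84ac5c10a 12ms LEAF DIRECT
 1 E a84ac5c10b 45ms LEAF DIRECT
 2 E a84ac5c10c 23ms LEAF RELAY
 3 E 1a2b3c4d5e 80ms PLANET DIRECT
"""

PEER_LINE = re.compile(
    r"^\s*(?P<idx>\d+)\s+(?P<flags>[A-Z]*)\s*(?P<addr>[0-9a-f]{10})\s+"
    r"(?P<latency>\d+)ms\s+(?P<role>[A-Z]+)\s+(?P<path>[A-Z]+)\s*$"
)


@dataclass(frozen=True)
class Peer:
    address: str
    latency_ms: int
    role: str       # LEAF for network members; other roles are infrastructure peers
    path: str       # DIRECT or RELAY
    enabled: bool


def parse_peers(text: str) -> list[Peer]:
    """Turn the printed table into Peer records; legend and header lines are skipped."""
    peers = []
    for line in text.splitlines():
        m = PEER_LINE.match(line)
        if not m:
            continue
        peers.append(
            Peer(m["addr"], int(m["latency"]), m["role"], m["path"], "E" in m["flags"])
        )
    return peers


def relayed_members(peers: list[Peer]) -> list[str]:
    """Members whose traffic is going through a relay instead of a direct path."""
    return [p.address for p in peers if p.role == "LEAF" and p.path == "RELAY"]


def slow_members(peers: list[Peer], threshold_ms: int) -> list[str]:
    """Members whose measured latency exceeds the threshold (assumed default 40 ms)."""
    return [p.address for p in peers if p.role == "LEAF" and p.latency_ms > threshold_ms]


def summarize(text: str, threshold_ms: int = 40) -> dict:
    """One-shot report suitable for a monitoring check or a troubleshooting session."""
    peers = parse_peers(text)
    return {
        "members": sum(1 for p in peers if p.role == "LEAF"),
        "relayed": relayed_members(peers),
        "slow": slow_members(peers, threshold_ms),
        "infrastructure": [p.address for p in peers if p.role != "LEAF"],
    }


if __name__ == "__main__":
    print(summarize(SAMPLE))
```

A member that stays in the relayed list after NAT traversal has had time to complete is the one to investigate first: its traffic is taking the slow path and depending on third-party relays, which is exactly the condition the troubleshooting section describes.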

ZeroTier supports two complementary approaches to routing between local networks over the virtual network: controller-pushed managed routes and manually configured static routes on each router.

Managed routes are configured in ZeroTier Central (or a self-hosted controller) and pushed to all authorized members. Each member’s ZeroTier client installs these routes automatically.

In ZeroTier Central, navigate to Network → Routes and add entries like:

Destination      Via
192.168.10.0/24  10.147.17.1
192.168.20.0/24  10.147.17.2

Where 10.147.17.1 and 10.147.17.2 are the ZeroTier-assigned IPs of the respective routers. All network members receive these routes and can reach the remote LAN through the designated gateway.

For precise control, configure static routes directly on each router instead of relying on controller-pushed routes. This is the recommended approach when using self-hosted controllers or when you want routing independent of controller connectivity.

On Site A (ZeroTier IP 10.147.17.1, LAN 192.168.10.0/24):

# Route to Site B's LAN via Site B's ZeroTier IP
/ip route add dst-address=192.168.20.0/24 gateway=10.147.17.2 comment="Site-B via ZeroTier"

On Site B (ZeroTier IP 10.147.17.2, LAN 192.168.20.0/24):

# Route to Site A's LAN via Site A's ZeroTier IP
/ip route add dst-address=192.168.10.0/24 gateway=10.147.17.1 comment="Site-A via ZeroTier"

Enable forwarding on the ZeroTier interface so the router passes traffic between the ZeroTier network and local interfaces:

/zerotier interface set [find] allow-forwarding=yes

Add firewall rules to permit forwarded traffic between sites:

/ip firewall filter
add chain=forward src-address=192.168.10.0/24 dst-address=192.168.20.0/24 \
action=accept comment="ZeroTier: Site-A to Site-B"
add chain=forward src-address=192.168.20.0/24 dst-address=192.168.10.0/24 \
action=accept comment="ZeroTier: Site-B to Site-A"

Place these accept rules before any drop rules in the forward chain.

To enable devices on the router’s local network to access the ZeroTier network:

/zerotier interface set [find] allow-forwarding=yes

This enables IP forwarding, allowing the router to route traffic between interfaces. For full Layer 2 bridging:

/interface bridge add name=zerotier-bridge
/interface bridge port add bridge=zerotier-bridge interface=zerotier1
/interface bridge port add bridge=zerotier-bridge interface=bridge-local

The ZeroTier interface becomes a bridge port, effectively extending the ZeroTier network to the local LAN.

ZeroTier networks can operate in different modes affecting how members communicate.

Public networks allow any ZeroTier client to join after authentication. Knowing the network ID alone is sufficient to attempt joining; the controller then authorizes members:

/zerotier interface add name=zerotier1 instance=zt1 network=YOUR_NETWORK_ID

Private networks require explicit authorization. The controller must approve each member before it receives network configuration.

Authorization happens through ZeroTier Central interface or self-hosted controller API. Unapproved members remain in “waiting-for-authorization” status.

Networks can assign IPs through different mechanisms:

ZeroTier Managed IPs: The controller assigns addresses from the network’s configured IP pool. This requires setting up IP pools in ZeroTier Central.

Static Assignment: Configure specific IPs in the controller and match via node ID in RouterOS.

DHCP: Use a DHCP server on another network member to assign addresses.

Configure managed IP pools in ZeroTier Central under Network > IP Allocation:

  • Assign ranges like 10.147.17.0/24
  • Set route destinations for network segments

RouterOS includes a built-in ZeroTier controller, allowing you to manage networks without ZeroTier Central. This is useful for air-gapped environments or when you want full control over network infrastructure.

/zerotier controller add name=zt-private instance=zt1 private=yes \
ip-range=172.27.27.10-172.27.27.20 routes=172.27.27.0/24

The routes parameter pushes a managed route to all authorized members. To also advertise a local LAN (e.g., 192.168.10.0/24 via the controller’s ZeroTier IP 172.27.27.1):

/zerotier controller set [find] routes="172.27.27.0/24,192.168.10.0/24@172.27.27.1"

When a member joins a private controller network, it appears in the member list with authorized=no:

/zerotier controller member print

Authorize the member:

/zerotier controller member set 0 authorized=yes

The member receives IP assignment and managed routes within seconds of authorization.

Review the controller and its member list at any time:

/zerotier controller print
/zerotier controller member print

ZeroTier requires specific UDP ports for operation:

Port  Purpose
9993  Primary ZeroTier traffic
443   Alternative for restricted networks
0     Any available (automatic)

Ensure firewalls allow outbound UDP on these ports. The router’s default configuration uses port 9993.

ZeroTier provides strong security through cryptographic identity and encryption.

Each ZeroTier node has a unique cryptographic identity consisting of:

  • Public key (used for encryption)
  • Private key (kept secret)
  • Node ID (derived from public key)

Never share private keys. If compromised, regenerate keys and re-authorize the node.

For private networks, carefully control member authorization. Untrusted members can sniff all broadcast traffic on the virtual Ethernet segment.

All ZeroTier traffic is encrypted using the recipient’s public key. Even ZeroTier’s relay infrastructure cannot read traffic content.

Common ZeroTier issues and solutions.

The router cannot reach the ZeroTier network controller. Verify internet connectivity and that outbound UDP port 9993 is not blocked. Pinging 127.0.0.1 only proves the local IP stack is up, so ping a public address instead:

/ping ANY_PUBLIC_IP

Make sure the interface is not disabled:

/zerotier interface set [find] disabled=no

Peer connections go through relay servers (PATH shows RELAY) instead of directly across NAT, so latency is higher. For better performance:

  • Enable port forwarding on upstream NAT for UDP 9993
  • Ensure both peers can establish direct connections
  • Check firewall rules on both ends

Verify routing on the router:

/ip route print where dst-address=10.147.17.0/24

Ensure allow-forwarding is enabled if the router should route traffic:

/zerotier interface set [find] allow-forwarding=yes

Check firewall rules, and if needed add a temporary accept for traffic arriving on zerotier1 (narrow it to the specific source and destination networks once the problem is found):

/ip firewall filter print chain=forward
/ip firewall filter add chain=forward in-interface=zerotier1 action=accept

ZeroTier enables a hub-free mesh between multiple sites. Each office router joins the same ZeroTier network and establishes direct peer-to-peer tunnels to all other members — no central VPN concentrator required.

Scenario: Three offices (HQ, Branch A, Branch B) each running RouterOS.

ZeroTier Central setup:

  1. Create a private ZeroTier network and note the 16-digit network ID
  2. Assign an IP range, for example 10.147.17.0/24, as the ZeroTier address pool
  3. Add managed routes for each site’s LAN:
    • 192.168.1.0/24 via 10.147.17.1 (HQ router)
    • 192.168.2.0/24 via 10.147.17.2 (Branch A router)
    • 192.168.3.0/24 via 10.147.17.3 (Branch B router)

On each router (example for HQ — repeat with adjusted addresses on each site):

# 1. Enable the instance (if not already done)
/zerotier enable zt1
# 2. Join the ZeroTier network
/zerotier interface add name=zerotier1 instance=zt1 network=YOUR_NETWORK_ID
# 3. Authorize in ZeroTier Central and note the assigned ZeroTier IP (e.g. 10.147.17.1)
# 4. Enable forwarding
/zerotier interface set zerotier1 allow-forwarding=yes
# 5. Add routes to remote sites (if not using controller-pushed managed routes)
/ip route add dst-address=192.168.2.0/24 gateway=10.147.17.2 comment="Branch-A"
/ip route add dst-address=192.168.3.0/24 gateway=10.147.17.3 comment="Branch-B"
# 6. Permit forwarding between ZeroTier and local LAN
/ip firewall filter
add chain=forward in-interface=zerotier1 out-interface=bridge-local action=accept \
comment="ZeroTier inbound to LAN"
add chain=forward in-interface=bridge-local out-interface=zerotier1 action=accept \
comment="LAN outbound to ZeroTier"

Each site’s LAN devices can now reach the other sites’ LANs through the mesh. Traffic takes the most direct peer-to-peer path available — if HQ and Branch A can establish a direct tunnel, their traffic never traverses Branch B’s router.

Verification:

# Check all peers are connected
/zerotier peer print
# Verify routes are installed
/ip route print where gateway~"10.147.17"
# Test end-to-end connectivity
/ping 192.168.2.1 src-address=192.168.1.1
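Repeating the per-router steps above by hand for each site is where mistakes creep in: a route pointing at the wrong ZeroTier IP, or a forward rule that accepts everything arriving on zerotier1 regardless of source. The generator below is an added example, not code from the page or from RouterOS: it takes the three-office scenario above (same ZeroTier IPs and LAN prefixes) and emits the complete command list for any one router. Unlike the page's interface-only accept rules, its forward rules are pinned to both the interface pair and the LAN prefixes, and it closes with a drop for anything else arriving from ZeroTier; that drop, the bridge-local interface name and the function names are this example's assumptions.

```python
from __future__ import annotations

from dataclasses import dataclass

# Added example: generate per-router RouterOS commands for a full-mesh site-to-site
# ZeroTier deployment from a single site table.

ZT_IFACE = "zerotier1"


@dataclass(frozen=True)
class Site:
    name: str                       # label used in route and rule comments
    zt_ip: str                      # ZeroTier-assigned address of this site's router
    lan: str                        # LAN prefix behind that router
    lan_iface: str = "bridge-local"  # assumed name of the router's LAN bridge


# Sites from the three-office scenario on this page.
SITES = [
    Site("HQ", "10.147.17.1", "192.168.1.0/24"),
    Site("Branch-A", "10.147.17.2", "192.168.2.0/24"),
    Site("Branch-B", "10.147.17.3", "192.168.3.0/24"),
]


def static_routes(site: Site, sites: list[Site]) -> list[str]:
    """One /ip route per remote LAN, next hop = that site's ZeroTier IP."""
    return [
        f'/ip route add dst-address={o.lan} gateway={o.zt_ip} comment="{o.name} via ZeroTier"'
        for o in sites
        if o != site
    ]


def forward_rules(site: Site, sites: list[Site]) -> list[str]:
    """Forward-chain rules for one router.

    Each accept is tied to the interface pair AND the LAN prefixes, so a member
    that is authorized on the ZeroTier network but is not one of the site routers
    cannot reach the LAN merely by sending packets over zerotier1. The final drop
    (an assumption of this example) must stay below the accepts.
    """
    rules = ["/ip firewall filter"]
    for o in sites:
        if o == site:
            continue
        rules.append(
            f"add chain=forward in-interface={ZT_IFACE} out-interface={site.lan_iface} "
            f'src-address={o.lan} dst-address={site.lan} action=accept '
            f'comment="ZeroTier: {o.name} to {site.name}"'
        )
        rules.append(
            f"add chain=forward in-interface={site.lan_iface} out-interface={ZT_IFACE} "
            f'src-address={site.lan} dst-address={o.lan} action=accept '
            f'comment="ZeroTier: {site.name} to {o.name}"'
        )
    rules.append(
        f'add chain=forward in-interface={ZT_IFACE} action=drop '
        f'comment="ZeroTier: drop anything not matched above"'
    )
    return rules


def site_config(site: Site, sites: list[Site], network_id: str) -> list[str]:
    """Complete per-router command list: enable, join, forward, routes, filter."""
    lines = [
        "/zerotier enable zt1",
        f"/zerotier interface add name={ZT_IFACE} instance=zt1 network={network_id}",
        f"/zerotier interface set {ZT_IFACE} allow-forwarding=yes",
    ]
    lines += static_routes(site, sites)
    lines += forward_rules(site, sites)
    return lines


if __name__ == "__main__":
    for s in SITES:
        print(f"# ---- {s.name} ----")
        print("\n".join(site_config(s, SITES, "YOUR_NETWORK_ID")))
```

Each router gets exactly two routes (one per remote site) and four accept rules (two per remote site, one per direction), so adding a fourth office means adding one line to the site table rather than editing three routers by hand; the managed-route variant in ZeroTier Central would replace only the static_routes() part.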

Provide mobile clients access to network resources. ZeroTier clients on phones and laptops join the corporate network. The RouterOS router advertises the corporate LAN via a managed route, and remote devices route traffic through the router.

Create isolated networks for IoT devices while maintaining management access from central locations.

Quickly spin up development networks that can span laptops, cloud VMs, and office infrastructure.