====== ZeroTier Support in APdesk and MESHdesk ======
------------
===== ZeroTier Introduction =====
  * ZeroTier support in APdesk and MESHdesk is different from WireGuard, IKEv2+IPsec or OpenVPN.
  * With ZeroTier you do not have to worry about the server side since it is hosted by ZeroTier.
  * Another important point about the ZeroTier VPN connection is that you **cannot use it to access the Internet**.
  * ZeroTier is typically used to create a **private network** where you can access devices on that network.
-----------
===== ZeroTier Central =====
  * To manage ZeroTier networks, you have to register at ZeroTier (https://www.zerotier.com/).
  * There are free plans available which have certain restrictions on the number of devices that are allowed on the network.
  * There are also two versions of the dashboard: the original one is called **Legacy Central** and the new one is called **New Central**.
  * It seems the one you should use depends on when you registered with them.
  * I tried New Central and could not get to devices listed on Legacy Central.
  * The screenshots here are from Legacy Central.
-------
==== ZeroTier Networks ====
  * Each network in ZeroTier will have a unique Network ID which will be used by the client to join the network.
{{:technical:zerotier:zerotier-1.png?nolink|}}
  * After a client has joined the network it will appear in the list of devices as an **Unauthorized** device.
  * You can then change its status to **Authorized** to allow it full access to the ZeroTier network.
-----------
===== MESHdesk Firmware =====
  * The MESHdesk firmware includes support for ZeroTier since Jan 2026.
  * When you build the firmware make sure you include:
    * Network -> VPN -> zerotier
  * After selecting it also select the following Configuration options:
    * Build in debug mode
    * Build a self test program
  * To make the ZeroTier package appear in the list of available packages, you need to install it into the SDK:
<code bash>
./scripts/feeds install zerotier
</code>
  * Note that ZeroTier might not fit on devices with limited flash.
  * Fortunately OpenWrt can also run as a VM.
  * In our setup we created a virtual setup in VirtualBox and ran an OpenWrt instance which is then configured using APdesk.
------
===== Join a ZeroTier Network =====
  * Joining a ZeroTier Network is very easy in APdesk and MESHdesk.
  * Make sure the MESHdesk firmware is recent and the ZeroTier package is included in the firmware build.
  * Edit the VPN connections of the device which you want to use to join the ZeroTier network.
  * Specify the ZeroTier Network ID.
  * The interface name will be automatically populated when you save the entry.
{{:technical:zerotier:zerotier-2.png?nolink|}}
------
==== Split tunnel routing ====
  * As stated earlier, you cannot use a ZeroTier network to break out into the Internet.
  * This makes split tunnel routing optional, since any device connected to the AP would be able to access the ZeroTier network (without having to specify anything under the **Split tunnel routing** section).
  * If, however, you want a certain network or MAC Address to ONLY have access to the ZeroTier network and no Internet access, use the **Split tunnel routing** section.
------
==== Onboarding ====
  * After you have added the ZeroTier VPN entry, reboot the device in order for it to fetch its latest settings.
  * You should see it appear in ZeroTier Central as an **Unauthorized** device.
{{:technical:zerotier:zerotier-3.png?nolink|}}
  * Authorize it.
{{:technical:zerotier:zerotier-4.png?nolink|}}
  * Reboot the device and confirm that it now has an IP address.
{{:technical:zerotier:zerotier-5.png?nolink|}}
  * You should now be able to reach any of the other devices on that ZeroTier network through the AP.
------
==== Confirm on OpenWrt ====
  * You can log into the AP to confirm everything works as intended by issuing the following commands.
<code bash>
# Confirm it joined
zerotier-cli listnetworks
200 listnetworks
200 listnetworks 9bee8941b51fae7b RADIUSdesk 7a:67:e9:94:c8:58 OK PRIVATE zt3jnzn36o 172.30.108.62/16

# Confirm that the interface is up and has an IP address
ifconfig zt3jnzn36o
zt3jnzn36o Link encap:Ethernet  HWaddr 7A:67:E9:94:C8:58
          inet addr:172.30.108.62  Bcast:172.30.255.255  Mask:255.255.0.0
          inet6 addr: fe80::81:a3ff:fe2e:da69/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST  MTU:2800  Metric:1
          RX packets:0 errors:0 dropped:0 overruns:0 frame:0
          TX packets:10 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:0 (0.0 B)  TX bytes:872 (872.0 B)
</code>
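
A scripted version of the ''zerotier-cli listnetworks'' check above, as an added example that is not part of the original page or the RADIUSdesk project. It reports whether the AP is joined, authorized, on a PRIVATE network and has an address. The function name ''zt_check'', the verdict strings and the exit codes are assumptions of this example; the field order is read off the output line shown above, ''ACCESS_DENIED'' is the status zerotier-cli reports while the member is still unauthorized in Central, and the sample inputs are constructed.

```sh
#!/bin/sh
# Added example: classify one network from `zerotier-cli listnetworks` output.
# Reads the output on stdin so it can be exercised offline.
# On the AP: zerotier-cli listnetworks | zt_check 9bee8941b51fae7b

zt_check() {
    # Field order: 200 listnetworks nwid name mac status type dev ips
    # The name can be empty or contain spaces, so find the MAC and index from it.
    awk -v id="$1" '
        $1 == "200" && $2 == "listnetworks" && ($3 "") == (id "") {
            for (i = 4; i <= NF; i++)
                if ($i ~ /^[0-9a-f][0-9a-f](:[0-9a-f][0-9a-f])+$/) break
            st = $(i+1); nt = $(i+2); dev = $(i+3); ips = $(i+4)
            found = 1
        }
        END {
            if (!found)                  { print "NOT_JOINED";       exit 2 }
            if (st == "ACCESS_DENIED")   { print "UNAUTHORIZED";     exit 3 }
            if (st != "OK")              { print "PENDING " st;      exit 4 }
            if (nt != "PRIVATE")         { print "NOT_PRIVATE " dev; exit 5 }
            if (ips == "" || ips == "-") { print "NO_IP " dev;       exit 6 }
            print "OK " dev " " ips
        }'
}

# Constructed sample: the output shown on this page (authorized member).
ZT_SAMPLE_OK='200 listnetworks
200 listnetworks 9bee8941b51fae7b RADIUSdesk 7a:67:e9:94:c8:58 OK PRIVATE zt3jnzn36o 172.30.108.62/16'

# Constructed sample: same AP before it is authorized in ZeroTier Central
# (no network name pushed yet, no address assigned).
ZT_SAMPLE_DENIED='200 listnetworks
200 listnetworks 9bee8941b51fae7b  7a:67:e9:94:c8:58 ACCESS_DENIED PRIVATE zt3jnzn36o -'

# Demo run on the constructed sample
printf '%s\n' "$ZT_SAMPLE_OK" | zt_check 9bee8941b51fae7b
```

The PRIVATE check matters because only a private network holds new members as **Unauthorized** until they are approved in ZeroTier Central.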