Accessing Your Raspberry Pi Securely From The Internet Using ZeroTier - Kelvin Zhang


Kelvin Zhang


Accessing your Raspberry Pi securely from the Internet using ZeroTier
Tue, Jun 27, 2017

(Edited on 14th June 2020 to update the download link.)

When you need to access your Raspberry Pi from home, exposing your
public IP (or using dynamic DNS) and opening ports can expose your Pi to
potential security threats, especially if you're using password-based
authentication or running services behind these ports.

The well-known way to avoid this is to use a VPN. While OpenVPN is a
common solution, ZeroTier heavily outshines it. OpenVPN can be
cumbersome to set up and maintain (especially if things go wrong), and
provisioning new devices can be a pain because you have to generate
certificates. In comparison, ZeroTier can be installed with a single bash
script, and your virtual network can be managed with their web panel,
which lets you provision devices, assign static IPs and more.

If you're wondering how secure and reliable ZeroTier is, check out their
manual. ZeroTier is also open source, with their codebase available on
GitHub.

Installation
ZeroTier Central
ZeroTier Central is the web panel where you control your virtual network
and manage connected devices. First, set up your network by registering
your account at https://my.zerotier.com/. Next, create your network by
navigating to https://my.zerotier.com/network and clicking Create. Then,
click on your newly created network entry and follow these steps:

1. Change the name to something less random

2. Under IPv4 Auto-Assign, check Auto-Assign from Range and click on an
IP range which you know will not conflict with the private IP ranges of
any networks you use your devices on (ZeroTier will automatically
assign your devices an IP from this range)

3. Under Access Control, ensure Certificate (Private Network) is checked

4. Take note of the Network ID

Raspberry Pi

We will now set up ZeroTier on your Raspberry Pi. Note that if you are using
a Raspberry Pi B or Zero W and run into issues, you may have to apply a
patch detailed here (thanks to mrexodia for the tip!). Follow these
instructions:

1. Run the shell command under their download page (the more secure
GPG option is recommended).

2. To ensure ZeroTier starts on system boot, run sudo systemctl enable
zerotier-one

3. Check if everything is working by running sudo zerotier-cli status; it
should return 200 info [ID] [version] ONLINE if all is fine

4. To join the network, run sudo zerotier-cli join [Network ID]

5. Authenticate your device by going to
https://my.zerotier.com/network/[Network ID] (the configuration page
we used in the previous section), scrolling down to Members and
checking the Auth checkbox

6. Optionally, assign your Pi a nicer IP address (such as one ending in .1)
by going to the Managed IPs column, entering an IP address within the
IP range you chose in the previous section, then pressing the plus icon
to save your changes (you can also delete the old one by pressing the
bin icon)

7. Check that your Raspberry Pi is properly connected by running sudo
zerotier-cli listnetworks to see 200 listnetworks [...] OK PRIVATE [...]
[The IP(s) you assigned the Raspberry Pi]/24

8. To have your Raspberry Pi automatically join the virtual network on
system boot, simply run sudo touch
/var/lib/zerotier-one/networks.d/[Network ID].conf

9. If you have UFW or any other firewall software installed, ensure that you
allow traffic going to and from your private IP range

Client Devices

Finally, let's set up the client devices you will use to connect to the
Raspberry Pi from any Internet-connected network in the world. On Linux
clients, the setup is the same as for the Raspberry Pi. ZeroTier also has
Android and iOS apps which you can find on their download page. After
connecting your client devices to the same network, you can check that the
other devices are resolvable using sudo zerotier-cli listpeers. You can then
connect to your Raspberry Pi by using the private IP address you
assigned to it.

Conclusion
For me, using ZeroTier is a very pleasant experience. I can access my
Raspberry Pi from anywhere in the world with an Internet connection
without having to use port forwarding or exposing my Pi directly to the
Internet. Another added advantage is that I can add a UFW/iptables rule to
block all inbound traffic to SSH and other services originating from all IP
addresses other than my home and ZeroTier IP address ranges. The time
spent setting up your devices is well worth the security and convenience
which ZeroTier provides.
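
The firewall restriction described above and in step 9 of the Raspberry Pi
section, as an added example that is not code from the original post: it
reads zerotier-cli listnetworks output, derives the IPv4 subnet of each
authorized private network, and prints the UFW commands for review instead
of running them. The sample output, the home range 192.168.1.0/24, SSH on
port 22 and the function names zt_subnets and ssh_rules are assumptions.

```shell
#!/bin/sh
# Added example. Constructed sample of `sudo zerotier-cli listnetworks` output;
# the network ID, name, MAC, device and addresses are made up.
SAMPLE_LISTNETWORKS='200 listnetworks <nwid> <name> <mac> <status> <type> <dev> <ZT assigned ips>
200 listnetworks 0123456789abcdef home-lab 02:00:00:aa:bb:cc OK PRIVATE ztabcdef12 fd00::1/88,10.147.17.1/24'

# zt_subnets: read listnetworks output on stdin and print the IPv4 network
# (host bits cleared) of every managed address on networks that are OK and PRIVATE.
# Fields are counted from the end of the line so a network name with spaces is harmless.
zt_subnets() {
    awk 'NF >= 9 && $1 == "200" && $2 == "listnetworks" &&
         $(NF-3) == "OK" && $(NF-2) == "PRIVATE" {
        n = split($NF, addrs, ",")
        for (i = 1; i <= n; i++) {
            # Skip anything that is not IPv4/prefix (IPv6 addresses, placeholders).
            if (addrs[i] !~ /^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+\/[0-9]+$/) continue
            split(addrs[i], part, "/"); split(part[1], o, ".")
            len = part[2] + 0
            if (len > 32) continue
            ip = ((o[1] * 256 + o[2]) * 256 + o[3]) * 256 + o[4]
            net = ip - (ip % (2 ^ (32 - len)))
            printf "%d.%d.%d.%d/%d\n", int(net / 16777216) % 256,
                   int(net / 65536) % 256, int(net / 256) % 256, net % 256, len
        }
    }'
}

# ssh_rules HOME_CIDR: print, without running them, UFW commands that allow SSH
# only from the ZeroTier subnets found on stdin and from HOME_CIDR.
ssh_rules() {
    subnets=$(zt_subnets)
    if [ -z "$subnets" ]; then
        # Refuse to emit a deny rule that would also cut off the ZeroTier path.
        echo "no authorized PRIVATE ZeroTier network with an IPv4 address" >&2
        return 1
    fi
    for cidr in $subnets "$1"; do
        echo "ufw allow from $cidr to any port 22 proto tcp"
    done
    # UFW stops at the first matching rule, so the catch-all deny comes last.
    echo "ufw deny 22/tcp"
}

printf '%s\n' "$SAMPLE_LISTNETWORKS" | ssh_rules 192.168.1.0/24
```

On the Pi, feed it real output with sudo zerotier-cli listnetworks | ssh_rules [your home range] and review the printed commands before running them with sudo. An existing broader rule that already allows port 22 still matches first, so check sudo ufw status numbered afterwards.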

If you found this blog post useful or have any questions, leave a comment
below or tweet me @KelvZhan!


DiemKae
2 years ago

FWIW, NOT just for Pies!

These instructions also worked perfectly on Ubuntu systems (18.04.6 LTS and
20.04.4 LTS) in my lab!

Still works in 2022.

Kelvin Z. Mod > DiemKae
2 years ago

Pleasure to help!

iAmBecomeDeath
3 years ago edited

This guide is great and still works in 2021. Thanks!

Kelvin Z. Mod > iAmBecomeDeath
3 years ago

I just saw this comment. Thank you! I greatly appreciate it. :)

benjamin k > iAmBecomeDeath
3 years ago

Interestingly status as a command line is not seen as part of --help in
terminal but it still works!

papafriki
6 years ago

Thank you for this great tutorial. In five minutes I had everything configured and I
do not care being behind cgnat

Kelvin Z. Mod > papafriki
6 years ago

I'm certainly glad I could help!

mrexodia
6 years ago

For the Raspberry Pi B and Raspberry Pi Zero W I had to do some extra steps to
get it to work: https://github.com/zerotier...

Kelvin Z. Mod > mrexodia
6 years ago

Thanks for your comment! I have updated my blog post to reflect this.

sch MATKA
6 years ago

great app!!!

Kelvin Z. Mod > sch MATKA
6 years ago

Indeed! With ZeroTier, if you need SSH access from outside of
your access using an Android device, JuiceSSH (an Android SSH client)
+ ZeroTier is a very good combination.

DiemKae
2 years ago

This guide is a distillation of the necessary stuff to install and use ZT, THANKS!

One thing I've seen is that my pi4b drops its connection frequently, at random
times (i.e. it doesn't seem to be an "idle timeout" AFAIK).

Does anyone else see this?

Therm Hal
4 years ago

any issues with frontier networks and ZeroTier on remote RPI access?

Arch linux
6 years ago

Thank you for your time.. That app is great.



Al Jones
6 years ago

awesome. Thank you

Kelvin Z. Mod > Al Jones
6 years ago

You're welcome!

Francisco Márquez Chaves
6 years ago

Thank you for the tutorial

Kelvin Z. Mod > Francisco Márquez Chaves
6 years ago

You're welcome!

MarcV > Kelvin Z.
3 years ago

This is a great tutorial. I followed all steps, got no error
messages, but I still can't connect to my Raspberry Pi from my
iPhone. The VPN on my iPhone is on, the zerotier account page
shows both iPhone and Pi 'online', and yet I can't ping Pi or ssh
into Pi, or connect to port 8123 on Pi. Any thoughts on what to
do?

Kelvin Z. Mod > MarcV
3 years ago

Sorry -- just saw this. What firewalls do you have
between your iPhone and Pi? If it happens while both
are connected to the same local network (especially if
you have a mesh network setup), maybe firewall rules
are blocking these connections.
