OPNsense

OPNSense#

OPNsense is an open source, easy-to-use and easy-to-build HardenedBSD based firewall and routing platform. They maintain a ZeroTier package.

If you're using more than one OPNsense router with ZeroTier for a site-to-site style VPN. The work-around is to paste this into the local.conf text box in the opnsense UI:

{
  "physical": {
    "10.0.0.0/8": {
      "blacklist": true
    },
    "172.16.0.0/12": {
      "blacklist": true
    },
    "192.168.0.0/16": {
      "blacklist": true
    }
  }
}

This prevents zerotier from sending zerotier traffic over zerotier.

See this discussion for more information.

Some more settings you may find helpful for your firewall rules:

{
  "physical": {
    "10.0.0.0/8": {
      "blacklist": true
    },
    "172.16.0.0/12": {
      "blacklist": true
    },
    "192.168.0.0/16": {
      "blacklist": true
    }
  },
  "settings": {
    "primaryPort": 9993,
    "portMappingEnabled": false,
    "allowSecondaryPort": false,
    "allowTcpFallbackRelay": false
  }
}

This prevents ZeroTier from binding to multiple ports.