Zerotier and Azure, SDN at its best with quick and easy point to site VPN

I recently came across a fantastic cloud SDN provider called Zerotier which allows you to create your own networks in the cloud and connect clients to it.
The greatest feature of Zerotier is that they provide an extremely lightweight and well-written network interface driver for Windows, Mac and Linux flavors. They also provide Android and iOS apps that engage VPN profiles, allowing you to connect to the network.

Zerotier is FREE up to 100 nodes!!!
So you can link all your Azure VMs to your network securely without having to create a complicated VPN Gateway and Subnet in Azure. It also removes the cost of the VPN Gateway in Azure, with no speed limitations.

Always looking for different ways to optimize traffic and breakout, I recently tested the ability to route traffic over Zerotier and break out in another country securely and easily with a simple CentOS VM in Azure and a network created in Zerotier.

I did it in the following way:

  1. Install an entry-level Linux VM in Azure. I chose CentOS 7.3 for this test purely because it comes with blank IPTables, unlike UFW in Ubuntu.
  2. Create a Zerotier account and create a network.
  3. Install the Zerotier CLI on the VM and add it to your network.
    curl -s '' | gpg --import && \
    if z=$(curl -s '' | gpg); then echo "$z" | sudo bash; fi
  4. Install Zerotier client on your workstation/client and connect to your network.
    zerotier-cli join [networkid]
  5. Confirm that you can establish connectivity between your machine and the Azure VM via the Zerotier IP (I SSH’ed into it).
    This shows a typical network output for a machine in Azure; the IP address belongs to the Azure VNet I created.
    [wdt@centos-1 ~]$ ifconfig
    eth0: flags=4163<UP,BROADCAST,RUNNING,MULTICAST> mtu 1500
    inet netmask broadcast
    inet6 fe80::20d:3aff:fe71:e9d7 prefixlen 64 scopeid 0x20<link>
    ether 00:0d:3a:71:e9:d7 txqueuelen 1000 (Ethernet)
    RX packets 3368691 bytes 1354052393 (1.2 GiB)
    RX errors 0 dropped 5 overruns 0 frame 0
    TX packets 4571064 bytes 1018380546 (971.2 MiB)
    TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0
    lo: flags=73<UP,LOOPBACK,RUNNING> mtu 65536
    inet netmask
    inet6 ::1 prefixlen 128 scopeid 0x10<host>
    loop txqueuelen 1 (Local Loopback)
    RX packets 174 bytes 18768 (18.3 KiB)
    RX errors 0 dropped 0 overruns 0 frame 0
    TX packets 174 bytes 18768 (18.3 KiB)
    TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0
    zt0: flags=4163<UP,BROADCAST,RUNNING,MULTICAST> mtu 2800
    inet netmask broadcast
    inet6 fe80::9c47:67ff:febc:aa2b prefixlen 64 scopeid 0x20<link>
    ether 9e:47:67:bc:aa:2b txqueuelen 1000 (Ethernet)
    RX packets 302914 bytes 35282913 (33.6 MiB)
    RX errors 0 dropped 0 overruns 0 frame 0
    TX packets 53834 bytes 39523695 (37.6 MiB)
    TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0
    [wdt@centos-1 ~]$
  6. Now enable IP forwarding for IPTables by editing /etc/sysctl.conf and adding:
    net.ipv4.ip_forward = 1
  7. I created the following rules for IPTables. I just edited the /etc/sysconfig/iptables file.
    Notice you will need to set the -s, -d and --to-source values to suit your networks in Zerotier and Azure.
    [root@centos-1 ~]# cat /etc/sysconfig/iptables
    # nat table: source-NAT forwarded traffic as it leaves eth0
    *nat
    :INPUT ACCEPT [0:0]
    :OUTPUT ACCEPT [0:0]
    -A POSTROUTING -o eth0 -s -j SNAT --to-source
    COMMIT
    # filter table: drop forwarded traffic by default, allow only the two directions below
    *filter
    :INPUT ACCEPT [0:0]
    :FORWARD DROP [0:0]
    -A FORWARD -i zt+ -s -d -j ACCEPT
    -A FORWARD -i eth0 -s -d -j ACCEPT
    :OUTPUT ACCEPT [0:0]
    COMMIT
  8. Install IPTables services and restart IPTables.
    yum install -y iptables-services
    systemctl enable iptables
    systemctl start iptables
  9. I then added the default route in the Zerotier configuration.
    You want to add the default route via the IP address of the Zerotier interface of the Linux server.

  10. Once done, you just enable the default tick box of the client configuration and it changes your default route to the newly created “router”.
  11. You can then go google “whats my ip” or something to that effect and it will tell you where you are breaking out.
    It should be out the Azure location.
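
A pre-flight check for the rules file from step 7, as an added example that is not part of the original post: it reads an iptables-restore file on stdin and flags the mistakes that would leave a table unapplied or let the VM forward and NAT traffic from any source. The 10.147.17.0/24 Zerotier subnet and the 10.0.0.4 VM address are constructed sample values, and the function name is hypothetical.

```sh
#!/bin/sh
# Added example: lint an iptables-restore file on stdin; one finding per line, silence = pass.
audit_rules() {
    awk '
    /^#/ || /^[ \t]*$/ { next }
    substr($1, 1, 1) == "*" {
        if (table != "") print "table " table ": missing COMMIT"
        table = substr($1, 2); next
    }
    $1 == "COMMIT" { table = ""; next }
    table == "filter" && $1 == ":FORWARD" {
        fwd = 1; if ($2 != "DROP") print "filter: FORWARD policy is " $2 ", expected DROP"
    }
    $1 != "-A" { next }
    {
        src = ""
        for (i = 2; i < NF; i++) if ($i == "-s") src = $(i + 1)
        if (src ~ /^-/) src = ""   # "-s" directly followed by an option: value missing
        if (table == "nat" && $2 == "POSTROUTING" && src == "")
            print "nat: POSTROUTING rule NATs any source (no -s): " $0
        if (table == "filter" && $2 == "FORWARD" && $0 ~ /-i zt/ && $0 ~ /-j ACCEPT/ &&
            (src == "" || src == "0.0.0.0/0"))
            print "filter: FORWARD accepts any source on zt+: " $0
    }
    END {
        if (table != "") print "table " table ": missing COMMIT"
        if (!fwd) print "filter: no :FORWARD policy line, FORWARD policy not set by this file"
    }'
}
# Constructed samples; the subnet and addresses are assumptions, not values from the post.
SAMPLE_GOOD='*nat
-A POSTROUTING -o eth0 -s 10.147.17.0/24 -j SNAT --to-source 10.0.0.4
COMMIT
*filter
:FORWARD DROP [0:0]
-A FORWARD -i zt+ -s 10.147.17.0/24 -d 0.0.0.0/0 -j ACCEPT
-A FORWARD -i eth0 -s 0.0.0.0/0 -d 10.147.17.0/24 -j ACCEPT
COMMIT'
SAMPLE_BAD='*nat
-A POSTROUTING -o eth0 -j SNAT --to-source 10.0.0.4
COMMIT
*filter
:FORWARD ACCEPT [0:0]
-A FORWARD -i zt+ -j ACCEPT'
printf '%s\n' "$SAMPLE_BAD" | audit_rules
```

On the VM, run it as `audit_rules < /etc/sysconfig/iptables` before starting the iptables service.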


Pretty simple, huh?

As a side note, I tried to get my Netflix to work through it, but they're still too clever, lol.


