Tutorial By MikroRadius Team

ZeroTier on MikroTik: Easy VPN Without Public IPs (Full Setup Guide)

No public IP? No problem. ZeroTier creates secure, software-defined networks that work behind NAT, firewalls, and dynamic IPs. This guide shows you how to install ZeroTier on RouterOS v7 and connect remote sites or devices effortlessly.

Traditional VPNs like WireGuard or IPsec require at least one side to have a public IP or open ports. ZeroTier eliminates this requirement. It creates a secure, peer‑to‑peer overlay network that works behind NAT, firewalls, and dynamic IPs – no port forwarding needed. With MikroTik's official ZeroTier package for RouterOS v7, you can turn your router into a ZeroTier node and connect remote offices, IoT devices, or roaming clients as if they were on the same physical LAN.

Why ZeroTier Over Traditional VPNs?

  • No public IP needed – Works behind CGNAT, Starlink, LTE, or double NAT.
  • Zero configuration firewall – Uses outbound UDP or TCP, so no port forwarding required.
  • Layer 2 or Layer 3 networking – Can bridge Ethernet segments or route IP subnets.
  • Built‑in management – Central web dashboard at my.zerotier.com to manage members and rules.

Prerequisites

  • MikroTik router running RouterOS v7.1 or later (ZeroTier is not available in v6).
  • Internet access on the router (any type, including CGNAT).
  • A free ZeroTier account (create at zerotier.com).
  • Basic knowledge of IP addressing and routing.

Step 1: Install the ZeroTier Package on MikroTik

ZeroTier is an optional package. Download it from MikroTik's website and upload it to your router.

Via CLI (if router has internet access):

/system package update install=zerotier

If the above doesn't work, download the package manually:

  1. Go to the MikroTik download page and select your router's architecture (arm, arm64, mipsbe, tile, etc.).
  2. Download the zerotier-*.npk file.
  3. Upload it via WinBox (Files → drag and drop).
  4. Reboot the router.

After reboot, verify the installation:

/interface zerotier print

Step 2: Create a ZeroTier Network (via Web Dashboard)

ZeroTier uses a central controller (either ZeroTier's cloud or your own) to manage members.

  1. Log into my.zerotier.com.
  2. Click Create A Network.
  3. Note the Network ID (a 16‑character hex string, e.g., 8056c2e21c000001).
  4. Optionally, set a private network name and adjust IPv4 range (default is 10.147.20.0/23).
  5. Leave other settings as default for now – you can fine‑tune later.

Step 3: Join the ZeroTier Network from MikroTik

On your router, add the ZeroTier interface and join the network using the Network ID.

/interface zerotier add name=zt1 network-id=YOUR_NETWORK_ID

Check its status:

/interface zerotier peers print
/interface zerotier print

If everything is correct, you'll see the interface with an R (running) flag and the assigned ZeroTier address (e.g., 172.27.0.1). The router will appear in your ZeroTier web dashboard as an unapproved member.

Step 4: Authorize the Router on the ZeroTier Dashboard

  1. Go back to my.zerotier.com and open your network.
  2. Under Members, you'll see your router's ZeroTier address.
  3. Check the Auth box to approve it.
  4. Optionally, assign a static IP to the router (e.g., 10.147.20.1) so it doesn't change.

Back on the router, you may need to manually assign an IP to the ZeroTier interface if you didn't use DHCP inside ZeroTier (most people just let ZeroTier assign via its internal DHCP).

/ip address add address=10.147.20.1/23 interface=zt1

Step 5: Add Another Device (Client) to the Same Network

Install ZeroTier on a laptop, phone, or another MikroTik router. Join the same Network ID and approve it in the dashboard. Both devices will now have ZeroTier IPs (e.g., 10.147.20.1 for router, 10.147.20.2 for laptop) and can ping each other directly – even across different ISPs, NATs, and firewalls.

Step 6: Enable IP Forwarding and NAT for ZeroTier (If Needed)

If you want ZeroTier clients to access your router's local LAN or the internet via the router, you need to:

  • Enable IP forwarding (usually already on).
  • Add a NAT masquerade rule for ZeroTier traffic going out to the WAN.
  • Add a forward accept rule to allow ZeroTier to LAN.

/ip firewall nat add chain=srcnat src-address=10.147.20.0/23 out-interface=ether1 action=masquerade
/ip firewall filter add chain=forward src-address=10.147.20.0/23 dst-address=192.168.88.0/24 action=accept
/ip firewall filter add chain=forward src-address=192.168.88.0/24 dst-address=10.147.20.0/23 action=accept
/ip firewall filter add chain=forward connection-state=established,related action=accept

Replace ether1 with your WAN interface, and 192.168.88.0/24 with your LAN subnet.
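
The forward rules above match ZeroTier traffic by address only and accept every protocol and port, so every authorized member can reach the whole LAN. The following is an added example, not part of the original article: a small Python linter that flags both conditions in firewall lines of this form. The tighter variant, its LAN host 192.168.88.10 and TCP port 22 are constructed sample values; zt1 is the interface name from Step 3.

```python
import ipaddress
import shlex

ZT_NET = ipaddress.ip_network("10.147.20.0/23")  # ZeroTier range used on this page

# The Step 6 rules as listed above.
STEP6 = """\
/ip firewall nat add chain=srcnat src-address=10.147.20.0/23 out-interface=ether1 action=masquerade
/ip firewall filter add chain=forward src-address=10.147.20.0/23 dst-address=192.168.88.0/24 action=accept
/ip firewall filter add chain=forward src-address=192.168.88.0/24 dst-address=10.147.20.0/23 action=accept
/ip firewall filter add chain=forward connection-state=established,related action=accept
"""

# Constructed tighter variant: host 192.168.88.10 and TCP/22 are sample values.
TIGHT = """\
/ip firewall filter add chain=forward connection-state=established,related action=accept
/ip firewall filter add chain=forward in-interface=zt1 src-address=10.147.20.0/23 dst-address=192.168.88.10 protocol=tcp dst-port=22 action=accept
"""

def parse_rule(line):
    """Return (table, params) for one '/ip firewall <table> add key=value ...' line."""
    tokens = shlex.split(line)
    return tokens[2], dict(t.split("=", 1) for t in tokens[4:] if "=" in t)

def touches_overlay(p):
    """True if the rule's source or destination overlaps the ZeroTier range."""
    addrs = [p[k] for k in ("src-address", "dst-address") if k in p]
    return any(ipaddress.ip_network(a, strict=False).overlaps(ZT_NET) for a in addrs)

def audit(text):
    """Flag forward-chain accept rules that open the overlay more widely than needed."""
    findings = []
    lines = [l.strip() for l in text.splitlines() if l.strip()]
    for number, line in enumerate(lines, 1):
        table, p = parse_rule(line)
        if (table, p.get("chain"), p.get("action")) != ("filter", "forward", "accept"):
            continue
        if not touches_overlay(p):
            continue
        if "in-interface" not in p and "out-interface" not in p:
            findings.append((number, "address-only match, not tied to an interface"))
        if "connection-state" not in p and "dst-port" not in p:
            findings.append((number, "accepts new connections on every protocol and port"))
    return findings

if __name__ == "__main__":
    for text in (STEP6, TIGHT):
        print(audit(text) or "no findings")
```
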

Step 7: Routing Between ZeroTier and Site‑to‑Site Subnets

If you have multiple ZeroTier members that each have their own local LAN subnets, you can inform ZeroTier about those subnets via the web dashboard. Under your network's Advanced section, add Managed Routes. For example, if a remote MikroTik router at Site B has LAN 192.168.2.0/24 and its ZeroTier IP is 10.147.20.5, add a route: 192.168.2.0/24 via 10.147.20.5. ZeroTier will then route traffic between 192.168.1.0/24 and 192.168.2.0/24 automatically.
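
Managed routes are easy to get wrong when several sites still use the same default LAN or a gateway address is mistyped. The following is an added example, not part of the original article: a Python check to run over a route plan before entering it in the dashboard. Pairing Site A (192.168.1.0/24) with 10.147.20.1 is an assumption, and the faulty plan is constructed.

```python
import ipaddress

ZT_NET = ipaddress.ip_network("10.147.20.0/23")  # default range from Step 2

# Route from the Step 7 text, plus Site A assumed to sit behind 10.147.20.1.
PAGE_PLAN = [("192.168.1.0/24", "10.147.20.1"), ("192.168.2.0/24", "10.147.20.5")]

# Constructed faulty plan: two sites share one LAN subnet, one gateway is
# mistyped, and one target collides with the overlay range itself.
BAD_PLAN = [
    ("192.168.88.0/24", "10.147.20.1"),
    ("192.168.88.0/24", "10.147.20.5"),
    ("192.168.2.0/24", "10.147.22.5"),
    ("10.147.21.0/24", "10.147.20.5"),
]

def check_managed_routes(routes, zt_net=ZT_NET):
    """Return (kind, target, detail) tuples for routes likely to misroute traffic."""
    problems, seen = [], []
    for target, via in routes:
        net = ipaddress.ip_network(target)
        gw = ipaddress.ip_address(via)
        if gw not in zt_net:
            # The gateway must be a member address inside the ZeroTier range.
            problems.append(("gateway-outside-overlay", target, via))
        if net.prefixlen > 0 and net.overlaps(zt_net):
            # A site route must not cover addresses of the overlay itself.
            problems.append(("overlaps-overlay", target, str(zt_net)))
        for other_net, other_gw in seen:
            if gw == other_gw or not net.overlaps(other_net):
                continue
            kind = "duplicate-target" if net == other_net else "overlapping-prefixes"
            problems.append((kind, target, f"{other_net} via {other_gw}"))
        seen.append((net, gw))
    return problems

if __name__ == "__main__":
    for plan in (PAGE_PLAN, BAD_PLAN):
        print(check_managed_routes(plan) or "no findings")
```
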

Step 8: Advanced – Bridge ZeroTier to a Local LAN (Layer 2)

ZeroTier can operate in Ethernet bridge mode, making remote devices appear as if they're directly connected to your local switch. This requires bridging the ZeroTier interface with your LAN bridge.

/interface bridge add name=bridge-zt
/interface bridge port add bridge=bridge-zt interface=ether2
/interface bridge port add bridge=bridge-zt interface=zt1
# Only if you need VLAN filtering on this bridge:
/interface bridge set bridge-zt vlan-filtering=yes

Warning: Bridging across a WAN can cause broadcast storms and MAC table issues. Use only for small, trusted networks or test environments.

Troubleshooting ZeroTier on MikroTik

  • Interface not appearing: Ensure the ZeroTier package is installed and enabled. Reboot after installation.
  • No peers or not joining: Check that the router has internet access. ZeroTier uses UDP port 9993 outbound – ensure your firewall allows it. Try setting a custom port: /interface zerotier set zt1 port=9993.
  • Can ping ZeroTier IP but not local LAN: Verify firewall forward rules and that IP forwarding is enabled (/ip settings set ip-forward=yes). Also check routing – does the router have a route back to the ZeroTier client?
  • Slow throughput: ZeroTier's performance depends on the path between peers. It attempts direct peer‑to‑peer UDP (fast) but may fall back to relayed TCP (slower). Try /interface zerotier set zt1 multicast-limit=32 or adjust MTU to 1400.

Use Cases for ZeroTier on MikroTik

1. Remote Access to Home Network Behind CGNAT

Your home internet has no public IPv4 address. Install ZeroTier on your MikroTik router and on your laptop. Join the same ZeroTier network – instant secure access without any port forwarding.

2. Connecting Two Small Branch Offices

Each office has a MikroTik router behind dynamic IPs. Install ZeroTier on both, join the same network, and add managed routes for each office's LAN subnets. The offices become fully connected.

3. Management Network for IoT Devices

Deploy ZeroTier on remote sensors or controllers. Even if they are on cellular or Starlink, you can reach them securely from your central network.

ZeroTier vs. WireGuard: Which to Choose?

| Feature | ZeroTier | WireGuard |
|---|---|---|
| Public IP required | No (works behind any NAT) | Yes (at least one side needs public IP or port forward) |
| Central management | Yes (web dashboard or self‑hosted) | No (manual peer config) |
| Layer 2 bridging | Yes | No (Layer 3 only) |
| Throughput (direct connection) | Excellent (UDP) | Excellent (UDP) |
| Complexity | Very low (join a network) | Low (but needs IP/port knowledge) |

Conclusion

ZeroTier is a game‑changer for networks that cannot use traditional VPNs due to NAT, CGNAT, or lack of public IPs. With MikroTik's native package, you can turn any router into a ZeroTier node in minutes. Start with a simple point‑to‑point connection, then explore bridging and routed subnets for larger deployments. ZeroTier won't replace WireGuard everywhere, but for zero‑config, NAT‑traversing VPNs, it's unbeatable.

Next steps: experiment with ZeroTier's Flow Rules for fine‑grained traffic control, or set up a ZeroTier moon (custom relay) to improve performance in your region.
