Zero Tier VPN - Set up port forward to device on LAN
This guide explains how to use ZeroTier VPN on a Proroute router to access a device connected to the router's LAN from a remote location — without requiring a fixed public IP SIM. ZeroTier creates a private virtual network overlay across the internet, and a port forward rule on the router directs traffic from the ZeroTier interface to the target LAN device.
Prerequisites
- A ZeroTier account and a ZeroTier network created (free tier is sufficient)
- ZeroTier client installed on the remote device (PC, laptop, or mobile) and joined to the same ZeroTier network
- The Proroute router connected to ZeroTier — enter the ZeroTier Network ID in the router WebUI at VPN > ZeroTier
- The router must have internet access (cellular or wired WAN)
Example network setup
This guide uses the following addresses as an example — substitute your own values where appropriate:
| Device | Address | Notes |
|---|---|---|
| Router — LAN IP | 192.168.8.1 |
Default LAN address |
| Router — ZeroTier IP | 10.10.10.1 |
Assigned by your ZeroTier network |
| Remote monitored device (RMD) — LAN IP | 192.168.8.2 |
Static IP on the router's LAN subnet |
| RMD — HTTP port | 81 |
Port the device's web interface listens on |
| Remote PC — ZeroTier IP | 10.10.10.x |
Assigned by your ZeroTier network |
The remote PC and router are both members of the same ZeroTier network. The PC connects to the RMD by sending a request to the router's ZeroTier IP on the forwarded port — the router then forwards that traffic to the RMD on its LAN.
Configuration
Step 1: Prepare the remote monitored device (RMD)
The RMD must have a fixed IP on the router's LAN subnet so the port forward rule always points to the correct address.
- Connect the RMD to a LAN port on the router via Ethernet
- Configure a static IP on the RMD:
Field Value IPv4 address 192.168.8.2Subnet mask 255.255.255.0Default gateway 192.168.8.1 - Note the port the RMD's HTTP interface listens on (port
81in this example)
Step 2: Verify ZeroTier connectivity
- Confirm the router is connected to your ZeroTier network — check VPN > ZeroTier in the WebUI and note the ZeroTier IP assigned to the router (e.g.
10.10.10.1) - On the remote PC, confirm ZeroTier is connected to the same network
- From the remote PC's browser, navigate to the router's ZeroTier IP (e.g.
http://10.10.10.1) — the router WebUI login page should load, confirming end-to-end ZeroTier connectivity
Step 3: Create the port forward rule
- In the router WebUI, navigate to Network > Firewall > Port Forwards
- Click Add and configure the rule as follows:
Field Value Name RMD-ZeroTier(or any descriptive label)Protocol TCP+UDP Source zone zerotier External port 81Destination zone lan Internal IP address 192.168.8.2Internal port 81 - Click Add, then Save and Apply
| Network > Firewall > Port Forwards — New Rule | |
| Name | RMD-ZeroTier |
| Protocol | TCP+UDP ▼ |
| Source zone | zerotier ▼ |
| External port | 81 |
| Destination zone | lan ▼ |
| Internal IP address | 192.168.8.2 |
| Internal port | 81 |
| Add Save and Apply | |
Important: Setting Source zone to zerotier (not
wan) ensures the port forward only accepts connections arriving via the ZeroTier interface. Traffic from the public internet cannot trigger this rule — the RMD is not exposed directly.
Step 4: Test the connection
- On the remote PC, confirm ZeroTier is connected
- Open a browser and navigate to the router's ZeroTier IP with the forwarded port appended:
http://10.10.10.1:81 - The RMD's web interface should load in the browser
If access is successful, the port forward rule is working correctly. Substitute the ZeroTier IP and port number with your own values in any application or script that needs to reach the device remotely.
Troubleshooting
| Issue | Resolution |
|---|---|
| Router WebUI not accessible via ZeroTier IP | ZeroTier may not be connected on the router or remote PC. Check status at VPN > ZeroTier on the router. Ensure both devices are authorised members of the same ZeroTier network in the ZeroTier Central dashboard. |
RMD not reachable at [ZeroTier-IP]:[port] |
Confirm the port forward rule is saved and applied. Verify the RMD's static IP and port are correct. Try pinging the RMD from the router at Network > Diagnostics. |
| Port forward rule exists but connection is refused | The RMD's service may not be running on the expected port, or a firewall on the RMD is blocking inbound connections. Confirm access works from a device on the router's LAN first. |
| Source zone "zerotier" not available in dropdown | ZeroTier must be connected and active on the router before the zerotier zone appears as an option. Enable and connect ZeroTier first, then create the port forward rule. |