Quick Summary

ZeroTier is a Software-Defined Wide Area Network (SD-WAN) platform operating on a Peer-to-Peer model, enabling global devices to connect into a single Virtual Network at Layer 2. The solution supports automated NAT traversal, end-to-end encryption, and centralized management via a Web interface.

Deploying a ZeroTier VPN on a Linux VPS helps create a secure internal network across multiple servers, supporting Broadcast/Multicast, IoT management, or distributed server clusters without complex routing configurations.

While traditional VPN protocols typically restrict routing to the IP layer (Layer 3), enterprise networks sometimes need connectivity at the data link layer (Layer 2) as well. ZeroTier effectively behaves like a distributed virtual Ethernet switch, connecting every device from mobile phones and laptops to cloud servers into the same internal network space, regardless of whether they reside behind the strictest firewalls.

1. What is ZeroTier?

ZeroTier (or ZeroTier One) is open-source software that creates a secure virtual LAN operating across the Internet. It encrypts all data (End-to-End Encryption) and establishes Peer-to-Peer connections between devices without the need to physically configure Port Forwarding.

The core distinction of ZeroTier lies in its emulation of Layer 2 (Ethernet) connectivity. This means your operating system recognizes the ZeroTier network as a physical LAN cable plugged directly into other machines globally, fully supporting Broadcast and Multicast protocols.

2. How ZeroTier Works

ZeroTier separates its architecture into two layers, akin to modern SD-WAN solutions:

  • VL1 (Virtual Layer 1 - P2P Transport): The encrypted P2P transport layer (Curve25519/Poly1305/Salsa20) responsible for NAT traversal, node authentication, and establishing direct connections.
  • VL2 (Virtual Layer 2 - Virtual Ethernet): The virtual switch layer operating above VL1, providing a network interface with distinct MAC and IP addresses, supporting Broadcast, Multicast, and VLANs exactly like a physical switch.

3. System Architecture

The ZeroTier ecosystem uses astronomical terminology to describe its routing components. Below is the basic network flow diagram:

[ZeroTier Central / Planets]
(ZeroTier Root Servers - Handling Node Discovery)
                 │ 
                 ▼
[Client Device A] ◄══════(P2P Encrypted UDP Tunnel)══════► [VPS Linux (Node / Moon)]
(Virtual IP: 10.147.17.2)                                  (Virtual IP: 10.147.17.3)
                 │                                                 │
[Moons] ◄════════(Self-Hosted Relay Server If NAT is Blocked)══════┤
                                                                   │
                                                                   ▼
                                                      [Internal Services / Database]

  • Planets: Root servers operated by ZeroTier, responsible for connecting devices when they initially join the network.
  • Moons: Self-hosted relay servers (like your VPS) to assist in reducing latency when P2P direct connections fail due to strict network firewalls.
  • Nodes / Leafs: Mobile phones, laptops, or end-servers installing the ZeroTier One software to participate in the network.

Comparing Popular Mesh VPN Architectures

  • WireGuard: A pure Layer 3 VPN protocol requiring manual peer configuration for each device.
  • Tailscale: An overlay network based on WireGuard with a Control Plane for automated key management.
  • ZeroTier: A Layer 2 SD-WAN network platform featuring a built-in Virtual Ethernet Switch, supporting Broadcast/Multicast.

4. VPN Deployment Models

Layer 2 communication capabilities allow ZeroTier to dominate in complex network topologies:

  • Global Virtual LAN (Mesh P2P): Grouping remote employees, cloud servers, and IoT devices into a single network range, managed centrally via a dashboard.
  • Layer 2 Bridging (Site-to-Site): Directly bridging two physical LANs in different offices. Devices in Office A can "see" a printer in Office B through mDNS/Bonjour protocols.
  • Multi-Cloud Backbone: Linking VPS from various providers (VietHosting, AWS, DigitalOcean...) into a secure Private Cluster network completely independent of public internet routing.

5. Key Advantages & Real-World Use Cases

ZeroTier is the premier choice for system developers due to specific technical strengths:

  • Layer 2 Support (Broadcast/Multicast): Extremely rare for modern VPNs. It allows legacy applications to discover each other over the LAN effortlessly.
  • Zero-Config NAT Traversal: Automatically punches holes through network firewalls to establish peer-to-peer connections (UDP Hole Punching), maximizing bandwidth speed instead of routing through intermediate servers.
  • Generous Free Tier: ZeroTier Central allows creating a free internal network for up to 25 devices (Nodes) per administrative account.

6. Real-World Architecture Deployment

ZeroTier's virtual switch architecture is born to solve tough infrastructure problems:

  • IoT (Internet of Things) Management: An enterprise deploys thousands of cameras or sensors using 4G SIM cards (blocked by CGNAT inbound). Installing ZeroTier allows IT engineers to access each camera using a static IP to remotely upgrade Firmware.
  • Gaming LAN Setup: Gamers connect computers across different countries into a ZeroTier network to play classic games that only support Local Area Network (LAN) modes.
  • Multi-Region Database Synchronization: Establishing a MySQL Galera Cluster between a VPS in Vietnam and a VPS in Singapore with fully encrypted traffic without exposing Port 3306 to the public.

7. ZeroTier vs. Tailscale & Traditional VPNs

Tailscale and ZeroTier are frequently compared as both are SD-WAN Mesh VPNs. However, their foundational architectures differ fundamentally:

Feature                   | Tailscale (Layer 3)                        | ZeroTier (Layer 2)
Network Level (OSI Model) | Layer 3 (IP routing only)                  | Layer 2 (Ethernet); supports Broadcast and ARP
Encryption Foundation     | WireGuard protocol                         | Custom encryption protocol (Curve25519)
Account Management        | Mandatory Single Sign-On (Google/MS)       | Email/Password or tokens; easier for anonymity
Self-hosted Capability    | Requires third-party software (Headscale)  | Standalone ZeroTier Network Controller

8. Performance & Security Benchmark

Below is a qualitative comparison of throughput, CPU cost and NAT traversal across common VPN stacks, all of which rely on peer-to-peer encrypted UDP transport in typical deployments:

Evaluation Criteria    | WireGuard (Pure)          | Tailscale        | ZeroTier         | OpenVPN
P2P Speed (Throughput) | Highest                   | Very High        | High             | Moderate
CPU Consumption        | Very Low                  | Low              | Low              | High
Strict NAT Traversal   | Poor (needs port opening) | Excellent (auto) | Very Good (auto) | Poor

9. When to Use ZeroTier?

Based on its specific Layer 2 architectural design, ZeroTier is the perfect choice in the following scenarios:

Practical Scenario                                                          | Verdict         | Note
Applications require Layer 2, Broadcast, Multicast (Game LAN, mDNS, DLNA).  | Recommended     | Highly Recommended
Administrators want to self-operate the Network Controller (100% closed).   | Recommended     | Highly Recommended
Bridging 2 physical networks (Office A ↔ Office B) as one.                  | Recommended     | Highly Recommended
Enterprise models mandating Google Workspace/O365 for logins.               | Not Recommended | Use Tailscale instead

10. System Requirements & Supported Platforms

ZeroTier boasts one of the broadest operating system coverages currently available:

  • Server / Cloud / NAS: Ubuntu, Debian, CentOS, RHEL, Amazon Linux, FreeBSD, Synology NAS, QNAP.
  • Client Devices: Windows, macOS, Linux, iOS, Android.
  • VPS Hardware Requirements: Extremely lightweight; a VPS with 1 vCPU and 512MB RAM is more than sufficient for dozens of Nodes. Proactively opening port 9993 (UDP/TCP) on the Firewall guarantees optimal connections.

11. How to Install ZeroTier on a Linux VPS

Deploying ZeroTier One on a Linux VPS (Ubuntu/Debian/CentOS) is swiftly accomplished via the official installation script:

Install ZeroTier
# 1. Install ZeroTier One via the official automated script
#    (ZeroTier's docs also publish a GPG-verified variant of this one-liner;
#    prefer it on production hosts over piping an unverified script into bash)
curl -s https://install.zerotier.com | sudo bash

# 2. Ensure the service starts on system boot
sudo systemctl enable zerotier-one
sudo systemctl start zerotier-one

# 3. Open port 9993 (UDP and TCP) on the VPS firewall (e.g., using UFW)
sudo ufw allow 9993/udp
sudo ufw allow 9993/tcp
sudo ufw reload

# CRITICAL NOTE: Before step 4, you need to create an account at https://my.zerotier.com
# Create a new Network to obtain a Network ID (a 16-character string, e.g., 8056c2e21c000001).

# 4. Request the VPS to join the virtual network using the Network ID
sudo zerotier-cli join <NETWORK_ID>

12. Configuration Examples

Unlike WireGuard, ZeroTier does not require administrators to manually edit text-based peer configuration files. You perform device management via the Web dashboard or CLI.

Device Authorization
# After a device runs the "join" command, the connection is pending authorization
# (status REQUESTING / ACCESS_DENIED). You have 2 ways to grant permission:

# METHOD 1 (Via Web GUI - Recommended):
# Access https://my.zerotier.com -> Select Network -> Scroll down to the "Members" section
# Check the "Auth" checkbox in front of the new device to authorize it.

# METHOD 2 (Via Controller CLI, on a self-hosted Network Controller):
# The controller exposes a local JSON API on port 9993. Authenticate with the
# controller node's authtoken (default path shown) and set "authorized" for the member.
# <NETWORK_ID> is the 16-character Network ID; <NODE_ID> is the 10-character
# address printed by "zerotier-cli info" on the joining device.
TOKEN=$(cat /var/lib/zerotier-one/authtoken.secret)
curl -s -X POST -H "X-ZT1-Auth: $TOKEN" \
  -d '{"authorized": true}' \
  "http://localhost:9993/controller/network/<NETWORK_ID>/member/<NODE_ID>"

# Then, on the joined device, verify that the status switches to OK and a
# virtual IP (e.g., 10.147.x.x) has been assigned:
zerotier-cli listnetworks

13. VPN Client Setup

To add personal computers or mobile phones to the internal ZeroTier network, follow these steps:

  • Install App (Windows/macOS/Mobile): Download the ZeroTier One software from the official website or mobile Store.
  • Join Network: On a computer, right-click the ZeroTier icon in the taskbar, select "Join New Network" and paste the 16-character Network ID. Click Join.
  • Authorize Connection: The administrator logs into the ZeroTier Central dashboard, locates the newly joined device (marked Unassigned), and checks the Auth box.
  • Verify Connection: On your personal machine, ping the VPS's ZeroTier virtual IP (for example, 10.147.17.3 in the diagram above), not its public IP. If you receive replies, the tunnel is successfully established.

14. Connection Monitoring

The ZeroTier Command Line Interface (CLI) provides detailed metrics of the connection directly on the Linux VPS:

Monitoring Connections
# 1. Check local device info (Node ID, Online status)
zerotier-cli info

# 2. View joined networks and assigned IPs
zerotier-cli listnetworks

# 3. Display the list of directly connected Peer devices (Nodes)
# The "Role" column will report as LEAF (Device) or PLANET/MOON (Relay Server)
# The "Path" column displays the partner's actual Public IP.
zerotier-cli peers

15. Performance Tuning & Troubleshooting

Because ZeroTier uses its own peer-to-peer transport protocol rather than a standard routing protocol, optimization focuses on establishing the shortest physical P2P path:

  • Self-hosting Moons (Relay Servers): If you are in Vietnam but your devices' traffic is relayed through Planets (US/Europe), causing high Ping (up to 300ms), use a VPS at VietHosting as a Moon. The Moon acts as a regional relay station, so relayed data stays domestic and Ping drops to under 10ms.
  • Proactively Open Firewall Ports: Although ZeroTier can traverse NAT using UDP Hole Punching, for the smoothest P2P (Direct) connection without bandwidth degradation, always ensure port 9993 UDP/TCP is not blocked on your personal Router. Verify via zerotier-cli peers (the link column must display `DIRECT` instead of `RELAY`).
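The two checks described in sections 14 and 15 (the `link` column of `zerotier-cli peers` and the status column of `zerotier-cli listnetworks`) can be scripted. The following is an added example written for this article, not code from the ZeroTier project; the sample CLI outputs, node addresses and IPs in it are constructed, and it assumes network names contain no spaces.

```shell
#!/bin/sh
# Added example (not code from the ZeroTier project): a health check over the text
# output of "zerotier-cli peers" and "zerotier-cli listnetworks". Run it as root on
# the VPS; when the CLI is absent it falls back to the constructed samples below,
# which mimic the CLI's column layout, so the script also runs offline.

# LEAF peers whose <link> column is not DIRECT are still relayed through a root
# (PLANET/MOON); roots themselves are skipped because they are always direct.
# Columns: <ztaddr> <ver> <role> <lat> <link> <lastTX> <lastRX> <path>
relayed_peers() {
  awk 'NR > 2 && $3 == "LEAF" && $5 != "DIRECT" { print $1 }'
}

# Networks whose <status> column is not OK (REQUESTING, ACCESS_DENIED, PORT_ERROR, ...).
# Columns: 200 listnetworks <nwid> <name> <mac> <status> <type> <dev> <ips>
# Assumes network names without spaces; otherwise the column index shifts.
unhealthy_networks() {
  awk 'NR > 1 && $6 != "OK" { print $3, $6 }'
}

# Constructed sample outputs (node addresses are made up, IPs are documentation ranges).
SAMPLE_PEERS='200 peers
<ztaddr>   <ver>  <role> <lat> <link> <lastTX> <lastRX> <path>
ab12cd34ef -      PLANET    72 DIRECT 1204     1203     198.51.100.7/9993
aa11bb22cc 1.12.2 LEAF      -1 RELAY  -1       -1
dd33ee44ff 1.12.2 LEAF       9 DIRECT 500      499      203.0.113.10/9993'

SAMPLE_NETS='200 listnetworks <nwid> <name> <mac> <status> <type> <dev> <ZT assigned ips>
200 listnetworks 8056c2e21c000001 office 5e:5b:11:22:33:44 REQUESTING PRIVATE ztabcd1234 -
200 listnetworks 8056c2e21c000002 lab 5e:5b:55:66:77:88 OK PRIVATE ztabcd5678 10.147.17.3/24'

if command -v zerotier-cli >/dev/null 2>&1; then
  PEERS_OUT=$(zerotier-cli peers); NETS_OUT=$(zerotier-cli listnetworks)
else
  PEERS_OUT=$SAMPLE_PEERS; NETS_OUT=$SAMPLE_NETS
fi
echo "LEAF peers still relayed (expect none for full-speed P2P):"
printf '%s\n' "$PEERS_OUT" | relayed_peers
echo "Networks not in OK state (check the Auth box or port 9993):"
printf '%s\n' "$NETS_OUT" | unhealthy_networks
```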

16. Common Configuration Errors

Connectivity problems on a newly joined node often stem from an incomplete authorization procedure:

  • Stuck in REQUESTING Status: The listnetworks command reports REQUESTING instead of OK. This almost always means your Node lacks the "Auth" checkmark in the ZeroTier Central dashboard.
  • PORT_ERROR: Occurs when the ZeroTier service is stuck because the Firewall completely blocks internal UDP traffic, or port 9993 conflicts with another network application on the same server.
  • Cannot Access LAN (Layer 3 Routing): ZeroTier supports Managed Routes for traditional Layer 3 VPN routing. However, if you assign the 0.0.0.0/0 range but forget to configure IP Forwarding and NAT (iptables) on the Linux VPS, the Client machine will instantly lose Internet connectivity.
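The forwarding and NAT setup that the last item says is easy to forget, as an added example written for this article (not code from the ZeroTier project). The interface names ztabcd1234 and eth0, the range 10.147.17.0/24, and the --dry-run/--apply switches are assumptions; the rules are deliberately limited to the ZeroTier interface and range so the VPS does not become a general-purpose router.

```shell
#!/bin/sh
# Added example (not code from the ZeroTier project): make the Linux VPS a working
# gateway for a managed route such as 0.0.0.0/0 via its virtual IP, i.e. enable IP
# forwarding plus NAT, restricted to the ZeroTier interface and address range.
# Assumed names: ZT_IF is the <dev> column from "zerotier-cli listnetworks",
# WAN_IF the public interface, ZT_NET the virtual network's address range.
ZT_IF="${ZT_IF:-ztabcd1234}"
WAN_IF="${WAN_IF:-eth0}"
ZT_NET="${ZT_NET:-10.147.17.0/24}"

# The rule set is produced as text first so it can be reviewed before applying.
# MASQUERADE only the virtual range leaving the WAN; FORWARD only zt -> WAN and
# return traffic; drop every other forwarded packet.
gateway_rules() {
  cat <<EOF
sysctl -w net.ipv4.ip_forward=1
iptables -t nat -A POSTROUTING -s $ZT_NET -o $WAN_IF -j MASQUERADE
iptables -A FORWARD -i $ZT_IF -s $ZT_NET -o $WAN_IF -j ACCEPT
iptables -A FORWARD -i $WAN_IF -o $ZT_IF -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
iptables -A FORWARD -j DROP
EOF
}

# --dry-run prints the plan; --apply executes each line as root.
# Persist afterwards with a net.ipv4.ip_forward=1 drop-in under /etc/sysctl.d/ and
# your distribution's iptables persistence tool, or the rules vanish on reboot.
# The client must also allow the default-route override for 0.0.0.0/0 to take
# effect (zerotier-cli set <NETWORK_ID> allowDefault=1), otherwise the route is ignored.
apply_gateway() {
  case "${1:-}" in
    --dry-run) gateway_rules ;;
    --apply)   gateway_rules | while IFS= read -r cmd; do echo "+ $cmd"; eval "$cmd"; done ;;
    *)         echo "usage: $0 --dry-run | --apply" >&2; return 2 ;;
  esac
}

# Only apply when explicitly asked; a bare run just prints the plan.
if [ "${1:-}" = "--apply" ]; then apply_gateway --apply; else apply_gateway --dry-run; fi
```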

17. Self-hosted Controller vs. Public ZeroTier Cloud

ZeroTier particularly appeals to security experts because its Self-hosted Network Controller lets network membership and rules be managed entirely on your own infrastructure, without depending on ZeroTier's hosted service.

Comparison Criteria   | Cloud ZeroTier Central (SaaS)                           | Self-hosted Controller (ZNS / ztncui)
Database              | Hosted on ZeroTier, Inc. servers.                       | Hosted on your private VPS (100% control).
Device Limits (Nodes) | Free limit of 25 devices; paid tier beyond that.        | Unlimited devices, completely free.
Admin Interface       | Smooth web interface with full Network Rules features.  | Requires the CLI/API or a third-party web GUI (ztncui).

18. Choosing a Reliable VPS for VPN at VietHosting

Whether you utilize a Linux VPS as a Node, a Moon (Ping-reduction Relay station), or install a Controller Server, selecting the system platform is paramount. We provide VPS solutions based on dedicated infrastructure with transparent resource commitments:

  • Enterprise Hardware: 100% Dell servers, Intel Xeon Platinum CPUs, and high-performance SSD RAID-10.
  • True KVM Virtualization: A pure KVM VPS environment provides administrators with unrestricted privileges to customize the Kernel, deploy Controllers, and execute iptables Firewall operations.
  • High-Speed Network Connectivity: Domestic connectivity up to 1Gbps, high-speed and stable international bandwidth (32Mbps shared, guaranteed minimum 10Mbps) with Unmetered Data Transfer, ensuring Multi-region Database synchronization encounters no congestion.
  • Large Clean IPv4 Pool: Flexible allocation of clean IPv4 ranges, supporting up to 64 IP addresses per VPS (up to /26 subnet). This guarantees 100% success for NAT Hole Punching (UDP), establishing a perfect P2P network structure.