Zerotier/Tailscale; Viable Options?
Dec 12, 2020
Good morning all,

Been a long time since I have had an opportunity to post. My apologies in advance if I have placed this in the wrong section. Since it was dealing with VPN, I was unsure whether to utilize Cyber Security or Networking. Please feel free to move if needed.

My network setup is a fiber optic connection from my ISP directly to my Ubiquiti EdgeRouter-X. I have several VLANs set up for different purposes that prevent devices from communicating with one another (outside of the master VLAN and any other VLAN I allow to view my BI server). My L2TP over IPsec VPN worked great for 2-3 years, but recently, stopped connecting with my iPhone and Windows computer. Fortunately, I had just gotten back from an extended trip out of town before it started happening.

After review, I found that my outside IP had changed. Upon that conclusion, I replaced the outside address within the router and committed/saved. I also changed that address in my VPN connections on all my devices. Unfortunately, that did not work. From that point, I took several paths attempting to correct the issue to include deleting the VPN settings within the router, reinstalling a previous system image, etc. None of these solutions have worked.

I guess it is now time to change VPN types. After studying several resources (to include the VPN Primer for Noobs section), I have it narrowed down to OpenVPN or WireGuard. I do not want to use a provider nor do I wish to connect via another EdgeRouter (I guess site-to-site?). I basically just want to have the ability to turn on VPN on my iPhone or other device and be able to access my BI alerts and to view camera feeds via the app, but to do it safely/encrypted, even if I were to use public WiFi.

Is there any recommendation for what I should utilize for VPN access? Are there any videos or resources you could recommend, specifically for the EdgeRouter-X? I have looked at videos such as the video below, but this almost seems like it's just trying to connect 2 routers together permanently. Again, I just want to go straight to my network when I'm away from my network. I know these are probably dumb questions, but I'm still an amateur when it comes to networking. Any help is appreciated!

Replying to bump out for hopeful visibility.
Can’t help you with the EdgeRouter setup, but I found setting up OpenVPN on my Netgear router to be fairly straightforward. The only problem I had was that it produced I think 2 or 3 files to be installed on my iPhone, and the iPhone only wanted one. I was able to use a simple text editor to combine the multiple files into one, and then it worked on my second attempt. As for your changing external IP address, Netgear partnered with a site to give me a free DNS service, which I use. This forum offers the same service.
I have been looking into a very similar setup recently. OpenVPN is a well established and documented system that is fairly easy to set up and supported by many routers. Wireguard is much newer, but faster and also built in to the Linux kernel now. I think that Wireguard will be the Way of the Future and is also fairly usable today. Wireguard doesn't really have a server/client architecture but is more a peer-to-peer system, although it helps me to think of it as a Server and clients. The Clients can be individual devices like a phone or laptop or another site with its whole subnet. I haven't managed to find any easy-to-use, click-this-and-go type setups for Wireguard. I have one test system using it and had to manually create keys and config files, but once it was working it has been solid for 3 months now. This is for a site-to-site setup using routers with OpenWrt at each end. I have done research into phone clients etc., but not tried to use one yet, mostly due to lack of spare time.

Not sure if any of this info helps in your case, but if you are starting from scratch rebuilding, then I'd spend the time to learn Wireguard and make it work. It may not be the easiest, but is probably the most efficient and fastest.
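The manual key-and-config setup the post above describes, as an added example that is not the poster's own files: a router-side peer and a phone peer, with the phone routing only the single camera server into the tunnel. All keys, addresses and the DDNS hostname are placeholders I assumed for illustration.

```ini
# ---- Router side (acts as the "server" peer) ----
# Keys come from `wg genkey` / `wg pubkey`; every value below is a placeholder.
[Interface]
PrivateKey = <router-private-key>
Address = 10.200.0.1/24
ListenPort = 51820

[Peer]
# The phone. AllowedIPs here is a source filter: packets arriving over this
# peer are accepted only if they come from the phone's tunnel address.
PublicKey = <phone-public-key>
AllowedIPs = 10.200.0.2/32

# ---- Phone side ----
[Interface]
PrivateKey = <phone-private-key>
Address = 10.200.0.2/32

[Peer]
PublicKey = <router-public-key>
# A dynamic DNS name rather than the raw public IP, so an ISP address change does not break the client.
Endpoint = home.example.net:51820
# Split tunnel: only the BI server (assumed 192.168.20.10 on the camera VLAN) is routed through WireGuard.
# This limits what the phone sends, not what it may reach; the router firewall must still
# restrict 10.200.0.0/24 to that one host so a lost phone cannot wander into other VLANs.
AllowedIPs = 192.168.20.10/32
# Send a keepalive so the NAT on the phone's current network does not drop the mapping.
PersistentKeepalive = 25
```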
Yeah, I think it's supposed to be a fairly simple setup on a lot of routers. Unfortunately from what I have read through (with ER-X), you have to configure a lot of stuff and generate keys. I'm still reading through the Ubiquiti page, so hoping to get a better idea/understanding from there. I'm still unsure when I hear the phrase "open-sourced". Almost makes it seem as though it could be easily hacked.
I'm also still investigating WireGuard, but I do not think it is supported in my application like L2TP and OpenVPN.
I have heard a lot of good things about WireGuard, but since it seems to be fairly new (and unsupported at this time on ER-X), I'm a little hesitant. I don't know, maybe at this time I need to graduate to another router, maybe something like a Dream Machine Pro. I just hate to give up my ER-X b/c it works so well for my home networks and does an awesome job with VLANs, separating devices from seeing/communicating, etc. However, I have to get my VPN capability back for whenever I'm away from home.
People here have been saying good things about Zerotier as a vpn substitute for what you want to do. You might look into that.
Thank you, I will definitely look into that option as well. I just hate having to use an app on my iPhone for VPN. I wish I could get the L2TP working again on my phone. It was just built into the settings and had no app required.
Whatever decision you choose for VPN, I would also suggest that you look into a dynamic DNS service. There are both free and paid dynamic DNS services out there. This is set up so that you use a unique IP address that doesn't ever change. You run a service on your network (obviously the most common place is in the firewall/router device) that will automatically tell the dynamic DNS service anytime your real public IP address changes and what it has changed to. This means your VPN connection will always work in the future, even if your public IP address changes.

So for example, my unique URL might be "". I would then set up my VPN to use that URL in lieu of my actual public IP address. The dynamic DNS service will ensure that data is forwarded from that URL to the correct public IP address - whatever it might be - even if it changes all the time.

This will alleviate any future issues should your public IP address change for some reason.

As far as what VPN service to use, I use OpenVPN because Wireguard really wasn't widely supported when I set it up and while I have tested Wireguard out, I haven't made the switch to use Wireguard exclusively. Wireguard is a lot more streamlined/simple and therefore it can be faster in most cases. But it also is so simple that you can experience problems with the connection where you have to close out and restart the VPN connection. This would be an annoyance when it happens IMHO, so I haven't made the switch. I am not experiencing any "slowness" with OpenVPN, so I am hesitant to "fix what isn't broken" by switching to Wireguard.
It does seem as though OpenVPN may be a better option for me. I'm just not sure about creating certificates and signing them, but Ubiquiti does have a guide online.
Regarding the dynamic DNS service (both paid and free); I think I understand the concept. However, does that open someone up for being hacked? A little nervous about routing all of my data to yet another place and not being sure it was encrypted/protected. Is there any service you would recommend?
Thank you
I have a Ubiquiti Edge Router and originally used that for a L2TP VPN to my phone.

I now just use that to have a permanent VPN to another home our family owns....

For my phone, I use Wireguard and run it on Docker.
Edge Router here with WireGuard VPN. Works perfectly with Blue Iris and Homeseer. Camera VLAN, IoT VLAN etc.

Use this handy how-to to initially set up the ERPOE5 router for Blue Iris. Started with L2TP VPN then moved to WireGuard installed on the router.


Recently moved whole setup to ER4 for better throughput with 1 gig ISP service.
Good afternoon,
Rather than start a new thread, I figured I would resurrect this one. I have recently been able to review the issue with connecting to my router outside of my network. The conclusion I have arrived at is my ISP has placed me behind a CGNAT. After research, I have determined that the ISP currently does not offer IPv6. All of the reading I have done on this site points to using ZeroTier or Tailscale. I do understand that Tailscale is built upon Wireguard, but I like the fact that ZeroTier has a zero-trust approach which allows me to manage any connections.
However, I am still worried about the hole-punching idea. I know it's definitely safer than port forwarding, but I'm still concerned with the thought of punching a hole and allowing access to anything on my network (even though it's just my BI PC). Are these truly safe options to use, and do they truly get around the whole CGNAT issue?
Thank you in advance for any insight.
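The CGNAT conclusion above, and the earlier dynamic DNS advice, hinge on one question: does the router hold a reachable public address? This added example (mine, not from any poster or from Ubiquiti) classifies the WAN address the router received against the RFC 6598 shared range and RFC 1918, and says whether an inbound VPN listener plus DDNS can work or an outbound-only overlay is needed. The sample addresses are constructed.

```python
import ipaddress

# RFC 6598 shared address space: ISPs hand these out behind carrier-grade NAT.
CGNAT_RANGE = ipaddress.ip_network("100.64.0.0/10")
# RFC 1918 ranges: a WAN address here means another NAT device sits upstream of the router.
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def classify_wan(wan_ip: str, observed_public_ip: str) -> str:
    """Classify how the router reaches the Internet.

    wan_ip: the address the ISP assigned to the router's WAN interface.
    observed_public_ip: the address the outside world sees for you (e.g. from a
        'what is my IP' page visited from inside the LAN).
    Returns 'cgnat', 'double-nat', 'direct' or 'unknown'.
    """
    wan = ipaddress.ip_address(wan_ip)
    public = ipaddress.ip_address(observed_public_ip)
    if wan in CGNAT_RANGE:
        return "cgnat"        # ISP translates your traffic; nothing inbound can reach the router
    if any(wan in net for net in RFC1918):
        return "double-nat"   # an ISP modem/gateway is doing NAT in front of the router
    if wan == public:
        return "direct"       # you hold the public address; inbound listeners are reachable
    return "unknown"          # public-looking WAN that the Internet does not see: treat as NAT


def inbound_vpn_viable(kind: str) -> bool:
    """Only a directly held public address can accept an inbound VPN or port forward."""
    return kind == "direct"


ADVICE = {
    "direct": "Register a dynamic DNS name and run the VPN listener (OpenVPN/WireGuard) on the router.",
    "cgnat": "CGNAT: DDNS cannot help, inbound is unreachable; use an outbound-only overlay (ZeroTier/Tailscale) or ask the ISP for a public IP.",
    "double-nat": "Bridge the upstream gateway or forward the VPN port on it, then re-check.",
    "unknown": "Verify the observed public address and re-run before choosing a VPN design.",
}


def diagnose(wan_ip: str, observed_public_ip: str):
    kind = classify_wan(wan_ip, observed_public_ip)
    return kind, inbound_vpn_viable(kind), ADVICE[kind]


if __name__ == "__main__":
    # Constructed sample values, not from any real network.
    for wan, seen in [("100.72.14.9", "203.0.113.45"), ("203.0.113.45", "203.0.113.45"), ("192.168.100.2", "203.0.113.45")]:
        print(wan, "->", diagnose(wan, seen))
```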