People keep stating how ‘simple’ and ‘easy’ it should be to set up a ZeroTier link, but I can assure you: it’s not. And every time I tried it, and by now that’s about 5 times over the last 5 years, it did not work, as in, I could not actually use it as a VPN replacement, I could not access LAN IPs through CGNAT, etc. The docs and UI are not very user-friendly at all. They should look at how OpenVPN writes docs; that one was easy and works, as long as you’re not behind a CGNAT.
Thanks for the response. Those were all set up correctly. I have the setup working now after the 2 firewall rules were added (input and forward to the zerotier1 interface).
My only issue is that I have a UniFi controller on one of the LAN boxes (the controller runs inside a Docker container on the LAN box). Accessing the URL https://:8443 (from a ZeroTier-authorized laptop) does not seem to work (I can reach other devices on the LAN, like my MikroTik switch/ATA adapter, etc.).
From inside the LAN (laptop), controller access works just fine. (Not sure if it has got to do with page redirects and firewall rules.)
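As an added illustration of the two rules this post mentions (this is not the poster's configuration and not MikroTik's documentation), here is what an input rule and a forward rule for the ZeroTier interface look like in RouterOS 7, restricted rather than blanket-accept, with logging on the drop rule so that a blocked connection such as the 8443 one above shows up in the log. The interface name zerotier1 comes from the post; the LAN subnet 192.168.88.0/24, the management ports and the rule comments are assumptions:

```routeros
# Added example, not from the thread. Assumes the ZeroTier instance's
# interface is named "zerotier1" (as in the post) and that the LAN behind
# the router is 192.168.88.0/24 (hypothetical; adjust to your network).

/ip firewall filter

# Input chain: ZeroTier peers may reach the router itself only on the
# management ports listed here (assumed: SSH and Winbox). Everything else
# aimed at the router from the overlay is dropped and logged, so a failing
# connection can be spotted with:  /log print where message~"zt-drop"
add chain=input in-interface=zerotier1 protocol=tcp dst-port=22,8291 \
    action=accept comment="ZeroTier -> router management only"
add chain=input in-interface=zerotier1 action=drop log=yes \
    log-prefix="zt-drop" comment="ZeroTier -> router: drop the rest"

# Forward chain: ZeroTier peers may reach LAN hosts, and only the LAN.
# Return traffic is matched by the established/related accept rule that a
# default RouterOS configuration already has near the top of the chain.
add chain=forward in-interface=zerotier1 dst-address=192.168.88.0/24 \
    action=accept comment="ZeroTier -> LAN"

# Rule order matters: these must sit above the default "drop all not coming
# from LAN" style rules or they never match. Verify with:
#   /ip firewall filter print
# and reposition with the place-before= parameter on add, or with move.
```

With this in place, a blocked attempt to reach port 8443 on a LAN host would not be logged by the input rule (it is forward traffic), so if the forward accept rule above is present and ordered correctly and the page still does not load, the problem lies beyond the router's filter, which is exactly the distinction the poster is trying to make.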
I imagine MikroTik will get around to adding "proper" ROS attributes to set this stuff under /zerotier (or whatnot) in future. But AFAIK you can't try ZeroTier Multipath using MikroTik today; I'd be happy if I'm wrong, however... Maybe you can do this from the Flow Rules side, but it didn't look that way... Twitter was a little unclear on these details.
ZeroTier uses Salsa20 to encrypt and Poly1305 to authenticate packets.
As far as I know these are (very fast but) software-only algorithms and can’t be offloaded to the hardware for acceleration.
Since version 1.6.0 ZT has a new AES-GMAC-SIV encryption mode, which is supported by hardware-accelerated engines. So the question is still open. This is what they say in the Release Notes:
New features and improvements:
AES-GMAC-SIV encryption mode, which is both somewhat more secure and significantly faster than the old Salsa20/12-Poly1305 mode on hardware that supports AES acceleration. This includes virtually all X86-64 chips and most ARM64. This mode is based on AES-SIV and has been audited by Trail of Bits to ensure that it is equivalent security-wise.
Since the support ticketing system of MikroTik is still under maintenance at this point, can someone share the rc3 early build? I'm also interested and need the route insertion fix in the controller, because routes don't propagate on MikroTik, but on a normal client it's working properly. Thanks in advance.
Hmmmm... sounds interesting!
AES-GMAC is a "variant" of AES-GCM, which is already supported by some RBs. This means that, in theory, some ARM-based RBs (RB1100AHx4, RB4011 and CCR2004) will have ZT hardware acceleration.
I have the RB4011 non-wireless on version v6.48.4. Apart from backing up the current config, is there anything else I need to do before going to 7.1rc2?
I did it on a RouterBOARD RB450Gx4 and all I had to do was drop the rc2 into 'files' and reboot twice. Also take the zerotier .npk and drop it in files and reboot. You are all set.
It would be great if we could specify the distance for the routes, as by default it adds them to the route table with a distance of 1, and if you are using it as a backup then you end up with an issue.
I'd love to see: /zerotier/interface/add network=xxxx instance=zt1 route-distance=xxx
Oh, I missed that in the 1.6.0 changelog. Nice!
They still need to support the Salsa20/Poly1305 option in code, both to keep backwards compatibility to versions pre-1.6.0 and to be able to talk to other ZT peers that do not support the new AES encryption. But it is great having AES because it can be hardware accelerated!
Hope to see ZT offloading AES to the hardware on Routerboards (if not done already)
I finally got my RB4011. So I did some iperf3 benchmarks via the ZeroTier link. As you can see on the screenshots, I got around 90 Mbit/s. CPU load is around 40%. I think it’s not bad.
I was testing via a 1 Gb link. I also found out that ZeroTier supports AES hardware offload only on ARM64. So I think we have to wait until ZeroTier starts to support hardware offload on ARM, then maybe we will get it on MikroTik (since MikroTik supports ZeroTier only on ARM-based devices). This is from the ZeroTier Release notes:
Known remaining issues:
AES hardware acceleration is not yet supported on 32-bit ARM, PowerPC (32 or 64), or MIPS (32 or 64) systems. Currently supported are X86-64 and ARM64/AARCH64 with crypto extensions.
For those who are interested in encryption hardware offload on ZT.
I’ve asked on the ZeroTier forum about support of 32-bit ARM platforms and especially MikroTik. And that’s what they answered:
For one, we do not maintain the port to Mikrotik devices. Mikrotik is doing that themselves. Secondly, no ARM32 platforms that we’re aware of support the full set of hardware instructions for the AES-GMAC-SIV algorithm. ARM64 is the only ARM platform with full hardware support for all the instructions.
So as far as I can see, we will not get any hardware-accelerated encryption of ZeroTier on 32-bit ARM platforms.
I hope that it is possible to get it on the new RB5009 as it’s ARM64 and has some AES hardware engine in the CPU, though I’m not sure if it is compatible with the AES-GMAC-SIV algorithm.
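Since the posts above turn on whether a given board is 32-bit ARM or ARM64, and on what CPU load a ZeroTier link produces, here is an added RouterOS 7 script (not from the thread, not from MikroTik or ZeroTier) that reads the board's architecture and CPU from the router itself and reports which case the ZeroTier release notes quoted above put it in, then lists the ZeroTier instances and interfaces so the same session can be used to watch CPU load during an iperf3 run. It assumes RouterOS 7 with the zerotier package installed; the "arm64" and "arm" values are RouterOS's own architecture-name strings:

```routeros
# Added example, not from the thread. Assumes RouterOS 7 with the zerotier
# package installed. architecture-name is reported by RouterOS as e.g.
# "arm64" (RB5009), "arm" (RB4011, RB450Gx4), "x86", "mipsbe", ...

:local arch [/system resource get architecture-name]
:local cpu  [/system resource get cpu]
:local board [/system resource get board-name]

:put ("board: " . $board . ", architecture: " . $arch . ", cpu: " . $cpu)

# Per the ZeroTier 1.6.0 release notes quoted in the thread, AES-GMAC-SIV
# hardware acceleration needs X86-64 or ARM64 with crypto extensions;
# 32-bit ARM, PowerPC and MIPS fall back to software crypto.
:if ($arch = "arm64" || $arch = "x86") do={
    :put "64-bit platform: the accelerated AES-GMAC-SIV path can apply"
} else={
    :put ("32-bit or other platform (" . $arch . "): expect software crypto only")
}

# Show the ZeroTier instances and the interfaces they created, so the
# interface name used in firewall rules (e.g. zerotier1) can be confirmed.
/zerotier print detail
/zerotier interface print

# While an iperf3 test runs across the link, this shows the CPU load the
# poster above measured (around 40% on an RB4011 at roughly 90 Mbit/s):
/system resource print
```

Run it from a terminal with /system script or paste it line by line; the :put lines print to the terminal, and the load figure from /system resource print is the one to compare against the thread's benchmark.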