
ZeroTier Remote MikroTik Management

Use ZeroTier on RouterOS 7.5+ to build a peer-to-peer virtual LAN reaching MikroTiks behind CGNAT or NAT without public IPs or port forwarding.

Summary: ZeroTier builds a secure peer-to-peer virtual LAN that makes MikroTik routers reachable across the internet without public IPs, port forwarding, or PKI to maintain. RouterOS 7.5+ ships an official ZeroTier package; this guide covers the install on MikroTik, network setup at my.zerotier.com, LAN subnet advertisement, NAT for narrow service exposure, and the operational tips that keep a multi-site ZeroTier deployment manageable.

How does ZeroTier enable remote MikroTik management?

ZeroTier is a virtual networking platform that blends VPN, peer-to-peer mesh, and SD-WAN traits into a single overlay. Each node runs a ZeroTier client that creates a virtual interface (typically zt0 on Linux, zt1 on MikroTik), joins a network identified by a Network ID, and receives a private IP from that network. Peers communicate directly when network conditions allow it; public “planet” and “moon” servers help with discovery and relay traffic when direct paths aren’t possible. From a MikroTik perspective, ZeroTier turns every router on the ZeroTier network into a member of a flat virtual LAN with automatic NAT traversal — no public IPs, no port forwarding, no per-device key management.

For MikroTik fleets, the strengths are speed of deployment and operational simplicity: install the package, join one Network ID, approve in the admin console, and the router is reachable. The trade-offs are reliance on the ZeroTier control plane (or your own self-hosted moons for full independence) and less granular identity-based ACL control than Tailscale. For the closely-related Tailscale alternative, see our Tailscale guide.

ZeroTier architecture

  • Controller (Network) — created and managed at my.zerotier.com or via a self-hosted controller.
  • Peers — devices running the ZeroTier client that have joined the network.
  • Planet / Moons — public or self-hosted discovery and relay helpers.

NAT traversal is automatic. Authentication happens through the admin approving new peers in the web console. ZeroTier does not decrypt traffic on public controllers — encryption is end-to-end with modern crypto (Curve25519, authenticated ephemeral keys), and each node has a unique keypair plus a 40-bit hardware-like address. Self-host controllers and moons if you need full operational independence.

Step 1: Create the ZeroTier network

  1. Open https://my.zerotier.com and sign in (or create an account).
  2. Create a new network.
  3. Note the Network ID — a 16-character hex string (e.g., 8056c2e21c000001).

Step 2: Quick setup on a server or workstation

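Install the ZeroTier client on a Linux server or VPS to validate the network. The first command pipes a downloaded script into a root shell; ZeroTier's download page also documents a GPG-verified form of this installer for hosts where you want the script's signature checked before it runs: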

curl -s https://install.zerotier.com | sudo bash
sudo zerotier-cli join 8056c2e21c000001
sudo zerotier-cli listnetworks

In the web console, authorize the new node (flip the Auth? toggle). Confirm the assigned ZeroTier IP with zerotier-cli listnetworks. That establishes the first peer.

Step 3: Install ZeroTier on MikroTik (RouterOS 7.5+)

MikroTik provides an official ZeroTier package for RouterOS 7.x:

  1. Download the matching zerotier-7.x-<arch>.npk from mikrotik.com.
  2. Upload the .npk to the router (drop it into the Files window via Winbox) and reboot.
  3. Create the ZeroTier interface and join the network:
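# Enable the default ZeroTier instance, then join the network on an interface named zt1
/zerotier enable zt1
/zerotier interface add name=zt1 instance=zt1 network=8056c2e21c000001
/zerotier interface print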
  4. Approve the MikroTik in the ZeroTier web console (flip the Auth? toggle).

When status shows connected, the router is on the ZeroTier network. Keep the ZeroTier package updated after every RouterOS upgrade — the two version chains are independent and lagging on either causes silent connectivity issues.

Step 4: Advertise and route local subnets

To make devices on the router’s LAN reachable through ZeroTier, choose between routing the whole subnet or narrowly exposing specific services.

Option A: route the LAN (preferred when possible)

On the MikroTik, advertise the local subnet via ZeroTier and allow forwarding:

/ip route add dst-address=192.168.88.0/24 gateway=zt1
/ip firewall filter add chain=forward src-address=192.168.88.0/24 \
dst-address=!192.168.88.0/24 action=accept

Then accept the advertised route in the ZeroTier admin console so other peers learn it.

Option B: dst-nat a specific service (narrow and safe)

Map a ZeroTier-side port to one internal host:

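# Match only traffic arriving on the ZeroTier interface, so the port is not opened on the WAN side
/ip firewall nat add chain=dstnat in-interface=zt1 protocol=tcp dst-port=8081 \
action=dst-nat to-addresses=192.168.88.10 to-ports=80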

Access from another peer via http://<zerotier-ip>:8081. Use Option B when you don’t want full subnet exposure, only specific reachable services.

Operational tips

  • Choose non-overlapping private subnets for site LANs to avoid routing conflicts when multiple sites join the same ZeroTier network.
  • Use descriptive names in the ZeroTier console to track which router is which.
  • Group nodes with tags and ACLs for simpler access control as the fleet grows.
  • Monitor zerotier-cli output and RouterOS logs for connection issues — relayed traffic shows up clearly in metrics.

Troubleshooting common issues

  • Node stuck at REQUESTING_CONFIGURATION — verify the controller is reachable from the router and the node is authorized.
  • No peer-to-peer path — relays will proxy traffic via planet/moons; check performance and consider self-hosted moons for low-latency requirements.
  • IP conflict with local LAN — change either the ZeroTier-assigned IP range or the local LAN subnet.
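
The non-overlap rule from the operational tips and the IP-conflict item above can be checked against a site inventory before a new router joins. This is an added example, not part of the original guide; the site names, subnets and the ZeroTier-assigned range are constructed sample values.

```python
import ipaddress
from itertools import combinations

# Constructed inventory (not from the original page): site -> LAN subnet.
SITES = {
    "hq": "192.168.88.0/24",
    "branch-a": "10.20.0.0/16",
    "branch-b": "10.20.30.0/24",     # falls inside branch-a
    "warehouse": "192.168.88.0/24",  # same subnet as hq
    "depot": "172.27.5.0/24",        # collides with the overlay range
}
# Assumed ZeroTier-assigned (managed) range for the network; constructed value.
ZT_MANAGED = "172.27.0.0/16"


def find_conflicts(sites, zt_range):
    """Return (a, b, kind) tuples for every pair of ranges that overlap.

    strict=True rejects entries with host bits set (e.g. 10.20.30.1/24),
    which are usually typos in an inventory and raise ValueError here.
    """
    nets = {n: ipaddress.ip_network(c, strict=True) for n, c in sites.items()}
    overlay = ipaddress.ip_network(zt_range, strict=True)
    conflicts = []
    # Site-to-site: two CIDR blocks overlap only if equal or one contains the other.
    for (a, net_a), (b, net_b) in combinations(sorted(nets.items()), 2):
        if net_a.overlaps(net_b):
            kind = "duplicate" if net_a == net_b else "nested"
            conflicts.append((a, b, kind))
    # Site-to-overlay: a LAN that overlaps the ZeroTier-assigned range.
    for name, net in sorted(nets.items()):
        if net.overlaps(overlay):
            conflicts.append((name, "zerotier-managed", "overlay"))
    return conflicts


if __name__ == "__main__":
    for a, b, kind in find_conflicts(SITES, ZT_MANAGED):
        print(f"{kind:9} {a} <-> {b}")
```

A "duplicate" hit on 192.168.88.0/24 is the common case when several routers keep the same default LAN addressing; renumber one side before routing both LANs over the overlay.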

Comparison with other VPN options

| Solution | Public IP needed | Setup ease | Best for |
|---|---|---|---|
| ZeroTier | No | Very easy | Quick mesh, devices behind NAT/CGNAT |
| Tailscale | No | Very easy | Identity-based control planes, teams |
| WireGuard (manual) | Sometimes | Moderate | High-performance, DIY setups |
| OpenVPN / IPsec | Sometimes | Complex | Legacy compatibility, PKI control |

For the WireGuard side of this comparison, see our WireGuard remote management guide; for the OpenVPN pattern, see the OpenVPN guide.

When to pick ZeroTier

Choose ZeroTier when you need a fast low-friction mesh across many devices, when you must reach devices behind CGNAT without provisioning public IPs, or when you want a hybrid — peer-to-peer with optional relays and a friendly admin UI. If strict identity-based ACLs tied to corporate SSO matter more, Tailscale is the better fit.

Take the next step

ZeroTier dramatically reduces the friction of remote management — fast, secure, and well-suited to mixed environments. A few RouterOS commands connect a MikroTik to a ZeroTier network and reach internal services safely. Start small: authorize a router, expose one service, then expand routes and ACLs.

For teams managing larger MikroTik fleets, MKController’s NATCloud centralizes remote access and monitoring across many devices in one dashboard, reducing per-device networking work while keeping governance and observability consistent.
