About This Project
Imagine running a physical 200-mile-long Ethernet cable from a datacenter switch directly to a server in your basement. That is exactly what this guide achieves virtually.
By bridging Layer 2 Ethernet frames over a ZeroTier VPN tunnel, we bypass routing tables, NAT, and firewalls entirely. This creates a transparent link that makes your home server behave exactly as if it were racked physically in the datacenter.
Native Public IP
Assign a static public IP directly to your home server's NIC. No port forwarding required.
Bypass CGNAT
Host services from home even if your ISP puts you behind Carrier-Grade NAT (Starlink, LTE, etc.).
Home Lab Extension
Seamlessly cluster home hardware with cloud resources in the same broadcast domain.
Customize Your Guide
Don't copy-paste generic IPs! The Network ID, Public IP, and Interface Names in the code blocks below are placeholders; replace them with the real values for your setup.
Architecture Overview
0. Prerequisites & Requirements
Hardware & OS
- ✓ OS: Debian 12 (Bookworm) or 13 (Trixie) installed on both machines.
- ✓ Home Server: Must have 2 Physical Network Ports. One for internet, one dedicated to the bridge.
- ✓ DC Server: A spare Public IP available in your block.
Critical Access
- ⚠ KVM / Console Access: You will disconnect your SSH session when applying network changes on the DC side. You must have out-of-band console access (IPMI, VNC, etc.) to fix it if it fails.
- ✓ ZeroTier Account: Access to central.zerotier.com.
Concept & Theory
What is Layer 2 Bridging? (The "Long Cable")
Standard VPNs (Layer 3): Route traffic based on IP addresses. They act like routers. Devices on one side are in a different "subnet" than devices on the other.
This Bridge (Layer 2): Operates on MAC addresses (Ethernet frames). It acts like a physical network switch.
By bridging the ZeroTier interface (zt0) to a physical port (eth1), we effectively create a "virtual patch cable" thousands of miles long. Broadcast traffic, ARP requests, and DHCP offers flow across it just like a real cable.
Critical for Cloud VPS Users (OVH, Hetzner, AWS)
Datacenter switches usually block traffic from unknown MAC addresses ("Port Security").
ZeroTier Portal Setup
Create a new network at central.zerotier.com and note its Network ID (shown as 8850xxxxxx in the commands below).
In Network Settings, ensure IPv4 Auto-Assign is turned OFF. We are manually bridging.
After adding members, click the Wrench Icon next to their name and check "Allow Ethernet Bridging". This is critical for L2 traffic.
Preparation (Both Sides)
Run these commands on BOTH the Datacenter and Home servers.
A. Update & Install Dependencies
Ensure the system is up to date and has curl installed.
apt update && apt upgrade -y
apt install -y curl gnupg
B. Install ZeroTier
curl -s https://install.zerotier.com | bash
C. Join Network
zerotier-cli join 8850xxxxxx
D. Standardize Interface Name
systemctl stop zerotier-one
echo "8850xxxxxx=zt0" > /var/lib/zerotier-one/devicemap
systemctl restart zerotier-one
Why are we doing this?
By default, ZeroTier gives the interface a generated name such as zt7u123abc. This is random and hard to script. The devicemap file forces it to always be named zt0, making your configuration files cleaner and less prone to errors.
Portal Action Required
Now that both servers have joined via the command line, you must return to central.zerotier.com.
Authorize the new members and—most importantly—click the Wrench Icon next to each member and check "Allow Ethernet Bridging". If you skip this, the bridge will silently fail to pass traffic.
Datacenter Side
High Risk Zone: Verify you have KVM/Console access before applying these changes. A typo here will kill SSH.
1. Edit Network Interfaces
nano /etc/network/interfaces
Delete everything and paste this:
auto lo
iface lo inet loopback

# 1. Physical Interface (Set to manual)
# We strip the IP from the physical card because it is becoming a 'port' on the bridge.
auto eth0
iface eth0 inet manual
    pre-up ip link set dev eth0 up

# 2. The Bridge (Holds Public IP)
# The Bridge 'br0' becomes the main interface for the OS.
auto br0
iface br0 inet static
    address 192.168.1.27
    netmask 255.255.255.0
    gateway 192.168.1.1
    dns-nameservers 8.8.8.8
    # Create Bridge
    pre-up ip link add name br0 type bridge
    pre-up ip link set dev br0 up
    # Bind Physical Interface (Internet) to Bridge
    post-up ip link set dev eth0 master br0
    post-down ip link del dev br0

# 3. ZeroTier Interface
allow-hotplug zt0
iface zt0 inet manual
    pre-up sleep 1
    post-up ip link set dev zt0 master br0
What is 'pre-up' doing?
pre-up runs commands immediately before the system tries to configure the network. We use it here to manually "build" the virtual bridge and turn it on, so that by the time the system tries to assign the IP address in the next step, the device actually exists.
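Because a typo in this file cuts off SSH, the file can be linted before step 3 is run. The following is an added example, not part of the original guide: lint_bridge_config is a hypothetical helper name, and the sample file with its deliberate "mastr" typo is constructed for illustration.

```shell
#!/bin/sh
# lint_bridge_config FILE BRIDGE PORT...
# Prints one line per problem found; exit status is non-zero if any.
lint_bridge_config() {
    file=$1; bridge=$2; shift 2
    awk -v bridge="$bridge" -v ports="$*" '
        BEGIN { n = split(ports, want, " ") }
        /^[ \t]*(#|$)/ { next }                      # comments, blank lines
        $1 == "iface"  { method[$2] = $4; next }     # iface NAME inet METHOD
        # "... ip link add name BRIDGE type bridge" creates the bridge device
        / ip link add name / && $NF == "bridge" {
            for (i = 1; i < NF; i++) if ($i == "name") created[$(i + 1)] = 1
        }
        # "... ip link set dev PORT master BRIDGE" attaches a port
        / ip link set dev / && $(NF - 1) == "master" {
            for (i = 1; i < NF; i++) if ($i == "dev") master[$(i + 1)] = $NF
        }
        END {
            bad = 0
            if (!(bridge in method))  { print bridge ": no iface stanza"; bad = 1 }
            if (!(bridge in created)) { print bridge ": never created"; bad = 1 }
            for (k = 1; k <= n; k++) {
                p = want[k]
                if (master[p] != bridge) { print p ": not attached to " bridge; bad = 1 }
                # A port with its own stanza must not carry an address method.
                if ((p in method) && method[p] != "manual") {
                    print p ": must be inet manual"; bad = 1
                }
            }
            exit bad
        }' "$file"
}

# Constructed sample: the datacenter file with a typo ("mastr") on the zt0 line.
sample=$(mktemp)
cat > "$sample" <<'EOF'
auto eth0
iface eth0 inet manual
auto br0
iface br0 inet static
address 192.168.1.27
pre-up ip link add name br0 type bridge
post-up ip link set dev eth0 master br0
allow-hotplug zt0
iface zt0 inet manual
post-up ip link set dev zt0 mastr br0
EOF
lint_bridge_config "$sample" br0 eth0 zt0 || echo "do not restart networking yet"
rm -f "$sample"
```

On the datacenter server the call would be lint_bridge_config /etc/network/interfaces br0 eth0 zt0; on the home server the ports are eth1 and zt0.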
2. MSS Clamping (Fix Freezing)
apt install -y iptables-persistent
iptables -t mangle -A POSTROUTING -o br0 -p tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu
netfilter-persistent save
Why do I need this?
3. Apply
systemctl restart networking
Home Side
Safe Zone: This machine is the "Invisible Pipe". It bridges the tunnel to physical port eth1.
1. Edit Network Interfaces
nano /etc/network/interfaces
Replace content with this:
# 1. Main Internet (Tunnel Transport)
auto eth0
iface eth0 inet dhcp

# 2. The Bridge (No IP - Transparent Pipe)
auto br0
iface br0 inet manual
    pre-up ip link add name br0 type bridge
    pre-up ip link set dev br0 up
    # Bring up Magic Port
    pre-up ip link set dev eth1 up
    # Connect Magic Port to Bridge
    post-up ip link set dev eth1 master br0
    post-down ip link del dev br0

# 3. Connect ZeroTier
allow-hotplug zt0
iface zt0 inet manual
    pre-up sleep 1
    post-up ip link set dev zt0 master br0
2. Apply & Connect
systemctl restart networking
Verification & Usage
Final Step: Connect Your Device
The bridge is now active. Any device you plug in will act as if it's in the Datacenter.
Action: Plug your server/PC into port eth1 on the Home Bridge machine.
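To confirm that the bridge really contains both ports after networking has restarted, the kernel's view in sysfs can be checked directly. This is an added example, not part of the original guide: check_bridge is a hypothetical helper name, and the demo runs against a constructed directory tree so it works on any machine.

```shell
#!/bin/sh
# check_bridge SYSFS_NET BRIDGE PORT...
# Prints one line per problem; returns 0 only if every PORT is attached to
# BRIDGE and none of them reports operstate "down".
check_bridge() {
    net=$1; bridge=$2; shift 2
    if [ ! -d "$net/$bridge/bridge" ]; then
        echo "$bridge: not a bridge device"
        return 2
    fi
    rc=0
    for port in "$@"; do
        # The kernel lists every attached port under <bridge>/brif/.
        if [ ! -e "$net/$bridge/brif/$port" ]; then
            echo "$port: not attached to $bridge"; rc=1; continue
        fi
        # "down" means administratively down or no carrier (nothing plugged in).
        state=$(cat "$net/$port/operstate" 2>/dev/null || echo unknown)
        if [ "$state" = "down" ]; then
            echo "$port: link is down"; rc=1
        fi
    done
    return $rc
}

# Constructed sysfs tree: both ports attached, but nothing plugged into eth1.
fake=$(mktemp -d)
mkdir -p "$fake/br0/bridge" "$fake/br0/brif/eth1" "$fake/br0/brif/zt0" \
         "$fake/eth1" "$fake/zt0"
echo down    > "$fake/eth1/operstate"
echo unknown > "$fake/zt0/operstate"
check_bridge "$fake" br0 eth1 zt0 || true     # prints "eth1: link is down"
rm -rf "$fake"

# On the real home bridge:   check_bridge /sys/class/net br0 eth1 zt0
# On the datacenter server:  check_bridge /sys/class/net br0 eth0 zt0
```

Attachment to br0 does not show that "Allow Ethernet Bridging" is enabled for the member; that setting still has to be confirmed at central.zerotier.com.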
IP Configuration for the End Device