ZeroTier setup for PocketNOC

Last updated: 2026-05-24

Use ZeroTier to put your phone and SolarWinds Orion server on the same virtual network for secure mobile monitoring, without exposing Orion to the internet.

Overview

ZeroTier is a software-defined networking layer that creates a virtual Ethernet network across devices anywhere on the internet. Devices join a network by ID and are then routable to each other on private IPs (default 10.147.x.x range), without port forwarding or public certificate exposure. This guide sets up ZeroTier so PocketNOC on your phone can reach the SolarWinds Orion SWIS API at https://10.147.0.10:17778 (or whatever ZeroTier assigns).

ZeroTier and Tailscale solve the same problem from slightly different angles. ZeroTier gives you a true Layer 2 overlay (you see real Ethernet frames); Tailscale gives you a Layer 3 mesh over WireGuard. For monitoring use, either works. Pick ZeroTier if you already use it elsewhere or if you specifically want L2 capabilities.

Prerequisites

Setup

1. Create a ZeroTier network

In the ZeroTier Central web UI:

  1. Click Networks → Create A Network. ZeroTier generates a 16-character network ID — copy it.
  2. Set the network to Private (default). Devices must be authorized individually before they can join.
  3. Under IPv4 Auto-Assign, pick a range that doesn't collide with your existing networks (e.g. 10.147.0.0/24).
  4. Optionally enable Rules Engine later to restrict which devices on the network can reach the Orion server's port.

2. Install ZeroTier on the Orion server

On Windows Server hosting Orion, download the MSI from zerotier.com/download.

After install, from an elevated PowerShell:

zerotier-cli join <your-network-id>

Then in ZeroTier Central, find the new device under your network's Members tab, give it a recognizable name (orion-prod), and check Auth to approve it. The server gets an IP from your assigned range — note it.

3. Install ZeroTier on your phone

iOS: ZeroTier One in the App Store. Android: ZeroTier One in Google Play.

After install, sign in (or use a network without sign-in by entering the network ID directly), and join the same network. Approve the phone in ZeroTier Central as you did for the server.

4. Restrict the phone's access (optional but recommended)

By default, every authorized device on a ZeroTier network can reach every other device. For a server holding monitoring data, tighten this with rules. Under your network's Flow Rules tab, replace the default accept; with something like:

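# Only allow phone → orion on the SWIS port, plus drop the rest.
# Flow rules are stateless, so the server's replies need their own accept.
tag pocketnoc_client
  id 1000
  default 0
  enum 1 phone
  enum 0 other
;

tag orion_server
  id 1001
  default 0
  enum 1 server
  enum 0 other
;

# ARP has to pass, or IPv4 members cannot resolve each other on the overlay.
accept ethertype arp;

# phone → orion: requests to the SWIS port.
# tseq matches the sender's tag value, treq the receiver's.
accept ipprotocol tcp and dport 17778
  and tseq pocketnoc_client phone
  and treq orion_server server;

# orion → phone: replies from the SWIS port.
accept ipprotocol tcp and sport 17778
  and tseq orion_server server
  and treq pocketnoc_client phone;

drop;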

Then tag the Orion server orion_server:server and the phone pocketnoc_client:phone from the Members tab.

5. Confirm reachability

On your phone, visit https://10.147.0.10:17778 (use the actual ZeroTier-assigned IP for your Orion server) in Safari/Chrome. You should see a TLS warning for a self-signed cert (expected). If the connection times out, recheck device authorization and rules.

6. Point PocketNOC at the ZeroTier IP

Open PocketNOC, choose Connect to your Orion server, and enter:

On first connect, PocketNOC shows the cert fingerprint via TOFU. Verify against the server's actual cert and accept. The fingerprint is pinned for future connections.
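
To get a reference value for that comparison, the following PowerShell reads the certificate SWIS presents on port 17778 and prints its fingerprints. This is an added example, not part of PocketNOC or SolarWinds tooling; the helper names are hypothetical, the address is this guide's example IP, and because the page does not say which hash PocketNOC displays, both SHA-256 and SHA-1 are shown. Run it on the Orion server itself so the reference value never crosses a network.

```powershell
# Added example: fingerprint the certificate presented on the SWIS port.
$Address = '10.147.0.10'   # example ZeroTier IP from this guide; replace with yours
$Port    = 17778

function Get-PresentedCertificate {
    param([string]$Address, [int]$Port)
    $tcp = New-Object System.Net.Sockets.TcpClient
    try {
        $tcp.Connect($Address, $Port)
        # Accept any certificate here: the goal is to inspect it, not to trust it.
        $callback = [System.Net.Security.RemoteCertificateValidationCallback]{ $true }
        $ssl = New-Object System.Net.Security.SslStream($tcp.GetStream(), $false, $callback)
        try {
            $ssl.AuthenticateAsClient($Address, $null,
                [System.Security.Authentication.SslProtocols]::Tls12, $false)
            # Copy the certificate so it outlives the stream.
            return New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($ssl.RemoteCertificate)
        } finally { $ssl.Dispose() }
    } finally { $tcp.Close() }
}

function Format-Fingerprint {
    param([byte[]]$Bytes)
    # Colon-separated upper-case hex, the usual display form for fingerprints.
    ($Bytes | ForEach-Object { $_.ToString('X2') }) -join ':'
}

$cert   = Get-PresentedCertificate -Address $Address -Port $Port
$sha256 = [System.Security.Cryptography.SHA256]::Create()
try { $digest = $sha256.ComputeHash($cert.RawData) } finally { $sha256.Dispose() }

[pscustomobject]@{
    Subject  = $cert.Subject
    NotAfter = $cert.NotAfter
    SHA256   = Format-Fingerprint $digest
    SHA1     = Format-Fingerprint $cert.GetCertHash()
} | Format-List
```

Accept the prompt in PocketNOC only if the fingerprint it shows matches one of these values exactly.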

Firewall requirements

Outbound (from each ZeroTier device)

ZeroTier uses UDP 9993 outbound to its root servers, with NAT-traversal fallbacks. Most firewalls allow this by default. If 9993/udp is blocked, ZeroTier falls back to TCP relay (slower, but works).

Internal (from phone to Orion)

The ZeroTier Flow Rules above are the network-layer allow-list. If you don't use Flow Rules, the entire ZeroTier network is unrestricted between authorized members — fine for trusted small networks, less good for compliance.

SolarWinds account recommendations

Use a dedicated, scoped read-only Orion account for PocketNOC. See the Tailscale setup guide — the recommendations are identical regardless of transport.

Troubleshooting

Device joins but stays "WAITING." You haven't authorized it in ZeroTier Central. Visit my.zerotier.com, find the device, check the Auth box.

Authorized but can't ping. Flow Rules may be blocking; the restrictive rules in step 4 only allow TCP 17778, so ICMP ping is dropped by design. Temporarily set rules to accept; to confirm, then put the restrictive rules back once you've identified the issue.

Works at home, fails on hotel Wi-Fi. Some captive-portal networks block UDP. ZeroTier falls back to TCP relay automatically but it can take 30+ seconds. Once the relay path is up it stays up.

Phone disconnects when screen turns off. iOS battery optimization can suspend ZeroTier. Add ZeroTier One to the iOS Background App Refresh allowlist.

Security considerations

Further reading

Jason Lazerus — Founder, WeaveHub Technologies — 20+ years network and security engineering