How to Set Up ZeroTier on Debian 13 (Trixie) for Secure Remote SSH Access (2026 Guide)

Tired of port-forwarding SSH, dealing with dynamic DNS, or exposing your server to the entire internet?

ZeroTier creates a virtual LAN between your devices — it’s like having everything on the same switch, even when they’re on different continents. No port forwarding. No public IP required. Very good security model.

In this guide we’ll install and configure ZeroTier on Debian 13 (Trixie) (as of early 2026), join a network, and make SSH available only via the ZeroTier IP — safely from anywhere.

Prerequisites

  • A Debian 13 (Trixie) machine (server, VM, Raspberry Pi, etc.)
  • Root or sudo access
  • A free ZeroTier account → https://my.zerotier.com
  • The device you’ll connect from (laptop/phone) also needs ZeroTier installed

Step 1: Install ZeroTier on Debian 13

The official one-liner works on Trixie (Debian 13) as of late 2025 / 2026.

Bash

curl -s https://install.zerotier.com | sudo bash

What this script does:

  • Adds the official ZeroTier apt repository
  • Imports the signing key
  • Installs the zerotier-one package

Alternative (more controlled / air-gapped friendly):

Bash

# Fetch the ZeroTier signing key into a dedicated keyring (recommended way in 2025+)
# -f makes curl fail on an HTTP error instead of piping an error page into gpg
curl -fsS 'https://download.zerotier.com/contact@zerotier.com.gpg' | gpg --dearmor | sudo tee /usr/share/keyrings/zerotier-archive-keyring.gpg > /dev/null

# Add the repository, pinned to that key with signed-by
echo "deb [signed-by=/usr/share/keyrings/zerotier-archive-keyring.gpg] https://download.zerotier.com/debian/trixie trixie main" | sudo tee /etc/apt/sources.list.d/zerotier.list

sudo apt update
sudo apt install zerotier-one

Both ways work in 2026.

Verify:

Bash

zerotier-cli -v
# Should show something like → 1.14.x or newer

The service starts automatically.

Step 2: Create or Join a ZeroTier Network

  1. Go to https://my.zerotier.com
  2. Log in → Create A Network (or use an existing one)
  3. Note down the 16-digit Network ID (e.g. a1b2c3d4e5f6g7h8)

On the Debian 13 server, join it:

Bash

sudo zerotier-cli join a1b2c3d4e5f6g7h8

200 means success.

You now have a ZeroTier address (10.x.x.x or fdxx::/64). To see it:

Bash

zerotier-cli listnetworks
# or
# ip does not expand wildcards, so filter the brief listing for zt interfaces
ip -br addr | grep '^zt'

Example output:

text

200 listnetworks <nwid> <name> <mac> <status> <type> <ZT assigned ips>
200 listnetworks a1b2c3d4e5f6g7h8 myhome-server 12:34:56:78:9a:bc OK PUBLIC 10.147.18.42/24 fd80:1234::abcd/40

Remember the 10.x.x.x address — that’s what you’ll SSH to.

Step 3: Authorize the Node in Central

  1. Back to https://my.zerotier.com/network/<your-nwid>
  2. Find the new unauthorized node (shows red dot or “REQUEST”)
  3. Click the checkbox → Authorize
  4. (Recommended) Give it a friendly name (e.g. “homeserver-deb13”)
  5. (Recommended) Check Add to Managed Routes if you want the whole /24 routed (usually yes)

Wait 5–30 seconds → status should become ONLINE.

Step 4: Configure SSH to Listen on ZeroTier Interface (Best Practice)

By default SSH listens on all interfaces (0.0.0.0).

For better security → listen only on the ZeroTier IP.

Find your ZeroTier IP again:

Bash

# Replace ztxxxxxx with the name of your ZeroTier interface
ip -4 addr show dev ztxxxxxx | grep inet | awk '{print $2}' | cut -d/ -f1
# example: 10.147.18.42

Edit SSH config:

Bash

sudo nano /etc/ssh/sshd_config

Add or change these lines:

ini

# Listen only on localhost + ZeroTier IP (add your actual IP)
ListenAddress 127.0.0.1
ListenAddress 10.147.18.42

# Optional – very good idea with ZeroTier
# Only keys
PasswordAuthentication no
# or "no"
PermitRootLogin prohibit-password

Then restart:

Bash

sudo systemctl restart ssh

Now SSH is not reachable from the real public internet — only from inside the ZeroTier network.
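
To confirm that Step 4 took effect, the following added example (not part of the original guide) parses ss -H -tln output and flags any SSH listener still bound outside loopback and the ZeroTier address, as well as a missing ZeroTier listener. The function name, the sample lines and the default port 22 are assumptions made for illustration.

```sh
#!/bin/sh
# Added example, not part of the original guide.
# Live use on the server:  ss -H -tln | audit_ssh_listeners 10.147.18.42

audit_ssh_listeners() {
    # $1 = ZeroTier address sshd should bind, $2 = sshd port (assumed 22).
    # Prints "EXPOSED <addr>" for listeners outside loopback and ZeroTier,
    # "MISSING <addr>" if the ZeroTier listener is absent; returns 1 on either.
    awk -v zt="$1" -v want="${2:-22}" '
        $1 == "LISTEN" && match($4, /:[0-9]+$/) {
            port = substr($4, RSTART + 1)
            addr = substr($4, 1, RSTART - 1)
            sub(/^\[/, "", addr); sub(/\]$/, "", addr)  # [::] becomes ::
            sub(/%.*$/, "", addr)                       # drop %iface scope
            if (port != want) next
            if (addr == zt) { seen = 1; next }
            if (addr == "127.0.0.1" || addr == "::1") next
            if (addr == "0.0.0.0" || addr == "::" || addr == "*") wild = 1
            print "EXPOSED " addr; bad = 1
        }
        END {
            # A wildcard bind already covers the ZeroTier address
            if (!seen && !wild) { print "MISSING " zt; bad = 1 }
            exit bad + 0
        }
    '
}

# Constructed sample input (State Recv-Q Send-Q Local Peer), not real captures.
DEFAULT_SSHD='LISTEN 0 128 0.0.0.0:22 0.0.0.0:*
LISTEN 0 128 [::]:22 [::]:*
LISTEN 0 4096 127.0.0.1:631 0.0.0.0:*'
HARDENED='LISTEN 0 128 127.0.0.1:22 0.0.0.0:*
LISTEN 0 128 10.147.18.42:22 0.0.0.0:*'
BOOT_RACE='LISTEN 0 128 127.0.0.1:22 0.0.0.0:*'

for sample in "$DEFAULT_SSHD" "$HARDENED" "$BOOT_RACE"; do
    if printf '%s\n' "$sample" | audit_ssh_listeners 10.147.18.42; then
        echo "OK: sshd bound to loopback and ZeroTier only"
    fi
    echo "--"
done
```

Run sudo sshd -t before restarting to catch syntax errors, and repeat the audit after a reboot: if sshd starts before the ZeroTier interface has its address, the bind to that ListenAddress fails and the check reports MISSING.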

Step 5: Connect from Your Laptop / Phone

Install ZeroTier on your client device:

  • Windows / macOS / Linux → same curl script or download from zerotier.com
  • Android / iOS → official app

Join the same network ID → authorize yourself in Central.

Then simply SSH using the ZeroTier IP:

Bash

ssh anil@10.147.18.42
# or with key
ssh -i ~/.ssh/mykey anil@10.147.18.42

It should connect almost instantly (usually < 50 ms even intercontinental).

Bonus: Useful ZeroTier Commands

Bash

# Show status
zerotier-cli status

# List networks
zerotier-cli listnetworks

# Leave network
zerotier-cli leave a1b2c3d4e5f6g7h8

# Show peers (who you're connected to)
zerotier-cli peers

# Moon / self-hosted controller (advanced)
zerotier-cli orbit ...

Security Notes (2026 edition)

  • Use SSH key authentication only — disable passwords
  • Enable ZeroTier flow rules to restrict who can reach TCP/22. Example rule in Central → accept dport 22;
  • Consider fail2ban even on ZeroTier interface
  • Keep ZeroTier updated (apt upgrade zerotier-one)
  • If paranoid → bind SSH to fd00:: address (IPv6 ULA) instead of 10.x

Troubleshooting Checklist

  • Node shows OFFLINE? → Check firewall allows UDP 9993
  • No route? → Authorize + add managed route in Central
  • Connection timeout? → zerotier-cli peers — look for DIRECT or RELAY
  • Very slow? → Try forcing UDP (avoid some CGNAT broken relays)

That’s it!

You’ve now got clean, modern remote SSH access with no port forwarding to configure — and you can add more machines (laptops, Raspberry Pis, cloud VMs) to the same virtual LAN anytime.

Enjoy,

Anil Nagpur, January 2026

Author

  • Dr. Anil Warbhe is a freelance technical consultant and a passionate advocate for simplifying complex technologies. His expertise lies in developing custom mobile applications, websites, and web applications, providing technical consultancy on server administration, and offering insightful perspectives on current tech trends through his writing.