Tunneling - An idiot needs help please

I use ZeroTier in my day-today support world but would like, if possible, to ditch it.

I have a Windows VM running that I would like to SSH into without having to use something like Zerotier to be the middleman and using username / password as authentication.

My machine - Mac with SSH server enabled
VM machine running on my machine - Windows with OpenSSH server installed and a local IP of

How can this be done?

Treat me gently, my brain can't get around the concept of local, remote and dynamic connections!

Could you please post some of your ZeroTier tunnel settings? I'll try to translate to Core Tunnel settings.

Kindly Regards,


Zerotier IPs are (my machine) and (the Windows VM)

It's a straight forward SSH connection to the VM port 22

Any screenshots for tunnel settings?


No. It's all internal to ZT.

I want to move away from ZT so looking for help with my original question - Can it be done or do I still need an agent of some sort on the VM machine?

My Mac has SSH server set up so I presume all the VM needs is the FQDN of the Mac to connect to the Mac and SSH server before I can connect to it?

Some questions for you that will help me understand your usage scenario:

  1. Are you accessing VM machine from your Mac computer locally?
  2. You need to login to VM machine's command line shell and execute commands?
  3. If #2 question is correct, What types of commands do you run?
  4. Are you able to SSH to VM machine right now? If you can, please post the ssh command.

Kindly Regards,


How are you running your VM? VirtualBox has several different networking modes as an example. Some of them depend on the host being connected to a network to provide an IP.

With ZT your VM will have two IP's. The ZT IP will obviously only work on the ZT network.

What is the IP of your mac? Is it on a network or disconnected? That will have a big impact on how and if you can ssh to it from the VM but I guess the main problem is to ssh from the mac to the VM.

Knowing the Virtualization software and how it's networked is needed to be able to solve this.


No agent need on the VM. Just ssh server enabled. I do this all the time from my mac to VM's running on it.

1 Like

Windows VM is on Parallels with shared networking (own private network,

Mac has local IP from router (192.168.50.x)

Basically the Mac is connected to network via router, the VM to a separate "private" network.

Maybe it would be easier to more generally describe it as this:

  1. I have a Mac sitting behind my router (IP address 192.168.50.x).

  2. I want to SSH to another computer sitting behind yet another router (public ISP IP address unknown, can change at anytime and has no port forwarding).

  3. I have a DDNS service through my router so my external IP is a known value (for example mymac.myipaddress.com)

  4. Knowing the above how to SSH from the Mac to the remote machine. Can the SSH server (Windows or Mac) running on the remote machine use the DDNS address to allow me to SSH into it?

flowchart LR
    A[Mac] -->|LAN| B(Router A)
    B --> |Internet| C(Router B with DDNS)
    C -->|LAN| D[Remote Machine]
    A-.SSH .->D

According to your description, I draw a simple flowchart to reflect your scenario, am I understand you correctly? And, it seems there is nothing to do with your Windows VM.

Kindly Regards,



I looked at Parallels different networking modes, KB Parallels: Network modes in Parallels Desktop for Mac, and it looks like you're using the default Shared mode. That should allow you to ssh to the VM from the host it's running on. I believe that was the initial question you had.

What you now describes sounds different or maybe it's the same and the VM was never on your own Mac?

Having a DDNS service for your external IP is of no help trying to reach the remote machine. For your use case I'm using Tailscale which is similar to ZeroTier. With Tailscale all my devices that's part of my TailNet have a fixed IP and all communication is encrypted, it's a VPN mesh. It's doesn't matter if remote devices move to other networks or get new local IP's. Tailscale will still work. It's free for 100 devices. All communication is direct between the devices. Traffic is not bounced through any middleman. All ports are open for all devices in the same Tailnet.

Even if you manage to get your solution to work with DDNS, reverse tunnels etc. it will be complicated and fragile. Any network change, router change, ports closed will break it.


1 Like

Many thanks Mikael, you've confirmed what I suspected - some sort of agent is required on remote machines (as I already have with ZT which basically does exactly the same as Tailscale) so I'll stick with my existing set up.

1 Like