diff --git a/modules/zerotier/default.nix b/modules/zerotier/default.nix
index a4ef9ff..356b347 100644
--- a/modules/zerotier/default.nix
+++ b/modules/zerotier/default.nix
@@ -1,6 +1,9 @@
-{ lib, ... }:
+{ lib, pkgs, ... }:
 {
- networking.firewall.allowedTCPPorts = [ 9993 ];
+ networking.firewall.allowedTCPPorts = [
+ 9993
+ 993 # zt-tcp-proxy
+ ];
 networking.firewall.allowedUDPPorts = [ 9993 ];
 networking.firewall.interfaces."zt+".allowedTCPPorts = [ 5353 ];
 networking.firewall.interfaces."zt+".allowedUDPPorts = [ 5353 ];
@@ -16,13 +19,25 @@ }; }; + systemd.services.zt-tcp-proxy = { + wantedBy = [ "multi-user.target" ]; + after = [ "zerotier-one.service" ]; + serviceConfig = { + Type = "simple"; + # imap port + ExecStart = "${pkgs.callPackage ../../pkgs/zt-tcp-relay.nix {}}/bin/zt-tcp-relay --listen [::]:993"; + Restart = "always"; + RestartSec = 5; + DynamicUser = true; + User = "zt-tcp-proxy"; + Group = "zt-tcp-proxy"; + AmbientCapabilities = "CAP_NET_BIND_SERVICE"; + }; + }; + services.zerotierone = { + enable = true; - joinNetworks = [ - "33d87fa6bd93423e" - ]; + joinNetworks = [ "33d87fa6bd93423e" ]; }; - nixpkgs.config.allowUnfreePredicate = pkg: builtins.elem (lib.getName pkg) [ - "zerotierone" - ]; + nixpkgs.config.allowUnfreePredicate = pkg: builtins.elem (lib.getName pkg) [ "zerotierone" ]; }
diff --git a/pkgs/zerotier-tcp-proxy.nix b/pkgs/zerotier-tcp-proxy.nix
new file mode 100644
index 0000000..7583365
--- /dev/null
+++ b/pkgs/zerotier-tcp-proxy.nix
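Review bot: Port 993 is added to the global `networking.firewall.allowedTCPPorts`, so the relay that the second hunk starts on `[::]:993` becomes reachable from every interface, unlike the 5353 rules below it, which are scoped to `zt+`. That is presumably intended for a ZeroTier-over-TCP fallback, but the comment should say so and should name what is actually installed: `993 # zt-tcp-relay: ZeroTier-over-TCP fallback, deliberately reachable from the internet`. If the relay forwards each client frame to the UDP destination named inside the frame, as the ZeroTier tcp-proxy protocol does, this host also becomes a publicly usable UDP relay, so connections on 993 deserve logging or rate limiting; if world exposure is not wanted, scope the port with `networking.firewall.interfaces.<name>.allowedTCPPorts` instead.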
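Review bot: The unit grants `AmbientCapabilities = "CAP_NET_BIND_SERVICE"` but leaves the capability bounding set and the allowed socket families at their defaults for a process that accepts connections from the internet on `[::]:993`; add `CapabilityBoundingSet = "CAP_NET_BIND_SERVICE";` and `RestrictAddressFamilies = "AF_INET AF_INET6";` beside it so a compromised relay is confined to that one capability and to IP sockets. `DynamicUser = true` already implies ProtectSystem=strict, ProtectHome=read-only, PrivateTmp and NoNewPrivileges, so those two lines close most of what is left, with `SystemCallFilter = "@system-service";` as the usual next step. The comment `# imap port` only restates the number; say why it is used, presumably something like `# 993 (IMAPS) so peers behind mail-only egress filters can still reach the relay`. The unit is named `zt-tcp-proxy` but runs `zt-tcp-relay`, and `after = [ "zerotier-one.service" ]` orders it behind a service that nothing in this hunk shows it using.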
@@ -0,0 +1,25 @@
+{ stdenv, fetchFromGitHub, fetchpatch, zerotierone }:
+stdenv.mkDerivation {
+ name = "zerotier-tcp-proxy";
+ src = fetchFromGitHub {
+ owner = "zerotier";
+ repo = "ZeroTierOne";
+ rev = "008a768f15763aa4b1c73434cdc517b6b4e3f997";
+ hash = "sha256-BX589KbO+6eoyUo7UUDEL7pyIgpUE25deax+dmvGGG4=";
+ };
+ patches = [
+ (fetchpatch {
+ url = "https://github.com/zerotier/ZeroTierOne/commit/dd2006d494e85a41d8b818b37460e7cf458a2aee.patch";
+ hash = "sha256-nuao04pDha7h62RHviUZYx21p6bNOyiU78kBBq2o2Rs=";
+ })
+ ];
+ buildPhase = ''
+ pushd tcp-proxy
+ cat tcp-proxy.cpp
+ make -j $NIX_BUILD_CORES CXX=$CXX
+ popd
+ '';
+ installPhase = ''
+ install -D -m 755 tcp-proxy/tcp-proxy $out/bin/zerotier-tcp-proxy
+ '';
+}
diff --git a/pkgs/zt-tcp-relay.nix b/pkgs/zt-tcp-relay.nix
new file mode 100644
index 0000000..4f188e6
--- /dev/null
+++ b/pkgs/zt-tcp-relay.nix
@@ -0,0 +1,32 @@
+{ lib
+, rustPlatform
+, fetchFromGitHub
+, fetchpatch
+}:
+
+rustPlatform.buildRustPackage {
+ pname = "zt-tcp-relay";
+ version = "unstable-2022-08-02";
+
+ src = fetchFromGitHub {
+ owner = "alexander-akhmetov";
+ repo = "zt-tcp-relay";
+ rev = "2d4541d77807d57d5c303a1babfabf7f445e3946";
+ hash = "sha256-6CkVvBRMsyAPBdkDBM1REJjM+3vs+ws/qCmQOfFInMw=";
+ };
+
+ patches = [
+ # https://github.com/alexander-akhmetov/zt-tcp-relay/pull/19
+ (fetchpatch {
+ url = "https://github.com/alexander-akhmetov/zt-tcp-relay/commit/69f0a4f1f210dcd7a305036d4737d9a29215824d.patch";
+ hash = "sha256-kqZS9IjwEggLE6CQFaacL2TyTUn0PQCz1TPdoZdDrk0=";
+ })
+ ];
+
+ cargoHash = "sha256-MDygbJRi1aT4hfI7b2hwhYJ4UJyR1DehDAHDgbDZ35g=";
+
+ meta = {
+ description = "ZeroTier One TCP relay";
+ homepage = "https://github.com/alexander-akhmetov/zt-tcp-relay";
+ };
+}
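Review bot: `cat tcp-proxy.cpp` in `buildPhase` prints the whole source into the build log and reads as leftover debugging; drop it. The `zerotierone` argument is declared but never used, and nothing else in this commit references `pkgs/zerotier-tcp-proxy.nix` (the module calls `../../pkgs/zt-tcp-relay.nix`), so the derivation is dead weight unless it is meant as an alternative, in which case a one-line comment at the top should say which of the two is the intended relay. It also uses a bare `name` and has no `meta`; `pname`/`version` plus a `meta.description` would bring it in line with the sibling `zt-tcp-relay.nix` in the next hunk.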
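Review bot: `lib` is taken as an argument but never used, and `meta` has neither `license` nor `mainProgram`; either drop `lib` or use it for `license = lib.licenses.<UPSTREAM-LICENSE>;` (placeholder, fill in from the upstream repository) and add `mainProgram = "zt-tcp-relay";` so `lib.getExe` and `nix run` resolve the binary. The `# https://github.com/alexander-akhmetov/zt-tcp-relay/pull/19` comment should also say what the patch changes, so a reader knows whether it can be dropped once the pinned `rev` moves past that merge.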