Maybe the little manual to turn CoreELEC into a zerotier gateway can help you, the full article is here.
It tries to include the following command lines in CoreELEC (I do this in /storage/.config/autostart.sh)
echo 1 > /proc/sys/net/ipv4/ip_forward
(this is required, default ip_forward in CoreELEC is 0)
iptables -A FORWARD -i ztc3quell2 -o eth0 -j ACCEPT
(everything coming from the zerotier interface to eth0 domain IPs are accepted)
iptables -A FORWARD -i eth0 -o ztc3quell2 -m state --state ESTABLISHED,RELATED -j ACCEPT
(no one with an IP in the eth0 domain can initiate a conversation destined for zerotier but can converse with previously established communications from zerotier)
iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
(mask everything that comes out of eth0)
route add -net 192.168.8.0 netmask 255.255.255.0 gw 10.10.10.12
(allows to find a remote IP in another domain 192.168.8.0/24 whose gateway is other remote zerotier device with IP 10.10.10.12)