diff --git a/nixosModules/clanCore/zerotier/default.nix b/nixosModules/clanCore/zerotier/default.nix
index 5de095d17..113fed67a 100644
--- a/nixosModules/clanCore/zerotier/default.nix
+++ b/nixosModules/clanCore/zerotier/default.nix
@@ -79,9 +79,10 @@ in
           KeepConfiguration = "static";
         };
       };
-      networking.firewall.allowedUDPPorts = [ 9993 ];
-      networking.firewall.interfaces."zt+".allowedTCPPorts = [ 5353 ];
-      networking.firewall.interfaces."zt+".allowedUDPPorts = [ 5353 ];
+      networking.firewall.interfaces."zt+".allowedTCPPorts = [ 5353 ]; # mdns
+      networking.firewall.interfaces."zt+".allowedUDPPorts = [ 5353 ]; # mdns
+      networking.networkmanager.unmanaged = [ "interface-name:zt*" ];
+
       services.zerotierone = {
         enable = true;
         joinNetworks = [ cfg.networkId ];
diff --git a/pkgs/clan-cli/tests/test_secrets_generate.py b/pkgs/clan-cli/tests/test_secrets_generate.py
index d5c98858e..44b6aa90d 100644
--- a/pkgs/clan-cli/tests/test_secrets_generate.py
+++ b/pkgs/clan-cli/tests/test_secrets_generate.py
@@ -41,5 +41,10 @@ def test_upload_secret(
     assert age_key.lstat().st_mtime_ns == age_key_mtime
     assert identity_secret.lstat().st_mtime_ns == secret1_mtime
 
-    machine_path = sops_secrets_folder().joinpath("vm1-zerotier-identity-secret").joinpath("machines").joinpath("vm1")
+    machine_path = (
+        sops_secrets_folder()
+        .joinpath("vm1-zerotier-identity-secret")
+        .joinpath("machines")
+        .joinpath("vm1")
+    )
     assert machine_path.exists()