Zerotier

Installation on Docker

Use zyclonite/zerotier image

For podman, need to map to zerotier-one folder in home folder if running as rootless, e.g ~/.containers/zerotier-one, this folder must be created before running docker run

docker run --name zerotier --device=/dev/net/tun \
  --network=host -d \
  --cap-add=NET_ADMIN --cap-add=NET_RAW --cap-add=SYS_ADMIN \
  --env TZ=Etc/UTC --env PUID=$(id -u) --env PGID=$(id -g) \
  --env ZEROTIER_ONE_LOCAL_PHYS=eth0 \
  --env ZEROTIER_ONE_USE_IPTABLES_NFT=true \
  --env ZEROTIER_ONE_GATEWAY_MODE=inbound \
  --env ZEROTIER_ONE_NETWORK_IDS=$networkid \
  -v /var/lib/zerotier-one:/var/lib/zerotier-one \
  zyclonite/zerotier:router

--device=/dev/net/tun: Grants the container access to the /dev/net/tun device, which is required for creating virtual network interfaces (often needed for VPN or networking tools).
--network=host: Uses the host machine’s network stack instead of creating an isolated one for the container. This allows the container to directly interact with the host's network.
--cap-add=NET_ADMIN, NET_RAW, and SYS_ADMIN: Adds specific capabilities to the container. These are required for advanced networking and system administration tasks:
- NET_ADMIN: Allows managing network configurations.
- NET_RAW: Enables sending raw packets.
- SYS_ADMIN: Grants access to system-level administrative privileges.
--env or -e: environment variables
- TZ=Etc/UTC: Sets the time zone for the container.
- PUID=$(id -u) and PGID=$(id -g): Passes the current user's ID and group ID to the container for proper permission handling.
- ZEROTIER_ONE_LOCAL_PHYS=eth0: Specifies the physical network interface eth0 for ZeroTier.
- ZEROTIER_ONE_USE_IPTABLES_NFT=true: Enables the use of iptables/nftables for firewall rules.
- ZEROTIER_ONE_GATEWAY_MODE=inbound: Configures the container in inbound gateway mode.
- ZEROTIER_ONE_NETWORK_IDS=$networkid: Sets the network IDs for the ZeroTier container

Docker file

## NOTE: to retain configuration; mount a Docker volume, or use a bind-mount, on /var/lib/zerotier-one

FROM debian:buster-slim as builder

## Supports x86_64, x86, arm, and arm64

RUN apt-get update && apt-get install -y curl gnupg
RUN apt-key adv --keyserver pgp.mit.edu --recv-keys 0x1657198823e52a61  && \
    echo "deb http://download.zerotier.com/debian/buster buster main" > /etc/apt/sources.list.d/zerotier.list
RUN apt-get update && apt-get install -y zerotier-one=1.8.6
COPY ./main.sh /var/lib/zerotier-one/main.sh

FROM debian:buster-slim
LABEL version="1.8.6"
LABEL description="Containerized ZeroTier One for use on CoreOS or other Docker-only Linux hosts."

# ZeroTier relies on UDP port 9993
EXPOSE 9993/udp

RUN mkdir -p /var/lib/zerotier-one
COPY --from=builder /usr/sbin/zerotier-cli /usr/sbin/zerotier-cli
COPY --from=builder /usr/sbin/zerotier-idtool /usr/sbin/zerotier-idtool
COPY --from=builder /usr/sbin/zerotier-one /usr/sbin/zerotier-one
COPY --from=builder /var/lib/zerotier-one/main.sh /main.sh

RUN chmod 0755 /main.sh
ENTRYPOINT ["/main.sh"]
CMD ["zerotier-one"]

main.sh

#!/bin/sh

export PATH=/bin:/usr/bin:/usr/local/bin:/sbin:/usr/sbin

if [ ! -e /dev/net/tun ]; then
	echo 'FATAL: cannot start ZeroTier One in container: /dev/net/tun not present.'
	exit 1
fi

exec "$@"

Build and Run Docker

docker build -t zerotier .
docker run -it --name zerotier --restart unless-stopped --cap-add=NET_ADMIN --cap-add=SYS_ADMIN --device=/dev/net/tun zerotier:latest /bin/bash
zerotier-one -d
zerotier-cli join $id
zerotier-cli leave $id
zerotier-cli listnetworks
zerotier-cli status

Using docker-compose

# docker-compose.yml
version: '3.8'
services:
  zerotier:
    image: zerotier
    container_name: zerotier
    devices:
      - "/dev/net/tun:/dev/net/tun"
    cap_add:
      - NET_ADMIN
      - SYS_ADMIN
    restart: unless-stopped

docker-compose up -d

Configuration Forwarding on container

apt-get update
apt-get upgrade -y
apt-get install procps -y
sysctl -w net.ipv4.ip_forward=1
- to change it permanently: add/uncomment net.ipv4.ip_forward=1 to /etc/sysctl.conf
- In proxmox, may need to unbind host settings to lxc container: add the following line to /etc/pve/lxc/xxx.conf
  - lxc.mount.entry = /proc/sys/net/ipv4/ip_forward proc/sys/net/ipv4/ip_forward none bind,optional,create=file
    /proc/sys/net/ipv4/ip_forward: first is host, second is container
    none bind: not linked, container will not inherit setting from host
    optional: If the file doesn’t exist, the container won’t fail to start.
    create=file: If the file doesn’t exist inside the container, it will be created automatically.
sysctl -p: apply the changes
sysctl net.ipv4.ip_forward
apt-get install iptables -y
iptables -t nat -A POSTROUTING -s $NetworkofZeroTier -j MASQUERADE
iptables -L -t nat
if needed, configuration forward rule as well

iptables -t nat -A POSTROUTING -o $PHY_IFACE -j MASQUERADE
iptables -A FORWARD -i $PHY_IFACE -o $ZT_IFACE -m state --state RELATED,ESTABLISHED -j ACCEPT
iptables -A FORWARD -i $ZT_IFACE -o $PHY_IFACE -j ACCEPT

Save iptables and make it persistent: rule will be saved in /etc/iptables/rules.v4 and rules.v6

sudo apt-get install iptables-persistent
sudo netfilter-persistent save
sudo systemctl enable netfilter-persistent
sudo systemctl status netfilter-persistent

Install other utilities for testing:
- apt-get install iproute2: ip add, route commands
- apt-get install iputils-ping: ping command

Install as container in proxmox

Create containter

Create container as usual
Then, in proxmox shell, configure

echo "lxc.cgroup.devices.allow: c 10:200 rwm" >> /etc/pve/lxc/XXX.conf
echo "lxc.mount.entry: /dev/net dev/net none bind,create=dir" >> /etc/pve/lxc/XXX.conf

lxc.cgroup.devices.allow: c 10:200 rwm
- This line grants the container permission to access the TUN/TAP network device (c 10:200 refers to the character device with major number 10 and minor number 200).
- The rwm flag allows read, write, and memory mapping operations on this device.
- This is necessary for VPN software that creates virtual network interfaces inside the container.
lxc.mount.entry: /dev/net dev/net none bind,create=dir
- This mounts the /dev/net directory inside the container, ensuring that the TUN/TAP device is accessible.
- The bind option links the directory from the host system to the container.
- The create=dir option ensures that the directory is created if it does not already exist.
if /dev/net/tun does not exist inside container, create it

Install zero inside container

curl -s https://install.zerotier.com | sudo bash
zerotier-cli join $networkid
zerotier-cli status

Verification

zerotier-cli listnetworks: list networks
- -j: output in json format

Print List of network in table format

# Get ZeroTier networks JSON data
ZEROTIER_JSON=$(/usr/local/bin/zerotier-cli -j listnetworks)
# Format and display results in a table
echo "Network Name |         ID         | Interface | Assigned Address | Status | Allowed Default | Routes        "
echo "-------------|--------------------|-----------|------------------|--------|-----------------|---------------"
echo "$ZEROTIER_JSON" | jq -r '
  .[] | "\(.name) | \(.id) | \(.portDeviceName) | \(.assignedAddresses[0]) | \(.status)   | \(.allowDefault) |        \(.routes | map(.target) | join(", ")) "
  ' | column -t -s '|'

API

Get Network:

curl -X GET "https://api.zerotier.com/api/network" \
  -H "Authorization: Bearer $ZEROTIER_CENTRAL_TOKEN" \
  -H "Content-Type: application/json"

Get Member

curl -X GET "https://api.zerotier.com/api/v1/network/<network_id>/member" \
  -H "Authorization: Bearer $ZEROTIER_CENTRAL_TOKEN" \
  -H "Content-Type: application/json"

Approve Member

curl -X POST "https://api.zerotier.com/api/v1/network/<network_id>/member/<member_id>" \
  -H "Authorization: token $ZEROTIER_CENTRAL_TOKEN" \
  -H "Content-Type: application/json" \
  -d '{
    "config": {
      "authorized": true
    }
  }'

Verify Approval Status

curl -X GET "https://api.zerotier.com/api/v1/network/<network_id>/member/<member_id>" \
  -H "Authorization: token $ZEROTIER_CENTRAL_TOKEN" \
  -H "Content-Type: application/json"

Reference

PreviousInstalling Connectors NextAzure

Last updated 9 months ago

hashtagInstallation on Docker

hashtagUse zyclonite/zerotier image

hashtagDocker file

hashtagBuild and Run Docker

hashtagUsing docker-compose

hashtagConfiguration Forwarding on container

hashtagInstall as container in proxmox

hashtagCreate containter

hashtagInstall zero inside container

hashtagVerification

hashtagPrint List of network in table format

hashtagAPI

hashtagReference

Installation on Docker

Use zyclonite/zerotier image

Docker file

Build and Run Docker

Using docker-compose

Configuration Forwarding on container

Install as container in proxmox

Create containter

Install zero inside container

Verification

Print List of network in table format

API

Reference