Zerotier

Installation on Docker

Use zyclonite/zerotier image

For podman, need to map to zerotier-one folder in home folder if running as rootless, e.g ~/.containers/zerotier-one, this folder must be created before running docker run

docker run --name zerotier --device=/dev/net/tun \
  --network=host -d \
  --cap-add=NET_ADMIN --cap-add=NET_RAW --cap-add=SYS_ADMIN \
  --env TZ=Etc/UTC --env PUID=$(id -u) --env PGID=$(id -g) \
  --env ZEROTIER_ONE_LOCAL_PHYS=eth0 \
  --env ZEROTIER_ONE_USE_IPTABLES_NFT=true \
  --env ZEROTIER_ONE_GATEWAY_MODE=inbound \
  --env ZEROTIER_ONE_NETWORK_IDS=$networkid \
  -v /var/lib/zerotier-one:/var/lib/zerotier-one \
  zyclonite/zerotier:router

--device=/dev/net/tun: Grants the container access to the /dev/net/tun device, which is required for creating virtual network interfaces (often needed for VPN or networking tools).
--network=host: Uses the host machine’s network stack instead of creating an isolated one for the container. This allows the container to directly interact with the host's network.
--cap-add=NET_ADMIN, NET_RAW, and SYS_ADMIN: Adds specific capabilities to the container. These are required for advanced networking and system administration tasks:
- NET_ADMIN: Allows managing network configurations.
- NET_RAW: Enables sending raw packets.
- SYS_ADMIN: Grants access to system-level administrative privileges.
--env or -e: environment variables
- TZ=Etc/UTC: Sets the time zone for the container.
- PUID=$(id -u) and PGID=$(id -g): Passes the current user's ID and group ID to the container for proper permission handling.
- ZEROTIER_ONE_LOCAL_PHYS=eth0: Specifies the physical network interface eth0 for ZeroTier.
- ZEROTIER_ONE_USE_IPTABLES_NFT=true: Enables the use of iptables/nftables for firewall rules.
- ZEROTIER_ONE_GATEWAY_MODE=inbound: Configures the container in inbound gateway mode.
- ZEROTIER_ONE_NETWORK_IDS=$networkid: Sets the network IDs for the ZeroTier container

Docker file

## NOTE: to retain configuration; mount a Docker volume, or use a bind-mount, on /var/lib/zerotier-one

FROM debian:buster-slim as builder

## Supports x86_64, x86, arm, and arm64

RUN apt-get update && apt-get install -y curl gnupg
RUN apt-key adv --keyserver pgp.mit.edu --recv-keys 0x1657198823e52a61  && \
    echo "deb http://download.zerotier.com/debian/buster buster main" > /etc/apt/sources.list.d/zerotier.list
RUN apt-get update && apt-get install -y zerotier-one=1.8.6
COPY ./main.sh /var/lib/zerotier-one/main.sh

FROM debian:buster-slim
LABEL version="1.8.6"
LABEL description="Containerized ZeroTier One for use on CoreOS or other Docker-only Linux hosts."

# ZeroTier relies on UDP port 9993
EXPOSE 9993/udp

RUN mkdir -p /var/lib/zerotier-one
COPY --from=builder /usr/sbin/zerotier-cli /usr/sbin/zerotier-cli
COPY --from=builder /usr/sbin/zerotier-idtool /usr/sbin/zerotier-idtool
COPY --from=builder /usr/sbin/zerotier-one /usr/sbin/zerotier-one
COPY --from=builder /var/lib/zerotier-one/main.sh /main.sh

RUN chmod 0755 /main.sh
ENTRYPOINT ["/main.sh"]
CMD ["zerotier-one"]

main.sh

#!/bin/sh

export PATH=/bin:/usr/bin:/usr/local/bin:/sbin:/usr/sbin

if [ ! -e /dev/net/tun ]; then
	echo 'FATAL: cannot start ZeroTier One in container: /dev/net/tun not present.'
	exit 1
fi

exec "$@"

Build and Run Docker

docker build -t zerotier .
docker run -it --name zerotier --restart unless-stopped --cap-add=NET_ADMIN --cap-add=SYS_ADMIN --device=/dev/net/tun zerotier:latest /bin/bash
zerotier-one -d
zerotier-cli join $id
zerotier-cli leave $id
zerotier-cli listnetworks
zerotier-cli status

Using docker-compose

# docker-compose.yml
version: '3.8'
services:
  zerotier:
    image: zerotier
    container_name: zerotier
    devices:
      - "/dev/net/tun:/dev/net/tun"
    cap_add:
      - NET_ADMIN
      - SYS_ADMIN
    restart: unless-stopped

docker-compose up -d

Configuration Forwarding on container

apt-get update
apt-get upgrade -y
apt-get install procps -y
sysctl -w net.ipv4.ip_forward=1
- to change it permanently: add/uncomment net.ipv4.ip_forward=1 to /etc/sysctl.conf
- In proxmox, may need to unbind host settings to lxc container: add the following line to /etc/pve/lxc/xxx.conf
  - lxc.mount.entry = /proc/sys/net/ipv4/ip_forward proc/sys/net/ipv4/ip_forward none bind,optional,create=file
    /proc/sys/net/ipv4/ip_forward: first is host, second is container
    none bind: not linked, container will not inherit setting from host
    optional: If the file doesn’t exist, the container won’t fail to start.
    create=file: If the file doesn’t exist inside the container, it will be created automatically.
sysctl -p: apply the changes
sysctl net.ipv4.ip_forward
apt-get install iptables -y
iptables -t nat -A POSTROUTING -s $NetworkofZeroTier -j MASQUERADE
iptables -L -t nat
if needed, configuration forward rule as well

iptables -t nat -A POSTROUTING -o $PHY_IFACE -j MASQUERADE
iptables -A FORWARD -i $PHY_IFACE -o $ZT_IFACE -m state --state RELATED,ESTABLISHED -j ACCEPT
iptables -A FORWARD -i $ZT_IFACE -o $PHY_IFACE -j ACCEPT

Save iptables and make it persistent: rule will be saved in /etc/iptables/rules.v4 and rules.v6

sudo apt-get install iptables-persistent
sudo netfilter-persistent save
sudo systemctl enable netfilter-persistent
sudo systemctl status netfilter-persistent

Install other utilities for testing:
- apt-get install iproute2: ip add, route commands
- apt-get install iputils-ping: ping command

Install as container in proxmox

Create containter

Create container as usual
Then, in proxmox shell, configure

echo "lxc.cgroup.devices.allow: c 10:200 rwm" >> /etc/pve/lxc/XXX.conf
echo "lxc.mount.entry: /dev/net dev/net none bind,create=dir" >> /etc/pve/lxc/XXX.conf

lxc.cgroup.devices.allow: c 10:200 rwm
- This line grants the container permission to access the TUN/TAP network device (c 10:200 refers to the character device with major number 10 and minor number 200).
- The rwm flag allows read, write, and memory mapping operations on this device.
- This is necessary for VPN software that creates virtual network interfaces inside the container.
lxc.mount.entry: /dev/net dev/net none bind,create=dir
- This mounts the /dev/net directory inside the container, ensuring that the TUN/TAP device is accessible.
- The bind option links the directory from the host system to the container.
- The create=dir option ensures that the directory is created if it does not already exist.
if /dev/net/tun does not exist inside container, create it

Install zero inside container

curl -s https://install.zerotier.com | sudo bash
zerotier-cli join $networkid
zerotier-cli status

Verification

zerotier-cli listnetworks: list networks
- -j: output in json format

Print List of network in table format

# Get ZeroTier networks JSON data
ZEROTIER_JSON=$(/usr/local/bin/zerotier-cli -j listnetworks)
# Format and display results in a table
echo "Network Name |         ID         | Interface | Assigned Address | Status | Allowed Default | Routes        "
echo "-------------|--------------------|-----------|------------------|--------|-----------------|---------------"
echo "$ZEROTIER_JSON" | jq -r '
  .[] | "\(.name) | \(.id) | \(.portDeviceName) | \(.assignedAddresses[0]) | \(.status)   | \(.allowDefault) |        \(.routes | map(.target) | join(", ")) "
  ' | column -t -s '|'

API

Get Network:

curl -X GET "https://api.zerotier.com/api/network" \
  -H "Authorization: Bearer $ZEROTIER_CENTRAL_TOKEN" \
  -H "Content-Type: application/json"

Get Member

curl -X GET "https://api.zerotier.com/api/v1/network/<network_id>/member" \
  -H "Authorization: Bearer $ZEROTIER_CENTRAL_TOKEN" \
  -H "Content-Type: application/json"

Approve Member

curl -X POST "https://api.zerotier.com/api/v1/network/<network_id>/member/<member_id>" \
  -H "Authorization: token $ZEROTIER_CENTRAL_TOKEN" \
  -H "Content-Type: application/json" \
  -d '{
    "config": {
      "authorized": true
    }
  }'

Verify Approval Status

curl -X GET "https://api.zerotier.com/api/v1/network/<network_id>/member/<member_id>" \
  -H "Authorization: token $ZEROTIER_CENTRAL_TOKEN" \
  -H "Content-Type: application/json"

Reference

PreviousInstalling Connectors NextAzure

Last updated 6 months ago