https://github.com/zyclonite/zerotier-docker

ZeroTier One as Docker Image
https://github.com/zyclonite/zerotier-docker

bridge container coreos docker fcos multi-arch podman rpi sdn vpn zero-trust zerotier

Last synced: about 2 months ago
JSON representation

ZeroTier One as Docker Image

• Host: GitHub
• URL: https://github.com/zyclonite/zerotier-docker
• Owner: zyclonite
• License: mit
• Created: 2017-03-29T09:03:11.000Z (over 7 years ago)
• Default Branch: main
• Last Pushed: 2024-05-23T16:19:17.000Z (4 months ago)
• Last Synced: 2024-06-12T13:23:49.150Z (3 months ago)
• Topics: bridge, container, coreos, docker, fcos, multi-arch, podman, rpi, sdn, vpn, zero-trust, zerotier
• Language: Shell
• Homepage:
• Size: 118 KB
• Stars: 299
• Watchers: 12
• Forks: 74
• Open Issues: 10
• Metadata Files:
  • Readme: README-router.md
  • License: LICENSE

Awesome Lists containing this project

README

        
## zerotier router

### Description

This is a variation built on top of the zyclonite/zerotier container which implements a local network router. It is based upon the ZeroTier Knowledge Base article:

* [Route between ZeroTier and Physical Networks](https://zerotier.atlassian.net/wiki/spaces/SD/pages/224395274/Route+between+ZeroTier+and+Physical+Networks)

Technically, this could be described as a *half-router*:

* You can initiate connections *from* a remote client *to* devices on the LAN; but

* You can't initiate connections *to* the remote client *from* devices on the LAN.

### Command line example

``` console

$ docker run --name zerotier-one --device=/dev/net/tun \

  --cap-add=NET_ADMIN --cap-add=NET_RAW --cap-add=SYS_ADMIN \

  --env TZ=Etc/UTC --env PUID=999 --env PGID=994 \

  --env ZEROTIER_ONE_LOCAL_PHYS=eth0 \

  --env ZEROTIER_ONE_USE_IPTABLES_NFT=false \

  --env ZEROTIER_ONE_GATEWAY_MODE=inbound \

  --env ZEROTIER_ONE_NETWORK_IDS=«yourDefaultNetworkID(s)» \

  -v /var/lib/zerotier-one:/var/lib/zerotier-one zyclonite/zerotier:router

```

Note:

* Environment variables that can contain multiple values should be enclosed in quotes with the components separated by spaces. Example:

	``` console

	--env ZEROTIER_ONE_LOCAL_PHYS="eth0 wlan0"

	``` 

### Compose file example

``` yaml

version: '3'

services:

  zerotier:

    image: "zyclonite/zerotier:router"

    container_name: zerotier-one

    devices:

      - /dev/net/tun

    network_mode: host

    volumes:

      - '/var/lib/zerotier-one:/var/lib/zerotier-one'

    cap_add:

      - NET_ADMIN

      - SYS_ADMIN

      - NET_RAW

    restart: unless-stopped

    environment:

      - TZ=Etc/UTC

      - PUID=999

      - PGID=994

      - ZEROTIER_ONE_LOCAL_PHYS=eth0

      - ZEROTIER_ONE_USE_IPTABLES_NFT=false

      - ZEROTIER_ONE_GATEWAY_MODE=inbound

    # - ZEROTIER_ONE_NETWORK_IDS=«yourDefaultNetworkID(s)»

```

Note:

* The right hand sides of environment variables should *never* be enclosed in quotes.   If you need to pass multiple values, separate them with spaces. Example:

	``` yaml

	environment:

	- ZEROTIER_ONE_LOCAL_PHYS=eth0 wlan0

	``` 

### Environment variables

* `TZ` – timezone support. Example:

	``` yaml

	environment:

	- TZ=Australia/Sydney

	```

	Defaults to `Etc/UTC` if omitted.

* `PUID` + `PGID` – user and group IDs for ownership of persistent store. Example:

	``` yaml

	environment:

	- PUID=1000

	- PGID=1000

	```

	

	If omitted, `PUID` defaults to user ID 999, while `PGID` defaults to group ID 994.

	

	These variables are only used to ensure consistent ownership of persistent storage on each launch. They do not affect how the container *runs.* Absent a `user:` directive, the container runs as root and does not downgrade its privileges.

* `ZEROTIER_ONE_LOCAL_PHYS` - a space-separated list of physical interfaces that should be configured to participate in NAT-based routing. Examples:

	- Use only the physical Ethernet interface (this is also the default of the variable is omitted):

		``` yaml

		environment:

		- ZEROTIER_ONE_LOCAL_PHYS=eth0

		```

	- If your computer only has WiFi active (eg Raspberry Pi Zero W2):

		``` yaml

		environment:

		- ZEROTIER_ONE_LOCAL_PHYS=wlan0

		```

	

	- If your computer has both Ethernet and WiFi interfaces active and you wish to be able to route through each interface:

	

		``` yaml

		environment:

		- ZEROTIER_ONE_LOCAL_PHYS=eth0 wlan0

		```

		

		This scheme could be appropriate where the physical interfaces were:

		

		1. In the same broadcast domain (subnet). Disconnecting Ethernet would fail-over to WiFi.

		2. In different broadcast domains, such as if you allocated different subnets for Ethernet and WiFi.

* `ZEROTIER_ONE_USE_IPTABLES_NFT` - controls the command the container uses to set up NAT forwarding. Example:

	``` yaml

	environment:

	- ZEROTIER_ONE_USE_IPTABLES_NFT=true

	```

	

	- `false` means the container uses `iptables`. This is the default.

	- `true` means the container uses `iptables-nft`.

	Try `true` if NAT does not seem to be working. This is needed on Raspberry Pi Bullseye.

	

* `ZEROTIER_ONE_GATEWAY_MODE` - controls the traffic direction. Examples:

	- Only permit traffic *from* the ZeroTier cloud *to* the local physical interfaces:

		``` yaml

		environment:

		- ZEROTIER_ONE_GATEWAY_MODE=inbound

		```

		

	- Only permit traffic *from* the local physical interfaces *to* the ZeroTier cloud:

		``` yaml

		environment:

		- ZEROTIER_ONE_GATEWAY_MODE=outbound

		```

	- Permit bi-directional traffic between the local physical interfaces and the ZeroTier cloud:

		``` yaml

		environment:

		- ZEROTIER_ONE_GATEWAY_MODE=both

		```

	Defaults to `inbound` if omitted. Note that you will probably need one or more static routes configured in your local LAN router so that traffic originating in a local host which is not running the ZeroTier client can be directed to the gateway host.

	

* `ZEROTIER_ONE_NETWORK_IDS` – a space-separated list of ZeroTier network IDs.

	This variable is *only* effective on first launch. There is no default if it is omitted. Examples:

	

	- to join a single network:

		``` yaml

		environment:

		- ZEROTIER_ONE_NETWORK_IDS=aaaaaaaaaaaaaaaa

		```

		

		Equivalent of running the following command after the container first starts:

		```

		$ docker exec zerotier zerotier-cli join aaaaaaaaaaaaaaaa

		```

	- to join a multiple networks:

		``` yaml

		environment:

		- ZEROTIER_ONE_NETWORK_IDS=aaaaaaaaaaaaaaaa bbbbbbbbbbbbbbbb

		```

		Equivalent of running the following commands after the container first starts:

		```

		$ docker exec zerotier zerotier-cli join aaaaaaaaaaaaaaaa

		$ docker exec zerotier zerotier-cli join bbbbbbbbbbbbbbbb

		```

	It does not matter whether you use this environment variable or the `join` command, you still need to use ZeroTier Central to approve the computer for each network it joins.

### Managed route(s)

For each ZeroTier container that is configured as a router, ZeroTier needs at least one *Managed Route*.

The [ZeroTier Wiki](https://zerotier.atlassian.net/wiki/spaces/SD/pages/224395274/Route+between+ZeroTier+and+Physical+Networks#Configure-the-ZeroTier-managed-route) explains how to design managed routes.

You configure Managed Routes in ZeroTier Central.