- docker-compose.yml.example: drop privileged; add cap_add (NET_ADMIN, NET_RAW) and sysctls; quote env vars
- entrypoint.sh: add strict mode + traps; wait for service; idempotent iptables; graceful shutdown
- README.md: update to multi-arch + non-privileged run guidance; fix examples
- .gitignore: ignore sbom.spdx.json and results.sarif
- .github/dependabot.yml: monitor Dockerfiles weekly

No functional changes intended; improves security, robustness, and maintainability.
ZeroTierBridge
A container to provide out-of-the-box bridging functionality to a ZeroTier network.
Running
Prerequisites
- Docker running as your logged-in user (if 'docker ps' runs then you're good; if not, follow the Linux instructions here)
ZeroTier UI Changes
Once running, log into your ZeroTier interface and approve the new device. Click the wrench next to the name and select 'Allow Ethernet Bridging.'
You also need to add a static route in ZeroTier so that traffic for the bridged LAN is routed correctly. Make this route a bit larger than the subnet you would normally specify (a shorter prefix), because route selection uses longest prefix matching.
Docker Compose
Edit the ZT_NETWORKS variable in docker-compose.yml to add your networks. Multi-arch images are published automatically; no architecture changes are needed.
Easiest way to bring up is via Docker Compose. Rename docker-compose.yml.example to docker-compose.yml and run docker compose up -d.
If you want to disable bridging, set ZT_BRIDGE=false. This can be done after the initial networks have been joined (just change the environment variable in the docker-compose.yml file and restart), as the ZeroTier config persists but IPTables forwarding is done on each container startup.
OG Docker
docker build -t zerotierbridge .
docker run --cap-add NET_ADMIN --cap-add NET_RAW --sysctl net.ipv4.ip_forward=1 -e ZT_NETWORKS="NETWORK_1 NETWORK_2" -e ZT_BRIDGE=true zerotierbridge:latest
Add your network ID(s) into the ZT_NETWORKS argument, space separated.
Disable bridging by passing ZT_BRIDGE=false. This can be done after the initial networks have been joined (just restart the container), as the ZeroTier config persists but IPTables forwarding is done on each container startup.
Persistent Storage
If you would like the container to retain the same ZeroTier client ID across reboots, attach a volume as shown below (each environment variable needs its own -e flag, and the capabilities and sysctl replace the old --privileged flag):
docker run --cap-add NET_ADMIN --cap-add NET_RAW --sysctl net.ipv4.ip_forward=1 -e ZT_NETWORKS=NETWORK_ID_HERE -e ZT_BRIDGE=true -v zt_config:/var/lib/zerotier-one/ zerotierbridge:latest
Notes
If your host requires additional privileges for networking, you may need to add device and capabilities in your runtime configuration. The provided Docker Compose example includes cap_add: [NET_ADMIN, NET_RAW] and sysctls for IP forwarding.
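As an added example (not the project's own docker-compose.yml.example), here is a Compose file that follows the non-privileged guidance above, with the over-broad privileged setting left commented out beside its least-privilege replacement; the service name, the volume name and the /dev/net/tun device mapping are assumptions.

```yaml
# Added example, not the project's own docker-compose.yml.example.
# Service name, volume name and the device mapping are assumptions.
services:
  zerotierbridge:
    image: zerotierbridge:latest          # or build: . for a local build
    restart: unless-stopped
    # Weak setting: grants every capability and all host devices to the container.
    # privileged: true
    # Least-privilege replacement: only what ZeroTier and the forwarding rules need.
    cap_add:
      - NET_ADMIN   # create the ZeroTier interface and manage iptables rules
      - NET_RAW     # raw sockets
    sysctls:
      net.ipv4.ip_forward: 1              # forwarding inside the container's network namespace
    devices:
      - /dev/net/tun:/dev/net/tun         # assumption: TUN/TAP device needed without --privileged
    environment:
      ZT_NETWORKS: "NETWORK_1 NETWORK_2"  # placeholders: space-separated ZeroTier network IDs
      ZT_BRIDGE: "true"                   # "false" skips the iptables forwarding rules at startup
    volumes:
      - zt_config:/var/lib/zerotier-one/  # keeps the ZeroTier client identity across restarts

volumes:
  zt_config:
```

Bring it up with docker compose up -d; because the forwarding rules are applied on every start, flipping ZT_BRIDGE and restarting is enough to enable or disable bridging.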

