Run ZeroTier on VyOS router

Jun 21, 2022

Starting with VyOS 1.3.0, Docker containers are supported, so instead of installing ZeroTier (ZT) as an app we will run it as a container. This is not production-ready or officially supported; it is a proof of concept. The steps were tested with VyOS 1.3.1. I assume you already know VyOS, a great open-source router that you can install on many cloud platforms and hardware or run as a virtual machine, and ZeroTier, a VPN that can establish peer-to-peer network connections between your nodes even across symmetric NAT.

VyOS with ZeroTier

Here on GitHub, you'll find the scripts that you will need: VyOS/ZT/README.md

Install VyOS and log in (steps are not included).

The first step: install the docker container

Copy the text from the vyos-docker-install.script file. In the VyOS console execute:

sudo su
#Create a new file in the /config folder and copy-paste this script (Re-run it after each VyOS update)
vi /config/vyos-docker-install.sh
#make it executable
chmod +x /config/vyos-docker-install.sh
#Run the script to install docker on VyOS
/config/vyos-docker-install.sh
#Run docker
systemctl restart docker

Second Step: Select Node or Controller

Now you need to decide whether your VyOS is going to play the role of a ZT Node/Agent or a ZT Controller. In the case of a Node, you can use my.ZeroTier.com or your own hosted controller to store your network configuration.

Or you can run a ZT hosted Controller on VyOS. Most of the time I expect you'll be interested in the Node, not the Controller.

Technically we can run both the Controller and the Node on the same VyOS, but it is not recommended. Accessing your VyOS over the ZT VPN to configure the Controller (especially if that is the only way to connect to your VyOS instance) is a very bad idea: if the Controller stops working and simply needs a restart, the ZT Node connected to it becomes unreachable too, so you lose the only path to the box that could restart it. For that reason, running a Controller and a Node that is connected to that Controller on the same VyOS is not recommended.

Third Step A: Execute Agent Script to run ZT Node

I use agent and node interchangeably; the official name is Node, but sometimes it's clearer to call it an agent because you run it on your computers.
Before we start, we first need to fix the MTU on VyOS. ZeroTier by default uses MTU 2800 and the management network often uses ~1500; adjust-mss clamps the TCP MSS on the interface so TCP sessions that cross this mismatch do not produce segments that must be fragmented. In the command below, replace eth1 with your management network interface (not the ZT interface), the one that traffic from the ZeroTier network will be routed to:

#Run in VyOS console in Configure mode, modify eth1 to your management network interface (not ZT interface)
set firewall options interface eth1 adjust-mss 1460

Now you need to decide whether your ZeroTier agent is going to run as a bare app on VyOS or as a Docker container. This guide runs it as a Docker container; if you want to run it as a bare app on VyOS, here is the guide. To run it as a container, continue with the steps below.

Copy the text from the zt-agent.script file.
To run your ZT Node, in the VyOS console execute:

sudo su
#Create a new file in the /config folder and copy-paste this script (Re-run it after each VyOS update)
sudo vi /config/vyos-docker-zt-agent.sh
#make it executable
sudo chmod +x /config/vyos-docker-zt-agent.sh
#Run the script to install agent container
sudo /config/vyos-docker-zt-agent.sh
#Get info about your Node ID
sudo docker exec zerotier-one zerotier-cli info
#Join your ZT Node with a ZT Network ID (Replace 8056c2e21c000001 with YOUR Network ID)
sudo docker exec zerotier-one zerotier-cli join 8056c2e21c000001
#Check that a new network appeared in VyOS
sudo ifconfig -a
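As an added example (not the author's zt-agent.script, whose contents live only in the GitHub repository), here is a minimal version of what such a script has to do: run the official zerotier/zerotier image with host networking, the NET_ADMIN and SYS_ADMIN capabilities and /dev/net/tun, and keep the node identity under /config so it survives a VyOS update. The image name, the /config/user-data/docker/zt/agent state path and the ZT_APPLY switch are my assumptions, not something the post or the ZeroTier project prescribes.

```shell
#!/bin/sh
# Added example: a minimal "run the ZeroTier node as a container on VyOS" script.
# Not the post's own zt-agent.script. Image, state path and ZT_APPLY are assumptions
# based on the public zerotier/zerotier image documentation.
set -eu

ZT_IMAGE="${ZT_IMAGE:-zerotier/zerotier}"                   # assumed image name
ZT_STATE="${ZT_STATE:-/config/user-data/docker/zt/agent}"   # assumed path; /config survives VyOS updates
ZT_NAME="${ZT_NAME:-zerotier-one}"                          # container name used by the post's zerotier-cli commands

# Print the docker arguments one per line. Host networking, NET_ADMIN/SYS_ADMIN and
# /dev/net/tun are what ZeroTier needs to create its virtual interface on the router
# itself; nothing beyond that is granted. None of the arguments contain whitespace.
zt_agent_docker_args() {
    name="$1"; state="$2"; image="$3"
    printf '%s\n' \
        "run" "-d" "--name=$name" "--restart=unless-stopped" \
        "--net=host" \
        "--device=/dev/net/tun" \
        "--cap-add=NET_ADMIN" "--cap-add=SYS_ADMIN" \
        "-v" "$state:/var/lib/zerotier-one" \
        "$image"
}

# The node identity (identity.secret) lives in the state directory: create it
# root-only, since anyone who copies it can impersonate this node. Prints the path.
zt_state_prepare() {
    dir="$1"
    mkdir -p "$dir"
    chmod 700 "$dir"
    echo "$dir"
}

# Only touch docker when ZT_APPLY=1, so the generated command can be reviewed first.
# The unquoted $(...) is intentional: it splits the one-per-line arguments into "$@".
if [ "${ZT_APPLY:-0}" = "1" ]; then
    zt_state_prepare "$ZT_STATE" >/dev/null
    docker rm -f "$ZT_NAME" 2>/dev/null || true        # re-run after a VyOS update
    set -- $(zt_agent_docker_args "$ZT_NAME" "$ZT_STATE" "$ZT_IMAGE")
    docker "$@"
    docker exec "$ZT_NAME" zerotier-cli info           # shows the node ID, as in the post
else
    set -- $(zt_agent_docker_args "$ZT_NAME" "$ZT_STATE" "$ZT_IMAGE")
    echo "Dry run (set ZT_APPLY=1 to apply). Would execute: docker $*"
fi
```

Run it once without ZT_APPLY to see the exact docker command, then with ZT_APPLY=1 as root; the join step is still the post's `zerotier-cli join` command.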

If the Node container stops working, restart it like this:

sudo /config/user-data/docker/zt/ui/docker-run.sh

Third Step B: Execute Controller Script

Copy the text from the zt-controller.script file.

You will probably need to configure the VyOS firewall to block access to TCP ports 4000 (UI) and 9994 (API) from the internet (steps are not included).
To run the Controller, in the VyOS console execute:

sudo su
#Create a new file in the /config folder and copy-paste this script (Re-run it after each VyOS update)
sudo vi /config/vyos-docker-zt-controller-ui.sh
#make it executable
sudo chmod +x /config/vyos-docker-zt-controller-ui.sh
#Run the script to install Controller and its UI as containers
sudo /config/vyos-docker-zt-controller-ui.sh
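The firewall step the post leaves out, as an added example that is not part of the original: a small shell function that prints VyOS 1.3 configure-mode commands closing TCP 4000 and 9994 on the router's own addresses for a WAN-facing interface, so the UI and API stay reachable only through the SSH tunnel described further down. The chain name WAN-LOCAL and the interface name eth0 are assumptions; adjust them to your setup.

```shell
#!/bin/sh
# Added example (not from the original post): generate VyOS 1.3 "configure" commands
# that drop inbound TCP 4000 (ZeroTier UI) and 9994 (controller API) on the router's
# local addresses for one WAN-facing interface. Chain name and interface are assumed.
set -eu

# $1: WAN-facing interface (eth0 assumed), $2: comma-separated TCP ports to close.
# default-action accept keeps SSH and the ZeroTier node reachable; only the two
# management ports are dropped, and matches are logged so probes show up in the log.
vyos_close_local_ports() {
    wan_if="$1"; ports="${2:-4000,9994}"
    cat <<EOF
set firewall name WAN-LOCAL default-action accept
set firewall name WAN-LOCAL rule 10 action drop
set firewall name WAN-LOCAL rule 10 protocol tcp
set firewall name WAN-LOCAL rule 10 destination port $ports
set firewall name WAN-LOCAL rule 10 log enable
set interfaces ethernet $wan_if firewall local name WAN-LOCAL
EOF
}

# Print the commands for the interface given on the command line (default eth0);
# paste them into "configure", then run "commit" and "save".
vyos_close_local_ports "${1:-eth0}"
```

The "local" hook filters traffic addressed to the router itself, which is where the UI and API containers listen; traffic forwarded through the router is unaffected.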

Once your Controller and UI are running, you can log in to the UI with the default username and password:

admin
zero-ui
http://127.0.0.1:4000

I typically reach it through an SSH tunnel. In PuTTY it would look like this (don't forget to press Add and save your session config).

Or use the command line instead of PuTTY (a local forward, -L, so that port 9997 on your computer is tunnelled to port 4000 on the router):

ssh -L 9997:127.0.0.1:4000 -N -f vyos@my.router

Now you can open the Web UI on your local computer at http://127.0.0.1:9997

Since the traffic does not go through the Controller but peer-to-peer between the nodes, feel free to restart the Controller or the UI whenever needed; it does not affect your VPN traffic. Restart them with:

sudo /config/user-data/docker/zt/controller/docker-run.sh
sudo /config/user-data/docker/zt/ui/docker-run.sh

After each VyOS update, you must re-run these scripts

Since VyOS does not have this functionality built in, you will need to reinstall the Docker app after each VyOS update and then reinstall the ZT Node or Controller using the already stored scripts. The configuration data and the installation scripts are preserved in the /config VyOS folder. Just run two scripts:

#Run this one first, as root
sudo /config/vyos-docker-install.sh

Node/Agent:

Fix the MTU on VyOS. ZeroTier by default uses MTU 2800 and the management network often uses ~1500. In the command below, replace eth1 with your management network interface (not the ZT interface):

#Run in VyOS console in Configure mode, modify eth1 to your management network interface (not ZT interface)
set firewall options interface eth1 adjust-mss 1460

Run the script

#Select one: Node or Controller as root:
sudo /config/vyos-docker-zt-agent.sh

OR the Controller

#Select one: Node or Controller as root:
sudo /config/vyos-docker-zt-controller-ui.sh
