zerotier-one - Man Page

ZeroTier virtual network endpoint service


zerotier-one [-switches] [working directory]


zerotier-one is the service/daemon responsible for connecting a Unix (Linux/BSD/OSX) system to one or more ZeroTier virtual networks and presenting those networks to the system as virtual network ports. You can think of it as a peer to peer VPN client.

It's typically run by init systems like systemd (Linux) or launchd (Mac) rather than directly by the user, and it must be run as root unless you give it the -U switch and don't plan on actually joining networks (e.g. to run a network controller microservice only).

The zerotier-one service keeps its state and other files in a working directory. If this directory is not specified at launch it defaults to "/var/lib/zerotier-one" on Linux, "/Library/Application Support/ZeroTier/One" on Mac, and "/var/db/zerotier-one" on FreeBSD and other similar BSDs. The working directory should persist. It shouldn't be automatically cleaned by system cleanup daemons or stored in a volatile location. Loss of its identity.secret file results in loss of this system's unique 10-digit ZeroTier address and key.

Multiple instances of zerotier-one can be run on the same system as long as they are run with different primary ports (see switches) and a different working directory. But since a single service can join any number of networks, typically there's no point in doing this.

The zerotier-one service is controlled via a JSON API available at<primary port> with the default primary port being 9993. Access to this API requires an authorization token normally found in the authtoken.secret file in the service's working directory. On some platforms access may be guarded by other measures such as socket peer UID/GID lookup if additional security options are enabled (this is not the default).

The first time the service is started in a fresh working directory, it generates a ZeroTier identity. On slow systems this process can take ten seconds or more due to an anti-DDOS/anti-counterfeit proof of work function used by ZeroTier in address generation. This only happens once, and once generated the result is saved in identity.secret in the working directory. This file represents and defines/claims your ZeroTier address and associated ECC-256 key pair.



Run as daemon with OS default working directory and default port:

$ sudo zerotier-one -d

Run as daemon with a different working directory and port:

$ sudo zerotier-one -d -p12345 /tmp/zerotier-working-directory-test


These are found in the service's working directory.

See Also

zerotier-cli(1), zerotier-idtool(1)

Referenced By

zerotier-cli(1), zerotier-idtool(1).

December 2016