Enterprise Deployment Guide

This guide covers planning, deployment, and management best practices for ZeroTier in enterprise environments.

Initial Considerations

Network Architecture

Split Tunnel by Default

ZeroTier operates as a split tunnel by default, meaning only traffic destined for ZeroTier-managed networks routes through the virtual interface. All other traffic uses the device's normal network path. This is controlled by the allowDefault setting.

Full Tunnel and Exit Node Configurations

ZeroTier can be configured as a full tunnel VPN or exit node by:

  • Setting allowDefault=1 in the network's local configuration to allow default route override
  • Configuring appropriate routes on the network controller
  • See the Exit Node guide for detailed setup instructions

Firewall and NAT Considerations

Port Requirements

ZeroTier requires outbound UDP access on port 9993 to reach root servers. For optimal performance:

  • Allow outbound UDP to any IP address on any port (enables peer-to-peer connections)
  • At minimum: allow outbound source port 9993 and related return traffic
  • See Root Server IP Whitelist for current root server addresses

Enterprise Firewall Considerations

If your security policy doesn't permit unrestricted outbound UDP, consider deploying a border/gateway node with more permissive firewall rules (or hosting a TCP relay in a DMZ) that other nodes can connect through, rather than relaxing firewall policies across your entire deployment.

NAT Behavior and Relaying

ZeroTier uses UDP hole punching to establish direct peer-to-peer connections. Connection success depends on NAT type:

  • Easy NAT (Full Cone, Endpoint Independent Mapping): Direct connections work reliably
  • Hard NAT (Symmetric, Strict, Endpoint Dependent Mapping): Direct connections difficult or impossible
  • Behind CG-NAT or Restrictive Firewalls: Connections will be forced through relay servers

Relayed connections work but have higher latency and limited throughput. For critical deployments behind restrictive NATs, consider hosting a TCP relay in a nearby datacenter or DMZ.

See Corporate Firewalls for vendor-specific NAT configuration guidance.

Understanding ZeroTier Files and Directories

Before deploying, it's important to understand ZeroTier's file structure and the purpose of each component.

Working Directory Locations

All ZeroTier configuration and state files are stored in the working directory:

  • Windows: C:\ProgramData\ZeroTier\One
  • macOS: /Library/Application Support/ZeroTier/One
  • Linux: /var/lib/zerotier-one
  • FreeBSD/OpenBSD: /var/db/zerotier-one

Network-specific files are stored in the networks.d subdirectory within the working directory.

Filesystem Permissions

By default, the ZeroTier working directory is restricted to root/administrator users. On Linux and Unix systems, you'll need sudo privileges to access or modify files in /var/lib/zerotier-one. On Windows, administrative privileges are required to access C:\ProgramData\ZeroTier\One.

Identity Files

identity.secret and identity.public

These files contain the node's cryptographic identity (10-digit ZeroTier address). The secret key is used for all network authentication and encryption.

Critical Guidelines:

  • Never duplicate identity files across multiple devices
  • Never modify these files manually
  • Running two devices with the same identity causes undefined behavior and connection failures
  • Only copy identity files when deliberately migrating a node to new hardware
  • Treat identity.secret as highly sensitive - compromise allows node impersonation
  • These files are automatically generated on first run if not present

Configuration Files

local.conf - Node-wide Settings

Optional JSON configuration file for system-wide ZeroTier settings. Useful for enterprise deployments to standardize configurations.

Common enterprise use cases:

{
  "settings": {
    "primaryPort": 9993,
    "secondaryPort": 19993,
    "portMappingEnabled": false,
    "allowManagementFrom": ["10.0.0.0/8"]
  },
  "physical": {
    "10.0.0.0/24": {
      "blacklist": true
    }
  }
}

See Client Configuration for complete local.conf reference.

<network-id>.local.conf - Network-Specific Settings

Text file containing per-network configuration settings:

allowManaged=1
allowGlobal=0
allowDefault=0
allowDNS=0

Settings:

  • allowManaged (default: 1): Allow ZeroTier to manage IP addresses and routes for private ranges
  • allowGlobal (default: 0): Allow ZeroTier to set public IP ranges and routes
  • allowDefault (default: 0): Allow ZeroTier to override the default route (full tunnel mode)
  • allowDNS (default: 0): Allow ZeroTier to configure DNS servers

These settings can be modified via the UI, CLI, or by editing the file directly (requires service restart).

<network-id>.conf - Network Membership (Auto-Join)

This is the most important file for automated enterprise deployments. The <network-id>.conf file is a binary file managed by ZeroTier that represents network membership.

Key Deployment Feature: Creating an empty file named <network-id>.conf in the networks.d directory causes ZeroTier to automatically join that network when the service starts. This is the primary method for scripted and automated deployments.

The file must be placed in:

  • Windows: C:\ProgramData\ZeroTier\One\networks.d\<network-id>.conf
  • macOS: /Library/Application Support/ZeroTier/One/networks.d/<network-id>.conf
  • Linux: /var/lib/zerotier-one/networks.d/<network-id>.conf
  • FreeBSD/OpenBSD: /var/db/zerotier-one/networks.d/<network-id>.conf

Auto-Join on Startup

You can create this file before installing ZeroTier, or after installation. If the ZeroTier service is already running, simply restart it to recognize the new network configuration file. ZeroTier will automatically join the network on service start and begin requesting authorization from the network controller.

Authentication Token

authtoken.secret

The authentication token is required to control the ZeroTier service via CLI or API. Located in the working directory, it's automatically copied to the user's local directory during installation:

  • Windows: C:\Users\<User>\AppData\Local\ZeroTier
  • macOS: ~/Library/Application Support/ZeroTier

Users without access to this token cannot join/leave networks or modify settings. For security-sensitive deployments, restrict access to this file.

Deployment Methods

Standard Installation

Install ZeroTier using official installers before deploying configuration:

  • Windows: MSI installer from zerotier.com/download
  • macOS: PKG installer from zerotier.com/download
  • Linux: Install script (curl -s https://install.zerotier.com | bash) or package managers (apt, yum, snap, etc.)

Automated Deployment with Auto-Join

The recommended approach for enterprise deployments is to pre-create the <network-id>.conf file for automatic network joining.

Example Scripts Only

The following examples demonstrate basic deployment patterns. Real-world implementations will vary based on your specific security requirements, deployment environment, and operational needs. Always review and test scripts in a non-production environment before deployment.

Linux Example:

#!/bin/bash
set -e
# Replace with your actual 16-character network ID from ZeroTier Central
NETWORK_ID="1c33c1ced02a5eee"

# Install ZeroTier
curl -s https://install.zerotier.com | bash

# Create auto-join file (networks.d is normally created by the service on its
# first start; mkdir -p keeps this step safe if it does not exist yet)
mkdir -p /var/lib/zerotier-one/networks.d
touch /var/lib/zerotier-one/networks.d/${NETWORK_ID}.conf

# Optionally configure network-specific settings
cat > /var/lib/zerotier-one/networks.d/${NETWORK_ID}.local.conf <<EOF
allowManaged=1
allowGlobal=0
allowDefault=0
allowDNS=1
EOF

# Restart service to apply changes
systemctl restart zerotier-one

# Note: Device will appear in ZeroTier Central and require authorization
# unless the network is set to public (auto-authorize)

Windows PowerShell Example:

# Replace with your actual 16-character network ID from ZeroTier Central
$NetworkID = "1c33c1ced02a5eee"
$ZTPath = "C:\ProgramData\ZeroTier\One"
$NetworksDir = Join-Path $ZTPath "networks.d"

# Install ZeroTier (assuming MSI already deployed)
# Download from: https://www.zerotier.com/download

# Create networks.d directory if it doesn't exist
New-Item -ItemType Directory -Force -Path $NetworksDir | Out-Null

# Create auto-join file
New-Item -ItemType File -Force -Path (Join-Path $NetworksDir "$NetworkID.conf") | Out-Null

# Restart service to join network
Restart-Service -Name ZeroTierOneService

# Note: Creating the virtual adapter can take up to 30 seconds on Windows
# Device will appear in ZeroTier Central and require authorization
Start-Sleep -Seconds 5
Write-Host "Check network status with: & 'C:\Program Files (x86)\ZeroTier\One\zerotier-one_x64.exe' -q listnetworks"

macOS Example:

#!/bin/bash
set -e
# Replace with your actual 16-character network ID from ZeroTier Central
NETWORK_ID="1c33c1ced02a5eee"
ZT_PATH="/Library/Application Support/ZeroTier/One"

# Install ZeroTier (assuming PKG already installed)
# Download from: https://www.zerotier.com/download

# Create auto-join file (mkdir -p in case the service has not created networks.d yet)
mkdir -p "$ZT_PATH/networks.d"
touch "$ZT_PATH/networks.d/${NETWORK_ID}.conf"

# Restart service to join network
launchctl unload /Library/LaunchDaemons/com.zerotier.one.plist
launchctl load /Library/LaunchDaemons/com.zerotier.one.plist

# Note: Device will appear in ZeroTier Central and require authorization
# unless the network is set to public (auto-authorize)
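Complementing the three platform scripts above, the following is an added Python example (not ZeroTier project code) that stages the auto-join file across the working directories listed earlier, validates the network ID, and strips per-node secrets before a golden image is captured so that clones never share an identity. It assumes the service regenerates authtoken.secret on start the way the guide says it regenerates the identity files.

```python
"""Added example, not ZeroTier project code: stage auto-join files and strip
per-node secrets before a golden image is captured."""
import re
from pathlib import Path

# Working directories as listed in the guide, keyed by platform name.
WORKING_DIRS = {
    "windows": Path(r"C:\ProgramData\ZeroTier\One"),
    "macos": Path("/Library/Application Support/ZeroTier/One"),
    "linux": Path("/var/lib/zerotier-one"),
    "freebsd": Path("/var/db/zerotier-one"),
    "openbsd": Path("/var/db/zerotier-one"),
}
NETWORK_ID_RE = re.compile(r"^[0-9a-fA-F]{16}$")  # e.g. 1c33c1ced02a5eee
# Files that belong to exactly one node; never ship them inside an image.
PER_NODE_FILES = ("identity.secret", "identity.public", "authtoken.secret")

def working_dir(platform: str) -> Path:
    return WORKING_DIRS[platform.lower()]

def stage_auto_join(zt_home: Path, network_id: str, allow_dns: bool = False) -> Path:
    """Create the empty <network-id>.conf that triggers auto-join on service start
    plus a conservative <network-id>.local.conf; reject malformed network IDs."""
    if not NETWORK_ID_RE.match(network_id):
        raise ValueError(f"not a 16-hex-digit ZeroTier network ID: {network_id!r}")
    net_dir = zt_home / "networks.d"
    net_dir.mkdir(parents=True, exist_ok=True)
    conf = net_dir / f"{network_id.lower()}.conf"
    conf.touch()  # empty is enough; the service fills in membership state later
    (net_dir / f"{network_id.lower()}.local.conf").write_text(
        f"allowManaged=1\nallowGlobal=0\nallowDefault=0\nallowDNS={int(allow_dns)}\n"
    )
    return conf

def prepare_for_imaging(zt_home: Path) -> list[str]:
    """Delete identity and auth token so each clone generates its own on first run
    (the guide states this for identity files; assumed for authtoken.secret).
    networks.d stays so clones still auto-join. Returns the names removed."""
    removed = []
    for name in PER_NODE_FILES:
        if (zt_home / name).exists():
            (zt_home / name).unlink()
            removed.append(name)
    return removed

def duplicated_identity(homes: list[Path]) -> bool:
    """True if two working directories share an identity.secret, i.e. an image was
    cloned without prepare_for_imaging (the guide's never-duplicate rule)."""
    secrets = [(h / "identity.secret").read_bytes() for h in homes if (h / "identity.secret").exists()]
    return len(secrets) != len(set(secrets))
```

Run stage_auto_join against working_dir("linux") on the build host, then prepare_for_imaging immediately before the image snapshot; duplicated_identity is a fleet-side check over mounted or collected working directories.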

Cloud Environments

Use cloud-init for automated deployment in cloud environments. This allows pre-configuration of networks, identities, and settings at instance launch.

Enterprise Management Platforms

For larger deployments, consider using dedicated management platforms.

Enterprise Management and Operations

Security Best Practices

Network Authorization

Keep networks private (authorization required) and monitor member activity:

  • Enable network authorization on your controller (private networks by default)
  • Use SSO integration for user authentication where applicable
  • Review authorized members regularly in ZeroTier Central - verify device identity by checking the ZeroTier address matches expected devices
  • Configure webhooks for automated monitoring of member join/authorization events (webhooks are API-accessible and can trigger automated workflows)

Device Verification

When authorizing devices, you can view the device's physical MAC address in ZeroTier Central to help identify devices. While MAC addresses can be spoofed, they provide a basic verification layer. The ZeroTier address (10-digit ID) itself is cryptographically secure and cannot be spoofed without access to the device's identity.secret file.

Batch Authorization Workflows

When deploying ZeroTier to multiple devices, you'll need to authorize them on your network:

  • Manual batch authorization: In ZeroTier Central, select multiple unauthorized members using checkboxes and click "Authorize Selected"
  • API-based automation: Use the Central API to programmatically authorize members as they join (see API Examples for batch authorization scripts)
  • Webhook-triggered workflows: Configure webhooks to trigger authorization workflows in your infrastructure management tools

Microsegmentation

Implement flow rules for granular traffic control and microsegmentation within networks:

  • Restrict traffic between network segments using flow rules
  • Implement least-privilege access policies
  • Use excluded devices in flow rules for administrator access

Monitoring and Observability

Monitor ZeroTier health and connectivity:

  • Use zerotier-cli peers to check peer connection status (direct vs. relayed)
  • Configure webhooks for real-time notifications of member authorizations, deauthorizations, and configuration changes
  • Monitor relay usage - high relay counts indicate NAT traversal issues
  • Query the local API for detailed metrics (see Metrics and Monitoring)

DNS Management

For large deployments, consider DNS management integration to:

  • Automatically register ZeroTier members in internal DNS
  • Enable hostname-based communication
  • Simplify service discovery

Multi-Path and Bonding

Multi-path allows simultaneous aggregation of multiple physical network links into a bond for increased throughput, redundancy, and automatic failover. Common enterprise use cases include:

  • High-availability deployments - Automatic failover between fiber and LTE backup links
  • Multi-WAN load balancing - Distribute traffic across multiple internet connections
  • Remote locations - Combine diverse connection types for resilience
  • Bandwidth aggregation - Increase total throughput by bonding multiple links

ZeroTier supports several bonding policies including active-backup (failover), balance-xor (flow-based hashing), and balance-aware (intelligent auto-balancing based on link quality and capacity).

See the Multi-Path documentation for complete configuration options and examples.

Low Bandwidth Mode

For deployments over expensive or bandwidth-constrained links (satellite, metered cellular, IoT devices), enable Low Bandwidth Mode to significantly reduce ambient protocol traffic.

{
  "settings": {
    "lowBandwidthMode": true
  }
}

This mode reduces the frequency of protocol messages including HELLOs to peers and root servers, network config requests, and path advertisements. The trade-off is slower detection of network topology changes. Ideal for satellite connections, metered data plans, and edge computing in remote locations.

See the Low Bandwidth Mode documentation for details on the specific reductions.

Central API Integration

Automate network management using the ZeroTier Central API:

  • Programmatically authorize members
  • Deploy networks via infrastructure-as-code
  • Integrate with existing provisioning systems
  • See API examples and Terraform integration
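Serving both the Batch Authorization Workflows section and the Central API integration described here, this is an added Python example (not ZeroTier's own code) that authorizes pending members only when their ZeroTier address is on an expected-device list, as the Network Authorization section recommends, and flags every other pending member for human review. It assumes the Central endpoints GET /network/{id}/member and POST /network/{id}/member/{nodeId} with an `Authorization: token` header; SAMPLE_MEMBERS and EXPECTED_DEVICES are constructed values.

```python
"""Added example, not ZeroTier's own code: authorize pending Central members only
when their ZeroTier address is on an inventory allowlist; everything else is flagged."""
import json
import urllib.request

API_BASE = "https://api.zerotier.com/api/v1"  # ZeroTier Central API

def _request(token: str, method: str, path: str, body: dict = None):
    """Central API call. `token` is a Central API token, not a node's authtoken.secret."""
    data = json.dumps(body).encode() if body is not None else None
    req = urllib.request.Request(
        API_BASE + path, data=data, method=method,
        headers={"Authorization": f"token {token}", "Content-Type": "application/json"},
    )
    with urllib.request.urlopen(req, timeout=30) as resp:
        return json.load(resp)

def list_members(token: str, network_id: str) -> list:
    return _request(token, "GET", f"/network/{network_id}/member")

def authorize_member(token: str, network_id: str, node_id: str) -> dict:
    return _request(token, "POST", f"/network/{network_id}/member/{node_id}",
                    {"config": {"authorized": True}})

def select_pending(members: list, expected: set) -> tuple:
    """Split unauthorized members into (approve, review): approve only addresses in the
    expected-device set; unknown addresses are never authorized automatically."""
    expected = {e.lower() for e in expected}
    approve, review = [], []
    for m in members:
        if m.get("config", {}).get("authorized"):
            continue  # already authorized; nothing to decide
        node = m["nodeId"].lower()
        (approve if node in expected else review).append(node)
    return approve, review

def batch_authorize(token: str, network_id: str, expected: set) -> dict:
    """One pass: authorize known pending devices, report the rest for review."""
    approve, review = select_pending(list_members(token, network_id), expected)
    for node in approve:
        authorize_member(token, network_id, node)
    return {"authorized": approve, "needs_review": review}

# Constructed sample of the member list (only the fields used above are shown).
SAMPLE_MEMBERS = [
    {"nodeId": "1122334455", "config": {"authorized": False}},
    {"nodeId": "aabbccddee", "config": {"authorized": False}},
    {"nodeId": "0123456789", "config": {"authorized": True}},
]
EXPECTED_DEVICES = {"1122334455"}  # constructed inventory of expected addresses
```

Feed EXPECTED_DEVICES from the inventory system that issued the devices, not from Central itself; the webhook-triggered workflow mentioned above can call batch_authorize on each member-join event.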