Installing Ziti-Edge-Tunnel on MikroTik Router - Docker



This guide covers installing the NetFoundry OpenZiti Ziti-Edge-Tunnel software on a MikroTik router. The functionality has been validated on a physical router (hAP ac^2). The guide was developed with MikroTik RouterOS 7.9.1 as of July 2023.


NOTE: The container functionality is not a default feature; it must be downloaded and installed before beginning the following steps. You can find it in the extra packages download link.




Container is MikroTik's own implementation of Docker(TM), allowing users to run containerized environments within RouterOS. The container feature was initially added in RouterOS v7.1rc4 for beta testing.  It has now been released to the general code base with specific supported conditions. Please contact MikroTik support for information regarding support and security notices.


Enabling the container

Please note, the following steps demonstrate how to enable the container feature on MikroTik. At the time of publication, these steps were working correctly. Please refer to the MikroTik documentation if these steps do not yield the correct result.

Copy container-7.9.1-arm.npk (from extra packages) to the router. 

Open a terminal window to the router and issue the following command:

/system/device-mode/update container=yes

The system will prompt you to restart the router or press the reset button. Please do so; once the system restarts, the container functionality is enabled.


Turn on logging to echo for the container package: go to System > Logging and add a rule with topic container and action echo.



In this article, we will demonstrate how to create a container using a Docker Hub image. Alternatively, you can create your own image.


You will need to create and download an endpoint identity file from the NetFoundry console. Download this file to a location from which you can scp it via the CLI or upload it via the WinBox UI. Instructions for creating the endpoint identity are found here:


Step 1. 

Format an empty USB stick with ext4 and put it into the USB port of the MikroTik router. (usb1-part1)

You should have something like this from your Disk List.



Step 2.

Create an identity for the MikroTik router in the console and save the JWT file for use in a later step.


Step 3.

Log in to the MikroTik RouterOS CLI (or use WinBox's terminal). Create a virtual interface for the container environment. We chose an available network that does not overlap with any internal networks.

/interface/veth/add name=veth1 address= gateway=


Step 4.

Create a Bridge for the Containers and add veth1 to the bridge.

/interface/bridge/add name=docker
/ip/address/add address= interface=docker
/interface/bridge/port/add bridge=docker interface=veth1


Step 5.

Add a firewall NAT rule from the web interface. From the IP menu, select Firewall and then the NAT tab. Add a srcnat rule for your docker network and select bridge1 as the out interface. On the Action tab, select masquerade.

/ip/firewall/nat/add src-address= out-interface=ether1 action=masquerade chain=srcnat




Step 6.

Create environment variables for your endpoint. The value of NF_REG_NAME is the registration key name, without the ".jwt" extension:

/container/envs/add name=ziti-edge-tunnel key=NF_REG_NAME value=regkey_name

For example:

/container/envs/add name=ziti-edge-tunnel key=NF_REG_NAME value=newmikrotick1i



Step 7. 

Create mountpoints for non-volatile data.

/container/mounts/add name=netfoundry-volume src=/usb1-part1/ziti-edge-tunnel dst=/ziti-edge-tunnel




Step 8.

Set up the container configuration.

/container/config/set ram-high=50M registry-url= tmpdir=usb1-part1/pull



Step 9.

Create container from Tar image.

/container add remote-image=openziti/ziti-edge-tunnel:0.20.14 interface=veth1 root-dir=/usb1-part1/ziti-tunnel envlist=ziti-edge-tunnel mounts=netfoundry-volume hostname=zititunnel1 logging=yes start-on-boot=yes


  • The envlist value (ziti-edge-tunnel) is the name given in Step 6 (/container/envs/add name="envlist_name").
  • The mounts value is the mount point created in Step 7.
  • The ziti-edge-tunnel version (0.20.14) is the latest ARM32 release at the time of publishing. Please check Docker Hub for a newer ziti-edge-tunnel image.


Step 10.

Register the identity. Make sure the container is stopped; if it is not, stop it.

/container print


0 name="6aa18f42-26bf-4f3f-a702-ffbcef5cb692" 
tag="openziti/ziti-edge-tunnel:0.20.14" os="linux" arch="arm"
interface=veth1 envlist="ziti-edge-tunnel" root-dir=/usb1-part1/ziti-tunnel
mounts=netfoundry-volume dns="" hostname="zititunnel1" logging=yes

Copy the JWT file into usb1-part1/ziti-edge-tunnel.

Start the container:

/container/start 0


And.. that is it.
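
A workstation-side pre-flight check for the enrollment JWT before it is copied to the router in Step 10. This is an added example, not part of the original article or NetFoundry's code; it assumes the token is a compact JWT carrying a standard exp claim, and the names preflight and decode_segment are hypothetical.

```python
import base64
import json
import sys
import time
from pathlib import Path


def decode_segment(segment):
    """Decode one base64url JWT segment (padding restored) into a dict."""
    padded = segment + "=" * (-len(segment) % 4)
    value = json.loads(base64.urlsafe_b64decode(padded))
    if not isinstance(value, dict):
        raise ValueError("segment is not a JSON object")
    return value


def preflight(jwt_path, nf_reg_name, now=None):
    """Return a list of problems; an empty list means the token looks usable.

    The signature is not verified here; this only catches naming, format
    and expiry mistakes before the file is copied to the router.
    """
    problems = []
    path = Path(jwt_path)
    # Step 6 sets NF_REG_NAME to the JWT file name without ".jwt".
    if path.name != nf_reg_name + ".jwt":
        problems.append("file name %r does not match NF_REG_NAME %r" % (path.name, nf_reg_name))
    parts = path.read_text().strip().split(".")
    if len(parts) != 3:
        return problems + ["not a compact JWT (expected header.payload.signature)"]
    try:
        header, claims = decode_segment(parts[0]), decode_segment(parts[1])
    except ValueError:  # covers bad base64, bad UTF-8 and bad JSON
        return problems + ["header or payload is not base64url-encoded JSON"]
    if str(header.get("alg", "none")).lower() == "none":
        problems.append("token is unsigned (alg=none)")
    exp = claims.get("exp")  # assumption: standard RFC 7519 expiry claim
    if not isinstance(exp, (int, float)):
        problems.append("no numeric exp claim")
    elif exp <= (time.time() if now is None else now):
        problems.append("token has expired")
    return problems


if __name__ == "__main__":
    # Usage: python3 preflight.py newmikrotick1i.jwt newmikrotick1i
    found = preflight(sys.argv[1], sys.argv[2])
    print("\n".join(found) or "ok")
    sys.exit(1 if found else 0)
```

An empty result only means the file is named and shaped correctly and has not expired; the tunnel still validates the token during enrollment.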




1 comment

  • Hi, can you try it with 7.4beta4? I tried it but I can't make it work. Thanks.

