How to Deploy a Connector with Docker Compose

Use Docker Compose to deploy your Connectors.

The Twingate Connector can easily be deployed using Docker Compose. There are a few optional parameters you can change and prerequisites to meet that are covered in this guide.

Peer-to-peer connections help you to provide a better experience for your users and to stay within the Fair Use Policy for bandwidth consumption. Learn how to support peer-to-peer connections.

Prerequisites

You will need to specify an Access Token and a Refresh Token for the Connector in your Docker Compose instructions. You can generate both tokens by following the instructions on how to deploy a Connector.
You will need your Twingate tenant name (the <name> in the URL to your instance of the Admin Console: https://<name>.twingate.com)

Docker Compose with mandatory parameters

You can use the following template and replace the <TENANT NAME>, <ACCESS TOKEN> and <REFRESH TOKEN> with your own:

services:
  twingate-connector:
    image: twingate/connector:latest
    environment:
      - TWINGATE_NETWORK=<TENANT NAME>
      - TWINGATE_ACCESS_TOKEN=<ACCESS TOKEN>
      - TWINGATE_REFRESH_TOKEN=<REFRESH TOKEN>

Docker Compose with optional parameters

On top of the required parameters (see above), we recommend adding a few more parameters to your Docker Compose instructions. They are not mandatory but can help to provide a better experience:

<container_name>: you can set this to the name of the Connector as it appears in your Admin Console
<restart>: this will ensure the container will restart if it crashes
<TWINGATE_LOG_LEVEL>: this will configure the Connector to generate detailed logs which is useful for troubleshooting. You can change the parameter value at your discretion (see Twingate Connector logs for more information).
<TWINGATE_LOG_ANALYTICS>: this will allow Connector Analytics logs (Network Events) to appear in the container logs
<net.ipv4.ping_group_range>: system setting for the base image that allows the proper handling of ICMP / ping in case you intend to use ping for connectivity testing to Twingate Resources
<network_mode>: is implicitly set to bridge but can be set to host instead (host mode allows the container to connect to its host machine’s network stack and can be used to enable local peer-to-peer connections)

services:
  twingate_connector:
    container_name: <CONNECTOR NAME>
    restart: always
    image: "twingate/connector:latest"
    environment:
      - TWINGATE_NETWORK=<TENANT NAME>
      - TWINGATE_ACCESS_TOKEN=<ACCESS TOKEN>
      - TWINGATE_REFRESH_TOKEN=<REFRESH TOKEN>
      - TWINGATE_LOG_ANALYTICS=v2
      - TWINGATE_LOG_LEVEL=3
    network_mode: host
    sysctls:
      net.ipv4.ping_group_range: "0 2147483647"

Docker Compose with log forwarding via syslog

You can also add a few more parameters to your Docker Compose instructions if you want to automatically forward the container logs to something like syslog:

services:
  twingate_connector:
    container_name: <CONNECTOR NAME>
    restart: always
    image: "twingate/connector:latest"
    environment:
      - TWINGATE_NETWORK=<TENANT NAME>
      - TWINGATE_ACCESS_TOKEN=<ACCESS TOKEN>
      - TWINGATE_REFRESH_TOKEN=<REFRESH TOKEN>
      - TWINGATE_LOG_ANALYTICS=v2
      - TWINGATE_LOG_LEVEL=3
    logging:
      driver: syslog
      options:
        syslog-address: "udp://<syslog server IP>:514"
        syslog-format: "rfc5424"
        syslog-facility: daemon
        tag: "<CONNECTOR NAME>"

Last updated 13 days ago

Home

Guides

Use Cases

VPN Replacement

Infrastructure Access

Device Security Controls

Application Gating

Homelab & Personal Use Cases

Internet Security

Compliance

Architecture

How Twingate Works

How DNS Works with Twingate

Twingate vs. VPNs

Twingate vs. Mesh VPNs

Peer-to-peer Communication

How NAT Traversal Works

Encryption in Twingate

API

Getting Started with the API

Schema

Twingate Labs ↗

managing twingate

Quick Start

Automated Deployment

Connectors

Understanding Connectors

Deploying Connectors

Best Practices

Updating Connectors

Advanced Connector Management

Resources

Remote Networks

Aliases

Usage-based Auto-lock

Ephemeral Access

Resource Tags

Team

Users

Groups

Identity Providers

Security Policies

Policy Guides

Two-Factor Authentication

Devices

Client Application

Managed Devices

Device Administration

Services

Headless Clients

CI/CD Configuration

Analytics

Network Overview

Audit Logs

Network Traffic

User Activity

Syncing Data to AWS S3

Internet Security

DNS Filtering

DNS-over-HTTPS (DoH)

Internet Security Client Configuration

Exit Networks

Administration

Admin Console Security

Subscription Management

Managed Service Providers

Cancel Your Subscription

additional resources

Help Center ↗

Changelog

FAQ

Twingate Trust Center

GDPR Compliance

HIPAA Compliance

PCI Compliance

SOC 2 Report

Responsible Disclosure Policy

VPN Replacement

Infrastructure Access

Device Security Controls