This guide walks you through connecting your first devices to EagleSafe ZTB and building a secure peer-to-peer overlay network. There are two main usage scenarios: Peer-to-Peer Network and Remote Network Access.
Sign in to your tenant dashboard
Open your browser and navigate to https://{tenant}.ztb.eaglesafe.com. Authenticate with your company credentials. If multi-factor authentication is enabled on your account, you will be prompted for your second factor during login.
Scenario 1 — Peer-to-Peer Network
In this scenario, you install the EagleSafe ZTB agent on each device. All devices connect directly to each other over an encrypted tunnel.
Install the agent on your first device
- In the dashboard, go to Peers and click Add Peer.
- Select your operating system (Windows, macOS, Linux, iOS, Android).
- Download and run the installer. Follow the on-screen prompts to complete the installation.
Connect your first device
- After installation, find the EagleSafe ZTB icon in your system tray or menu bar.
- Click the icon and select Connect.
- A browser tab will open asking you to authorize the device. Authenticate with your company credentials.
- Once authorized, the device appears in the Peers tab with its assigned ZTB IP address.
Add a second headless device (Linux server)
For servers or devices without a graphical interface, use a Setup Key to register the device without interactive login.
- In the dashboard, go to Settings → Setup Keys and create a new setup key.
- On the target server, install the agent:
curl -fsSL https://pkgs.netbird.io/install.sh | sh- Register the device using the setup key:
netbird up --setup-key <YOUR_SETUP_KEY> --management-url https://{tenant}.ztb.eaglesafe.com:443The terminal will confirm Connected. The device will appear in the Peers tab.
Verify the connection
From the first device, ping the ZTB IP address of the second device:
ping <ZTB_IP_OF_SECOND_DEVICE>Successful replies confirm the two devices are communicating over the encrypted ZTB tunnel.
Access control
By default, a policy is active that allows all your devices to connect to each other. You can create granular policies to restrict which devices can communicate and on which ports. Go to Access Control in the dashboard to manage policies.
Scenario 2 — Remote Network Access
In this scenario, the ZTB agent is installed on a single machine inside your private network. That machine acts as a routing peer, forwarding traffic from remote users to internal resources that do not have the agent installed.
Define your network resource
- In the dashboard, go to Networks and add a new network resource.
- Select Entire Subnet and enter the CIDR range of your private network (e.g.
10.0.0.0/24). - Click Create Resource.
Install the routing peer
- Generate a setup key from Settings → Setup Keys.
- On the gateway machine (a Linux server inside the private subnet), run:
curl -fsSL https://pkgs.netbird.io/install.sh | sh
netbird up --setup-key <YOUR_SETUP_KEY> --management-url https://{tenant}.ztb.eaglesafe.com:443The routing peer will appear in the Peers tab once connected.
Connect a client device
- Install the EagleSafe ZTB agent on the remote client device following the same steps as Scenario 1.
- Connect and authenticate via the browser authorization page.
Test the connection
Move the client device to an external network (e.g. mobile hotspot), then ping an internal resource:
ping <INTERNAL_IP>Successful replies confirm that the client can reach internal resources through the routing peer.
Access policy
A default policy named Users to My Subnet is created automatically, allowing all authenticated users to access the defined subnet. You can modify or replace this policy under Access Control.
