Skip to content
On this page
Documentation

Five minutes. One docker label.
One public IP.

You've already paid (or you're on the free tier). You have an API token. You have a Docker host. Add the agent, label your container, run docker compose up. Free tier available. Paid tiers from $0.99/mo (Micro). Annual billing saves 2 months.

no router config works behind CGNAT all ports, TCP + UDP ~5s cold start

Quickstart

01 / AGENT
Add the agent

The fastest way to install the agent is the one-line installer — sets up a systemd service and auto-updater, pins the current released image digest. Requires Linux with systemd and Docker. Must run as root.

terminal
# paste your token from the dashboard $ export SIDECAR_TOKEN=sct_live_your_token_here $ curl -fsSL https://sidecar.network/install | sudo sh

Prefer Compose? Download the canonical compose.yml from sidecar.network/releases, or use the minimal snippet below. The agent opens container network namespaces via Docker's own SandboxKey — no --pid host required.

docker-compose.yml
# docker-compose.yml — minimal manual setup # For the full hardened compose (socket proxy, signed digest), use the installer. services: sidecar-agent: # pin to a signed digest — see sidecar.network/releases image: ghcr.io/sidecar-network/agent:<latest-release> environment: - SIDECAR_TOKEN=sct_live_your_token_here - SIDECAR_CTRL_URL=https://relay-us-east.sidecar.network:8443 volumes: - /var/run/docker.sock:/var/run/docker.sock - /var/run/docker/netns:/var/run/docker/netns:ro network_mode: host cap_drop: - ALL cap_add: - NET_ADMIN - SYS_ADMIN security_opt: - no-new-privileges:true restart: unless-stopped
02 / LABEL
Label your containers

Add sidecar.enable=true to any container you want a public IP on. All tiers include IPv6 /128. IPv4 requires Pulse+IPv4 ($29.99/mo) or Relay ($39.99/mo).

Unlimited data transfer on all tiers. Speed depends on your plan (25–1000 Mbps).

docker-compose.yml (continued)
minecraft: image: itzg/minecraft-server labels: - "sidecar.enable=true" - "sidecar.ipv4=true" # optional: request dedicated IPv4
03 / DONE
Bring it up

Run docker compose up -d. The agent connects, watches for labels, and allocates IPs within seconds.

terminal
$ docker compose up -d sidecar | Connected to relay (relay-us-east) sidecar | Watching for labeled containers… sidecar | minecraft → 2001:db8:1::42 ✓ live sidecar | minecraft → 203.0.113.97 ✓ live (IPv4)

Docker Network Plugin (Alternative)

The plugin is an alternative to the agent — no persistent daemon required. Instead of labeling containers, you create a Sidecar-backed network type and attach containers to it with --network. Use docker run to start it (not docker plugin install).

terminal
# Run the plugin container (NET_ADMIN + SYS_ADMIN — manages WireGuard netns) $ docker run -d --name sidecar-plugin \ --restart unless-stopped \ --network host \ --cap-drop ALL \ --cap-add NET_ADMIN \ --cap-add SYS_ADMIN \ --security-opt no-new-privileges \ -v /var/run/docker.sock:/var/run/docker.sock \ -v /var/run/docker/netns:/var/run/docker/netns:ro \ -e SIDECAR_TOKEN=<your-token> \ ghcr.io/sidecar-network/plugin:latest # Create a sidecar network and use it $ docker network create --driver sidecar mynet $ docker run --network mynet --network-alias myservice nginx

Any container on mynet gets its own public IPv6 from your relay's /64. Add --label sidecar.ipv4=true to request a dedicated /32 IPv4. In production, pin the plugin to a digest rather than :latest — see sidecar.network/releases for the current digest.

Docker Desktop (macOS / Windows)

The agent runs inside Docker Desktop's Linux VM (LinuxKit on macOS, WSL2 on Windows). WireGuard is present in the VM kernel and public IPs work end-to-end. The relay tunnel is outbound UDP from the VM, so no macOS/Windows firewall changes are needed.

Note: The one-line installer (install.sh) requires systemctl / systemd on the host. Docker Desktop hosts don't expose systemd. Use the docker run command below instead.
terminal
$ docker run -d --name sidecar-agent \ --restart unless-stopped \ --network host \ --cap-drop ALL \ --cap-add NET_ADMIN \ --cap-add SYS_ADMIN \ --security-opt no-new-privileges \ -v /var/run/docker.sock:/var/run/docker.sock \ -v /var/run/docker/netns:/var/run/docker/netns:ro \ -e SIDECAR_TOKEN=YOUR_TOKEN \ ghcr.io/sidecar-network/agent:latest

The same command works on both macOS (LinuxKit VM) and Windows (WSL2 backend). The agent enters container network namespaces via Docker's own SandboxKey path — --pid host and SYS_PTRACE are not required.

Auto-start on reboot: because --restart unless-stopped is set, the agent restarts automatically when Docker Desktop starts. No additional configuration needed.

Post-Quantum Encryption

Post-quantum encryption is mandatory.

mandatory since initial release automatic no configuration needed

All connections use X-Wing hybrid post-quantum encryption (X25519 + ML-KEM-768 combined key exchange) layered over WireGuard's standard Noise_IKpsk2 handshake. No configuration needed — it's mandatory and automatic. The agent handles key generation and PSK rotation on every provisioning call. Enforced since initial release; connections without a valid hybrid session key are rejected.

Bitcoin Lightning Payments

Annual subscriptions can be paid with Bitcoin via Lightning Network. Payments are processed through BTCPay Server — no account required, no KYC, instant settlement.

Annual billing only: Lightning payments are available on annual plans. Monthly billing is PayPal only.

To pay with Lightning, go to sidecar.network/btcpay, select your plan, and scan the Lightning invoice with any compatible wallet (Phoenix, Breez, Mutiny, Zeus, etc.).

Your subscription activates immediately after the invoice is settled. Annual pricing saves 2 months vs monthly — same tiers, starting from $0.99/mo equivalent.