diff --git a/net/zerotier/Makefile b/net/zerotier/Makefile
index b66ebf553035..9e4ec1180f67 100644
--- a/net/zerotier/Makefile
+++ b/net/zerotier/Makefile
@@ -1,52 +1,51 @@
 PORTNAME=	zerotier
-DISTVERSION=	1.12.2
-PORTREVISION=	1
+DISTVERSION=	1.14.0
 CATEGORIES=	net
 
 MAINTAINER=	dch@FreeBSD.org
 COMMENT=	Network virtualization everywhere
 WWW=		https://www.zerotier.com/
 
 # No SaaS or Govt usage: https://github.com/zerotier/ZeroTierOne/blob/master/LICENSE.txt
 LICENSE=		BUSINESS MIT PD
 LICENSE_COMB=		multi
 LICENSE_NAME_BUSINESS=	Business Source License
 LICENSE_FILE_BUSINESS=	${WRKSRC}/LICENSE.txt
 LICENSE_FILE_MIT=	${WRKSRC}/ext/http-parser/LICENSE-MIT
 LICENSE_PERMS_BUSINESS=	dist-mirror dist-sell pkg-mirror pkg-sell auto-accept
 
 BUILD_DEPENDS=	as:devel/binutils
 
 USES=		gmake compiler:c++14-lang
 USE_RC_SUBR=	zerotier
 
 USE_GITHUB=	yes
 GH_PROJECT=	ZeroTierOne
 
 CFLAGS+=	-flax-vector-conversions
 
 OPTIONS_DEFINE=	DBG
 DBG_DESC=	Enable foreground debugging for zerotier-one daemon
 DBG_ALL_TARGET=	debug
 
 PLIST_FILES=	bin/zerotier-cli bin/zerotier-idtool sbin/zerotier-one
 
 .include <bsd.port.pre.mk>
 
 .if ${OPSYS} == "FreeBSD"
 # log output via syslog
 SUB_LIST+=	ZEROTIER_SYSLOG="-s debug -T zerotier"
 SUB_LIST+=	ZEROTIER_IF_TAP="if_tuntap"
 .else
 # we are not on FreeBSD
 SUB_LIST+=	ZEROTIER_IF_TAP="if_tap" \
 		ZEROTIER_SYSLOG=""
 .endif
 
 do-install:
 	${INSTALL_PROGRAM} ${WRKSRC}/zerotier-one ${STAGEDIR}${PREFIX}/sbin/
 .for l in zerotier-cli zerotier-idtool
 	${RLN} ${STAGEDIR}${PREFIX}/sbin/zerotier-one ${STAGEDIR}${PREFIX}/bin/${l}
 .endfor
 
 .include <bsd.port.post.mk>
diff --git a/net/zerotier/distinfo b/net/zerotier/distinfo
index 4e33dbc4d17b..3e33cb0498a8 100644
--- a/net/zerotier/distinfo
+++ b/net/zerotier/distinfo
@@ -1,3 +1,3 @@
-TIMESTAMP = 1695881387
-SHA256 (zerotier-ZeroTierOne-1.12.2_GH0.tar.gz) = 7c6512cfc208374ea9dc9931110e35f71800c34890e0f35991ea485aae66e31c
-SIZE (zerotier-ZeroTierOne-1.12.2_GH0.tar.gz) = 12431815
+TIMESTAMP = 1714832015
+SHA256 (zerotier-ZeroTierOne-1.14.0_GH0.tar.gz) = 7191623a81b0d1b552b9431e8864dd3420783ee518394ac1376cee6aaf033291
+SIZE (zerotier-ZeroTierOne-1.14.0_GH0.tar.gz) = 12453099
diff --git a/net/zerotier/files/patch-README.md b/net/zerotier/files/patch-README.md
deleted file mode 100644
index 2ef84861cac6..000000000000
--- a/net/zerotier/files/patch-README.md
+++ /dev/null
@@ -1,26 +0,0 @@
---- README.md.orig	2023-09-14 19:09:26 UTC
-+++ README.md
-@@ -169,3 +169,23 @@ If there are other metrics you'd like to see tracked, 
- | zt_peer_packet_errors | node_id | Counter | number of incoming packet errors from a peer |
- 
- If there are other metrics you'd like to see tracked, ask us in an Issue or send us a Pull Request!
-+
-+### HTTP / App server
-+
-+There is a static http file server suitable for hosting Single Page Apps at http://localhost:9993/app/<app-path>
-+
-+Use `zerotier-cli info -j` to find your zerotier-one service's homeDir
-+
-+``` sh
-+cd $ZT_HOME
-+sudo mkdir -p app/app1
-+sudo mkdir -p app/appB
-+echo '<html><meta charset=utf-8><title>appA</title><body><h1>hello world A' | sudo tee app/appA/index.html 
-+echo '<html><meta charset=utf-8><title>app2</title><body><h1>hello world 2' | sudo tee app/app2/index.html 
-+curl -sL http://localhost:9993/app/appA http://localhost:9993/app/app2 
-+```
-+
-+Then visit [http://localhost:9993/app/app1/](http://localhost:9993/app/app1/) and [http://localhost:9993/app/appB/](http://localhost:9993/app/appB/)
-+
-+Requests to paths don't exist return the app root index.html, as is customary for SPAs. 
-+If you want, you can write some javascript that talks to the service or controller [api](https://docs.zerotier.com/service/v1).
diff --git a/net/zerotier/files/patch-controller_EmbeddedNetworkController.cpp b/net/zerotier/files/patch-controller_EmbeddedNetworkController.cpp
deleted file mode 100644
index 1f037774fcfb..000000000000
--- a/net/zerotier/files/patch-controller_EmbeddedNetworkController.cpp
+++ /dev/null
@@ -1,26 +0,0 @@
---- controller/EmbeddedNetworkController.cpp.orig	2023-09-14 19:09:26 UTC
-+++ controller/EmbeddedNetworkController.cpp
-@@ -874,6 +874,7 @@ void EmbeddedNetworkController::configureHTTPControlPl
- 	std::string memberListPath = "/controller/network/([0-9a-fA-F]{16})/member";
- 	std::string memberPath = "/controller/network/([0-9a-fA-F]{16})/member/([0-9a-fA-F]{10})";
- 
-+
- 	auto controllerGet = [&, setContent](const httplib::Request &req, httplib::Response &res) {
- 		char tmp[4096];
- 		const bool dbOk = _db.isReady();
-@@ -885,11 +886,11 @@ void EmbeddedNetworkController::configureHTTPControlPl
- 			(unsigned long long)OSUtils::now(),
- 			dbOk ? "true" : "false");
- 
--			if (!dbOk) {
--				res.status = 503;
--			}
-+		if (!dbOk) {
-+			res.status = 503;
-+		}
- 
--			setContent(req, res, tmp);
-+		setContent(req, res, tmp);
- 	};
- 	s.Get(controllerPath, controllerGet);
- 	sv6.Get(controllerPath, controllerGet);
diff --git a/net/zerotier/files/patch-node_InetAddress.cpp b/net/zerotier/files/patch-node_InetAddress.cpp
deleted file mode 100644
index 2b1b7a6e4b4a..000000000000
--- a/net/zerotier/files/patch-node_InetAddress.cpp
+++ /dev/null
@@ -1,23 +0,0 @@
---- node/InetAddress.cpp.orig	2023-09-14 19:09:26 UTC
-+++ node/InetAddress.cpp
-@@ -132,7 +132,20 @@ InetAddress::IpScope InetAddress::ipScope() const
- 					return IP_SCOPE_PRIVATE;        // fc00::/7
- 				}
- 			}
-+
-+			// :::ffff:127.0.0.1
-+			// 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0xff, 0xff, 0x7f, 0, 0, 1
- 			unsigned int k = 0;
-+			while ((!ip[k])&&(k < 9)) {
-+				++k;
-+			}
-+			if (k == 9) {
-+				if (ip[10] == 0xff && ip[11] == 0xff && ip[12] == 0x7f) {
-+					return IP_SCOPE_LOOPBACK;
-+				}
-+			}
-+
-+			k = 0;
- 			while ((!ip[k])&&(k < 15)) {
- 				++k;
- 			}
diff --git a/net/zerotier/files/patch-service_OneService.cpp b/net/zerotier/files/patch-service_OneService.cpp
deleted file mode 100644
index 884b42e88a65..000000000000
--- a/net/zerotier/files/patch-service_OneService.cpp
+++ /dev/null
@@ -1,138 +0,0 @@
---- service/OneService.cpp.orig	2023-09-14 19:09:26 UTC
-+++ service/OneService.cpp
-@@ -795,6 +795,7 @@ class OneServiceImpl : public OneService (public)
-     bool _allowTcpFallbackRelay;
- 	bool _forceTcpRelay;
- 	bool _allowSecondaryPort;
-+	bool _enableWebServer;
- 
- 	unsigned int _primaryPort;
- 	unsigned int _secondaryPort;
-@@ -1557,6 +1558,7 @@ class OneServiceImpl : public OneService (public)
- 
-         std::vector<std::string> noAuthEndpoints { "/sso", "/health" };
- 
-+
- 		auto setContent = [=] (const httplib::Request &req, httplib::Response &res, std::string content) {
- 			if (req.has_param("jsonp")) {
- 				if (content.length() > 0) {
-@@ -1573,8 +1575,98 @@ class OneServiceImpl : public OneService (public)
- 			}
- 		};
- 
-+		//
-+		// static file server for app ui'
-+		//
-+		if (_enableWebServer) {
-+			static std::string appUiPath = "/app";
-+			static char appUiDir[16384];
-+			sprintf(appUiDir,"%s%s",_homePath.c_str(),appUiPath.c_str());
- 
--        auto authCheck = [=] (const httplib::Request &req, httplib::Response &res) {
-+			auto ret = _controlPlane.set_mount_point(appUiPath, appUiDir);
-+			_controlPlaneV6.set_mount_point(appUiPath, appUiDir);
-+			if (!ret) {
-+				fprintf(stderr, "Mounting app directory failed. Creating it. Path: %s - Dir: %s\n", appUiPath.c_str(), appUiDir);
-+				if (!OSUtils::mkdir(appUiDir)) {
-+					fprintf(stderr, "Could not create app directory either. Path: %s - Dir: %s\n", appUiPath.c_str(), appUiDir);
-+				} else {
-+					ret = _controlPlane.set_mount_point(appUiPath, appUiDir);
-+					_controlPlaneV6.set_mount_point(appUiPath, appUiDir);
-+					if (!ret) {
-+						fprintf(stderr, "Really could not create and mount directory. Path: %s - Dir: %s\nWeb apps won't work.\n", appUiPath.c_str(), appUiDir);
-+					}
-+				}
-+			}
-+
-+			if (ret) {
-+				// fallback to /index.html for paths that don't exist for SPAs
-+				auto indexFallbackGet = [](const httplib::Request &req, httplib::Response &res) {
-+					// fprintf(stderr, "fallback \n");
-+
-+					auto match = req.matches[1];
-+					if (match.matched) {
-+
-+						// fallback
-+						char indexHtmlPath[16384];
-+						sprintf(indexHtmlPath,"%s/%s/%s", appUiDir, match.str().c_str(), "index.html");
-+						// fprintf(stderr, "fallback path %s\n", indexHtmlPath);
-+
-+						std::string indexHtml;
-+
-+						if (!OSUtils::readFile(indexHtmlPath, indexHtml)) {
-+							res.status = 500;
-+							return;
-+						}
-+
-+						res.set_content(indexHtml.c_str(), "text/html");
-+					} else {
-+						res.status = 500;
-+						return;
-+					}
-+				};
-+
-+				auto slashRedirect = [](const httplib::Request &req, httplib::Response &res) {
-+					// fprintf(stderr, "redirect \n");
-+
-+					// add .html
-+					std::string htmlFile;
-+					char htmlPath[16384];
-+					sprintf(htmlPath,"%s%s%s", appUiDir, (req.path).substr(appUiPath.length()).c_str(), ".html");
-+					// fprintf(stderr, "path: %s\n", htmlPath);
-+					if (OSUtils::readFile(htmlPath, htmlFile)) {
-+						res.set_content(htmlFile.c_str(), "text/html");
-+						return;
-+					} else {
-+						res.status = 301;
-+						res.set_header("location", req.path + "/");
-+					}
-+				};
-+
-+				// auto missingAssetGet = [&, setContent](const httplib::Request &req, httplib::Response &res) {
-+				// 	fprintf(stderr, "missing \n");
-+				// 	res.status = 404;
-+				// 	std::string html = "oops";
-+				// 	res.set_content(html, "text/plain");
-+				// 	res.set_header("Content-Type", "text/plain");
-+				// 	return;
-+				// };
-+
-+				// auto fix no trailing slash by adding .html or redirecting to path/
-+				_controlPlane.Get(appUiPath + R"((/[\w|-]+)+$)", slashRedirect);
-+				_controlPlaneV6.Get(appUiPath + R"((/[\w|-]+)+$)", slashRedirect);
-+
-+				// // 404 missing assets for *.ext paths
-+				//   s.Get(appUiPath + R"(/\.\w+$)", missingAssetGet);
-+				// sv6.Get(appUiPath + R"(/\.\w+$)", missingAssetGet);
-+
-+				// fallback to index.html for unknown paths/files
-+				_controlPlane.Get(appUiPath + R"((/[\w|-]+)(/[\w|-]+)*/$)", indexFallbackGet);
-+				_controlPlaneV6.Get(appUiPath + R"((/[\w|-]+)(/[\w|-]+)*/$)", indexFallbackGet);
-+
-+			}
-+		}
-+
-+		auto authCheck = [=] (const httplib::Request &req, httplib::Response &res) {
- 			if (req.path == "/metrics") {
- 
- 				if (req.has_header("x-zt1-auth")) {
-@@ -1624,6 +1716,11 @@ class OneServiceImpl : public OneService (public)
- 						isAuth = true;
- 					}
- 
-+					// Web Apps base path
-+					if (req.path.rfind("/app", 0) == 0) { //starts with /app
-+						isAuth = true;
-+					}
-+
- 					if (!isAuth) {
- 						// check auth token
- 						if (req.has_header("x-zt1-auth")) {
-@@ -2429,6 +2526,7 @@ class OneServiceImpl : public OneService (public)
- 		// bondingPolicy cannot be used with allowTcpFallbackRelay
- 		_allowTcpFallbackRelay = OSUtils::jsonBool(settings["allowTcpFallbackRelay"],true);
- 		_forceTcpRelay = OSUtils::jsonBool(settings["forceTcpRelay"],false);
-+		_enableWebServer = (OSUtils::jsonBool(settings["enableWebServer"],false));
- 
- #ifdef ZT_TCP_FALLBACK_RELAY
- 		_fallbackRelayAddress = InetAddress(OSUtils::jsonString(settings["tcpFallbackRelay"], ZT_TCP_FALLBACK_RELAY).c_str());