[HN Gopher] ZeroTier - Global Area Networking
___________________________________________________________________
ZeroTier - Global Area Networking
Author : aphrax
Score : 54 points
Date : 2021-09-05 11:32 UTC (11 hours ago)
(HTM) web link (github.com)
(TXT) w3m dump (github.com)
| chromatin wrote:
| Probably a great idea, but pretty poor onboarding documentation.
|
| I read the entire manual and still have no idea what the user
| experience looks like once connected. How do I reach the
| connected nodes? ZeroTier DNS? IP? Do I pass the ZeroTier ID
| directly to my network stack and it's accepted and interpreted?
| gallexme wrote:
| It's just another network adapter /ethernet interface with its
| own subnet, u can reach every network member by ip, u can push
| routes to members in the network settings, and future versions
| may also include dns names, in newer clients u can already push
| dns server addresses to members though
| throwaway2016a wrote:
| I've used Zero Tier in the past but not associated with the
| project.
|
| Have you set up subnets on a Network before? If you have it's
| like that.
|
| It creates a subnet; any IP within the subnet range will route
| to your virtual network. It shows up as a Network device on
| your computer, as if you had another NIC.
|
| The ID is used to connect to the Network. It plays the role a
| domain would play when connecting to a VPN.
|
| You could set up an internal DNS server like you can do with
| other internal subnets but it's optional. When I used Zero Tier
| it didn't have a DNS layer so you'd have to do it yourself with
| Bind/a DNS server/something, not sure if it does now.
| kajiryoji wrote:
| I have found tailscale to be far superior. For one, it
| actually works behind double NAT whereas zerotier just
| doesn't
| raarts wrote:
| Not true. I used it behind double NAT without problems in
| the past. Even in 2014.
| null0pointer wrote:
| How does this compare to Yggdrasil?
|
| https://yggdrasil-network.github.io/
| herewego wrote:
| One critical difference is that it looks as though Yggdrasil
| publicly intends to stop development once they hit a 1.0 stable
| release.
| dhruvdh wrote:
| "If we ever reach 1.0" is also important to note.
| DecoPerson wrote:
| I used ZeroTier (free) to allow my brother's friends to connect
| to his Minecraft server (instead of port forwarding on the router
| due to CGNAT on our home internet). Based on my experience, I
| give it 5/5.
|
| The client software is under "Business Source License" allowing
| you see what runs on your machine (unlike other options). It
| defaults to being dependent on a closed-source proprietary
| backend coordination server, to orchestrate the P2P connections.
|
| It was easy to set up the virtual network, and it was very easy to
| get members to join. There's a packet filter language that
| operates on every node in the network, so you can lock down
| traffic really well, down to a single protocol & port (e.g.:
| Minecraft).
|
| The UX is elegant and non-intrusive, though the network
| configuration interface isn't the best for non-techy users.
|
| The networking performance for our Minecraft usage was excellent.
| The stability, even during poor underlying connection times, was
| impressive.
|
| Each node in the network is assigned an IP in a private use area
| (like 192.168.123.123, but you can choose the ranges yourself),
| allowing other software to use the virtual network effortlessly.
| No routing shenanigans are applied to your existing network
| interfaces.
|
| I hope this product stays awesome (and as secure as it currently
| seems). I would be happy to migrate my own professional virtual
| network needs and pay for a premium service if I knew for sure
| the coordination/orchestration server wouldn't disappear within
| the next 10 years, rendering the service dead. Will definitely
| use for temporary free stuff, though. (Tragedy of the commons,
| oops!)
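An added example (not from the thread or the ZeroTier project) of what locking a network down to one protocol and port looks like in the ZeroTier rules language, assuming the Minecraft Java server listens on its default TCP port 25565 (the only value to change for another service):

```zerotier
# Added example, not from the thread: base flow rules for a network whose
# members may only reach a Minecraft Java server (assumed TCP port 25565).

# Only IPv4, ARP and IPv6 frames may cross the virtual wire.
drop
	not ethertype ipv4
	and not ethertype arp
	and not ethertype ipv6
;

# Allow new TCP connections to the Minecraft port.
accept
	ipprotocol tcp
	and dport 25565
;

# Any other TCP SYN (a new connection attempt) stops base-rule evaluation
# here; with no capabilities defined that means the packet is dropped, so
# SSH, SMB, RDP and similar between members are blocked.
break
	chr tcp_syn
	and not chr tcp_ack
;

# No UDP on this network at all (Minecraft Java is TCP only). ICMP stays
# allowed so members can still ping each other for troubleshooting.
drop
	ipprotocol udp
;

# Everything else: established TCP, replies with sport 25565, ICMP.
# The rule set's default action is drop, so this final accept is required.
accept;
```

Rules are evaluated on both the sending and receiving node, so a member whose client has been tampered with still has its traffic filtered by the honest peer.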
| mobilio wrote:
| ZeroTier is amazing! And it also supports OpenWrt.
|
| But bad news is that their license isn't GPL anymore:
| https://www.zerotier.com/pricing/
| traverseda wrote:
| Personally as a free software zealot, I'm actually pretty happy
| with zerotier's licensing. The BSL license they've chosen
| reverts to MIT after 5 years, so there's very little risk of
| vendor lock in. As near as I can tell everything except their
| web interface has the source available, so there's nothing that
| makes you dependent on their infrastructure.
|
| It means that you need to negotiate with them if you want to
| build a product on top of their work (unless it's older than 5
| years) but other than that minor compromise it keeps in spirit
| with free software.
| throwaway2016a wrote:
| I used ZeroTier years ago. At least at the time, on one of my
| computers it did interfere with my network and I had to uninstall
| it but I also had a VPN and Docker networking layer on my machine
| so I'm not sure it was ZeroTier's fault.
|
| It has a lot of promise for something like a distributed P2P
| network. It also has an SDK which I thought would be cool to
| embed in another app to create kind of a seamless Network.
| opk wrote:
| For this use case, the Nebula mesh VPN has the advantage of being
| rather more fully open source.
|
| I use wireguard to provide access to my home network from
| outside. For that, nebula would have the advantage of being a
| single subnet and handling point-to-point communication instead
| of everything going via the tunnel endpoint. I've failed to get
| multicast routing to work over wireguard which would have been
| good for DLNA. But wireguard also serves the extra purpose of
| protecting my Internet traffic if I use untrusted free wifi
| somewhere.
| gnufx wrote:
| Other things (I haven't yet investigated) in this space
| include: https://github.com/wiretrustee/wiretrustee
| https://blog.tonari.no/introducing-innernet
| https://gravitl.com/
| bastard_op wrote:
| I've used zerotier for a good 5-7 years now, and can honestly say
| it's pretty great. I use mostly for personal stuff, some
| business, mostly letting folks into my house to hit my storage
| because it's perpetual, and supports pretty much every device. I
| use this with rpi's as well with quad/octal serial cables as term
| servers with customers too.
|
| This includes my synology filers, android, ios, pi, win, lin,
| mac, ddwrt, and tons more, but this is at least what I've used it
| with so far.
|
| I saw Slack's Nebula release, and thought "oh, they just
| recreated zerotier", and recently someone told me of Tailscale
| much the same. Now Cloudflare seems to be doing like for their
| Quick Tunnels and treating it with the buzzword zero-trust to get
| enterprise attention.
|
| Zero-tier is and has been way ahead of the game for a long time.
| I'm a bit surprised someone hasn't just acquired them by now. So
| many of the "enterprise" sd-wan and zero-tier solutions suck out
| there, but traditional infrastructure folks don't understand how
| this overlay networking works to even consider it. Their loss,
| but obviously Slack and Cloudflare do.
| windexh8er wrote:
| Same boat here. I've turned so many friends on to software
| defined overlay networks over the years and most can't
| understand how ZeroTier is free for everything you get. I use
| both Tailscale and ZeroTier for different purposes. With
| ZeroTier L2 bridging comes at less of a cost than with
| ZeroTier. I honestly wish Tailscale had a bit more flexibility
| and functionality in their routing capabilities. Both are
| fantastic though and I highly recommend both!
|
| I'm also surprised that ZeroTier hasn't been acquired. I was
| working for a prominent network security vendor about 6 years
| ago and mentioned to some higher level product folks that
| ZeroTier is basically "next-gen VPN" and how it would be a
| fantastic addition to our product suite. I remember getting
| snide comments about how we already did what ZeroTier was solving
| for. However DM-VPN type implementations aren't remotely like
| how ZeroTier solved for and now I think the light bulb has
| likely lit up for those folks given how all the Zero Trust /
| Perimeterless / SASE / SD-WAN have taken off. Totally agree
| that most of the "enterprise" solutions are just garbage built
| on OpenVPN or overly rigid IPsec implementations with poor
| performance and even worse functionality.
| cormacrelf wrote:
| I haven't talked about this before, but I found a pretty severe
| vulnerability in the Central API (the thing that backs the web
| UI) back in 2018. The users endpoint for a network was returning
| everyone's API tokens, including the network's administrator's
| one. Obviously that lets you do a lot. I reported it and they
| fixed it very quickly, within about 24 hours. Nothing to fault in
| the response, but I have been a bit skittish since.
|
| These days I use Tailscale for my home setup, which is similarly
| awesome. Both obviously have closed source components. I was
| convinced because (1) you can operate a Tailscale network
| entirely on OAuth2 with an external identity provider, no long-
| lived API tokens and less for them to mess up; (2) it runs over
| Wireguard and I like not having to trust more people on the
| crypto. I had been trying to basically build a mini-Tailscale
| when I discovered it already existed. Others in this thread have
| mentioned being able to operate your own control plane nodes for
| it, I'll have to look into that.
|
| The primary difference between them is that ZeroTier is layer
| 2-ish whereas Tailscale is layer 3-ish. Ironically enough, ZT's
| design is more oriented towards scalability, whereas Tailscale is
| more of a fully connected graph with independent encryption on
| each edge. ZT rules are like configuring `pf` on your whole
| network at once. I miss that, especially the capabilities system.
| With Tailscale, if I were doing more than my own machines, I
| would probably rely on actual firewalls rather than their
| miniature JSON one. But the DNS features on tailscale are
| unmatched. You get `ssh myothermachine` with zero configuration.
| That's hard to beat at home.
|
| I cannot recommend highly enough giving one of these a go. They
| make the internet fun again.
| ithkuil wrote:
| I'm also a happy TailScale user (coming from ZeroTier which I
| still use for some of my networks).
|
| Unfortunately I now work for a company who is also a happy
| TailScale user, which means I cannot use the same machine to
| connect to two TailScale networks at the same time.
|
| I understand that some think this is a feature, but I liked how
| ZeroTier worked in that respect.
| bradfitz wrote:
| We (Tailscale employees) all feel that same pain so we
| continue to think about it. It's not the highest priority,
| but it's a priority.
| aborsy wrote:
| Some questions about ZeroTier, particularly in comparison with
| Tailscale.
|
| Does ZeroTier require a central coordination server for
| authentication and to distribute public keys?
|
| That was a problem with Tailscale that prevented me from using
| it. The provider apparently could inject public keys into
| anyone's network. I don't know if the situation is any different
| in ZeroTier.
|
| I see there are "moons" and you can install your own moon. How
| much effort is the self-hosted version?
|
| Another question: How does ZeroTier bypass NAT if the connections
| are peer to peer? Is it similar to Tailscale (UPnP and STUN,
| followed by relaying)?
| traverseda wrote:
| >Does ZeroTier require a central coordination server for
| authentication and to distribute public keys?
|
| You can run your own network controller, although that option
| isn't very well documented. If you did, that network controller
| would be the only thing that had the private keys that sign
| changes to the network configuration. The basic network
| controller is bundled with the zerotier builds, but there's no
| web UI or anything like that.
|
| >I see there are "moons" and you can install your own moon. How
| much effort is the self-hosted version?
|
| It's easy to set up a moon. By default every zerotier install
| can also work as a moon. The challenge is more in configuring
| all the other nodes to use that moon. Some platforms, like
| android/iphone, I don't believe can be currently set up to use
| custom moons. There's currently no way to remove the default
| zerotier moons, as they're hard-coded.
|
| I think the only thing you really get out of a custom moon is
| that it can act as a relay server, and can work in an
| environment where there's no internet at all. I wish that it
| was easier to push moon config to other nodes, as right now the
| feature is kind of useless.
|
| >Another question: How does ZeroTier bypass NAT if the
| connections are peer to peer? Is it similar to Tailscale (UPnP
| and STUN, followed by relaying)?
|
| Yep.
| toomuchtodo wrote:
| Is there a Docker container for the referenced network
| controller by chance?
| gnufx wrote:
| > The provider apparently could inject public keys into
| anyone's network. I don't know if the situation is any
| different in ZeroTier.
|
| https://github.com/juanfont/headscale is a (not yet complete)
| free software control server for Tailscale if you want to self-
| host.
| atok1 wrote:
| Would not trust.
___________________________________________________________________
(page generated 2021-09-05 23:02 UTC)