ZeroTier – SD WAN / P2P VPN solution for everyone

During my search for simple and practical solutions for managing our networks, I came across ZeroTier. The project is now in its 5th year and, in my opinion, absolutely underestimated. With a few major customers and tens of thousands of users, the product can already be described as practical.

As a mixture of a Hamachi-like P2P VPN and an SD WAN solution with a management plane in the ZeroTier Cloud, the product is well suited to bringing “Software Defined WAN” within the everyday reach and budget of smaller companies. Even the free version includes 100 nodes, which can be a very mixed assortment of hardware.

In addition to Windows, Linux, BSD, iOS and Android, OpenWRT, Synology and QNAP packages are also maintained. For hardware that is not natively supported, such as network printers, there is a separate ZeroTier gateway, “Edge”, of which several hundred have already been financed through Indiegogo. However, deliveries have been delayed for months, and the first units are only now being sent out. It is therefore not yet possible to determine the extent to which the gateway is suitable for practical use. On paper, however, it is a hardware gateway that is supposed to be able to “saturate” the Gbit interface with encrypted VPN traffic.

Practical test

Three VLANs are now in use in my test account (incl. DS111 Synology NAS).

The Windows drivers run absolutely stably. Depending on the scenario, the Windows 10 PCs also have two or three virtual network adapters. By activating IP forwarding, it is also possible to reach NAS drives or printers that cannot run ZeroTier themselves through the Windows 10 gateway. Of course, this solution has the disadvantage that the PC must always be running. A dedicated gateway such as Edge is definitely the more economical solution here.

VPN performance is comparable with IPsec. On the very old DS111 I achieved 1 MB/sec, which of course was not really suitable for everyday use.

The Windows drivers start reliably with the operating system. The only problem is that Windows 10 can’t really handle multiple default gateways reliably. Tracert occasionally shows me that requests to VPN IPs are being routed through the normal Wi-Fi NIC, which of course doesn’t work. In my opinion, however, this is more of a Windows problem.

Network management

After logging in, you can see the managed networks in a very clear form:

For the respective network, the virtual and the actual IP, name, network ID and the status of the node are displayed very transparently.

The actual SD WAN feature, however, is the flow rules, which are supposed to be granular enough to replace a firewall. Unfortunately, I have not yet been able to test this.

So the possibilities are very versatile, and current development is managed on GitHub. The project is open source, but certain components are subject to licensing.


Support is relatively fast via community chat and mail – even with the free package. The questions are usually answered by the ZeroTier developers themselves, within 10-12 hours because of the time difference.


Security-conscious admins can legitimately object that ZeroTier generates the VPN certificate, and thus the key, itself. With sufficiently secure node identification and VPN encryption, the ZeroTier team has found a good way to offer a simple yet secure approach that meets 99.9% of everyday requirements and thus promotes the further spread of secure and future-proof Internet technologies.


Support for Multipath WAN and continuous Quality of Service is currently being added. It is precisely through QoS that the quality features previously known only from very expensive MPLS networks come within affordable reach. We are curious to see what the small and creative ZeroTier team will do in the following months. We wish them every success.

Practical experiences from our daily ZeroTier test routine are of course described in follow-up articles.
