If devices connect to a central VPN server, they have formed a VPN mesh network. That’s what ZT is doing.
Sure, the VPN server solution is not peer-to-peer but rather peer-to-server, but with a nearby server delays are probably not prohibitive?
Also opening ports on one device in each p2p pair seems less than ideal. And with relays we are back to central server case with its issues (speed etc).
What are positive and negative things about ZT compared to VPN server?
Note: I know about SFN, BeyondCorp etc. I don’t see what it can do for home users (non enterprise).
For me, it’s just a matter of convenience, but I’m just using it for personal uses. Most of my time I’m using ZT to help family members with questions or problems on their machines, and ZT is a lot more convenient than setting up a DDNS and then initiating a VPN connection every time I need to connect to their machines.
When I’m away from my home, I still have VPN options to get on my network but, again, it’s usually quicker and easier to just use a ZT connection to a particular machine.
Necroposting: You’re not making a valid comparison. Zerotier is a serverless ZTNA solution; its concept is entirely different from server-to-client protocols such as OpenVPN (SSL VPN), or peer-to-peer protocols such as WireGuard, for instance. ZT is a network switch; you can think of ZT networks as VLANs which are also able to forward broadcast and multicast traffic. We run about 2000 nodes on our own ZT overlay, with geo-redundant root servers as well as controllers across our entire infrastructure. If you’re still interested in this topic, I’d suggest you check out the protocol design section in the official documentation (https://docs.zerotier.com/protocol), which should make things very clear. I will say, however, that one of the more obvious differences between ZT and other platforms is the fact that the peer-to-peer network layer (VL1) of Zerotier doesn’t support PFS. This is intentional for a couple of reasons, and it doesn’t have such a huge impact as long as you’re running secure protocols through your ZT overlay, which you’re supposed to do anyway.
Personal view, but Zerotier is easier to implement. I have both, for historic reasons. My devices connect peer to peer just fine, no need to open ports on any device or router, so I don’t quite understand that comment, whereas for PiVPN you have to open a router port (no big deal however!)
In my case, where I have 2 locations 90 km apart, Zerotier made it easy to have all my Pis appear as if on one LAN. Yes, I know that can be done with PiVPN or whatever - but it was just much, much easier with Zerotier. They now happily and securely communicate with one another in various ways, location independent.
I use the same ISP in both locations, which may help, and there is no CGNAT involved (location is the U.K.).
If I had only one location the thing in favour of Zerotier is (relative) ease of implementation IMO.
The advantages are the same as with any p2p solution. Besides that: the design of the software is simple and elegant, and the end product is easy to use. It has its downsides: mobile implementations are a mess, and with all the heavy development sometimes smaller things fail, but nothing too disruptive.
I have seen this several times. It does not say much.
If two peers are behind NAT and hole punching isn’t possible, you need relays that are too slow to be practical. If I can establish a direct connection by port forwarding or hole punching, why do I need ZeroTier? I use a VPN. If what ZT does is simplifying VPN for networks, then maybe it is valuable for enterprise. It does not seem to bring much to home users.
Concerning opening ports, if firewalls on both sides don’t allow incoming traffic (either the user opens ports or ZT negotiates with the router and creates a random port if the router permits that), then relaying is the only option, which is slow and impractical.
So you may not open a port, but that’s because your router supports protocols that allow hole punching in your network, and ZT does it for you automatically. You should probably disable those protocols, e.g. UPnP, as they could be security problems.
In other words, ZT makes it more convenient to open ports on demand.
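The slow-relay case discussed above is easy to check for rather than guess at. The following is an added example, not ZeroTier project code: it parses the JSON that `zerotier-cli -j peers` prints and labels each peer DIRECT (a live UDP path exists, so hole punching or a forwarded port worked) or RELAY (no path, so traffic rides through a root server). The field names (`address`, `role`, `latency`, `paths` with `address`/`active`/`preferred`/`expired`), the role names LEAF/PLANET and the -1 "latency unknown" convention are assumptions about the CLI's output; the sample data is constructed, not captured.

```python
from __future__ import annotations

import json
import subprocess
from dataclasses import dataclass

# Constructed sample in the assumed shape of `zerotier-cli -j peers` (not a
# real capture). Peer 1 has a live direct UDP path; peer 2 has no path at all
# (hole punching failed, so its traffic goes via a root/relay); peer 3 is a
# root server itself.
SAMPLE_PEERS_JSON = """[
  {"address": "a1b2c3d4e5", "role": "LEAF", "latency": 23,
   "paths": [{"address": "203.0.113.10/9993", "active": true,
              "preferred": true, "expired": false}]},
  {"address": "f6e5d4c3b2", "role": "LEAF", "latency": -1, "paths": []},
  {"address": "0123456789", "role": "PLANET", "latency": 41,
   "paths": [{"address": "198.51.100.7/9993", "active": true,
              "preferred": true, "expired": false}]}
]"""


@dataclass
class PeerLink:
    address: str      # 10-hex-digit ZeroTier node address
    role: str         # LEAF for ordinary nodes; PLANET/MOON for roots (assumed)
    link: str         # "DIRECT" when a usable path exists, else "RELAY"
    latency_ms: int   # -1 in the sample means "not measured yet"
    path: str         # ip/port of the preferred live path, "" when relayed


def _live_paths(peer: dict) -> list[dict]:
    """Paths that are active and not expired; only these carry traffic."""
    return [p for p in peer.get("paths", [])
            if p.get("active") and not p.get("expired", False)]


def classify_peers(peers_json: str) -> list[PeerLink]:
    """Parse peer JSON and label each peer DIRECT or RELAY."""
    result = []
    for peer in json.loads(peers_json):
        live = _live_paths(peer)
        # Prefer the path the daemon marked preferred, else any live one.
        preferred = next((p for p in live if p.get("preferred")),
                         live[0] if live else None)
        result.append(PeerLink(
            address=peer["address"],
            role=peer.get("role", "?"),
            link="DIRECT" if preferred else "RELAY",
            latency_ms=int(peer.get("latency", -1)),
            path=preferred["address"] if preferred else "",
        ))
    return result


def relayed_leaves(links: list[PeerLink]) -> list[PeerLink]:
    """Ordinary (LEAF) peers with no direct path: these are the slow ones."""
    return [l for l in links if l.role == "LEAF" and l.link == "RELAY"]


def read_live_peers() -> str:
    """Fetch real output from the local daemon (needs zerotier-cli installed
    and usually root); not called by the sample run below."""
    return subprocess.run(["zerotier-cli", "-j", "peers"],
                          capture_output=True, text=True, check=True).stdout


if __name__ == "__main__":
    links = classify_peers(SAMPLE_PEERS_JSON)
    for l in links:
        print(f"{l.address} {l.role:<7} {l.link:<6} {l.latency_ms:>4} ms {l.path}")
    slow = relayed_leaves(links)
    print(f"{len(slow)} relayed peer(s):", [l.address for l in slow])
```

Run it against `read_live_peers()` instead of the sample to see whether a given family machine is actually relayed before concluding that ZT itself is slow; a LEAF that stays on RELAY for more than a few seconds is the case where neither hole punching nor a forwarded port worked, and that peer's traffic is crossing shared root infrastructure.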
A couple of reasons. First, I set up ZT because I’m a hobbyist and thought it would be an interesting way to skip the steps of initiating VPN connections, having active DDNS for the remote machines I connect to, and setting up port forwarding at those remote locations. I never comparison shopped for performance or features - rather I saw someone post about it and thought “that looks cool, I’m going to try it”. Second, it’s free for my tiny personal account/network.
So, I’ve got it working and it serves my purposes nicely and I have no doubt there are better services out there. That’s probably not a very good answer to your question but it’s how I wound up using ZT.
It’s a different take on being a VPN. ZT implements a layer 3 overlay. Every device directly connects to every other device on the ZT network under one address space.
If traditional VPN meets your needs, then there is no need for ZT. If you want devices on different networks to seamlessly be available to one another, then ZT is the way to go.
For instance, if I’m away from home with my laptop, ZT can connect me back to my home server and, at the same time, connect me to a NAS at my parents house as well as a cloud VM in some data center.
Traditional VPN would require connecting and disconnecting from each site/network that I want to connect to.
In addition, a computer can be connected to multiple ZT networks at one time. So I can be connected to my home ZT network and work ZT network at the same time.
For instance, if I’m away from home with my laptop, ZT can connect me back to my home server and, at the same time, connect me to a NAS at my parents house as well as a cloud VM in some data center.
But with “traditional VPN” as well, those devices could all connect to a central VPN server (say at home), instead of connecting to a ZT network (so openvpn connect instead of zerotier-one connect). They will all appear to be on one LAN subnet. It’s the same thing. I connect all devices to a VPN on Digital Ocean, and it’s like LAN no matter where devices are.
Traditional VPN would require connecting and disconnecting from each site/network that I want to connect to.
So does ZT. Each device needs to connect to the ZT network once and be approved online. You can disconnect and connect with ZT.
With traditional VPN, the connection can be keepalive (persistent).
ZT can connect me back to my home server and, at the same time, connect me to a NAS at my parents house as well as a cloud VM in some data center.
I’m very interested in this. I wanna self host at home, but ports 80 and 443 are blocked, I could use ZT with a VPS, but per my testing, the bandwidth speed is veeery slow for my usage (Mainly Seafile and Jellyfin).