    ZeroTier Review

      scottalanmiller @quicky2g

      @quicky2g Welcome to the community!

        quicky2g @scottalanmiller

        @scottalanmiller Thanks! Co-worker put me onto this article and seems like a pretty cool site. Might have to stick around 🙂

          scottalanmiller

          Awesome! Great to see people starting to steer others over here!

            dafyre @quicky2g

            @quicky2g said:

            @scottalanmiller Thanks! Co-worker put me onto this article and seems like a pretty cool site. Might have to stick around 🙂

            Welcome aboard & Thanks for the code update!

              travisdh1

              I'm really liking how easy it is to set up. Just want to see some security review by a trusted security person before I go ahead and roll it out. Anyone seen a review on it from someone like Steve Gibson, Brian Krebs, or the like?

                dafyre @travisdh1

                @travisdh1 said:

                I'm really liking how easy it is to set up. Just want to see some security review by a trusted security person before I go ahead and roll it out. Anyone seen a review on it from someone like Steve Gibson, Brian Krebs, or the like?

                If you haven't read up in the FAQ yet, check it out here: https://www.zerotier.com/tech_faq.shtml -- especially the security section.

                What kind of use case are you seeing for it?

                  quicky2g @dafyre

                  @dafyre said:

                  @travisdh1 said:

                  I'm really liking how easy it is to set up. Just want to see some security review by a trusted security person before I go ahead and roll it out. Anyone seen a review on it from someone like Steve Gibson, Brian Krebs, or the like?

                  If you haven't read up in the FAQ yet, check it out here: https://www.zerotier.com/tech_faq.shtml -- especially the security section.

                  What kind of use case are you seeing for it?

                  I did Wireshark on the traffic yesterday. All I saw was encrypted data inside a UDP packet. Not sure if there are any vulnerabilities or security holes in the dependent applications.

                    travisdh1 @dafyre

                    @dafyre said:

                    @travisdh1 said:

                    I'm really liking how easy it is to set up. Just want to see some security review by a trusted security person before I go ahead and roll it out. Anyone seen a review on it from someone like Steve Gibson, Brian Krebs, or the like?

                    If you haven't read up in the FAQ yet, check it out here: https://www.zerotier.com/tech_faq.shtml -- especially the security section.

                    What kind of use case are you seeing for it?

                    I've got two locations, one with the worst "high-speed" internet you're likely to find outside of satellite (good riddance to satellite!) 1 vm host and 1 backup target at each location. Either XenServer or ProxMox running on the servers. I'm thinking I'll be able to manage most things at both sites with a jumpbox vm. Maybe even make xrdp available as well, tho that would be painful with the DSL connection (756kb/250kb actual measured 600kb/300kb.)

                      Dashrender @dafyre

                      @dafyre said:

                      What kind of use case are you seeing for it?

                      The use case I see is a primarily mobile workforce. But also something like more modern offices mostly seen on the west coast - just let anyone on the network because the network is just a connection medium. ZT over the physical is what would actually allow you access to services for the company.

                        quicky2g @travisdh1

                        @travisdh1 said:

                        @dafyre said:

                        @travisdh1 said:

                        I'm really liking how easy it is to set up. Just want to see some security review by a trusted security person before I go ahead and roll it out. Anyone seen a review on it from someone like Steve Gibson, Brian Krebs, or the like?

                        If you haven't read up in the FAQ yet, check it out here: https://www.zerotier.com/tech_faq.shtml -- especially the security section.

                        What kind of use case are you seeing for it?

                        I've got two locations, one with the worst "high-speed" internet you're likely to find outside of satellite (good riddance to satellite!) 1 vm host and 1 backup target at each location. Either XenServer or ProxMox running on the servers. I'm thinking I'll be able to manage most things at both sites with a jumpbox vm. Maybe even make xrdp available as well, tho that would be painful with the DSL connection (756kb/250kb actual measured 600kb/300kb.)

                        ZeroTier must use some kind of compression so might help with your speed issues. I have 5mbps upload at home. Did an upload test with iPerf between my house and my work office and saw 5mbps with Hamachi:

                        0_1452090858124_hamachi.png

                        Did the same test with ZeroTier between the same endpoints:

                        0_1452090880951_zerotier.png

                          dafyre @quicky2g

                          @quicky2g said:

                          @travisdh1 said:

                          @dafyre said:

                          @travisdh1 said:

                          I'm really liking how easy it is to set up. Just want to see some security review by a trusted security person before I go ahead and roll it out. Anyone seen a review on it from someone like Steve Gibson, Brian Krebs, or the like?

                          If you haven't read up in the FAQ yet, check it out here: https://www.zerotier.com/tech_faq.shtml -- especially the security section.

                          What kind of use case are you seeing for it?

                          I've got two locations, one with the worst "high-speed" internet you're likely to find outside of satellite (good riddance to satellite!) 1 vm host and 1 backup target at each location. Either XenServer or ProxMox running on the servers. I'm thinking I'll be able to manage most things at both sites with a jumpbox vm. Maybe even make xrdp available as well, tho that would be painful with the DSL connection (756kb/250kb actual measured 600kb/300kb.)

                          ZeroTier must use some kind of compression so might help with your speed issues. I have 5mbps upload at home. Did an upload test with iPerf between my house and my work office and saw 5mbps with Hamachi:

                          0_1452090858124_hamachi.png

                          Did the same test with ZeroTier between the same endpoints:

                          0_1452090880951_zerotier.png

                          O.o. That'd be some crazy compression!

                            travisdh1 @quicky2g

                            @quicky2g said:

                            @travisdh1 said:

                            @dafyre said:

                            @travisdh1 said:

                            I'm really liking how easy it is to set up. Just want to see some security review by a trusted security person before I go ahead and roll it out. Anyone seen a review on it from someone like Steve Gibson, Brian Krebs, or the like?

                            If you haven't read up in the FAQ yet, check it out here: https://www.zerotier.com/tech_faq.shtml -- especially the security section.

                            What kind of use case are you seeing for it?

                            I've got two locations, one with the worst "high-speed" internet you're likely to find outside of satellite (good riddance to satellite!) 1 vm host and 1 backup target at each location. Either XenServer or ProxMox running on the servers. I'm thinking I'll be able to manage most things at both sites with a jumpbox vm. Maybe even make xrdp available as well, tho that would be painful with the DSL connection (756kb/250kb actual measured 600kb/300kb.)

                            ZeroTier must use some kind of compression so might help with your speed issues. I have 5mbps upload at home. Did an upload test with iPerf between my house and my work office and saw 5mbps with Hamachi:

                            0_1452090858124_hamachi.png

                            Did the same test with ZeroTier between the same endpoints:

                            0_1452090880951_zerotier.png

                            That makes me go "What is going on here, something is not right."

                              Dashrender

                              Something seems flawed with the test - shouldn't be doing a speed test with compressible data.

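The concern above about compressible test data, worked through as an added example that is not part of the original thread. It assumes a hypothetical tunnel that compresses each packet before sending it, uses zlib as a stand-in compressor, and uses a constructed repeating-digit buffer as the benchmark payload; random bytes stand in for data that is already encrypted or compressed. It makes no claim about what ZeroTier or Hamachi actually do.

```python
import os
import zlib

CHUNK = 1400  # assumed per-packet payload size for the hypothetical tunnel


def digit_pattern(n: int) -> bytes:
    """Constructed benchmark buffer: ASCII digits 0-9 repeating (highly compressible)."""
    return bytes(0x30 + (i % 10) for i in range(n))


def compression_ratio(payload: bytes, chunk: int = CHUNK) -> float:
    """Application bytes divided by the bytes that would actually cross the link.

    Each chunk is compressed on its own, as a packet-oriented tunnel would do.
    zlib is a stand-in compressor, not any product's real algorithm.
    """
    if not payload:
        return 1.0
    wire = 0
    for off in range(0, len(payload), chunk):
        block = payload[off:off + chunk]
        packed = zlib.compress(block, 6)
        # One flag byte marks the chunk as compressed or raw; raw is used
        # whenever compression would make the chunk bigger.
        wire += 1 + min(len(packed), len(block))
    return len(payload) / wire


def apparent_mbps(link_mbps: float, payload: bytes) -> float:
    """Throughput a benchmark would report when the physical link is saturated."""
    return link_mbps * compression_ratio(payload)


def payload_is_fair(payload: bytes, tolerance: float = 1.05) -> bool:
    """True when the payload cannot shrink enough to skew a speed test."""
    return compression_ratio(payload) <= tolerance


if __name__ == "__main__":
    size = 100 * CHUNK
    samples = (("digit pattern", digit_pattern(size)),
               ("random bytes", os.urandom(size)))
    for name, data in samples:
        print(f"{name:14s} ratio={compression_ratio(data):6.2f} "
              f"apparent={apparent_mbps(5.0, data):7.2f} Mbit/s on a 5 Mbit/s link "
              f"fair={payload_is_fair(data)}")
```

Running the same check on the buffer a benchmark tool really sends tells you whether a result above the line rate can be explained by payload compressibility alone.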
                                dafyre @Dashrender

                                @Dashrender said:

                                Something seems flawed with the test - shouldn't be doing a speed test with compressible data.

                                True. I haven't seen similar results, although a thought just hit me.

                                @quicky2g -- Were you running this test on ZeroTier to another device that is connected to the same physical lan?

                                (IE: Two ZeroTier devices in the same building?)

                                  quicky2g @dafyre

                                  @dafyre said:

                                  @Dashrender said:

                                  Something seems flawed with the test - shouldn't be doing a speed test with compressible data.

                                  True. I haven't seen similar results, although a thought just hit me.

                                  @quicky2g -- Were you running this test on ZeroTier to another device that is connected to the same physical lan?

                                  (IE: Two ZeroTier devices in the same building?)

                                  Was going across a WAN.

                                  When I did a LAN test between 2 devices on the same Gigabit switch I also got better results than Hamachi and almost as good as LAN IP's.

                                  Gig LAN iPerf (Regular LAN IP’s):

                                  0_1452092207498_Gig LAN Test.png

                                  Hamachi LAN iPerf:

                                  0_1452092241605_Hamachi LAN Test.png

                                  ZeroTier LAN iPerf:

                                  0_1452092275939_ZeroTier LAN Test.png

                                    dafyre

                                    @quicky2g -- Those are some good numbers to see. It is important to note that if two ZT devices are on the same network subnet, then ZT will communicate directly over the LAN (the traffic will never leave your network). That's likely the reason for the good speeds.

                                    Also are you doing your WAN test with UDP or TCP? (I think with UDP, you could see the higher rates, as UDP doesn't have to confirm delivery of the data).

                                      travisdh1

                                      "What encryption algorithms are used?
                                      ZeroTier currently uses 256-bit Curve25519 elliptic curve Diffie-Hellman for shared key agreement and Ed25519 for elliptic curve signatures. 256-bit Salsa20 with Poly1305 authentication is used to encrypt traffic in transit. The construction and use of these algorithms is identical to the well-regarded NaCl cryptographic library."

                                      I could wish for 512 bit where it's available, but 256-bit ECCDH and Salsa20 + Poly1305 should be all right. I know Steve Gibson is using NaCl and ECCDH in his SQRL protocol, so should be ok. So long as implementation isn't funky, it should be good.

                                        quicky2g @dafyre

                                        @dafyre said:

                                        @quicky2g -- Those are some good numbers to see. It is important to note that if two ZT devices are on the same network subnet, then ZT will communicate directly over the LAN (the traffic will never leave your network). That's likely the reason for the good speeds.

                                        Also are you doing your WAN test with UDP or TCP? (I think with UDP, you could see the higher rates, as UDP doesn't have to confirm delivery of the data).

                                        Wasn't sure if iPerf used TCP or UDP as default so had to check in Wireshark. Looks like TCP is default. Makes sense that UDP would get better results but have never been able to find a different combo of options for iPerf that got me better results. Anyone else use iPerf?

                                          travisdh1 @travisdh1

                                          @travisdh1 said:

                                          I could wish for 512 bit where it's available, but 256-bit ECCDH and Salsa20 + Poly1305 should be all right. I know Steve Gibson is using NaCl and ECCDH in his SQRL protocol, so should be ok. So long as implementation isn't funky, it should be good.

                                          Some odd seeming results for me as well. This is between the two locations here.

                                          iperf over ZeroTier
                                          pm7:~# iperf -c 10.147.17.117

                                          Client connecting to 10.147.17.117, TCP port 5001
                                          TCP window size: 35.2 KByte (default)

                                          [ 3] local 10.147.17.239 port 55229 connected with 10.147.17.117 port 5001
                                          [ ID] Interval Transfer Bandwidth
                                          [ 3] 0.0-10.1 sec 11.1 MBytes 9.21 Mbits/sec
                                          pm7:~# iperf -c 10.147.17.117

                                          Client connecting to 10.147.17.117, TCP port 5001
                                          TCP window size: 35.2 KByte (default)

                                          [ 3] local 10.147.17.239 port 55231 connected with 10.147.17.117 port 5001
                                          [ ID] Interval Transfer Bandwidth
                                          [ 3] 0.0-10.2 sec 13.2 MBytes 10.9 Mbits/sec

                                          ZeroTier Network Traceroute
                                          pm7:~# traceroute 10.147.17.117
                                          traceroute to 10.147.17.117 (10.147.17.117), 30 hops max, 60 byte packets
                                          1 10.147.17.117 (10.147.17.117) 105.785 ms 106.404 ms 106.404 ms

                                          traceroute between the two external networks
                                          @virt2:~# traceroute ???????.poweredbyclear.com
                                          traceroute to brouter2.poweredbyclear.com (24.166.55.233), 30 hops max, 60 byte packets
                                          1 192.168.4.5 (192.168.4.5) 0.746 ms 1.035 ms 1.341 ms
                                          2 oh-71-51-112-1.dhcp.embarqhsd.net (71.51.112.1) 33.373 ms 35.036 ms 36.967 ms
                                          3 mnfd-agw1.inet.qwest.net (75.160.216.17) 38.446 ms 40.185 ms 42.587 ms
                                          4 chp-brdr-04.inet.qwest.net (67.14.8.238) 66.026 ms 68.712 ms 70.119 ms
                                          5 206.111.2.153.ptr.us.xo.net (206.111.2.153) 70.872 ms 73.320 ms 75.035 ms
                                          6 207.88.15.89.ptr.us.xo.net (207.88.15.89) 77.473 ms 49.607 ms 53.741 ms
                                          7 216.1.94.146 (216.1.94.146) 55.634 ms 57.847 ms 59.770 ms
                                          8 bu-ether39.chcgildt87w-bcr00.tbone.rr.com (66.109.1.67) 68.413 ms bu-ether19.chcgildt87w-bcr00.tbone.rr.com (107.14.17.193) 65.995 ms bu-ether39.chcgildt87w-bcr00.tbone.rr.com (66.109.1.67) 70.655 ms
                                          9 bu-ether11.chctilwc00w-bcr00.tbone.rr.com (66.109.6.21) 72.059 ms 74.765 ms 77.680 ms
                                          10 be1.clmkohpe01r.midwest.rr.com (107.14.19.17) 85.908 ms 89.504 ms be3.clmkohpe01r.midwest.rr.com (107.14.19.61) 90.992 ms
                                          11 be1.pltsohae01r.midwest.rr.com (65.29.1.29) 100.139 ms 102.326 ms 107.417 ms
                                          12 tge9-1.mlbgoh0202h.midwest.rr.com (24.33.101.101) 68.140 ms 67.154 ms 69.541 ms
                                          13 tge18-10.mlbgoh0201m.midwest.rr.com (24.164.100.6) 71.648 ms 74.098 ms 86.917 ms

                                          So far nothing I can see should be getting that sort of speed, unless some major compression is happening somewhere. In which case I'm going to shoot for that xrdp setup.

                                            dafyre @travisdh1

                                            @travisdh1 said:

                                            @quicky2g said:

                                            @travisdh1 said:

                                            @dafyre said:

                                            @travisdh1 said:

                                            I'm really liking how easy it is to set up. Just want to see some security review by a trusted security person before I go ahead and roll it out. Anyone seen a review on it from someone like Steve Gibson, Brian Krebs, or the like?

                                            If you haven't read up in the FAQ yet, check it out here: https://www.zerotier.com/tech_faq.shtml -- especially the security section.

                                            What kind of use case are you seeing for it?

                                            I've got two locations, one with the worst "high-speed" internet you're likely to find outside of satellite (good riddance to satellite!) 1 vm host and 1 backup target at each location. Either XenServer or ProxMox running on the servers. I'm thinking I'll be able to manage most things at both sites with a jumpbox vm. Maybe even make xrdp available as well, tho that would be painful with the DSL connection (756kb/250kb actual measured 600kb/300kb.)

                                            ZeroTier must use some kind of compression so might help with your speed issues. I have 5mbps upload at home. Did an upload test with iPerf between my house and my work office and saw 5mbps with Hamachi:

                                            0_1452090858124_hamachi.png

                                            Did the same test with ZeroTier between the same endpoints:

                                            0_1452090880951_zerotier.png

                                            That makes me go "What is going on here, something is not right."

                                            I'm going to tag @adam-ierymenko and see what his take on that is. He's one of the ZT Guys.
