Peer-to-peer-based VPN alternatives
ZeroTier
The last candidate in the field is ZeroTier. The project's first code on GitHub originates from mid-2013. ZeroTier generates an overlay network as a combination of software and service. The website, however, compares it with a WLAN. Peer-to-peer connections forward the data, similarly to Skype or BitTorrent. A virtual network is assigned one ID for identification, and there are public and private networks (Figure 6).
The software is available for download [4] for Linux, Mac OS X, and Windows 7. DEB and RPM packages are available for Linux, and a generic installer package is available for Intel's 32-bit and 64-bit architectures, as well as the Raspberry Pi. In the lab, I ran the installer on Gentoo Linux; the source code is available from a GitHub repository [10].
As with the other packages, you should first load the tun module. The init script you installed then starts the service. ZeroTier registers with the P2P network. You can manage ZeroTier connections using the zerotier-cli program; there is even a graphical interface for Windows and Mac OS X.
The zerotier-cli listpeers command will provide you with a list of connected nodes, and you should check whether the computer has found its way into the ZeroTier network. The output looks a bit like Listing 1. The status subcommand can also be used; however, it returns only the version, the specific node ID, and the Online or Offline status.
Listing 1
Output of zerotier-cli listpeers
The Earth network [11] with 8056c2e21c000001 as the ID is suitable for trying out the service for the first time. You join it with
zerotier-cli join 8056c2e21c000001
The listnetworks subcommand displays the connected networks and the connection status, and ifconfig -a shows the zt0 interface for the first network.
The daemon did not configure an IP address for the interface in the test. There is, however, a network configuration in the /var/lib/zerotier/networks.d/8056c2e21c000001.conf file, including the IP address assigned by the network.
Users should take the same precautions in public networks as in a public WLAN: firewall rules and encryption of the traffic that uses ZeroTier. A tcpdump on the zt0 interface immediately returned broadcast packets from other nodes. However, in contrast to the rest of the Internet, the ZeroTier tunnels are encrypted.
If users want to create a private network, they first need an account [12]. There they can, as shown in Figure 7, create a network and fine-tune the parameters. Private networks are free for up to 10 participants; ZeroTier asks for $4 per month for bigger networks. You need to enter the node IDs manually (from zerotier-cli info) or confirm them after a connection attempt, to make it impossible for all and sundry to join your private network.
ZeroTier is designed for easy operation. Participants may be able to see who the client is communicating with, but they cannot control this. The technical and security FAQs [4] provide a good overview of how the network works and what algorithms it uses. ZeroTier provides an easy-to-use solution for users who want to bypass firewalls. However, this is a genuine headache for security admins who do not want tunneled connections. A quote on the homepage (Figure 8) shows which side the ZeroTier project takes.
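A host-side check for the artefacts described above (the zt0 interface and the per-network files under /var/lib/zerotier/networks.d/), as an added example that is not part of the original article or of ZeroTier's own tooling. The allow-list argument, the private network ID 0123456789abcdef, and the zt* interface pattern are assumptions made for illustration; the sample directory is constructed.

```shell
# Added example, not from the article: audit a host for ZeroTier membership.
EARTH_ID="8056c2e21c000001"   # public Earth network ID quoted in the article

# Print joined network IDs, one per line, from <state_dir>/networks.d/<id>.conf.
zt_joined_networks() {
    state_dir="${1:-/var/lib/zerotier}"         # path as given in the article
    for conf in "$state_dir"/networks.d/*.conf; do
        [ -f "$conf" ] || continue              # glob matched nothing
        id=$(basename "$conf" .conf)
        case "$id" in *[!0-9a-fA-F]*) continue ;; esac
        if [ "${#id}" -eq 16 ]; then echo "$id"; fi   # 16 hex digits only
    done
}

# Print ZeroTier interfaces under a sysfs-style directory. Assumption: networks
# after the article's zt0 appear as zt1, zt2, ...
zt_interfaces() {
    net_dir="${1:-/sys/class/net}"
    for dev in "$net_dir"/zt*; do
        [ -e "$dev" ] || continue
        basename "$dev"
    done
}

# Usage: zt_audit <state_dir> [approved_id ...]
# Prints "<verdict> <id>" per joined network; returns 1 unless all are ALLOWED.
zt_audit() {
    audit_dir="$1"; shift
    rc=0
    for id in $(zt_joined_networks "$audit_dir"); do
        verdict="UNAPPROVED"
        for ok in "$@"; do
            if [ "$id" = "$ok" ]; then verdict="ALLOWED"; fi
        done
        # The public Earth network is flagged even if it was allow-listed.
        if [ "$id" = "$EARTH_ID" ]; then verdict="PUBLIC"; fi
        if [ "$verdict" != "ALLOWED" ]; then rc=1; fi
        echo "$verdict $id"
    done
    return "$rc"
}

# Dry run against a constructed state directory (sample data, not a real host).
demo=$(mktemp -d)
mkdir -p "$demo/networks.d"
: > "$demo/networks.d/$EARTH_ID.conf"
: > "$demo/networks.d/0123456789abcdef.conf"    # hypothetical private network
zt_audit "$demo" 0123456789abcdef || echo "policy violation on this host"
rm -rf "$demo"
```

On a live host, call zt_audit /var/lib/zerotier followed by the approved private network IDs, and run zt_interfaces with no argument to list zt* devices.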
Conclusions
The programs presented here are quite different from one another. Tinc and Freelan only work if the VPN user also controls the incoming Internet traffic, whereas this doesn't matter at all for IPOP and ZeroTier. A feature they all share is that they let you screen traffic from the eyes of the Internet and create direct links in the form of overlay networks and tunnels.
Tinc and Freelan stand up to comparison with established solutions such as OpenVPN, although Tinc has proved to be fairly impractical for larger networks because of its complex key distribution. In IPOP, the amount of time it takes to establish a connection can be a genuine pain – although maybe this just reflects the tester's impatience. The solutions cause worries in corporate security departments because they make it easy for users to undermine installed protection mechanisms.
Infos
[1] Tinc: http://www.tinc-vpn.org
[2] Freelan: http://www.freelan.org
[3] IPOP: http://ipop-project.org
[4] ZeroTier: http://www.zerotier.com
[5] Jabber: http://www.jabber.org
[6] Jingle: http://xmpp.org/extensions/xep-0166.html
[7] STUN RFC: http://tools.ietf.org/html/rfc5389
[8] TURN RFC: http://tools.ietf.org/html/rfc5766
[9] IPOP on GitHub: https://github.com/ipop-project/downloads/releases
[10] ZeroTier on GitHub: https://github.com/zerotier
[11] Earth network: https://www.zerotier.com/earth.html
[12] Admin account for ZeroTier: http://www.zerotier.com/admin.html