ZeroTier vs VPN
-
@Romo said in ZeroTier vs VPN:
Considering this use case:
Remote users wanting to RDP into
- Main Server (this will really be the main place to connect)
- Accounting user's pc
- Owner's pc
When would using ZeroTier be a better idea than setting up a remote access VPN (L2TP/IPSec)? Would this case be a proper case to use it considering the whole lan is not necessary to be accessible?
What are your opinions about this
What is on the Main server?
Are you going to use RDP to connect to these systems? -
In the strictest sense ZT is a VPN. It is just a one to one IaaS that is routed through the cloud on ZT's systems instead of your edge. You can achieve the same effective security through rules on most VPN servers. ZT just makes it simpler, and reduces your ongoing effort assuming that 1 to 1 or 1 to few is your primary access model.
-
@Kelly said in ZeroTier vs VPN:
In the strictest sense ZT is a VPN. It is just a one to one IaaS that is routed through the cloud on ZT's systems instead of your edge. You can achieve the same effective security through rules on most VPN servers. ZT just makes it simpler, and reduces your ongoing effort assuming that 1 to 1 or 1 to few is your primary access model.
I am pretty sure that it doesn't actually route the traffic through their systems. It only brokers the connections. If their system goes down, your systems will remain connected until you lose connectivity for another reason; like if you power down or disconnect from the internet.
And, that is all predicated upon you using their service to provide the broker. If you have your own connection broker, then it has nothing to do with their systems at all.
-
@Romo said in ZeroTier vs VPN:
Considering this use case:
Remote users wanting to RDP into
- Main Server (this will really be the main place to connect)
- Accounting user's pc
- Owner's pc
When would using ZeroTier be a better idea than setting up a remote access VPN (L2TP/IPSec)? Would this case be a proper case to use it considering the whole lan is not necessary to be accessible?
What are your opinions about this
I think this is a good use Case for ZT. Just be aware that if your 'Main Server' is joined to AD, that you uncheck the Register DNS option on the Zero Tier adapter on it.
-
@wrx7m said in ZeroTier vs VPN:
@Kelly said in ZeroTier vs VPN:
In the strictest sense ZT is a VPN. It is just a one to one IaaS that is routed through the cloud on ZT's systems instead of your edge. You can achieve the same effective security through rules on most VPN servers. ZT just makes it simpler, and reduces your ongoing effort assuming that 1 to 1 or 1 to few is your primary access model.
I am pretty sure that it doesn't actually route the traffic through their systems. It only brokers the connections. If their system goes down, your systems will remain connected until you lose connectivity for another reason; like if you power down or disconnect from the internet.
And, that is all predicated upon you using their service to provide the broker. If you have your own connection broker, then it has nothing to do with their systems at all.
Yes, no, and it depends: https://www.zerotier.com/manual.shtml#2_1_1. My point still stands. ZT is a virtual private network. There are scenarios where it makes sense for them to do their magic. There are scenarios where it doesn't.
-
@Romo -- If this is a full scale RDS setup, you could also set up the RDGW (Remote Desktop Gateway) and not have to use ZT.
-
@dafyre said in ZeroTier vs VPN:
@Romo -- If this is a full scale RDS setup, you could also set up the RDGW (Remote Desktop Gateway) and not have to use ZT
That would involve added licensing no?
So what they where doing is basically port forwarding rdp to the server and the other desktops. Their current router/ap combo that acts as a gateway can't do any sort of VPN. We tried getting a Zyxel USG40 they had in storage up and running as their new gateway, but it appears to have been setup previously (wrongly) and we couldn't get it to reset to factory settings yesterday.
So I did end up setting up a zerotier test for him on two machines (he needed the access) so he could test it out and see how it worked for him. He did really like the ease of setup, as he even messaged me again when he installed the ZeroTier client on the remote system and how he easily joined the machine to the network and authed the machine once it appeared in the management portal.
I'll talk with him later today and hear more of his opinion.
-
@Romo said in ZeroTier vs VPN:
@dafyre said in ZeroTier vs VPN:
@Romo -- If this is a full scale RDS setup, you could also set up the RDGW (Remote Desktop Gateway) and not have to use ZT
That would involve added licensing no?
Potentially, yeah - if youe don't already have RDS Cals. The RDGW can run on the same system that folks would be connecting to, so you could have an entire RDS setup (RD Licensing server, RD Host, RD Connection Broker and RD Gateway) all run on the same box.
So what they where doing is basically port forwarding rdp to the server and the other desktops. Their current router/ap combo that acts as a gateway can't do any sort of VPN. We tried getting a Zyxel USG40 they had in storage up and running as their new gateway, but it appears to have been setup previously (wrongly) and we couldn't get it to reset to factory settings yesterday.
So I did end up setting up a zerotier test for him on two machines (he needed the access) so he could test it out and see how it worked for him. He did really like the ease of setup, as he even messaged me again when he installed the ZeroTier client on the remote system and how he easily joined the machine to the network and authed the machine once it appeared in the management portal.
I'll talk with him later today and hear more of his opinion.
If ZT Works well, I see no reason to change it!
The question then becomes: If ZT Works well, do you want folks setting up their own ZT Accounts, or would your rather have a company managed one?
-
@dafyre FFS just stop with all the stupid.
-
@Romo said in ZeroTier vs VPN:
Remote users wanting to RDP into
- Main Server (this will really be the main place to connect)
This is a windows server correct?
Then you need RDS licensing for this no matter what, even to remote into it from in the office. The only reason to use ZeroTier is simply to not expose RDS to the public internet.- Accounting user's pc
- Owner's pc
ZeroTier on these devices is a very typical use case.
-
@Kelly said in ZeroTier vs VPN:
In the strictest sense ZT is a VPN. It is just a one to one IaaS that is routed through the cloud on ZT's systems instead of your edge. You can achieve the same effective security through rules on most VPN servers. ZT just makes it simpler, and reduces your ongoing effort assuming that 1 to 1 or 1 to few is your primary access model.
I haven't used it but why does ZT makes it easier? You have to install it on every machine you want access to, right? And I assume you have to setup some kind of routing on a computer if you want access to something on the network where you can't install ZT, like an appliance or something like an ilo interface.
With an OpenVPN (SSL VPN) connection through the firewall you have a routable VPN and no NAT problems. You can put whatever access to whatever resources you want without installing anything anywhere. And you have everything in one place.
I though ZT was a peer to peer network. So it would make most sense when there are no LAN or central resources and everything is spread out. But that not the network layout in this case.
-
@JaredBusch said in ZeroTier vs VPN:
@Romo said in ZeroTier vs VPN:
Remote users wanting to RDP into
- Main Server (this will really be the main place to connect)
This is a windows server correct?
Then you need RDS licensing for this no matter what, even to remote into it from in the office. The only reason to use ZeroTier is simply to not expose RDS to the public internet.Licensing is already set as that is what they have been using internally as well for the users that need to RDP into the server.
From what he told me today, externally he really only wants access for himself to connect to the server as the admin, apparently, he is his own IT.
- Accounting user's pc
- Owner's pc
ZeroTier on these devices is a very typical use case.
He just mentioned a couple of more users but all of them will be only RDP into their own machine as well. Guess zerotier will serve him well without the need to acquire a new router for now.
-
@Pete-S said in ZeroTier vs VPN:
I though ZT was a peer to peer network. So it would make most sense when there are no LAN or central resources and everything is spread out. But that not the network layout in this case.
It is. But it does lots of things.
-
@Pete-S said in ZeroTier vs VPN:
I haven't used it but why does ZT makes it easier? You have to install it on every machine you want access to, right?
You can, but you don't have to. They have made gateway products for years. And now it is available on Ubiquiti edge points.
-
It's listed on my OpnSense box also. Takes a bit of effort. Haven't tried it yet
-
@scotth said in ZeroTier vs VPN:
It's listed on my OpnSense box also. Takes a bit of effort. Haven't tried it yet
It works well on OPNSense. I'm using that now as the router for a lab now.
-
@Pete-S said in ZeroTier vs VPN:
@Kelly said in ZeroTier vs VPN:
In the strictest sense ZT is a VPN. It is just a one to one IaaS that is routed through the cloud on ZT's systems instead of your edge. You can achieve the same effective security through rules on most VPN servers. ZT just makes it simpler, and reduces your ongoing effort assuming that 1 to 1 or 1 to few is your primary access model.
I haven't used it but why does ZT makes it easier? You have to install it on every machine you want access to, right? And I assume you have to setup some kind of routing on a computer if you want access to something on the network where you can't install ZT, like an appliance or something like an ilo interface.
With an OpenVPN (SSL VPN) connection through the firewall you have a routable VPN and no NAT problems. You can put whatever access to whatever resources you want without installing anything anywhere. And you have everything in one place.
I though ZT was a peer to peer network. So it would make most sense when there are no LAN or central resources and everything is spread out. But that not the network layout in this case.
You do have to install it on every machine. It is easier in the sense that to achieve the same level of lockdown paired with user specific access you would need to do a fair bit of work on your edge and keep it maintained. Deploying software to clients should be pretty straightforward if you're using quality tools: https://chocolatey.org/packages/zerotier-one.