What are your thoughts on Using Zerotier as VPN to highly secure networks.

ElecEng

What are your thoughts on Using Zerotier as a VPN to highly secure networks?

JasGot

@eleceng said in What are your thoughts on Using Zerotier as VPN to highly secure networks.:

What are your thoughts on Using Zerotier as a VPN to highly secure networks?

How will you be configuring access to the network assets and resources? Devices at the other end of a VPN are only as secure as their environment. Be sure to consider all protections before making your decision.

Sometime HR problems with employees are your biggest security risk. For example, an employee who leave their laptop unattended in a Panera and their password is on a sticky note. Sounds silly, but it happens. When this happens, your very Secure VPN is not so secure!

dafyre

I'll echo @JasGot here. Make sure the endpoints are as secured as corporate devices.

The short answer is yes, ZT can be configured to do that.

The slightly longer answer is:

If you don't have routers that support ZT (Ubiquiti is the only one I'm aware of that does this), then you will need a VM on each network to act as a router between the ZT subnet and the other networks it is connected to.

JaredBusch

@eleceng said in What are your thoughts on Using Zerotier as VPN to highly secure networks.:

What are your thoughts on Using Zerotier as a VPN to highly secure networks?

It cannot do it. Because ZeroTier is not a VPN.

JaredBusch

@jasgot said in What are your thoughts on Using Zerotier as VPN to highly secure networks.:

How will you be configuring access to the network assets and resources? Devices at the other end of a VPN are only as secure as their environment. Be sure to consider all protections before making your decision.

While 100% true and important to consider, ZeroTier has a very flexible rules engine that will let you be very specific as to what traffic flows over it.

When COVID lockdowns hit, I simply added a new group and let that group only get RDP over ZeroTier, while others with company controlled laptops still got file sharing.

Emailed instructions on how to install ZT on their home shit, I installed it on the work desktop, and hten sent them instructions on how to RDP.

scottalanmiller

@eleceng said in What are your thoughts on Using Zerotier as VPN to highly secure networks.:

What are your thoughts on Using Zerotier as a VPN to highly secure networks?

ZeroTier isn't the issue. VPN is the issue. As VPNs go ZeroTier is great. But that's as VPNs go. VPNs are just a tool, like a hammer. They can be used to build a house, but was more often they break things.

VPNs are super high risk and should be used with extreme caution.

scottalanmiller

@jaredbusch said in What are your thoughts on Using Zerotier as VPN to highly secure networks.:

@eleceng said in What are your thoughts on Using Zerotier as VPN to highly secure networks.:

What are your thoughts on Using Zerotier as a VPN to highly secure networks?

It cannot do it. Because ZeroTier is not a VPN.

What do you mean? It's definitely a VPN.

scottalanmiller

@dafyre said in What are your thoughts on Using Zerotier as VPN to highly secure networks.:

If you don't have routers that support ZT (Ubiquiti is the only one I'm aware of that does this), then you will need a VM on each network to act as a router between the ZT subnet and the other networks it is connected to.

Only if you want a gateway style situation. There are other ways to do it.

Dashrender

@scottalanmiller said in What are your thoughts on Using Zerotier as VPN to highly secure networks.:

@dafyre said in What are your thoughts on Using Zerotier as VPN to highly secure networks.:

If you don't have routers that support ZT (Ubiquiti is the only one I'm aware of that does this), then you will need a VM on each network to act as a router between the ZT subnet and the other networks it is connected to.

Only if you want a gateway style situation. There are other ways to do it.

right, isn't the point of ZT to talk directly to other clients on the ZT network?

Devices like printers are where you run into issues, so setting up a gateway to handle them might be easiest.

ElecEng

Can zerotier work as a gateway so that all devices on a lan can be accessed? Much like Logmein hamachi in gateway mode?

scottalanmiller

@dashrender said in What are your thoughts on Using Zerotier as VPN to highly secure networks.:

right, isn't the point of ZT to talk directly to other clients on the ZT network?

Not the point, exactly, but more the "base design" that they started from.

scottalanmiller

@eleceng said in What are your thoughts on Using Zerotier as VPN to highly secure networks.:

Can zerotier work as a gateway so that all devices on a lan can be accessed? Much like Logmein hamachi in gateway mode?

Yes, exactly.

scottalanmiller

@dashrender said in What are your thoughts on Using Zerotier as VPN to highly secure networks.:

Devices like printers are where you run into issues, so setting up a gateway to handle them might be easiest.

Yes, completely.

scotth

@dafyre OPNSense has a plugin for Zerotier. Since OPNSense is a fork of PFSense, I'm guessing that PFSense might have a plugin as well.

dafyre

@scotth said in What are your thoughts on Using Zerotier as VPN to highly secure networks.:

@dafyre OPNSense has a plugin for Zerotier. Since OPNSense is a fork of PFSense, I'm guessing that PFSense might have a plugin as well.

I've used the ZT Plugin for OPNSense, it seemed to work well enough for what I used it for.