    ZeroTier vs VPN

Category: IT Discussion. Tags: zerotier, vpn, l2tp. 18 Posts, 8 Posters, 5.3k Views.
dafyre @Romo

    @Romo said in ZeroTier vs VPN:

    Considering this use case:

    Remote users wanting to RDP into

    • Main Server (this will really be the main place to connect)
    • Accounting user's pc
    • Owner's pc

    When would using ZeroTier be a better idea than setting up a remote access VPN (L2TP/IPsec)? Would this be a proper case to use it, considering the whole LAN does not need to be accessible?

    What are your opinions about this?

I think this is a good use case for ZT. Just be aware that if your 'Main Server' is joined to AD, you should uncheck the Register DNS option on the ZeroTier adapter on it.


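The "Register DNS" option dafyre refers to is the adapter's "Register this connection's addresses in DNS" setting. On an AD-joined server, leaving it on lets the host publish its ZeroTier address into AD DNS, after which LAN clients may resolve the server to an address they cannot reach. The PowerShell below is an added example, not code from the thread: it locates the ZeroTier adapter and turns the option off. The 'ZeroTier*' interface-description filter is an assumption about how the driver names itself.

```powershell
# Added example (not from the thread): turn off dynamic DNS registration on the
# ZeroTier adapter of an AD-joined Windows host, so the server does not publish
# its ZeroTier address into AD DNS. The 'ZeroTier*' description filter is an
# assumption about how the driver names itself. Run from an elevated shell.

$adapters = Get-NetAdapter | Where-Object { $_.InterfaceDescription -like 'ZeroTier*' }
if (-not $adapters) { throw 'No ZeroTier adapter found on this host.' }

foreach ($nic in $adapters) {
    $dns = Get-DnsClient -InterfaceIndex $nic.ifIndex
    if ($dns.RegisterThisConnectionsAddress) {
        # Same setting as the "Register this connection's addresses in DNS" checkbox.
        Set-DnsClient -InterfaceIndex $nic.ifIndex -RegisterThisConnectionsAddress $false
        Write-Host "Disabled DNS registration on '$($nic.Name)'."
    } else {
        Write-Host "DNS registration was already off on '$($nic.Name)'."
    }

    # Show the result next to the address that would otherwise have been registered.
    Get-DnsClient -InterfaceIndex $nic.ifIndex |
        Select-Object InterfaceAlias, RegisterThisConnectionsAddress
    Get-NetIPAddress -InterfaceIndex $nic.ifIndex -AddressFamily IPv4 -ErrorAction SilentlyContinue |
        Select-Object InterfaceAlias, IPAddress
}
```

Turning the option off stops future registrations only. If the server had already registered its ZeroTier address, that A record stays in the AD zone until scavenging removes it, so check the zone on a domain controller (Get-DnsServerResourceRecord from the DnsServer module) for a record carrying the ZeroTier address and remove it by hand.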
Kelly @wrx7m

    @wrx7m said in ZeroTier vs VPN:

        @Kelly said in ZeroTier vs VPN:

        In the strictest sense ZT is a VPN. It is just a one to one IaaS that is routed through the cloud on ZT's systems instead of your edge. You can achieve the same effective security through rules on most VPN servers. ZT just makes it simpler, and reduces your ongoing effort assuming that 1 to 1 or 1 to few is your primary access model.

    I am pretty sure that it doesn't actually route the traffic through their systems. It only brokers the connections. If their system goes down, your systems will remain connected until you lose connectivity for another reason, like if you power down or disconnect from the internet.

    And, that is all predicated upon you using their service to provide the broker. If you have your own connection broker, then it has nothing to do with their systems at all.

Yes, no, and it depends: https://www.zerotier.com/manual.shtml#2_1_1. My point still stands. ZT is a virtual private network. There are scenarios where it makes sense for them to do their magic. There are scenarios where it doesn't.

dafyre

@Romo -- If this is a full scale RDS setup, you could also set up the RDGW (Remote Desktop Gateway) and not have to use ZT.

Romo @dafyre

    @dafyre said in ZeroTier vs VPN:

    @Romo -- If this is a full scale RDS setup, you could also set up the RDGW (Remote Desktop Gateway) and not have to use ZT

That would involve added licensing, no?

So what they were doing is basically port forwarding RDP to the server and the other desktops. Their current router/AP combo that acts as a gateway can't do any sort of VPN. We tried getting a Zyxel USG40 they had in storage up and running as their new gateway, but it appears to have been set up previously (wrongly) and we couldn't get it to reset to factory settings yesterday.

So I did end up setting up a ZeroTier test for him on two machines (he needed the access) so he could test it out and see how it worked for him. He really liked the ease of setup; he even messaged me again when he installed the ZeroTier client on the remote system, saying how easily he joined the machine to the network and authorized it once it appeared in the management portal.

I'll talk with him later today and hear more of his opinion.

dafyre @Romo

    @Romo said in ZeroTier vs VPN:

        @dafyre said in ZeroTier vs VPN:

        @Romo -- If this is a full scale RDS setup, you could also set up the RDGW (Remote Desktop Gateway) and not have to use ZT

    That would involve added licensing, no?

Potentially, yeah - if you don't already have RDS CALs. The RDGW can run on the same system that folks would be connecting to, so you could have an entire RDS setup (RD Licensing server, RD Host, RD Connection Broker and RD Gateway) all run on the same box.

    So what they were doing is basically port forwarding RDP to the server and the other desktops. Their current router/AP combo that acts as a gateway can't do any sort of VPN. We tried getting a Zyxel USG40 they had in storage up and running as their new gateway, but it appears to have been set up previously (wrongly) and we couldn't get it to reset to factory settings yesterday.

    So I did end up setting up a ZeroTier test for him on two machines (he needed the access) so he could test it out and see how it worked for him. He really liked the ease of setup; he even messaged me again when he installed the ZeroTier client on the remote system, saying how easily he joined the machine to the network and authorized it once it appeared in the management portal.

    I'll talk with him later today and hear more of his opinion.

If ZT works well, I see no reason to change it!

The question then becomes: if ZT works well, do you want folks setting up their own ZT accounts, or would you rather have a company-managed one?

JaredBusch

@dafyre FFS just stop with all the stupid.

JaredBusch @Romo

    @Romo said in ZeroTier vs VPN:

    Remote users wanting to RDP into

    • Main Server (this will really be the main place to connect)

This is a Windows server, correct?
Then you need RDS licensing for this no matter what, even to remote into it from in the office. The only reason to use ZeroTier is simply to not expose RDS to the public internet.

    • Accounting user's pc
    • Owner's pc

ZeroTier on these devices is a very typical use case.

1337 @Kelly (last edited by 1337)

    @Kelly said in ZeroTier vs VPN:

    In the strictest sense ZT is a VPN. It is just a one to one IaaS that is routed through the cloud on ZT's systems instead of your edge. You can achieve the same effective security through rules on most VPN servers. ZT just makes it simpler, and reduces your ongoing effort assuming that 1 to 1 or 1 to few is your primary access model.

I haven't used it, but why does ZT make it easier? You have to install it on every machine you want access to, right? And I assume you have to set up some kind of routing on a computer if you want access to something on the network where you can't install ZT, like an appliance or something like an iLO interface.

With an OpenVPN (SSL VPN) connection through the firewall you have a routable VPN and no NAT problems. You can put whatever access to whatever resources you want without installing anything anywhere. And you have everything in one place.

I thought ZT was a peer-to-peer network. So it would make the most sense when there are no LAN or central resources and everything is spread out. But that's not the network layout in this case.

Romo @JaredBusch

    @JaredBusch said in ZeroTier vs VPN:

        @Romo said in ZeroTier vs VPN:

        Remote users wanting to RDP into

        • Main Server (this will really be the main place to connect)

    This is a Windows server, correct?
    Then you need RDS licensing for this no matter what, even to remote into it from in the office. The only reason to use ZeroTier is simply to not expose RDS to the public internet.

Licensing is already set, as that is what they have been using internally as well for the users that need to RDP into the server.

From what he told me today, externally he really only wants access for himself to connect to the server as the admin; apparently, he is his own IT.

        • Accounting user's pc
        • Owner's pc

    ZeroTier on these devices is a very typical use case.

He just mentioned a couple more users, but all of them will only RDP into their own machines as well. Guess ZeroTier will serve him well without the need to acquire a new router for now.

scottalanmiller @1337

    @Pete-S said in ZeroTier vs VPN:

    I thought ZT was a peer-to-peer network. So it would make the most sense when there are no LAN or central resources and everything is spread out. But that's not the network layout in this case.

It is. But it does lots of things.

scottalanmiller @1337

    @Pete-S said in ZeroTier vs VPN:

    I haven't used it, but why does ZT make it easier? You have to install it on every machine you want access to, right?

You can, but you don't have to. They have made gateway products for years. And now it is available on Ubiquiti edge points.

scotth

It's listed on my OPNsense box also. Takes a bit of effort. Haven't tried it yet.

dafyre @scotth

    @scotth said in ZeroTier vs VPN:

    It's listed on my OPNsense box also. Takes a bit of effort. Haven't tried it yet.

It works well on OPNsense. I'm using that as the router for a lab now.

Kelly @1337

    @Pete-S said in ZeroTier vs VPN:

        @Kelly said in ZeroTier vs VPN:

        In the strictest sense ZT is a VPN. It is just a one to one IaaS that is routed through the cloud on ZT's systems instead of your edge. You can achieve the same effective security through rules on most VPN servers. ZT just makes it simpler, and reduces your ongoing effort assuming that 1 to 1 or 1 to few is your primary access model.

    I haven't used it, but why does ZT make it easier? You have to install it on every machine you want access to, right? And I assume you have to set up some kind of routing on a computer if you want access to something on the network where you can't install ZT, like an appliance or something like an iLO interface.

    With an OpenVPN (SSL VPN) connection through the firewall you have a routable VPN and no NAT problems. You can put whatever access to whatever resources you want without installing anything anywhere. And you have everything in one place.

    I thought ZT was a peer-to-peer network. So it would make the most sense when there are no LAN or central resources and everything is spread out. But that's not the network layout in this case.

You do have to install it on every machine. It is easier in the sense that to achieve the same level of lockdown paired with user-specific access you would need to do a fair bit of work on your edge and keep it maintained. Deploying software to clients should be pretty straightforward if you're using quality tools: https://chocolatey.org/packages/zerotier-one.

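The Chocolatey route Kelly links, combined with the join-and-authorize step Romo describes earlier in the thread, can be scripted end to end. The PowerShell below is an added example, not code from the thread or from ZeroTier: it installs the client, waits for the local service, requests membership of a network, and prints the node ID that has to be authorized in the management portal. The network ID is a placeholder, and the zerotier-cli.bat location under C:\ProgramData\ZeroTier\One is assumed from a default install.

```powershell
# Added example (not from the thread): install the ZeroTier One client with
# Chocolatey, join a network, and report the node ID so the member can be
# authorized in ZeroTier Central. The network ID is a placeholder; the CLI path
# is the assumed default install location. Run from an elevated shell.

$NetworkId = '<network-id>'   # placeholder: replace with your 16-hex-digit network ID
$Cli       = 'C:\ProgramData\ZeroTier\One\zerotier-cli.bat'   # assumed default path

if (-not (Get-Command choco -ErrorAction SilentlyContinue)) {
    throw 'Chocolatey is not installed on this host.'
}
if ($NetworkId -notmatch '^[0-9a-f]{16}$') {
    throw 'Replace the placeholder NetworkId with a real 16-hex-digit network ID.'
}

# Non-interactive install; -y accepts the package prompts.
choco install zerotier-one -y --no-progress
if ($LASTEXITCODE -ne 0) { throw "choco install failed (exit code $LASTEXITCODE)." }

# Wait until the local service answers. 'info' prints one line of the form:
#   200 info <nodeid> <version> ONLINE
$deadline = (Get-Date).AddSeconds(60)
$info = $null
do {
    $info = & $Cli info 2>$null
    if ($LASTEXITCODE -eq 0) { break }
    Start-Sleep -Seconds 3
} while ((Get-Date) -lt $deadline)
if ($LASTEXITCODE -ne 0) { throw 'ZeroTier service did not respond within 60 seconds.' }

$nodeId = ((($info | Select-Object -First 1) -split '\s+')[2])

# Request membership; the node stays unauthorized until approved in the portal.
& $Cli join $NetworkId
if ($LASTEXITCODE -ne 0) { throw "join $NetworkId failed (exit code $LASTEXITCODE)." }

Write-Host "Node $nodeId has requested membership of network $NetworkId."
Write-Host 'Authorize this node ID in ZeroTier Central; until then the network status below will not be OK.'
& $Cli listnetworks
```

Keeping the join step in the script rather than leaving it to the user is what makes the company-managed model dafyre asks about workable: every endpoint ends up on the network the company controls, and an unauthorized node gets no traffic until someone with portal access approves that specific node ID.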