by 0x100000 3692 days ago
Hey thanks for posting this!

I'm an engineer for one of the projects over at ZeroTier. It's neat to see this pop up on HN. If anyone has any questions about our technology or services, let us know. We'll keep an eye on this thread!

6 comments

It was the best thing I found lately for creating a network without defining specific endpoints. I was pretty much looking for something like Hamachi, but more professional. End to end encryption is great too.

I was pleasantly surprised that I can just create a network with IPv6 and broadcast enabled and things like mDNS/Avahi "just work". Being able to enable "any protocol" rather than just IPv4/6 is great too. In practice you get a private encrypted network with non-colliding addressing, route optimizing (two hosts behind a NAT will talk directly), and mDNS working out of the box. What else would you ever need? The Android app is a cherry on top.

(ZeroTier founder here.)

iOS app is shipping next week. Approved by Apple, just waiting on a DUNS number (sigh).

How does the iOS app work? Does it add a new VPN type or something?

Edit: this is super exciting, btw. This will finally let me run some of my services exclusively on my ZT network instead of publicly.

The iOS app creates a VPN connection, yes, but it runs p2p. Same as Android.

It's approved. We're just waiting on a DUNS number for ZeroTier, Inc. :P

We also have experimented internally with network containers for iOS and Android apps, but that's a whole different use case:

https://www.zerotier.com/product-netcon.shtml

Network Containers is our experimental tech for allowing apps to join virtual networks with no kernel/OS involvement via a private mini IP stack. You can do P2P networking between instances of your app, other apps, servers, and anything else ("connect all the things") using standard network code, Posix network APIs, and familiar protocols like HTTP.

Is there any way to turn compression off to reduce CPU consumption by the ZeroTier process?

Also, one big concern we have is using the standard/default discovery servers to run our network. Is there any guidance on self-hosting the discovery servers ourselves?

Lastly, can ZT assign IPs for us automatically using some kind of DHCP? Is there any documentation about how it works in case of network partitions?

(ZeroTier founder here.)

Turning off compression: noted. We also might permit a no-encryption mode for trusted backplane networks for data center SDN use in the future.

There's no federation for the root servers yet. We have numerous ideas on how to implement this but it's not a current priority. It has to be done with care to avoid sacrificing speed, security, or ability to upgrade.

You can read some of the reasoning behind ZeroTier's design here:

http://adamierymenko.com/decentralization-i-want-to-believe/

TL;DR: we chose a design that delivers instant-on zero-configuration operation, security, and very fast (<5s) connection setup between any two devices on Earth at the expense of adding a small amount of centralization to the system. We also avoided certain technologies like DHTs because we wanted the endpoint software to be small enough to run on small embedded devices with limited bandwidth, CPU, and memory and on mobile phones with bandwidth and power limits. Our root server based architecture achieves all this.

The root servers are two-times redundant. There are two root servers and each of these is geo-distributed across six nodes. These are also spread across four cloud hosting ISPs. Any combination of up to 11 roots total can fail without the system being significantly impacted since each root individually has enough power to carry the whole net. All roots are secured with physical two-factor authentication and only permit ssh access from a set of secret gateway IPs (also secured with 2fa).

Root locations are: San Francisco, New York, Dallas, Toronto, Amsterdam, Paris, Frankfurt, Johannesburg (SA), Sao Paulo (BR), Tokyo, Sydney, and Singapore. Almost everyone on Earth gets <100ms ping to at least one.

As far as I understand it, the binary contains compiled-in IP addresses for public nodes operated by ZeroTier. By recompiling you can run your own; they are not special in any way as I understand it. And if they go down your network will not suffer, they are only used for initial setup.

Separate from this you also have the option of running your own network manager. This will allow you to create and manage your own virtual networks, with your own GUI, billing, etcetera. The ZeroTier binary can be compiled with a special option to extend the built-in REST API for that.

See: https://github.com/zerotier/ZeroTierOne/tree/master/service

So, does it find the best route between 2 computers, or just a route? For instance, if half the computers are on a local network together, does it find them via that network, or does it go to the internet and then back to connect them to each other?

The initial configuration requires talking to a node on the internet. But I have two nodes behind the same NAT and they're happy to talk directly using UDP (verified with Wireshark), without routing over the internet. The standard encryption is still used.

I'd be interested to know if it uses something like STUN/ICE to punch through two different NATs... don't have two NATs to try at the moment.

Thanks! I'm fine with a constant connection to the net, and even locating each computer that way, but I want the computers to then talk directly to each other. (At least until the IPs change, etc.) It sounds like it'll do it. Thanks for the info!

This is a bit late, but do you have any performance numbers for ZeroTier? Also, is it multithreaded? tinc is not, and that limits the throughput to ~0.5Gbps.

Hi, I just did a short test and it looks really promising. It also has an Android app! This is really the selling point for me :)

BUT I really do not believe that this is the way an RPM package should look. I know that it is not easy, especially for smaller companies, to provide packages for all the platforms. In this state, it would be much better to just provide a .tar.gz archive. It's just my opinion ;)

(ZeroTier founder here.)

We're working on better RPMs and DEBs and on getting into Debian itself and hopefully EPEL/Fedora. Right now the packages are minimal and not entirely correct (though they do work).

Hi, I'm trying to authorize my nodes, but I can't find the "authorized" check box. I tried clicking the black tick sign, but it didn't work.

Edit: I followed this blog post: https://www.zerotier.com/blog/?p=176

Are your nodes marked as "online" or "offline" in the panel? Does your node think it's online? (zerotier-cli info)

Have you tried turning it off and on again? ;) (restart zerotier-one)

I added the node id manually in the panel and the nodes saw each other within seconds of joining.

Thanks! I added manually and it works now. :D