Question for anyone who knows: say I've got a few VMs in a private network (on e.g. DigitalOcean), and want to connect them to a corporate Intranet. If I've got a Docker container sitting on a public bridge interface of one of those VMs, running a VPN daemon, is that container separated enough from its host to be effectively used as the VPN gateway for the rest of the network the VMs are on—including the VM hosting the container? Or do I really need a separate VM to serve that function?
I ask because, in the case where I've only got one VM to bridge into a corporate Intranet, I always want to set that VM up with a network-to-network VPN (instead of just making it a VPN client) in case its network grows from one node to several. But adding a whole extra VPN gateway instance just to serve a "network" of one machine is a pretty high overhead for a small project.
You can run this inside Docker containers with a few extra capabilities (allow tap, allow ioctls) which is probably similar to what you need for other in-container solutions. You can also run it on intranet servers, desktops, phones, etc., and connect everything to a common virtual backplane.
Edit: you can also bridge this to docker0 since it supports Ethernet bridging and run it on a Docker host. We're working on better/cleaner Docker integration but it's all doable now. Just takes a bit of sysadmin know-how.
ZeroTier looks amazing and exactly like what I've been searching for. I'm testing and installing it right now, hopefully we'll be happy users soon.
One minor comment: while reading through the home page the question I first wanted to see answered was 'how do I control who joins my private network', because the technical FAQ says 'Certificates are used instead of access control lists to permit huge networks. An access control list for a network with millions of devices would become unmanageably large.'
I understand this is the technical implementation, but from a user's perspective it actually is an access control list, as on the web interface it is simply a list of IDs which can be approved or declined.
The VPN space really needed a solution like this, congrats for rocking!
It looks very promising and I just installed ZeroTier One on my Mac (running El Capitan). However, the app appears as a blank grey window with no text/buttons. Are there prerequisites to running the app?
I can't use the mouse wheel to scroll at all on your homepage and have to use the scroll bars. Please don't break scroll behavior for whiz-bang effects.
How's the performance of this utilizing the Docker controlled NAT? Especially with UDP, it seems like the significant latency overhead of Docker would dramatically impact the viability of running a VPN server.
You may optionally add "--net=host" to the "docker run" command to let the container use the host's network stack directly. That should eliminate the overhead I think.
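To make the two run modes discussed in this thread concrete (the "extra capabilities" approach versus `--net=host`), here is an added helper script; it is not code from any commenter or from ZeroTier, and the image name, config path and port are assumptions.

```shell
#!/bin/sh
# Added example: build a least-privilege "docker run" line for a VPN daemon
# container in the two network modes discussed above.
# Assumed names: image "example/vpn-daemon", config dir /srv/vpn, port 1194/udp.

# Emit the docker run command for the given network mode: "bridge" or "host".
vpn_run_cmd() {
    mode="$1"
    image="${2:-example/vpn-daemon}"   # assumed image name
    # Both modes: drop every capability, then add back only what a TUN/TAP
    # daemon needs (NET_ADMIN covers the tunnel-interface ioctls), and pass
    # the tunnel device node instead of falling back to --privileged.
    common="--cap-drop=ALL --cap-add=NET_ADMIN --device=/dev/net/tun \
-v /srv/vpn:/etc/vpn:ro --restart=unless-stopped --name vpn"
    case "$mode" in
        bridge)
            # Default Docker NAT: the host port-forwards to the container,
            # so the VPN port must be published explicitly.
            echo "docker run -d $common -p 1194:1194/udp $image"
            ;;
        host)
            # --net=host bypasses Docker's NAT: no -p needed, but the container
            # now shares the host's interfaces, so isolation is weaker.
            echo "docker run -d $common --net=host $image"
            ;;
        *)
            echo "unknown mode: $mode" >&2
            return 1
            ;;
    esac
}

# Check the host prerequisites the container will need: the tun device node,
# and IPv4 forwarding if the container is to act as a gateway for other VMs.
vpn_host_ready() {
    [ -c /dev/net/tun ] || { echo "missing /dev/net/tun (try: modprobe tun)"; return 1; }
    [ "$(cat /proc/sys/net/ipv4/ip_forward 2>/dev/null)" = "1" ] \
        || { echo "ip_forward is off: sysctl -w net.ipv4.ip_forward=1"; return 1; }
    return 0
}
```

Run `vpn_host_ready && eval "$(vpn_run_cmd bridge)"` on the VM to start the container in the NAT'd mode; switch to `host` only when the Docker NAT overhead actually matters.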
Author here. To add or manage VPN users, you can modify "run.sh" and build a new Docker image from the source repo on GitHub. Please refer to this README [1] for more info.
Any issues you're aware of with making an arm version of this container? Would love to drop this on my RPi to get an easy VPN pipe back into my home network.
I haven't looked into this yet, but I think it could work on the latest Raspbian 8 [1] which is based on Debian Jessie. You are welcome to clone the source repo on GitHub and give it a try.