[zingmars]

Tinc 1.1 is actually fairly easy to set up - it's only a couple of commands for defining the name of the network, getting a link nodes can use to join etc. The only problem is that it's technically not a full release, so most distros don't carry it. Compiling isn't difficult (a simple ./configure && make && sudo make install), but it could be better. My only major issue with Tinc is lack of any central authority making it really niche - revoking keys seems to involve deleting them on each connected machine. Not fun.

From what I can tell ZeroTier seems nice as long as you're okay with using ZeroTier's servers for things (a curious trend I've noticed - so called decentralised services will always be great until you want to have fully independent servers). Sure, you can find github issues telling it's possible to set up your own planets, but the software seems somewhat complex and there's no documentation for it, and moons (what is with this lame terminology anyway?) will ping ZeroTier by default.

[GekkePrutser]

Oh thanks, I wasn't aware of that change in Tinc 1.1, I'll try it out. I'm indeed using the distro version, I compliled 1.1 once to have that network view (where you see which nodes are connected) but it wasn't that useful so I didn't bother with it. Didn't realise they simplified the joining also.

Though I never thought the joining and revocation was all that difficult anyway. I just have 2 central servers which carry every key, and the others just need to have the server keys. Everything else gets distributed automatically. So keys for clients you can keep on your servers only. You don't have to delete it from all of your clients!

I know tinc doesn't really have a client/server concept but I consider clients those devices that aren't publicly reachable (behind NAT) and not used in a ConnectTo statement.

And yeah the centralised VL1 "Planet" server in ZeroTier also bothers me. I know it plays no part in the actual access rights to the network and it can't see the traffic content, but still. I just want to run it myself.

[zingmars]

yup, `sudo tinc -n %VPNNAME% invite %CLIENTNAME%` will generate an invite URL on the server side and `tinc join %INVITEURL%` will let you join it. It's definitely really easy now, but unfortunately it's being marked as a pre-release which sets tinc back a bit imho.

As for revocation, I have a similar setup and I agree. My worry is that in a theoretical situation an attacker could get access to a network and then spread his key to the entire network and there's little you can do about it. For personal use it's fine (I use it), but because of this, I would be vary of using Tinc for some sort of production use (although I've heard of people doing it). Even if it's a big IF since you need to actually have an access to a node to generate an invite, the attack surface is still there and there's no good way to undo it.

[GekkePrutser]

Yeah, 1.1 should really go into production at some point, it's been in beta for years.

It's really a good point you have about a hacker adding themselves to the network. I never thought of that. That could happen with every client so the attack surface is pretty big. It would be great if this feature could be reserved to only certain trusted devices (like the ones I have designated 'servers').

So maybe there is a good point to at least monitor the network activity with this 1.1 feature. Hmm... Thanks for getting me thinking about this!