
    Best posts made by adam.ierymenko

    • RE: Is ZeroTier failing

      No we are not dead. Quite the opposite. We're growing a lot and have been very busy.

      (1) We did finally push a Chocolatey package update but it got kicked back. We're going to have to institute more of a process for maintaining our vast surface area of ports and packages. It's horribly annoying since every package manager and package repository has its own unique way of being a pain in the you-know-what.

      (2) Windows auto-updates as of 1.2.0. 1.2.6 will be coming pretty soon.

      (3) Yes we did rev our community system yet again. We're trying to iterate toward something as low-friction and interactive as possible.

      posted in IT Discussion
      adam.ierymenko
    • Announcing the ZeroTier Edge

      Since you folks have been interested in ZeroTier we've decided to announce our new hardware product here:

      https://www.indiegogo.com/projects/zerotier-edge-open-source-enterprise-vpn-sd-wan/x/17167082#/

      It's a layer 2 bridge SD-WAN appliance powered by ZeroTier. We've just launched a pre-order campaign for it and we haven't announced it more generally yet. We'd like to announce it to customers and users first. (Feel free to pass it around if you'd like.)

      posted in IT Discussion
      adam.ierymenko
    • RE: Software Defined WAN

      @dafyre We've considered making a little appliance for this, or a ready-to-run Raspberry Pi image.

      posted in IT Discussion
      adam.ierymenko
    • RE: ZeroTier: Gateway device?

      @FATeknollogee Two ways:

      1. Run ZeroTier on the device(s) themselves. Right now this varies in terms of do-ability, but we're planning more in the future here.

      2. Bridge them with an auxiliary device.

      Bridging is a subject that needs more documentation, but it's not terribly hard to do.

      Let's say you have a ZeroTier network with the IPv4 subnet 10.10.10.0/24 and you have ten devices you want to bridge in.

      The simplest thing would be to:

      1. Edit the network's IP auto-assignment configuration and reduce the assignment range to reserve, say, everything above 200 for non-ZT devices.

      2. Set up ZT on a Linux machine such as a Raspberry Pi or a Linux VM on your network. (If it's a VM, be sure the hypervisor allows bridging. Some like VMware have a setting for this.) Designate this device as an "active bridge" at the network controller level, which means it's allowed to bridge other things in. (The active bridge setting also alters its behavior in terms of multicast a bit. Bridges use slightly more bandwidth since they see more multicast traffic.)

      3. Create a Linux bridge device (instructions differ by Linux distro) br0 and add zt0 and eth0 (or wlan0, etc.) to it.

      4. Assign your phones and other devices IPs like 10.10.10.201, 10.10.10.202 manually and attach them to the network that is bridged to ZeroTier via the ZT bridge you configured above.

      ZeroTier emulates L2 Ethernet, so what you've done is created a single Ethernet network consisting of a physical wired or WiFi network bridged to a virtual ZeroTier network by a bridge device. The bridge device "glues" them together, passing packets back and forth and such. Linux's bridging driver is very good and handles a lot of edge cases like MTU mismatch, etc., and we've found that it works pretty good in practice.

      Now a ZT device with IP 10.10.10.100 should be able to ping 10.10.10.201, etc.

      Raspberry Pis work great for this kind of thing. They're great for cheap DIY low-power network devices like bridges, routers, NAS boxes (connect a USB drive), etc.

      posted in IT Discussion
      adam.ierymenko
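
Steps 3 and 4 of the bridging post above, as an added example that is not part of the original post or ZeroTier's own tooling: it prints the iproute2 commands that build the bridge and checks that a manually assigned address sits in the range reserved for non-ZT devices. The interface names, the subnet and the .201 boundary are the post's example values; the function names are hypothetical.

```shell
#!/bin/sh
# Added example. Assumes iproute2, and that the ZeroTier member is already
# designated an "active bridge" at the network controller (step 2).

BRIDGE=br0           # Linux bridge device from step 3
ZT_IF=zt0            # ZeroTier interface name used in the post
LAN_IF=eth0          # physical side (or wlan0, etc.)
PREFIX=10.10.10      # first three octets of the post's 10.10.10.0/24
RESERVED_FROM=201    # "everything above 200" is kept for non-ZT devices

# Succeeds only if $1 is a host address in the manually assigned range,
# so it cannot collide with an address ZeroTier auto-assigns.
is_reserved_ip() {
    case "$1" in
        "$PREFIX".*) host=${1#"$PREFIX".} ;;
        *) return 1 ;;                      # outside the network's subnet
    esac
    case "$host" in
        ''|*[!0-9]*|????*) return 1 ;;      # not a plain 1-3 digit octet
    esac
    [ "$host" -ge "$RESERVED_FROM" ] && [ "$host" -le 254 ]
}

# Prints the commands for step 3 without running them. If $LAN_IF carries
# the host's own IP address, that address has to move to $BRIDGE as well
# (not shown), or the bridge host drops off the LAN.
bridge_plan() {
    echo "ip link add name $BRIDGE type bridge"
    echo "ip link set dev $ZT_IF master $BRIDGE"
    echo "ip link set dev $LAN_IF master $BRIDGE"
    echo "ip link set dev $BRIDGE up"
}

bridge_plan
# Constructed sample addresses for step 4.
for ip in 10.10.10.201 10.10.10.100 192.168.1.201; do
    if is_reserved_ip "$ip"; then
        echo "$ip: ok for a bridged device"
    else
        echo "$ip: not in the reserved range, pick another"
    fi
done
```

Review the printed plan, then run those four commands as root on the bridge host.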
    • RE: Is ZeroTier failing

      Also IRC isn't gone. The IRC FreeNode #zerotier channel is linked to that chat system's #general channel bidirectionally by a bot.

      posted in IT Discussion
      adam.ierymenko
    • RE: ZeroTier and DNS issues

      @dafyre Well here I am! (Author/founder of ZeroTier)

      Reading the above, it seems the issue is Active Directory DNS. While I know tons about networking, I am not unfortunately an AD expert.

      Pertino it seems hijacks DNS. This stuff is in the category of things we want to avoid -- ugly, nasty hacks that fix one thing but likely break everything else. This "enterprise" approach is how Windows networking got in such a bad state to begin with -- in digging into Windows one can see how this or that hack was put in place to make this or that work in an "enterprise" environment, and each hack results in a fractal explosion of edge cases that in turn demand more and more ugly hacks, and so on, until the entire thing becomes the ridiculous ball of garbage that it is today.

      But in some cases we have simply been forced to do it. In all such cases we've tried to build such hacks as far from the ZeroTier core as possible. Here's one from WindowsEthernetTap:

      https://github.com/zerotier/ZeroTierOne/blob/master/osdep/WindowsEthernetTap.cpp#L902

      So let me explain my understanding of this Windows AD DNS issue:

      Windows AD DNS likes to automatically register DNS entries for all adapters in the system. When ZT adapters are added, these can collide with, override, or pollute the DNS space with undesired entries. Is this the problem?

      If not, can someone explain the issue in a bit more detail? What precisely is going on under the hood? Maybe we can figure out and document a fix that's more elegant.

      posted in IT Discussion
      adam.ierymenko
    • RE: ZeroTier Controller

      We recently improved our docs on this: https://github.com/zerotier/ZeroTierOne/tree/master/controller

      posted in IT Discussion
      adam.ierymenko
    • RE: Zerotier failing to start after upgrade

      Do an update. We released new binary builds for Linux that should address this.

      posted in IT Discussion
      adam.ierymenko
    • RE: If LAN is legacy, what is the UN-legacy...?

      @Dashrender "That is no lie - So I can't get what I want, you'll give me this little thing over here, OK I'll just create a way to get what I want through that little thing.. done.. yeah - huge problem!"

      You can't secure things by breaking them. People will find ways around your barriers because they need things to work, and the things they cobble together will probably be less secure than what you started with. You have to secure things by actually securing them.

      Fundamentally the endpoint is either secure or it is not. If it's not, all someone has to do is get into something behind your firewall and they own you. Increasingly that something could be a printer, a light bulb, or a microwave oven. How often do you patch your light bulbs? If the cloud killed the firewall, then IoT will dig it up and cremate it and encase it in concrete and re-bury it.

      My approach to security is: secure everything as if it will be totally exposed on the public Internet, then add firewalls and such as an afterthought if appropriate. If something is not secure enough to be exposed to the public Internet without a firewall, it's not secure enough to be connected to any network ever.

      posted in IT Discussion
      adam.ierymenko
    • RE: ZeroTier GUI Updates, New Features and New Pricing Structure

      Yeah that's in our feature queue but after a ton of other stuff.

      posted in IT Discussion
      adam.ierymenko
    • RE: ZeroTier and DNS issues

      @dafyre Yes, the upcoming product is called ZeroTier Central and will consist of the UI you see at https://my.zerotier.com/ plus additional features people would want for in-house usage. We are talking to some potential users about that right now. Potentials include integration with in-house access control mechanisms like Active Directory and LDAP, etc. So you on-board a user and add them to LDAP and add their ZeroTier device IDs and they now have access to all the correct networks for their job and access levels.

      posted in IT Discussion
      adam.ierymenko
    • RE: ZeroTier network blip

      We caught a network glitch on the web site, but this should not have affected actual virtual networks. If it did then please explain what you saw -- the system should not be vulnerable to this.

      FYI network controllers issue config and certificates to network members but are not (by design) a point of failure for actual network communications. If a network controller goes down the network continues to work, but it just isn't possible to change the network (add new devices, de-authorize devices, change IP assignment settings, etc.).

      We're doing a round of infrastructure upgrades in the next few weeks anyway. Web will go to redundant bare metal servers and the root infrastructure (which is critical) is getting even more robust and geo-distributed. (It's already spread across three providers on four continents and all nodes are independent.)

      posted in IT Discussion
      adam.ierymenko
    • RE: Software Defined WAN

      @dafyre You can bridge ZeroTier to standard Ethernet, though at the moment it requires some manual configuration work and some expertise with Linux and bridging and such.

      Edit: pretty easy to do with a Raspberry Pi although the USB-wired 100 Mbit Ethernet on those won't work for really really high bandwidth stuff. Fine for ordinary use though, since the WAN is usually slower than that.

      posted in IT Discussion
      adam.ierymenko
    • RE: Software Defined WAN

      @dafyre Bridging works much better than I thought it would when I developed that feature. At first I was like "well, technically this is possible but I'm going to call it experimental until we see how it works in practice." I've heard of people using it with whole big LANs behind it, so I'm a bit stunned. 🙂

      posted in IT Discussion
      adam.ierymenko
    • RE: Pertino - Is Anyone Successfully Using Any Version Above 510 with DNS/AD Connect?

      @scottalanmiller We are also working on our enterprise offerings. See https://www.zerotier.com/product-ss.shtml -- we haven't made a big announcement quite yet but we are working with a few customers in the IoT and device space and this is also applicable to large enterprise SDN. We will offer live real-time monitoring of network quality of service and proactive investigation of problems as a service, and one of our engineers has a machine learning background so we are planning to leverage advanced quantitative analytics and deep learning against circuit test data eventually. We're also looking forward to pitting deep learning against harder scenarios in NAT traversal in the near-mid future.

      Pricing on that page is still being refined. We might add something more fine grained in the future. Existing model is actually geared more toward IoT device vendors.

      posted in IT Discussion
      adam.ierymenko
    • RE: ZeroTier + Active Directory Authentication

      @Dashrender That's not true. If a ZT device is on the same local network, then it will just have two ports that go to the same network. It would be like putting two NICs in the device and running two cables to the same switch. Confusing, but nothing "wrong" with that.

      ZT emulates a smart Ethernet switch. Think of it the way you would think of a switch. An "active bridge" is a port set to permit bridging to another switch (some smart switches let you control that) while a regular ZeroTier endpoint is a port that only goes to a single device.

      If you're thinking of it any differently you're over-thinking it. Pertino adds a whole ton of complexity by operating at L3 and none of that applies here. VPNs also add a lot of complexity by fragmenting the network with tunnels and such, and that's also irrelevant. Just imagine a switch with invisible wires going to it.

      posted in IT Discussion
      adam.ierymenko
    • RE: ZeroTier + Active Directory Authentication

      @dafyre In the shorter term a more detailed HOWTO would probably be best. We can gear it to Debian since the Pi is Debian and makes a great bridge device, but you could also use a Debian VM or regular machine.

      posted in IT Discussion
      adam.ierymenko
    • RE: ZeroTier Question

      @dafyre Your OS's DNS resolver decides how DNS works. ZeroTier gives you a port to a virtual LAN, nothing more.

      posted in IT Discussion
      adam.ierymenko
    • RE: ZeroTier Question

      @Dashrender ZT does precisely nothing to DNS... at least right now.

      posted in IT Discussion
      adam.ierymenko
    • RE: ZeroTier RPM Installer Script Failing

      https://chocolatey.org/packages/zerotier-one/1.1.12

      I also just learned that this works:

      msiexec /i https://download.zerotier.com/dist/ZeroTierOne.msi
      

      Didn't know msiexec could do that.

      We're revamping our web site and will have one-liner installs for most platforms.

      posted in IT Discussion
      adam.ierymenko