ZeroTier – home VPN without a public IP address

blog.tomaszdunia.pl

66 points by to3k a year ago · 67 comments


bclemens a year ago

Also consider Nebula: https://github.com/slackhq/nebula

ZeroTier does not use an OSI approved open-source license. It is under a freedom-restricting "Business Source License". Nebula is MIT licensed.

Nebula is much simpler and in most cases faster than ZeroTier.

  • yjftsjthsd-h a year ago

    Unfortunately their mobile app isn't open source: https://github.com/DefinedNet/mobile_nebula/issues/19#issuec...

  • uselpa a year ago

    Last time I checked it did not support IPv6, and the issue is still open today https://github.com/slackhq/nebula/issues/6

  • lostmsu a year ago

    I tried Nebula, but ended up with Yggdrasil instead. https://yggdrasil-network.github.io/

    Unlike Nebula, it gives you an IPv6 address (actually, millions of them per node, if needed).

    They now also have a userspace-only SOCKS 5 proxy server that can connect your app to the whole network without forcing the user to install drivers or to mess with their network configuration.

  • jstasiak a year ago

    Adding +1 to the Nebula recommendation.

    The last time I tried ZeroTier (years ago, I admit) it wasn't possible to self-host all of it I think and I couldn't make it reliably use my own relays for good performance of non-direct connections.

    I've been happily using Nebula for a while now, pretty easy to configure and self-host.

  • lukaslalinsky a year ago

    Thanks for the recommendation! I wanted a VPN like this for a long time, to manage HA in a remote property, and this seems like a great option. Even the hosted service is very reasonably priced - https://www.defined.net/pricing/

  • FieryTransition a year ago

    Is nebula actually good to use now?

    Do they route announcements over the network? Can I just setup two machines and expect them to just work by finding each other?

    Does it support name resolution?

  • exceptione a year ago

    How does Nebula compare to Wireguard?

    • bclemens a year ago

      They are not directly comparable. Nebula is a mesh VPN. Wireguard can be used as a building block for a mesh VPN (as it is in Tailscale), but it does not have that function organically.

      I have tried Tailscale / Headscale and did not find the overhead worth it. Both can saturate a 10Gbps link and that's all I need right now. Nebula's much simpler to administer. The configuration's spelled out in the client configs and in the certificates you provision. If you're already using some form of configuration management, it's quite easy to make changes. If you require a Web UI, Tailscale / Zerotier / etc may be better. There is a company that provides a Nebula-based service with a Web UI but I haven't tried it.

    • jstasiak a year ago

      They're solutions to slightly different problems.

      I'd characterize it as such: Wireguard is more of a plumbing solution that gives you a point-to-point connection, either it's enough for you or you can use this to build what you need.

      Nebula is more of an end-user ready-to-use solution, gives you features like NAT traversal, automatic selection of direct connections if possible, the nodes don't need to know other nodes' addresses ahead of time(x) etc.

      (x) except for the lighthouse

    • eptcyka a year ago

      Nebula does use WireGuard, as per their go.mod file.

      EDIT: actually, they just use various I/O abstractions that WireGuard developed.

      • jstasiak a year ago

        Looking at that file may make you reach misleading conclusions. Some tun/io code may be used, but that's about it. As far as I understand, WireGuard the protocol is not used anywhere:

          nebula (master)> git rev-parse HEAD
          2b427a7e8934f0a436fea25eb40a6b979b34ee7a
          
          nebula (master)> rg --glob '*.go' -i wireguard
          wintun/tun.go
          6: * Copyright (C) 2018-2021 WireGuard LLC. All Rights Reserved.
          9://NOTE: This file was forked from https://git.zx2c4.com/wireguard-go/tree/tun/tun_windows.go?id=851efb1bb65555e0f765a3361c8eb5ac47435b19
        
          udp/udp_rio_windows.go
          4:// Inspired by https://git.zx2c4.com/wireguard-go/tree/conn/bind_windows.go
          25: "golang.zx2c4.com/wireguard/conn/winrio"
        
          overlay/tun_wintun_windows.go
          17: "golang.zx2c4.com/wireguard/windows/tunnel/winipcfg"
        
          wintun/device.go
          6: * Copyright (C) 2017-2021 WireGuard LLC. All Rights Reserved.
          9://NOTE: this file was forked from https://git.zx2c4.com/wireguard-go/tree/tun/tun.go?id=851efb1bb65555e0f765a3361c8eb5ac47435b19
      • KAMSPioneer a year ago

        It is likely an option, but as per the ReadMe:

        Nebula uses Elliptic-curve Diffie-Hellman (ECDH) key exchange and AES-256-GCM in its default configuration.

tyingq a year ago

https://web.archive.org/web/20250209102959/blog.tomaszdunia....

savikko a year ago

Hugged to death, but what I like about ZeroTier is that I can access my Home Assistant instance (and other home services) with the same IP address (resolved from DNS and then TLS terminated with traefik) from the home network and from ZeroTier.

And it does not matter if I have ZT network connected when home.

Not sure if that is possible with tailscale (from my understanding, it generates always tailnet ip for hosts).

  • chabad360 a year ago

    Tailscale does support this. Using the Subnet routing feature you can expose other devices on the network to the Tailnet. I had to use this for a while with TrueNAS because of the way it handles TS integration (eventually I moved to using a reverse proxy).

    • the_mitsuhiko a year ago

      The best part of tailscale is that you can use an Apple TV as a subnet router and exit node. So even if you do not have any home networking equipment, you can utilize this by just using the Apple TV app. This is particularly great if you have a second home etc.

    • savikko a year ago

      Oh, will have to investigate that a bit.

  • notpushkin a year ago

    > from my understanding, it generates always tailnet ip for hosts

    It does, but it should connect over LAN when both devices are on the same network. The tailnet IP doesn’t exist outside the WireGuard network, so it’s up to the WireGuard routing algorithm.

    • bayesianbot a year ago

      I thought it was Tailscale that always selects which IP to use as endpoint for other devices, and set that up for Wireguard? If I'm wrong, could I replicate that behavior (using relay on WAN, direct connection on LAN) with Wireguard without external configuration tools?

    • baq a year ago

      Tailscale DNS might cause a bit of trouble, but the overhead isn’t too bad, I’m measuring ~1ms ping difference, which is a lot in relative terms, but in absolute it makes 0.5ms into 1.5ms.

    • savikko a year ago

      Yep, and there is no "ip alias" type of things. On zerotier, I route my home server ip to zerotier ip and then it just works.

bastard_op a year ago

I've been using Zerotier personally and professionally for some 10 years or more and as a network engineer I love the product, and have long recommended it. I've compared it to Tailscale, and while Tailscale has a lot more enterprise-y features, they too miss some key features of Zerotier like being able to route ANY subnet IP addresses, not just the 100.64/10 addressing Tailscale limits you to. Tailscale also requires you to use an OAuth account for users, which has never been compelling for personal use.

I also believe it was around before Tailscale, or at least I knew of it before Tailscale, but I've never seen a compelling need to move from Zerotier to Tailscale.

speakspokespok a year ago

I’m considering setting up a Digital Ocean virt with the static IP and then wireguard connection back to a host on my network.

I want to connect a local bare metal k8s cluster to the internet but completely walled off from the rest of my network.

  • natebc a year ago

    I did this a few years ago and it's still chugging along great. Haproxy instance on a $6 droplet proxying back over wireguard to a traefik proxy.

    Could probably redo it and skip the double proxy but honestly it's fine.

LelouBil a year ago

Very useful for remote lan gaming !

We used to have Hamachi, but the limited networks, the unintuitive UI and the need to create an account are all things that ZeroTier does best.

Need someone to join the network ? Just send them the ZeroTier download link, and the network ID. No account, no complicated prompts, nothing !

And you can customize everything on the backend, like ip addressing and routing.

And it's even self hostable ! (But then the users need to set the url to your server so this adds a bit of setup obviously)

ramarnat a year ago

Also great to bypass Netflix/Hulu/Disney geo or VPN restrictions. I run ZT on my travel Amazon firestick, connect to my home network, turn on use default gateway and all traffic goes via my home router.

Using a similar setup, a friend in Oz and I also share ZT networks, so either he or I can use them to watch content that is only available regionally. The traffic uses home IPs, so it won't get blocked or detected.

It just works.

(Disclosure: was part of the first angel round investment in ZT)

Krasnol a year ago

Very nice and detailed guides.

The guide for Shellys [0] is highly appreciated. I always thought about touching those, but all the guides I've found required knowledge I didn't have. I guess it's a precaution because one can cause real damage doing this wrong, but I feel now, I could do it.

Dzieki.

[0] https://blog.tomaszdunia.pl/shelly-smart-oswietlenie-eng/

  • Diti a year ago

    Do you have any feedback regarding lag? I like the potential of Shelly products, but every single light I bought from them has a 2-second lag, as the devices seem to want to light up only AFTER being connected to the WiFi.

    • cassianoleal a year ago

      > want to light up only AFTER being connected to the WiFi

      Do you isolate them at the switch? If you do, then it's less likely "connected to WiFi" and more likely that's the time to boot up the firmware.

      If you don't, then they should always be up and connected to the wifi.

      I've used Shelly lights with no issues, even pressing the button on a Zigbee switch to send a signal to Home Assistant who would in turn tell the Shelly to switch on was always instant.

      • Diti a year ago

        I actually described it incorrectly. I was indeed talking about the response time after using a light switch to turn on the lights the dumb, old-fashioned way.

        So, yeah, you’re right, it must be the time it takes for the firmware to boot up. My question still stands, then – can this boot-up time be reduced or avoided?

        • cassianoleal a year ago

          Probably not. The way these lights are supposed to be operated is indeed always on. If you want to keep the old-school switch, you can put a smart relay behind it.

  • to3kOP a year ago

    It’s really nice to hear that you like my guides. I have 0 money from making them but a lot of dopamine coming from such comments!

dnjdkdldh a year ago

Cloudflare tunnels https://developers.cloudflare.com/cloudflare-one/connections...

I can type a short url into any web browser and get to home assistant and jellyfin running in my home network

to3kOP a year ago

You don’t have a public IP address, but you want to remotely access your Home Assistant? No worries, you can do it using ZeroTier and I have a tutorial for you.

  • Hikikomori a year ago

    Error establishing a database connection

    • jonplackett a year ago

      Hug of death

      • mkl a year ago

        Problematic design. It's a static page, and should be served as such; a Raspberry Pi could probably handle that, and it's easy to put behind Cloudflare or similar.

        • em-bee a year ago

          i am not the poster, but i am in a similar situation with my own blog.

          just because my blog could be hosted on a static page, i am not going to go through the effort to set up a separate server just for that when i am already hosting a website with dynamic content and my goal is to host my blog with a minimum of effort on the same site. and i am especially not going to buy a raspberry pi just for that. and if i put it behind cloudflare i am just going to annoy the other half of hackernews readers asking why everything has to be behind cloudflare.

          • mkl a year ago

            I'm not suggesting a separate server or a Raspberry Pi (that was just an example of the low resource needs), just having non-dynamic pages to not be hitting the database, so be cached somewhere (hopefully automatically), or using a server configured to serve them statically.

            • em-bee a year ago

              the platform i use stores everything in a database. it doesn't even support reading static files from disk. and why should that even matter. the filesystem is just a different kind of database. as for purely static pages, i happen to have a small website that is purely static too, served from the same platform. and already maintaining the navigation for a few pages is a pain. i could use a static site generator, but then i'd have to use different tools from the rest of the site. and that also increases the maintenance effort and adds dependency on yet another tool. my current plan is to keep the pages static but use js to create the navigation. that would add the cost of a REST API call to get the list of pages and affect the cacheability for the navigation part. if only html had an <include> tag then maintaining the navigation would be a lot easier without js.

27theo a year ago

Hugged to death - archive up at https://archive.is/HdmGX

aborsy a year ago

How does it compare with the darling of HN, Tailscale?!

Tailscale has magic DNS. Can you use a custom domain and DNS entries in any of these mesh VPNs?

  • throw3948493 a year ago

    ZeroTier charges by device. Tailscale charges by user.

    ZeroTier is a lot cheaper if you only need to connect a single device for each employee. It gets a lot more expensive if you have a lot of devices.

    Tailscale is the opposite. Cheaper if you have a lot of devices, but if each employee only has a single laptop which needs to be connected, then it's a lot more expensive.

    Tailscale's documentation is way better and walks you through it like a beginner. ZeroTier's documentation assumes you are already knowledgeable about networking.

  • timrichard a year ago

    I think the ZeroTier free tier is much more generous. I also like the client app, which lets you be connected to more than one network without switching. The API is also nice... I've hooked it up to an Ansible play, and it works well.

mkl a year ago

ZeroTier is great. It just works. Makes it really easy to SSH in or access Samba shares from anywhere.

hei-lima a year ago

You can use it for remote LAN gaming, just like we used Radmin or Hamachi to play Minecraft.

john_alan a year ago

How is this better than DDclient + WireGuard?

  • k8sToGo a year ago

    Not all ISPs provide a public IP address.

    Some ISPs force you to change your IP every 24h. So you'd have to reconnect your VPN.

    • mr_mitm a year ago

      DDclient (or an alternative) takes care of the IP change and wireguard is as good as stateless anyway.

      • k8sToGo a year ago

        Wireguard connects to an IP endpoint. It does not resolve the domain for each packet.

        • mr_mitm a year ago

          Maybe this has to be solved on the application layer then. All I can say is that my setup with a dynamic DNS entry and WG tunnel on android works flawlessly.

        • john_alan a year ago

          Gotcha but a restart every IP change and you’re good.
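A small script for the DDclient + WireGuard setup discussed in this subthread, added here as an example and not taken from the article or from any commenter. WireGuard resolves a peer's endpoint hostname once, when the config is applied, so after the home IP changes the tunnel keeps sending to the stale address; instead of restarting the whole interface on every change, this re-resolves the DDNS name from cron and updates only the one peer endpoint, and only when the address actually changed. It assumes Linux with getent(1) and wg(8), an IPv4 endpoint, and placeholder names (wg0, home.example.org, the peer key) that you would replace with your own.

```shell
#!/bin/sh
# Added example (not from the thread). Re-resolve a WireGuard peer's DDNS
# endpoint and update it in place when the address changed. Assumes Linux
# with getent(1) and wg(8) and an IPv4 endpoint; names are placeholders.

# Pull the current endpoint IP of one peer out of `wg show <iface> endpoints`
# output, which is "<pubkey><TAB><ip>:<port>" per line, or "(none)".
current_endpoint_ip() {
  # $1 = wg show output, $2 = peer public key
  printf '%s\n' "$1" | awk -v key="$2" '
    $1 == key && $2 != "(none)" { sub(/:[0-9]+$/, "", $2); print $2 }'
}

# Decide what to do: "skip" if resolution failed (never clobber a working
# endpoint with nothing), "noop" if unchanged, "update" otherwise.
endpoint_action() {
  # $1 = currently configured IP, $2 = freshly resolved IP
  if [ -z "$2" ]; then echo skip
  elif [ "$1" = "$2" ]; then echo noop
  else echo update
  fi
}

# Resolve the DDNS name and apply the new endpoint if it differs.
# Prints the action taken so a cron log shows what happened.
refresh_endpoint() {
  iface="$1"; peer="$2"; host="$3"; port="$4"
  resolved=$(getent ahostsv4 "$host" 2>/dev/null | awk 'NR == 1 { print $1 }')
  current=$(current_endpoint_ip "$(wg show "$iface" endpoints)" "$peer")
  action=$(endpoint_action "$current" "$resolved")
  if [ "$action" = update ]; then
    wg set "$iface" peer "$peer" endpoint "$resolved:$port"
  fi
  echo "$action"
}

# Example cron invocation (placeholders):
#   refresh_endpoint wg0 '<peer-pubkey>' home.example.org 51820
```

Run it every few minutes as root (wg set needs it); a "skip" in the log means the DDNS name did not resolve and the existing endpoint was deliberately left alone.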

rook1e_dev a year ago

Tailscale or pure WireGuard is cool.

EVa5I7bHFq9mnYK a year ago

tailscale clone?

finalhacker a year ago

cannot open this page
