A private subnet across multiple datacenters, that works for multiple OSes, that is fast, easy to manage and reasonably secure? That sounds like a piece of software that is too good to be true, but ZeroTier has it all, I think.
For those who do not know ZeroTier, it is a peer-to-peer-based virtual network tool. It is run by ZeroTier, Inc., the same company that provides the free web interface (ZeroTier Central) for managing the virtual networks, and they host some proxying (STUN) servers. ZeroTier is also completely open source, so there is no need to use the services provided by ZeroTier, Inc.
It works by creating a network which gets a unique ID, which can then be used to join the network from any client. If the network is public, only this ID is needed to join the network, but if the network has been defined as private the client will need approval first. The approval can be given via the ZeroTier Central interface.
And that is basically how you set up the network. It is disturbingly easy. You create a network in ZeroTier Central, choose an IP range for your clients, then you join the network with your clients, approve them in ZeroTier Central and you are done; no more weird extra steps.
I was surprised setting up such a VPN could be so easy, since I just came from Tinc, which is much harder to set up. I was also pleasantly surprised by the Android and Windows clients working directly out of the box.
The only problem I ran into was that network connectivity was very slow at the start, until I realized I had not opened port 9993/udp yet, and thus ZeroTier was tunneling through their STUN servers. And to be honest, the fact that the VPN did work without opening any port is actually quite awesome!
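A quick way to catch that slow, relayed state is to ask the local ZeroTier service which peers actually have a direct UDP path. The script below is an added example, not code from the post or from ZeroTier; it parses the JSON shape of `zerotier-cli -j peers` (the field names `address`, `role`, `paths` and `active` are assumed from the local service API, so verify them against your version) and flags network members that are reached only through the root servers. The sample peer list is constructed.

```python
import json
import subprocess
import sys

# Constructed sample in the shape of `zerotier-cli -j peers` output.
# Field names are an assumption based on ZeroTier's local service API.
SAMPLE_PEERS = json.dumps([
    {"address": "a1b2c3d4e5", "role": "LEAF", "version": "1.10.6", "latency": 3,
     "paths": [{"address": "203.0.113.10/9993", "active": True, "preferred": True}]},
    {"address": "f6e5d4c3b2", "role": "LEAF", "version": "1.10.6", "latency": -1,
     "paths": []},
    {"address": "0123456789", "role": "PLANET", "version": "-1.-1.-1", "latency": 20,
     "paths": [{"address": "198.51.100.5/9993", "active": True, "preferred": True}]},
])


def classify_peers(peers_json):
    """Return {ztaddr: "direct" | "relayed"} for LEAF peers (network members).

    A member with no active path has no working UDP path to this node and is
    being reached through ZeroTier's root servers, which is the slow state
    seen before udp/9993 was opened."""
    result = {}
    for peer in json.loads(peers_json):
        if peer.get("role") != "LEAF":
            continue  # PLANET/MOON entries are the relays themselves; skip them
        direct = any(p.get("active") for p in peer.get("paths", []))
        result[peer["address"]] = "direct" if direct else "relayed"
    return result


def relayed_members(peers_json):
    """Sorted list of member addresses that currently have no direct path."""
    return sorted(a for a, s in classify_peers(peers_json).items() if s == "relayed")


def main():
    # `--live` queries the running daemon; otherwise the constructed sample is used.
    if "--live" in sys.argv:
        data = subprocess.check_output(["zerotier-cli", "-j", "peers"], text=True)
    else:
        data = SAMPLE_PEERS
    for addr, state in classify_peers(data).items():
        print(f"{addr}  {state}")
    bad = relayed_members(data)
    if bad:
        print("relayed members found; check that udp/9993 is allowed on both ends:",
              ", ".join(bad))


if __name__ == "__main__":
    main()
```

Run it with `--live` on a node (it needs the same privileges as `zerotier-cli`); a member that stays relayed after a minute or two usually means udp/9993 is blocked on one side.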
Speaking of performance, well, it is okay. Running a speed test between two servers in the same datacenter gives the following:
Client connecting to server1_public, TCP port 5001
TCP window size: 162 KByte (default)
------------------------------------------------------------
[  5] local server2_public port 57966 connected with server1_public port 5001
[ ID] Interval       Transfer     Bandwidth
[  5]  0.0-10.0 sec   687 MBytes   576 Mbits/sec
[  4] local server1_public port 5001 connected with server2_public port 55612
[  4]  0.0-10.0 sec   652 MBytes   545 Mbits/sec
Running the same test without ZeroTier gives the following speeds:
Client connecting to server1_public, TCP port 5001
TCP window size: 221 KByte (default)
------------------------------------------------------------
[  5] local server2_public port 50446 connected with server1_public port 5001
[ ID] Interval       Transfer     Bandwidth
[  5]  0.0-10.0 sec  1.35 GBytes  1.16 Gbits/sec
[  4] local server1_public port 5001 connected with server2_public port 38492
[  4]  0.0-10.0 sec  1.11 GBytes   956 Mbits/sec
Now I only need some kind of DNS server to finish it all. I was thinking about a direct integration with Consul, but that is a project for later!