We've been hard at work on this for a very long time, and we're obviously quite happy today! This is a must-have or really-want for a huge number of business customers.
That being said, we don't and are not going to require SSO sign-in. You'll always be able to just authorize a device. (On SSO networks that's done by setting them to SSO-exempt.) You can also self-host network controllers like always, and we're planning on making that easier in the future not harder. We're all about not forcing you into ecosystems (SSO can do that) and about decentralization.
As for other stuff coming in the near-mid future: version 2.0 is not dead. We obviously got massively derailed (mostly good but very distracting things) and under-estimated the scope and time, but it's still moving forward. We have not announced this elsewhere yet, but it's a near-total port to Rust. This is to get into a more modern language but also to use a safe language for security reasons. This has added time to the job but we're of the opinion that security-related software not written in a safe language is going to be considered a bad thing in the near future (if not already).
V2 also has some significant cryptography improvements that bring us more to parity with more modern constructions like the noise framework. This part has been going slow too because we've been moving carefully and soliciting a lot of peer review both informal and formally hired. Cryptography isn't something you just toss out the door and YOLO. :)
Last but not least we are planning on some kind of transition from the BSL back to an OSI-compliant licensing scheme, but want to think this through rather than flail around.
People at this site have really been fans and have helped us a lot over the years, and we're grateful. Thanks!
I recently tested zero tier for a company use case (mobile development, giving a dev phone access to a dev computer, or allowing sharing between dev computers; basically sharing something with a colleague).
Also tested Tail Scale.
Some feedback (only writing this to help you improve):
1. Your UI is horrible. Hire 1-2 front-end/designers and copy everything that tail scale does right.
2. You should add a concept of users with e.g. GitHub as SSO-provider, like tail scale does. Maybe that’s what you’re releasing now?
3. Your docs are very bad compared to tail scale, and you should have much more docs on common scenarios and use cases. For example, mine wasn’t mentioned but is fairly common. You are losing a lot of business here.
4. iOS VPN auto connect functionality is good.
5. You should add some type of global dns, such that we could map all devices/users like this: macbook1.jane.my-company.net (resolve via your network; you host the dns, we provide our ___domain). Basically what Consul does.
6. If user is authed (see 1 above), auth of devices should be optional.
7. Your language for network rules is too complicated.
8. My impression was that your network software is better than TailScale, but in every other way they beat you (docs, UI, usability, features).
9. iOS app is ugly and have obvious bugs, like you can’t enter text in fields in lower case without hassle.
Couldn’t actually get my use-case to work on tailscale either. They stuff they’re missing is in the works though. Will revisit you both in 6 months.
I’m rooting for you, but you must understand that it’s not only about software, all the packaging around it is also important (and you are severely lacking in this area).
Location is set to Cincinnati because we want to nucleate more engineers in this region but the position is open to anyone in the USA. We'll hire anywhere if someone is really good. We're remote-first.
Edit:
> 7. Your language for network rules is too complicated.
It's too low-level. We are researching a higher-level way to edit rules in terms of intent rather than the current pf-esque rules language that requires you to deeply understand TCP/IP and such.
That being said it is very powerful and you can do extremely neat stuff with it. It's in some ways more powerful than what you get with enterprise data center SDN products.
>That being said it is very powerful and you can do extremely neat stuff with it. It's in some ways more powerful than what you get with enterprise data center SDN products.
I think that's true, but I have basically 0 confidence that I can implement even simple rules using it, let alone anything more complicated.
The thing that was the real show stopper for me and made me switch to Nebula was that there doesn't seem to be a way to self-host a backup controller so that our network can continue to function even if ZeroTier.com is having problems. Unless, that is, I go entirely self-hosted and give up the web management UI, which I think is part of the compelling offer of ZeroTier.
Networks members will continue to be able to communicate with the controller down as long as they were online before the controller went down. Not a full solution, I know.
Otherwise, it's a difficult problem to solve. The only way we could let you run a network controller as a back up right now would be to give you the private key for the controller, which would allow you to change everybody else's network on that controller, too. Not the best of ideas giving that info away!
That's in the queue. Will probably start by making it a turn-key marketplace "appliance" in AWS, Azure, GCP, etc. marketplaces, then release for on-prem.
Perhaps this is more common than I am aware, but why cram both UX Designer and front-end engineer into one role? Usually at many places I've seen, those are two distinct roles with distinct responsibilities - this might be because the overall overlapping group that can do both UX design (wireframing, general design, etc) and engineering is a relatively small group I guess.
This just stuck out to me a bit because those seem like two distinct area of expertise
We were planning on separating those, but haven't edited the description yet. There are some unicorns who can do both but not many. Anyway if someone is interested just apply. We're not a huge company and we just use the job reqs to get applications and then decide.
Also I need to edit the part about a BS in CS and add "or demonstrably equivalent skills and experience."
>1. Your UI is horrible. Hire 1-2 front-end/designers and copy everything that tail scale does right.
I don't think that's entirely fair to say "horrible". It does everything I've needed of it quite well. The design sensibilities are just... I'm not sure what the right word is, but maybe "ugly" is good enough. I remember when I first looked at it I thought "this is going to be horrible", but once I started using it the functionality was pretty good.
For example, I'd call it better than DefinedNetworks from a usability standpoint, because you aren't clicking in and out of a bunch of things, but DN is definitely easier on the eyes.
Had something maybe similar too - some times instant connecting, sometimes slow, sometimes 0%. Fixed and happily using ZT every day now. (TY ZT!)
On both computers do: Network connections->Right click ZT network->Properties->Select (TCP/IPv4), probs 5th down. ->Properties->Advanced->Untick automatic metric-> set interface metric value to 1. Potentially reboot, though I've not needed to before.
Pretty much this ^^ You've given no detail that differentiates your issue from all the other general troubleshooting advice out there already, nor do you say what you've tried to debug it.
Have you described your reasons for not migrating to Wireguard in v2.0? Is it partially because Wireguard only really has a portable (and heavyweight) Go implementation that's also tightly bound to OS networking primitives? I'm mainly wondering if there are also cryptography or protocol limitations that make it unsuitable.
Wireguard is a really nice clean transport protocol, but there are a few:
(1) We use AES for performance and other reasons. ChaCha is much faster than AES in software but AES blows it away by 2-4X in hardware. We have customers using ZeroTier in an SD-WAN setting who are leveraging AES acceleration (with some of their own custom code) in network accelerators and other devices. We also think we can beat both in-kernel WG and ipsec in V2 on Linux using io_uring because the cryptographic part of ZeroTier is 2-4X faster than WG on "real hardware." My M1 Mac does 2GiB/sec/core and newer Intel/AMD chips with AVX VAES can do as much as 10GiB/sec/core.
(2) We have a bunch of customers who want FIPS. Yes, we know. We're not big fans either but they're large customers and whole industries. We also have a pretty good no-compromise plan for this that treats FIPS as a floor for cryptographic quality not a ceiling and doesn't add meaningful complexity. This is a V2 thing. (You can bootstrap WG with keys from a NIST ECC key exchange to get the asymmetric part of FIPS, but ChaCha is not FIPS.)
(3) We want to maintain backward compatibility with millions and millions of ZeroTier devices out there, at least as far back as we can.
(4) ZeroTier uses a construction where the identity is the outer envelope and then (in V2) the ephemeral forward secrecy keys are the inner envelope. Wireguard does it the other way around. Both are equivalent in terms of cryptographic strength (and I think in noise this is a choice, but it's been a while since I read through that). The advantage of the WG construction is that session participants can't be identified from packets. That's a disadvantage in enterprise though, because they want that. It lets us implement elegant solutions to making a mesh P2P network play nice with enterprise firewall and internal/DMZ isolation practices among other things. It also lets our roots/relays basically do something analogous to MPLS, pumping vast amounts of traffic with virtually no CPU overhead because they don't need to decrypt anything.
We toyed around with making an AES fork of Wireguard, basically use the exact same construction as WG with AES-GMAC-SIV instead of ChaChaPoly. Would be totally fine cryptographically but see #4.
We also support virtualization at layer 2 rather than just layer 3, which is important for a bunch of our industrial use cases. It would be possible though to stuff L2 into WG pretty easily, so that's not really a reason. WG is just a transport protocol so you could stuff anything into it. Fly.io used it as a light alternative to TLS I think. It's just normally used to carry L3 IP.
Edit: also in V2 we are modularizing things, separating the transport protocol from the rest of the code. It'll be in open source Rust and very portable. In our (currently private) Rust repo vl1/ is only about 5K lines of Rust including tons of comments and non-crypto stuff. We also have plans to document it a lot better.
> ZeroTier uses a construction where the identity is the outer envelope
Does this mean that any node along the network path would be able to track communications between nodes? Maybe a snoop wouldn't be able to pin an envelope to a named identity, but they would be able to track which other identities its connecting to down to the communication bandwidth between each source and destination and correlate the identities of those connections between separate devices. Is this an accurate description?
Yes, and that's a downside. My opinion though is that unless you are tunneling every single bit of your network traffic through something that is concealing your identity, fingerprinting the vast majority of devices and users is trivially easy. There is just an amazing amount of surface area: browser fingerprinting, protocol version fingerprinting, network access pattern fingerprinting, DNS snooping, TCP fingerprinting, and so on. Since ZT (and Tailscale and Nebula and other similar things) are all P2P it's trivial to fingerprint someone by just collecting the IP endpoints they routinely communicate with. Anyone who belongs to a private net with a few fixed points can be easily identified over time by the fact that they talk to those things in a certain pattern.
I have some thoughts about features to really defeat this. We've got an entry on our feature queue for guard nodes you can run in the cloud and have also researched implementing a form of "light" onion routing. It wouldn't be intended to be as strong (or as slow) as Tor, but sufficient to prevent passive dragnet surveillance.
In any case there is a conflict here between goals. So far the performance, rapid startup, and enterprise goals have won out over the small privacy benefit of the ephemeral-outer-key construction. It's a scope thing. So far we've never scoped ZeroTier as a meta-data-concealing protocol like Tor, just as a P2P mesh protocol for easy remote access between devices and locations.
Still... it's tempting to try to find something in the V2 design to at least mitigate this issue. It's something we're thinking about.
I like the guard nodes idea ("gateway" or "proxy" nodes?). Maybe introduce a gateway node type, and add a way to pass traffic through a particular gateway (with a second tor-like encryption layer) defined using an extension to the current flow rules language. That would collapse all the traffic behind the gateway into a single identity (the gateway's), and probably be general enough to support all kinds of fancy features like onion-routing, monitored link balancing, etc.
I think the difference in privacy between identity(ephemeral(x)) and ephemeral(identity(x)) is not significant. It's more honest to tell people that our product offers only content privacy not meta-data privacy unless we are truly implementing strong countermeasures against tracking by ISPs or others that can pervasively sniff the net. Just nixing the identity key visibility is not a strong countermeasure for the reasons I described.
I almost launched a zerotier alternative for business SSO only. I'm very excited by this. Quick question.
Our use case is simple as are many businesses.
We have users that authenticate using Google lets say. We want to give them remote desktop access from their home. They ARE NOT techies.
Ideally we could give them an SSO login (it sounds like this will make that possible). And then authorize them to connect to nodes Y and Q. We don't need "networks" at this level, just user A authorized to connect to node Y or node group 5 etc.
if we have users and user groups and nodes and node groups you can then basically do whatever a business is used to doing (this breakout is common in many smaller businesses using Active Directory, Google etc).
This seems boring but the competition is pretty poor. Sonicwall and friends with VPN setups are time consuming and pretty complex to manage and deploy. Anydesk and friends have just horrible business practices (try cancelling).
Cloudflare is getting there sort of with WARP, but it's also awkward and they keep moving their product positioning around.
Note - we happen to use some mikrotik for fun as well as sonicwall supported by our third party MSP - we've started to see zerotier show up on mikrotik which has been fun.
The gui for this is not there. Biz users are used to clicking nodes, adding users to nodes (in traditional form these are lan subnets or computers).
Even CLI oriented used to things like
Node Group A ALLOW FROM User 1, 2, 3
I might not have spent enough time playing with it.
EDIT:
Edited to add another look at rules engine I see absolute ZERO mentions of users. How are folks doing my use case in rules? User logs into let's say two machines and phone. They should have access to Node X inside our firewall for RDP. Permissions are tied to user identity. I wasted enough time chasing folks saying this is easy before, please CONFIRM it is easy before telling me it is.
The deficit in Tailscale ACLs (as I found while evaluating) is they can't make use of groups from your SSO supplier so you have to explicitly list users in there.
I landed on Perimeter 81 as a useful alternative that does what we needed
I love it. I've been an extremely happy home user (server, laptops, phones) for years and I want to pay them something, but the minimum plan was a barrier for that in the past. But they get my $5 immediately.
Yep I'm on the free tier but the new pricing suits my business a lot better so I will now be a paying customer even though I need zero of the new features.
I use Bitvise SSH commercially as a $100 one-time cost to secure port forwarding for RDP (Windows Pro) with Active Directory + TOTP auth. It's free for personal, partial-AD use.
* Tailscale is layer 3 and ZeroTier is layer 2, which is a significant difference for some applications.
* Tailscale requires an SSO solution, ZeroTier doesn't.
* Tailscale uses Wireguard, ZeroTier has its own custom protocol (correct me if I'm wrong)
* Tailscale provides an automagical DNS service for all nodes, with ZeroTier you need to roll your own: you need to physically install and run it on one of your nodes. ZeroTier will automatically propagate it for you.
Can someone explain what kind of difference being layer 3 v/s layer 2 mean? Does this mean with Zerotier I can deploy applications that don't use IP or something like that?
I used to be with the SSO-wall-of-shame crowd...until I had to maintain and support SSO within a production app. G-suite/Social SSO? Fine. Not a problem. SAML? Good luck automating that and not having to reset certs / tweak things per-client. That's why it costs money.
Another problem I have with the "SSO should be free, because it's security-related" argument is that it's a misunderstanding of why it costs money. It's not because companies want to gate security features. It's because when you're trying to create a pricing model for an otherwise free product, going from "I'm ok with manually inviting/deactivating users" to "I now need SSO, because this product has enough adoption within the company to merit it" happens to be an almost a perfect way to delineate between casual freemium users and business users who should be paying. That, combined with my initial point, is why I dropped out of the SSO tax crowd.
Long story short: it has almost nothing to do with the cost of providing SSO features (which is what upsets security nerds, because we know it's not that expensive to get these features right, though they are tricky).
Rather: the SSO tax is much more about making services cheap/free for small customers, and charging "what they're really worth" (the core service! the whole thing! not just the SSO feature!) to companies that demonstrate that they're large enough by demanding SSO.
You don't have to like it! I sure don't! We SSO everything and are relatively small and the tax takes a bite. But it's at least worth understanding the logic behind it.
Good defense and I agree, but I also agree that the SSO tax sucks.
Not a day goes by that I don't dedicate some thought to better business models for software and services, especially for FOSS and otherwise pro-freedom pro-user software. It's hard for many reasons. User-hostile software (surveillance, loot box games, cryptocurrency scams) is easy to make money from, but that's not my thing.
SSO is a fairly decent "are you a business or an individual" lever, which is why the SSO tax exists. Otherwise businesses will not pay anything and then complain when you disappear.
As I always say: people will pay $10 every day for a latte and a donut at Starbucks but you have to twist their arms to get them to pay much less than that for software they get tons of value from.
The problem is mostly tax being across all vendors.
Sure, you can do it, but then it's $5/seat for thing A, $3/seat for thing B, $4/seat for thing C, and you can end up paying $50/seat for all the random software associated.
Yeah, for high value employees that's nothing. But for a warehouse worker to login and checkoff a compliance form once a month? It's not worth it, give them a shared login.
And then once shared logins happen, it'll just become habit for a bunch of small stuff that snowballs.
So that's why the first thing I look at for software is that if it has a per-seat cost, I'm going elsewhere because I want all my staff, not just the high-value staff, to be able to access and get what they need done.
> SSO is a fairly decent "are you a business or an individual" lever.
Arguably, a "are you a business rich enough to afford better security concepts" lever. So the smaller companies are left stranded :(
I understand your point, but at the same time I'd rather go for other levers. Maybe charging extra for SSO on support plans, while making SSO features themselves freely available (without support)?
[Ed.: I see you reworded your post a bit:]
> I agree. We do have plans to support free "social SSO" in the future with certain providers.
I guess that could cover most realistic small-business use cases. Or rather, if you can afford a "complicated" SSO solution, you can actually afford a SSO surcharge on services too. Sounds like a better lever?
FWIW - all of the prices listed on sso.tax look to me like reasonable amounts for anything that can call itself a business in the western Europe or the US.
One can view it as the SSO-enabled offering being a product, and the SSO-less option being a demo. Which, let’s be fair, it really is.
So, would you advocate the removal of the SSO-less trial discount ?
The issue isn't so much that one single separate service is priced in a certain way. When you add up dozens and dozens of services for various split needs for the business, and each one of them has a $/user/month thing and then to build decent security into it all, you double or triple that amount per service. It adds up, very quickly.
For the good of the Internet, the security of the global entirety of things, it is very very wise if everyone makes an attempt to make the defaults sane and secure, including things like this. It surely is a differentiator between "individual" and "business", but it shouldn't have to be. I agree wholehartedly with the sso.tax site that it's just one way for business to attempt to make revenue out of a basic need that any modern company would have.
Make the profit of real value added services for enterprises, automation, integrations, support, advanced features that gives insights or saves money or whatever; but don't be sneaky with the security aspect, is basically what I'm saying.
Compare it with streaming services. No one can argue against Netflix being particularly expensive. Anyone can afford it. It's just one latte per month. But when you not only want to consume what is on Netflix, you have to get another service, and another, and another, and another. Very very soon the aggregated cost starts to be very noticeable for a lot of people. And piracy makes a comeback.
Yes, I would advocate the removal of the SSO-less trial discount. Rationale: most of these "trials" are otherwise fully capable and lend themselves very well to becoming long-term ways of doing things. "Nothing is more definitive than the temporary."
Or, to view it from a different angle - SSO is not a/the feature that should be removed to make it the "trial".
And from yet another angle: you could consider removing (or not offering) SSO similar to selling a car without seat belts (ignoring aspects of legality). It's not a problem until it is. But if you want the seat belts to be effective, you need to always have and use them from minute zero.
Why would we care about anyone not in the richest countries. It's not like they need security by default to not become another botnet and DDoS Europe or US businesses.
I would like to see you justify paying sso.tax to business owner in countries where sysadmin is payed less than those services ask in a month
> As I always say: people will pay $10 every day for a latte and a donut at Starbucks but you have to twist their arms to get them to pay much less than that for software they get tons of value from.
I guess there's a lesson or two in market positioning and distribution in there somewhere.
It's almost like they'd seen those arguments and behaved accordingly. They don't make you call for pricing. They don't have SSO bundled into a higher pricing tier. It's à la carte for $5.
We've been hard at work on this for a very long time, and we're obviously quite happy today! This is a must-have or really-want for a huge number of business customers.
That being said, we don't and are not going to require SSO sign-in. You'll always be able to just authorize a device. (On SSO networks that's done by setting them to SSO-exempt.) You can also self-host network controllers like always, and we're planning on making that easier in the future not harder. We're all about not forcing you into ecosystems (SSO can do that) and about decentralization.
As for other stuff coming in the near-mid future: version 2.0 is not dead. We obviously got massively derailed (mostly good but very distracting things) and under-estimated the scope and time, but it's still moving forward. We have not announced this elsewhere yet, but it's a near-total port to Rust. This is to get into a more modern language but also to use a safe language for security reasons. This has added time to the job but we're of the opinion that security-related software not written in a safe language is going to be considered a bad thing in the near future (if not already).
V2 also has some significant cryptography improvements that bring us more to parity with more modern constructions like the noise framework. This part has been going slow too because we've been moving carefully and soliciting a lot of peer review both informal and formally hired. Cryptography isn't something you just toss out the door and YOLO. :)
Last but not least we are planning on some kind of transition from the BSL back to an OSI-compliant licensing scheme, but want to think this through rather than flail around.
People at this site have really been fans and have helped us a lot over the years, and we're grateful. Thanks!