Jack Palauskas

Sometimes I like to make things.


On the emergence of zero-trust SDNs

As systems grow in infrastructural complexity, and the push to avoid vendor lock-in grows within the enterprise, new tech stacks continue to emerge for zero-trust Software Defined Networking. How does one connect two services together safely without exposing unencrypted traffic to the open internet?

Zero-Trust SDNs have emerged as ways to both orchestrate and encapsulate the flow of data between devices and subnets with far less configuration than a traditional OpenVPN or PPTP connection (PPTP, whose MS-CHAPv2 authentication is broken, should not be deployed at all any more). The most notable ones are:

  1. Tailscale
  2. Zerotier
  3. Headscale (an open-source implementation of the Tailscale control server, usable with the official Tailscale clients)

But which of these should you choose for your next project? What are their pros and cons?

Zerotier

Zerotier was my first foray into zero-trust networking. It is its own protocol and system, and its network controller can be self-hosted (without a web UI), so you can create your own Zerotier networks and authorize their members without depending on Zerotier's hosted controller.

Zerotier at the time of writing was free for the first 25 devices, but if you install it on a router and expose an entire /24 (Class C) subnet behind it as a managed route, each of those 25 slots can front up to 254 hosts, for 25 * 254 = 6350 reachable addresses if you build your network to support it. I have multiple exposed subnets, and I find it very easy to deploy. I may write a guide on this soon, but Zerotier's own documentation is good.
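As an added example (not from the original post or from Zerotier's own documentation), this is what exposing a LAN /24 through a Linux router looks like end to end: the managed-route fragment the controller expects, the push to a self-hosted controller over the node's local JSON API, and the forwarding rules on the router itself. The network ID, subnet, interface name and the router's Zerotier address are all assumed placeholders, and the `listnetworks` column layout is assumed to match the stock `zerotier-cli` output.

```bash
#!/usr/bin/env bash
# Added example, not part of the original post. Bridge a LAN /24 into a
# Zerotier network from a Linux router that also runs the network controller.
# Every value below is an assumption; override via environment variables.

ZT_NETWORK="${ZT_NETWORK:-8056c2e21c000001}"   # hypothetical 16-hex-digit network ID
LAN_SUBNET="${LAN_SUBNET:-192.168.50.0/24}"    # LAN behind this router (assumed)
LAN_IF="${LAN_IF:-eth1}"                       # interface facing that LAN (assumed)
ZT_VIA="${ZT_VIA:-10.147.17.1}"                # this router's Zerotier-assigned address (assumed)

# Managed-route fragment for the controller API: POST /controller/network/<nwid>
# takes a JSON body whose "routes" array holds {target, via} entries. Members
# with "allow managed routes" enabled install "target via <via>" automatically.
zt_route_json() {
    target="$1"; via="$2"
    printf '{"routes":[{"target":"%s","via":"%s"}]}\n' "$target" "$via"
}

# Upper bound from the post's arithmetic: N member slots, each a router in
# front of a /24 with 254 usable host addresses.
reachable_hosts() {
    members="$1"
    echo $(( members * 254 ))
}

# Push the route to the local controller. The service listens on 127.0.0.1:9993
# and authenticates with the contents of authtoken.secret (X-ZT1-Auth header).
push_route() {
    token="$(cat /var/lib/zerotier-one/authtoken.secret)"
    zt_route_json "$LAN_SUBNET" "$ZT_VIA" |
      curl -sS -X POST -H "X-ZT1-Auth: $token" \
           --data @- "http://127.0.0.1:9993/controller/network/${ZT_NETWORK}"
}

# Router side: forward between the zt* interface and the LAN. Masquerading
# toward the LAN means LAN hosts never need a return route for the Zerotier
# range; drop the MASQUERADE rule if you prefer to add that route on the LAN
# gateway instead. Column 8 of "zerotier-cli listnetworks" is the device name
# (assumed stock output; network names containing spaces would shift columns).
enable_forwarding() {
    zt_if="$(zerotier-cli listnetworks | awk -v n="$ZT_NETWORK" '$3==n {print $8}')"
    sysctl -w net.ipv4.ip_forward=1
    iptables -t nat -A POSTROUTING -o "$LAN_IF" -j MASQUERADE
    iptables -A FORWARD -i "$zt_if" -o "$LAN_IF" -j ACCEPT
    iptables -A FORWARD -i "$LAN_IF" -o "$zt_if" -m state --state RELATED,ESTABLISHED -j ACCEPT
}

# Only touch the system when explicitly asked: ./zt-subnet.sh apply
if [ "${1:-}" = "apply" ]; then
    zerotier-cli join "$ZT_NETWORK"
    push_route
    enable_forwarding
fi
```

Run it with `apply` on the router as root; the member still has to be authorized on the controller (or `authorized: true` set on it through the same API) before traffic flows, and the forwarding rules are not persisted across reboots here, so fold them into your firewall's own config once they work.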

One note: if you run Zerotier on a router, make sure it has enough CPU to push traffic through the tunnel without hardware offload. Zerotier's encryption and packet processing run in userspace, so its CPU usage scales with the amount of data you pass through it. I find myself frequently maxing out an EdgeRouter I have installed in my workshop at just 35 Mbps of continuous streaming over the Zerotier interface, while my OPNsense router with an i5-3570K and 8 GB of RAM seems to handle huge amounts of throughput just fine.

Do I recommend Zerotier? Yes, absolutely. Especially for connecting machines together.

Tailscale

Tailscale was my second foray into Zero-Trust SDN. I got into it because I quickly maxed out my 25 free Zerotier slots but didn't want to add yet another SaaS product to my expenses, or go through the long process of deploying a self-hosted Zerotier controller.

I find Tailscale's authentication system more elegant than Zerotier's. While Zerotier is perfect for connecting machines to other machines, Tailscale excels at connecting humans to machines. Its support for numerous identity providers lets employees, contractors, and partner companies join your Tailscale network automatically, with access rules (ACLs) that you define centrally in the tailnet policy.

Its desktop UI is fantastic, but I have not yet found a way to be connected to more than one Tailscale network at the same time, whereas I can connect to 3 or 4 concurrent Zerotier networks without issue. That being said, if you are looking for ways to connect humans to groups of servers in different places, Tailscale integrates with pretty much every major identity provider, including and most especially Office 365 accounts.

I have had great success using Tailscale to connect remote workers to VoIP systems, and with a little tinkering I was able to get Tailscale running flawlessly on FreePBX.
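The "access rules that you define" above and the remote-worker-to-FreePBX setup are easiest to understand from an actual tailnet policy, so here is an added example (not the original post's configuration, and not from Tailscale's docs): a policy that lets a group of softphone users reach a PBX tagged `tag:pbx` on SIP and RTP ports only, gives admins the web UI and SSH, and carries built-in `tests` that the control plane evaluates before accepting the policy. The user e-mail addresses, group and tag names, the `example.com` tailnet and the `TAILSCALE_API_KEY` environment variable are assumptions; the RTP range 10000-20000 is Asterisk's default and should be adjusted to whatever your `rtp.conf` says.

```bash
#!/usr/bin/env bash
# Added example, not part of the original post. Generates a Tailscale tailnet
# policy (HuJSON) for a FreePBX host and validates/pushes it with the v2 API.
# All identities, tags, ports and the tailnet name below are assumptions.

TAILNET="${TAILNET:-example.com}"            # tailnet name (assumed)
API_KEY="${TAILSCALE_API_KEY:-}"             # API access token from the admin console (assumed env var)

# Emit the policy. Kept in a function so it can be diffed, linted and tested
# without touching the network.
build_policy() {
cat <<'EOF'
{
  // Humans are identified by their IdP login; groups keep the rules readable
  // and let onboarding happen by editing one list instead of every rule.
  "groups": {
    "group:voip-users": ["alice@example.com", "bob@example.com"],
    "group:pbx-admins": ["carol@example.com"]
  },
  // Only admins may attach tag:pbx to a node, so a user cannot claim the PBX
  // role for a machine of their own by self-tagging it.
  "tagOwners": {
    "tag:pbx": ["group:pbx-admins"]
  },
  "acls": [
    // Softphones: SIP signalling (5060, TLS on 5061) and the RTP media range.
    { "action": "accept", "src": ["group:voip-users"], "dst": ["tag:pbx:5060,5061,10000-20000"] },
    // Admins additionally get SSH and the FreePBX web UI.
    { "action": "accept", "src": ["group:pbx-admins"], "dst": ["tag:pbx:22,80,443"] }
  ],
  // Assertions evaluated on every save; a failing test rejects the policy,
  // so a later edit cannot silently widen or break access.
  "tests": [
    { "src": "alice@example.com", "accept": ["tag:pbx:5060"], "deny": ["tag:pbx:22", "tag:pbx:443"] },
    { "src": "carol@example.com", "accept": ["tag:pbx:22", "tag:pbx:443", "tag:pbx:5060"] }
  ]
}
EOF
}

# Dry run: the control plane parses the policy and runs its "tests" section
# without saving anything. Exits non-zero on an HTTP error.
validate_policy() {
    build_policy | curl -sS --fail -u "${API_KEY}:" \
        -H 'Content-Type: application/hujson' --data-binary @- \
        "https://api.tailscale.com/api/v2/tailnet/${TAILNET}/acl/validate"
}

# Save the policy. Same endpoint without /validate.
push_policy() {
    build_policy | curl -sS --fail -u "${API_KEY}:" \
        -H 'Content-Type: application/hujson' --data-binary @- \
        "https://api.tailscale.com/api/v2/tailnet/${TAILNET}/acl"
}

# Usage: ./pbx-policy.sh validate | push   (no argument just defines functions)
case "${1:-}" in
    validate) validate_policy ;;
    push)     push_policy ;;
esac
```

Because the default rule in a tailnet policy is deny, anything not listed (the FreePBX AMI port, the database, the management UI for ordinary users) stays unreachable even though every device is on the same tailnet; that is the whole point of the "zero-trust" label here, and the `tests` block is what keeps it true after the next edit.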

Do I recommend Tailscale? Absolutely. I haven’t tried Headscale yet, but when I do I’ll make a writeup on it.

So Which Zero-Trust SDN Do I recommend?

Like just about anything in systems, the answer is: it depends. For most people, I would recommend both, at the same time. Why? Because two is one, and one is none. Both are mature enough at this point to be used in fairly heavy environments without major issue, and both are cheap enough that neither should break the bank.

If you are only connecting machines to other machines, Zerotier is great; I have local machines behind NATs in my workshop connecting upstream to reverse proxies that have been running with near-perfect uptime.

If you are connecting people to servers, Tailscale's authentication methods make it a breeze for an IT administrator to deploy complex networks. Tailscale's MagicDNS is a nice touch too: I can connect to a device as http://DEVICENAME instead of 192.168.192.55.

What you choose is up to you, but both are great, and both are completely and totally worth a try.