Overlay Network, SDWAN, and Open Source Mesh VPN Solutions Explained 

A Nebula guide would be awesome!!!

While experimenting with zerotier and tailscale I did some tests. First I tried the maximum speed I could archive I used two LXC Containers on a ryzen 9 3950x Both "external interfaces" are connected to the same subnet -> ZeroTier Nodes can talk to each other directly iperf3 standard test is used Both LXC Container 8C 8-CPUlimit 27.0 Gbits/sec direct connection 1.59 Gbits/sec over ZeroTier 43,75% CPU usage by Zerotier on sender and reciver Both LXC Container 8C 1-CPUlimit 26.9 Gbits/sec direct connection (no suprise since iperf is single threaded) 1.16 Gbits/sec over ZeroTier 12,3 % CPU = One Thread Both LXC Container 8C 0.1-CPUlimit 2.70 Gbits/sec direct connection (now we are seeing a reduction to 10% since one core can only max out at 10%) 108 Mbits/sec over Zerotier again ~10% the performance Both LXC Container 1C 1-CPUlimit 26.9 Gbits/sec direct connection 2.02 Mbits/sec over Zerotier this should have no diffrence to 8C 1-CPUlimit I find especially the last two tests interesting, both should get the same amount of cpu power but the first can split across multiple threads, the 2. one cant. This test was done in May 2020. I am not sure if those speeds would change if I run them now. The 2. test I did was between two Hetzner Cloud VMs with iperf and one CPU core 1.29 Gbits/sec - Directly 10.1 Mbits/sec - ZeroTier (but I think something is broken here) 243 Mbits/sec - Tailscale Tailscale goes up to 80% CPU on single core while doing 240-260Mbits ZeroTier going 100% CPU while doing 10-20 Mbits Now with 8 vCores on each system 1.12 Gbits/sec via ZeroTier CPU @ ~25% usage 419 Mbits/sec via Tailscale CPU @ 30% usage So Tailscale was able to get decent speeds on a weak system, but Zerotier got way faster if you give the server the horsepower for it. Now for my personal use of those two. I had a zerotier controller and two moons set up, for those who do not know what a moon is, it is supposed to "proxy" the traffic between two nodes if they cant establish a direct connection. As of May 2020, those two moons never worked as I thought they would, if two devices didnt manage to create a direct connection the proxied one was not even stable enough for SSH to work properly, and yes, they were set up in all clients aswell, and showed up. Tailscale didnt and still doesnt seem to have this issue, connections to any of my machines work flawlessly and are so fast I do not notice the "VPN" stuff behind it at all. One can use the "tailscale status" command to get information about the connections between the devices [ID] linux TailscaleIPof Server1 fra *PublicIP:41741*, InternalIP:41681 [ID] windows TailscaleIPof Server2 fra *PublicIP:41631*, InternalIP:41741 the two ** indicate what connection is used beween two devices. the first couple of pings after a reboot or reconnect are in the 100ms range, thats when the connection is still proxied over tailscales server, in the background they test the IPs and Ports of the remote machine that they got from the controller and after maybe 5s. the direct connection is there and youll see close to line pings. Currently I use tailscale, but with a grain of salt since currently you are bound to their service AND a google or microsoft account. If zerotiers moons would work as I think they should I would instantly switch back again. Because with Zerotier you can create multiple Networks, define your own IP ranges, assign IPs to the clients yourself, and route 0.0.0.0/0 through a definded node ! Tailscale is a great "it just works" MeshVPN to connect your different devices without having to care about anything behind it.

I just want to thank you for all of the videos you upload and all of the work you do for us. You help to keep me up to date and informed and you really help to provide stability in sometimes a very all over the place profession of IT. Keep up the great work! I will continue watching and trying to grow and prepare myself in IT thanks to your help! :)

Thanks Tom - Awesome info. I would definitely like to see Nebula in action. I found out about Zerotier from one of your videos and it has been useful to maintain connectivity to my home and work labs. Keep them coming!!

Was looking at Zerotier to solve an issue, appreciate the overview and comparison.

Ooooo you did check out Nebula, cool! Was happy to get the notification for this video.

Interesting concept for sure. I do agree with Tom that a traditional VPN is more suitable for a use case such as connecting to your home (or office) network remotely.

Thanks Lawrence. Great video!

Definitely more interested in how to fix that firewall/ACL workaround.

An awesome channel for technuprenuers

Thanks for the video!

14:20 You can install zerotier on your routers, this way it basically acts like a bridge between the routers and you don't have to do anything else besides adding some static routes on the zerotier UI. Edgerouters work very nicely for that. And then it's just business as usual configuring your firewalls

• The ability to push DNS configuration to members, a long requested feature that will be valuable in enterprise environments with internal DNS servers or Windows domain controllers. The network controller side of this can be edited in ZeroTier Central by adding ?dns=1 to the end of the /network/ URL when viewing or editing a network. This will reveal a DNS configuration box in the network settings area beneath multicast configuration. On the client you must allow DNS setting management for a network in the ZeroTier UI or via the command-line interface with zerotier-cli set allowDNS .

Tom tweets about Nebula, makes video over following day. 🤣

I am using the key-networks self hosted controller. It does work as advertised, and I have had no major issues - but it is a little rough. A few issues here and there with values being cached, or taking several attempts to update properly.

Nebula Links www.defined.net/ slack.engineering/introducing-nebula-the-open-source-global-overlay-network-from-slack/ github.com/slackhq/nebula#what-isnebula www.zerotier.com/ Self hosted Zeroitier tool (I have not tested) key-networks.com/ztncui/ My review of Zerotier ru-vid.com/video/%D0%B2%D0%B8%D0%B4%D0%B5%D0%BE-Bl_Vau8wtgc.html Review and Tutorial of Nebula ru-vid.com/video/%D0%B2%D0%B8%D0%B4%D0%B5%D0%BE-94KYUhUI1G0.html

Nebula video is a must! :-)

Love zeroteir. Use it for both my vpn access (split tunnel) to internal resources and cross site transport (eoip for layer 2 bridge + routed subnets)

Interesting video. It seems like you may get some benefits running this over DMVPN which that local network example you gave. I assume you could just setup on of these servers and possibly point your routed LAN interfaces default gateway to the server and then point the default gateway of the server to your nat firewall then? Are these tunnels pretty much ipsec/gre meshes? It would be interesting to see a video demo on nebula.

Thank you very much for the video and why didn’t I know about those projects huh. Its actually sounds perfect for what I is using vpn for because that is only to manage my online servers and right now it’s using normal vpn with client-to-client activated. Also it would also lower my ping and a little bit better speed when transfer because of the 1 less route hub

How is UDP punch through different from WebRTC? You have a STUN server that coordinates two clients and sort of spoofs for that initial connection to allow direct client-client UDP traffic (potentially falling back to a relay just like zerotier) and usually firewalls don't matter unless they are blocking the STUN servers. Great video thanks!

After speaking with one of the developers of Nebula their update for IPV6 support will be coming soon, allowing more situations where Nebula will work, especially when involving CGNATs. I'm running the development branch of their outside_ipv6 and it works flawlessly. Punching through EEs CGNAT. I moved away from Tailscale as I don't appreciate that they can add any devices to my network0. If/when they open source the server, Ill reconsider.

A couple of months ago I did looked into Nebula and thought it's a cool project to link two sites together and room to grow when more sites get added. Would love to see the video about it on here.

cool so if I use zerotier, can I access to the printer without install on it the other day the app, I mean if I install only on a laptop, can I have access to the entier local network

Let’s say I have a deployment where my lighthouse is in the cloud and I have 4 other hosts. 1 and 2 are in the same cloud as the lighthouse and 3 and 4 are in a different cloud. When I connect from host 1 to host 2 does it use the public IP and goes over the Internet? Wouldn’t that be really inefficient? Can it go over a private Cloud Network?

Cool, you explained the same thing again. But what about performance compared to a traditional VPN? Especially when considering remote desktop.

I always had issues getting ZeroTier to handle multiple subnet routing.

I made the experience that virtual network adapters added by third party software will often be removed by windows updates. Is that an issue with this product?

Tinc Mesh VPN is another one. It has a nice integrated GUI in Tomato (FreshTomato) Firmware.

is this similar to n2n - L2 P2P VPN

I was ready to use Zerotier Edge appliances everywhere (cabin, parents house etc.), but now it's EOL so looking for another solution where the client does not have to be on / routing to other non PC devices.

dude you rock :)

Nebula setup? Yes please!!!!!

Nebula video please! I use ZeroTier currently to access cloud resources on a private network. After you get over 50 devices there is a cost to use ZeroTier. I would prefer to spend that money on a self hosted solution that I have better control over.

It reminds me of Hamachi from LogMeIn, not the same but also kind of similar.

Guide would be nice 👍🤠

👏 👏 👏

Tutorial would be appreciated.

At the end of the day, if you don’t control the firewall, SSL VPNs are the only solution (and you do have more control and requires less dependency or trust in entities that you do not know).

I use Zerotier because my ISP have double nat and I can't access my pc through traditional VPN

nebula video will be nice

Nebula Demo please

You can load Zerotier on a Edgerouter X to work as a traditional VPN / expose your LAN kruyt.org/zerotier-on-a-ubiquiti-edgerouter/

The problem that i can see here is that Wireguard is at least twice fast compared to nebula. I prefer to do more configuration to know that i'm getting the best in terms of speed and performance. If the throughput you need is very low, nebula could be take into consideration. Imagine that i can put Wireguard on Ubiquiti ER-4 and get minimum 300Mbps in throughput (with wireguard) and 70-80Mbps with Zerotier.

Zerotier would be greate on a client Pfsense Box, they are behind a silly ISP who donb't give they an public IP !!

i think nebula vpn like wireguard in methodology .isn't it ?

Tutorial on Nebula 🙏🏽

One of my ISP Block All UDP Traffic😫😫

the question is do they include default 'multicast' video and related 'one to many' streaming options to bypass the likes RU-vid censorship and passthrough etc, ie a far better data saving than unicast video streaming for the end users and small scale self hosted providers on mass, as per its original intent before the world's consumer isp's unilaterally blocked native end user 'multicast' data streaming at their isp end point routers etc. basic good multicast real life setup ru-vid.com/video/%D0%B2%D0%B8%D0%B4%D0%B5%D0%BE-fIg_9wJlQX4.html Multicast 30,398 views•Jul 30, 2016,CWNE88 ru-vid.com/video/%D0%B2%D0%B8%D0%B4%D0%B5%D0%BE-KI0LuIcFM98.html Raspberry Pi Multicast TV server 1,415,977 views•Aug 2, 2016,CWNE88 ru-vid.com/video/%D0%B2%D0%B8%D0%B4%D0%B5%D0%BE-ZPzYKVar13c.html TV Technology - Part 10 - Raspberry Pi TCP IPTV Server (aka multicast to unicast video streaming) 16,455 views•Apr 7, 2019,CWNE88

What a complete waste of time that nebula was. I have been testing this over the weekend, don't waste your time. Nebula does not currently support relaying through the lighthouse so with devices behind multiple NAT you just get problems. They have been trying to get hole punching better but it looks like its way behind the current zerotier offering.

Could post your content to odysee or lbry? Everything shared between these platforms. No one person or government can get in the way. It only takes 2 mins to sync your RU-vid videos Thank You for your HELP!! Its RU-vid just on a different plat form. All OpenSourced on github 1. Signup with an email and create a password 2. login in 3. Sycn your RU-vid Videos, these videos can NOT ever be delete because its not GOOGLE.

first!