So I did an in-depth video last week about ZeroTier and how it works, and it's been pretty fascinating as I've dug into it and really gotten an understanding of the protocols and how it gets systems connected. And I wanted to clarify something. A few people had asked, what's the difference between ZeroTier and a VPN? ZeroTier is a unique use case, but it can do VPN-like functions. And I say VPN-like functions because it does support routing, and it does support creating bridged layer 2 interfaces, so it can be used as a VPN or to connect a remote branch network. So that is one of the use cases for it. But a lot of the basic use case makes it very handy for just getting servers connected, and we're just going to talk about some of the ways it works. It's a little bit different.

So with the VPN, you've got your firewall, your main office firewall. On the main office firewall you set up the VPN, generally as the receiver; it picks up the VPN. You have the routing tables for how to get to all the different devices and different networks on the network that you build. And then you have a VPN client loaded, let's say, on a phone or on a laptop so people can get back into your network. And it's a direct connection that you own, per se. You have a static IP address assigned to the main office. And maybe when you're connecting branch offices together, you have the firewall configured to automatically call the other firewall and take care of it, so there's nothing on the client-side network over here; it's just routed through the firewall using standard routing protocols. And that's simple when you have one office. If you have a dozen offices, you then have to build a dozen VPNs with routing protocols, because let's say, if this was the use case, you needed servers at every location and you needed to get to the servers at all locations. That can be done; you just have to build routes back and forth between all of them.
And this can be a little bit more complicated, and some of the solutions for that are things like MPLS, where you create these private networks. That's the use case where ZeroTier really shines. So obviously it's really simple from a home user standpoint, or even a small dev team, where you go, I have a ZeroTier client over here and a ZeroTier client over here, and I just need these two devices to talk to each other.

Now, the difference from a VPN is you are routing through the ZeroTier servers. They're referred to as the ZeroTier planet servers, and I go a little more in depth into how they work, but it's cloud-redundant. These servers are scattered around quite a bit, so no matter where you are internationally, nationally here in the US, in Europe or wherever, there's a ZeroTier server nearby to you. And if you don't want to relay things, because this is an open source project, and you don't want to use ZeroTier's servers, you could, one, recompile it not to use the ZeroTier list, or use the ZeroTier list and also have your own servers in between for relaying. That way, if for some reason all the different nodes, and there are a lot of them for ZeroTier, were all to somehow magically fail, you would still have a way to get your devices connected, because they route through here: the firewalls are unaware of each other. The clients don't have to be aware of what network they're on. They only have to have routable access to the ZeroTier planet servers, and from there they'll figure out all the connections in between.

So let me open up my little map quick that I used in the last one. Here's the internet with the dispersed ZeroTier servers. Here's a firewall at the office. Here's a DigitalOcean server I did in my other demo. My firewall at home. And each of these has two IP addresses assigned to them, because they use ZeroTier to get that network information over, but they're all on this 10.147 network. Pretty straightforward.
They all have an extra IP address assigned to them in addition to the main IP. So instead of routing, all I'm doing is going to the IP address of the device that I want to get to. No matter where I move any of these devices, they're always going to have these ZeroTier addresses assigned, so I just go to that IP address. So this one is always going to be 10.147.18.14, so I can always just go to that particular device whenever I need to.

But I want to dig a little bit further. So this is like the overview of what makes it a little bit different from a VPN, and obviously it's really convenient as a use case, because if you have a file server, or even a gaming server, because I see a few people set up their servers this way, you don't want to open any holes in your firewall. That's one of the huge differences. They're using UDP hole punching, but it took no configuration on my part to configure these firewalls. It just uses NAT traversal, versus a VPN. I've got videos on how to set up, like, OpenVPN: you do have to open up ports and maintain OpenVPN and configure it and write all the routes. That's not necessary when you're doing it here. So no matter where you move, or even in the case of my phone when it's just wandering around on a cell network, it completely works flawlessly and gets a connection on there.

I wanted to show the kind of connection that's actually happening. I have it on my phone here, and I'm going to tell it to log into something so I can create some connections and show you what it looks like in pfSense. Now, as I said, I've done no configuration on my pfSense boxes: the out-of-the-box default pfSense, or even other firewalls I've tested. I've taken my phone other places, with people who have consumer routers or just the one from their cable company at one of my friends' houses, and seen ZeroTier work fine. My phone connected to my boxes that have ZeroTier anywhere I went, and it was actually really impressive.
And we mentioned it on the How They Got Hacked episodes. Dave here has been using it to connect to his home network, and he feels comfortable with it after auditing the security himself, looking at it and going, this is really nice. It does not require him to open up any firewall ports at home at all to be able to get to his servers at home and in the cloud that he attached it to. He can lock them down so there are no external ports open and still be able to jump in there.

Let's show you what that looks like from the pfSense side. So here are the two connections that we have. We have Debian at the office, which is sitting right here, and we have Tom's phone, and Tom's phone is running an SSH client so we can log into this particular machine. Now you can see they're on two separate networks. You can't see the whole address, but 172.56, who owns that, real quick? Okay, T-Mobile, that's a T-Mobile IP block. So 172.56.10.68 is the current public cellular address that my phone sees, or that the device sees connecting to it right now. So I'm on the T-Mobile network, and by the way, when I do some of the tests here they're still reasonably fast even though my phone only has a few bars; the latency is really low. I'm browsing on my phone and connecting to here, and we'll show you what it looks like from here.

So we're going to cat the auth log, and you can see that I'm logging in as session user tom. Yeah, accepted password for tom right here from 147.17.135. Now this is where it's really cool, because of the way ZeroTier is working: it's just coming across on this private network with this secondary adapter. When you go here, change the screen size. Here is the IP address this has internally on the network, and here's the IP address it has right here. So all the traversal is going through not like a standard VPN, but sideways, so to speak; it's just traversing the private network.
It comes in, I logged in from my phone, even though my phone has a separate public IP address; I don't see it coming from there. I see it as coming from this local IP address there. Now this is what it looks like from the pfSense firewall. I've blurred out my public IP address, but when I look at the connections and what's going on in my firewall, and like I said, I've done nothing to this pfSense, there are no ports open for ZeroTier. It's just host 172.56.10.68, that T-Mobile address that's assigned to my cellular network, and you can see it's connecting to the internal 192 address in there. It comes through our 50.x public IP address, then lands on the 192 address, and away we go. In fact, I even pulled up a shell, so it has a couple more connections in there that stay open.

But this is what's really interesting. Like I said, it's very much like a VPN in terms of I still have that connectivity, but it's not like a VPN because I had to do no configuring in any of the firewalls, and the clients didn't need any special configuring. You just load the ZeroTier client, add them to the network, and away you go.

Now the last thing I'll show you, that I want to dig into, that was really interesting: close this, and I decided to do a full packet capture in Wireshark of how it goes on there. So I wanted to see if I could see any information in here. So this is that internal IP address again, and unlike a traditional VPN, there are a couple of things in here you can ignore. This is ZeroTier talking to my phone on that 172.56 network again. It sees nothing. It sees just some encrypted UDP. As I talked about before in my longer video, they're using encryption top to bottom with all this, because it all traverses the public net. But I did track, and these are the connections it does to the ZeroTier clients. Once again, all connected.
The only thing they are able to see is that metadata going back and forth, but once it connects to the ZeroTier planet servers, it then brokers that connection to go through the UDP hole punch right here, and there's just, it's all just no data in here. Works exactly as expected in terms of encryption. I tried decoding some of this; I wasn't able to get any information out. It's just all general chatter, but it's all encrypted going on. So still, like a VPN, you're still using encryption, and it does contact a handful of servers, kind of for redundancy, which is really slick. And I did try a couple of things, like when you move networks it establishes really quick, and that's part of the reason it connects to quite a few of them at once, and these are all the different ones. I didn't look up every one of these, but I know the three, five, one, and at least a handful of others are all these ZeroTier servers.

So, really clever the way this works. I'm still impressed with it. Even looking at Wireshark, I was not able to glean any data out of a full packet capture, and I did this capture from startup. I did a startup packet capture, so watching it walk through, talk to the firewall directly, and it goes through and sees what it can gather back and forth trying to get the session started.
Okay, you know, it's trying to do NAT-PMP. It's trying to get things opened up. We don't have the automatic NAT traversal turned on, and if you're wondering about NAT-PMP you can look it up; it's the auto-mapping, it's the UPnP mapping. It actually makes the request for it, but my firewall has that turned off; pfSense does by default out of the box. So it does try to open up a couple of ports to make the hole punch solid, but like I said, my firewall declines it, but it still works. So in here is all the little data going back and forth.

So like I said, after a week of really digging in, and not just me, people way smarter than me have been digging into this protocol for a while, it's really impressive. It does work very similar to a VPN. It does have the ability, as a more advanced use case, to create bridges and routing, and I may stand up a server just for that to do some more testing, because it can do full layer 2 routing, and you can bridge it into a switch and create two networks where other devices don't need to have the client loaded, but they go across one client. Sounds a little complicated; they do have documentation on how to do it, and I may follow through and look at that. But for a use case of I need to connect my couple of boxes, or something I have at home, or a server I have, loading ZeroTier on, even a Windows computer, and then being able to access the resources on there as if it's just another network adapter makes ZeroTier a really simple way to just get connected, without the complexities of having to set up a VPN. And it's referred to as an SD-WAN solution because it is software-defined and you can software-redefine it on the fly, which is really impressive. Like I said, watch my longer video on this for more in depth on how to join and move networks, and of course, you know, RTFM: they have a ton of documentation, being an open source project, which is great, because it's nice when all these protocols aren't, you know, done in mystery. But I will at least comment on one thing I know this
will be a concern of some people. Yes, you notice, because my box here is now reaching out and talking to all these ZeroTier servers, and I did mention metadata: ZeroTier will know all the devices you're connecting. So they're going to see my phone here at the 172.x T-Mobile address, and they see this computer coming from my public 50.x Comcast address that we use here. So they do have that metadata, but they don't have the details. Maybe, okay, they do have what you name the server and things you put into the ZeroTier software, but they don't have any actual data traversal, so it's all metadata. So that could be marked as a disadvantage, because if you want a VPN to be discreet... but then again, is it really discreet? Because all the hops you go through still see the two endpoints connecting to each other. So once again, metadata has been collected; they know that this firewall and this firewall have a VPN client between them. Granted, you're just adding ZeroTier into the list of people that know you're making TCP/IP connections, but there's not much of a way to really avoid that. At some point, someone's going to know you're making TCP/IP connections across the internet, and they could piece together some of the devices. So if that's a concern of yours, having ZeroTier know the public IP addresses of where all your devices are connecting from, well, then maybe don't use it. But if you have nation-state-level actors looking at that kind of stuff, you may really want to dig further into how you're doing things, and also probably don't do anything illegal, because it's a bad idea. But nonetheless, that is at least one thing I'll throw out: if you're doing a VPN versus ZeroTier, that is a difference. They do have that metadata, but like I said, this is all encrypted and they have nothing else.

All right, go ahead, give ZeroTier a try if you're interested in it. Like I said, it doesn't cost anything to sign up on their website and start building these software-defined networks.
It's a slick system, and if you want to go and use it professionally, they do have paid support packages and tickets, and I can confirm from friends I've talked to, their dev team is responsive if you have questions or concerns or need help standing up a network in a commercial environment. They do offer that paid support for it.

All right, thanks for watching. If you like this video, give it a thumbs up. If you want to subscribe to this channel to see more content, hit that subscribe button and the bell icon, and maybe YouTube will send you a notice when we post. If you want to hire us for a project that you've seen or discussed in this video, head over to laurancesystems.com, where we offer both business IT services and consulting services and are excited to help you with whatever project you want to throw at us. Also, if you want to carry on the discussion further, head over to forums.laurancesystems.com, where we can keep the conversation going. And if you want to help the channel out in other ways, we offer affiliate links below, which offer discounts for you and a small cut for us that does help fund this channel. Once again, thanks for watching this video, and see you next time.
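Added example (not from the video and not ZeroTier's code): a toy model of the rendezvous-assisted UDP hole punch the video describes, showing why neither firewall needs a port opened and why the rendezvous server ends up holding only public-endpoint metadata. The NAT behaviour (one public port per inside socket, inbound accepted only from endpoints that socket has already sent to), the `Nat`, `Peer` and `Rendezvous` classes, and all addresses (RFC 5737 documentation ranges) are assumptions made for the example. It does not model the relaying that the real root servers do while a direct path is being set up.

```python
"""Toy model of rendezvous-assisted UDP hole punching through two NATs.

Constructed example: addresses are RFC 5737 documentation ranges, and the
NAT model is a simplifying assumption, not a description of any real firewall.
"""
import itertools
from dataclasses import dataclass, field
from typing import Dict, Optional, Set, Tuple

Endpoint = Tuple[str, int]


@dataclass
class Nat:
    """Stateful NAT with no port forwards configured (assumed behaviour).

    Each inside socket gets one public port (endpoint-independent mapping).
    An inbound datagram is accepted only if that inside socket has already
    sent something to the exact remote endpoint; everything else is dropped.
    """
    public_ip: str
    mappings: Dict[Endpoint, int] = field(default_factory=dict)       # inside -> public port
    permits: Set[Tuple[int, Endpoint]] = field(default_factory=set)   # (public port, remote)
    _ports: itertools.count = field(default_factory=lambda: itertools.count(40000))

    def outbound(self, inside: Endpoint, remote: Endpoint) -> Endpoint:
        """Translate an outgoing datagram and remember whom the socket talked to."""
        pub_port = self.mappings.setdefault(inside, next(self._ports))
        self.permits.add((pub_port, remote))
        return (self.public_ip, pub_port)

    def inbound(self, pub_port: int, remote: Endpoint) -> Optional[Endpoint]:
        """Return the inside socket an incoming datagram reaches, or None if dropped."""
        if (pub_port, remote) not in self.permits:
            return None
        return next((i for i, p in self.mappings.items() if p == pub_port), None)


@dataclass
class Peer:
    name: str
    inside: Endpoint                    # private address:port of the client
    nat: Nat
    public: Optional[Endpoint] = None   # learned from the rendezvous reply


@dataclass
class Rendezvous:
    """Stands in for the planet/root servers: reachable by everyone, it only
    ever sees public endpoints, i.e. the metadata discussed in the video."""
    addr: Endpoint
    seen: Dict[str, Endpoint] = field(default_factory=dict)

    def register(self, peer: Peer) -> Endpoint:
        # The peer's hello creates its NAT mapping and a permit for our replies;
        # we record the translated source and hand it back to the peer.
        peer.public = peer.nat.outbound(peer.inside, self.addr)
        self.seen[peer.name] = peer.public
        return peer.public


def send(src: Peer, dst: Peer) -> bool:
    """Push one datagram src -> dst through both NATs; True if delivered.

    Sending also installs a permit on src's NAT for dst's public endpoint.
    That is the whole trick: the datagram may be dropped on the far side,
    but it has opened the way for dst's packet coming back.
    """
    assert dst.public is not None, "dst must register with the rendezvous first"
    src_pub = src.nat.outbound(src.inside, dst.public)
    return dst.nat.inbound(dst.public[1], src_pub) is not None


def hole_punch(a: Peer, b: Peer, rv: Rendezvous) -> Dict[str, bool]:
    """Rendezvous-assisted punch; reports the fate of each datagram."""
    rv.register(a)
    rv.register(b)
    # rv tells a about b.public and b about a.public; both fire at each other.
    first = send(a, b)    # b has not sent to a yet: dropped, but a's NAT now permits b
    reply = send(b, a)    # a's permit exists: delivered, and b's NAT now permits a
    second = send(a, b)   # both permits exist: delivered
    return {"a_to_b_first": first, "b_to_a": reply, "a_to_b_second": second}


def build_demo() -> Tuple[Peer, Peer, Rendezvous]:
    """Constructed sample topology: a phone and an office box, each behind NAT."""
    phone = Peer("phone", ("10.0.0.2", 9993), Nat("192.0.2.10"))
    office = Peer("office", ("192.168.1.20", 9993), Nat("198.51.100.20"))
    planet = Rendezvous(("203.0.113.1", 9993))
    return phone, office, planet


if __name__ == "__main__":
    phone, office, planet = build_demo()
    print(hole_punch(phone, office, planet))
    # An unsolicited datagram from some random host still goes nowhere:
    print(office.nat.inbound(office.public[1], ("203.0.113.9", 5555)))
```

The first datagram from the phone is dropped by the office NAT, yet it is what makes the office's first datagram get through; after that both directions work with no port forward on either side. The rendezvous never sees payload, only `seen`, the map of names to public endpoints, which is exactly the metadata trade-off the video raises. Real NATs that also randomise ports per destination break this simple model, which is one reason the real system keeps a relay path available.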