Welcome to The Homelab Show, episode 51. I threw a few extra words in here to try to describe it: we're talking about ZeroTier, global area networking, SD-WAN, overlay networking, and someone may even call it a VXLAN as well. We're going to talk about ZeroTier specifically, but I made the title a little bit longer, you know, keywording and stuff like that. This is a category of networking that I think "overlay networking" is a good term for, but I also think people don't know what overlay networking is, so I throw in the word SD-WAN, and then of course the people at ZeroTier also call it global area networking. So hopefully all the phrases will bring people in.

Actually, you forgot one phrase: turbo encabulator.

Oh, turbo encabulator. Yes, absolutely, that word goes in there too. That's important. Yeah, so we're not just making up words, though. Understand that this is about ZeroTier, whatever you want to define it as, whatever they define it as. It's about getting connectivity to the nodes that are attached to ZeroTier. We'll talk about some planets and moons, because that is some terminology they use that I think is great. But it's a really nice system for solving a lot of connectivity problems that people have. It works differently than VPN; we'll talk about how, and it's a great way to connect projects while limiting your exposure. So this is why it's good for security, and boy, if anyone's been following the March 2022 news in the hacking space, you'll notice that security is, well, it's been talked about a lot due to all the latest round of breaches. It's kind of some chaos going on out there in the world. You don't want to be part of that. Now granted, most of the chaos is centered at big companies, but they don't want to be part of it either.
They can think about things like ZeroTier and how they control connectivity.

Yeah, yeah, there's so much, so many shenanigans going on. I don't even know where to begin, but I won't, because that's another story for another show.

So yeah, yeah, maybe we'll talk about threat modeling in a future show. There's another idea that we should probably jot down. Back to, we need to thank the sponsor for the show, and that once again is Linode. And by the way, Linode is a great place to run ZeroTier if you're looking for a way to get connected from your lab to a lab in the cloud such as Linode. They've been a longtime sponsor of the show. ZeroTier's a pretty cool product who isn't sponsoring the show; maybe we should reach out to them, because we're going to say nice things about them today. But it is something else that would bridge the connectivity gap between you and wherever your different cloud services are, and it does so without opening any ports, and without the ports being open you've added another challenge for people to understand how to get connected there. And it's a good way to do it, and Linode is a great place to run this. They've been a sponsor of the show since the beginning. If you're downloading this podcast, it is directly where you heard Linode, and you download it from their servers. That's what we do all the hosting on, and we don't just talk about them as a sponsor; we were using them anyway, and it's been great to work with them as a sponsor of the show. And we look forward to the continued support from our users who want to sign up. We have an offer code down in the links below, so just head over to Linode and sign up with our offer code. It'd be great, and we appreciate it very much.

Alright. So, doing it live, your brain switches gears for a minute and you almost forget stuff.

Well, I mean, it's like in my case the same thing happens. I have to slow myself down constantly, so it's just like you get so excited. And also I don't do a really good job
at reaching out to companies that probably could be a sponsor, companies I talk about all the time, even on my channels. Like, I should probably contact them, but I don't, and then they don't reach out to me. So I just keep talking about it until eventually maybe I'll reach out to them and talk to their people.

Yes. So anyone listening this far has probably figured out me and Jay are not anything more, really, than technical people trying to figure all this out. But we're really excited about the product we want to talk about today: product, tool, open source project, it's kind of a combination of all of them. I will start with: I like companies that have business models, especially in the open source community, because a business model means the project isn't just supported by some volunteers who hopefully will keep maintaining it and managing the security of it. They actually sell this as a commercial product, but it's very accessible for the audience listening here, the home users that are looking at using this, and it is just a really solid way to gain connectivity between your nodes. Now I will start with how much ZeroTier costs. Their pricing is free for their basic tiers, and the pricing is public on their website. By the way, the fully open source, self-hosted version is completely free with no support. So that's actually a slight difference: when I reviewed ZeroTier a couple of years ago they didn't have an easy way to do the self-hosted controller. I've not set this up yet, but it's something they're offering now, for you to download and host the control plane, because there's two pieces to this. There's two components: you have the endpoint node part you set up, and then you have the controller that coordinates this, and that's where something has to be publicly accessible, or not necessarily publicly accessible but accessible to all the nodes, hence the reason you probably want to make this public and why we mentioned running it somewhere in the cloud like Linode. That way if
you have a group of different networking devices and you want them to talk to each other, like I have a device at my house and Jay has one at his house, and we would like these two devices to talk to each other, the relaying occurs and the connection coordination occurs across the public node part of it. Now if you're doing this all internally, technically you could create a network where everything internally only uses ZeroTier to communicate. It would be a weird way; it's kind of like running an encrypted sub-network within your network, but it absolutely could be possible. In that circumstance you wouldn't need the node to be public, because it could coordinate it all internally. But it is a two-player system, essentially, where you have the nodes that do all the talking to each other and then a coordination server that they have. Now, their pricing: if you don't want to go through the trouble of self-hosting the coordination server part, and it's not necessary, you can get it for free using their hosted controller, which they have scattered across several continents. They've got a lot of redundancy in this, their root servers, if you will. They support up to 50 devices; that's free. So if you don't want to go through any trouble, you go, you know, I just want to quickly connect a handful of things, play games over it, or whatever you want to use it for, because that is actually a common use case for it, you just sign up for their free tier. They'll take care of everything. You get a web admin panel where you can set all this up and tie all the nodes together, and that's for free. Once you go into the business ones, they have all kinds of different options, you know, for support agreements, etc. So if you wanted to try this out but then move to it commercially, I think it's cool they have an option to support that. And the nice thing is, you know, no matter which tier you're going to, there's not like a different version of the software.
I think that's really important, because they're not skimping on the features. They're not like, oh, here's this open source basic tool; our paid tool is way more advanced and gives you way more features. So you're getting to use the same tool all the way through. And matter of fact, when you're going to the page here, having an open source client I think matters a lot to a lot of security professionals now, because they want to know and understand the tools, the encryption, and everything that's going into something that has this deep level of access on your network, right? So, so, mouthful on there. I missed it.

So I could probably talk about a couple of scenarios. You know, we have a lot of people of varying levels listening, and things that I've run into that I feel like, you know, this could be very useful for. So one of which was my eldest had a Minecraft server a while back, and basically I spun it up on the Proxmox server. So I spun up their Minecraft server, gave them access to that, and I put it on his VLAN, and I had to open up some ports through pfSense to allow his friends to connect to it. And I even gave it a DNS name, because, you know, I'm cool like that. So he could give his friends a DNS name to connect to Minecraft, and it worked very, very well, but I had to open up ports. I had to, you know, spend time configuring this. I can't remember how long it took, but I had to really look at the security, and, you know, if his computer gets a virus, I don't want it to start affecting files or anything like that on the network shares. But it worked fine. It was great, but he lost interest in it. So later on, with ZeroTier, after I had a chance to check it out, he came to me coincidentally and he was like, you know that Minecraft server I had a long time ago? Can we do that again? And I'm thinking to myself, do I really want to open up ports and all this stuff just for something that, you know, he might lose interest in again?
Well, yeah, of course I'll encourage him and I'll still do it anyway, but with ZeroTier it was a lot easier. I'm like, yeah, just install this and click this, tell your friends to do that and put this in the field to connect, to have your friends connect to your computer essentially directly. And it just seemed to work very well in that use case. But going back even further, I remember, and I think I've said this before, when I was first learning networking, I mean when I'm like totally green, I know so little about networking and I think I'm studying for Network+, and at the same time I'm working at a company that had, I think they had like 12 locations around the United States, and they had, I forgot what kind of networking that was, some kind of WAN connection through AT&T. It wasn't the fastest thing in the world, but it was fast enough, and basically every satellite office was linked together by IPs and all that. It was a pretty good system, very expensive. And when I found out how that worked, it wasn't how I thought networking worked when I was first starting out. ZeroTier is kind of like that thought I got in my head, you know, when I was in college and I'm like, how does a wide area network function? And I just assumed in my head it was like what ZeroTier is now: a simple way for two endpoints to talk over the network, encrypted. But that wasn't how it was. But here we are with ZeroTier; we can connect our services in our home lab to, you know, something on the outside, and we could have a private connection. We could also do this with VPN, but as I think you'll talk about later, that's obviously another solution, but I feel like in a lot of ways
this is a lot easier to actually set up.

Yeah, there's a lot more simplicity to it because of the way it's handled. So is it the same as a VPN? In some ways you can call it like a VPN. It has some similarities, because you are taking two devices that are not in the same location but allowing them to talk to each other via encrypted communications. From the surface that sounds like VPN, but the methodology and implementation is very, very different. So if you're using ZeroTier, you don't need to configure it on your firewall. Not that you can't, and some firewalls support ZeroTier, but it's not a necessity. You also don't have to open up any ports. So the way ZeroTier works, and the very unique way it works, I should say, I don't want to almost call it unique, but I'd also say, yes, if you've heard of Hamachi years and years ago, that was the first time I'd seen networks designed like this, with the Hamachi networks, for those of you who've been working in tech longer. But essentially ZeroTier creates an adapter on your system. This extra adapter it creates on your system is essentially an encapsulated network virtualization stack, is probably an easy way to describe it. The ZeroTier protocol is original, though aspects of it are similar to VXLAN and IPsec, and it has two conceptually separate but closely coupled layers in the OSI model. This is like I'm reading right from theirs, because it's a little bit hard to describe: the underlying peer-to-peer transport layer, the virtual wire, while VL2 is an emulated Ethernet layer that provides operating systems and apps a familiar communication medium. VL1, the ZeroTier peer-to-peer network, and they have no name there, is the link layer, essentially. So it's really unique how it works. This extra adapter has an IP address. So you have your main network adapter,
let's call it eth0, or whatever it's called in Windows for you, but eth0, and then we get each one, but it's usually called, like, you know, ZT1. So this is your extra network adapter assigned by ZeroTier. So you set the IP address of that system; the control plane handles all of that. So when you first install it, it just adds the node. Then you have your globally available, your publicly available nodes, and, we're not going to get too much into the self-hosted, but if you're self-hosting, wherever that is. Normally a lot of people are just going to want to use the default and join using the ZeroTier control plane. The control plane says, I see, and we'll use Jay's place as an example. Jay loads ZeroTier on his computer. He gets an extra network adapter. He says, I would like to join this network. Each device has a unique ID. You simply say, hey, let's join this network. Then on my side I see it come up in the control plane and I say, I approve Jay's joining, and I want to join my computer to the network, and it joins the network. Now the data between me and Jay is encrypted. It does not necessarily pass in any unencrypted form through the relay points. The relay point first tries to negotiate some tunneling, and the term, if you want to dive deeper into this, is DNS hole punching. I'm sorry, UDP hole punching, not DNS, UDP hole punching. And it's going to do UDP hole punching to kind of bend the curve between me and Jay and go, alright, we want this to talk to this and this to talk to this on these two separate ends, and it automatically, through the way NAT works, puts these holes in the firewall to allow us to have pure communication between each other. So the IP address on my ZeroTier network interface is in the same subnet as Jay's. Now any communications we want to do, if we're playing a game for example, I just set his ZeroTier IP address in my game and vice versa, and now we can communicate with each other. And this works for anything. He could be hosting a web server. He can be
running nginx, and he sets up a web server and he goes, hey Tom, I'd like you to check this out, but I don't want to expose it to the world. This is where ZeroTier can come along: you're essentially binding that port to it, and you can keep binding any other service to it, because it works like an extra network adapter with an IP address assigned to it. Really any service you have running on that computer, on that server, on that device, because it supports a wide variety of devices, that extra IP address gives you that connectivity as if it's in the same network. Now what's really clever about how this works is, if you set up a series of these ZeroTier nodes within one network, maybe you have a server farm of these at one location, then when you're there you actually are using the full line speed, essentially, to communicate with all the other nodes when you're on the same subnet. But then you can take, say, a laptop and you leave that network. You don't have to make any changes; it will still connect. It'll just do it through the external methods, and the relaying server gets involved as well. This makes it really interesting, because this is what makes it essentially safer than VPN: you're not opening any ports. The relay server is just going, alright, I see that you are here and you're asking for a resource that you are not on the same subnet for, not on the same network for, so I'm going to bridge this connection. Now, in the event of something like double, triple NAT and tricky firewalls, it does have the ability to kind of go into a slower relay mode. So if no means can be met to get connectivity because of rules and challenges that may be on a network, it will relay through the relay nodes as well to get the data there. Obviously that comes at the cost of being a lot slower, but the connectivity still exists. Now, the important thing about this is it's all done without the opening of any port on your firewall, so your firewall remains closed on both sides
because of the way NAT translation and UDP hole punching works. You are first requesting a resource, and that resource you are requesting is where the connection gets initiated, and because both of these two separate networks are requesting resources, this is where the relay server can see where those resources are coming from and facilitate the hole punching. And this is how it's able to do so without, as I said, and this is the important part, opening up your network.

And I think one of the most awesome things about this is that I feel like, you know, an overlay network, you know, a solution like ZeroTier is just limited by your imagination. I mean, if you just think about what you could use this for. Now, off the top of my head, you could have an internal website, and I'm not talking about a company, but literally you and family. You could have this really, you know, simple website that has family photos on there, or some kind of family intranet site. Even if you're at a coffee shop you could be connected to it, or you're in your house, you could be connected to it. Set up something like Pi-hole on a cloud instance somewhere and then have all of your computers, whether they're internal or not, using the same DNS server. Even if you are at a coffee shop, you could still be using your Pi-hole without having to set up a VPN to your pfSense to use something that's inside your, you know, Proxmox. You could have something like Pi-hole on the outside of your network treated as if it's something on the inside, even when you're not home. Then you could benefit from, you know, basically ad blocking wherever you go. Stuff like that.

Yeah, it's really one of the other use cases.
We've had for this, this is a really clever one, was we consulted with a company and they have a lot of Raspberry Pis they use as sensor monitors that they send out to places. But of course they're sending them out to, they're in the restaurant business, and so getting these devices out to restaurants means dealing with a lot of random different networks. But with ZeroTier it solved a lot of their problems, because they can always have these nodes, these Raspberry Pis; they can program them at their office or really anywhere. They can spin them up; they have local connectivity to them. But with ZeroTier they know the IP address, they know this IP address has this customer name on it, this is how we talk to this device. And then when they ship these to different customers, they say just plug it in, plug the Ethernet in. It just needs an IP address to get out to the internet. Don't worry about your firewall; we don't have to call and open a port, which is actually what they were previously doing, dealing with opening ports and things like that, which is always tricky, because there's not a consistency, because it was going out to any company that ordered it. It wasn't like there was always a consistent stack. So using it in methodologies like that makes it really interesting. When you are doing this, I've even had a few of my friends who work in red teaming, getting in and pentesting networks, find it to be a very useful tool. They were actually shocked at how few networks seem to detect it. Maybe that's changed as ZeroTier's become more popular, but it was interesting when I first started doing videos on it. One of my red team friends goes, I popped it right in and it went through all of our security.
It doesn't seem to trip anything; I just had connectivity inside the network to the Raspberry Pi. So it's really clever from that aspect of it, because it understands how to get out and understands how to get networking and lets you focus on only connecting the devices and getting things to where you're at. This can also be helpful for people who are traveling and want to use it for, you know, setting it up on your Plex server, binding your Plex server to it, and when you're outside of your network, when you would like to get to some of those services, being able to have some of that tied to that IP address, or any of your media or file sharing. This is a pretty solid use case for it. It really is.

Another simple use case might be setting up another storage server and then, you know, actually sending that over to a family member's house. Have ZeroTier installed on it and on your machine or your local NAS, and then have, you know, ZeroTier be the means by which you actually sync your NAS at home to the other one for off-site backup. And you have that, you know, direct IP address that you just sync everything straight over to, and you don't have to worry about, you know, calling that family member and trying to walk them through logging into their access point or router or whatever and, you know, opening up ports or whatever. You don't even have to worry about that. Just plug it in, put an Ethernet cable in there, and yeah, everything will be fine.

Yeah, and at that point you have off-site backup. Yeah, this is actually a really great way to bridge that gap of things like off-site backup as well. The fact that it works on platforms, not just Windows, not just Linux, but also like BSD and ARM, so we've got a pretty broad support of compilations for it that are going to allow for a diverse use case for this. You can get it set up on a lot of different devices. Now if you're wanting to dive into a little bit more advanced use cases for it, there
are ways that it can be built into or compiled into firewalls. There's ways you can integrate it so it acts as a routing device. It's not its usual use case, but there are ways to do that. You can control some of the rules. There's also, on the control plane, you can granularly go into it; the default is going to be anything you trust on the node can talk, full protocol, back and forth, no problem. But that may not be how you want to set things up. You may want to build firewall rules for it, and essentially access control lists. They have their own methodology and language by which to do this, but it's a really clever way to maybe restrict the nodes. So you trust the nodes enough to have them within your ZeroTier, but then you can also create some extra rules so only certain nodes can talk in certain directions, and that may be one more way to set up the restrictions. But I think this type of overlay network is something we're going to see more and more of as we go forward, because it offers another level of security. It's very different than VPNs, and it's not like you're using a username and password to authenticate a device onto the network. You're joining that device, that particular laptop, that particular server or workstation. As you add it into your node, it makes the request, you join it, and it's not like where someone could do something like grab your password to the VPN. Now, as with anything, this is not a perfect security solution.
There are of course risks. One of the risks is going to be, if someone gets control of your control plane, they will then be able to add other nodes into that stack. So if you get the control plane compromised, they can simply start approving nodes into the network that you set up. That's obviously a risk. But if on your side you've done due diligence and you've restricted, for example, on a server you implicitly have a firewall rule on that server going, yes, it is attached to this particular ZeroTier IP, but I only expect data to come from these other IP addresses, so now you've added one more layer of protection. And by the way, that's not authentication; that's just getting connectivity. Even internally, you know, I have VPNs that get you in places, but that only gets you as far as the login screen. You still have to have the username and password for that. So these tiered layers do add a lot more security to your configuration when you're setting this up. These are different ways to think about security, but, you know, kind of as we mentioned in the beginning, especially for your larger company, this is a really deep thought in security. They're looking at, maybe, you know, username and password VPNs with a cell phone backup, where people can do a SIM swap and target someone and grab that password, may not be the best idea. Maybe there's other solutions out there, and I think this, or other similar tools that are like this, would be popular as a solution to lock things down a little bit further.

Yep, it's always good to lock things down further, and, you know, of course automate things if you can. You can absolutely use something like Ansible to install the client, and that, you know, basically like you would anything else. I did a video about this recently.
I don't know how recent it actually was, but it was so simple to set up and I was just blown away by it. It was something that I've been meaning to check out for like two years. And you know, when you first mentioned it on your end, I'm like, whoa, that sounds so cool, I can't wait to check it out. I'll check it out tomorrow. And then a couple years later, hey, here's a video. But I got around to it eventually, and it's one of these solutions that I think is just so much easier, in my opinion, than VPN. I don't mean to knock VPN or anything like this, but I would work with a lot of clients, for example, that would have something like AWS and a local data center. They would have a VPN connection in between both so that the AD, excuse me, AWS resources would be treated as local resources, and there's a lot of configuration on both sides. You have to get the model number of the other endpoint, you have to set up the profile properly with all the right things, and it's just this long back-and-forth process. And it works fine once you get it connected, but then you went through a lot of work. But something like ZeroTier, it just tells me that that kind of complex customization, it's not really needed. There's better ways to do that. Whether it's a better way depends on, you know, your mindset, but it's at least simpler when it comes to how to set something up. So I think it gives homelab people a way to have resources in the cloud that are closed off. They could firewall and not allow, you know, public access except maybe through ZeroTier, so your external resources are just the same as internal resources.
Yep. Now one more thing I'll mention on this, and this is one differentiator when it comes to being a solution for multi-node environments. Let's say we have sites A, B and C. Now in traditional VPN you would think of them relaying through the VPN to get to any one of these sites, and of course once you start going A, B, C, D, E, F, G, now you have quite a few different nodes and you have a really complicated, you have an exponentially complicated network at some point where you have a lot of sites to connect. So ZeroTier solves this, because you're only assigning IPs to the devices, not necessarily the subnets you want. So you're only assigning all the different devices. Also, if these are all on different public IP addresses, or a group of developers who all work at different locations, the ability for the developers to have site A talk to site D and site C talk to site G is completely there. The network is a one-to-many relationship, or I should say many-to-many relationship, where any one node can reach out to the node and will find the most efficient route to that node. If that other node, and two developers, are working in the same subnet, they're going to have fast communication, and the same with another group of developers at another subnet, but then individually each one of them can talk to each other. It's kind of a little bit to wrap your head around how it works, but the simplicity of it is, it really is that simple, like Jay said. When you set these up, you just have these extra IP addresses, and you start binding everything to it. And I've seen someone ask in the comments about, like, Tailscale and a comparison. I've done a comparison of ZeroTier and Tailscale. They work differently. ZeroTier's protocol is different, because Tailscale is a WireGuard system on the back end with a front-end system from Tailscale. It's a little bit different. I do have a video comparison of those two on my channel.
It's literally titled Tailscale versus ZeroTier, so it's pretty easy to find. And I will mention too, I'd seen someone else mention, I like that ZeroTier is multi-tenant. So if you are in the IT business, such as myself, and you need to manage groups of networks, because you don't want everyone in the same network with all your customers, you can set up different groupings together to represent different companies, or however you want to set up a hierarchy for it. That is something within their control panel that's allowed in there. You can build a group of networks called, these are all the game servers I have, and a single node can belong to more than one ZeroTier network, just like you can have multiple Ethernet adapters; you can have multiple ZeroTier adapters on a single computer.

Awesome.

Yeah, you know, I don't have a whole lot more to say about this. It's not an in-depth tutorial, because I have those tutorials on how to set it up. Eventually I'll do a tutorial on how to set up the self-hosted controller. They do have some instructions on that. We wanted to talk about this as a topic because this also kind of solves, for people with that CGNAT problem that they run into, of you can't host something publicly easily. You want to get back to your home office, but you're behind, you know, a carrier-grade NAT solution because of, you know, your ISP and what you have available to you where you live. This is a good workaround for that. So you can set it up on your laptop, and when you travel with your laptop to somewhere outside of your network, you can get back to those resources very easily. This is one of the reasons we wanted to cover it. If there's enough interest in the comments on it, we certainly can dive into Tailscale, which works differently. It's going to be very similar in terms of video; I have a video on that on my channel as well, where we go over kind of how it works, what makes Tailscale different. There's lots of considerations when you're considering these different products like this.
Well, I'm definitely interested. I have never used Tailscale, so it might be a fun topic.

Yeah, maybe we'll make it the next topic. We will let the audience decide by leaving comments and using our feedback form at thehomelab.show.

Absolutely. Yeah, hopefully that happens, because that'd be a lot of fun. And I have another potential topic that I just came up with that I will not mention, but it might be a fun topic if we want to go through that. But we're always coming up with ideas for the show, so we have all kinds of things to talk about. But we should probably do a Q&A, I would think, within the next few episodes or so, if people can get enough questions in.

Yeah, that's what we do, stack up the questions. We love hearing back from all of you. It is greatly appreciated, you know, all the feedback we get, even if it's just to say hi. We don't mind; we read those too. We don't, you know, we don't discriminate. We do like to just know that people are able to use the form, because we do get a few confusing questions occasionally. But hey, that makes it more fun. The more technical the question, you know, it gives us something to dive into, and we're also always looking for, you know, topics, to make sure we're listening to the audience and make sure we stay aligned with what people in the homelab audience are really wanting to know.

Yeah, yeah, send in your ideas. It might just be a crazy enough idea for us to cover, because we're homelab people. We always have crazy ideas and we want that reaction: you're doing what at home? Because that's always fun. But send us in your ideas, your questions, and we'll do a Q&A. Your suggestion might end up being a topic, either for this podcast right here, or maybe we'll use it in one of our own videos. Who knows?

Yeah, absolutely. Well, thank you all for joining us, and I'll see you next time. Thank you.