ZeroTier

ZeroTier is a software-defined networking (SDN) platform that creates virtual Ethernet networks over the internet, enabling devices anywhere in the world to communicate as if they were on the same local area network. With a combination of an open source client, a managed network controller service, and peer-to-peer tunneling, ZeroTier provides flexible, secure network connectivity without the complexity of traditional VPN infrastructure.

The virtual network model in ZeroTier is built around the concept of a ZeroTier network, identified by a 16-digit network ID. Any device with the ZeroTier client installed can join a network, after which it receives a virtual IP address in the network's address space and can communicate directly with all other authorized members of the network using standard TCP/IP protocols.

The underlying transport mechanism uses UDP for peer-to-peer tunneling with multiple layers of encryption and authentication. ZeroTier's transport protocol employs Curve25519 key exchange, AES-256-GCM for data encryption, and Ed25519 for packet authentication. The cryptographic identity of each node is derived from a public-private key pair generated on the device, ensuring that node identities are mathematically unforgeable.

Network membership is controlled by the network controller, which can be the ZeroTier Central managed service or a self-hosted controller. When a device requests to join a network, the controller can approve or deny the request, assign the virtual IP, and configure access rules. Access control lists define which IP addresses can communicate with which other addresses on the network, enabling implementation of zero-trust segmentation within a ZeroTier network.

NAT traversal in ZeroTier uses the ZeroTier planet (root servers) and moons (custom root servers) for initial peer discovery and hole punching. Once two peers have established direct connectivity, subsequent communication is peer-to-peer without any root server involvement. When direct connectivity is not possible due to restrictive NAT or firewalls, traffic is relayed through a RELAY service but remains end-to-end encrypted.

The self-hosting option for the network controller allows organizations to run their own ZeroTier network infrastructure without depending on ZeroTier's managed service. The ZeroTierOne controller software is open source and can be deployed on any Linux server. Self-hosted controllers are particularly useful for air-gapped environments and organizations with strict data sovereignty requirements.

ZeroTier supports Linux, macOS, Windows, iOS, Android, FreeBSD, and many embedded Linux platforms, making it one of the most broadly compatible virtual networking solutions available.