
We want to use ZeroTier to connect from one cloud machine to multiple remote machines. We do not want remote machines to access each other. What would be a good approach?

  • Use a single network and set rules based on tags to restrict access
  • Run multiple networks, each having cloud machine and a remote machine

Are there limits to

  • Number of members in a ZeroTier network
  • Number of ZeroTier networks a machine can connect to at a time - tun interfaces, IP conflicts or performance impact
rmvpaps

1 Answer


I would use a single network and use rules to prevent peering between the machines. For instance, you could set the 192.168.141.0/25 portion of the network to prevent peering, and allow only defined network paths between hosts.

Just a personal rant here: You don't want to do that. Really. You're going to make a headache for yourself when you have to scale horizontally (which you will if you're successful). I would STRONGLY recommend taking an mTLS approach to service authentication instead. Somewhat more work at the start, but a lot easier in the long run.

PaulProgrammer
  • By rules I had meant ZeroTier network rules https://www.zerotier.com/manual/#3_3. I will create a rule that says only members tagged 'cloud' can access a certain port. And the tag can be added when members are authorized. Won't that be scalable? – rmvpaps Jul 30 '19 at 05:59
  • Yeah that sounds better. But mTLS is still more flexible in the long run. – PaulProgrammer Jul 30 '19 at 18:04
  • So on top of the ZeroTier network stuff, within services that access each other through the network we can have mTLS auth set up. We are accessing a local HTTP service on the remote machines so this should be ok. It would be great if you could share a reference to a system making use of mTLS over ZeroTier – rmvpaps Jul 31 '19 at 05:05
  • ZeroTier presents as a standard network, so any mTLS system will work fine. Such systems can be configured with [tomcat](https://www.lrz.de/services/compute/grid_en/step-by-step_en/apache-tomcat/), [node.js](https://gist.github.com/pcan/e384fcad2a83e3ce20f9a4c33f4a13ae), [apigee](https://docs.apigee.com/api-platform/system-administration/keystores-and-truststores), [fusion](https://technology.amis.nl/2017/05/10/oracle-soa-suite-two-way-ssl-with-tls1-2/) and just about any others. – PaulProgrammer Aug 03 '19 at 03:35
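A ZeroTier network rule set implementing the tag-based hub-and-spoke policy discussed in the question and comments (an added example, not code from the question, the answer or the ZeroTier project; the tag id, the enum values and the use of the `tor` matcher are assumptions and should be checked against the rules section of the ZeroTier manual linked above):

```zerotier
# Constructed example: one "cloud" hub, many "remote" spokes.
# Each member is given the 'role' tag in the network controller when it is
# authorized. Enum values are chosen as bit flags so that OR-ing the two
# endpoints' values tells us who is talking to whom:
#   cloud  | cloud  = 1
#   cloud  | remote = 3
#   remote | remote = 2
tag role
  id 1000
  enum 1 cloud
  enum 2 remote
  default 2      # untagged members are treated as spokes (least privilege)
;

# Keep the network IP-only: drop anything that is not IPv4, ARP or IPv6.
drop
  not ethertype ipv4
  and not ethertype arp
  and not ethertype ipv6
;

# Hub-and-spoke enforcement: if the bitwise OR of the sender's and the
# receiver's 'role' tag equals 2, both sides are remote machines, so the
# frame is dropped. Cloud-to-remote (3) and cloud-to-cloud (1) pass through.
# Rules are evaluated on both the sending and the receiving member, so a
# spoke cannot bypass this by editing its own node.
drop
  tor role 2
;

# Everything else (cloud <-> remote traffic) is allowed.
accept;
```

Because the `role` tag is assigned by the controller at authorization time, adding a new remote machine needs no rule change, which is the scalability point raised in the comments.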