# ZeroTier — Programmable Layer-2 Overlay Network

> Open-source SD-WAN that builds encrypted peer-to-peer Layer-2 overlays spanning NATs, clouds, and edge devices with a rule engine and controller API.

## Install

Save the following as a script file and run it, or paste the commands into a shell:

```bash
# Linux / macOS / Windows installers
# (download and review install.zerotier.com first if piping a remote script to a shell is not acceptable in your environment)
curl -s https://install.zerotier.com | sudo bash

# Create a free network at my.zerotier.com, then join it
# (replace <NETWORK_ID> with the 16-hex-digit network ID shown in the web UI)
sudo zerotier-cli join <NETWORK_ID>

# Authorize the device in the web UI (or via API), then:
sudo zerotier-cli listnetworks
# replace <PEER_OVERLAY_IP> with the managed address of another authorized member
ping <PEER_OVERLAY_IP>
```

## Introduction

ZeroTier is an open-source SD-WAN/VPN that creates a global, flat, Ethernet-style overlay network. It lets laptops, servers, cloud VMs, containers, and even embedded devices join the same virtual LAN even when they sit behind NATs or firewalls, or are spread across continents — without manual routing or tunneling setup.

## What ZeroTier Does

- Builds encrypted, peer-to-peer Layer-2 networks that look like a single Ethernet segment.
- Performs NAT traversal automatically, using root servers ("planet/moon") for signaling.
- Lets you route real IPv4/IPv6 subnets over the overlay, not just host-to-host traffic.
- Exposes a Controller API so networks, rules, and members can be provisioned from code.
- Supports a rules engine for microsegmentation, tagged capabilities, and ACLs.

## Architecture Overview

Each node runs `zerotier-one`, a daemon that authenticates with a network Controller and exchanges peer metadata through globally operated "planet" root servers. Once peers know about each other, they attempt direct UDP connections using hole-punching. If direct paths fail, traffic relays through a root. All payloads are end-to-end encrypted under a Curve25519/Ed25519 identity bound to the device. The Controller is the policy plane — it issues certificates, pushes flow rules, and manages membership.
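The Controller as policy plane, and the rule engine it pushes, can be driven from code. The script below is an added example (not the ZeroTier project's own code) that creates a private network on a self-hosted controller through its local JSON API with the stock default-deny rule set compiled to JSON. It assumes the controller listens on 127.0.0.1:9993, that the auth token is read from `authtoken.secret`, and that the `MATCH_ETHERTYPE` / `ACTION_*` JSON shapes below match the controller's compiled-rule format (verify against the docs for your version).

```python
# Added example, not part of the ZeroTier project. Assumptions: local
# controller on 127.0.0.1:9993, token in authtoken.secret, and the compiled
# rule JSON shapes (MATCH_ETHERTYPE / ACTION_DROP / ACTION_ACCEPT) below.
import json
import urllib.request

DEFAULT_BASE = "http://127.0.0.1:9993"
TOKEN_PATH = "/var/lib/zerotier-one/authtoken.secret"  # Linux default location


def default_deny_rules():
    """Compiled form of the stock rule set:
    drop not ethertype ipv4 and not ethertype arp and not ethertype ipv6; accept;
    Match entries are ANDed until an action is reached; 'not' inverts a match."""
    rules = []
    for ethertype in (0x0800, 0x0806, 0x86DD):  # IPv4, ARP, IPv6
        rules.append({"type": "MATCH_ETHERTYPE", "not": True, "or": False,
                      "etherType": ethertype})
    rules.append({"type": "ACTION_DROP"})    # any other ethertype is dropped
    rules.append({"type": "ACTION_ACCEPT"})  # IP and ARP frames pass
    return rules


def new_network_id(controller_node_id):
    """Network IDs are the controller's 10-hex-digit node ID plus 6 chars;
    POSTing to '<node-id>______' asks the controller to choose the suffix."""
    if len(controller_node_id) != 10:
        raise ValueError("controller node ID must be 10 hex digits")
    return controller_node_id + "______"


def network_body(name, pool_start, pool_end, route_cidr):
    """Private (authorization-required) network with a managed IPv4 pool."""
    return {"name": name, "private": True,
            "ipAssignmentPools": [{"ipRangeStart": pool_start, "ipRangeEnd": pool_end}],
            "routes": [{"target": route_cidr, "via": None}],
            "v4AssignMode": {"zt": True},
            "rules": default_deny_rules()}


def controller_request(method, path, body=None, token=None, base=DEFAULT_BASE):
    """Authenticated request to the local node/controller API; returns parsed JSON."""
    data = json.dumps(body).encode() if body is not None else None
    req = urllib.request.Request(base + path, data=data, method=method)
    req.add_header("X-ZT1-Auth", token or open(TOKEN_PATH).read().strip())
    req.add_header("Content-Type", "application/json")
    with urllib.request.urlopen(req, timeout=5) as resp:
        return json.load(resp)


if __name__ == "__main__":
    status = controller_request("GET", "/status")          # local node's own ID
    nwid = new_network_id(status["address"])
    net = controller_request("POST", "/controller/network/" + nwid,
                             network_body("lab", "10.147.20.1", "10.147.20.254",
                                          "10.147.20.0/24"))  # constructed sample pool
    print("created network", net["id"], "with", len(net["rules"]), "rules")
```

Because the network is `private`, each member must still be authorized (a POST of `{"authorized": true}` to the member's path under `/controller/network/<nwid>/member/`) before it receives an address or can pass traffic.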
## Self-Hosting & Configuration

- Run your own controller with `ztncui` or `zero-ui` for full control and no external dependency.
- Deploy "moons" (custom roots) to reduce RTT or satisfy data-sovereignty rules.
- Use `/var/lib/zerotier-one/local.conf` to set the port, physical interfaces, and allowed peers.
- The rule DSL supports `drop/accept/tee/redirect`, tags, and capabilities — version-control the rules.
- A REST API and a Terraform provider automate network and member provisioning.

## Key Features

- True Layer-2 overlay: broadcast, multicast, and arbitrary protocols just work.
- Cross-platform: Linux, macOS, Windows, FreeBSD, iOS, Android, and a `libzt` embeddable library.
- Fine-grained flow rules and capability-based microsegmentation.
- P2P first; relays are only a fallback — latency is usually near that of a direct link.
- Open-source BSL with a free hosted controller tier.

## Comparison with Similar Tools

- **Tailscale** — WireGuard-based L3 mesh with polished UX; ZeroTier is L2 with a richer rule engine.
- **Netbird** — WireGuard mesh, self-hostable, L3.
- **Nebula** — Slack's mesh overlay, cert-based, great performance, L3 only.
- **OpenVPN/WireGuard** — classic tunnels; you manage routing, NAT, and membership.
- **Headscale** — open-source Tailscale control plane; different crypto and L3 model.

## FAQ

**Q:** Is ZeroTier actually peer-to-peer?
**A:** Yes. After a brief exchange through root servers, nodes try direct UDP. Root relaying is only a fallback.

**Q:** Do I have to use the hosted controller?
**A:** No. `ztncui`, `zero-ui`, and the open-source controller let you run it fully on your own infrastructure.

**Q:** Can I bridge a ZeroTier network to a physical LAN?
**A:** Yes. Enable bridging mode and add route announcements in the network settings.

**Q:** What ports does it need?
**A:** UDP 9993 by default; it can fall back to TCP and hole-punch through most NATs.
## Sources

- https://github.com/zerotier/ZeroTierOne
- https://docs.zerotier.com/

---

Source: https://tokrepo.com/en/workflows/ceb43612-38d6-11f1-9bc6-00163e2b0d79
Author: Script Depot