Scripts · April 15, 2026 · 1 min read

ZeroTier — Programmable Layer-2 Overlay Network

Open-source SD-WAN that builds encrypted peer-to-peer Layer-2 overlays spanning NATs, clouds, and edge devices with a rule engine and controller API.

Introduction

ZeroTier is an open-source SD-WAN/VPN that creates a global flat Ethernet-style overlay network. It lets laptops, servers, cloud VMs, containers, and even embedded devices join the same virtual LAN even when they sit behind NATs, firewalls, or across continents — without manual routing or tunneling setup.

What ZeroTier Does

  • Builds encrypted, peer-to-peer Layer-2 networks that look like a single Ethernet segment.
  • Performs NAT traversal automatically using root servers ("planet/moon") for signaling.
  • Lets you route real IPv4/IPv6 subnets over the overlay, not just host-to-host.
  • Exposes a Controller API so networks, rules, and members can be provisioned from code.
  • Supports a rules engine for microsegmentation, tagged capabilities, and ACLs.

Architecture Overview

Each node runs zerotier-one, a daemon that authenticates with a network Controller and exchanges peer metadata through globally-operated "planet" root servers. Once peers know about each other, they attempt direct UDP connections using hole-punching. If direct paths fail, traffic relays through a root. All payloads are end-to-end encrypted with a Curve25519/Ed25519 identity bound to the device. The Controller is the policy plane — it issues certificates, pushes flow rules, and manages membership.

Self-Hosting & Configuration

  • Run your own controller with ztncui or zero-ui for full control and no external dependency.
  • Deploy "moons" (custom roots) to reduce RTT or satisfy data-sovereignty rules.
  • Use /var/lib/zerotier-one/local.conf to set port, physical interfaces, and allowed peers.
  • Rule DSL supports drop/accept/tee/redirect, tags, and capabilities — version-control the rules.
  • A REST API and a Terraform provider automate network and member provisioning.
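As an added example (not code from the page or the ZeroTier project), this builds the kind of default-deny rule set the bullets above describe as controller JSON, serializes it deterministically for version control, and pushes it through the local controller REST API. The rule object field names, the `/controller/network/<nwid>` endpoint on port 9993 and the `X-ZT1-Auth` header are assumptions about the controller interface; the network id and token are placeholders the caller supplies.

```python
"""Added example (not ZeroTier project code): build a default-deny flow-rule
set as controller JSON and push it through the local controller REST API.
Assumed: rule field names, /controller/network/<nwid>, X-ZT1-Auth header."""
import json
import urllib.request

ETHERTYPE_IPV4, ETHERTYPE_ARP, ETHERTYPE_IPV6 = 0x0800, 0x0806, 0x86DD
IPPROTO_TCP = 6
ACCEPT, DROP = {"type": "ACTION_ACCEPT"}, {"type": "ACTION_DROP"}

def m_ethertype(et, negate=False):
    return {"type": "MATCH_ETHERTYPE", "etherType": et, "not": negate, "or": False}

def m_proto(proto):
    return {"type": "MATCH_IP_PROTOCOL", "ipProtocol": proto, "not": False, "or": False}

def m_port(kind, port, or_prev=False):
    # kind is "SOURCE" or "DEST"; a single port is the range [port, port]
    return {"type": f"MATCH_IP_{kind}_PORT_RANGE", "start": port, "end": port,
            "not": False, "or": or_prev}

def allowlist_rules(tcp_ports):
    """Matches are evaluated left to right and ANDed unless 'or' is set; the
    first ACTION reached decides the frame. Rules run on sender and receiver,
    so each port is matched as destination OR source to pass the reply leg."""
    rules = [m_ethertype(ETHERTYPE_IPV4, True), m_ethertype(ETHERTYPE_ARP, True),
             m_ethertype(ETHERTYPE_IPV6, True), dict(DROP),   # non-IP frames: drop
             m_ethertype(ETHERTYPE_ARP), dict(ACCEPT)]        # ARP is needed for L2
    for port in sorted(tcp_ports):
        rules += [m_port("DEST", port), m_port("SOURCE", port, or_prev=True),
                  m_proto(IPPROTO_TCP), dict(ACCEPT)]         # (dport|sport) & tcp
    rules.append(dict(DROP))  # default deny; ICMP/ICMPv6 (incl. IPv6 ND) land here
    return rules

def rules_file(rules):
    """Deterministic JSON text so the rule set can live in version control."""
    return json.dumps(rules, indent=2, sort_keys=True) + "\n"

def push_rules(nwid, rules, token, base="http://127.0.0.1:9993"):
    """POST the rule set to the local controller; returns the updated network.
    token is the content of the controller's authtoken.secret file."""
    req = urllib.request.Request(
        f"{base}/controller/network/{nwid}", method="POST",
        data=json.dumps({"rules": rules}).encode(),
        headers={"X-ZT1-Auth": token, "Content-Type": "application/json"})
    with urllib.request.urlopen(req, timeout=5) as resp:
        return json.load(resp)
```

Because the engine is stateless, the source-or-destination port match is what lets the reply direction through; if ping or IPv6 neighbor discovery is needed, an explicit ICMP/ICMPv6 accept has to be added before the final drop.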

Key Features

  • True Layer-2 overlay: broadcast, multicast, and arbitrary protocols just work.
  • Cross-platform: Linux, macOS, Windows, FreeBSD, iOS, Android, and a libzt embeddable library.
  • Fine-grained flow rules and capability-based microsegmentation.
  • P2P first; relays are only a fallback — latency is usually near direct-link.
  • Open-source BSL with a free hosted controller tier.

Comparison with Similar Tools

  • Tailscale — WireGuard-based L3 mesh with polished UX; ZeroTier is L2 with richer rule engine.
  • Netbird — WireGuard mesh, self-hostable, L3.
  • Nebula — Slack's mesh overlay, cert-based, great performance, L3 only.
  • OpenVPN/WireGuard — classic tunnels; you manage routing, NAT, and membership.
  • Headscale — open-source Tailscale control plane; different crypto and L3 model.

FAQ

Q: Is ZeroTier actually peer-to-peer? A: Yes, after a brief exchange through root servers, nodes try direct UDP. Root relaying is only a fallback.

Q: Do I have to use the hosted controller? A: No. ztncui, zero-ui, and the open-source controller let you run it fully on your own infra.

Q: Can I bridge a ZeroTier network to a physical LAN? A: Yes, enable bridging mode and add route announcements in the network settings.

Q: What ports does it need? A: UDP 9993 by default; it can fall back to TCP and hole-punch through most NATs.
