
Add Support for ZeroTier
Open, Wishlist | Public | FEATURE REQUEST

Description

This feature request is for adding support for ZeroTier. Adding ZeroTier would provide bolt-on SD-WAN support for VyOS.

Implementation plan

Each configured ZeroTier interface will run as its own ZeroTier process inside a separate container. This is done for a number of reasons:

  1. Resource Utilization
    • Unless ZeroTier is configured, no ZeroTier process or service runs and consumes system resources. A number of network operating systems are moving to this approach.
  2. Software Updates/Patching
    • Running in a container allows the software to be updated without a full VyOS upgrade. This matters when upstream releases a fix for a vulnerability: the container image can be rolled forward on its own.
  3. Compatibility
    • Each interface can run a different ZeroTier version for compatibility, for instance if one version works better for remote-access VPNs and another for site-to-site VPNs.
  4. Performance
    • Running several ZeroTier processes in parallel allows throughput to scale across them using ECMP, and the CPU scheduler can hand idle cores directly to each process. This can allow for more than 40 Gbps of encrypted throughput on relatively inexpensive hardware.
  5. Licensing
    • ZeroTier is distributed under the Business Source License (BSL). Running it as a container puts the responsibility for obtaining the software and complying with its license on the user/operator rather than on the distribution maintainers. ZeroTier would not be bundled with VyOS; VyOS would simply expose the configuration elements for users who want, and are permitted, to run ZeroTier.

Containers will be named vyos_created_zt<num> to avoid naming conflicts with manually installed ZeroTier containers.

Configuration

Every setting of ZeroTier's local.conf file will be exposed in the VyOS configuration syntax, including the creation of custom bonding policies.

vyos@vyos# set interfaces zerotier zt3
Possible completions:
+  allow-mgmt-from      Allow management from specified subnets
   allow-tcp-fallback   Allow falling back to TCP Relay if UDP fails
   api-key              ZT API key - DO NOT share
+  bind                 Bind ZeroTier to specified IP
   bonding-policy       Bonding policy to be applied
+> custom-policy        User created ZeroTier bonding policy
   description          Description
   force-tcp-relay      Disables UDP communication and forces TCP
+  interface-blacklist  Prevent binding of ZeroTier service to interfaces
   low-bandwidth-mode   Enable low-bandwidth-mode (limits control traffic)
   multipath-mode       Multipath load-balancing mode
+> network-config       Network specific ZeroTier config
   network-id           ZeroTier Network ID to join (required)
+> peer-config          Per-peer config, keyed by 10-digit hex node ID
+> peer-specific-bonds  Apply bonding policies per peer
   primary-port         Primary port for ZeroTier service (required)
   secondary-port       Secondary port for ZeroTier service
   tcp-relay            Define the IP/Port of a TCP Relay
   tertiary-port        Tertiary port for ZeroTier service
   version              Version of ZeroTier to use (required)
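As an added illustration (not VyOS or ZeroTier code), the following Python sketch shows how the proposed nodes above could be translated into a local.conf settings block, together with the input validation such a translation needs: network IDs are 16 hex digits, peer node IDs are 10 hex digits, the three ports must be distinct, and allow-mgmt-from only ever widens access to the node's local control API, so it defaults to nothing. The local.conf key names are taken from upstream ZeroTier documentation and should be verified against the version actually deployed; the sample configuration is constructed. The api-key node is deliberately left out because ZeroTier reads its control-API token from authtoken.secret, not from local.conf, and network-id is applied by joining the network rather than through local.conf.

```python
"""Added example (not VyOS or ZeroTier code): translate the proposed
'interfaces zerotier ztN' nodes into a ZeroTier local.conf settings block."""
import ipaddress
import json
import re

NETWORK_ID_RE = re.compile(r"^[0-9a-f]{16}$", re.IGNORECASE)  # ZeroTier network ID
NODE_ID_RE = re.compile(r"^[0-9a-f]{10}$", re.IGNORECASE)     # ZeroTier node address


def container_name(ifname):
    """Container name scheme from the proposal: vyos_created_zt<num>."""
    m = re.fullmatch(r"zt(\d+)", ifname)
    if not m:
        raise ValueError("zerotier interface names must look like zt<num>: %r" % ifname)
    return "vyos_created_zt" + m.group(1)


def _port(value):
    port = int(value)
    if not 1 <= port <= 65535:
        raise ValueError("port out of range: %r" % value)
    return port


def build_local_conf(cfg):
    """Return the dict to serialise as local.conf for one ztN interface.
    cfg is keyed by the proposed node names; multi-valued nodes are lists,
    tag nodes (custom-policy, peer-specific-bonds) are dicts."""
    # network-id is validated here but applied by joining the network
    # (the equivalent of 'zerotier-cli join'); it is not a local.conf key.
    if not NETWORK_ID_RE.match(cfg.get("network-id", "")):
        raise ValueError("network-id must be 16 hex digits")

    settings = {}
    ports = []
    for node, key in (("primary-port", "primaryPort"),
                      ("secondary-port", "secondaryPort"),
                      ("tertiary-port", "tertiaryPort")):
        if node in cfg:
            settings[key] = _port(cfg[node])
            ports.append(settings[key])
    if "primaryPort" not in settings:
        raise ValueError("primary-port is required")
    if len(set(ports)) != len(ports):
        raise ValueError("primary/secondary/tertiary ports must be distinct")

    # allowManagementFrom widens access to the node's local control API, the
    # interface the api-key/authtoken protects.  An empty list keeps upstream's
    # loopback-only default, so only explicitly listed subnets get in.
    settings["allowManagementFrom"] = [
        str(ipaddress.ip_network(n, strict=False)) for n in cfg.get("allow-mgmt-from", [])]
    settings["bind"] = [str(ipaddress.ip_address(a)) for a in cfg.get("bind", [])]
    settings["interfacePrefixBlacklist"] = list(cfg.get("interface-blacklist", []))
    settings["allowTcpFallbackRelay"] = bool(cfg.get("allow-tcp-fallback", False))
    settings["forceTcpRelay"] = bool(cfg.get("force-tcp-relay", False))
    if "tcp-relay" in cfg:  # upstream writes the relay as "ip/port"
        host, _, port = cfg["tcp-relay"].rpartition("/")
        ipaddress.ip_address(host)  # raises on anything that is not an IP
        settings["tcpFallbackRelay"] = "%s/%d" % (host, _port(port))
    settings["lowBandwidthMode"] = bool(cfg.get("low-bandwidth-mode", False))
    if "multipath-mode" in cfg:
        settings["multipathMode"] = int(cfg["multipath-mode"])
    if "bonding-policy" in cfg:
        settings["defaultBondingPolicy"] = cfg["bonding-policy"]
    if "custom-policy" in cfg:
        settings["policies"] = dict(cfg["custom-policy"])
    if "peer-specific-bonds" in cfg:
        bonds = {}
        for node_id, policy in cfg["peer-specific-bonds"].items():
            if not NODE_ID_RE.match(node_id):
                raise ValueError("peer node ID must be 10 hex digits: %r" % node_id)
            bonds[node_id.lower()] = policy
        settings["peerSpecificBonds"] = bonds
    # api-key is deliberately absent: ZeroTier reads its control-API token from
    # authtoken.secret (mode 0600 in the node's home directory), not local.conf.
    return {"settings": settings}


# Constructed sample mirroring the completion list above; every value is made up.
EXAMPLE_CFG = {
    "network-id": "0123456789abcdef",
    "primary-port": "9993",
    "secondary-port": "19993",
    "allow-mgmt-from": ["10.255.0.0/24"],
    "bind": ["192.0.2.10"],
    "interface-blacklist": ["wg", "tun"],
    "allow-tcp-fallback": True,
    "tcp-relay": "198.51.100.7/443",
    "bonding-policy": "active-backup",
    "peer-specific-bonds": {"ABCDEF0123": "broadcast"},
}

if __name__ == "__main__":
    print(container_name("zt3"))
    print(json.dumps(build_local_conf(EXAMPLE_CFG), indent=2, sort_keys=True))
```

Writing the resulting JSON into the container's ZeroTier home directory as local.conf, with authtoken.secret kept separately at mode 0600, is the step a real implementation would perform at commit time; rejecting malformed identifiers before that point keeps a typo in a node ID from silently becoming a bonding policy that never applies.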

Op Mode

The following op mode commands will be added:

show interfaces zerotier
show interfaces zerotier <interface>

show interfaces zerotier <interface> networks

show interfaces zerotier <interface> peers
show interfaces zerotier <interface> peers-all
show interfaces zerotier <interface> peers-detail

show interfaces zerotier <interface> metrics accepted-packets
show interfaces zerotier <interface> metrics errors
show interfaces zerotier <interface> metrics latency
show interfaces zerotier <interface> metrics packet-types
show interfaces zerotier <interface> metrics peer-packets
show interfaces zerotier <interface> metrics peer-packet-errors
show interfaces zerotier <interface> metrics protocols

show interfaces zerotier <interface> bonding
show interfaces zerotier <interface> bonding <node id>

restart zerotier <zt interface>

zerotier interface <interface> orbit <root id>
zerotier interface <interface> allow-default enable/disable
zerotier interface <interface> allow-managed enable/disable
zerotier interface <interface> allow-global enable/disable
zerotier interface <interface> bonding-failover <node id>

Details

Difficulty level: Unknown (requires assessment)
Version: -
Why the issue appeared?: Will be filled on close
Is it a breaking change?: Perfectly compatible
Issue type: Feature (new functionality)
