This feature request is for adding support for ZeroTier. Adding ZeroTier would provide bolt-on SD-WAN support for VyOS.
## Implementation plan
Each configured ZeroTier interface will run as its own ZeroTier process inside its own container. This is done for a number of reasons:
1. Resource Utilization
   - Unless ZeroTier is configured, no ZeroTier processes or services run and consume system resources. A number of NOSes are moving to this approach.
2. Software Updates/Patching
   - Running in a container allows the software to be updated without a full VyOS update. This is important when upstream publishes a fix for a vulnerability.
3. Compatibility
   - Each interface can run a different version for compatibility. For instance, one version may work better for remote-access VPNs and another for site-to-site VPNs.
4. Performance
   - Running services in parallel allows throughput to scale well using ECMP. The CPU scheduler can give unused cores directly to the process. This can allow for >40Gbps of encrypted throughput on relatively inexpensive hardware.
5. Licensing
   - ZeroTier uses a BSL license. Running the software as a container pushes the requirement to acquire the software and adhere to its licensing onto the user/operator rather than the distro/maintainers. ZeroTier would not be bundled with VyOS; VyOS would simply expose the configuration elements if the user wants, and is allowed, to run ZeroTier.
Naming of the containers will be `vyos_created_zt<num>`. This is to prevent any potential naming conflicts with manual installations of ZeroTier.
## Configuration
The configuration of ZeroTier's local.conf file will be fully supported in configuration syntax, including the creation of custom bonding policies.
```
vyos@vyos# set interfaces zerotier zt3
Possible completions:
+  allow-mgmt-from        Allow management from specified subnets
   allow-tcp-fallback     Allow falling back to TCP Relay if UDP fails
   api-key                ZT API key - DO NOT share
+  bind                   Bind ZeroTier to specified IP
   bonding-policy         Bonding policy to be applied
+> custom-policy          User created ZeroTier bonding policy
   description            Description
   force-tcp-relay        Disables UDP communication and forces TCP
+  interface-blacklist    Prevent binding of ZeroTier service to interfaces
   low-bandwidth-mode     Enable low-bandwidth-mode (limits control traffic)
   multipath-mode         Multipath load-balancing mode
+> network-config         Network specific ZeroTier config
   network-id             ZeroTier Network ID to join (required)
+> peer-config            10-digit hex
+> peer-specific-bonds    Apply bonding policies per peer
   primary-port           Primary port for ZeroTier service (required)
   secondary-port         Secondary port for ZeroTier service
   tcp-relay              Define the IP/Port of a TCP Relay
   tertiary-port          Tertiary port for ZeroTier service
   version                Version of ZeroTier to use (required)
```
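The two pieces above that a commit handler would have to get right are the container naming scheme and the translation of the CLI tree into ZeroTier's `local.conf`. The following is an added, hypothetical sketch of that handler, not VyOS or ZeroTier code: it derives the `vyos_created_zt<num>` container name, validates the fields that would otherwise flow unchecked into a container command line or a config file (network ID, node IDs, ports, management prefixes), and keeps `api-key` out of both the rendered file and any `show`-style output. The `local.conf` key names in `SETTINGS_MAP` are an assumption based on ZeroTier's `local.conf` reference and should be checked against the ZeroTier version that gets pinned; the sample network ID, version string and API key are constructed placeholders.

```python
"""Hypothetical renderer for the proposed 'set interfaces zerotier ztN' tree.

Added example, not VyOS or ZeroTier project code. local.conf key names are
an assumption; verify them against the pinned ZeroTier release.
"""
import ipaddress
import json
import re

CONTAINER_PREFIX = "vyos_created_"
NETWORK_ID_RE = re.compile(r"^[0-9a-fA-F]{16}$")  # ZeroTier network IDs are 16 hex digits
NODE_ID_RE = re.compile(r"^[0-9a-fA-F]{10}$")     # node (peer) IDs are 10 hex digits
IFNAME_RE = re.compile(r"^zt([0-9]{1,4})$")
SECRET_KEYS = ("api-key",)                         # never written to local.conf or shown

# CLI leaf -> local.conf "settings" key (assumed names, see module docstring).
SETTINGS_MAP = {
    "primary-port": "primaryPort",
    "secondary-port": "secondaryPort",
    "tertiary-port": "tertiaryPort",
    "allow-tcp-fallback": "allowTcpFallbackRelay",
    "force-tcp-relay": "forceTcpRelay",
    "tcp-relay": "tcpFallbackRelay",
    "low-bandwidth-mode": "lowBandwidthMode",
    "multipath-mode": "multipathMode",
    "bonding-policy": "defaultBondingPolicy",
}
PORT_KEYS = ("primary-port", "secondary-port", "tertiary-port")
FLAG_KEYS = ("allow-tcp-fallback", "force-tcp-relay", "low-bandwidth-mode")


class ConfigError(ValueError):
    """Raised for input a commit should reject rather than pass through."""


def container_name(ifname):
    """Map an interface name such as 'zt3' to 'vyos_created_zt3'."""
    m = IFNAME_RE.match(ifname)
    if not m:
        raise ConfigError(f"invalid zerotier interface name: {ifname!r}")
    return f"{CONTAINER_PREFIX}zt{int(m.group(1))}"


def _port(value, name):
    try:
        port = int(value)
    except (TypeError, ValueError):
        raise ConfigError(f"{name}: not an integer") from None
    if not 1 <= port <= 65535:
        raise ConfigError(f"{name}: port {port} out of range")
    return port


def render_local_conf(cfg):
    """Render a local.conf dict from a CLI-shaped dict; raises ConfigError on bad input."""
    for key in ("network-id", "primary-port", "version"):
        if key not in cfg:
            raise ConfigError(f"{key} is required")
    if not NETWORK_ID_RE.match(str(cfg["network-id"])):
        raise ConfigError("network-id must be 16 hex digits")

    settings = {}
    for cli_key, conf_key in SETTINGS_MAP.items():
        if cli_key not in cfg:
            continue
        value = cfg[cli_key]
        if cli_key in PORT_KEYS:
            value = _port(value, cli_key)
        elif cli_key in FLAG_KEYS:
            value = True  # valueless leaf: presence means enabled
        settings[conf_key] = value

    # Management-plane reachability: only well-formed prefixes get through.
    if "allow-mgmt-from" in cfg:
        try:
            settings["allowManagementFrom"] = [
                str(ipaddress.ip_network(n, strict=False)) for n in cfg["allow-mgmt-from"]]
        except ValueError as e:
            raise ConfigError(f"allow-mgmt-from: {e}") from None
    if "bind" in cfg:
        try:
            settings["bind"] = [str(ipaddress.ip_address(a)) for a in cfg["bind"]]
        except ValueError as e:
            raise ConfigError(f"bind: {e}") from None
    if "interface-blacklist" in cfg:
        settings["interfacePrefixBlacklist"] = list(cfg["interface-blacklist"])
    # Per-peer policies: peer IDs are validated so arbitrary strings never reach the file.
    if "peer-specific-bonds" in cfg:
        for peer in cfg["peer-specific-bonds"]:
            if not NODE_ID_RE.match(peer):
                raise ConfigError(f"peer-specific-bonds: {peer!r} is not a 10-digit hex node id")
        settings["peerSpecificBonds"] = dict(cfg["peer-specific-bonds"])
    return {"settings": settings}


def redacted(cfg):
    """Copy of the CLI tree that is safe for 'show' output or logs: secrets masked."""
    return {k: ("<redacted>" if k in SECRET_KEYS else v) for k, v in cfg.items()}


if __name__ == "__main__":
    # Constructed sample input; network id, version and api-key are placeholders.
    sample = {"network-id": "0123456789abcdef", "primary-port": "9993",
              "version": "1.0.0", "allow-mgmt-from": ["192.0.2.0/24"],
              "allow-tcp-fallback": True, "api-key": "constructed-secret"}
    print(container_name("zt3"))
    print(json.dumps(render_local_conf(sample), indent=2))
    print(redacted(sample))
```

The design point is that every value the CLI accepts is re-validated here before it is written anywhere: the interface name must match `zt<num>` before it becomes a container name, and node and network IDs are checked as hex strings of the documented length, so the commit rejects malformed input instead of handing it to the container runtime or the ZeroTier process.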
## Op Mode
The following op mode commands will be added:
```
show interfaces zerotier
show interfaces zerotier <interface>
show interfaces zerotier <interface> networks
show interfaces zerotier <interface> peers
show interfaces zerotier <interface> peers-all
show interfaces zerotier <interface> peers-detail
show interfaces zerotier <interface> metrics accepted-packets
show interfaces zerotier <interface> metrics errors
show interfaces zerotier <interface> metrics latency
show interfaces zerotier <interface> metrics packet-types
show interfaces zerotier <interface> metrics peer-packets
show interfaces zerotier <interface> metrics peer-packet-errors
show interfaces zerotier <interface> metrics protocols
show interfaces zerotier <interface> bonding
show interfaces zerotier <interface> bonding <node id>
restart zerotier <zt interface>
zerotier interface <interface> orbit <root id>
zerotier interface <interface> allow-default enable/disable
zerotier interface <interface> allow-managed enable/disable
zerotier interface <interface> allow-global enable/disable
zerotier interface <interface> bonding-failover <node id>
```