I’m presently trying to do some IT support for a few outfits, and an old issue has come back up: IPsec tunnels…
- They don’t always work with NAT, but it’s about the only thing commercial routers support in general.
- VyOS has caught my eye, and while it appears to support IPsec, OpenVPN, WireGuard, etc., I don’t think it supports ZeroTier.
- OPNsense supports IPsec, ZT, and WG; but unless you use something like Vultr as your cloud host, you’re not getting that to work easily on GCP & other cloud platforms they don’t already have an image for.
- MPA guidelines may be averse to newer protocols such as ZT and WG. Newer protocols are supposed to be better than AES-256 with regard to encryption, but studios might not be convinced.
- Attempting to convince existing businesses to junk existing hardware, to make use of the likes of newer VPN protocols… that has been a hard sell in my time in IT.
Existing “SWAN” IPsec daemons are licensed under the GPL, so they may or may not be compatible code-wise with ZeroTier; so I’m not sure if that can be used as a starting point. It should be as easy as joining an existing ZT network, then handling IPsec keys for a router to log in to the daemon with. This may not fully address issue #4 without further clarification by staff, but it’d avoid having to do a lot of other work and buying hardware / VMs to get ZT in the hands of more users.