Bridge to IPSec for commercial router support

I’m presently trying to do some IT support for a few outfits, and an old issue has come back up: IPsec tunnels…

  1. They don’t always work with NAT, but it’s about the only thing commercial routers support in general.
  2. VyOS has caught my eye, and while it appears to support IPsec, OpenVPN, WireGuard, etc.; I don’t think it supports ZeroTier.
  3. OPNsense supports IPsec, ZT, and WG; but unless you use something like Vultr as your cloud host, you’re not getting that to work easily on GCP & other cloud platforms they don’t already have an image for.
  4. MPA guidelines may be averse to newer protocols such as ZT and WG. Newer protocols are supposed to be better than AES-256 in regards to encryption, but studios might not be convinced.
  5. Attempting to convince existing businesses to junk existing hardware, to make use of the likes of newer VPN protocols… that has been a hard sell in my time in IT.

Existing “SWAN” IPsec daemons are licensed GPL, so they may or may not be compatible code-wise with ZeroTier; so I’m not sure if that can be used as a starting point. It should be as easy as joining an existing ZT network, then handling IPsec keys for a router to log in to the daemon with. This may not fully address issue #4 without further clarification by staff, but it’d avoid having to do a lot of other work & buying hardware / VMs to get ZT in the hands of more users.

I am using an EdgeRouter from Ubiquiti, which has a fork of VyOS on it.
Installing ZeroTier was easy. I have IPsec and ZeroTier tunnels up and running on it very reliably.