First time experience using (self hosted) ZeroTier

I’m looking for a solution to replace my OpenVPN server, which is helping me to manage:

  • ca. 200 Win7 POS systems + ca. 30 Win10 PCs + a few iOS laptops + Android + iPhone mobiles
  • separated in 100+ groups (restaurants) (10.8.1.x, 10.8.2.x, etc )
  • having 1 master group to “rule them all” = reach every device from my own PCs + phone. (10.8.250.x)
  • 20+ years long, without any problem.

But creating new groups (networks) + setting up new firewall rules + generating keys + renaming everything + administration + installing and setting up clients with different keys + crt, etc. takes a lot of time and hassle.

So I’ve tried many other solutions during the last 2 years, like:

  • SoftEtherVPN (fixed IP / DHCP problems + too high server load)
  • Wireguard (unstable client routing + problem with reconnections + no “master group” / no rules)
  • HeadScale (too complicated ACL rules for 100+ groups, risky having only 1 masterkey for everyone)
  • ca. 5 other solutions … none of them had Win7 32-bit clients.

… and after long long search I’ve found this site, pointing me to ZT.

So finally I have found this awesome, Open Source, self-hostable solution.

  • Easy to setup in docker with portainer
  • Creating a new network takes only 10 sec
  • Easy to rename + enable / disable a client
  • Easy to manage IP addresses !!!

All together it seemed like a dream at first,

Until …

Yesterday I’ve spent the whole night testing speed and connection stability.

Sadly the results are very disappointing, forcing me to drop ZT completely :frowning:
… unless, there is a solution to increase connection stability ?

Here are my test results:

  1. Speed is ca. 25% slower than OpenVPN.
    • 15 MBit/s vs 20 MBit/s … 15-17 ms vs 10-12 ms
    (I would not care, if that would be the cost of higher security, just mentioning it…)
  2. If pinging with bigger packets (20000 bytes):
    • experiencing ca. 20% loss! (ca. every 5th echo)
  3. If connecting via TightVNC:
    • picture stops, timeout within max. 2 minutes
  4. RDP connection keeps “reconnecting…”
  5. Longer SQL transactions fail (scrolling through a menu table),
    losing all uncommitted data, complete program freeze within 5 sec!

As a comparison:

I’ve left the old OpenVPN connection on all the PCs, running side-by-side with ZT.

  • no ping-packet drop during the tests,
  • no VNC + RDP loss,
  • stable SQL queries

Conclusion / reason:

(I write this based on my 30+ years of programming and system engineering experience in networking + cryptography, but it would be great to be able to see detailed logs.)

IMHO there is some kind of continuous connection re-authentication happening behind the scenes on the VL1 layer, instead of keeping the already established connection steady.
Short-burst pings are working well, because it takes only 3-12 ms to finish, so even if the connection completely dropped and was re-established every 2 sec, there would be no problem with those.

Some of your speed & latency issues may be related to 2 things:

  1. Windows 7 - We haven’t supported Windows 7 since the 1.6.x releases. We’re up to 1.12.x, and 1.14.0 is coming soon. Microsoft themselves EOL’d Windows 7 in January 2020. Unfortunately it’s not possible for us to keep supporting EOL’d operating systems with the latest & greatest versions of ZeroTier.
  2. 32-bit - The 32-bit x86 ISA doesn’t have the native cryptographic primitives used by ZeroTier, so things have to be done the slow way.

As for your other results, I wonder if you’re getting direct connections between peers, or relaying through the root servers. ZeroTier operates peer-to-peer rather than routing traffic through a central VPN server. If traffic ends up having to be relayed, it is forwarded on a best-effort basis, which can generally add latency and cause increased packet loss as well. From an administrator command prompt, you can see the peer direct-connection or relayed status via the zerotier-cli peers command. If the peers have the RELAYED status, that means something (router/firewall most likely) is preventing ZeroTier from establishing direct connections and packets are being relayed.
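A small script that does the check the reply above describes, added here as an example and not code from ZeroTier or from either poster: it parses the peer table that `zerotier-cli peers` prints and lists every LEAF peer whose link column is not DIRECT, so relayed peers stand out instead of being read off by eye. The sample table is constructed to match the column layout of that command (status line, header row, one peer per line); the peer addresses, versions and IPs in it are made up, and the exact wording of the link column for a relayed peer (RELAY vs. RELAYED) is an assumption, which is why the script treats anything other than DIRECT as relayed. The `zerotier-cli` invocation at the bottom runs only when the script is started directly.

```python
import subprocess
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample shaped like the output of `zerotier-cli peers`.
# Not captured from a real node; addresses and IPs are invented.
SAMPLE_PEERS = """\
200 peers
<ztaddr>   <ver>  <role> <lat> <link> <lastTX> <lastRX> <path>
62f865ae71 -      PLANET    90 DIRECT 4541     4541     50.7.252.138/9993
a1b2c3d4e5 1.12.2 LEAF      15 DIRECT 112      98       203.0.113.10/9993
0f1e2d3c4b 1.6.6  LEAF      -1 RELAY
"""


@dataclass
class Peer:
    address: str
    version: str
    role: str
    latency_ms: int
    link: str
    path: Optional[str]  # None when the peer has no direct path


def parse_peers(text: str) -> List[Peer]:
    """Parse the human-readable peer table into Peer records."""
    peers: List[Peer] = []
    for line in text.splitlines():
        fields = line.split()
        # Skip the "200 peers" status line and the "<ztaddr> ..." header.
        if len(fields) < 5 or fields[0].startswith("<"):
            continue
        address, version, role, lat, link = fields[:5]
        # Relayed peers print no lastTX/lastRX/path columns.
        path = fields[7] if len(fields) >= 8 else None
        peers.append(Peer(address, version, role, int(lat), link, path))
    return peers


def relayed_leaves(peers: List[Peer]) -> List[Peer]:
    """Return the LEAF peers (real nodes, not roots) that are not DIRECT.

    Root servers (PLANET/MOON) are excluded: they are reached directly by
    design and are not the endpoints whose path quality matters here.
    """
    return [p for p in peers if p.role == "LEAF" and p.link != "DIRECT"]


def fetch_peers() -> str:
    """Run `zerotier-cli peers` on this host (needs administrator rights)."""
    return subprocess.run(
        ["zerotier-cli", "peers"], capture_output=True, text=True, check=True
    ).stdout


if __name__ == "__main__":
    peers = parse_peers(fetch_peers())
    bad = relayed_leaves(peers)
    for p in peers:
        print(f"{p.address} {p.role:<6} {p.link:<7} lat={p.latency_ms:>4} path={p.path}")
    print(f"{len(bad)} of {len([p for p in peers if p.role == 'LEAF'])} LEAF peers relayed")
```

Run it on each end of a problematic pair, not just one: a peer can be DIRECT from one side while the other side still relays until hole-punching succeeds, and a latency of -1 in the table means no round trip has been measured yet.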

Thanks for the fast reply and the command! :slight_smile:
I’ve checked, all connections are: DIRECT.
(Although I don’t really understand why it would matter other than a few percent of slowness.)

As I’ve mentioned before: I would not care, if the connection between points would be stable.
But they are NOT.
I can run some extra tests between a Win10 + Win11 PC running both the latest clients, but from my point of view it does not matter, because 80% of my clients are still using Win7 32-bit systems every day.

OFF :

Just because something is a bit older does not mean it is not much better.
It is obvious that Win7 is so stable, nobody would ever have changed it if MS didn’t force us to, and they need to make money to please the shareholders.

5% of my clients are still using Windows XP without ANY problems every day.
80% Win7 → 1-2 tiny problems / year.
15% Win10 → new problems all the time, unsolvable disasters every week.
(For example: last month Win10 started an unstoppable upgrade without asking, and went into an infinite restart/upgrade loop. The whole pizzeria had to shut down for that day until someone rushed there to reinstall the whole OS. Needed 8+ hours to set up everything again during the night.
Another day the OS killed the thermal printer’s drivers. No printing = no kitchen ticket + no invoice for the customer … )

These facts tell everything about “not supported” vs “buy new OS & drop your current PC to trash” …


IMHO every programmer who says:

  • We do not support older OSes any more

is personally responsible for accelerating this …


I’ve tested with latest 1.12.2 version on both clients too. (Win10 ↔ Win11 PC)

The result is just as bad as with Win7 + v1.6.6.

Any ideas how to preserve a stable connection once established?

For example at OpenVPN there is a persist-tun option.

Can I monitor somehow what’s happening ?

  • Built-in debug window hidden somewhere?

It is a real pity, because after trying 10+ VPN systems, this one gave me the best configuration experience…