Secure Client Isolation Howto please?

Hi - I really appreciate the Zerotier open source efforts - very nice!

Question: I could not infer from the documentation how to create secure client isolation with Zerotier. From what I understand, a zerotier network seems to be quite “open”, and clients seem not to be protected by default.

It would be very important to clarify this in the Documentation and also provide a default flow configuration that isolates clients.

Would you please publish an official reference configuration for client isolation on a Zerotier network, e.g. when accessing a file server?

I could only find this piece in the knowledge base:

https://zerotier.atlassian.net/wiki/spaces/SD/pages/222330881/Hub+and+Spoke

```
# Tag definition: every member gets a 'server' value of No (0) or Yes (1)
# in the Tags Matrix; members with no value set get the default, No.
tag server
  id 2
  enum 0 No
  enum 1 Yes
  default No;

# if both members are not servers, break
# 'tor' ORs the two members' 'server' tag values. If neither side is a
# server the result is 0, not 1, so 'break' stops evaluation here and the
# network's default action, drop, applies.
break not tor server 1;

# This is required because the default action is 'drop'.
accept;
```

But this example does not make sense - what does the “tor” mean?

Also the text says

"See the “Tags Matrix” in the section below after saving the rules. Set your servers to “Yes”"

but there is no section below that text.

I believe it would be important to make this information more accessible and allow people to build more secure VPN networks without having to study the whole manual in depth.

I speak, btw, from the experience of a guy proudly showing me his zerotier network, which of course had no client isolation at all. He was not aware of that or of what it means.

You do a very good job in making VPN tech accessible to non-tech people; however, you should put more effort into taking care that people do not shoot themselves in the foot unknowingly… Also, I believe client isolation should be active by default.

What do you think?

And, BTW, I wanted to tag this post with “Security”, but this word is not available as a tag, which is very strange for a VPN software community…

Thanks for writing. If we made “client isolation” the default, then 99% of new users would think ZeroTier doesn’t work. The first two devices you join to a network wouldn’t work. My phone would be isolated from my laptop.

That tag-based client isolation rule set is good for certain use cases.
There are docs for “tor” in the “rules help” below the rules editor and in the manual.
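To make the quoted rule set concrete, here is a toy evaluator that walks the two rules for every pair of members of a small constructed network. This is an added example, not ZeroTier's code: it models only what the thread discusses, namely that `tor server 1` matches when the bitwise OR of both members' `server` tag values equals 1 (so a client may reach a server and servers may reach each other, but two clients cannot), and that `break` ends evaluation so the network's default action, drop, applies. It also shows what the same policy would do with `tand` (bitwise AND) so the difference is visible. The member names and tag values are constructed, and the evaluator ignores details of the real engine such as rules being checked on both the sending and receiving side.

```python
"""Toy evaluator for the tag-based client-isolation rule set.

Added example, not ZeroTier's own code. 'tor'/'tand' combine both members'
values for a tag with bitwise OR/AND and compare the result with the rule's
constant; 'break' stops evaluation, which leaves the default action, drop.
Member names and tag values below are constructed.
"""
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Tuple

TAG_DEFAULTS = {"server": 0}  # 'default No' in the tag definition -> 0


@dataclass
class Member:
    name: str
    tags: Dict[str, int] = field(default_factory=dict)

    def tag(self, name: str) -> int:
        return self.tags.get(name, TAG_DEFAULTS[name])


Matcher = Callable[[Member, Member], bool]


def tor(tag: str, value: int) -> Matcher:
    """'tor <tag> <value>': match when the OR of both sides' values equals value."""
    return lambda a, b: (a.tag(tag) | b.tag(tag)) == value


def tand(tag: str, value: int) -> Matcher:
    """'tand <tag> <value>': match when the AND of both sides' values equals value."""
    return lambda a, b: (a.tag(tag) & b.tag(tag)) == value


Rule = Tuple[str, bool, Matcher]  # (action, negated, matcher)

# break not tor server 1;  accept;   (the knowledge-base rule set)
CLIENT_ISOLATION: List[Rule] = [
    ("break", True, tor("server", 1)),
    ("accept", False, lambda a, b: True),
]

# Same shape with 'tand': only server-to-server traffic survives.
SERVERS_ONLY: List[Rule] = [
    ("break", True, tand("server", 1)),
    ("accept", False, lambda a, b: True),
]


def evaluate(rules: List[Rule], src: Member, dst: Member) -> str:
    """Walk the rules in order. 'accept' and 'drop' are terminal; 'break'
    stops evaluation, so the network's default action (drop) applies."""
    for action, negated, matcher in rules:
        hit = matcher(src, dst)
        if negated:
            hit = not hit
        if not hit:
            continue
        return "accept" if action == "accept" else "drop"
    return "drop"  # ran out of rules: default action is drop


def matrix(rules: List[Rule], members: List[Member]) -> Dict[Tuple[str, str], str]:
    """Verdict for every ordered pair of distinct members."""
    return {(a.name, b.name): evaluate(rules, a, b)
            for a in members for b in members if a is not b}


# Constructed sample network: one file server tagged Yes, two clients left at the default No.
MEMBERS = [
    Member("fileserver", {"server": 1}),
    Member("laptop"),
    Member("phone"),
]

if __name__ == "__main__":
    for label, rules in (("client isolation (tor)", CLIENT_ISOLATION),
                         ("servers only (tand)", SERVERS_ONLY)):
        print(label)
        for (a, b), verdict in matrix(rules, MEMBERS).items():
            print(f"  {a:>10} -> {b:<10} {verdict}")
```

Running it shows laptop and phone each reaching the file server while laptop-to-phone traffic is dropped; with `tand` in place of `tor` even the client-to-server flows are dropped, which is why the knowledge-base rule uses `tor`.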
