6/3/2023

Raspberry pi 4 routeros

ZeroTier can be very fast for what it is: a portable Layer 2 VPN over UDP implemented in userspace. On Linux and *BSD it's implemented using the tap(4) pseudo-interface. Each tap interface appears as an Ethernet interface to the kernel network stack. Moving Ethernet frames through the tap interfaces requires one system call per frame. The frames are encrypted/decrypted in userspace and tunneled over UDP sockets, which again require one system call per packet. These constraints limit how efficient the current implementation of ZeroTier can be. On a fast desktop you can push more than 1Gb/s through it with brute force, but the slower CPU cores used in low power routers lack the single thread CPU throughput to keep up with a desktop.

The nice thing about ZeroTier is that it supports all common desktop operating systems (Windows, macOS, most Linux distros and even *BSDs) and requires little local configuration (you only have to join the correct set of networks). You don't have to terminate high bandwidth VPNs on a network appliance.

If you feel comfortable managing network appliances like MikroTik routers you'll find that the in-kernel WireGuard implementation available on all platforms since RouterOS v7 is a lot faster and can make use of multiple cores with a single tunnel interface, but you lose the ZeroTier automatic meshing and centralised control plane. On platforms with crypto acceleration IPsec can be even faster because it can be configured with ciphers and modes that can be offloaded to hardware, but it's a massive pain in the posterior to deploy and operate, especially across multiple vendors.

I recommend you analyse your options and pick the least painful one satisfying your security and performance requirements.
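The per-frame system call cost described in the post can be measured on any Linux or BSD machine. The sketch below is an added example, not code from the original post or from ZeroTier: it assumes AF_UNIX datagram socket pairs as unprivileged stand-ins for the tap device and the UDP socket, and it performs no encryption, so the figure it reports is an upper bound for one core.

```python
import socket
import time

FRAME_SIZE = 1400   # constructed payload size, roughly one tunnelled Ethernet frame
HEADER_SIZE = 8     # constructed sequence-number header standing in for VPN framing


def relay_one(tap, udp, seq):
    """Relay one frame the way a userspace VPN daemon does; return syscalls issued."""
    frame = tap.recv(2048)                            # syscall 1: one read per frame
    udp.send(seq.to_bytes(HEADER_SIZE, "big") + frame)  # syscall 2: one send per packet
    return 2


def measure(n_frames=2000):
    """Push n_frames through the relay and estimate single-core throughput."""
    # Stand-ins (assumption): a datagram socketpair preserves message boundaries
    # like a tap fd or UDP socket, but needs no root and no network access.
    kernel_side, tap = socket.socketpair(socket.AF_UNIX, socket.SOCK_DGRAM)
    udp, peer = socket.socketpair(socket.AF_UNIX, socket.SOCK_DGRAM)
    frame = bytes(FRAME_SIZE)
    delivered = syscalls = busy_ns = 0
    try:
        for seq in range(n_frames):
            kernel_side.send(frame)                   # the "kernel" hands over a frame
            start = time.perf_counter_ns()
            syscalls += relay_one(tap, udp, seq)      # only the daemon's work is timed
            busy_ns += time.perf_counter_ns() - start
            if len(peer.recv(2048)) == FRAME_SIZE + HEADER_SIZE:
                delivered += 1
    finally:
        for sock in (kernel_side, tap, udp, peer):
            sock.close()
    # bits per nanosecond equals Gbit/s
    gbps = n_frames * FRAME_SIZE * 8 / max(busy_ns, 1)
    return {"frames": delivered, "syscalls": syscalls, "single_core_gbps": gbps}


if __name__ == "__main__":
    print(measure())
```

Running it on a desktop and on a low power router board shows the gap the post describes before any cipher cost is added.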