ZeroTier: is this a good time to use...

dafyre

@Dashrender said:

@dafyre said:

@wrx7m said:

In terms of the gateway feature, is it Linux connector + bridged mode?

That is supposed to be the way it works, but I haven't been able to get it to work like that.

If I want it as a "gateway", I just set it up as a router, and add static routes on the physical routers on each site.

that doesn't allow for ethernet level access - definitely not the same thing at all.

Sadly, you are very much correct.

scottalanmiller

That's why ZT refers to it as a bridge, not a router. It's true bridging functionality that is needed to make it work as intended.

Dashrender

@scottalanmiller said:

That's why ZT refers to it as a bridge, not a router. It's true bridging functionality that is needed to make it work as intended.

That's what I thought, but @dafyre is saying he's been unable to get it to work.

Jason

@FATeknollogee said:

Type 3: Users (are contractors), they connect via VPN from overseas

Seems like a bad idea. Usually employees are given VPN access from company owned devices. a VPN is too much exposure for non-company owned devices and for people who aren't full employees. I would look into some other form of access, RD Gateway with RDS or Ctirix etc for these people.

dafyre

@Dashrender said:

@scottalanmiller said:

That's why ZT refers to it as a bridge, not a router. It's true bridging functionality that is needed to make it work as intended.

That's what I thought, but @dafyre is saying he's been unable to get it to work.

I have not been able to get it to work. I got a post out on their community, but haven't heard anything back yet, lol.

FATeknollogee

@Jason said:

@FATeknollogee said:

Type 3: Users (are contractors), they connect via VPN from overseas

Seems like a bad idea. Usually employees are given VPN access from company owned devices. a VPN is too much exposure for non-company owned devices and for people who aren't full employees. I would look into some other form of access, RD Gateway with RDS or Ctirix etc for these people.

Are you saying access via ZT is not a good idea?

scottalanmiller

@FATeknollogee said:

@Jason said:

@FATeknollogee said:

Type 3: Users (are contractors), they connect via VPN from overseas

Seems like a bad idea. Usually employees are given VPN access from company owned devices. a VPN is too much exposure for non-company owned devices and for people who aren't full employees. I would look into some other form of access, RD Gateway with RDS or Ctirix etc for these people.

Are you saying access via ZT is not a good idea?

Correct. ZT is a VPN. VPNs from arbitrary devices is normally a bad idea. The only exception to this is when you would have happily exposed the LAN to the Internet and this is purely a handy control of IP addresses. If security is your goal, you are bypassing security using a VPN in this role. VPNs are very dangerous because they are about exposure.

Dashrender

@scottalanmiller said:

@FATeknollogee said:

@Jason said:

@FATeknollogee said:

Type 3: Users (are contractors), they connect via VPN from overseas

Seems like a bad idea. Usually employees are given VPN access from company owned devices. a VPN is too much exposure for non-company owned devices and for people who aren't full employees. I would look into some other form of access, RD Gateway with RDS or Ctirix etc for these people.

Are you saying access via ZT is not a good idea?

Correct. ZT is a VPN. VPNs from arbitrary devices is normally a bad idea. The only exception to this is when you would have happily exposed the LAN to the Internet and this is purely a handy control of IP addresses. If security is your goal, you are bypassing security using a VPN in this role. VPNs are very dangerous because they are about exposure.

The whole trusted network issue. LAN vs LAN-less

As more and more things move to networks that are not local to our computers, we're changing seeing how we trust things.

Traditionally we trust machines that are on our local LAN, but, if flip that on its ear and trust nothing, and always setup authenticated/trusted communications no matter where device is in comparison to us, then we are much safer.

dafyre

@Dashrender said:

@scottalanmiller said:

@FATeknollogee said:

@Jason said:

@FATeknollogee said:

Type 3: Users (are contractors), they connect via VPN from overseas

Seems like a bad idea. Usually employees are given VPN access from company owned devices. a VPN is too much exposure for non-company owned devices and for people who aren't full employees. I would look into some other form of access, RD Gateway with RDS or Ctirix etc for these people.

Are you saying access via ZT is not a good idea?

Correct. ZT is a VPN. VPNs from arbitrary devices is normally a bad idea. The only exception to this is when you would have happily exposed the LAN to the Internet and this is purely a handy control of IP addresses. If security is your goal, you are bypassing security using a VPN in this role. VPNs are very dangerous because they are about exposure.

The whole trusted network issue. LAN vs LAN-less

As more and more things move to networks that are not local to our computers, we're changing seeing how we trust things.

Traditionally we trust machines that are on our local LAN, but, if flip that on its ear and trust nothing, and always setup authenticated/trusted communications no matter where device is in comparison to us, then we are much safer.

I think that it is beyond time that we stop trusting machines on our local lan. Even my home network has the service discovery disabled, and each machine has its firewall turned on for that very reason.

Dashrender

@dafyre said:

@Dashrender said:

@scottalanmiller said:

@FATeknollogee said:

@Jason said:

@FATeknollogee said:

Type 3: Users (are contractors), they connect via VPN from overseas

Seems like a bad idea. Usually employees are given VPN access from company owned devices. a VPN is too much exposure for non-company owned devices and for people who aren't full employees. I would look into some other form of access, RD Gateway with RDS or Ctirix etc for these people.

Are you saying access via ZT is not a good idea?

Correct. ZT is a VPN. VPNs from arbitrary devices is normally a bad idea. The only exception to this is when you would have happily exposed the LAN to the Internet and this is purely a handy control of IP addresses. If security is your goal, you are bypassing security using a VPN in this role. VPNs are very dangerous because they are about exposure.

The whole trusted network issue. LAN vs LAN-less

As more and more things move to networks that are not local to our computers, we're changing seeing how we trust things.

Traditionally we trust machines that are on our local LAN, but, if flip that on its ear and trust nothing, and always setup authenticated/trusted communications no matter where device is in comparison to us, then we are much safer.

I think that it is beyond time that we stop trusting machines on our local lan. Even my home network has the service discovery disabled, and each machine has its firewall turned on for that very reason.

I go back and forth on using the home networking features that Windows has these days.

dafyre

@Dashrender said:

@dafyre said:

@Dashrender said:

@scottalanmiller said:

@FATeknollogee said:

@Jason said:

@FATeknollogee said:

Type 3: Users (are contractors), they connect via VPN from overseas

Seems like a bad idea. Usually employees are given VPN access from company owned devices. a VPN is too much exposure for non-company owned devices and for people who aren't full employees. I would look into some other form of access, RD Gateway with RDS or Ctirix etc for these people.

Are you saying access via ZT is not a good idea?

Correct. ZT is a VPN. VPNs from arbitrary devices is normally a bad idea. The only exception to this is when you would have happily exposed the LAN to the Internet and this is purely a handy control of IP addresses. If security is your goal, you are bypassing security using a VPN in this role. VPNs are very dangerous because they are about exposure.

The whole trusted network issue. LAN vs LAN-less

As more and more things move to networks that are not local to our computers, we're changing seeing how we trust things.

Traditionally we trust machines that are on our local LAN, but, if flip that on its ear and trust nothing, and always setup authenticated/trusted communications no matter where device is in comparison to us, then we are much safer.

I think that it is beyond time that we stop trusting machines on our local lan. Even my home network has the service discovery disabled, and each machine has its firewall turned on for that very reason.

I go back and forth on using the home networking features that Windows has these days.

I use them because they are there. I also have linux boxes at my house too, so there's that.