Use zerotier as network backend?

Zerotier is a p2p virtual lan project. It can put everything into the same virtual ipv6 network, and handles nat-traversal.

Libzt lets you access zerotier as a library without creating a new tun devices.

It seems like it could make a lot of the network discovery issues easier and more consistent. Zerotier already handles NAT traversal as well as local discovery.

Sure, so does many other tunneling software.

You should be able to run Syncthing on top of this just fine.

Somehow wedging it into Syncthing seems both technically problematic and undesirable…

I am, no problem there. But it might simplify the network stack quite a bit to build on libzt.

Just saw your edit, why do you think “wedging it into” syncthing would be a problem?

There’s a golang wrapper for the library over here:

It does pretty much everything your networking stack already does while also providing better NAT traversal options.

I guess I just don’t see the advantage of using a home-grown solution when there’s a lovely open-source library that will accomplish the same goals but is a more universal standard.

I’d rather have one “discovery server” to maintain then to try and maintain one for syncthing and one for zerotier, as an example.

I’d ask you to take a look at the documentation:

Take a look at the NAT traversal options it has, and seriously consider if it’s doing a better job then you can do, especially with regards to NAT traversal and UPNP.

I don’t know of any other tunneling software that could fit into a project like this very well, so I expect you’re not familiar with what zerotier actually is. I’d appreciate it if you took a moment to familiarize yourself with it:

You’ll note that it’s a library, not a service that would need to be run along side the syncthing server.

I think you should outline the problems with the existing home grown solution and explain how this new solution would make our life better.

From my prespective, it’s a for profit company that has a library. At any point they might change their license, go bust or whatever and leave us dead in the water.

Presumably that same company controls the root servers used for discovery.

The middleware that is between the peers I also suspect is not available. So even tho it’s P2P in the best case, I suspect you still rely on the companies existance and infrastucture being operational.

It’s a C library with a Go wrapper that will completely kill our ability to cross-compile. The only reason we are still able to support such a large number of platforms is because Go allows us to cross-compile.

For node addressing and discovery, I suspect it’s impossible to do without breaking backwards compatability, and is a tremendeous amount of work. At that point it’s probably better just to fork syncthing.

Sure, it’s possible, but the benefits? A library with more bells and whistles, maybe it does something better,m aybe it does something worse and we’ll have to shoehorn stuff. I haven’t seen many convincing arguments other than “it’s cool, it’s there, you don’t have to do stuff”

Part of why opensource is interesting is because you get to learn new things. If I just get a library to do all the work, there is not much learning left.

It’s not super hard to add new protocol support, so knock yourself out if you feel bored. Sadly that’s now how I feel like spending my evenings.


As I’m both a ZeroTier & Syncthing user I must say that I really dislike the idea of integrating ZT into ST. Running Syncthing on top of ZeroTier - both being standalone - is obviously fine, but I’m strictly against binding them together for a variety of reasons.

  • Syncthing is an application that does not require any external accounts by some company and it only relies little on first/third party infrastructure. It’s quite simple to get your own discovery server and run fully independent on your own infrastructure.

  • ZeroTier on the other hand is quite different: It heavily relies on infrastructure provided by the ZeroTier company: First you have the rootservers, which are (almost) hardcoded into the application. Changing these requires fiddling with source code! Also, 99% of users will use the network controllers provided by ZeroTier which require a (free or paid) account, but ZeroTier has full control over them and they tend to be a little slacky with privacy: I’ve seen ZeroTier developers posting private information in the chat about networks created by their users without asking them beforehand (not critical stuff, but still - in theory they’ve full access to your whole network, including all traffic). Hosting your own network controller is possible but it’s a task only suitable for experts - not comparable to the simplicity of syncthing’s infrastructure.

This does not means that ZeroTier itself is bad: It just means you have two different worlds which don’t play that well together.

  1. As I mentioned earlier, ZeroTier requires a network controller. It also requires one or more networks for all your devices which need to be setup beforehand. Integrating ZT into ST would require ST to handle all this stuff, meaning ST would need to create and manage virtual networks: This seems pretty much out of scope for a sync program and as with all networks, each network needs an administrator. Many things can be automated, yes, but running completly headless without a human monitoring stuff is always a bad idea. And you can’t expect from the average syncthing user to be able to handle administration of a ZeroTier network.

I imagine even if Syncthing would one day ask users to register for a free account on some external website (for the network controller) would scare off many. Even if it was opt-in, meaning you could always turn off ZeroTier.

Syncthing could rewrite ZeroTier and provide own roots and network controllers, but that would still leave some issues open: a) this simply shifts the trust and reliability issue; b) this would pretty much require Syncthing to rewrite to run as much as possible on ZeroTier, but that comes with it’s own issues:

  1. ZeroTier needs to use UDP (there’s a TCP fallback to the roots but not P2P). From my own experience, in some middlebox heavy enviroments UDP has a horrible performance compared to TCP. Syncthing currently always prefers TCP, but ZeroTier would force ST to run TCP on top of UDP which is horrible for performance in some enviroments. A TCP-only option should always remain, but that means NOT using ZeroTier.

There are many more things to consider that I haven’t even mentioned. In the end it all boils down to one simple fact for me:

ZeroTier is only for people who want it and have the knowledge to work with it. This is incompatible with Syncthing at least for a subset of users.

You could also say that it’s probably not even worth the effort: ZeroTier’s features are not magical, it’s NAT traversal is nothing out of the ordinary. It works as good (or bad) as most other software. The gain is likely minimal in most network setups.

TL; DR For the people who really want Syncthing over ZeroTier there’s already a working solution, so why complicate things.


In fact ZeroTier is a virtual ethernet network and supports everything ethernet does: It is not limited to IPv6.

1 Like

You can run your own root servers. It is difficult to make it so that those are the only root servers, and not root servers in addition to the main ones, but if you have a root server on your lan and no internet access everything will just work.

No it doesn’t? Try joining 93afae59632ef739 without an account, everything works fine.

It is, and you don’t have to rely on the companies infrastructure at all.

How would a company going bankrupt change anything? It’s still an open source library that’s partially community driven.

Yeah, that is a big problem.

Because one of these is a documented general-purpose solution to this problem space and the other is a home grown solution. How do you deal with transport encryption? Do you prevent replay attacks? Don’t roll your own crypto, basically.

Apparently someone has been flagging all my comments as spam, and banned links to zerotier. So I can’t even reference things.

So that’s kind of a dick move, and I can’t really see myself contributing to this project ever if that’s how you’re going to deal with discussions.

Who said we roll our own crypto? I don’t think using TLS counts as rolling our own crypto. On the other hand doing non-stream based crypto (packet based crypto) does sound like rolling your own crypto.

This claim in general feels like you haven’t spent much time trying to understand how the homegrown solution works, yet are trying sell something as better.

So who provides TURN servers, or is this a lesser solution that does not do that? NAT punch through is not always possible and you do need a third party.

Regardless, no cross compiling is sort of a no-go for us, and as I said, I don’t really see an edge over what we do. Yes, it’s home grown, our implementation might be opinionated and more buggy, but it’s good enough.

I’ve unmarked the posts as spam, which were marked by an automated system dealing with spam.


I wasn’t talking about no-internet access scenarios, I was talking about running independent which ZeroTier makes really difficult. Moons are not a solution. Yes it’s possible to host own roots - I explicitly said this, but it’s more work than it’s worth.

Might as well throw myself into a shark tank. Public P2P networks that circumvent all external firewalls are really good solution, sure. Let’s give everyone full access to everything, right?

Seriously, to maintain a reasonable security level - that syncthing currently has -, every syncthing cluster would need it’s own private network. And this requires either an account, or self hosting of a controller.

But someone needs to host infrastructure and ZeroTier’s central infrastructure is significantly more complex than syncthing’s. ZeroTier’s roots provide the same relay services syncthing’s community relays do, but whilst syncthing’s relay are fully dynamic and don’t require money from the project maintainers, ZeroTier requires hardcoded unflexible server lists paid for by the project. Syncthing also seperates relay and discovery functions, which are both integrated into the central servers in ZeroTier, where self-hosting get’s difficult due to the fixed construction.

Funny that you mention this, because that’s excactly what ZeroTier does [they’re using a security protocol developed in-house]. Their security model is okay, but nothing that is exciting for me (it’s stateless/static, so no PFS). Syncthing on the other hand uses the most popular security protocol available today.

It feels like you haven’t really familiarized on how Syncthing and it’s components work.

I know the backend of both projects and I see simply no benefit in throwing away the components that were carefully developed over years with something that does exactly the same, but more complicated with more pitfalls. Syncthing already has all compononents - port forwarding, NAT - that ZeroTier can offer.

ZeroTier’s heart lives in simplifing networks that are distant to each other. It’s one of the fastest things to connect two computers on different continents and let them talk like they’re in LAN. But ZeroTier is hardly useful for a single application, that only has a single connection - a whole network just for one TCP connection? That just sounds overkill.

So again we return to the question, what use has ZeroTier in Syncthing? With the addition of QUIC I can not imagine anything improving for the end user. But I can imagine lot’s of things that get worse.

Plus, there’s always the magical question of “who would implement this”?

I always feel like I’m running in circles here, but to say it again: ZeroTier is only useful for a handful of users and it should be really easy to run ST on top of ZT. So everyone who wants that can do that, there’s nothing stopping you from doing that. If you don’t want to see the tun interfaces created by ZeroTier, run both programs in the same docker container (or do some other container magic, IDK).


That’s true, mostly I just brought it up because I was at the shopping mall and sync-thing didn’t work until I turned zerotier on on my phone, even though both were connected to the local LAN.

I think the root nodes can be set to act as TURN servers as well, which can make things a fair bit easier when you have multiple roots, including your own.

Thanks, the way the bot phrased it implied that it was administrative action.

Yeah, I agree. If libzt gets better support for cross-compiling I might bring it up again.

Well I’d encourage someone to generalize it into a library I can link my own projects against. Especially if you think it’s solved the problem in a better way, as that reduces the overhead of running relay infrastructure.

You understand that using libzt the library provides a local socket, and doesn’t provide an internet interface? It wouldn’t be possible to expose other services over that libzt connection because it’s a socket interface running in the same process as syncthing/whatever.

I don’t think you’re understanding the difference between running zerotier as a library and using it as a tunnel device.

That’s why I didn’t go into very much detail in my first post, I was expecting to say “here’s a cool thing, take a look at it”. I wasn’t expecting to write out a big thing explaining the potential advantages, and I wasn’t expecting a “yes we should use this”. I was expecting people to take a look at it, and when they start seeing problems that it could solve they’d be aware it exists.

But when people did misunderstand things, like the whole “it would make us dependent on some company” thing, I felt the need to explain further. At this point I’m confident you understand what it actually does, and if it does end up being useful I think you’ll remember it exists.

1 Like

Skipping all the rest to respond to just this. For one, zerotier doesn’t appear to run on some of the operating systems / architectures we already support, and would require a complex cross compilation process for the ones it does. For the other, it’s GPL which means we can’t link to it and distribute the result without becoming GPL ourselves.

Both of those points are hard showstoppers by themselves, regardless of the excellence and desirability of the end result.


The forum software does this automatically for trust level zero users (new accounts, who have not spent much time reading around on the forum yet) repeatedly posting links to the same domain. Sorry about that. Not an intentional dick move. Try not to take it personally.

Edit: I’ve now read the rest and saw this was already explained. Never mind, carry on. :slight_smile:


Just an aside, I’m a noob to Zerotier, and I’m appreciating all the comparing and contrasting between how Syncthing and Zerotier do firewall-punching things. I’m actually glad that there are two separate Open Source solutions, that are doing “firewall-punching”.

Let’s see if both projects are surviving five years from now. I feel confident at this time that Syncthing will still be around then. :slight_smile: I don’t know enough about the culture of the Zerotier community yet to form an opinion (let alone comment) on how long-lasting that project will likely be in the future.

This is a bit offtopic from the original topic, but since you indirectly asked:

Both Syncthing and ZeroTier’s first public release were in 2013, so the projects roughly have the same age. Behind ZeroTier is an actual company doing (almost) the whole development, Syncthing is more community driven.

A recent (26.6.2019) statement of the founder and CEO of ZeroTier, Inc, concerning the state of the company & project can be found here.

1 Like

Great link, @Nummer378 , and very relevant, IMHO.

My sense, after reading it, was that waiting until Zerotier 2.0 would be a wise thing, because then they will introduce “full decentralization of the ZeroTier root server plane”.

I feel this is worth noting, because Syncthing already offers such decentralization now (when it comes to using relays). And that decentralization is worth a lot to me. Thanks for designing Syncthing that way, oh Syncthing devs. :slight_smile:

BTW: Zerotier also claimed that they will “Open source the Edge 3D printer files so you can print nifty Edge cases for espressobin boards if you so desire.” That’s a nice gesture of them! They didn’t need to do that. That wins some brownie points with me. Also cool was their suggestion to make a Zerotier appliance out of a Raspberry Pi 4.

PS: I wish them the best of luck as they get their business model all together, and stabilize their revenue stream. Indeed, good customer support will be really hard to provide, on any enterprise-grade open source product, which has customers who know little about open source, and will stumble all over the place (and loathe admitting they don’t know WTF they’re doing), because they are still just learning the basics. Been there, done that, don’t ever want to be in that line of work again!