undefined | Better HN

0 pointsdiscardedrefuse4y ago0 comments

I recently did a deep dive into network overlays (like zerotier); mostly because I have a few self hosted services, and overlays seem to be the hot topic in the self-hosting community. I've come away with the feeling that most people using overlay networks at home are doing it completely wrong and opening themselves up to a world of hurt.

First, network overlays are not easier to setup than VPNs. Installing and configuring a network overlay client on every device is much more work than setting up a single VPN tunnel for every network you want to access. Overlay networks are just easier to plan because there is no planning. But they're not easier to implement.

Second, and far more important, meshing all your devices into a single flat network is dangerous. There is a reason why networks are designed with isolation strategies. Introducing an overlay into your networks breaks down these barriers for you, but also for an attacker.

The only overlay network that has built in firewall capabilities is Nebula. When I started configuring its firewall rules I found myself just recreating my existing segmented networks, but in a much more obtuse way. Instead of configuring a central firewall, I was configuring firewall rules on each device.

After all my research, I'm still running the same segmented network I was running before my overlay experiments. But I would like to give some praise to both Nebula and Yggdrasil. IMHO, these are the two most existing projects coming out of this space right now.

0 comments

2 comments · 1 top-level

ElectricalUnion4y ago· 1 in thread

> Second, and far more important, meshing all your devices into a single flat network is dangerous. There is a reason why networks are designed with isolation strategies. Introducing an overlay into your networks breaks down these barriers for you, but also for an attacker.

What prevents you from meshing the individual services on a per-need basis? The fact that they're overlays makes them even more convenient for such isolation.

> The only overlay network that has built in firewall capabilities is Nebula.

Are those built in firewall capabilities really missing from the other networks?

As far as I know, ZeroTier is more of a SDN that an simple overlay (That's what made me interested in ZeroTier in the first place). If conventional "L4 transport-layer" firewall/routing capabilites are enough for real networks, then ZeroTier SDN capabilities are probably enough for it's virtual networks. Granted, it doesn't have some nice built-in high-level generic "L7 application-level" firewall capabilities, but I don't trust those in the first place.

discardedrefuseOP4y ago

I'm not suggesting overlay networks are useless (Slack uses it to connect thousands of machines around the world!). My comment is aimed at the self-hosting community using them as a VPN replacement for remote management / access. I don't see how they are any better than VPNs for this. They're probably worse once you start connecting all the devices you aim to remotely manage into a flat network (mixing internet facing devices that should be DMZ'd with internal devices).

j / k navigate · click thread line to collapse