comparison-of-self-meshing-vpns.md 7.2 KB
layout: page title: Comparison of self-meshing VPNs permalink: /blog/comparison-of-self-meshing-vpns/ keywords: vpn,self-meshing,mesh,tinc,n2n,tailscale,zerotier,nebula description: In this blog post, I'll review various self-meshing VPN solutions such as Tinc, n2n, or Zerotier and take a look at which ones are ready for use on a Virtual Internet Exchange Point (VIXP). lang: en date: 2023-12-13 00:00:00 +0100
feed: true
SERNET has been operating SERNET-IX for some time now. This provides a new type of virtual internet exchange point (VIXP). Instead of all participants connecting to a centralized server, modern technology makes it possible for participants to connect to each other automatically. This creates a large Ethernet switch. The operator of the VIXP then only has to provide the route server (RS) and the coordinator for this technology.
There are various modern solutions for self-meshing networks - unfortunately not all of them are usable (according to my criteria). I have therefore looked at some of these technologies and compared them with each other.
| Criteria | Tinc (There Is No Cabal) | n2n | Tailscale/Headscale | Zerotier | Nebula |
|---|---|---|---|---|---|
| License | GPL-2.0 | GPL-3.0 | BSD | BSL (proprietary) | MIT |
| Free software | Yes | Yes | Yes | No | Partly |
| Android support | Yes | Yes (uses proprietary component) | Yes | Yes | Yes (source-available, no free software) |
| - In F-Droid | Yes | No | Yes | No | No |
| - In IzzyOnDroid | No | No | No | Yes | No |
| Windows support | Yes | Yes | Yes | Yes | Yes |
| Linux support | Yes | Yes | Yes | Yes | Yes |
| - In Arch Linux | Yes | Yes | Yes | Yes | Yes |
| - In Debian packages | Yes | Yes | No | No | Yes |
| - In Alpine Linux | Yes | Yes | Yes | No | Yes |
| Centralized server | No | Yes | Yes | Yes | Yes |
| Federated server | - | Yes | No | No | Yes |
| Self hosting of the server | - | Yes | with headscale | Yes | Yes |
| Dezentalized | Yes | Yes | No | No | Yes |
| Authentication and encryption methods | RSA/Blowfish/SHA-1 (Legacy), TLS1.2-Like Ed25519/AES-256-CTR/SHA-256 (SPTPS) | Various, including AES-256-CTS or ChaCha20 | WireGuard | Curve25519/Ed25519, Salsa20/Poly1305 | Curve25519, AES-256-GCM |
| - perfect forward secrecy (PFS) | Yes (SPTPS) | ? | Yes | No? | ? |
| Tunnel | Layer 2/3 | Layer 2 | Layer 3 | Layer 2 | Layer 3 |
| Tunnel over | TCP/UDP | TCP/UDP (IPv4-only) | UDP | UDP | UDP |
| Full IPv6-Support | Yes | No | Yes | Yes | Yes |
| Full IPv4-Support | Yes | Yes | Yes | Yes | Yes |
Since a table with a lot of entries quickly becomes ugly, here are a few remarks:
- Tinc fulfills many criteria, but is no longer being actively developed. The main developer still processes pull requests, but is no longer actively working on the code itself due to time constraints. Issues are therefore only sporadically processed or fixed.
- Tinc version 1.0 uses a cryptography system that is not modern. In the new pre-release version, Tinc uses the specially developed SPTPS protocol, which even implements PFS. The development of the pre-release version Tinc 1.1 has been going on for a very long time. Tinc 1.1 is in almost no official package sources. It can be obtained from Alpine Linux via the community repository or from Arch Linux via AUR.
- n2n can only transport data via IPv4. This makes it impossible for IPv6-only nodes to participate in an n2n network.
- n2n also has an Android app. This is itself under a free license, but includes many non-free, privacy-unfriendly components.
- The Tailscale Client itself is free software. However, the actual Tailscale server is proprietary. However, an alternative server implementation is available under the name headscale.
- Tailscale also has an Android app, which is even available in F-Droid. Unfortunately, the app has an anti-feature - it sends debug logs to the developers without consent.
- Zerotier was available for some time under the GPL 3 license. However, the developers have changed to the proprietary BSL license. It allows the use of Zerotier for non-commercial or non-profit purposes.
- Nebula is unfortunately only partially free software. The Linux client is FLOSS and even in the Debian package sources. However, the Android app, which is produced by the same developers, is proprietary.
My criteria are actually quite simple:
- I want full IPv6 support. This is particularly necessary in networks like the dn42, where there are also IPv6-only networks.
- I want full IPv4 support. Although IPv4 is a legacy protocol, it is still used by many - including me - in the dn42.
- The VPN solution should use a fairly secure encryption. This can also include PFS. PFS means that if the long-term key for the connection is compressed, not all old connections can be subsequently decrypted.
- The software should be completely FLOSS. For me, this means preferably under a license that is recognized by both the FSF and the OSI. There are various reasons for this. In this context, it means above all that you can compile it yourself, the security can be audited independently and simple packaging for operating systems is possible.
- I mainly use Debian on my servers. Therefore, the software must be available for Debian. Since I don't just want to determine the freedom of the software myself, the software must also be in the official package sources.
- An Android app could be added as a bonus. However, this is not necessary, especially in the context of a VIXP, but would be more of a gimmick.
| Criteria | Tinc | n2n | Tailscale/Headscale | Zerotier | Nebula |
|---|---|---|---|---|---|
| Full IPv6-Support? | Yes | No | Yes | Yes | Yes |
| Full IPv4-Support? | Yes | Yes | Yes | Yes | Yes |
| Uses modern cryptography? | Yes | Yes | Yes | Yes | Yes |
| PFS? | Yes | ? | Yes | ? | ? |
| Is Free Software? | Yes | Yes | Yes | No | Yes |
| Is Fully FLOSS? | Yes | Yes | No | No | No |
| In Debian? | Yes | Yes | No | No | Yes |
In conclusion, it can be said that only Tinc in the pre-release version fully meets my criteria.