
This is painfully close to something that could be much better. Sadly this "p2p" system is strongly centralized. I cannot make a private network without ZeroTier's authorization. I cannot add nodes to a private network without ZeroTier's authorization. If ZeroTier servers fail or the company dies, the network goes with it. Because of the strong centralization, future viability of the network hinges on a single small company's continued existence. I cannot use this to build anything meaningful. It could only serve as a competitor to other VPN providers, not an improvement over the status quo.



It's almost completely open source[1]. The only component that isn't open is the web interface itself, but there's complete documentation on the internal data structures, how to run a super node, and how to reconfigure the clients to serve up those super nodes instead of the ZT-provided ones.

[1]: https://github.com/zerotier/ZeroTierOne


I'm rather happy about that, it saves me a lot of work. I've already cloned the repo on GitHub (and a few local machines). Essentially I currently plan on unwrapping their administration system and switching to a shared secret model.


If you're interested in a more open system that can be used as a VPN, I recommend cjdns: https://github.com/cjdelisle/cjdns

It was a breeze to set up. I've been using it as a VPN to connect all my boxes and ssh to my machines that are behind NAT, and it's been very reliable. And, if I want, I can connect my boxes to the big cjdns mesh network "Hyperboria" and do my part for promoting a decentralized internet.


I really like CJDNS, but it is more suitable to run on real routers than to use for virtual networking. Its overlay network and routing do not take into account real latency or congestion of the rest of the internet.


Look at the netconf-master/ subfolder -- you can make private networks without using the web UI. But it's hard right now. It'll probably be made easier in the future.

As far as pure decentralization goes: that's very hard, much harder than NAT-t and cryptography. I've prioritized zero-configuration instant-on and performance because that's what 95% of users want.

Here's a personal post I wrote on the difficulty:

http://adamierymenko.com/decentralization-i-want-to-believe/



Yep. It pulls the actual config from a Redis database.

A 16-digit (64-bit) network ID consists of two parts: the 40-bit ZeroTier address of the node responsible for serving network configuration to members, and an arbitrary 24-bit network ID. When you join a network it just queries the netconf master for the network configuration. It's pretty simple. That's why all the network IDs you create at zerotier.com right now begin with the same 10-digit hexadecimal number. That's the ID of the node responsible for them and there's only one right now (though it's set up to fail over to another server, so it is fault tolerant).

BTW... network configuration servers can go down and networks will keep working. You just can't change their configuration. So it's also fault tolerant in that way.
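
The network ID layout described in the comment above, as an added example that is not part of the original thread or ZeroTier's code: it splits an ID into the 40-bit netconf master address and the 24-bit network number, then reports which joined networks depend on a netconf master outside a trusted set. The sample IDs, function names and trusted list are constructed for illustration.

```python
import re
from collections import defaultdict

# Exactly 16 hexadecimal digits = 64 bits.
_NWID_RE = re.compile(r"[0-9a-fA-F]{16}")

# Constructed sample IDs (not real networks).
SAMPLE_NETWORKS = ["0123456789abcdef", "0123456789000001", "fedcba9876000002"]


def parse_network_id(nwid):
    """Return (netconf master address as 10 hex digits, 24-bit network number)."""
    nwid = nwid.strip()
    if not _NWID_RE.fullmatch(nwid):
        raise ValueError(f"not a 16-digit hexadecimal network ID: {nwid!r}")
    value = int(nwid, 16)
    master = value >> 24          # upper 40 bits: address of the netconf master
    number = value & 0xFFFFFF     # lower 24 bits: arbitrary network number
    return f"{master:010x}", number


def group_by_master(nwids):
    """Map each netconf master address to the network numbers it serves."""
    groups = defaultdict(list)
    for nwid in nwids:
        master, number = parse_network_id(nwid)
        groups[master].append(number)
    return dict(groups)


def untrusted_networks(nwids, trusted_masters):
    """List network IDs whose configuration comes from a master not in the trusted set."""
    trusted = {m.lower() for m in trusted_masters}
    return [n for n in nwids if parse_network_id(n)[0] not in trusted]


if __name__ == "__main__":
    for master, numbers in group_by_master(SAMPLE_NETWORKS).items():
        print(master, [f"{n:06x}" for n in numbers])
    print("outside trusted set:", untrusted_networks(SAMPLE_NETWORKS, ["0123456789"]))
```

Grouping a node's joined networks this way shows how many of them share one netconf master as their single source of configuration changes.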



