
Wireguard vs Zerotier for remote access, which is more secure?

Advice

Hey all, I am trying to establish a VPN tunnel between my router and various endpoint devices (mainly my two Android phones). My router has the built-in ability to spin up a WireGuard server, to which I can connect via the Android apps on my phone. I also know that ZeroTier is available as a package for the router.

My question is which would you rather use? The issue is security; I'd prefer the method that is more secure. With the WireGuard server there is an option to allow access to the local network, which I would like to turn on so that I can see some shared drives and other resources that are behind the router. Presumably this reduces the security of the tunnel? At least that's what I've been told; I don't know why this is the case though. With the ZeroTier package, there's no distinct option to expose LAN clients, but you can add managed routes to allow remote devices to access clients that are behind the router on which ZeroTier is installed.

So my question is, is there really a difference here? In terms of security? What risks do I need to be aware of?


> With the WireGuard server there is an option to allow access to the local network, which I would like to turn on, so that I can see some shared drives and other resources that are behind the router. Presumably this reduces the security of the tunnel?

The point of a VPN is to connect to the network. It doesn't do anything for the security of the tunnel. Good or bad. You WANT to have local access. That's the point. I don't see how this affects security in any way.

> With the ZeroTier package, there's no distinct option to expose LAN clients, but you can add managed routes to allow remote devices to access clients that are behind the router on which ZeroTier is installed.

Which is effectively the same exact thing.

> So my question is, is there really a difference here? In terms of security?

No. None.

If you want to get pedantic, ZeroTier is riskier because you're relying on a third-party connection (the ZeroTier network) to connect. Basically you're connecting to their service and then to your network, using their network as a virtual "switch" connecting them.
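To make concrete what the "allow access to the local network" option actually changes, here is an added example (not from the thread or from any router vendor) of wg-quick style configs for the router and one phone, as two separate files. All keys and addresses are constructed placeholders; the example assumes a LAN of 192.168.1.0/24 and a tunnel subnet of 10.8.0.0/24.

```ini
# --- File 1: router side (the WireGuard "server") ---
[Interface]
Address = 10.8.0.1/24
ListenPort = 51820
PrivateKey = <ROUTER_PRIVATE_KEY>          # placeholder

# One [Peer] block per phone. AllowedIPs on this side is WireGuard's
# cryptokey routing: inner packets arriving under this peer's key are
# accepted only if their source is 10.8.0.2, and only traffic destined
# to 10.8.0.2 is ever encrypted to this peer. Exposing the LAN does not
# loosen this binding; a phone cannot spoof another peer's tunnel address.
[Peer]
PublicKey = <PHONE_A_PUBLIC_KEY>           # placeholder
PresharedKey = <PER_PEER_PSK>              # optional extra symmetric layer
AllowedIPs = 10.8.0.2/32

# --- File 2: phone side (client) ---
[Interface]
Address = 10.8.0.2/32
PrivateKey = <PHONE_A_PRIVATE_KEY>         # placeholder
DNS = 192.168.1.1                          # assumed: router is LAN resolver

[Peer]
PublicKey = <ROUTER_PUBLIC_KEY>            # placeholder
PresharedKey = <PER_PEER_PSK>              # must match the router side
Endpoint = <ROUTER_PUBLIC_HOSTNAME>:51820  # placeholder
# "Allow access to the local network" is this line. The handshake, keys
# and authentication are identical either way; only the set of
# destinations the phone routes into the tunnel changes.
# Split tunnel: reach the router's tunnel subnet and the home LAN,
# everything else leaves the phone directly.
AllowedIPs = 10.8.0.0/24, 192.168.1.0/24
# Full-tunnel alternative (all phone traffic exits via the home router):
# AllowedIPs = 0.0.0.0/0, ::/0
PersistentKeepalive = 25
```

Which LAN hosts and ports the phone may then reach is a router firewall decision on the wg interface, not a tunnel-security one; a least-privilege rule set there is the place to narrow access to just the file shares.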

Ty, this really lays it out for me, I'll prob try WG first

I'd argue there is definitely more risk with ZeroTier: you are relying on them keeping their "moon" safe and secure, and if someone manages to get into the web interface for your ZeroTier instance, they could add whatever nodes they want to your network.

> My question is which would you rather use?

ZeroTier is less cryptographically secure than WireGuard, but not to the point where it's an issue. It's still secure enough.

However, no matter how you dice it, when you use ZeroTier you are allowing a third party to have control of what devices can join your network. They could have the most secure VPN tech in the world, but it's meaningless if someone gets onto their server and just adds a new device to your secured network.

For a router and just two other peers, the situation is simple enough to just use WireGuard, so I don't see why you'd bother with the extra risk of ZeroTier.

> With the WireGuard server there is an option to allow access to the local network, which I would like to turn on, so that I can see some shared drives and other resources that are behind the router. Presumably this reduces the security of the tunnel?

Not at all. You're secure.

> So my question is, is there really a difference here? In terms of security? What risks do I need to be aware of?

All addressed above.

GL, WG all the way IMO.

Ty, exactly what I needed to hear


I think u/flaming_m0e and u/zfa already covered a lot of valid points that I don't want to repeat :-)

One thing I just want to add is that, as far as I know, there is an option to host the ZeroTier infrastructure yourself, so you aren't relying on a third party, which would improve the security.

Haven't looked into that myself yet, since I only heard of/noticed ZeroTier after MikroTik introduced it to their routers with v7 of their software. And I guess the OP is also using a MikroTik router from the way he writes it ;-)

Ty, yes I think you are right about self-hosted relays; I think they are called "Moons" in ZeroTier parlance. Sounds like a bit more work to set it up that way, so I'll prob try WG first; if that doesn't work, then ZT it is.

>You can host your own roots (previously called "moons") in addition to ZeroTier's, but we can't provide support for removing ZeroTier's roots (unless you are a large enterprise customer).

http://web.archive.org/web/20230502072514/https://docs.zerotier.com/self-hosting/introduction/
