vyos-1x
T6455: (Draft) Add Support for zerotier
Change Summary
This is a draft PR for adding ZeroTier support to VyOS
Types of changes
- [ ] Bug fix (non-breaking change which fixes an issue)
- [x] New feature (non-breaking change which adds functionality)
- [ ] Code style update (formatting, renaming)
- [ ] Refactoring (no functional changes)
- [ ] Migration from an old Vyatta component to vyos-1x, please link to related PR inside obsoleted component
- [ ] Other (please describe):
Related Task(s)
https://vyos.dev/T6455
Related PR(s)
Component(s) name
zerotier
Proposed changes
This feature request is for adding support for ZeroTier. Adding ZeroTier would provide bolt-on SD-WAN support for VyOS.
Implementation plan
Each configured ZeroTier interface will be run in a new ZeroTier process as a container. This is done for a number of reasons.
- Resource Utilization
  - Unless using ZeroTier, there will be no running processes or services to use system resources. A number of NOS are moving to this approach.
- Software Updates/Patching
  - Running in a container allows for easy updating of the software without needing to fully update VyOS. This is important if an upstream fix for a vulnerability is patched.
- Compatibility
  - Each interface can run as a different version for compatibility. For instance, if one version is better for remote-access VPNs, and another is better for site-to-site VPNs.
- Performance
  - Running services in parallel allows for great scaling of throughput using ECMP. The CPU scheduler can give unused cores directly to the process. This can allow for >40Gbps of encrypted throughput on relatively inexpensive hardware.
- Licensing
  - ZeroTier uses a BSL license. By running the software as a container, it pushes the requirement to acquire the software and adhere to all licensing on the user/operator, rather than the distro/maintainers. ZeroTier would not be bundled with VyOS; VyOS would simply expose configuration elements if the user wants and is allowed to run ZeroTier.
Naming of the containers will be vyos_created_zt. This is to prevent any potential naming conflicts with manual installations of ZeroTier.
Configuration
The configuration of ZeroTier's local.conf file will be fully supported in configuration syntax, including the creation of custom bonding policies.
```
vyos@vyos# set interfaces zerotier zt3
Possible completions:
+  allow-mgmt-from      Allow management from specified subnets
   allow-tcp-fallback   Allow falling back to TCP Relay if UDP fails
   api-key              ZT API key - DO NOT share
+  bind                 Bind ZeroTier to specified IP
   bonding-policy       Bonding policy to be applied
+> custom-policy        User created ZeroTier bonding policy
   description          Description
   force-tcp-relay      Disables UDP communication and forces TCP
+  interface-blacklist  Prevent binding of ZeroTier service to interfaces
   low-bandwidth-mode   Enable low-bandwidth-mode (limits control traffic)
   multipath-mode       Multipath load-balancing mode
+> network-config       Network specific ZeroTier config
   network-id           ZeroTier Network ID to join (required)
+> peer-config          10-digit hex
+> peer-specific-bonds  Apply bonding policies per peer
   primary-port         Primary port for ZeroTier service (required)
   secondary-port       Secondary port for ZeroTier service
   tcp-relay            Define the IP/Port of a TCP Relay
   tertiary-port        Tertiary port for ZeroTier service
   version              Version of ZeroTier to use (required)
```
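As an added illustration (not code from this PR or from VyOS), the following shows how a config-mode script could validate the nodes above and render them into the `settings` section of a ZeroTier `local.conf`. The local.conf key names are assumed from my reading of ZeroTier's documentation, the input layout mirrors how VyOS hands a config subtree to a script as a dict, and the refusal of a 0-length prefix in `allow-mgmt-from` is an example policy, not something the PR specifies.

```python
import ipaddress
import re

# Assumed mapping from the proposed CLI nodes to local.conf "settings" keys.
SETTINGS_MAP = {
    "primary-port": "primaryPort",
    "secondary-port": "secondaryPort",
    "tertiary-port": "tertiaryPort",
    "allow-tcp-fallback": "allowTcpFallbackRelay",
    "force-tcp-relay": "forceTcpRelay",
    "tcp-relay": "tcpFallbackRelay",
    "low-bandwidth-mode": "lowBandwidthMode",
    "multipath-mode": "multipathMode",
    "bonding-policy": "defaultBondingPolicy",
    "allow-mgmt-from": "allowManagementFrom",
    "bind": "bind",
    "interface-blacklist": "interfacePrefixBlacklist",
}
BOOL_NODES = {"allow-tcp-fallback", "force-tcp-relay", "low-bandwidth-mode"}
PORT_NODES = {"primary-port", "secondary-port", "tertiary-port"}
NETWORK_ID = re.compile(r"^[0-9a-f]{16}$")  # 16 hex digits


def render_local_conf(iface: dict) -> dict:
    """Validate one 'interfaces zerotier ztN' subtree and build local.conf."""
    for required in ("version", "primary-port", "network-id"):
        if required not in iface:
            raise ValueError(f"{required} is required")
    if not NETWORK_ID.match(iface["network-id"]):
        raise ValueError("network-id must be 16 hex digits")
    settings = {}
    for node, key in SETTINGS_MAP.items():
        if node not in iface:
            continue
        val = iface[node]
        if node in BOOL_NODES:
            settings[key] = True  # valueless node: presence means enabled
        elif node in PORT_NODES:
            port = int(val)
            if not 1 <= port <= 65535:
                raise ValueError(f"{node}: port {port} out of range")
            settings[key] = port
        elif node == "allow-mgmt-from":
            nets = [ipaddress.ip_network(n) for n in val]  # strict CIDR only
            if any(n.prefixlen == 0 for n in nets):
                raise ValueError("allow-mgmt-from must not be a default route")
            settings[key] = [str(n) for n in nets]
        elif node == "bind":
            settings[key] = [str(ipaddress.ip_address(a)) for a in val]
        else:
            settings[key] = val
    # api-key is intentionally never copied into local.conf
    return {"settings": settings}
```

The `version` node is validated but not rendered, since under this plan it selects the container image rather than a local.conf setting.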
Op Mode
The following op mode commands will be added:
```
show interfaces zerotier
show interfaces zerotier <interface>
show interfaces zerotier <interface> networks
show interfaces zerotier <interface> peers
show interfaces zerotier <interface> peers-all
show interfaces zerotier <interface> peers-detail
show interfaces zerotier <interface> metrics accepted-packets
show interfaces zerotier <interface> metrics errors
show interfaces zerotier <interface> metrics latency
show interfaces zerotier <interface> metrics packet-types
show interfaces zerotier <interface> metrics peer-packets
show interfaces zerotier <interface> metrics peer-packet-errors
show interfaces zerotier <interface> metrics protocols
show interfaces zerotier <interface> bonding
show interfaces zerotier <interface> bonding <node id>
restart zerotier <zt interface>
zerotier interface <interface> orbit <root id>
zerotier interface <interface> allow-default enable/disable
zerotier interface <interface> allow-managed enable/disable
zerotier interface <interface> allow-global enable/disable
zerotier interface <interface> bonding-failover <node id>
zerotier restore <backup file>
```
How to test
Smoketest result
Checklist:
- [x] I have read the CONTRIBUTING document
- [ ] I have linked this PR to one or more Phabricator Task(s)
- [ ] I have run the components SMOKETESTS if applicable
- [x] My commit headlines contain a valid Task id
- [x] My change requires a change to the documentation
- [ ] I have updated the documentation accordingly