Comments


cyberflunk t1_iqvpvdp wrote

I think it'd be good for this kind of application to explain the differences between a mesh network (like tailscale/headscale/etc) and a zero trust platform.

I find that it's confusing for most people,

I'd write it up, but I don't have a firm grasp on ZT to do it justice.

12

PhilipLGriffiths88 t1_iqvvigj wrote

Here is one I am working on looking at Wireguard and OpenZiti (comments very appreciated):

Wireguard is a better VPN. It is more secure, easier to use and set up, and delivers much better performance than many other VPNs. Its design principles make it easy to set up full mesh networks of connected machines by being ‘default-open’. Wireguard is also fully open source and self-hosted. Wireguard creates P2P connections using UDP and STUN, so inbound firewall ports are not needed. Wireguard can be tricky to manage at scale due to key management and the large number of P2P tunnels that need to be maintained, and UDP sometimes being blocked. For this reason, many companies have created their own SaaS implementations of Wireguard, including Tailscale, Netbird, Netmaker and more. These are a mixture of proprietary and open source.

OpenZiti can be a better VPN while being designed to do much more. Rather than connecting machines, it cares about connecting "services" with zero trust networking concepts, including least privilege, micro-segmentation, and attribute-based access (though you can also set up a whole CIDR if you want). OpenZiti also uses the embedded identity to build outbound-only connections into a mesh (think Cloudflare tunnels), so we can close all inbound ports. This can all be surmised as Wireguard being 'default-open' whereas ZT is 'default-closed'. Wireguard is normally combined with a firewall to deliver ACLs and network segmentation controls.

Whereas Wireguard uses UDP and hole punching, OpenZiti uses TCP and a mesh overlay (with the outbound only at source and destination). This is how Tailscale implements Wireguard to ensure it works easily in all situations. It also allows you to control the internet routing and provide higher redundancy, resiliency, and control for routing traffic according to policy (e.g., low latency or geo-restrictions). All of this is open-source and native to OpenZiti, not in Wireguard.

Due to OpenZiti's use of identity in the endpoints and fabric for routing, you also get a private DNS and unique naming (e.g., send from IoT endpoint service to IoT server rather than from 192.xxx.xxx.xx to 100.xxx.xxx.xx). This also means we do not need to use floating or static IPs, can easily handle overlapping, and have no need for port forwarding.

Finally, where it really differentiates is that with OpenZiti you can start with "network-based zero trust" (installing a router in private IP space) and progress to "host-based zero trust" (using an agent/tunneller); it also has a suite of SDKs to embed in apps themselves for "application-based zero trust". This allows it to run in clientless, serverless, confidential computing, unikernel and more. It also means an application does not even need to trust the underlying host network or know the port/IP.

P.S., Wireguard gets a lot of well-deserved love! OpenZiti uses the Windows TUN (WinTun) that the Wireguard project made as (at least) part of our Windows tunneler. Thanks, Wireguard!

11
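To make the 'default-open' vs 'default-closed' contrast from the post above concrete, here is an added toy policy engine (not OpenZiti's or Wireguard's own code). The selector syntax ("#tag" for a role attribute, "@name" for a single entity) and the inventory are assumptions constructed for this example.

```python
# Added example (not OpenZiti's own code): a toy policy engine contrasting a
# "default-open" mesh with "default-closed" identity/attribute-based access.
# Selector syntax is an assumption: "#tag" = role attribute, "@name" = one entity.
from dataclasses import dataclass

@dataclass(frozen=True)
class Entity:
    name: str
    roles: frozenset = frozenset()

@dataclass(frozen=True)
class DialPolicy:
    identity_sel: tuple   # selectors for who may dial
    service_sel: tuple    # selectors for what they may dial

def _matches(entity, selectors):
    return any((s.startswith("#") and s[1:] in entity.roles) or
               (s.startswith("@") and s[1:] == entity.name) for s in selectors)

def may_dial(identity, service, policies):
    """Default-closed: deny unless some policy selects both identity and service."""
    return any(_matches(identity, p.identity_sel) and _matches(service, p.service_sel)
               for p in policies)

def zt_reachable(identity, services, policies):
    """Services this identity is authorized to dial (least privilege)."""
    return sorted(s.name for s in services if may_dial(identity, s, policies))

def mesh_reachable(identity, services, deny=frozenset()):
    """Default-open: every peer is reachable unless a firewall rule denies it."""
    return sorted(s.name for s in services if (identity.name, s.name) not in deny)

# Constructed sample inventory for the example.
IDENTITIES = {
    "sensor-01": Entity("sensor-01", frozenset({"iot-device"})),
    "laptop-alice": Entity("laptop-alice", frozenset({"admin"})),
    "contractor": Entity("contractor"),   # enrolled, but granted no role yet
}
SERVICES = (
    Entity("iot-server", frozenset({"iot-backend"})),
    Entity("admin-ssh", frozenset({"mgmt"})),
)
POLICIES = (
    DialPolicy(("#iot-device",), ("#iot-backend",)),
    DialPolicy(("#admin",), ("#iot-backend", "#mgmt")),
)
```

The role-less contractor reaches nothing under the default-closed policies, but reaches every peer in the default-open mesh until a firewall rule is added per pair.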

dovholuknf OP t1_iqvvv4r wrote

100% agree! We just "need to get it done". It's been on our doc issue list for a while. https://github.com/openziti/ziti-doc/issues/74

A whole suite of comparisons is coming too and it's also in the same "we just need to get it done" bucket.

6

cylindrical_ t1_iqy297d wrote

I'd love to read it! My first thought when seeing OpenZiti was "hmm, how does this compare to boring proxy?" Then immediately realized that I might not know enough about the difference between a mesh net and a zero trust platform.

1

dovholuknf OP t1_iqy6tka wrote

OpenZiti vs BoringProxy has some similarities for sure. The simplest OpenZiti deployment is similar to a boring proxy deployment. The main differences will be that the listening ports "on the network" are going to be from the OpenZiti edge-router which will authenticate before allowing any connection using a strong x509 identity (not a token) and then after that the same identity can be authorized to access one or more services. That's one killer difference to me. There are lots of other things OpenZiti is doing that boringproxy isn't trying to as well. I filed an issue to do a comparison to that some day: https://github.com/openziti/ziti-doc/issues/176. Thanks for the idea! :)

Boringproxy doesn't seem to me to purport to be a mesh network. OpenZiti is a mesh network (a zero trust mesh network). That means that all the components use mutual TLS (mTLS) to connect to one another. Each node has its own identity as well. We'll write it up soon, hopefully.

Thanks for the interest, I was terse here but I'd be happy to answer other questions if you have any.

-- EDIT: -- I totally forgot that OpenZiti is very different insofar as it's trying to get those zero trust principles into applications themselves. That means there's a bunch of SDKs you can use to embed into "your own" applications. I can't leave that out of any comparison - even if the comparison is terse!!! :)

2

dovholuknf OP t1_iqvifdm wrote

I am a dev on this project and I personally think that all applications will have zero trust principles baked into them soon enough, if not with OpenZiti then with some other SDK/overlay (but clearly I'm hoping OpenZiti is the choice). I just found this sub and thought that y'all might think this is a cool project. There's a lot to the project but I think it's really cool stuff - you might too. :)

6