ZeroTier
ZeroTier is a software-defined networking (SDN) platform that creates secure virtual private networks (VPNs), allowing devices worldwide to connect as if on a single local network without relying on traditional hardware infrastructure.[1] It provides end-to-end encrypted, peer-to-peer connections that are resilient to network disruptions, can be deployed in minutes via a centralized management dashboard, and scales from small teams to enterprise operations supporting up to 10,000 devices.[1]

Founded in 2013 by Adam Ierymenko as an open-source side project, born from frustration with inefficient networking in a U.S. government initiative, ZeroTier quickly expanded with ports to major operating systems including Windows, macOS, iOS, and Android, alongside its first managed service (Central) and its first paying users.[2] The platform gained momentum during the COVID-19 pandemic with a 20% monthly usage surge. It secured angel investment in 2019 and, in 2024, Series A funding from Battery Ventures and Bonfire Ventures, which supported its growth to over 2.5 million daily active devices across more than 230 countries as of 2024.[2] By 2024, Andrew Gault had assumed the role of CEO, with Ierymenko serving as CTO, leading a team that includes CCO Robert Stevenson and Head of Engineering Jules Petrarca.[2]

ZeroTier's defining features include its hardware-agnostic approach, which uses software for direct device-to-device communication to improve privacy and performance, and its compatibility across environments such as IoT devices, cloud services, and edge computing.[1] It supports use cases in sectors including defense, banking, education, and IoT, with applications ranging from military radios to Bitcoin hardware wallets, and is used by over 5,000 business customers including Volvo, Thales, and Keysight.[1][2]

History
Founding
The ZeroTier project originated in 2011 as a personal coding project by Adam Ierymenko, driven by frustrations with slow and manual networking processes during work on a U.S. government initiative.[2][3] Ierymenko, an experienced software developer, sought to address these limitations by developing a more efficient alternative for seamless device connectivity.[2] The initial motivation was to create an effortless software-defined networking (SDN) solution enabling direct peer-to-peer connections between devices, avoiding the configuration complexities and overhead of traditional virtual private networks (VPNs).[2][4] This approach emphasized simplicity, privacy, and decentralization to simplify global networking for users from individuals to enterprises.[2]

Over the next two years, Ierymenko developed it in spare time, leading to the project's first open-source release in 2013, humorously noted as launched with help from his newborn daughter pressing enter.[2] As an open-source project from its debut, ZeroTier attracted interest from the technology community for its innovative virtual networking.[2] The project was based in Irvine, California.[5] ZeroTier, Inc. was incorporated on March 3, 2015.[6] It received its first seed funding of $492,000 on March 19, 2015.[7] Angel investment followed in 2019.[2]

Development Milestones
ZeroTier One, the core client software, achieved its first open-source release in 2013, establishing it as a portable application for creating and connecting to virtual networks across platforms.[2] In the mid-2010s, ZeroTier introduced Central, a web-based controller interface to streamline network management, allowing remote configuration, monitoring, and device authorization without manual scripting. The 1.2.x series of updates, rolled out between 2017 and 2018, included enhancements to the protocol such as improved path selection for better NAT traversal behind firewalls and support for multicast traffic via replicators for efficient group communications.[10]

The company raised a $2 million seed round on February 17, 2021, co-led by Anorak Ventures and Bonfire Ventures, to support expansion.[8][9] During the COVID-19 pandemic, ZeroTier experienced a 20% monthly usage surge.[2] In July 2024, ZeroTier secured $13.5 million in Series A funding led by Battery Ventures, with participation from Bonfire Ventures and others, and transitioned to a usage-based pricing model with the ZeroTier Essential package, scaling costs by active device count and replacing fixed-tier subscriptions.[11][9] Also in 2024, Andrew Gault became CEO, with Ierymenko transitioning to CTO.[2] As of 2025, ZeroTier continued advancements in IoT integration and edge computing support.[12]

Overview
Purpose and Functionality
ZeroTier is a virtual network platform designed to enable devices worldwide to communicate as if they were connected to the same local area network (LAN), overcoming barriers such as physical distance and firewalls. By leveraging software-defined networking principles, it creates secure, encrypted connections that mimic traditional Ethernet environments, allowing seamless integration of endpoints like computers, servers, mobile devices, and embedded systems. This approach supports global private networks at any scale, with end-to-end encryption ensuring data privacy without requiring hardware changes or complex configurations.[13]

At its core, ZeroTier functions as a smart, programmable Ethernet switch deployed over the internet, forming flat overlay networks that facilitate direct device-to-device interactions. These virtual switches support applications including remote access to resources, Internet of Things (IoT) device management, multiplayer gaming, and peer-to-peer file sharing, by providing low-latency, multicast-capable connectivity akin to a physical LAN. The platform accommodates unlimited network sizes through 64-bit network identifiers and enables bridging between physical interfaces (such as wired LANs or WiFi) and virtual ones, allowing hybrid environments where local and remote segments operate as a unified whole.[14][13]

In contrast to traditional virtual private networks (VPNs), ZeroTier eliminates dependency on central servers for data routing, instead prioritizing peer-to-peer overlay networks that minimize latency and avoid single points of failure or cloud-based bottlenecks. This design emphasizes zero-trust principles with cryptographic device identities for authentication, enabling scalable, self-hosted deployments without the operational overhead of conventional VPN infrastructures.[13]

Key Advantages
ZeroTier offers significant ease of setup through its zero-touch deployment model, where users simply generate a 16-digit Network ID via the web-based controller and share it with devices to join the virtual network without manual configuration or port forwarding. This approach leverages automatic NAT traversal and peer-to-peer connection establishment, enabling rapid onboarding in minutes even for non-expert users.[15][16]

The platform's cross-platform compatibility extends to a wide array of devices and operating systems, including desktops running Windows, macOS, and Linux; mobile devices on iOS and Android; servers; virtual machines; and embedded systems such as routers, NAS devices, and IoT hardware on FreeBSD or OpenWRT. This broad support ensures seamless integration across heterogeneous environments without requiring specialized hardware or custom adaptations.[17][18]

ZeroTier enhances network resilience via its peer-to-peer model, which includes automatic failover to alternative paths during connection disruptions and multipath routing, making it suitable for low-latency real-time applications like video streaming or remote control. By optimizing direct device-to-device links and using relay servers only as needed, it maintains consistent performance even in unstable or firewalled networks.[19][20]

In terms of cost-effectiveness, ZeroTier provides a free Basic plan supporting up to 10 devices total across networks (or 25 for legacy accounts created before July 2024) for personal or small-scale use, with scalable paid tiers for enterprises that avoid the need for dedicated VPN hardware, reducing infrastructure costs while accommodating growth from dozens to thousands of devices. This model supports infinite scalability without proportional hardware investments, appealing to organizations seeking efficient resource allocation.[21][11]

Common use cases for ZeroTier include homelabs for secure device interconnection without exposing ports to the public internet; remote work setups enabling employees to access corporate resources as if on a local LAN; secure IoT meshes that connect sensors and edge devices across distributed locations; and decentralized applications requiring reliable, private overlay networks for data sharing among peers. These applications benefit from ZeroTier's role as a software-defined global Ethernet switch, simplifying connectivity in scenarios where traditional networking falls short.[1][22]

Technical Architecture
Protocol Overview
ZeroTier functions as a distributed network hypervisor that virtualizes Ethernet services across both local and wide-area networks, leveraging a cryptographically secure global peer-to-peer (P2P) network to enable seamless device connectivity without traditional VPN configurations.[14] This architecture combines a layer 1 transport protocol (VL1) for secure P2P communication with a layer 2 Ethernet emulation (VL2), similar to VXLAN, ensuring end-to-end encryption using Curve25519 for key exchange, Ed25519 for signatures, the 256-bit Salsa20 stream cipher, and Poly1305 authentication.[14] The system supports the creation of virtual LANs (VLANs) through 64-bit network identifiers, allowing multiple isolated networks to coexist on the same infrastructure.[14]

At its core, the ZeroTier wire protocol encapsulates standard Ethernet frames within UDP packets for transmission over IP networks, facilitating the transport of layer 2 traffic across disparate physical links.[14] This encapsulation preserves the original Ethernet headers, including MAC addresses, enabling applications to operate as if connected to a single local broadcast domain. VLAN support is integrated via the network ID, which tags frames to segregate traffic across virtual segments, preventing interference between different logical networks.[14] All communications are encrypted end-to-end, with optional forwarding through relay nodes when direct P2P paths are unavailable because of firewalls or NAT traversal challenges.[14]

The network topology employs a leaf-root model, where a small set of root servers—typically four globally distributed, stable nodes operated by ZeroTier, Inc.—manage node identities and authentication, while leaf nodes (end-user devices) and peer nodes handle the bulk of routing and data forwarding.[14] Each node is assigned a unique 40-bit ZeroTier address derived from its cryptographic identity, ensuring secure verification without relying on IP addresses. Roots validate memberships and distribute topology information, but they do not participate in routine data paths, to minimize latency; instead, peers establish direct connections for efficient routing.[14]

To emulate broadcast behaviors in this virtual environment, ZeroTier handles multicast, ARP, and NDP through optimized mechanisms that avoid flooding the entire network. Multicast traffic uses a publish/subscribe model with dedicated groups, converting broadcasts (such as Ethernet destination ff:ff:ff:ff:ff:ff) into targeted multicasts for better scalability. ARP requests are transformed into unicast or narrow-multicast operations, akin to IPv6 NDP, ensuring reliable resolution across wide-area links without excessive overhead. Similarly, NDP is emulated in IPv6 configurations (e.g., RFC 4193 or 6PLANE modes), where local nodes intercept and proxy queries to reduce multicast dependency and improve performance.[14]

Peer-to-Peer Model
ZeroTier employs a peer-to-peer (P2P) model to enable direct communication between devices, forming a virtual Layer 2 network that emulates Ethernet connectivity across disparate locations. At its core, the model relies on a two-layer architecture: Virtual Layer 1 (VL1) for secure P2P transport and Virtual Layer 2 (VL2) for Ethernet emulation. Devices, known as nodes, establish connections through cryptographic authentication and endpoint discovery, prioritizing direct links to minimize latency and bandwidth usage. This approach allows nodes to behave as if connected to the same local area network (LAN), supporting seamless multicast, ARP, and NDP operations without traditional infrastructure dependencies.[14]

Peer discovery and connection establishment begin with nodes contacting root servers—four global servers operated by ZeroTier, Inc., referred to as the "planet"—or user-defined supplementary servers called "moons" for enhanced reliability. These servers provide rendezvous messages containing connectivity hints, such as IP addresses and ports, enabling nodes to locate potential peers within the same virtual network. Once discovered, nodes attempt direct P2P links using UDP hole punching to traverse NATs and stateful firewalls; this transport-triggered process initiates when upstream packets prompt bilateral connection attempts between peers. If hole punching succeeds, traffic flows directly, optimizing for low latency. In cases of failure due to symmetric NATs or restrictive firewalls, the system falls back to relay mechanisms, where intermediate TCP relays (hosted by ZeroTier or self-deployed) forward traffic, ensuring connectivity albeit at reduced performance.[14][23][24]

Routing in the P2P model is dynamic, with VL1 employing a tree topology that collapses based on observed traffic patterns to select optimal paths, reducing reliance on central coordinators. Flow control is managed through the rules engine in VL2, which enforces stateless policies for traffic shaping and quality of service (QoS); for instance, rules can match IP Type of Service (TOS) fields to prioritize packets (MATCH_IP_TOS) or redirect flows (ACTION_REDIRECT) for intermediary processing, while capabilities distribute signed rule sets peer-to-peer to enable selective traffic allowance. This decentralized enforcement ensures efficient resource allocation without per-packet central intervention.[14][25]
The model's scalability supports networks with thousands of peers through minimal central coordination, leveraging decentralized credential propagation and configurable multicast limits to handle large-scale deployments like IoT ecosystems. For example, organizations such as Metropolis have connected thousands of devices across regions using ZeroTier's P2P fabric, achieving high performance with software-defined management via a central dashboard. This design maintains efficiency as network size grows, avoiding bottlenecks common in hub-and-spoke architectures.[14][22]
Core Components
Client
The ZeroTier One client serves as the primary software agent for endpoint devices, enabling secure virtual network connectivity by creating a virtual Ethernet interface that functions like a physical network port. This interface, often referred to as a "tap" device, appears as utun on macOS systems and tap on Windows, allowing applications to communicate over ZeroTier networks as if connected via a local Ethernet switch.[26][27]

ZeroTier One operates as a system service or daemon, requiring administrative privileges to manage network interfaces and handle peer-to-peer connections. It facilitates joining networks by using 16-digit hexadecimal network IDs, which clients authorize through a central controller before establishing encrypted tunnels. The software maintains a lightweight footprint, typically consuming minimal CPU and memory resources, making it suitable for resource-constrained environments such as virtual machines, containers like Docker, and embedded systems including IoT devices.[26][27]

Local configuration for the ZeroTier One client is managed through a JSON-formatted file named local.conf, located in the application's working directory (e.g., /var/lib/zerotier-one on Linux). Key options include specifying interface binding to particular IP addresses via the "bind" array to restrict listening on non-default interfaces, and enabling low bandwidth mode to reduce protocol overhead on metered connections by decreasing HELLO packet frequencies and other ambient traffic. Additionally, clients can orbit user-defined moons—sets of custom root servers—using the zerotier-cli orbit command, which appends these roots to the node's server pool for improved discovery and resilience without replacing default planetary roots.[26][28][29]

Controller
The ZeroTier controller serves as the central authority for managing virtual networks, functioning as the access control and configuration hub that admits members, issues identity certificates, and enforces network policies through defined configurations. It authorizes devices to join networks by validating their requests and distributing necessary credentials, ensuring only approved nodes participate in the virtual topology. Network policies, including traffic flow rules and IP address assignments, are defined at the controller level and propagated to clients for local enforcement, enabling granular control over connectivity and behavior within the network.[30]

ZeroTier offers two primary hosting options for controllers: a cloud-based service called Central, accessible via my.zerotier.com, and self-hosted deployments using open-source software. The Central service provides a managed, hosted environment where users can create and administer networks without infrastructure overhead, supporting scalability for organizations with multiple virtual networks. In contrast, self-hosting allows deployment on local servers or containers, such as Docker, leveraging the ZeroTierOne service's API for full control, though it requires manual setup and maintenance of the controller instance. Both options tie policies to the controller's unique ZeroTier identity, using its first 10 hexadecimal digits as the network identifier prefix.[30][31][32]

Key features of the controller include a web-based user interface in the Central hosted option for intuitive member management, where administrators can authorize, deauthorize, or monitor devices in real time, assign static or dynamic IP addresses from defined pools, and configure flow rules to filter traffic based on criteria like ports, protocols, or member tags. As of November 2025, the Central update introduced Relationship-Based Access Control (ReBAC), enabling more advanced hierarchical and policy-based access management.[33] Flow rules, written in a domain-specific language, allow policies such as accepting TCP traffic on specific ports (e.g., accept ipprotocol tcp and dport 22;) or restricting access by department tags (e.g., accept dport 139 or dport 445 and tdiff department 0;), enabling micro-segmentation and security without centralized routing. Self-hosted controllers achieve similar functionality through API endpoints, supporting up to 2^24 networks with JSON-based storage for configurations and Prometheus metrics for monitoring aspects like network count.[25][32]
The controller integrates with automation tools via its RESTful API, which supports programmatic creation, modification, and deletion of networks and members, facilitating integration with orchestration platforms like Kubernetes or Nomad for high-availability setups. Authentication occurs through an authtoken, and the API allows management of multiple networks simultaneously from a single controller instance, making it suitable for complex environments requiring scripted policy updates or bulk operations. Clients join controller-managed networks by orbiting the controller's node ID and requesting authorization, after which policies and certificates are issued.[32][34]
Root Servers
In ZeroTier, root servers known as "moons" serve as user-deployed, private alternatives or supplements to the public "planet" roots operated by ZeroTier, Inc., enabling organizations to achieve data sovereignty by hosting their own infrastructure for network identity and discovery without relying on centralized services.[23][14] These moons allow for custom network topologies, where users can define their own root set to control peer authentication and routing hints, thereby isolating traffic from the global ZeroTier ecosystem. By orbiting moons, nodes prioritize these private roots for operations, enhancing privacy and compliance in regulated environments.

Deployment of moons involves running them as standard ZeroTier nodes on servers with stable, publicly reachable IP addresses, with a recommendation of at least two for redundancy to mitigate single points of failure.[23] These nodes must maintain persistent uptime and low-latency connectivity, often hosted on affordable cloud providers such as DigitalOcean, Vultr, or Linode, while avoiding placement on the same physical hardware.[23] Once operational, the zerotier-idtool utility is used to initialize a moon world by generating a JSON definition file that includes the root nodes' endpoints, followed by signing it into a .moon file for distribution.[23]
Configuration centers on generating and distributing orbit files—the signed .moon files—that instruct client nodes to join the private root set, bypassing the need to interact with ZeroTier's central infrastructure.[23] Clients can orbit these moons by placing the file in their /var/lib/zerotier-one/moons.d/ directory and restarting the service, or via the zerotier-cli orbit <worldID> <moonAddress> command, with mobile or embedded devices often using base64-encoded URLs for automated joining.[23] This setup ensures nodes authenticate against the custom roots for peer discovery, forming a self-contained hierarchy.[14]
Moons are particularly suited for use cases requiring enterprise isolation, such as segregating sensitive corporate networks from public services; offline-capable setups in air-gapped environments, like military or industrial sites; and high-security deployments where full control over root operations prevents external data exfiltration risks.[23][14] For production-scale implementations, consultation with ZeroTier support is advised to optimize moon placement and scaling.[23]
Deployment and Usage
Installation Packages
ZeroTier provides official installation packages for a wide range of platforms, ensuring broad compatibility across desktop, mobile, and embedded systems.[18][35] For Linux distributions, ZeroTier offers DEB packages for Debian-based systems such as Ubuntu and Raspberry Pi OS, and RPM packages for Red Hat-based systems including CentOS, Fedora, and RHEL.[18][36] These can be installed via package managers like apt or yum/dnf after adding the official repository. A command-line installation method is also available using a curl script that automates the repository addition and package installation: curl -s https://install.zerotier.com | sudo bash.[36][37] Official binaries are digitally signed to verify authenticity and integrity during installation.[18]
On Windows, ZeroTier is distributed as MSI or EXE GUI installers, which support straightforward setup through a graphical interface and include signed executables for security.[18] For macOS, a DMG package provides a GUI installer compatible with versions 10.13 and later.[18] Mobile platforms are supported via dedicated apps: iOS users can download from the Apple App Store, while Android users access it through the Google Play Store, both functioning as VPN applications.[18][35]
Containerized environments are accommodated with an official Docker image available on Docker Hub (zerotier/zerotier), allowing ZeroTier to run within containers by granting necessary privileges for virtual network interfaces.[38] For embedded Linux systems like Raspberry Pi, installation follows the standard Linux DEB method or source compilation for ARM architectures.[18][36] Router firmware such as OpenWRT includes ZeroTier as an official package in its repositories, enabling integration on compatible devices.[39][40]
Version management in ZeroTier emphasizes manual upgrades alongside automated options where supported. On Linux, auto-updates can be configured through package managers like apt or yum after initial installation from the official repository.[36] For other platforms, updates typically involve downloading and running the latest installer package, with the client version verifiable via the command zerotier-cli -v.[18][41] While network controllers handle configuration propagation, client software upgrades remain primarily manual or package-manager driven to avoid disruptions.[42]
Network Configuration
To create a ZeroTier network, administrators log into the ZeroTier Central web interface at my.zerotier.com (redesigned as of November 2025),[43] navigate to the Networks tab, and click "Create a Network" to generate a unique 16-digit hexadecimal Network ID, such as d5e04297a16fa690.[15] This ID serves as the identifier for the virtual network, and the interface allows renaming the network and configuring basic settings like the IP subnet (defaulting to a /23 range, e.g., 10.147.17.0/23).[15] Once created, devices can join using this ID, but membership requires explicit authorization: in the Network Members panel, the controller checks the "Auth?" box for each pending node, which activates the connection and enables automatic assignment of managed IP addresses from the defined subnet (e.g., 10.147.17.1 to authorized devices).[15] Managed IPs are dynamically allocated via DHCP-like mechanisms within ZeroTier, ensuring conflict-free addressing across the virtual LAN without relying on external DHCP servers.[44]
On the client side, after installing the ZeroTier software, users join a network by running the command zerotier-cli join <NETWORK_ID> in a terminal (requiring administrator privileges on most systems, e.g., via sudo on Linux or macOS).[45] This command sends a join request to the controller associated with the Network ID, after which the device's node appears in the pending members list for authorization.[15] To verify status, administrators and users can use zerotier-cli listnetworks to list joined networks and their online/offline state, or zerotier-cli info to check the node's overall connectivity and version.[45] Once authorized, the virtual interface (e.g., ztxxxxxx on Linux) activates automatically, appearing as an Ethernet-like device with the assigned managed IP; if needed, it can be manually enabled with ip link set <interface> up on Linux systems.[15]
For advanced configurations, ZeroTier supports bridging the virtual interface to physical network interface cards (NICs) to extend the virtual LAN to legacy devices. On Linux, this involves creating a kernel bridge with tools like brctl (e.g., brctl addbr br0; brctl addif br0 ztxxxxxx; brctl addif br0 eth0; ip link set br0 up) or NetworkManager (nmcli con add type bridge ifname br0; nmcli con add type bridge-slave ifname ztxxxxxx master br0; nmcli con add type ethernet ifname eth0 master br0; nmcli con up bridge-br0), allowing traffic to flow seamlessly between ZeroTier peers and wired/physical segments.[46] The Maximum Transmission Unit (MTU) for the virtual interface defaults to 2800 bytes but can be customized in the network controller's Advanced settings (range: 1280–10000 bytes) to match physical network constraints and avoid fragmentation.[47] Integration with software-defined networking (SDN) tools like OpenWISP enables automated provisioning of ZeroTier tunnels on OpenWrt-based devices, where templates define network IDs, authorization rules, and IP assignments pushed via the OpenWISP controller API.[48]
Common troubleshooting issues include firewall blocks preventing peer discovery and direct connections, as ZeroTier relies on UDP port 9993 for initial handshakes; users should ensure this port is open inbound/outbound on host firewalls (e.g., ufw allow 9993/udp on Ubuntu) and NAT routers, or configure port forwarding if behind strict corporate firewalls.[49] Another frequent problem arises with private root servers (moons), where clients fail to orbit due to missing configuration files; to resolve, generate a signed orbit file using zerotier-idtool genmoon on the moon server, then apply it on clients by placing the .moon file in the moons.d directory (e.g., /var/lib/zerotier-one/moons.d/) and restarting the service, or via zerotier-cli orbit <MOON_ID> <WORLD_ID>.[23] If connectivity persists as relayed rather than direct, verify peer endpoints with zerotier-cli peers and test with ping across managed IPs after confirming authorization.[49]
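The post-join checks described in this section (authorization state from zerotier-cli listnetworks, direct versus relayed peers from zerotier-cli peers) can be scripted. The following is an added example, not ZeroTier's own tooling; it assumes the JSON field names that zerotier-cli -j emits (nwid, status, assignedAddresses and portDeviceName for networks; address, role and a paths list with active/preferred flags for peers), and the sample output embedded in it is constructed.

```python
"""Post-join health check over `zerotier-cli -j` output (added example).

Assumed JSON shapes: listnetworks -> [{"nwid", "status", "assignedAddresses",
"portDeviceName", ...}], peers -> [{"address", "role", "paths": [{"address",
"active", "preferred", ...}], ...}]. The samples below are constructed.
"""
import json
import shutil
import subprocess


def network_state(listnetworks_json, nwid):
    """Return (status, assigned addresses, interface name) for one network."""
    for net in json.loads(listnetworks_json):
        if net.get("nwid", net.get("id")) == nwid:
            return (net["status"], list(net.get("assignedAddresses", [])),
                    net.get("portDeviceName", ""))
    return "NOT_JOINED", [], ""


def classify_peers(peers_json):
    """Split LEAF peers into direct (at least one active path) and relayed.

    Roots (PLANET/MOON) are skipped; the interesting question for a user
    is which of their own peers are still going through a relay.
    """
    direct, relayed = {}, []
    for peer in json.loads(peers_json):
        if peer.get("role") != "LEAF":
            continue
        paths = peer.get("paths", [])
        active = [p["address"] for p in paths if p.get("active")]
        if active:
            preferred = [p["address"] for p in paths if p.get("preferred")]
            direct[peer["address"]] = preferred[0] if preferred else active[0]
        else:
            relayed.append(peer["address"])
    return direct, relayed


def report(listnetworks_json, peers_json, nwid):
    """Build the summary lines; returned (not just printed) so they can be tested."""
    status, addrs, dev = network_state(listnetworks_json, nwid)
    lines = [f"network {nwid}: {status} on {dev or '-'} addresses={addrs or '-'}"]
    if status == "ACCESS_DENIED":
        lines.append("  -> authorize this node in the controller's members panel")
    direct, relayed = classify_peers(peers_json)
    for addr, path in direct.items():
        lines.append(f"peer {addr}: DIRECT via {path}")
    for addr in relayed:
        lines.append(f"peer {addr}: RELAYED (check UDP 9993 / NAT on both sides)")
    return lines


def run_cli(*args):
    """Run `zerotier-cli -j <args>`; needs the local service and privileges."""
    cli = shutil.which("zerotier-cli")
    if cli is None:
        raise RuntimeError("zerotier-cli not found")
    return subprocess.run([cli, "-j", *args], check=True,
                          capture_output=True, text=True).stdout


# Constructed samples in the assumed shape of `zerotier-cli -j` output.
SAMPLE_NETWORKS = json.dumps([
    {"nwid": "d5e04297a16fa690", "name": "lab", "status": "OK",
     "assignedAddresses": ["10.147.17.1/23"], "portDeviceName": "zt0"},
    {"nwid": "0123456789abcdef", "name": "pending", "status": "ACCESS_DENIED",
     "assignedAddresses": [], "portDeviceName": "zt1"},
])
SAMPLE_PEERS = json.dumps([
    {"address": "a1b2c3d4e5", "role": "LEAF",
     "paths": [{"address": "203.0.113.10/9993", "active": True, "preferred": True}]},
    {"address": "b2c3d4e5f6", "role": "LEAF", "paths": []},  # relayed: no path
    {"address": "c3d4e5f6a7", "role": "LEAF",                 # relayed: path expired
     "paths": [{"address": "198.51.100.7/9993", "active": False, "preferred": False}]},
    {"address": "d1e2f3a4b5", "role": "PLANET",
     "paths": [{"address": "192.0.2.1/9993", "active": True, "preferred": True}]},
])

if __name__ == "__main__":
    import sys
    nwid = sys.argv[1] if len(sys.argv) > 1 else "d5e04297a16fa690"
    try:
        nets, peers = run_cli("listnetworks"), run_cli("peers")
    except (RuntimeError, subprocess.CalledProcessError):
        nets, peers = SAMPLE_NETWORKS, SAMPLE_PEERS  # offline demo on the samples
    print("\n".join(report(nets, peers, nwid)))
```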
Security Features
Encryption Mechanisms
ZeroTier employs end-to-end encryption for all data transmission to ensure confidentiality and integrity, utilizing Curve25519 for key exchange between peers. This elliptic curve Diffie-Hellman variant enables secure establishment of shared symmetric keys without exposing long-term private keys.[14][50]

The symmetric encryption of payloads occurs via AES-GMAC-SIV, a nonce-misuse-resistant authenticated encryption mode introduced in version 1.6.0 and used in subsequent releases. This scheme combines AES-256 in counter (CTR) mode for encryption with GMAC for authentication, providing both confidentiality and tamper detection in a single operation; it replaces the prior Salsa20/Poly1305 construction for improved performance and security bounds, with misuse probability below 2^{-32} under NIST guidelines. All traffic, including direct peer-to-peer links and relayed paths through supernodes, is encrypted by default with no plaintext exposure to intermediaries. As of version 1.16, initial "Hello" packets in the handshake process are also encrypted to protect metadata.[51][50][52][53]

Node identities are secured through certificate-based authentication using Ed25519 digital signatures, where each device's 40-bit ZeroTier address derives from its public key, and messages are signed to verify authenticity during connection setup. This prevents unauthorized nodes from joining or impersonating peers.[14]

Access Control and Rules
ZeroTier implements access control through a distributed rules engine that enforces network policies on traffic flows. The rules engine uses a declarative syntax resembling JSON, configured via the network controller, to permit or deny packets based on criteria such as source or destination IP addresses, ports, protocols, and member tags. These rules are applied statelessly by each peer, evaluating packets against an ordered list of match conditions and actions without maintaining connection state, which requires symmetric rules for bidirectional communication. For instance, a rule might allow TCP traffic on port 22 for SSH access while dropping all other protocols, ensuring granular control over network behavior.[25]

Member authorization is managed centrally through the controller, where administrators manually approve or deny join requests for private networks, visible in the members panel of ZeroTier Central. Public networks automatically authorize joining members without manual intervention, though rules still apply for traffic control. Controllers can assign specific capabilities to authorized members, such as the bridge capability, which enables a node to forward traffic between the virtual ZeroTier network and a physical Ethernet segment, facilitating Layer 2 connectivity to legacy devices. This process involves selecting the member and enabling options like "Allow Bridging" in the controller interface.[15][14][46]

The tag system provides dynamic, role-based authorization by assigning 32-bit numeric tags to members via the controller, allowing rules to reference these for conditional access without expanding the main ruleset. Tags function as key-value pairs, supporting bitwise operations like equality or difference in match conditions (e.g., MATCH_TAG_SENDER or MATCH_TAGS_DIFFERENCE), enabling micro-segmentation such as restricting file-sharing ports to members with a specific "department" tag. This approach supports scalable policy enforcement, where tags propagate via signed credentials and integrate with the rules engine for identity-driven controls.[25]
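To make the stateless evaluation described here concrete, together with the symmetric-rule requirement it imposes and the department-tag rule quoted in the Controller section, the following is an added example that models the controller's ordered JSON rule list using the MATCH_*/ACTION_* type names cited on this page. It is not ZeroTier's own engine: the member addresses, tag id 1000 and client port numbers are constructed, and treating a packet that reaches the end of the list as dropped is an assumption of the model. It encodes accept ipprotocol tcp and dport 22; and accept dport 139 or dport 445 and tdiff department 0; and shows that the SSH reply is dropped until a mirror rule on source port 22 is added.

```python
"""Stateless model of ZeroTier-style JSON flow rules (added example).

Not ZeroTier's own engine. Rule "type" names follow the controller's JSON
form; member addresses, tag id 1000 and port numbers are constructed, and
dropping a packet that falls off the end of the list is an assumption.
"""
from dataclasses import dataclass

TCP = 6
DEPARTMENT = 1000  # constructed numeric id for the "department" tag


@dataclass(frozen=True)
class Packet:
    src: str          # sender's ZeroTier address (constructed)
    dst: str          # receiver's ZeroTier address (constructed)
    ip_protocol: int  # 6 = TCP
    sport: int
    dport: int


# Constructed members: ZeroTier address -> {tag id: tag value}.
MEMBERS = {
    "a1b2c3d4e5": {DEPARTMENT: 100},
    "b2c3d4e5f6": {DEPARTMENT: 100},
    "c3d4e5f6a7": {DEPARTMENT: 200},
}


def _match(rule, pkt, members):
    """Evaluate one MATCH_* rule, ignoring its own "not"/"or" flags."""
    t = rule["type"]
    if t == "MATCH_IP_PROTOCOL":
        return pkt.ip_protocol == rule["ipProtocol"]
    if t == "MATCH_IP_DEST_PORT_RANGE":
        return rule["start"] <= pkt.dport <= rule["end"]
    if t == "MATCH_IP_SOURCE_PORT_RANGE":
        return rule["start"] <= pkt.sport <= rule["end"]
    if t == "MATCH_TAG_SENDER":
        return members[pkt.src].get(rule["id"]) == rule["value"]
    if t == "MATCH_TAGS_DIFFERENCE":
        s = members[pkt.src].get(rule["id"])
        r = members[pkt.dst].get(rule["id"])
        # A member that lacks the tag never satisfies a tag rule.
        return s is not None and r is not None and abs(s - r) <= rule["value"]
    raise ValueError(f"unsupported rule type {t}")


def evaluate(rules, pkt, members):
    """Return "ACCEPT" or "DROP" for pkt under an ordered rule list.

    Matches accumulate into one boolean: AND by default, OR when the rule
    has "or": true, inverted when it has "not": true. The first ACTION_*
    reached with the accumulator true decides the packet; one reached with
    it false is skipped and the accumulator resets, so an action with no
    preceding matches (a bare drop) always fires. Nothing is remembered
    between packets, which is why replies need rules of their own.
    """
    set_matches = True
    for rule in rules:
        if rule["type"].startswith("ACTION_"):
            if set_matches:
                return rule["type"][len("ACTION_"):]
            set_matches = True
            continue
        hit = _match(rule, pkt, members) != bool(rule.get("not", False))
        set_matches = (set_matches or hit) if rule.get("or") else (set_matches and hit)
    return "DROP"  # assumption: nothing matched, so deny


# "accept ipprotocol tcp and dport 22;" then
# "accept dport 139 or dport 445 and tdiff department 0;" then a final drop.
RULES_ONE_WAY = [
    {"type": "MATCH_IP_PROTOCOL", "ipProtocol": TCP},
    {"type": "MATCH_IP_DEST_PORT_RANGE", "start": 22, "end": 22},
    {"type": "ACTION_ACCEPT"},
    {"type": "MATCH_IP_DEST_PORT_RANGE", "start": 139, "end": 139},
    {"type": "MATCH_IP_DEST_PORT_RANGE", "start": 445, "end": 445, "or": True},
    {"type": "MATCH_TAGS_DIFFERENCE", "id": DEPARTMENT, "value": 0},
    {"type": "ACTION_ACCEPT"},
    {"type": "ACTION_DROP"},
]

# The same list plus the mirror rule a stateless engine needs so that SSH
# replies (TCP source port 22) are not dropped on the way back.
RULES_SYMMETRIC = RULES_ONE_WAY[:3] + [
    {"type": "MATCH_IP_PROTOCOL", "ipProtocol": TCP},
    {"type": "MATCH_IP_SOURCE_PORT_RANGE", "start": 22, "end": 22},
    {"type": "ACTION_ACCEPT"},
] + RULES_ONE_WAY[3:]

# Constructed traffic samples.
SSH_REQUEST = Packet("a1b2c3d4e5", "c3d4e5f6a7", TCP, 51000, 22)
SSH_REPLY = Packet("c3d4e5f6a7", "a1b2c3d4e5", TCP, 22, 51000)
SMB_SAME_DEPT = Packet("a1b2c3d4e5", "b2c3d4e5f6", TCP, 50000, 445)
SMB_OTHER_DEPT = Packet("a1b2c3d4e5", "c3d4e5f6a7", TCP, 50000, 445)

if __name__ == "__main__":
    for name, pkt in [("ssh request", SSH_REQUEST), ("ssh reply", SSH_REPLY),
                      ("smb same dept", SMB_SAME_DEPT), ("smb other dept", SMB_OTHER_DEPT)]:
        print(f"{name:14} one-way={evaluate(RULES_ONE_WAY, pkt, MEMBERS):6} "
              f"symmetric={evaluate(RULES_SYMMETRIC, pkt, MEMBERS)}")
```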
Auditing in ZeroTier focuses on visibility into management actions and network events while prioritizing privacy through minimal data retention. Controllers log API requests and member joins in audit logs accessible via ZeroTier Central, recording administrative changes like authorizations without capturing user personal information. Client devices generate local logs for events including rule violations (e.g., dropped packets) and flow attempts, configurable for verbosity, but ZeroTier's infrastructure collects only essential metadata such as member IP addresses and anonymized usage statistics, with no routine inspection of peer-to-peer traffic to preserve end-to-end privacy.[54][55]