I don’t know anything about Netbird, but I’ll link you to my ZeroTier pitch the last time I noticed someone talking about Tailscale: https://lemmy.world/comment/1058287.

If you send these files over SSH, you’re good as that’s encrypted by ZeroTier and then encrypted again inside the SSH connection (and SSH does have perfect forward security).

See their cryptography section of their docs for more info.

You can read more here about what they’re working on:

• https://www.zerotier.com/blog/research-notes-on-2-x-cryptography/
• https://www.zerotier.com/blog/research-notes-aes-gmac-ctr-siv/

It’s been to long since I’ve read that to give anything more than a condensed “they’re improving their crypto significantly with ZeroTier 2” (not to mention memory safety via Rust).

I think it’s pretty secure and it will be getting better soon. In reality, I think it’s much more secure than what most people will end up with otherwise.

ZeroTier is open source, long running without incident, and the traffic is encrypted between peers.

The threat model is basically two fold though, in theory someone who has control of the ZeroTier roots (if you’re not using your own controller, if you’re using your own, then s/their roots/your roots/) could add routes to your devices, and add/remove devices that are part of your confirmation.

The encryption also doesn’t currently have perfect forward security, so if there’s a compromise in one of your connections, in theory some past state of that connection could be decrypted. In practice, I’m not sure this matters as traffic at a higher level for most sensitive things uses its own encryption and perfect forward security (but hey maybe you have some software that doesn’t).

The other thing I will note about that last point is that they’re working on a rust rewrite that will have updated crypto, including perfect forward security.

FOSS just means the software is open source. As I said, you can self host ZeroTier and not involve their servers (if you’re not doing things commercially, you pay for the license but still run your own controllers, or you use an older version which has been automatically relicensed by the change date to Apache 2.0).

That said, the traffic is peer-to-peer, in the majority of use cases there servers are acting as a bit more than syncthing’s servers (acting to facilitate the connection between two devices that want to talk together). See the other comment for some more thoughts here.

I’ll pitch ZeroTier instead, it’s the same concept, but it’s more FOSS friendly, older, doesn’t have the non-networking “feature bloat” of Tailscale, and can handle some really niche cases like Ethernet bridging (should you ever care).

Just:

1. Go to their website, create an account, and create a network
2. Add ZeroTier to the devices you need to connect
3. Enter your network ID on those devices
4. Approve the devices in the web control panel

If you want to go full self hosting, you can do that too but you will need something with a static IP to control everything (https://docs.zerotier.com/self-hosting/network-controllers/?utm_source=ztp) this would replace the web panel parts.

You can also do a LAN routing based solution pretty easily using something like a Raspberry Pi (or really any Linux computer).

I prefer ZeroTier, I’m not sure why Tailscale has taken off so much in recent years (perhaps just the cleaner UI and better marketing).

I’ve tried to switch in the past, but tripped over the differences in Podman vs Docker networking. IIRC Docker is better for creating an isolated network.

I have noticed that Docker doesn’t do the best job at graceful shutdowns (say for automatic installation of updates). I suspect Podman with systemd integration could do much much beter.