
Tailscale raises $100M

(tailscale.com)
854 points gmemstr | 96 comments
1. nickysielicki No.31260955
Tailscale has a fantastic product, I’ve been extremely happy from day one. If you’re waiting for a weekend to have a few hours to try out Tailscale, don’t, it takes 15 minutes to get every device you own up and running and talking. This is the lowest friction personal VPN to ever exist, and once you see how easy it is for your own devices, you’ll wish you had it at work.

The biggest risk that this company has is that Cloudflare (in all reality) should just buy them or reimplement it. It’s the type of product cloudflare would make, that’s for sure. Being based on open source wireguard, and being just a STUN/TURN server at its core… I’m sure that Tailscale will be the first but maybe not the best.

I’ve been dreaming lately of a tor-like network that’s based loosely on the idea of tailnets. Rather than blockchain bullshit, you’d have a direct ring of trust with friends, and then you could set up access policies to forward packets for people you don’t trust, but who know someone you do trust.

Web3 happens when people can host stuff on their phones, and Tailscale is something that lets you host things on your phone.

replies(16): >>31261040 #>>31261078 #>>31261130 #>>31261312 #>>31261392 #>>31261800 #>>31261878 #>>31264974 #>>31265274 #>>31265636 #>>31265787 #>>31267524 #>>31267632 #>>31267917 #>>31267947 #>>31272295 #
2. mnkmnk No.31261078
Cloudflare already has a competing product https://www.cloudflare.com/en-in/lp/ppc/cloudflare-for-teams...
replies(1): >>31261223 #
3. siavosh No.31261130
I’m pretty ignorant on this topic, but what are the benefits of having a personal VPN?
replies(7): >>31261258 #>>31261313 #>>31261391 #>>31261507 #>>31261763 #>>31264204 #>>31267904 #
4. nickysielicki No.31261223
It’s not really a competing product until they relaunch it with a heavy consumer focus and with some of the properties that Tailscale has, ie: avoiding going through the cloudflare CDN. But more to my point, cloudflare is definitely in a position to outcompete Tailscale, it’s just a couple tweaks and a marketing shift.
replies(1): >>31261535 #
5. gzer0 No.31261258
I am able to route traffic on my mobile device through my home network via the use of their "exit node" option. It allows one of my home devices to act as an exit node for my entire personal tailscale network.

This serves multiple benefits: the main one being that I receive pi-hole filtered ad-free traffic on my mobile device via a Wireguard VPN with my home IP 24/7/365.

replies(5): >>31261546 #>>31262837 #>>31264416 #>>31265604 #>>31271256 #
6. tepitoperrito No.31261312
Like a hybrid NNCP-GO and nebula sdn. Neat!
7. newaccount74 No.31261313
I use it so I can connect to my work machine (dynamic IP on office wifi) from my laptop (dynamic IP, home Wifi).

It's also great to be able to just ssh into your laptop at home when you're at work and you forgot to push whatever you were working on last night.

It's not necessary, but Tailscale makes a lot of things just easier.

replies(1): >>31262486 #
8. shepherdjerred No.31261391
I have a server at home with file syncing, personal media, and home automation. I want to be able to access it remotely, but I’d rather some of those things not be publicly accessible for security. I could always do HTTP auth with an nginx reverse proxy, but it’s not a very smooth workflow and it relies on me being able to configure my server/services correctly.

Instead I can bind my services to Tailscale's network interface and access it anywhere that I’m connected to my Tailscale network. It’s like authentication for free.

As a side note I know this is an anti-pattern since one intruder can access all of my services, but that’s not a vector I’m really concerned about since I’m not exactly a high value target.

replies(1): >>31264665 #
9. lazzlazzlazz No.31261392
> a direct ring of trust with friends

The vision you outlined is great, except it doesn't work. The trust assumptions are too high, and even a great product like Tailscale seems to rely completely on centralized identity providers (you have to choose Google, Microsoft, or Github on sign-in).

Ultimately, if you want to maintain full control of your online identity and network, you'll probably need some of the decentralized (but economically aware) resources you seem to have issues with — or at the very least a means of transitioning authentication to private key methods with DIDs.

replies(4): >>31261964 #>>31262573 #>>31262748 #>>31267311 #
10. stanmancan No.31261507
You can access your home network and any machines on it without exposing anything to the public internet. It's much safer to connect to my home network over a VPN than to expose all of the services to the public internet and hope they're all secure.
replies(1): >>31265482 #
11. ThePhysicist No.31261535{3}
I don't think Tailscale will focus on the consumer market, I'd be very surprised at least if they did. I think they built a developer-friendly product to get mindshare and early adopters, but eventually the real market for such products is in the B2B space, i.e. implementing the "BeyondCorp" model of zero-trust networking. There's also a market for building cloud mesh services but I'm not sure if Tailscale is well positioned for that as there are good open-source solutions available for that already.
replies(3): >>31261602 #>>31263341 #>>31265635 #
12. karlshea No.31261546{3}
I can do that without Tailscale though by just using the WireGuard app. What is Tailscale adding to this?
replies(4): >>31261559 #>>31262577 #>>31262741 #>>31267601 #
13. nickysielicki No.31261559{4}
NAT breaking, I can have a wireguard network with Tailscale where every device only has an RFC1918 address and a default route.
replies(3): >>31261726 #>>31265016 #>>31266547 #
14. nickysielicki No.31261602{4}
It costs them so little to provide their free consumer service (iirc: they fall-back to providing transit, but it’s very rare and only occurs when UDP is completely blocked) that it benefits them to keep their focus on consumers because if everyone is using Tailscale, the business customers are inevitable.
15. karlshea No.31261726{5}
Ahhh that is slick
16. ziftface No.31261763
Some of my friends used it to play older lan games
17. systemvoltage No.31261800
Well put, there is no moat. Corporate customers really don’t want yet another network infra if they have Cloudflare + ZTN offerings.

Cloudflare, please make a box I can buy and stick it in the closet with a WAN connection. Routers suck, it’s time to reinvent them. Also please don’t make them look like goddamn spaceships.

replies(1): >>31261873 #
18. jgrahamc No.31261873
What's this box going to do?
replies(1): >>31261997 #
19. depingus No.31261878
> I’ve been dreaming lately of a tor-like network that’s based loosely on the idea of tailnets. Rather than blockchain bullshit, you’d have a direct ring of trust with friends, and then you could set up access policies to forward packets for people you don’t trust, but who know someone you do trust.

Might want to check out Yggdrasil. It lets you create a real mesh routed, E2E encrypted network. You can keep your network private, or connect it to the greater network and route others. There's no ring-of-trust (I can't imagine that as a viable solution at scale). But the config file has an AllowedPublicKeys section if you want to specify who can route through your node.

https://github.com/yggdrasil-network/yggdrasil-go

replies(1): >>31264166 #
20. nickysielicki No.31261964
I feel like people are so concerned about infinite scaling that nobody ever tries to scale to 5 anymore.

I have a big collection of movies, and I’d like my mom-technical blue collar friends to be able to watch them. I trust them, and I have trusted communication channels with them. We exchange keys somehow.

With the sort of routing I’m describing, they could watch my movies and I wouldn’t have to have a public IP address. And I wouldn’t mind if their friends (that aren’t my friends) watch my movies, either, by forwarding through my friends. What’s the catch? This could work for that. How could I do this today?

I don’t have any ideological or moral problem with blockchains, I just think they suck at solving problems where the requirements for trust are low or met elsewhere.

edit: mom-technical was a typo of non-technical but I’m leaving it because it’s more accurate.

replies(2): >>31262480 #>>31265104 #
21. systemvoltage No.31261997{3}
I was thinking a router that’s connected to Cloudflare network. Every device that connects to it is automatically on Cloudflare tunnels or Tailscale like VPN. And generally do the routing stuff better than Ubiquiti products (can manage your home router through their control panel from anywhere).

Remote devices would need a client installed on it to access the VPN, of course.

replies(1): >>31263195 #
22. depingus No.31262480{3}
> And I wouldn’t mind if their friends (that aren’t my friends) watch my movies, either, by forwarding through my friends.

This is the part that doesn't scale. Hell, this is extremely risky even at a small scale. You don't know who your friends' friends are, you will have friends that abuse this, and you will end up with a much larger network than you anticipated.

How many of your friends and family are "friends" with bots on Facebook?

23. yeswecatan No.31262486{3}
> It's also great to be able to just ssh into your laptop at home when you're at work and you forgot to push whatever you were working on last night.

What's the difference between using Tailscale for this and just opening the port on your router?

replies(3): >>31262863 #>>31263184 #>>31264890 #
24. zanny No.31262573
I self host headscale as my control node of my tailscale vpn so no sign ins required, I just give keys out to anyone I want in my vpn.

My problem is the client doesn't support multiple servers, so I can't have a work vpn and a home vpn, not even with an easy toggle - you have to run tailscale with different conf options for both. Changing namespaces also isn't easy, so having friends and family segregated even on one server is also a pain point.

replies(2): >>31264189 #>>31270198 #
25. rrix2 No.31262577{4}
Not having to generate, manage, and distribute wireguard secrets and configurations was good enough reason for me to switch.

Tailscale also provides a "magic DNS" service which lets you resolve your Tailscale device names without setting up unbound etc, and which can relay other requests through to your pi-hole or unbound or whatever, which can then listen only on the tailscale IP address, so no need to run an open resolver or deal with source IP filtering.

e: also, you can share devices between tailscale users without generating, managing, distributing wireguard secrets. You send your pal/partner/kid a link and they can access your fileserver or raspberry pi webserver or pihole server for themselves wherever they are.

26. ReverseCold No.31262741{4}
> For a Linux user, you can already build such a system yourself quite trivially by getting an FTP account, mounting it locally with curlftpfs, and then using SVN or CVS on the mounted filesystem. From Windows or Mac, this FTP account could be accessed through built-in software.
27. cma No.31262748
What are DIDs: Device IDs?
replies(1): >>31264106 #
28. No.31262837{3}
29. colordrops No.31262863{4}
Someone answered above - it works even if you have no router you can configure, using NAT busting. I do what you suggest though, just setting up wireguard directly on my OPNSense router. I don't want to get any private company involved in my VPN setup.
30. pimeys No.31263184{4}
Easier. And you don't open the port to a public network.
31. babelfish No.31263195{4}
https://blog.cloudflare.com/cloudflare-for-offices/
32. windexh8er No.31263341{4}
They already (sort of) do [0] as they have a "Personal Pro" plan that's not too obvious - personally, I hope they expand to make it more cloud-native via a la carte pricing for those users as I'd pay an extra $x/month for an additional subnet router or three. And, IMO, it's a smart approach - those who are the targeted "Prosumer" might leverage this for their homelab and carry it over with them into the enterprise. I say that it's a smart approach because in my time at a vendor that was slinging security middle boxes - we used to give away our small form factor product to those homelab'ers for free. They'd take them home and see how much the solution could provide, they got comfortable with the UI, and they learned it for their own use cases. And then the path into an enterprise conversation held much less friction.

[0] https://tailscale.com/pricing/

replies(2): >>31265233 #>>31265559 #
33. lazzlazzlazz No.31264106{3}
Decentralized Identifiers: https://www.w3.org/TR/did-core/
replies(1): >>31267720 #
34. _abox No.31264166
Thanks, I thought I knew all the major mesh VPN options (tinc, nebula, tailscale, zero tier, hamachi) and yet I never heard of yggdrasil.

This is the kind of comment I love HN for!

replies(3): >>31265825 #>>31270944 #>>31275314 #
35. GekkePrutser No.31264189{3}
Thanks, the main objection I have with tailscale is that you can't self-host (and you need external identity providers). I had no idea there was a self host option. I'll investigate. I assume it's an unsupported community option?
replies(1): >>31265304 #
36. GekkePrutser No.31264204
For me: direct routing between endpoints, thus reducing the lag and spec restrictions you get from routing through a single VPN server.

Other things are seamless transition to local networks, and you can even have local network encryption.

37. Sohcahtoa82 No.31264416{3}
What other benefits are there? I use a PiHole to block ads on my phone already, but I do it via a PiHole installed on an EC2 instance that I also use as an IRC bouncer and other things.
replies(2): >>31264883 #>>31265929 #
38. jjeaff No.31264665{3}
I don't think that is an anti-pattern. One well secured point of access is better than various http access points with varying levels of security and maintenance levels, all requiring frequent manual update to stay secure.
replies(1): >>31265838 #
39. pkulak No.31264883{4}
It means you can self host all kinds of things and never worry about opening a port on your router.
replies(1): >>31265059 #
40. pkulak No.31264890{4}
Like a million times more secure.
41. anderspitman No.31264974
> Web3 happens when people can host stuff on their phones

This has essentially been the guiding principle of my side projects for the last two years. Folks shouldn't need to understand DNS, TLS, HTTPS, IP addresses, ports, NAT, CGNAT, etc in order to own their data. Self-hosting a small server for you and your friends shouldn't be any more difficult or less secure than installing an app on your phone.

42. anderspitman No.31265016{5}
For more background on just how much Tailscale is doing for you with respect to NAT:

https://tailscale.com/blog/how-nat-traversal-works/

43. anderspitman No.31265059{5}
As long as you don't need to share any of your services with non-Tailscale users. Otherwise you'll need to set up some sort of public server.
replies(1): >>31265644 #
44. anderspitman No.31265104{3}
Definitely stealing mom-technical. Though I do disagree somewhat with the conflation with blue-collar. I would almost argue white-collar folks are less likely to understand computers.
45. seedie No.31265233{5}
I remember Astaro did this with their Astaro Security Gateway UTM solution. Provide a full featured software appliance for home users and hope the admins are so caught up that they don't want to change to another vendor at work. Astaro got acquired by Sophos in 2011 but I just checked, they still offer the Sophos UTM Gateway in a Home edition.

https://www.sophos.com/en-us/free-tools/sophos-xg-firewall-h...

46. polote No.31265274
> The biggest risk that this company has is that Cloudflare (in all reality) should just buy them or reimplement it. It’s the type of product cloudflare would make, that’s for sure.

The same thing is being said on HN about all kinds of network software, but tell me one software that Cloudflare is really known for except its CDN? None.

HN is really a strong echo chamber and some people believe Cloudflare and Stripe are going to be the leader in all software areas. (Even though Cloudflare is not the leading CDN and Stripe is not the leading payment processor). They are both amazing companies but they won't fix all problems of the world. I would even argue that they won't even solve more than their current core domains.

replies(3): >>31265346 #>>31265897 #>>31271702 #
47. seedie No.31265304{4}
OP is talking about headscale [0] "An open source, self-hosted implementation of the Tailscale control server"

[0] https://github.com/juanfont/headscale

48. freedomben No.31265346
We must be in different circles, because WAF (web application firewall) is what I would say they're most known for. But I agree Cloudflare isn't well known (at least yet) for many of the other things they offer. Been a lot of buzz around workers but I haven't tried it myself yet.
replies(1): >>31266523 #
49. criddell No.31265482{3}
Doesn’t putting Tailscale in the middle mean you are now hoping they are secure? I suppose that’s probably better than connecting to the VPN on your home gateway router that your ISP has access to.
replies(1): >>31268173 #
50. chipsa No.31265559{5}
I think they've said they don't actually enforce the usage limits, so you can add an additional subnet router and they largely don't care (because they haven't put the engineering into enforcing the limits, because it doesn't actually use up appreciably more resources for them when you exceed those limits). I think they do enforce the user limits though.
51. antihero No.31265604{3}
Ah, the exit node thing is really cool, always handy to have a residential IP to route through too :)
52. ignoramous No.31265635{4}
You're not wrong but they do seem to want to keep focusing on consumers (not just developers), teams, and enterprises all at the same time but market [0] the product differently.

> If we're going to fix the Internet, there's no point only fixing it for big companies who can pay a lot. That misses the point of the whole adventure. The Internet is for everyone. We have to fix it for everyone, or why bother? We knew we had to design a business model and a technical architecture that removes any incentive to abuse your privacy. Providing an ever-expanding free tier is how we help as many people as possible.

> ...

> Tailscale's go-to-market strategy is what we call bottom-up growth, or product-led growth (PLG). An earlier name for this is "GTM 3.0", which is explained beautifully in a presentation by Adam Gross... To summarize: in GTM 3.0, you give away an unlimited free tier for individual use (Not a trial, a free tier; this is what makes it different from GTM 2.0). Then, for collaboration in small teams, you charge a bit. Then, for big company control and auditability, you charge even more. At each level, the value proposition is different, so that users use your tech differently and benefit differently from it. And at each level, the buyer is different, so the messaging is different.

From tailscale.com/blog: How our free plan stays free, https://archive.is/R7jqw

[0] https://en.wikipedia.org/wiki/Marketing_mix

53. Melatonic No.31265636
I think your last point is what many of us are hoping Web3 really is
54. vineyardmike No.31265644{6}
But you can also try to get them to be Tailscale users and effortlessly share the devices with access control features they built. I share my home servers and game servers with family/friends easily while still keeping everything off the public internet.
replies(1): >>31266200 #
55. 1vuio0pswjnm7 No.31265787
"Being based on open source wireguard, and being just a STUN/TURN server at its core... I'm sure that Tailscale will be the first but maybe not the best."

I like this assessment. "[J]ust a STUN/TURN server at its core." It gives me hope maybe more people are starting to learn how to look at peer-to-peer not as something that is unreasonably complex and off-limits to ordinary users. LAN-like connectivity is not just for offices and gamers.

Of course, following a STUN/TURN standard is just one approach to a rendezvous server. It isn't the first or last approach to have worked.

By "rendezvous server" I mean a program that accepts connections and saves each client's address and open port number and makes this data available to other connecting clients, thereby allowing one client to connect directly to another client without involving the rendezvous server. The server needs only to tell clients about IP addresses and port numbers, nothing more.^1 Thus it can be a relatively small, relatively simple program.^2

I hope that going forward there will be even more choice in small, open source rendezvous servers, not created for commercial purposes, that ordinary users can run on globally reachable IP addresses. Most users must "lease" these addresses from others. Because not every user has a globally reachable IP address available, the use of "hosting" and now what people today call "cloud" services has been necessary.

Enormous amounts of traffic are passing through these third party "cloud" providers. They are, to use a popular term, "gatekeepers". Business customers, including ones who already control globally reachable IPv4 address space, let alone individual customers without such resources, are effectively beholden to them if they want to be on the internet. Not only that, the services are generally expensive.

However no data needs to be sent to or received from a rendezvous server other than address and port information. If customers are charged based on ingress/egress, it could be affordable for users to run these small programs on a "cloud server" due to the smaller amount of data transfer. With less data being sent to these third party providers, the privacy concerns would arguably be reduced as well (cf. eliminated).

The ability to connect devices directly over a network, including the internet, should not be monopolised like so many other aspects of the computers and the internet today. It should be available for everyone. The only cost should be paying for the globally reachable IP address and a tiny amount of traffic required for running a rendezvous server.

1. The advantage here is that the program can be easier and quicker to compile and users may be more inclined to read the source code and, optionally, make edits and recompile. Non-commercial, not a complex program like a web browser that is prohibitively slow to compile that almost no one compiles for themselves, nor one that few people have both the aptitude and inclination to read, edit and improve its source code.

2. Yes, there can be exceptions. For example, in some cases two clients using the same ISP might not be able to reach each other directly. But these cases are the exceptions, not the rule.
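A minimal rendezvous server of the kind the comment above describes, written here as an added example (it is neither the commenter's code nor Tailscale's). The JSON message shape, the name-keyed registry and the 60-second expiry are assumptions of this example. The one security-relevant detail it demonstrates is that the server records only the source address it observed on the datagram, never an address the client claims, so one client cannot plant a forged endpoint under another name; it also shows the NAT-related failure mode footnote 2 alludes to, in that a stale mapping simply expires and a lookup then fails instead of returning a dead endpoint.

```python
import json
import socket
import time
from dataclasses import dataclass
from typing import Dict, Optional, Tuple


@dataclass
class Entry:
    """A client's endpoint as the server observed it, plus when it was last seen."""
    ip: str
    port: int
    seen: float


class Rendezvous:
    """Address book keyed by a client-chosen name (example design, not Tailscale's).

    Only the observed UDP source IP:port is stored. Whatever the client says about
    its own address is ignored, so a forged "ip"/"port" field cannot redirect peers
    to an attacker-chosen endpoint. Entries expire after `ttl` seconds because NAT
    mappings do; a client re-registers periodically to stay reachable.
    """

    def __init__(self, ttl: float = 60.0):
        self.ttl = ttl
        self.entries: Dict[str, Entry] = {}

    def _expire(self, now: float) -> None:
        self.entries = {n: e for n, e in self.entries.items() if now - e.seen < self.ttl}

    def handle(self, msg: bytes, src: Tuple[str, int], now: Optional[float] = None) -> dict:
        """Process one datagram received from `src`; return the reply as a dict."""
        now = time.time() if now is None else now
        self._expire(now)
        try:
            req = json.loads(msg.decode("utf-8"))
        except ValueError:  # covers both UnicodeDecodeError and JSONDecodeError
            return {"error": "bad request"}
        if not isinstance(req, dict):
            return {"error": "bad request"}
        name = req.get("name")
        if not isinstance(name, str) or not (0 < len(name) <= 64):
            return {"error": "bad name"}
        op = req.get("op")
        if op == "register":
            self.entries[name] = Entry(src[0], src[1], now)
            # Echo the reflexive address so the client learns how it looks from outside.
            return {"ok": True, "you": [src[0], src[1]]}
        if op == "lookup":
            e = self.entries.get(name)
            if e is None:
                return {"error": "unknown peer"}
            return {"ok": True, "peer": [e.ip, e.port]}
        return {"error": "unknown op"}


def serve(bind: str = "0.0.0.0", port: int = 3478) -> None:
    """Stand-alone UDP loop; the port number is just a conventional choice here."""
    rv = Rendezvous()
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.bind((bind, port))
        while True:
            msg, src = sock.recvfrom(512)
            sock.sendto(json.dumps(rv.handle(msg, src)).encode("utf-8"), src)


if __name__ == "__main__":
    serve()
```

Names are first-come-first-served and unauthenticated in this toy; a deployable version would bind each name to a client key and require registrations to be signed with it, which is the part the comment leaves out of "nothing more".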

56. ctrlc-root No.31265825{3}
Here's one more: https://fastd.readthedocs.io/en/v22/index.html
57. shepherdjerred No.31265838{4}
I meant that for larger organizations where security is a concern you'd want both -- your network should be secured and the individual applications should be as well. Again it's contextual advice and really doesn't matter for my internal site where there's not too much at stake.
58. nickysielicki No.31265897
I bring up cloudflare because the technologies involved with Tailscale are really cloudflare core competencies. Cloudflare runs 1.1.1.1/WARP which is a massive dns server and wireguard VPN, respectively. They already have Cloudflare Access. It’s a natural fit. It’s pretty easy to imagine that cloudflare is better positioned to steal customers from Tailscale than Cisco, F5, or Fortinet.

Cloudflare needs to solve two problems: they need to introduce a free tier of Access that doesn’t use the CDN and creates direct connections between endpoints (to basically remove all operating costs), and they need to make the onboarding process for hobbyists easier instead of having a “contact sales” link on their homepage for these products. That’s doable.

59. Spooky23 No.31265929{4}
It’s pretty similar as far as how it works for you.

It may be cheaper to VPN to home vs a cloud server, and you may avoid issues where sites block AWS. You can also securely forward other ports. Sometimes I print or access other services in my house that aren’t internet safe.

replies(1): >>31266277 #
60. apitman No.31266200{7}
But now your friends and family are locked into a proprietary system, subject to whatever the future incentives of Tailscale end up being. How many people can you connect on the free plan?
replies(2): >>31267453 #>>31288614 #
61. Sohcahtoa82 No.31266277{5}
I have the PiHole VPN configured so that only DNS lookups go through it. All other traffic is not tunneled. It means I don't get billed for several gigabytes of traffic from AWS and my traffic doesn't come from an AWS IP, but I still get all the ad-blocking benefits of a PiHole.

At home on my desktop, I just use uBlock Origin in my browser.

replies(1): >>31269013 #
62. devman0 No.31266523{3}
CDN and Reverse Proxy are Cloudflare's bread and butter really, WAF came later. The issue is that those technologies are rather invisible to most users when they are working correctly.
63. devman0 No.31266547{5}
Is forwarding a single port that difficult in most circumstances? I do realize there are some instances where that is hard like CGNAT, but if I have easy access to wireguard in my network already what does tailscale buy me?
replies(1): >>31266791 #
64. donaldihunter No.31266791{6}
I was running Wireguard exactly as you describe, but I'm now using Tailscale because convenience.
65. Serow225 No.31267311
fwiw, those on the Enterprise plan can bring their own IdP :) https://tailscale.com/kb/1119/sso-saml-oidc/
66. gzer0 No.31267453{8}
Everything in Tailscale is Open Source, except the GUI clients for proprietary OS (Windows and macOS/iOS), and the control server.

Headscale [1] allows one to implement a self-hosted, open source alternative to the Tailscale control server.

[1] https://github.com/juanfont/headscale

Almost all of tailscale is opensourced at this point besides the GUI.

replies(1): >>31267504 #
67. anderspitman No.31267504{9}
Does headscale do all the same NAT traversal that Tailscale is capable of?
68. lewisl9029 No.31267524
Also been a happy user since their very early days.

I do have some nits though:

- It's kind of finicky on Android, especially with exit nodes enabled. Sometimes I lose connectivity completely after connecting to an exit node, until I flip my WiFi on and off, then everything starts working.

- Not being able to auto-update the desktop clients, or at least update remotely, is a bit of a pain, and potentially a security risk?

69. LoveGracePeace No.31267601{4}
I do the same, for multiple domains I own. Definitely not difficult.
70. enos_feedler No.31267632
Isn’t it only possible to host things on your phone if you can have a listener that binds to a socket/port? I don’t think mobile apis allow for this. Am I wrong?
replies(1): >>31274977 #
71. aaaaaaaaata No.31267720{4}
Very cool. Microsoft doing newish work on this, too! https://www.microsoft.com/en-us/security/business/identity-a...
72. girvo No.31267904
For me, it's so I can use Moonlight to stream games from my gaming desktop PC to my iPhone using a Backbone One controller.

Handheld Elden Ring is amazing :)

Though my use-case is extremely simple, and so I just use bare WireGuard.

73. frutiger No.31267917
> I’ve been dreaming lately of a tor-like network that’s based loosely on the idea of tailnets. Rather than blockchain bullshit, you’d have a direct ring of trust with friends, and then you could set up access policies to forward packets for people you don’t trust, but who know someone you do trust.

This is basically just `git pull` on steroids.

74. CryptoPunk No.31267947
> I’ve been dreaming lately of a tor-like network that’s based loosely on the idea of tailnets. Rather than blockchain bullshit, you’d have a direct ring of trust with friends, and then you could set up access policies to forward packets for people you don’t trust, but who know someone you do trust.

The network will coalesce around using a handful of hub nodes for the packet forwarding, and a malicious party need only to co-opt that central cluster of nodes to unmask all web users.

The "blockchain bullshit" enables trusted decentralized interaction at scale.

replies(1): >>31268640 #
75. stanmancan No.31268173{4}
I have a modem and my own router; I don't use (or even have) one provided by my ISP. I'm not entirely sure how Tailscale works TBH, so yes I'm betting on them being secure.

Tailscale comes with a few other benefits that don't come on other VPNs. I have my home server set up as an 'exit node' which allows me to route my traffic through it when I'm travelling. Super handy sometimes like when I'm travelling and my bank decides not to let me log in.

76. nickysielicki No.31268640
It would only unmask those connecting directly to the central cluster nodes, everyone behind them would be fine.
replies(1): >>31268652 #
77. CryptoPunk No.31268652{3}
I'm suggesting every one would connect directly to the central cluster.
78. O_H_E No.31269013{6}
Oh wow, that is cool. I have never heard of or thought about putting a pi-hole in the cloud.
replies(1): >>31277143 #
79. Handytinge No.31270198{3}
I'd love to try headscale, but a bit of research shows that the tailscale macOS client requires a CLI param to connect to a custom server, registry keys for Windows, Android client requires custom compile, and there's no iOS client at all.

Unfortunately if I need to bring anyone into my mesh network who is non technical, this is now a non starter.

80. PLG88 No.31270944{3}
Here is another (sort of), OpenZiti - https://openziti.github.io/. OpenZiti provides a mesh overlay network built on zero trust principles with outbound only connections so that we do not need inbound ports or link listeners. Similar to TS, you can host anything anywhere, and it has options to deploy on any popular host OS or as a virtual appliance.

What makes it really unique though is that it can actually be embedded inside the application via a suite of SDKs. Yes, private, zero trust connectivity inside an application! That provides the highest security and convenience as it can be completely transparent to the user!

Disclaimer, I work for the company who built and maintains OpenZiti so I am opinionated.

replies(1): >>31276061 #
81. PinguTS No.31271256{3}
So then, what is the difference from running OpenConnect and then connecting to it by activating CiscoVPN on the phone/mobile device?

I used that while I was in China as this allowed me to have my own personal VPN.

82. SergeAx ◴[] No.31271702[source]
Cloudflare has the world's best DNS system, and if you are still using another DNS provider, I wholeheartedly recommend switching ASAP.
83. dovholuknf ◴[] No.31272295[source]
You don't need to dream about it. You can absolutely do this today with OpenZiti. You just need to be able to set it up, which is - imo (I am a dev on the project and wrote the quickstarts) - just as easy to get up and running as anything. I do it in "under a minute", but I work on the project so my timing is not fair... :)

You can find information about it over at https://openziti.github.io/. You don't even need to trust the software itself. You can add a 3rd party certificate to the server and mint your own private keys/certs and deliver them to your friends, and have 100% control over where and how and whom you trust. You control access down to individual services, not CIDR blocks, not IP addresses. You can embed the SDKs into any of your own apps if you're into that sort of thing. :) You could set up a relay server in some cloud provider for the 'untrusted' traffic (hmmmm, you make me wonder if we could integrate with tor somehow now too...)

Seems like it'd do most/much of the things you want it to. I'd be happy to help you out. We have a Discourse you can post questions to.

replies(2): >>31277517 #>>31279829 #
84. nickysielicki ◴[] No.31274977[source]
I think so, it’s not something I’m too familiar with, but I found apps for both iOS and Android that let you host a web server that can be accessed from another computer on your LAN.
replies(1): >>31276200 #
85. afeiszli ◴[] No.31275314{3}[source]
Hey! Netmaker author here. I think it'd be a cool option for this use case. We have some users already doing blockchain stuff. Benefits are it's self-hosted, so you don't need to depend on a SaaS, no mandatory 3rd party auth, and a lot faster because of kernel WireGuard.
86. GekkePrutser ◴[] No.31276061{4}[source]
All the solutions I mentioned are outbound-only (for the clients), though they do all have a central point which is open for inbound connections so they can find each other. Or in some cases their own cloud serves this purpose. They call them lighthouses, Moons, etc., but the principle is the same.

The embedding inside an app sounds like a really cool discerning feature though. I'll have a look!

replies(1): >>31282574 #
87. enos_feedler ◴[] No.31276200{3}[source]
Do those apps need to be in the foreground? It kind of defeats the purpose if so.
88. Sohcahtoa82 ◴[] No.31277143{7}[source]
It made more sense to me for using a PiHole on my phone. I didn't want to expose a VPN port on my home network, and didn't want to deal with trying to tunnel VPN through SSH.

And the EC2 instance I installed it on was already being used for other toy projects, so it's not like it cost me anything. The additional egress bandwidth is likely fractions of a penny.

89. qrkourier ◴[] No.31277517[source]
I guess it's like anything else. You can trust someone a little to manage your crypto keys or you can do it yourself, whether it's PKI or a Bitcoin wallet. You have to know and do more to trust less. For me, it's a really great value if software makes DIY crypto convenient enough to do crypto stuff safely enough that I don't have to trust or pay a 3rd party and don't end up wrecked because I got in over my head. Like bowling bumpers, but for cryptography.
90. CMCDragonkai ◴[] No.31279829[source]
You said you can embed this in an application? What does that mean? Is this a C library that is embeddable?
replies(2): >>31282598 #>>31298783 #
91. PLG88 ◴[] No.31282574{5}[source]
Yes, outbound-only is great for the client side and, for me, table stakes. OpenZiti allows you to make the server side outbound-only too. Do you care about Log4Shell or Spring4Shell when your server is dark to the internet? Java Magazine recently did a piece on it as the OpenZiti team 'zitified Springboot' - https://blogs.oracle.com/javamagazine/post/java-zero-trust-o.... We also recently zitified Prometheus - https://openziti.github.io/articles/zitification/prometheus/...... private, outbound-only connectivity natively part of the code.
replies(1): >>31293744 #
92. PLG88 ◴[] No.31282598{3}[source]
You can literally embed private, outbound-only connectivity into your application code using one of the many SDKs - C, Java, Go etc. etc... here is a good overview: https://ziti.dev/. As you can embed inside your app, you can now build 'zitifications', which are apps which have native, private connectivity embedded on either the client or server side.

Here are a couple of cool articles on some we have already done:
- Springboot framework: https://blogs.oracle.com/javamagazine/post/java-zero-trust-o...
- Prometheus: https://openziti.github.io/articles/zitification/prometheus/...

93. vineyardmike ◴[] No.31288614{8}[source]
Yea, but my friends and family would rather have a service that just works, has apps, etc. instead of an open one. Tailscale is a good actor ~for now~ and ~for now~ that's good enough for us. Not every day in every situation can I be an activist. I have a list of alternatives incl. FOSS ones should I need them, but I'll cross that bridge only if I need to, since this JustWorks.

You can connect one person on a free plan, but each person can have their own free plan that you share devices between.

94. GekkePrutser ◴[] No.31293744{6}[source]
Oh that's interesting. But how do the server and clients manage to find one another then? Indeed an outbound-only server is a discerning feature and a huge security advantage.

I should really read up on it. I know... I will soon!

replies(1): >>31302874 #
95. qrkourier ◴[] No.31298783{3}[source]
Yes: https://github.com/openziti/ziti-sdk-c/
96. PLG88 ◴[] No.31302874{7}[source]
OpenZiti has an architecture of 'Edge' and 'fabric'. The Edge is at source and destination and outbound connects into the fabric. The fabric is SDN; the edge connects and authenticates/authorises to the controller based on embedded identity, then, based on policy and rules, outbound connects to the data plane using smart routing over the mesh. The fabric only 'listens' for endpoints which have embedded, correct identity, based on a process called 'bootstrapping trust' (there is a 5 part blog on this).

Clint and Ken did a really good ZitiTV on Friday which covered many of the cool superpowers of OpenZiti - https://www.youtube.com/watch?v=4wOGvZqN6Co&ab_channel=OpenZ...
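GekkePrutser asks above how server and clients find each other when the server never listens, and PLG88's answer is that both ends connect outbound into a fabric which admits only endpoints carrying a correct embedded identity. The following is an added illustration of that pattern, written for this thread in Python; it is not OpenZiti's code or a model of its protocol, and it is deliberately reduced: string tokens stand in for certificates, a single loopback relay stands in for the fabric, and the 'bind', 'dial' and 'echo-upper' names are invented for the example. What it does show is the property the thread is discussing: the service never opens a listening port, the relay refuses unknown identities and unauthorised (verb, service) requests before a single application byte flows, and a dialer for a service that has not bound gets nothing to talk to.

```python
import socket
import threading

# Constructed policy: token (stand-in for a certificate) -> the one (verb, service) it may do.
POLICY = {"svc-token-A": ("bind", "echo-upper"),   # the service endpoint
          "cli-token-B": ("dial", "echo-upper")}   # the client endpoint

def _recv_line(sock):
    buf = b""  # read one newline-terminated line byte by byte; returns '' on EOF
    while not buf.endswith(b"\n") and (chunk := sock.recv(1)):
        buf += chunk
    return buf.decode().rstrip("\n")

def _pipe(src, dst):
    """Copy bytes src -> dst until EOF, then half-close dst so the far end sees EOF too."""
    try:
        while data := src.recv(4096):
            dst.sendall(data)
        dst.shutdown(socket.SHUT_WR)
    except OSError:
        pass

class Relay:
    """The only component with a listening port; service and client both connect OUT to it."""
    def __init__(self):
        self.sock = socket.create_server(("127.0.0.1", 0))  # ephemeral loopback port
        self.port = self.sock.getsockname()[1]
        self.bound = {}                     # service name -> parked service socket
        self.lock = threading.Lock()
        self.bind_seen = threading.Event()  # lets run_demo wait for the service to bind
        threading.Thread(target=self._accept_loop, daemon=True).start()

    def _accept_loop(self):
        while True:
            conn, _ = self.sock.accept()
            threading.Thread(target=self._handle, args=(conn,), daemon=True).start()

    def _handle(self, conn):
        parts = _recv_line(conn).split()
        # Authenticate and authorise in one step: known identity, exact (verb, service) grant.
        if len(parts) != 3 or POLICY.get(parts[2]) != (parts[0], parts[1]):
            conn.sendall(b"DENIED\n")
            conn.close()
        elif parts[0] == "bind":
            with self.lock:
                self.bound[parts[1]] = conn  # park the service until a dialer arrives
            self.bind_seen.set()
        else:
            self._splice(conn, parts[1])

    def _splice(self, conn, service):
        """Pair a dialer with the parked service socket and pump bytes both ways."""
        with self.lock:
            svc = self.bound.pop(service, None)
        if svc is None:
            conn.sendall(b"NO-SERVICE\n")
            conn.close()
            return
        conn.sendall(b"OK\n")
        svc.sendall(b"OK\n")
        # Neither endpoint ever listened; the relay joins their two outbound flows.
        pumps = [threading.Thread(target=_pipe, args=pair, daemon=True)
                 for pair in ((conn, svc), (svc, conn))]
        for p in pumps:
            p.start()
        for p in pumps:
            p.join()
        conn.close()
        svc.close()

def serve_once(relay_port, token):
    """Service endpoint: connects OUT, binds its service, answers one request, exits."""
    s = socket.create_connection(("127.0.0.1", relay_port))
    s.sendall(f"bind echo-upper {token}\n".encode())
    if _recv_line(s) == "OK":               # relay says OK once a dialer is paired in
        s.sendall((_recv_line(s).upper() + "\n").encode())
    s.close()

def dial(relay_port, token, message):
    """Client endpoint: connects OUT and asks the relay for the service by name."""
    c = socket.create_connection(("127.0.0.1", relay_port))
    c.sendall(f"dial echo-upper {token}\n".encode())
    status = _recv_line(c)
    if status == "OK":
        c.sendall((message + "\n").encode())
        status = _recv_line(c)              # the service's reply
    c.close()
    return status                           # DENIED, NO-SERVICE, or the reply

def run_demo():
    relay = Relay()
    out = {"denied": dial(relay.port, "bogus-token", "hello"),
           "no_service": dial(relay.port, "cli-token-B", "hello")}
    svc = threading.Thread(target=serve_once, args=(relay.port, "svc-token-A"))
    svc.start()
    relay.bind_seen.wait(timeout=5)
    out["reply"] = dial(relay.port, "cli-token-B", "hello relay")
    svc.join(timeout=5)
    return out
```

Calling run_demo() walks the three paths in order: an unknown token is refused, an authorised client dialing before the service has bound gets NO-SERVICE, and once the service has connected outbound and bound, the client's "hello relay" is relayed and comes back as "HELLO RELAY". The point to take from it is where the exposure goes: the service host has nothing listening for a scanner to find, so the whole attack surface moves to the relay's admission check, which is why that check (the controller authenticating the embedded identity, in OpenZiti's terms) has to be the strongest part of such a design.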