Global software-defined networking

ZeroTier — Official Website
ZeroTier One remains the gold standard for users who need true Layer 2 Ethernet emulation over the internet. Its ability to handle multicast, legacy protocols, and complex bridging scenarios puts it in a league of its own compared to Layer 3 competitors. However, the reduction of the free tier to 10 devices and the slightly steeper learning curve compared to Tailscale prevent it from being the universal default. For network engineers, gamers, and power users, it is indispensable; for casual users just wanting to access a file server, it might be overkill.
`brew install --cask zerotier-one`

ZeroTier One is a sophisticated software-defined networking (SDN) application that creates secure, manageable virtual Ethernet networks over the public internet. Unlike traditional VPNs that tunnel traffic through a central gateway (Layer 3), ZeroTier functions as a global, encrypted virtual Ethernet switch (Layer 2). This unique architecture allows devices—regardless of their physical location—to communicate as if they were plugged into the same local switch, enabling capabilities like multicast, broadcast, and bridging that are often impossible with standard VPNs. Founded by Adam Ierymenko in 2011 (ZeroTier, Inc. formed in 2015), the software has evolved into a staple for network engineers, gamers, and DevOps professionals. In 2026, ZeroTier One remains a critical tool in the Mac ecosystem for users needing robust peer-to-peer mesh connectivity without the headache of port forwarding. The macOS client (currently v1.16.x series) runs as a menu bar app, seamlessly handling the virtual network interface creation while bypassing the need for legacy kernel extensions on modern macOS versions like Sequoia.
ZeroTier One fundamentally reimagines networking by decoupling the network interface from the physical wire, using a global addressing scheme that overlays the public internet.
Founded by Adam Ierymenko, ZeroTier emerged around 2011 with a vision to 'decentralize the internet's edge.' It incorporated as ZeroTier, Inc. in 2015. The project gained traction for its ability to traverse NATs effortlessly using a technique called 'hole punching.' Over the years, it pivoted from a purely open-source project to a sustainable SaaS model, notably reducing its free tier in 2024 to focus on enterprise sustainability while maintaining its core open-source engine (libzt).
ZeroTier operates on two distinct levels: VL1 (Virtual Layer 1) and VL2 (Virtual Layer 2). VL1 is the peer-to-peer underlay that handles encryption, packet signing, and path negotiation using the ZeroTier protocol (built on UDP). VL2 is the virtual Ethernet switch that users interact with. It uses distinct 10-digit Node IDs and 16-digit Network IDs. Security is enforced via Curve25519 (Diffie-Hellman) for key exchange and Salsa20/Poly1305 for packet encryption/authentication, similar to the NaCl crypto library.
The ecosystem has expanded beyond just desktop clients. ZeroTier is embedded in router firmware like Mikrotik (RouterOS) and Teltonika, allowing hardware-level bridging. Developers use the `libzt` SDK to embed ZeroTier directly into apps, allowing multiplayer gaming without hosting servers. The Terraform provider allows DevOps engineers to programmatically manage networks and flow rules, integrating network infrastructure directly into CI/CD pipelines.
Heading into late 2026, the roadmap focuses on 'Zero Trust' refinements. The team is enhancing the Flow Rules engine to support deep packet inspection (DPI) hooks and better integration with identity providers (IdP) for real-time authentication checks. Performance optimization for 10Gbps+ links and native Apple Silicon efficiency improvements (reducing battery drain on MacBooks) remain high-priority active development tracks.
ZeroTier's defining feature is its ability to emulate a physical Ethernet switch. Once joined to a network (via a 16-character Network ID), your Mac receives a virtual interface (e.g., `zt0`) with a private IP. Because it operates at Layer 2, it supports protocols that rely on local discovery, such as Bonjour, mDNS, and LAN game broadcasts. For example, you can host a Minecraft LAN server on your Mac in New York and have a friend in London join it immediately as if they were in the same room, with no router config required.
Managed via the central controller (my.zerotier.com), the Flow Rules engine is a stateless packet filtering firewall. It allows administrators to define granular security policies using a syntax similar to assembly or specific rule sets. You can block specific Ethernet frames, restrict traffic to certain TCP/UDP ports, or prevent specific nodes from communicating entirely. For instance, you could write a rule to `drop` all traffic to port 22 (SSH) except from your specific admin MacBook's Node ID, enforcing strict access control at the network edge.
ZeroTier allows you to push static routes to all connected clients automatically. This is configured in the web console's "Managed Routes" section. A common use case is "Split Tunneling," where only traffic destined for the private ZeroTier subnet (e.g., `10.147.20.0/24`) goes through the virtual interface, while your normal internet browsing uses your local ISP connection. Conversely, you can configure a "Full Tunnel" (0.0.0.0/0) to route all internet traffic through a specific exit node for privacy.
The ZeroTier protocol is transport-agnostic and can utilize multiple physical links simultaneously. If your Mac is connected via both Ethernet and Wi-Fi, ZeroTier can bond these connections for redundancy or load balancing (depending on configuration mode). In the `local.conf` file, users can fine-tune path selection policies, setting specific physical interfaces as "primary" or "backup," ensuring that your secure connection survives even if one physical link drops or becomes unstable.
While the data plane is peer-to-peer, network management is centralized. Users manage their networks via the ZeroTier Central web interface. Here, you authorize new members (preventing unauthorized access even if someone knows your Network ID), assign stable IP addresses, and view member status (online/offline/physical IP). For Mac users, the desktop client simply acts as the agent; all complexity is abstracted away to this cloud dashboard, making it easy to manage 50+ devices without touching each one individually.
Sarah is a freelance video editor using a MacBook Pro M4 who needs to access a 100TB NAS storage server located in her studio across town. Traditional VPNs are too slow and struggle with the SMB protocol's chattiness. She installs ZeroTier One on both her Mac and the studio's Synology NAS. Because ZeroTier provides Layer 2 connectivity, the NAS appears in her Finder sidebar via Bonjour discovery, just as if she were at the studio. The peer-to-peer connection maximizes her throughput by finding the most direct path, bypassing central VPN gateways, allowing her to render proxies directly from the remote drive.
Mike wants to play old-school LAN games (like Starcraft or Halo) with friends scattered across the country. These games rely on UDP broadcast packets to find 'local' lobbies, which standard VPNs (Layer 3) block or fail to route. Mike creates a ZeroTier network and shares the Network ID with his friends. Once they all join and authorize their nodes, ZeroTier's virtual Ethernet switch forwards the broadcast packets globally. The game client sees the other players as 'local,' bypassing the need for complex server hosting or port forwarding on his home router.
Elena manages a fleet of AWS EC2 instances and on-premise bare-metal servers. She needs a secure way to SSH into any of them from her Mac without exposing port 22 to the public internet. She installs ZeroTier on all servers and her laptop, creating a flat management network (172.24.0.0/16). Using Flow Rules, she locks down the network so that only her Node ID can initiate SSH connections. She no longer needs to manage bastion hosts or whitelist dynamic home IPs in AWS Security Groups; the overlay network creates a secure, private backplane accessible anywhere.
Getting ZeroTier running on macOS is straightforward, but users on macOS Sequoia (15.x) and later should be aware of new privacy permissions required for local network discovery.
If you haven't already, open Terminal and run: `/bin/bash -c "$(curl -fsSL https://raw.githubusercontent.com/Homebrew/install/HEAD/install.sh)"`
Run the following command in Terminal to install the cask: `brew install --cask zerotier-one`
Open ZeroTier One from your Applications folder. A menu bar icon will appear. **Crucial:** Go to System Settings > Privacy & Security > Local Network and toggle 'ZeroTier One' to ON to ensure connectivity.
Don't leave your network wide open. In the ZeroTier Central controller, use the Flow Rules section to drop all non-essential traffic. A simple `drop not ethertype ipv4;` rule can eliminate unnecessary IPv6 or ARP noise if not needed, or `accept dport 80; drop;` to lock down a web server node entirely.
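Because the Flow Rules engine is stateless, `accept dport 80; drop;` also discards the web server's replies (their destination is the client's ephemeral port) and every ARP frame. The Python sketch below is an added example, not ZeroTier's rule engine or code from this page: it models first-match evaluation over constructed packets and compares that rule set with an allow-list that drops only unapproved TCP connection attempts, including the admin-only SSH case described earlier; the Node IDs, ports and the `Pkt`/`evaluate` names are assumptions.

```python
from dataclasses import dataclass

ADMIN = "a1b2c3d4e5"  # constructed 10-digit Node ID, not a real node

@dataclass
class Pkt:
    src: str                 # sender's Node ID
    ethertype: str = "ipv4"  # "ipv4", "ipv6" or "arp"
    proto: str = "tcp"
    dport: int = 0
    syn: bool = False
    ack: bool = False

def evaluate(rules, pkt):
    """Stateless first-match filter: every packet is judged on its own."""
    for action, match in rules:
        if match(pkt):
            return action
    return "drop"  # assumption of this model: no match means drop

def is_tcp(p):
    return p.ethertype == "ipv4" and p.proto == "tcp"

# Model of the rule set quoted above: accept dport 80; drop;
NAIVE = [
    ("accept", lambda p: p.dport == 80),
    ("drop", lambda p: True),
]

# Allow-list by destination port, drop only new TCP connections
# (SYN without ACK) that were not allowed, accept everything else.
HARDENED = [
    ("accept", lambda p: is_tcp(p) and p.dport == 80),
    ("accept", lambda p: is_tcp(p) and p.dport == 22 and p.src == ADMIN),
    ("drop", lambda p: is_tcp(p) and p.syn and not p.ack),
    ("accept", lambda p: True),
]

# Constructed sample traffic
SAMPLES = {
    "client SYN to web :80": Pkt("1111111111", dport=80, syn=True),
    "web SYN+ACK to client :51000": Pkt("2222222222", dport=51000, syn=True, ack=True),
    "ARP request": Pkt("1111111111", ethertype="arp", proto=""),
    "admin SYN to :22": Pkt(ADMIN, dport=22, syn=True),
    "other node SYN to :22": Pkt("1111111111", dport=22, syn=True),
}

def verdicts(rules):
    return {name: evaluate(rules, p) for name, p in SAMPLES.items()}

if __name__ == "__main__":
    for name in SAMPLES:
        print(f"{name:30} naive={verdicts(NAIVE)[name]:6} hardened={verdicts(HARDENED)[name]}")
```

The same check applies to any rule set you write in ZeroTier Central: trace a request, its reply and an ARP frame through it before deploying.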
To access your home printers or routers remotely without installing ZeroTier on them, set up a 'Bridge' node. On the controller, add a Managed Route like `192.168.1.0/24 via [Bridge_Node_IP]`. This pushes a route to all clients, sending traffic for your home LAN through the bridge node seamlessly.
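Managed routes are pushed by the controller, so it is worth checking what a given set would actually redirect on a client. The Python sketch below is an added example, not ZeroTier code: it resolves the split-tunnel, bridge and full-tunnel routes discussed on this page by longest-prefix match, gated by the client's per-network `allowManaged` / `allowGlobal` / `allowDefault` switches; the gateway addresses, the default values shown and the private/public classification are simplifying assumptions.

```python
import ipaddress

# Client defaults as assumed here: managed routes on, the other two off.
DEFAULTS = {"allowManaged": True, "allowGlobal": False, "allowDefault": False}

# Constructed route table: targets are the page's examples, gateways are made up.
PUSHED = [
    {"target": "10.147.20.0/24", "via": None},           # the overlay subnet itself
    {"target": "192.168.1.0/24", "via": "10.147.20.5"},  # home LAN behind a bridge node
    {"target": "0.0.0.0/0", "via": "10.147.20.1"},       # full tunnel through an exit node
]

def required_setting(target):
    """Client switch a pushed route depends on (simplified classification)."""
    net = ipaddress.ip_network(target)
    if net.prefixlen == 0:
        return "allowDefault"
    if not net.is_private:
        return "allowGlobal"
    return "allowManaged"

def installed(pushed, settings):
    """Routes the client would install under its local settings."""
    return [r for r in pushed if settings[required_setting(r["target"])]]

def path_for(dst, routes):
    """Longest-prefix match: 'overlay', a gateway IP, or 'local ISP'."""
    addr = ipaddress.ip_address(dst)
    hits = [r for r in routes if addr in ipaddress.ip_network(r["target"])]
    if not hits:
        return "local ISP"
    best = max(hits, key=lambda r: ipaddress.ip_network(r["target"]).prefixlen)
    return best["via"] or "overlay"

if __name__ == "__main__":
    full = dict(DEFAULTS, allowDefault=True)
    for dst in ("10.147.20.7", "192.168.1.50", "93.184.216.34"):
        print(dst, "split:", path_for(dst, installed(PUSHED, DEFAULTS)),
              "| full:", path_for(dst, installed(PUSHED, full)))
```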
While ZeroTier defaults to an MTU of 2800, some restrictive ISP networks fragment large UDP packets, causing performance drops. If you experience lag, try lowering the MTU to 1280 in the specific network settings on your Mac (via `ifconfig` or the specific ZeroTier interface settings) to ensure packets fit through strict paths.
While ZeroTier dominates Layer 2 virtualization, competitors like Tailscale have gained massive traction for their ease of use in Layer 3 scenarios.
Tailscale (based on WireGuard) is generally easier to set up thanks to automatic key management and SSO integration (Google/Microsoft login). However, it operates at Layer 3 (IP only), meaning it doesn't support multicast or broadcast traffic natively like ZeroTier does.
Twingate focuses strictly on 'Zero Trust' access to specific services rather than connecting devices in a mesh. It does not provide a virtual network interface, making it more secure for corporate remote access but less flexible for power users or gamers.
Created by Slack, Nebula is an open-source, fully self-hosted mesh overlay. It offers incredible performance and security but lacks a user-friendly hosted controller like ZeroTier, requiring significant manual configuration via YAML files.
As of 2026, ZeroTier offers a **Basic** free plan that supports up to **10 authorized devices** (reduced from 25 in 2024) and 1 admin seat. This is sufficient for personal home labs or small gaming groups. The **Essential** plan starts at ~$5/month plus $2/device/month, adding features like SSO (Single Sign-On) and audit logs. Enterprise plans are available for large-scale deployments. They also offer community support for free users, while paid plans receive priority ticketing.
ZeroTier boasts a highly technical and active community. The official forum (discuss.zerotier.com) is the primary hub where developers and power users troubleshoot routing logic and scripting. The GitHub repository is active with issue tracking, though response times from official staff can be slower for free users. There is a robust subreddit (r/zerotier) where users share specific Flow Rule configurations and self-hosting tips (specifically for 'Moon' setups). Documentation is comprehensive but leans towards technical users, assuming some knowledge of networking concepts.
Last verified: Feb 15, 2026
Accessed Feb 15, 2026