Great question. I am in the process of creating some public documentation for the OpenZiti project vs [insert tech]. OpenZiti is more akin to Wireguard (i.e., open source); CloudZiti is more comparable to Tailscale (hosted SaaS).
Here are some short bullets vs Wireguard (with references to Tailscale).
- Rather than connecting machines, Ziti cares about connecting "services" with zero trust networking concepts. This can be summarised as Wireguard being 'default-open' whereas ZT is 'default-closed'. Wireguard is normally combined with a firewall to deliver ACLs and network segmentation controls.
- Whereas WireGuard securely encapsulates IP packets over UDP and uses hole punching, OpenZiti uses TCP and a mesh overlay (with outbound-only connections at source and destination). This is how Tailscale implements Wireguard to ensure it works easily in all situations. All of this is open-source and native to OpenZiti, not in Wireguard.
- Due to OpenZiti's use of identity in the endpoints and fabric for routing, you also get private DNS, unique naming and outbound connections. No need to use floating or static IPs, easily handle overlapping, and have no need for port forwarding or NAT issues.
- While with OpenZiti you can start with "network-based zero trust" (installing a router in private IP space) and progress to "host-based zero trust" (using an agent/tunneller), it also has a suite of SDKs to embed in apps themselves for "application-based zero trust".
P.S., OpenZiti uses the Windows TUN (WinTun) that the Wireguard project made as (at least) part of our Windows tunneler. Thanks, Wireguard!
We keep working on actual benchmarking but it's somewhat tricky to get reliable numbers... We're working on it now. Sometimes it's 'favorable' sometimes it's not. That's kind of a non-committal answer from me, but that's the best I've got for you at this time.
I'd expect wireguard to often be faster due to its protocol/implementation. I've seen people complain about wireguard if you don't set the MTU. Maybe you'll try them both out and blog about it??? :) (that'd be pretty cool regardless of the outcome tbh).
What I usually tell people is that I use OpenZiti/zrok all the time. As a human, I don't even notice it. Sorry we don't have better details at this time, but hopefully that's a reasonable answer.
I am a dev on the OpenZiti project. I personally think Tailscale is more similar to OpenZiti. It's making wireguard administration really easy.
zrok is very clearly based heavily on inspiration from the amazing tool called ngrok. If you haven't checked them out you should. They are widely loved for lots of good reasons. Other products/projects in this category are Tailscale's funnels or Cloudflare tunnels.
Key differences to ngrok are it being fully open source and fully self hostable. zrok allows you to do public/anonymous type sharing too but also has this private sharing feature that you might find neat. Basically it'll hide your app behind two "localhost" type proxies all transparently (to most people).
I just looked up ngrok right now and it looks really cool, but I wonder what people actually use it for? Are people actually running production software this way, or is it just for sharing e.g. demos with coworkers? If the latter, it seems to me like a narrow use case that can already be served by automated devops stuff.
Again this is new to me, so I'm probably missing some obvious use cases. Do you use it for anything in particular?
- showing a POC running locally / quick demo / short-term project
- debugging an incoming webhook or the like.
Let’s say you have a service where you can register a URL, and that the service will post an HTTP request to you when an event occurs.
I use ngrok, piped to a local handler. It’s convenient
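A minimal version of the "local handler" described in the comment above, added here as an example (not code from the thread or from the ngrok/zrok projects). It is the kind of listener you would bind on localhost and expose through a tunnel or share while debugging a third party's webhook deliveries: it logs each raw request, rejects bodies that are not JSON, and checks a request signature before accepting an event. The header name, the HMAC-SHA256-over-body scheme and the shared secret are assumptions made for illustration; real providers document their own signing schemes.

```python
"""Local webhook receiver for debugging provider callbacks through a tunnel.

Added example, not code from the thread. The signature scheme (header name,
HMAC-SHA256 over the raw body, hex digest) and the secret are assumptions.
"""
import hashlib
import hmac
import json
from http.server import BaseHTTPRequestHandler, HTTPServer
from typing import Dict, Optional, Tuple

# Shared secret the provider would have been configured with (constructed value).
WEBHOOK_SECRET = b"example-shared-secret"
# Assumed header carrying the signature; providers use their own names.
SIGNATURE_HEADER = "x-signature"

# In-memory record of accepted events, so a debugging session can inspect them.
RECEIVED_EVENTS = []


def compute_signature(secret: bytes, body: bytes) -> str:
    """HMAC-SHA256 over the raw request body, hex encoded."""
    return hmac.new(secret, body, hashlib.sha256).hexdigest()


def verify_signature(secret: bytes, body: bytes, presented: Optional[str]) -> bool:
    """Compare the presented signature with the expected one in constant time."""
    if not presented:
        return False
    return hmac.compare_digest(compute_signature(secret, body), presented)


def handle_webhook(headers: Dict[str, str], body: bytes) -> Tuple[int, dict]:
    """Validate and record one delivery; returns (HTTP status, response body).

    Kept free of socket I/O so it can be exercised directly in tests.
    """
    lowered = {k.lower(): v for k, v in headers.items()}  # header names are case-insensitive
    if not verify_signature(WEBHOOK_SECRET, body, lowered.get(SIGNATURE_HEADER)):
        return 401, {"error": "bad signature"}
    try:
        event = json.loads(body)
    except ValueError:
        return 400, {"error": "body is not JSON"}
    if not isinstance(event, dict) or "type" not in event:
        return 400, {"error": "missing event type"}
    RECEIVED_EVENTS.append(event)
    return 200, {"ok": True, "type": event["type"]}


class WebhookHandler(BaseHTTPRequestHandler):
    """Thin HTTP wrapper: reads the body, prints the raw delivery, delegates."""

    def do_POST(self):
        length = int(self.headers.get("Content-Length", 0))
        body = self.rfile.read(length)
        status, payload = handle_webhook(dict(self.headers.items()), body)
        # Show exactly what the provider sent, which is the point of the exercise.
        print(f"{self.command} {self.path} -> {status} body={body!r}")
        data = json.dumps(payload).encode()
        self.send_response(status)
        self.send_header("Content-Type", "application/json")
        self.send_header("Content-Length", str(len(data)))
        self.end_headers()
        self.wfile.write(data)


def serve(port: int = 8080) -> None:
    """Listen on localhost only; the tunnel/share in front of it provides the public URL."""
    HTTPServer(("127.0.0.1", port), WebhookHandler).serve_forever()


if __name__ == "__main__":
    serve()
```

Binding to 127.0.0.1 means the only way in is through whatever tunnel or share you deliberately point at the port, and the signature check means a stray request that reaches the public URL does not get recorded as an event.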
Easily sharing local resources is a common need as a dev, for sure. If I'm making changes to a web form, updating online doc, etc. it's dreadfully convenient to just share that resource for some short amount of time...
I've used similar tech when collaborating with a fella recently, he stood up a vault server and I hit his private API over an ngrok share because that was the tool he had used, liked and was familiar with.
It's just super handy to do that sort of thing when/as you need to
This is the thing. I used it for debugging stripe and AWS SNS webhooks a bunch last year.
However, ngrok totally lost its soul in the past few years. It looks like the pricing was lowered again recently, but for a while there they had no “personal” or ~indie priced plan.
Meanwhile they did a feature takeaway from annual subscribers, and a less than good transition of those plans to their new system and pricing tiers.
If you go to ngrok.com right now there is a big header banner that reads: “Announcing 50M round for API-first ingress-as-a-service.”
This service used to be run by maybe one or two people. I could not be less interested in a developer tool that treats VC funding as something I should be excited about. The product was good the way it was.
I’m glad whoever was involved seems to have found an exit of some kind—but all that is to say zrok looks great. I won’t renew my ngrok sub, and will go through the trouble of updating the saved dev testing URLs at stripe and AWS.
yes, zrok is open source and tailscale is not. zrok has a private share mode in which you share the resource without any internet exposure (not even temporary) - nice for security and cases where you need 2 or more private enviros (rfc 1918 space) to talk w/o opening any ports.
if your question was centered on the compare between wireguard and openziti. both are open source network overlay solutions and both have large scale saas options (e.g. cloudziti from netfoundry; tailscale for wireguard).
4 key differences between openziti vs wireguard are (1) app vs. device; (2) p2p tunnel vs full mesh; (3) management model; (4) security model. it mainly comes down to what your use case needs and doesn't need.
(1) app vs. device
the atom of wireguard is a device. the atom of openziti is an app. devs embed openziti directly into the process space of an app or api as code (using openziti sdks) such that installing your app spins up a zero trust overlay for your app w/o distributing agents. alternatively you can use openziti agents for mobile, desktop, cloud edge, etc. in that model, the agents are still app-specific, e.g. only services you specify go on the overlay; rest are ignored.
(2) vpn vs. sdn-like mesh
wireguard gives you p2p tunnels like most vpns. openziti gives you control of a full mesh, latency optimized network - like a programmable sdn. if you want x connections from a given machine (e.g. an api to cloud1, a different service to cloud2, some other app to cloud3) then openziti is designed to make that simple for you. if you want a single device level tunnel for all data, then wg may be for you.
(3) management model
with wg, you manage certs, p2p tunnels, restrictions/ACLs (tailscale etc help you with much of this but then you are buying a closed source product). openziti builds all this into the foss for you. you even control the full mesh fabric (programmable ziti routers) listed above. so wg may be simpler if you have a limited # of endpoints, routes and restrictions to manage.
(4) security and compliance model
openziti provides mTLS, X.509 based identities, private DNS, e2e encryption all the way to the process space of the app (see item #1 above), default least privileged access, mfa, posture checks, etc. that is overkill for some uses - it does carry some complexity with it - wireguard may be a better choice for those cases.