Port 9993: ZeroTier — The Internet as One Network

Port 9993 is the primary communication channel for ZeroTier, a peer-to-peer virtual networking system that makes devices scattered across the Internet behave as if they're on the same local network. Every ZeroTier client on every platform—Windows, macOS, Linux, iOS, Android—uses UDP port 9993 for controller contact, peer discovery, and establishing direct encrypted connections.¹²

What ZeroTier Does

ZeroTier is a distributed network hypervisor built on top of a cryptographically secure global peer-to-peer network. It provides software-defined networking (SD-WAN) capabilities that traditionally required expensive enterprise hardware.³

When two devices running ZeroTier want to communicate, they use sophisticated techniques—STUN, UDP hole punching, similar to WebRTC's ICE protocol—to establish direct peer-to-peer connections through NAT. Port 9993 is where this happens. Your laptop in a coffee shop can talk directly to your server in a data center as if they were plugged into the same Ethernet switch.⁴

The protocol operates in two layers: VL1, a cryptographically addressed peer-to-peer network, and VL2, an Ethernet emulation layer similar to VXLAN. All traffic is encrypted end-to-end with 256-bit encryption.⁵

The Origin Story

In 2011, Adam Ierymenko was working inside a U.S. government project and became frustrated by how slow and manual networking was. He wanted it to be effortless to connect devices directly while supporting privacy and decentralization. So he started building what would become ZeroTier.⁶

Ierymenko had been programming since the 1980s, starting on a Commodore VIC-20. He released ZeroTier publicly in 2013 as an open-source project. The tagline on the GitHub repository captures the ambition: "A Smart Ethernet Switch for Earth."⁷

The pandemic accelerated adoption—usage grew up to 20% per month. During that time, Ierymenko also battled cancer. The company raised funding from Anorak Ventures, Bonfire Ventures, and Battery Ventures. In 2024, Andrew Gault stepped in as CEO, freeing Ierymenko to focus on building next-generation products as CTO.⁶

How It Works

ZeroTier uses a controller-agent architecture. Devices run a local software agent. Network membership and configuration are managed by a controller—the brain of the virtual network that decides who can join, what addresses they get, and what rules they follow.³

The only port the client needs is UDP 9993 outbound. If your computer has a local firewall, you allow traffic to and from UDP 9993. That's it. ZeroTier handles the rest—route discovery assisted by a global network of root servers, NAT traversal, encryption, peer-to-peer connections whenever possible.²⁸

When direct peer-to-peer connections aren't possible, ZeroTier can relay traffic through intermediate nodes. But the goal is always direct: your packets should flow from you to the destination without unnecessary hops.

Why This Matters

Traditional VPNs route all your traffic through a central server. Hardware SD-WAN solutions cost thousands of dollars. ZeroTier treats the entire Internet as one giant Ethernet switch and makes it free and open source.

Port 9993 is where that happens. Every encrypted tunnel. Every peer discovery. Every time a device behind NAT successfully punches through and establishes a direct connection to another device halfway around the world.

Ierymenko wanted networking to be effortless. Port 9993 is the proof that it can be.

Security Considerations

ZeroTier employs a zero-trust networking model with strong 256-bit end-to-end encryption. Traffic on port 9993 is encrypted by design.⁵

If you're running ZeroTier, ensure your firewall allows UDP 9993. The official installation packages on Windows configure this automatically. On other systems, you may need to manually allow outgoing source port 9993 and incoming related return traffic.⁸

Because ZeroTier creates virtual network interfaces and can route traffic between networks, proper network configuration is essential. Don't join untrusted networks. Don't expose services you don't intend to share.

Related Ports

• Port 443 (TCP): Used by ZeroTier Central REST API for network management (optional, not required by the agent)²
• Port 1194 (UDP): OpenVPN's default port, another VPN solution ZeroTier often replaces
• Port 51820 (UDP): WireGuard's default port, a modern VPN protocol with similar peer-to-peer capabilities