gsliepen / tinc

a VPN daemon
http://tinc-vpn.org/

Handling 100+ groups? (+1 master) #453

Open PizzaProgram opened 5 months ago

PizzaProgram commented 5 months ago

I'd like to ask the community:

No PCs should ever be allowed to go to the internet through the VPN, but only see the other PCs + phones in the same group. (Clients are: [200+ Win7 32bit clients = POS PCs] + [30+ Win10/11] + some MurenaOS / Android / iPhones + some iOS laptops)

10.11.1.0/24 BestPizzaShop-Town1
10.11.2.0/24 PepperoniPizzaShop-Town2
...
10.11.252.0/16 MASTER group << to rule them all ;-)

(PS: I'm an experienced sysadmin + programmer, tried SoftEtherVPN + OpenVPN + WireGuard + HeadScale + many others before. So far I've liked ZeroTier -> self-hosted the most, but the connection with it is unstable.)

Thanks in advance for any help / experience! 😺

gsliepen commented 5 months ago

The safest approach is to run a separate VPN for each group. You can have a master node that is part of multiple VPNs; the drawback is that it then needs to run multiple tinc daemons, one for each VPN it is part of.

There is no official GUI for tinc, but the tinc 1.1 branch has a CLI that allows you to list the nodes and the addresses they are assigned.
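One way to lay out the design the maintainer describes on the master, as an added example that is not tinc's own code nor anything posted in this issue: a small POSIX shell script that generates one tinc network directory (netname) per group, so the master runs one daemon per group, each on its own port. No host file announces `Subnet = 0.0.0.0/0` and the tinc-up adds no default route, which is what keeps clients from using the VPN as an internet gateway. The netnames, the `.254` master address inside each group's /24, the placeholder hostname `master.example.invalid`, the per-daemon ports and the two-group table are assumptions made for this example; the tinc-up is written for a Linux master.

```shell
#!/bin/sh
# Added example, not part of tinc or this issue: generate one tinc
# network ("netname") per group on the master, as the maintainer
# suggests. Each netname gets its own tinc.conf, hosts/ dir and tinc-up,
# so the master runs one daemon per group (tincd -n NETNAME). Nothing
# here announces Subnet = 0.0.0.0/0, so no client can route to the
# internet through the VPN. Netnames, the .254 master address in each
# /24, the placeholder hostname and the ports are assumptions.
set -eu

# Constructed group table (assumption): netname, group subnet,
# master's address in that group, port this daemon listens on.
# Two daemons on one host cannot both use the default port 655.
GROUP_TABLE="town1 10.11.1.0/24 10.11.1.254 655
town2 10.11.2.0/24 10.11.2.254 656"

# gen_tinc_net NETNAME MASTER_NAME GROUP_CIDR MASTER_IP PORT ROOT
# Writes ROOT/NETNAME/{tinc.conf,hosts/MASTER_NAME,tinc-up,tinc-down};
# copy ROOT/NETNAME to /etc/tinc/NETNAME on the master. Prints the dir.
gen_tinc_net() {
    net="$1"; master="$2"; cidr="$3"; master_ip="$4"; port="$5"; root="$6"
    dir="$root/$net"
    mkdir -p "$dir/hosts"

    # Router mode (tinc's default): packets are only forwarded to
    # addresses that some node announces with a Subnet line.
    cat > "$dir/tinc.conf" <<EOF
Name = $master
Mode = router
Interface = tinc_$net
EOF

    # The master announces only its own /32 inside this group and
    # listens on a per-group port. No 0.0.0.0/0 and no NAT: no internet.
    cat > "$dir/hosts/$master" <<EOF
Address = $master.example.invalid
Port = $port
Subnet = $master_ip/32
EOF

    # Linux tinc-up: address the tunnel with the group's prefix length,
    # which yields a connected route for that /24 and nothing else.
    cat > "$dir/tinc-up" <<EOF
#!/bin/sh
ip link set "\$INTERFACE" up
ip addr add $master_ip/${cidr#*/} dev "\$INTERFACE"
EOF
    cat > "$dir/tinc-down" <<EOF
#!/bin/sh
ip link set "\$INTERFACE" down
EOF
    chmod 755 "$dir/tinc-up" "$dir/tinc-down"
    echo "$dir"
}

# gen_all ROOT: generate every group in GROUP_TABLE under ROOT.
gen_all() {
    printf '%s\n' "$GROUP_TABLE" | while read -r net cidr master_ip port; do
        [ -n "$net" ] || continue
        gen_tinc_net "$net" master "$cidr" "$master_ip" "$port" "$1" >/dev/null
    done
}

# count_nets ROOT: number of independent VPNs, i.e. daemons, on the master.
count_nets() {
    n=0
    for d in "$1"/*/; do
        if [ -d "$d" ]; then n=$((n + 1)); fi
    done
    echo "$n"
}

# check_no_default_route ROOT: fail if any host file announces
# 0.0.0.0/0, which would make that node a VPN-wide internet gateway.
check_no_default_route() {
    if grep -rqs 'Subnet *= *0\.0\.0\.0/0' "$1"; then
        return 1
    fi
    return 0
}

# Stand-alone run: write the configs to a scratch directory.
OUT="${TINC_OUT:-$(mktemp -d)}"
gen_all "$OUT"
if check_no_default_route "$OUT"; then
    echo "$(count_nets "$OUT") tinc networks written under $OUT"
fi
```

After copying each generated directory to `/etc/tinc/<netname>/` on the master, start one daemon per group (`tincd -n town1`, `tincd -n town2`, and so on). Each client belongs to exactly one netname, carries the master's host file (with its `Address` and per-group `Port`) plus a `ConnectTo = master` line, and announces only its own `/32`; tinc's router mode then never forwards traffic between groups or to addresses nobody announced. The `check_no_default_route` function is the pre-deployment check worth keeping around: a single `Subnet = 0.0.0.0/0` slipped into any host file would silently turn that node into the internet gateway the question wants to rule out.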