I’m just looking for a sanity check and wisdom regarding a slightly different setup for an SSH (and some other minor service) host.
I have a working ziti network, and it’s great. So now there’s one thing I want to add, with a catch. It’s a laptop that hosts some stuff (notably sshd), but it’s not always on the same network as everything else, and it (being a laptop) doesn’t necessarily have much uptime.
So I was thinking maybe giving the laptop a router that lets it bind something like ssh-laptop.ziti, pointing to localhost:22, so that in theory, anyone else with the right access can ssh into it via the same ziti address, whether it is in a random hotel or on a site out of country.
Is this something that is possible?
I assume it needs a bit more than the plain ziti-edge-tunnel, so perhaps I need to put a full router on the laptop, or is there a more streamlined or specific tool that’s more appropriate for the task?
Does the laptop need to have ports open? E.g., will it work even if it’s on a hotel network, where I can’t control that?
This probably means that it’s also hard to give the router a DNS name that points somewhere that will remain consistent, so is this a non-starter?
I agree with @frm, you would just need a tunneler running on that laptop. You then allow that tunneler to 'bind' whatever services you wish: ssh, rdp, whatever. I do this all the time with my laptop when I travel to work, my family's house etc.
As @frm says, you just need to make sure the controller and a router are available from whatever network you're connecting from.
I suppose the only caveat would be if you are using an IP address as your targeted service. For example, if you are using the IP address from your home network, something like 192.168.1.100, and you are using that IP as the intercept address of your service, and if you are forwarding that address (it's a lot of IFs here, but it's the only caveat I can think of), then when you move to a separate network you'll no longer be in that 192.168.x.x address space and that ssh connection will fail. Hopefully you're familiar enough with OpenZiti to know that using an IP is not necessary. If you instead use a hostname to ssh to, or use a link local address 127.0.0.1 instead, this won't be a problem. So it's possible I suppose that you could run into some small challenges, but it should be pretty easy to overcome that particular challenge.
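The setup described in the reply above, written out as an added example (this is not code from the thread or from the OpenZiti project): a host.v1 config pointing the laptop's own tunneler at 127.0.0.1:22, an intercept.v1 config on a hostname rather than a LAN IP, the service tying them together, and separate Bind and Dial policies so only the laptop's identity can host the service and only chosen identities can reach it. The service name `ssh-laptop`, the intercept name `ssh-laptop.ziti` and the role attributes `#ssh-laptop-host` / `#ssh-laptop-client` are assumptions for illustration. The `ziti` commands only run when the script is invoked with `apply` and assume a `ziti` CLI already logged in to the controller.

```shell
#!/bin/sh
# Added example (not from the thread): publish a roaming laptop's sshd as an
# OpenZiti service. Names below are assumptions, not identifiers from the post.
set -eu

SERVICE_NAME="${SERVICE_NAME:-ssh-laptop}"        # assumed name
INTERCEPT_HOST="${INTERCEPT_HOST:-ssh-laptop.ziti}" # assumed intercept hostname

# host.v1 config: what the binding tunneler on the laptop connects to.
# 127.0.0.1 is the laptop's own loopback, so it resolves the same in a hotel
# as at home; a LAN IP here would break as soon as the laptop changes network.
host_config_json() {
  # $1 = address, $2 = port
  printf '{"protocol":"tcp","address":"%s","port":%s}' "$1" "$2"
}

# intercept.v1 config: the name and port that dialing tunnelers answer for.
intercept_config_json() {
  # $1 = hostname, $2 = port
  printf '{"protocols":["tcp"],"addresses":["%s"],"portRanges":[{"low":%s,"high":%s}]}' \
    "$1" "$2" "$2"
}

# The caveat from the reply: an intercept address that is a bare LAN IP only
# makes sense on that LAN. Returns 0 for a hostname or a 127.x loopback
# address, 1 for any other IPv4 literal (e.g. 192.168.1.100).
intercept_address_ok() {
  case "$1" in
    127.*)      return 0 ;;   # loopback literal is fine anywhere
    *[!0-9.]*)  return 0 ;;   # contains letters/dashes: treat as a hostname
    *)          return 1 ;;   # digits and dots only: a non-loopback IPv4 literal
  esac
}

create_ssh_service() {
  if ! intercept_address_ok "$INTERCEPT_HOST"; then
    echo "refusing LAN IP intercept address $INTERCEPT_HOST; use a hostname" >&2
    return 1
  fi
  ziti edge create config "$SERVICE_NAME.host.v1" host.v1 \
    "$(host_config_json 127.0.0.1 22)"
  ziti edge create config "$SERVICE_NAME.intercept.v1" intercept.v1 \
    "$(intercept_config_json "$INTERCEPT_HOST" 22)"
  ziti edge create service "$SERVICE_NAME" \
    --configs "$SERVICE_NAME.host.v1,$SERVICE_NAME.intercept.v1"
  # Least privilege per service: only the laptop's identity (tagged
  # #ssh-laptop-host) may bind; only #ssh-laptop-client identities may dial.
  ziti edge create service-policy "$SERVICE_NAME.bind" Bind \
    --service-roles "@$SERVICE_NAME" --identity-roles '#ssh-laptop-host'
  ziti edge create service-policy "$SERVICE_NAME.dial" Dial \
    --service-roles "@$SERVICE_NAME" --identity-roles '#ssh-laptop-client'
}

# Only talk to the controller when explicitly asked:  sh ssh-laptop.sh apply
if [ "${1:-}" = "apply" ]; then
  create_ssh_service
fi
```

After the policies exist, tag the laptop's identity with the host role and any client identity with the client role (`ziti edge update identity NAME --role-attributes ssh-laptop-host`), and the laptop's existing ziti-edge-tunnel will pick up the bind; nothing needs to be opened on the hotel network because the tunneler only makes outbound connections to the controller and an edge router.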
I was under the mistaken impression that the actual endpoints (e.g., sshd) would need to be accessible from the router itself for this to function, but it seems like that’s actually controlled mostly by the identity attached to the tunneler, and the existing ziti-edge-tunnel (that the laptop was already using to access other stuff) seems to be fine for it!
It’ll get put into a live test in a few weeks, but it seems to be functioning as intended in my initial try. Thank you for the advice, I was going down a much more complicated direction, haha.