I am building a small lab model. Currently I have created router-public and router-private with the console (https://192.168.160.50:1280/zac/). I want to deploy the controller (192.168.160.50:1280) on VMnet8, router-public (machines in the external network will connect to this router with an IP belonging to card VMnet8), and router-private (servers and clients in the network will connect to this router with card VMnet2, 192.168.220.0), all deployed on the same Ubuntu machine (controller and routers).
But the problem is that I can verify the routers but can't get them online.
Hi @HooangF4t, welcome to the community and to OpenZiti (and zrok/BrowZer)!
If you can start the routers, but they can't come online, there is likely a problem with your configuration files.
Recently I added a couple of commands to the ziti CLI to try to help with situations like this. Try running ziti ops verify-traffic and ensure you can successfully pass traffic. If you cannot, then use ziti ops verify-network and point it at your config files to try to learn what is wrong and why.
For example, I removed my router's edge port, and this failure is shown when running ziti ops verify-traffic:
A successful run will look like this, indicating you have successfully tested the overlay by sending traffic:
Honestly, I still don't understand how to get the router online. I will describe in detail the process by which I created and verified them:
First I create the routers and get the tokens to start the verification:
ziti edge create edge-router router-public -o /opt/openziti/etc/router-public.jwt
ziti edge create edge-router router-private -o /opt/openziti/etc/router-private.jwt
Then I used the bootstrap.bash command that the Router Deployment | OpenZiti page recommends:
root@ubuntu-virtual-machine:/opt/openziti/etc/router# sudo /opt/openziti/etc/router/bootstrap.bash
Router enrollment token as string or path [required]: /opt/openziti/etc/router/router-private.jwt
INFO: bootstrap completed successfully and will not run again. Adjust /var/lib/private/ziti-router/config.yml to suit.
Then I have to delete the old memory if I want to run bootstrap.bash again for the next router.
root@ubuntu-virtual-machine:/opt/openziti/etc/router# sudo rm -rf /var/lib/private/ziti-router/
root@ubuntu-virtual-machine:/opt/openziti/etc/router#
root@ubuntu-virtual-machine:/opt/openziti/etc/router# sudo /opt/openziti/etc/router/bootstrap.bash
Router enrollment token as string or path [required]: /opt/openziti/etc/router/router-public.jwt
INFO: bootstrap completed successfully and will not run again. Adjust /var/lib/private/ziti-router/config.yml to suit.
Ok, now I have 2 routers verified but not online, and I don't know how to run them. Of course I tried the basic commands from the video and also asked ChatGPT, but still failed; it suggested that I run the json file or yml file of router-private/router-public, but of course it didn't work.
I also tried running your suggested command to see if the traffic was transmitted successfully, but of course it didn't work because both of my routers were just registered and not running yet.
In order for a router to come online, it will need to be able to communicate to the controller. What is the address of the controller? Do the router logs show anything? I would expect them to have some kind of communication problem.
How are you creating the router configuration files? (I see you're using the deployment router and bootstrap.bash.) Inside the configuration files you need to specify the location of the controller's control plane:
ctrl:
  endpoint: tls:127.0.0.1:6262
If you ssh to a router, can you use openssl to connect to that address?
It might be easier if you show me exactly the commands you ran. Perhaps you're not setting the proper variables when running bootstrap.bash?
Thank you for your support, I am very sorry for the unclear questions. Maybe I misunderstood the principle and configuration, let me confirm it again!
First we either go to the console or create a JWT file (token) for the new router with the command.
For example:
root@ubuntu-virtual-machine:/opt/openziti/etc# ziti edge create edge-router router-public -o /opt/openziti/etc/router-public.jwt
New edge router router-public created with id: 9RmfrN.HpR
Enrollment expires at 2024-12-16T06:52:35.114Z
Then we run bootstrap.bash to register (verify) the newly created router with the controller and at the same time create the configuration files of that router (sudo /opt/openziti/etc/router/bootstrap.bash, then paste the path of the JWT file or token of the newly created router):
root@ubuntu-virtual-machine:/opt/openziti/etc# sudo /opt/openziti/etc/router/bootstrap.bash
Router enrollment token as string or path [required]: /opt/openziti/etc/router-public.jwt
INFO: bootstrap completed successfully and will not run again. Adjust /var/lib/private/ziti-router/config.yml to suit.
At this point, the newly created router has a green light.
Next, we move all the configuration files of the currently registered router-public from this ziti-router directory to a new directory named router-public, so that we can create a new router in the ziti-router directory using the bootstrap.bash command. Similarly, when creating and registering the new router, router-private, we move all the configuration files of that new router to a directory such as router-private.
Then we start the 2 routers that have been moved to their own directories to bring their status to online, right?
The command I found for running the router file to switch it to Online status is:
root@ubuntu-virtual-machine:/opt/openziti/etc# ziti router run /opt/openziti/etc/router/router-public/router-public.yml (here I renamed the router configuration file from config.yml to router-public.yml)
I expect this is where you are going wrong. Inside the router's config file is a path that points to the key/cert/ca bundle for the router. When you run bootstrap.bash you are likely getting full paths referenced inside that config file. When you move the files, it doesn't sound like you are also editing the paths inside the config file. Could you check the router-public config file and make sure the identity block at the top is correct? I suspect it's not.
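The two failure modes discussed in this thread (a ctrl endpoint the router cannot reach, and an identity block whose key/cert/ca paths still point at the old bootstrap directory after the files were moved) can both be checked before running ziti router run. The script below is an added example, not code from the thread or from the OpenZiti project. It assumes the router config layout described above: an identity: block whose cert, server_cert, key and ca values are absolute file paths, and a ctrl: block with endpoint: tls:host:port. The certs/ file names in the constructed sample config are assumptions; only the config.yml location and the endpoint form come from the thread.

```python
"""Sanity-check an OpenZiti router config.yml before `ziti router run`.

Checks: (1) every identity path exists on disk, (2) the controller's
control plane accepts a TLS handshake using the router's own CA bundle,
the same thing `openssl s_client -connect host:port -CAfile ca.pem` shows.
"""
import os
import re
import socket
import ssl

IDENTITY_KEYS = ("cert", "server_cert", "key", "ca")

# Constructed sample config (file names under certs/ are assumed).
SAMPLE_CONFIG = """\
v: 3
identity:
  cert: /var/lib/private/ziti-router/certs/cert.pem
  server_cert: /var/lib/private/ziti-router/certs/server.pem
  key: /var/lib/private/ziti-router/certs/key.pem
  ca: /var/lib/private/ziti-router/certs/ca.pem
ctrl:
  endpoint: tls:127.0.0.1:6262
"""


def parse_router_config(text):
    """Minimal parser for the two top-level blocks we care about.

    Returns {"identity": {...}, "ctrl": {...}}. Only `key: value` lines
    indented under a top-level `identity:` or `ctrl:` are collected.
    """
    result = {"identity": {}, "ctrl": {}}
    section = None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()
        if not line.strip():
            continue
        if not line.startswith(" "):
            # Top-level key: track it only if it is a block we understand.
            name = line.rstrip(":").strip()
            section = name if name in result else None
            continue
        if section and ":" in line:
            key, value = line.strip().split(":", 1)
            result[section][key.strip()] = value.strip()
    return result


def missing_identity_files(config, exists=os.path.exists):
    """Identity keys whose file path does not exist (injectable for tests)."""
    identity = config["identity"]
    return [k for k in IDENTITY_KEYS if k in identity and not exists(identity[k])]


def rewrite_identity_paths(text, old_dir, new_dir):
    """Rewrite identity paths rooted at old_dir to new_dir.

    This is the edit needed after moving a bootstrapped router directory;
    the ctrl block and everything else is left untouched.
    """
    old_prefix = old_dir.rstrip("/") + "/"
    out, in_identity = [], False
    for raw in text.splitlines():
        if raw.strip() and not raw.startswith(" "):
            in_identity = raw.strip() == "identity:"
        if in_identity and raw.startswith(" ") and ":" in raw:
            key, value = raw.split(":", 1)
            value = value.strip()
            if value.startswith(old_prefix):
                raw = "%s: %s/%s" % (key, new_dir.rstrip("/"), value[len(old_prefix):])
        out.append(raw)
    return "\n".join(out) + "\n"


def parse_ctrl_endpoint(endpoint):
    """'tls:127.0.0.1:6262' -> ('127.0.0.1', 6262); anything else is rejected."""
    m = re.fullmatch(r"tls:([^:\s]+):(\d+)", endpoint)
    if not m:
        raise ValueError("unsupported ctrl endpoint: %r" % endpoint)
    return m.group(1), int(m.group(2))


def controller_reachable(endpoint, ca_path, timeout=3.0):
    """Complete a verified TLS handshake with the control plane.

    Returns (True, detail) on success, (False, reason) on any socket,
    certificate or CA-file problem. Verification uses the router's CA
    bundle, so a wrong ca path shows up here as well.
    """
    host, port = parse_ctrl_endpoint(endpoint)
    try:
        ctx = ssl.create_default_context(cafile=ca_path)
        with socket.create_connection((host, port), timeout=timeout) as raw:
            with ctx.wrap_socket(raw, server_hostname=host) as tls:
                return True, "%s handshake with %s:%d ok" % (tls.version(), host, port)
    except OSError as exc:  # ssl.SSLError is a subclass of OSError
        return False, str(exc)


if __name__ == "__main__":
    import sys
    path = sys.argv[1] if len(sys.argv) > 1 else "/var/lib/private/ziti-router/config.yml"
    with open(path) as fh:
        cfg = parse_router_config(fh.read())
    missing = missing_identity_files(cfg)
    for key in missing:
        print("identity.%s -> %s does not exist (paths not updated after a move?)"
              % (key, cfg["identity"][key]))
    endpoint = cfg["ctrl"].get("endpoint", "")
    if endpoint and "ca" not in missing and "ca" in cfg["identity"]:
        ok, detail = controller_reachable(endpoint, cfg["identity"]["ca"])
    else:
        ok, detail = False, "no ctrl endpoint or no usable ca path in config"
    print("ctrl %s: %s" % ("reachable" if ok else "NOT reachable", detail))
```

Run it on a router's config.yml (python3 check_router.py /opt/openziti/etc/router/router-public/router-public.yml); a missing identity file or a failed handshake to the ctrl endpoint is reported before the router is started, which is exactly where the logs would otherwise show a communication problem. If the directory was moved, rewrite_identity_paths produces the corrected config text for review.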