Building simple network from scratch - Help

Hello,

I'm just starting out with OpenZiti. I have spent the last few days reading and watching videos about it, and now I would like to build a simple test lab.

Here's my simple set-up:

  • 1 VM with CentOS 7 where I would put my Controller. This will have only one network interface and it will be a public one.
  • 1 VM with CentOS 7 where I would put one Router. This will have two network interfaces: one public (to communicate with the Controller) and one private (for the internal network where the supposed clients are).
  • 1 VM with Lubuntu in the same private subnet as the internal interface of the Router above.

So for now, just 3 VMs, just to see if I can set up everything and if all works.

I somewhat managed to get the Controller up and running. I can't be 100% sure it is configured correctly, but it is running showing no errors, it is listening on the correct ports, and the other VM can log in to it. So I think for now all is good.

My current problem is that I cannot make the router work.
I cannot get past the "enroll" part. I always get the same error:

[ 2.289] FATAL ziti/ziti/router.enrollGw: enrollment failure: (enrollment failed received HTTP status [400 Bad Request]: {"error":{"cause":{"code":"UNHANDLED","message":"invalid server CSR"},"code":"COULD_NOT_PROCESS_CSR","message":"The supplied csr could not be processed","requestId":"w34cHCfkC"},"meta":{"apiEnrollmentVersion":"0.0.1","apiVersion":"0.0.1"}} )

I have tried generating and modifying the .yaml file multiple times, but no luck. So I am starting to think there may be something wrong with the various certificates between the Router and the Controller.

I have seen that if one has all the correct commands, the setup doesn't take a huge amount of time. If someone would be willing to help, I would also consider starting again from scratch.

Certainly one of my biggest problems at this point is the creation of the certificates. For now I have created them with OpenSSL; maybe I should have used the built-in Ziti commands?

If anyone would be so kind as to take the time, writing all the commands needed for the setup of both Controller and Router would be awesome. And yes, I have read and followed the guides on the official site for Controller and Router deployments, but I think they lack something, like how to generate the certificate/key and where to use them.

Thanks in advance for any help.

Hello @Pentagon2442, welcome to the community and to OpenZiti!

That is a very interesting issue you have there! I would not expect a 400 to come back from the enrollment.

Can you detail the exact steps you've followed so that I can try to reproduce what you're seeing? I have very recently done exactly this setup, but used docker instead of CentOS 7 VMs. Maybe that thread would help you? Accessing remotely (Docker) - #6 by TheLumberjack

It's certainly easier if you let the quickstart generate the PKI for you. It's a very delicate thing and exceptionally easy to get wrong. We recently added this to try to explain what a quickstart does and how the PKI is structured, etc.: Quickstart Walkthrough | OpenZiti. Maybe that will help too.

I'll be happy to help you get your setup rocking. Take a look at those links first, show me the exact sets of commands you've run and I'm sure we'll get you rocking in no time.


I also went through what the docker compose quickstart did a while back. You can see that thread here: What does the quickstart do that I need to do myself? which is similar to your question.

It has a linked video that uses the docker compose setup, but maybe it's relevant and helpful:

I made this repo back then: openziti-compose/from-scratch.sh at main · dovholuknf/openziti-compose · GitHub. I expect it's still valid; I've not done this for a few months, but I think it'll be fine. So have a look at that repo and that forum thread.

Thank you very much for the quick response.

Can you detail the exact steps you've followed so that I can try to reproduce what you're seeing?

Absolutely.

  1. Generated a key
    openssl genrsa -out router01.key 2048

  2. Created a Certificate Signing Request
    openssl req -new -key router01.key -out router01.csr

  3. Generate a Self-Signed Certificate
    openssl x509 -req -days 365 -in router01.csr -signkey router01.key -out router01.cert

  4. Created a config file and modified it to my need
    ziti create config router edge --routerName router01 output router01.yaml --tunnelerMode none --private

  5. Login to Controller
    ziti edge login 85.10.10.100:1280 -u admin -p admin

  6. Create the .jwt
    ziti edge create edge-router router01 --jwt-output-file router01.jwt

  7. Enroll the Router
    ziti router enroll router01_config.yaml --jwt router01.jwt

And here is the end of my journey, with the error I have posted.



It's certainly easier if you let the quickstart generate the PKI for you. It's a very delicate thing and exceptionally easy to get wrong.

Absolutely, I know, hence why I think I have probably made a mistake in the certificates. But I am thinking about writing my Master's thesis about ZTA, with a small part about your software as a demonstration, so I would like to really understand everything well and not auto-generate stuff, if possible.

Edit: Just as a note, all of this is done in VirtualBox. Every machine is a VM and all IPs are confined within VirtualBox; I am using the Internal Network adapter option, so all VMs can talk to each other but not to the outside. All private and public IPs are confined. I will use public IPs just to simulate a real network, but connections are not really going out. There is no DNS nor DHCP, all manual to keep things simple, at least for now.


Step 3 is where you're starting to go a bit wrong. The router enrollment process doesn't require you to generate a key or CSR/cert. The router will do all that during the enrollment phase. When you create the router configuration file, the 'identity' section that specifies the key/certs -- all of those files will be written when the enrollment succeeds.

What happens is a CSR is generated by the router and sent to the controller for signing. What I am guessing is happening is your controller's signing certificate is incorrect...

If this was me, and I was you trying to learn, I'd start with a setup that I know works. I'd use ziti edge quickstart --home /tmp/somepath to generate a full PKI that I know works and then inspect the output of that PKI. The steps it performs are pretty clearly documented in this go file: ziti/ziti/cmd/edge/quickstart.go at release-next · openziti/ziti · GitHub. Hopefully you'll find the go easy enough to follow...

Once you have an environment that you know works, you can inspect the PKI.

I haven't ever actually used openssl to generate all these certificates myself, so I can't tell you exactly which options are set where.

VM's in virtualbox will work perfectly fine as long as you get all the config files setup properly, there's no worries there...

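An added example for the "inspect the PKI" step above. This is not code from the OpenZiti project or from anyone in this thread; it is a few POSIX shell helpers around the openssl CLI that show who issued a certificate, which IPs or DNS names it carries, and whether it chains to a given CA. Every path is an argument, so nothing about the quickstart's file layout is assumed. Run it against the certs a working quickstart wrote and against a cert you self-signed by hand, and the chain check makes the difference concrete: the self-signed one never verifies against the controller's CA.

```shell
#!/bin/sh
# Added example (not OpenZiti code): inspect certificates with the openssl CLI,
# e.g. the ones a working quickstart wrote, or the ones you made by hand.
# Every path is an argument; nothing about the quickstart's layout is assumed.
set -eu

# Subject, issuer, validity window and SANs of the cert in $1.
show_cert() {
  openssl x509 -in "$1" -noout -subject -issuer -dates
  # -text is used instead of -ext so this also works on CentOS 7's OpenSSL 1.0.2
  openssl x509 -in "$1" -noout -text | grep -A1 'Subject Alternative Name' || echo "no subjectAltName"
}

# verify_chain CA_BUNDLE CERT -> 0 if CERT was issued (directly, or via
# intermediates present in the bundle) by that CA. A cert you self-signed with
# "openssl x509 -req -signkey", as in step 3 earlier in the thread, can never
# pass this against the controller's CA; only a CSR the controller signed
# during enrollment does.
verify_chain() {
  openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
}

# has_san CERT VALUE -> 0 if the cert lists VALUE (an IP or DNS name) as a SAN,
# which is what a TLS client compares against the address it dialed.
has_san() {
  openssl x509 -in "$1" -noout -text | grep -A1 'Subject Alternative Name' | grep -q -- "$2"
}

# Usage, once the quickstart has written its PKI (paths are yours to fill in):
#   show_cert    /path/to/router.cert
#   verify_chain /path/to/ca-bundle.pem /path/to/router.cert && echo "chains to CA"
#   has_san      /path/to/router.cert 85.10.10.50 && echo "advertised IP is in SAN"
```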

Thanks for the hint.

If I understood it correctly, that quickstart will create both Edge-Router and a Controller on the same machine, is that correct?

Is there really no sort of quickstart for deploying an Edge-Router and a Controller individually on two different machines? Is the only way the all-manual approach I was following?

Thanks for pointing it out, will surely take a look at it.

Exactly. All-in-one process really... All the quickstarts were originally meant for showing people how to setup a reasonable overlay network in short-order. The idea being that they're useful to see how the pieces go together to learn from. Just so happens, they were also useful to setup a basic network for longer than that learning period so people continue to use them to get setup. I can understand why, it's fine for nearly everyone until they actually care about how the network was setup. Most never really do which is probably a compliment to the quickstarts...

Certainly. The host it anywhere (Host OpenZiti Anywhere | OpenZiti) quickstart does almost exactly what you need. Just pick up the resulting files after installing the router and move them elsewhere.

The docker, no compose example (and the discourse post I linked originally) does EXACTLY this (only it uses docker).

TBH - I can just make a quick video/set of steps illustrating this process.... I'll just do that. Gimme a few and I'll go do it all, but it'll all use the ziti cli (not openssl) just because it'll be quicker for me. I'll go do that right now... Sit tight, it shouldn't take too long...


Here you go.... You "should" be able to just copy and paste these one after another and have it work, presuming you set the exports correctly for you. I made this quickly but did test it, so hopefully I got all the right settings in place...

Start Controller and Router using Host it anywhere quickstart commands

export ZITI_PWD=your_password_here

export EXTERNAL_IP="$(curl -s eth0.me)"
export ZITI_CTRL_EDGE_IP_OVERRIDE="${EXTERNAL_IP}"
export ZITI_CTRL_EDGE_ADVERTISED_ADDRESS="${EXTERNAL_DNS:-${EXTERNAL_IP}}"
export ZITI_CTRL_ADVERTISED_PORT=8440
export ZITI_CTRL_EDGE_ADVERTISED_PORT=8441

export ZITI_ROUTER_IP_OVERRIDE="${EXTERNAL_IP}"
export ZITI_ROUTER_ADVERTISED_ADDRESS="${EXTERNAL_DNS:-${EXTERNAL_IP}}"
export ZITI_ROUTER_PORT=8442

source /dev/stdin <<< "$(wget -qO- https://get.openziti.io/ziti-cli-functions.sh)"; expressInstall

createControllerSystemdFile
createRouterSystemdFile "${ZITI_ROUTER_NAME}"

sudo cp "${ZITI_HOME}/${ZITI_CTRL_NAME}.service" /etc/systemd/system/ziti-controller.service
sudo cp "${ZITI_HOME}/${ZITI_ROUTER_NAME}.service" /etc/systemd/system/ziti-router.service
sudo systemctl daemon-reload
sudo systemctl enable --now ziti-controller
sudo systemctl enable --now ziti-router

sudo systemctl -q status ziti-controller --lines=0 --no-pager
sudo systemctl -q status ziti-router --lines=0 --no-pager

Setup, Configure, Enroll, Run Router 1:

router_name=r1
export ZITI_HOME=~/discourse/2098
mkdir -p $ZITI_HOME
cd $ZITI_HOME

export CTRL_IP="3.134.108.218"
export ZITI_CTRL_ADVERTISED_ADDRESS="${CTRL_IP}"
export ZITI_CTRL_ADVERTISED_PORT=8440
export ZITI_CTRL_EDGE_ADVERTISED_ADDRESS="${CTRL_IP}"
export ZITI_CTRL_EDGE_ADVERTISED_PORT=8441

export EXTERNAL_IP="$(curl -s eth0.me)"
export ZITI_ROUTER_IP_OVERRIDE="${EXTERNAL_IP}"
export ZITI_ROUTER_ADVERTISED_ADDRESS="${EXTERNAL_DNS:-${EXTERNAL_IP}}"
export ZITI_ROUTER_PORT=8410
export ZITI_ROUTER_LISTENER_BIND_PORT=8411

ziti create config router edge --routerName ${router_name} output ${router_name}.yml --tunnelerMode none > $HOME/discourse/2098/${router_name}.yml

ziti router enroll ${router_name}.yml --jwt ${router_name}.jwt

ziti router run ${router_name}.yml

Setup, Configure, Enroll, Run Router 2:

router_name=r2
export ZITI_HOME=~/discourse/2098
mkdir -p $ZITI_HOME
cd $ZITI_HOME

export CTRL_IP="3.134.108.218"
export ZITI_CTRL_ADVERTISED_ADDRESS="${CTRL_IP}"
export ZITI_CTRL_ADVERTISED_PORT=8440
export ZITI_CTRL_EDGE_ADVERTISED_ADDRESS="${CTRL_IP}"
export ZITI_CTRL_EDGE_ADVERTISED_PORT=8441

export EXTERNAL_IP="$(curl -s eth0.me)"
export ZITI_ROUTER_IP_OVERRIDE="${EXTERNAL_IP}"
export ZITI_ROUTER_ADVERTISED_ADDRESS="${EXTERNAL_DNS:-${EXTERNAL_IP}}"
export ZITI_ROUTER_PORT=8410
export ZITI_ROUTER_LISTENER_BIND_PORT=8411

ziti create config router edge --routerName ${router_name} output ${router_name}.yml --tunnelerMode none > $HOME/discourse/2098/${router_name}.yml

ziti router enroll ${router_name}.yml --jwt ${router_name}.jwt

ziti router run ${router_name}.yml

And a video walkthrough:


@TheLumberjack Wow. Thank you really much!

I can't express how surprised I was opening the post and seeing the time you took to help me. You are a really nice guy, thank you very much for your time!

Unfortunately, it is already late here. During this week I'll try the whole process again from scratch, on a completely fresh VM.

I'll definitely let you know how it went.

I found some time to test it. Here's my results.

For now, I have just set up R1, as the configurations are identical.

Controller

The exact commands I ran were the following:
curl -sS https://get.openziti.io/install.bash | sudo bash -s openziti


export ZITI_PWD=admin

export EXTERNAL_IP="85.10.10.100"
export ZITI_CTRL_EDGE_IP_OVERRIDE="${EXTERNAL_IP}"
export ZITI_CTRL_EDGE_ADVERTISED_ADDRESS="${EXTERNAL_DNS:-${EXTERNAL_IP}}"
export ZITI_CTRL_ADVERTISED_PORT=8440
export ZITI_CTRL_EDGE_ADVERTISED_PORT=8441

export ZITI_ROUTER_IP_OVERRIDE="${EXTERNAL_IP}"
export ZITI_ROUTER_ADVERTISED_ADDRESS="${EXTERNAL_DNS:-${EXTERNAL_IP}}"
export ZITI_ROUTER_PORT=8442

source /dev/stdin <<< "$(wget -qO- https://get.openziti.io/ziti-cli-functions.sh)"; expressInstall

createControllerSystemdFile
createRouterSystemdFile "${ZITI_ROUTER_NAME}"

sudo cp "${ZITI_HOME}/${ZITI_CTRL_NAME}.service" /etc/systemd/system/ziti-controller.service
sudo cp "${ZITI_HOME}/${ZITI_ROUTER_NAME}.service" /etc/systemd/system/ziti-router.service
sudo systemctl daemon-reload
sudo systemctl enable --now ziti-controller
sudo systemctl enable --now ziti-router

sudo systemctl -q status ziti-controller --lines=0 --no-pager
sudo systemctl -q status ziti-router --lines=0 --no-pager

It seems to work fine, except for a couple of things I have noted. My final output for the status of Controller and Router is:

[controller@cpe-85-10-10-100 ~]$ sudo systemctl -q status ziti-controller --lines=0 --no-pager
sudo systemctl -q status ziti-router --lines=0 --no-pager
โ— ziti-controller.service - Ziti-Controller
     Loaded: loaded (/etc/systemd/system/ziti-controller.service; enabled; preset: disabled)
     Active: activating (auto-restart) (Result: exit-code) since Tue 2024-02-20 11:37:42 CET; 46ms ago
    Process: 3232 ExecStart=/home/controller/.ziti/quickstart/cpe-85-10-10-100.dynamic.amis.net/ziti-bin/ziti-v0.32.2/ziti controller run /home/controller/.ziti/quickstart/cpe-85-10-10-100.dynamic.amis.net/cpe-85-10-10-100.dynamic.amis.net.yaml (code=exited, status=203/EXEC)
   Main PID: 3232 (code=exited, status=203/EXEC)
        CPU: 817us
โ— ziti-router.service - Ziti-Router for cpe-85-10-10-100.dynamic.amis.net-edge-router
     Loaded: loaded (/etc/systemd/system/ziti-router.service; enabled; preset: disabled)
     Active: activating (auto-restart) (Result: exit-code) since Tue 2024-02-20 11:37:42 CET; 61ms ago
    Process: 3233 ExecStart=/home/controller/.ziti/quickstart/cpe-85-10-10-100.dynamic.amis.net/ziti-bin/ziti-v0.32.2/ziti router run /home/controller/.ziti/quickstart/cpe-85-10-10-100.dynamic.amis.net/cpe-85-10-10-100.dynamic.amis.net-edge-router.yaml (code=exited, status=203/EXEC)
   Main PID: 3233 (code=exited, status=203/EXEC)
        CPU: 653us

The processes never seem to be active, but are always pending in activating. Moreover, there is an exit code with status 203. I have done this installation a couple of times, resetting my VM, but with the same outcome.

Moreover, even if minor, I have noticed that in your video, your output also has:

vendor preset: enabled

while mine has it disabled.

This (I suppose) gives me the problem that the ports are not up and listening:

[controller@cpe-85-10-10-100 ~]$ ss -tuln
Netid         State          Recv-Q         Send-Q                 Local Address:Port                  Peer Address:Port        Process        
udp           UNCONN         0              0                            0.0.0.0:47248                      0.0.0.0:*                          
udp           UNCONN         0              0                            0.0.0.0:5353                       0.0.0.0:*                          
udp           UNCONN         0              0                          127.0.0.1:323                        0.0.0.0:*                          
udp           UNCONN         0              0                               [::]:5353                          [::]:*                          
udp           UNCONN         0              0                               [::]:49388                         [::]:*                          
udp           UNCONN         0              0                              [::1]:323                           [::]:*                          
tcp           LISTEN         0              4096                       127.0.0.1:631                        0.0.0.0:*                          
tcp           LISTEN         0              128                          0.0.0.0:22                         0.0.0.0:*                          
tcp           LISTEN         0              4096                           [::1]:631                           [::]:*                          
tcp           LISTEN         0              128                             [::]:22                            [::]:*    

After doing some random stuff like checking permissions, the firewall, and whatnot, I managed to get the ports listening, but both Controller and Router are still in activating. I don't know if this may be a problem or if it can become one.

Router R1

Here things were much more straightforward. No major issue. The commands were accepted and no error seemed to happen.

I am able to link it with the controller and get it up and running. Here's the output (from the Controller):
[controller@cpe-85-10-10-100 ~]$ ziti edge list edge-routers
╭────────────┬───────────────────────────────────────────────┬────────┬───────────────┬──────┬────────────╮
│ ID         │ NAME                                          │ ONLINE │ ALLOW TRANSIT │ COST │ ATTRIBUTES │
├────────────┼───────────────────────────────────────────────┼────────┼───────────────┼──────┼────────────┤
│ J-M-BOWdf  │ cpe-85-10-10-100.dynamic.amis.net-edge-router │ true   │ true          │    0 │ public     │
│ nWsWrtzALG │ r1                                            │ true   │ true          │    0 │            │
╰────────────┴───────────────────────────────────────────────┴────────┴───────────────┴──────┴────────────╯
results: 1-2 of 2

But when I try to show the fabric links, nothing shows up:

[controller@cpe-85-10-10-100 ~]$ ziti fabric list links
╭────┬────────┬──────────┬─────────────┬─────────────┬─────────────┬───────┬────────┬───────────╮
│ ID │ DIALER │ ACCEPTOR │ STATIC COST │ SRC LATENCY │ DST LATENCY │ STATE │ STATUS │ FULL COST │
├────┼────────┼──────────┼─────────────┼─────────────┼─────────────┼───────┼────────┼───────────┤
╰────┴────────┴──────────┴─────────────┴─────────────┴─────────────┴───────┴────────┴───────────╯
results: none

Now I am a bit clueless as to why, but looking at the R1 output while running, I found a couple of errors; I don't know if they may be related:

[ 275.012]   ERROR ziti/router/link.(*linkRegistryImpl).evaluateLinkState.func1: {key=[default->tls:J-M-BOWdf->default] linkId=[70fFLZ8QjVrbNkpiUq0JSj] iteration=[9] error=[error dialing outgoing link [l/70fFLZ8QjVrbNkpiUq0JSj@9]: error dialing payload channel for [l/70fFLZ8QjVrbNkpiUq0JSj]: dial tcp 85.10.10.100:10080: connect: no route to host]} error dialing link
[ 275.012]    INFO ziti/router/link.(*linkState).updateStatus: {linkId=[70fFLZ8QjVrbNkpiUq0JSj] iteration=[9] newState=[dialFailed] key=[default->tls:J-M-BOWdf->default] oldState=[dialing]} status updated
^C[ 378.680]    INFO ziti/ziti/router.waitForShutdown: shutting down ziti-router
[ 378.680]   ERROR agent.(*handler).listen: {error=[accept unix /tmp/gops-agent.2622.sock: use of closed network connection]} error accepting gops connection, closing gops listener
[ 378.680]   ERROR agent.(*handler).listen.func1: {error=[close unix /tmp/gops-agent.2622.sock: use of closed network connection]} error closing gops listener
[ 378.681]   ERROR channel/v2.(*reconnectingImpl).Rx [u{reconnecting}->i{2MJy}]: {error=[use of closed network connection]} error closing peer after rx error
[ 378.681]   ERROR channel/v2.(*reconnectingImpl).Rx [u{reconnecting}->i{2MJy}]: {error=[read tcp 85.10.10.50:49896->85.10.10.100:8440: use of closed network connection]} rx error. closed peer and starting reconnection process

The only thing I can think of is that R1 cannot reach the Controller, but they are able to ping:

[router01@cpe-85-10-10-50 ziti-router01]$ ping 85.10.10.100
PING 85.10.10.100 (85.10.10.100) 56(84) bytes of data.
64 bytes from 85.10.10.100: icmp_seq=1 ttl=64 time=0.470 ms
64 bytes from 85.10.10.100: icmp_seq=2 ttl=64 time=0.325 ms
64 bytes from 85.10.10.100: icmp_seq=3 ttl=64 time=0.332 ms
64 bytes from 85.10.10.100: icmp_seq=4 ttl=64 time=0.337 ms
^C
--- 85.10.10.100 ping statistics ---
4 packets transmitted, 4 received, 0% packet loss, time 3080ms
rtt min/avg/max/mdev = 0.325/0.366/0.470/0.060 ms

Let me know if you have any ideas.

Thanks ahead.

Ah, I was forgetting it. And these are the commands given on R1:

curl -sS https://get.openziti.io/install.bash | sudo bash -s openziti

router_name=r1
export ZITI_HOME=~/ziti-router01/
mkdir -p $ZITI_HOME
cd $ZITI_HOME

export CTRL_IP="85.10.10.100"
export ZITI_CTRL_ADVERTISED_ADDRESS="${CTRL_IP}"
export ZITI_CTRL_ADVERTISED_PORT=8440
export ZITI_CTRL_EDGE_ADVERTISED_ADDRESS="${CTRL_IP}"
export ZITI_CTRL_EDGE_ADVERTISED_PORT=8441

export EXTERNAL_IP="85.10.10.50"
export ZITI_ROUTER_IP_OVERRIDE="${EXTERNAL_IP}"
export ZITI_ROUTER_ADVERTISED_ADDRESS="${EXTERNAL_DNS:-${EXTERNAL_IP}}"
export ZITI_ROUTER_PORT=8410
export ZITI_ROUTER_LISTENER_BIND_PORT=8411

ziti create config router edge --routerName ${router_name} output ${router_name}.yml --tunnelerMode none > $HOME/ziti-router01/${router_name}.yml

# Need to create the .jwt on the controller

ziti router enroll ${router_name}.yml --jwt ${router_name}.jwt

ziti router run ${router_name}.yml

This is the problem. Looking at the first error, it's referencing port 10080. Port 10080 is the default port we use for the control plane. Based on how you started the controller, using export ZITI_CTRL_ADVERTISED_PORT=8440, I would expect to see your controller listening on ports 8441 and 8440. Based on how you created the R1 config, I would expect it to show port 8440 in the config, not 10080.

Inspect your R1 config file and look for 10080. I think maybe you didn't have the proper environment variable set when the config was created, or something else like that went wrong. The create config commands use numerous environment variables to emit the configs. You can enumerate them by running ziti create config environment if you want, but I think your R1 config was just created incorrectly.

It'd be worthwhile to check your "ctrl" and "link" and "listeners" sections. Assuming I got your IPs correct, they should look like this:

ctrl:
  endpoint:             tls:85.10.10.100:8440

link:
  dialers:
    - binding: transport
  listeners:
    - binding:          transport
      bind:             tls:0.0.0.0:8411
      advertise:        tls:85.10.10.50:8411
      options:
        outQueueSize:   4

listeners:
# bindings of edge and tunnel requires an "edge" section below
  - binding: edge
    address: tls:0.0.0.0:8410
    options:
      advertise: 85.10.10.50:8410
      connectTimeoutMs: 5000
      getSessionTimeout: 60

Here's another video... I don't feel like installing virtualbox so I'm going to use docker... Here's a github gist that contains all the commands I ended up running so you can replicate with docker if you wish and you can watch me go through the steps here:

Github Gist here: Discourse 2098 · GitHub

Hopefully this will get you going. Have fun.
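An added example, not part of the gist above or of the OpenZiti tooling: a small POSIX shell check to run on the router YAML before enrolling, which catches exactly the mismatch described in the reply above. It assumes the ctrl/link/listeners layout shown there (the endpoint and advertise keys), takes the expected controller address, control port and the router's own IP as arguments, and includes a constructed sample config so it can be tried without a real router. The 10080 check is the one that would have flagged R1.

```shell
#!/bin/sh
# Added example (not OpenZiti code): sanity-check a router config before
# "ziti router enroll". Assumes the ctrl/link/listeners layout shown above.
# Uses only grep/sed so it runs on a stock CentOS 7 box.
set -eu

# Print the value of the first "KEY:" line in FILE.   yaml_value FILE KEY
yaml_value() {
  grep -E "^[[:space:]]*-?[[:space:]]*$2:" "$1" | head -n 1 | sed -E 's/^[^:]*:[[:space:]]*//'
}

# check_router_config FILE CTRL_HOST CTRL_PORT ROUTER_IP
# Returns 0 when ctrl.endpoint points at the controller you actually started
# and every advertise: carries the router's reachable IP; otherwise prints each
# finding and returns 1.
check_router_config() {
  file=$1; ctrl_host=$2; ctrl_port=$3; router_ip=$4; rc=0

  endpoint=$(yaml_value "$file" endpoint)
  if [ "$endpoint" != "tls:$ctrl_host:$ctrl_port" ]; then
    echo "ctrl.endpoint is '$endpoint', expected 'tls:$ctrl_host:$ctrl_port'"
    rc=1
  fi

  # 10080 is the control-plane default; seeing it means ZITI_CTRL_ADVERTISED_PORT
  # was not exported in the shell that ran "ziti create config router".
  if grep -q ':10080' "$file"; then
    echo "default control port 10080 present; config was generated with the wrong environment"
    rc=1
  fi

  # Other routers and SDK clients dial what is advertised, so it must be the
  # router's real address, never the 0.0.0.0 it binds to.
  grep -E '^[[:space:]]*advertise:' "$file" | sed -E 's/^[^:]*:[[:space:]]*//' |
  while read -r adv; do
    case "$adv" in
      *"$router_ip"*) ;;
      *) echo "advertise '$adv' does not name router IP $router_ip"; exit 1 ;;
    esac
  done || rc=1

  return $rc
}

# Constructed sample that mirrors the three sections quoted above. The second
# argument is the control port written into ctrl.endpoint, so you can produce
# both a correct file (8440) and the broken one R1 ended up with (10080).
write_sample_config() {
  cat > "$1" <<EOF
ctrl:
  endpoint:             tls:85.10.10.100:$2

link:
  dialers:
    - binding: transport
  listeners:
    - binding:          transport
      bind:             tls:0.0.0.0:8411
      advertise:        tls:85.10.10.50:8411
      options:
        outQueueSize:   4

listeners:
  - binding: edge
    address: tls:0.0.0.0:8410
    options:
      advertise: 85.10.10.50:8410
      connectTimeoutMs: 5000
      getSessionTimeout: 60
EOF
}

# Usage on a real router:  check_router_config r1.yml 85.10.10.100 8440 85.10.10.50
```

Run it in the same shell you exported the ZITI_* variables in; if it complains about 10080, regenerate the config rather than hand-editing it, so the rest of the file (which reads the same variables) stays consistent.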

Thank you very much for all the information.

I'll look into it and I will be back.

Hey, I am back with good news this time.

Small update

I have tried several times, but the controller always gave strange errors, even with the express install. I have tried installing it on both CentOS 9 and Lubuntu with no luck. I decided to also give Ubuntu a shot, and there the express install of the controller worked fine. I can't say if there are problems with other OSes or not, but at least now it works.

Current situation

So now I am in the situation I wanted from the beginning (kind of):

  • Controller+Router: Installed on a Ubuntu
  • Routers R1 and R2: Installed on CentOS7

Now everything is linked together as it should be. So I have tried moving on with my test lab. I have added:

  • A Lubuntu VM, simulating what it will be a client
  • Another Lubuntu VM, simulating what it will be a server

Here's a simple diagram that show my current setup:


Next Goal

My next goal is now to test OpenZiti in some way, to see if things route properly and what possibilities it gives. Looking at the official documentation, I found an example of a simple HTTP Tunneler and I decided to try implementing that.

Here it is for reference.

Problem

I was following the 10 steps provided in the link above and everything was going right, until I reached step 7. At step 7, if I understood it correctly, I have to run the command:
ziti edge list identities

On the router, in this case I think on R2, to find this 'identity'. But when I do, it gives me the following error:

error: no identity 'default' found in cli config /home/router01/.config/ziti/ziti-cli.json

From here I start to understand why, and reading more carefully I see that as a prerequisite I need to install an OpenZiti tunneler on both machines. So I followed the guide, which seems simple, and I:

  • Installed Linux Tunneler on the Client:
curl -sSLf https://get.openziti.io/tun/scripts/install-ubuntu.bash | bash

  • Enabled and started the service:
sudo systemctl enable --now ziti-edge-tunnel.service

  • Created an Identity on the Controller for the Client:
ziti edge create identity user http-client -a 'http-clients' -o http-client.jwt

  • Imported that '.jwt' to the Client and run the command:
sudo ziti-edge-tunnel add --jwt http-client.jwt --identity http-client

But I got the following error:

received response <{"Success":false, "Error":"enrollment failed", "Code":500}>

Possible solutions

And at this point I am kind of stuck again, unfortunately.
  1. One thing that comes to my mind is that when setting up the routers, I ran this command:
ziti create config router edge --routerName ${router_name} output ${router_name}.yml --tunnelerMode none > $HOME/ziti-router01/${router_name}.yml

And I see "--tunnelerMode none"; can it be the cause of my problems?

  2. Something else that came to my mind is that Routers R1 and R2 have two network interfaces and they can ping both the Controller IP and the respective local ones. The Client is only able to ping the local port of R1 and cannot ping the Controller; can that be another possible problem?


If I forgot something important for understanding what's going on, tell me and I will provide everything necessary. Thanks in advance.

Hrmmm. That not-too-helpful error just means you didn't log in... I'll file an issue to make that more explicit/obvious. Just log in with ziti edge login $CTRL_IP -u $USER -p $PASSWORD -y (add -y optionally if you don't want the prompt)...

It's hard to know exactly why it failed. Did the controller output any log? did you do all these steps in very close succession? Did you modify the PKI at all? Possible issues to me are that the jwt expired, the jwt contains an invalid address and you sent the request to the wrong port or the wrong server, or that the PKI somehow changed. Those are the likely causes of problems here, I'd guess.

This command is definitely wrong. First, you should use --output. Your command is missing the two minus signs. Then, assuming you use --output, you should stop redirecting the output. Refer to the gist I provided for an example: Discourse 2098 · GitHub

I don't think it is, considering the gist I provided used --tunneler-mode none, and as you see in the video, things seemed to work fine for me.

This is most definitely 'a problem' but it's hard to know if it's "the" problem. Clients and routers both need to be able to communicate to the controller. That's non-negotiable.

Maybe start simpler?

I think it might be worthwhile for you to start simpler? I would encourage you to get it working first with JUST two tunneler clients and JUST the controller and router running on the same host. Getting familiar with identities and how this most basic setup works, is a really good start. Once you have something you know works, THEN you can branch out and add another router, then add the other router, then remove routes from "zone 1" to "zone 2" and the like. I think it'd be easier to do that...

Hope that helps.
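An added example, not from the OpenZiti project or from anyone in this thread, for two of the possible causes listed in the reply above (an expired token, or a token that names a different controller address/port than the one the client is being sent to): POSIX shell helpers that decode an enrollment JWT's payload and read the standard iss and exp claims. They only decode; no signature is checked, which remains the controller's job at enrollment. The claim names are standard JWT claims, and the token in the usage comment is a constructed sample, not a real ziti token.

```shell
#!/bin/sh
# Added example (not OpenZiti code): decode an enrollment JWT before handing it
# to ziti-edge-tunnel, so an expired token or one pointing at the wrong
# controller is caught before the enrollment request is even sent.
# Reads only the standard "iss" and "exp" claims; the signature is not verified.
set -eu

# Print the decoded JSON payload (second dot-separated segment) of the JWT in $1.
jwt_payload() {
  seg=$(cut -d. -f2 "$1" | tr -d '\n' | tr '_-' '/+')   # base64url -> base64
  case $(( ${#seg} % 4 )) in                            # restore stripped padding
    2) seg="$seg==" ;;
    3) seg="$seg=" ;;
  esac
  printf '%s' "$seg" | base64 -d
}

# jwt_claim FILE NAME -> the claim's value (string or integer claims).
jwt_claim() {
  jwt_payload "$1" | sed -n "s/.*\"$2\":\"\{0,1\}\([^\",}]*\).*/\1/p"
}

# 0 if the token's exp is already in the past (compared to this host's clock).
jwt_expired() {
  exp=$(jwt_claim "$1" exp)
  [ -n "$exp" ] && [ "$exp" -lt "$(date +%s)" ]
}

# jwt_issued_by FILE URL -> 0 if the issuer matches the controller the client
# will actually talk to, e.g. jwt_issued_by http-client.jwt https://85.10.10.100:8441
jwt_issued_by() {
  [ "$(jwt_claim "$1" iss)" = "$2" ]
}

# Usage on a real token:
#   jwt_payload http-client.jwt; echo
#   jwt_expired http-client.jwt && echo "token expired, create a new one"
#   jwt_issued_by http-client.jwt https://85.10.10.100:8441 || echo "token names a different controller"
```

If iss shows a hostname or port the client cannot reach (for instance the controller's public IP when the client sits on the private subnet only), fix the reachability first; the tunneler follows that address, not whatever you typed locally.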