Can a host.v1 forward traffic to another server on the same lan?

Hi, I'm loving OpenZiti and in the process of setting up Zero trust for all my networking needs. I have a gitea instance running on Server A. The Controller and Router are running on Server B. Both Servers A & B are on the same LAN.

On Server A where gitea is running. I have a ziti-edge-tunnel systemd service with a bind policy. Then on my laptop (which is still in the same LAN) I have a windows tunneler running with a dial policy.

The service along with the necessary host & intercept configs are defined as well as the proper policies.

I was able to confirm this by running: ziti edge policy-advisor services --quiet "giteaSvc"

Here is the output:

OKAY : zen (1) -> giteaSvc (1) Common Routers: (1/1) Dial: Y Bind: N

OKAY : qipione_webSvcServer (1) -> giteaSvc (1) Common Routers: (1/1) Dial: N Bind: Y

I have a feeling that the issue might be in here:

Or here:

My question is: Can a host config forward traffic to another server on the same LAN without having another ziti-router on that server?

Also if the gitea server is not configured to handle any SSL certificates. It's just regular HTTP not HTTPS. Will that be a problem with how the intercept config is specified? ie https://gitea.ziti/

It seems to intercept just fine: but I'm getting this error:

Your help is greatly appreciated!!

Awesome!

Absolutely. This is exceptionally common. This is referred to as "zero trust network access" as you end up "trusting" your network and traversing the underlay network. You do not need a router, nor a tunneler of any kind as long as the machine running a tunneler (a router/ziti-edge-tunnel/ziti desktop edge etc) can reach the target service via the underlay network.

I think this is your entire problem and confusion. Although OpenZiti is end to end encrypted, and uses mTLS amongst all the OpenZiti overlay components, if your target service is HTTP (not HTTPS), your browser will need to use http as well.

So if you just use http://gitea.ziti, I expect you'll be fine. Here's a couple of images to maybe help get you straight.

1 Like
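To make the answer concrete, here is an added example (not from the thread or from the OpenZiti project) that builds the two configs the answer describes and prints the ziti CLI calls that would create them. It assumes placeholders that are not in the thread: gitea listens on 192.168.1.10:3000 over plain HTTP on Server A, the binding identity is qipione_webSvcServer and the dialing identity is zen (the names in the policy-advisor output above). The host.v1 address is an underlay address that the tunneler on Server A can reach; it does not have to be the tunneler's own machine. The intercept port is the port the laptop dials (80, so the browser uses http://gitea.ziti/), which is independent of the port gitea actually listens on.

```shell
#!/bin/sh
# Added example: OpenZiti host.v1 + intercept.v1 configs for a plain-HTTP
# service reached over the underlay. Placeholder values (gitea address/port,
# identity names) are assumptions, not taken from the thread.
# DRY_RUN=1 (default) prints the ziti commands; DRY_RUN=0 executes them.
DRY_RUN=${DRY_RUN:-1}

# host.v1: where the tunneler on Server A forwards accepted connections.
# Any address reachable from that tunneler over the underlay works here.
host_cfg() {
  printf '{"protocol":"tcp","address":"%s","port":%s}' "$1" "$2"
}

# intercept.v1: what the client tunneler captures. The port is what the
# client dials, not what the origin listens on.
intercept_cfg() {
  printf '{"protocols":["tcp"],"addresses":["%s"],"portRanges":[{"low":%s,"high":%s}]}' "$1" "$2" "$2"
}

# The overlay is mTLS end to end, but the browser must speak whatever the
# origin speaks: "tls" only if the origin itself serves HTTPS.
client_url() {
  if [ "$2" = tls ]; then
    printf 'https://%s/' "$1"
  else
    printf 'http://%s/' "$1"
  fi
}

run() {
  if [ "$DRY_RUN" = 1 ]; then
    printf '%s ' "$@"
    echo
  else
    "$@"
  fi
}

# provision SERVICE INTERCEPT_HOSTNAME UNDERLAY_ADDR UNDERLAY_PORT BIND_ID DIAL_ID
provision() {
  svc=$1; ihost=$2; uaddr=$3; uport=$4; bind_id=$5; dial_id=$6
  run ziti edge create config "${svc}Host" host.v1 "$(host_cfg "$uaddr" "$uport")"
  run ziti edge create config "${svc}Intercept" intercept.v1 "$(intercept_cfg "$ihost" 80)"
  run ziti edge create service "$svc" --configs "${svc}Host,${svc}Intercept"
  run ziti edge create service-policy "${svc}Bind" Bind \
    --service-roles "@$svc" --identity-roles "@$bind_id"
  run ziti edge create service-policy "${svc}Dial" Dial \
    --service-roles "@$svc" --identity-roles "@$dial_id"
  # Same check as in the question: expect Dial: Y for zen, Bind: Y for the server.
  run ziti edge policy-advisor services --quiet "$svc"
}

# Demo with the constructed placeholder values; prints commands in dry-run mode.
provision giteaSvc gitea.ziti 192.168.1.10 3000 qipione_webSvcServer zen
echo "browse to: $(client_url gitea.ziti plain)"
```

Run it as-is to review the commands, then with DRY_RUN=0 against a logged-in ziti CLI. The only thing that changes if gitea were later put behind TLS is the argument to client_url (and the intercept port if you want 443); the host.v1 side keeps forwarding raw TCP either way.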

YES!!!! GOTTA LOVE THOSE IMAGES :slight_smile:

OpenZiti FTW

It doesn't even have to be on the same vlan :slight_smile:
any network resource that the host has access to in theory can be configured

1 Like