Connection between ziti and openvpn

need to delete because of security

Thank you for the diagram! It really does help. Is there a requirement that User2 access the Device1 via the same fully qualified name or via the same ip address? I assume it'd be fine to have two different access modes, as long as it worked?

For example with OpenZiti you could install the tunnelers and change all the IP ranges they use from 100.64.0.0/10 to 192.168.x.y/24 (or whatever IP block you want to assign that will not clash with OpenVPN) and then let OpenZiti manage that address range (you don't have to do this if you can configure OpenVPN away from 100.64.0.0/10 and leave that for OpenZiti).... Add an intercept for "Device1" and then that user would have both OpenVPN and OpenZiti installed. That's one way and the long-term way that would work 'best' imo and is "ZTHA" (host access not ZTNA, network access).

The other way you can do it is by allowing the edge router to do the OpenZiti intercepting and routing but surface the IP range from the router to the rest of the network and do ZTNA. This might be a good "first step" for you. This then turns the OpenZiti router into a gateway but ANY user on the same network would be able to access that device (since it's just working as a gateway) which is not quite as secure of a setup. (see this page/video for more on this: Use a Router as a Local Gateway | OpenZiti)

Hopefully that helps and makes sense. Let me know if you have more questions. If I think of anything else I'll follow back up too

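The first option above depends on the OpenZiti tunneler's intercept range and the OpenVPN client subnet not overlapping. The following is an added example (not OpenZiti or OpenVPN project code) that checks a set of address ranges for collisions and picks a replacement block that is free of them; the range values in `CLASHING` and `FIXED` are constructed samples, using OpenZiti's default 100.64.0.0/10 and OpenVPN's default 10.8.0.0/24 as the starting points.

```python
"""Detect address-range collisions between two overlay tools on one host.

Added example, not OpenZiti or OpenVPN code. OpenZiti tunnelers hand out
intercept addresses from 100.64.0.0/10 by default; if OpenVPN also pushes a
subnet inside that block, packets for an intercepted service may be routed
to the wrong tunnel interface. All ranges below are constructed samples.
"""
import ipaddress


def find_overlaps(ranges):
    """ranges: {tool_name: [cidr, ...]}.

    Returns a list of (tool_a, cidr_a, tool_b, cidr_b) tuples for every pair
    of networks owned by *different* tools that overlap. Networks owned by
    the same tool are allowed to overlap (e.g. a /10 and a /24 inside it).
    """
    nets = []
    for name, cidrs in ranges.items():
        for cidr in cidrs:
            nets.append((name, ipaddress.ip_network(cidr, strict=False)))

    overlaps = []
    for i, (name_a, net_a) in enumerate(nets):
        for name_b, net_b in nets[i + 1:]:
            if name_a == name_b or net_a.version != net_b.version:
                continue
            if net_a.overlaps(net_b):
                overlaps.append((name_a, str(net_a), name_b, str(net_b)))
    return overlaps


def pick_free_range(candidates, taken):
    """Return the first candidate CIDR that overlaps none of the taken CIDRs.

    Used to choose a new OpenZiti intercept block (e.g. a 192.168.x.0/24)
    that stays clear of whatever OpenVPN is already using. Returns None when
    every candidate collides.
    """
    taken_nets = [ipaddress.ip_network(t, strict=False) for t in taken]
    for cand in candidates:
        cand_net = ipaddress.ip_network(cand, strict=False)
        if not any(cand_net.overlaps(t) for t in taken_nets
                   if t.version == cand_net.version):
            return str(cand_net)
    return None


def intercept_inside(intercept_ip, cidr):
    """True if the intercept address for a service lies inside the given CIDR."""
    return ipaddress.ip_address(intercept_ip) in ipaddress.ip_network(cidr, strict=False)


# Constructed sample: OpenVPN was configured with a /16 carved out of
# OpenZiti's default /10, so the two tools fight over the same addresses.
CLASHING = {
    "OpenZiti": ["100.64.0.0/10"],
    "OpenVPN": ["100.96.0.0/16"],
}

# Constructed sample: OpenZiti moved to a private /24 and OpenVPN kept its
# stock 10.8.0.0/24 client subnet; nothing overlaps.
FIXED = {
    "OpenZiti": ["192.168.50.0/24"],
    "OpenVPN": ["10.8.0.0/24"],
}


if __name__ == "__main__":
    for label, cfg in (("clashing", CLASHING), ("fixed", FIXED)):
        print(label, find_overlaps(cfg) or "no overlaps")
    print("free block:", pick_free_range(
        ["100.64.0.0/10", "192.168.50.0/24"], CLASHING["OpenVPN"]))
```

Run it on the real ranges from your OpenVPN server config (`server` directive) and the tunneler's configured intercept block; an empty list from `find_overlaps` is the condition the first option in the reply above relies on.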

we need to delete we need to delete

In general, I don't ever describe OpenZiti in this way. OpenZiti is generally an IP-level solution (layer 4) vs an application layer solution. For example, when you ask: "How can we decrypt openziti packages to network layer packages or vice versa", my answer is always "you don't and you can't". The OpenZiti clients (we call them tunnelers) are responsible for turning classic, IP-based, underlay traffic into OpenZiti traffic and vice-versa (at the destination), but with OpenZiti's SDKs you can effectively be in the application layer directly, and effectively never leave the overlay network back to classic, IP-based underlay (unless you need to of course). So "you" -- don't and can't do that. But you CAN intercept packets before they arrive at the OpenZiti tunneler if you want. That is 'before' the OpenZiti leg, and is subject to classic IP-based techniques.

OpenZiti enables end-to-end encryption by default, so maybe that's where some confusion enters the equation? That makes it sound like OpenZiti operates at the application layer, but it really can't unless you're embedding an SDK directly into your solution. If you're doing that, then I'd agree it's operating in the application layer. If not, I always describe it as working at layer 4 exclusively.

Does that help or just make more confusion? :slight_smile:
