Create private router on linux machine

Ok here's the text version... I'm going to cover a bit more than just the "how to get the router running" since you need that as well. I'll cover the policy work I think you want too... I can always make a video if you find it helpful. :slight_smile:

Installing the Private Edge Router

I have a raspberry pi-like device called an inovato (check them out if you haven't :slight_smile: ) which I'm going to install the router on. It's just like a pi without the pin-outs. Here's how I installed the router:

  1. used the helper functions to get ziti on my path (do it manually if you prefer)
    source /dev/stdin <<< "$(wget -qO- https://get.openziti.io/quick/ziti-cli-functions.sh)"; getZiti yes
    
  2. in nfconsole.io, navigate to "Edge Routers"
  3. click the plus in the upper right
  4. give the router a name (I used home-router), give it an attribute of "home-network" (or some attribute you want), choose "Customer Hosted", and click the button to create it.
  5. You'll be taken to a new screen saying the router has been created.
  6. expand "Advanced Downloads" and download the jwt. We'll make the config below
  7. Transfer the jwt to your private router.
  8. You seem like you'll be familiar with bash, so I won't explain these parts too much...
  9. set some environment variables.
    • ROUTER_NAME is whatever you want the files to be called on the machine
    • ZITI_HOME is important if you follow these instructions later on and it represents where you want the files to be put
    • CONTROLLER_ADDRESS should be correct. I pulled it from your other discourse post logs for you
    • ROUTER_LOCAL_ADDRESS is the name that the other devices can address your private edge router at. Notice I'm using "inovato", you MUST change that unless you have an 'inovato' too :slight_smile:
    export ROUTER_NAME="private-router"
    export ZITI_HOME="$HOME/ziti-files/${ROUTER_NAME}"
    export CONTROLLER_ADDRESS="1cbcdfd4-c7ac-4be9-8f2e-1075845c774c.production.netfoundry.io"
    export ROUTER_LOCAL_ADDRESS="inovato"
    
  10. make the new folder:
    mkdir -p $ZITI_HOME
    
  11. Emit the config file into the folder you just made with the HEREDOC below. Copy/paste the block as-is, or write the file yourself; it should be pretty straightforward to see where the variables go.
    cat > ${ZITI_HOME}/${ROUTER_NAME}.yaml <<HERE
    v: 3
    identity:
      cert:                 "$ZITI_HOME/client.cert"
      server_cert:          "$ZITI_HOME/server.cert"
      key:                  "$ZITI_HOME/server.key"
      ca:                   "$ZITI_HOME/cas.cert"
    ctrl:
      endpoint:             tls:${CONTROLLER_ADDRESS}:80
    link:
      dialers:
        - binding: transport
    listeners:
      - binding: edge
        address: tls:0.0.0.0:3022
        options:
          advertise: ${ROUTER_LOCAL_ADDRESS}:3022
          connectTimeoutMs: 1000
          getSessionTimeout: 60
      - binding: tunnel
        options:
          mode: host #tproxy|host
    edge:
      csr:
        country: US
        province: NC
        locality: Charlotte
        organization: NetFoundry
        organizationalUnit: Ziti
        sans:
          dns:
            - ${ROUTER_LOCAL_ADDRESS}
            - localhost
          ip:
            - "127.0.0.1"
    forwarder:
      latencyProbeInterval: 10
      xgressDialQueueLength: 1000
      xgressDialWorkerCount: 128
      linkDialQueueLength: 1000
      linkDialWorkerCount: 32
    HERE
    
  12. enroll your router by running (replace the path to the jwt you transferred):
    ziti router enroll ${ZITI_HOME}/${ROUTER_NAME}.yaml -j /replace/this/with/the/actual.jwt
    
  13. run the edge router manually to make sure it starts
    ziti router run ${ZITI_HOME}/${ROUTER_NAME}.yaml
    
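Here is an added wrapper around steps 9 to 13 (this is example code, not from the original post and not part of OpenZiti or NetFoundry). It checks that the four environment variables are set, that ROUTER_LOCAL_ADDRESS is no longer the "inovato" placeholder, that the jwt has the shape of a token, and that the config on disk actually carries the CONTROLLER_ADDRESS and advertise values from the environment, before it enrolls; after enrollment it confirms the four identity files named in the config exist before starting the router. It assumes the same variable names, the same config path and the same identity file names as the heredoc above; the RUN_ROUTER_SETUP switch is my own addition so the functions can be sourced without running anything.

```shell
#!/bin/sh
# Added example, not code from the original post or from OpenZiti/NetFoundry.
# Pre-flight checks around steps 9-13: confirm the variables, the jwt and the
# config agree before enrolling, and confirm enrollment wrote the identity
# files before starting the router. Assumes the same variable names and the
# same config layout (identity paths, advertise line) as the post's heredoc.
set -eu

# Every variable the post's heredoc expands must be set and non-empty.
check_router_vars() {
  for v in ROUTER_NAME ZITI_HOME CONTROLLER_ADDRESS ROUTER_LOCAL_ADDRESS; do
    eval "val=\${$v:-}"
    if [ -z "$val" ]; then
      echo "missing environment variable: $v" >&2
      return 1
    fi
  done
  return 0
}

# The post's placeholder hostname only works on a host actually named inovato.
# Any other value is accepted as-is (it may be a DNS name, not the hostname).
check_local_address() {
  addr=$1
  host=$2
  if [ "$addr" = "inovato" ] && [ "$host" != "inovato" ]; then
    echo "ROUTER_LOCAL_ADDRESS is still the placeholder 'inovato' on host '$host'" >&2
    return 1
  fi
  return 0
}

# Format check only: three non-empty base64url segments separated by dots.
# The controller verifies the token's signature during enrollment.
looks_like_jwt() {
  [ -s "$1" ] || return 1
  tr -d '[:space:]' < "$1" |
    grep -Eq '^[A-Za-z0-9_-]+\.[A-Za-z0-9_-]+\.[A-Za-z0-9_-]+$'
}

# The config must point at the controller and advertise the address in the
# environment; a stale copy/paste is the usual way these drift apart.
config_matches_env() {
  f=$1
  [ -r "$f" ] || { echo "config not readable: $f" >&2; return 1; }
  grep -qF "tls:${CONTROLLER_ADDRESS}:80" "$f" ||
    { echo "ctrl endpoint in $f does not match CONTROLLER_ADDRESS" >&2; return 1; }
  grep -qF "advertise: ${ROUTER_LOCAL_ADDRESS}:3022" "$f" ||
    { echo "advertise in $f does not match ROUTER_LOCAL_ADDRESS" >&2; return 1; }
}

# Enrollment writes the four identity files named in the config's identity
# section; if any is missing, 'ziti router run' has nothing to authenticate with.
identity_files_present() {
  for name in client.cert server.cert server.key cas.cert; do
    [ -s "$1/$name" ] || { echo "missing after enrollment: $1/$name" >&2; return 1; }
  done
  return 0
}

# Steps 12 and 13 with the checks in between. Argument: path to the jwt.
main() {
  jwt=${1:?usage: main /path/to/router.jwt}
  check_router_vars
  check_local_address "$ROUTER_LOCAL_ADDRESS" "$(hostname)"
  looks_like_jwt "$jwt" || { echo "$jwt does not look like an enrollment jwt" >&2; return 1; }
  cfg="${ZITI_HOME}/${ROUTER_NAME}.yaml"
  config_matches_env "$cfg"
  ziti router enroll "$cfg" -j "$jwt"
  identity_files_present "$ZITI_HOME"
  exec ziti router run "$cfg"
}

# Only act when explicitly asked, so the functions can be sourced or tested.
if [ "${RUN_ROUTER_SETUP:-}" = "1" ]; then
  main "$@"
fi
```

With the variables from step 9 exported, run it as `RUN_ROUTER_SETUP=1 sh setup-private-router.sh /path/to/actual.jwt`. The jwt check is deliberately only a shape check; the enrollment itself is what proves the token is valid and unused, and a token that has already been consumed fails there, not here.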

Policy Work:

  1. Go to the nfconsole and login
  2. Go to your "phone" or other "roaming" type devices (the ones you want to be able to connect to the public router) and mark those identities as "roaming" and "home" (or whatever attributes you like; I used roaming). The identity shown here is my laptop, and I use it from home as well as from "the office", so I want it to be "roaming" so that it can use the public router when I'm not on the local network:
  3. Go to "Edge Routers" -> "Edge Router Policies". Make sure you only have one policy. I had two mapping "#auto-edge-routers" to "#all" endpoints (I expect you'll only have one), so I had to remove one; it's important you only have one at this point. Then I changed that policy: instead of "#all" endpoints being able to access the routers with the "#auto-edge-routers" attribute, only "roaming" endpoints can use those routers, since the public edge router should already have this attribute:
  4. Define a new Edge Router Policy and give all your "home" identities access to your "#home-network" edge routers (there's only one) as shown:

You can see that once I create this policy, my inovato identity (I also have a ziti-edge-tunnel running on the inovato), my windows machine, and my macmini will all be able to communicate with the local edge router.

Wrap up

I know that looks like a lot of text and a lot of steps, but I wrote it all out to try to make it clear and explain what it's doing along the way. If you have problems connecting, look at the logs. If you see something like this, with NO_EDGE_ROUTERS_AVAILABLE:

Mar 19 15:04:05 inovato ziti-edge-tunnel[361191]: (361191)[ 8574.089] WARN ziti-sdk:connect.c:454 connect_get_net_session_cb() conn[0.0/Binding] failed to get 'Bind' session for service[inovato.ssh]: NO_EDGE_ROUTERS_AVAILABLE(No edge routers are assigned and online to handle the requested connection)

It probably means you have not associated your identities and edge routers properly; something is most likely missing an attribute.
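A small triage helper for that log line, added here as an example (not from the original post and not part of OpenZiti). It pulls the service name and the session side ('Bind' or 'Dial') out of every NO_EDGE_ROUTERS_AVAILABLE warning, which tells you which end of which service has no router it is allowed to use: a 'Bind' failure is the hosting identity (the ziti-edge-tunnel on the inovato in this setup), so the thing to check is the edge router policy from step 4 that gives "home" identities access to "#home-network" routers; a 'Dial' failure is the connecting identity, so check its "roaming"/"home" attributes and the policy from step 3. The sample lines below are constructed: the first is the warning quoted above, the other two were made up to exercise the parser; the journalctl unit name in the usage note is an assumption.

```shell
#!/bin/sh
# Added example, not code from the original post or from OpenZiti.
# Pulls the service name and session side ('Bind' or 'Dial') out of
# ziti-edge-tunnel warnings that end in NO_EDGE_ROUTERS_AVAILABLE, so you
# know which service, and which end of it, has no usable edge router.
set -eu

# Reads log text on stdin; prints "<service> <side>" once per affected pair.
# The line shape follows the post's warning: "failed to get 'Bind' session
# for service[<name>]: NO_EDGE_ROUTERS_AVAILABLE(...)".
services_without_routers() {
  grep 'NO_EDGE_ROUTERS_AVAILABLE' |
    sed -n "s/.*failed to get '\([A-Za-z]*\)' session for service\[\([^]]*\)\].*/\2 \1/p" |
    sort -u
}

# Constructed sample: the warning line quoted in the post, plus a constructed
# 'Dial' warning for a second service and an unrelated line that must be ignored.
SAMPLE_LOG=$(cat <<'EOF'
Mar 19 15:04:05 inovato ziti-edge-tunnel[361191]: (361191)[ 8574.089] WARN ziti-sdk:connect.c:454 connect_get_net_session_cb() conn[0.0/Binding] failed to get 'Bind' session for service[inovato.ssh]: NO_EDGE_ROUTERS_AVAILABLE(No edge routers are assigned and online to handle the requested connection)
Mar 19 15:04:07 inovato ziti-edge-tunnel[361191]: (361191)[ 8576.120] WARN ziti-sdk:connect.c:454 connect_get_net_session_cb() conn[0.1/Connecting] failed to get 'Dial' session for service[inovato.web]: NO_EDGE_ROUTERS_AVAILABLE(No edge routers are assigned and online to handle the requested connection)
Mar 19 15:04:08 inovato ziti-edge-tunnel[361191]: (361191)[ 8577.000] INFO ziti-sdk:channel.c:100 constructed line, not an error
EOF
)

# Runs the parser over the constructed sample; prints one line per service.
triage_sample() {
  printf '%s\n' "$SAMPLE_LOG" | services_without_routers
}

triage_sample
```

Against a real box, feed it the tunneler's journal instead of the sample, e.g. `journalctl -u ziti-edge-tunnel --since -1h | services_without_routers` (the unit name depends on how you installed ziti-edge-tunnel). An empty result with a connection still failing means the problem is somewhere other than router assignment.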
