OK, here's the text version... I'm going to cover a bit more than just the "how to get the router running" since you need that as well. I'll cover the policy work I think you want too... I can always make a video if you find it helpful.
Installing the Private Edge Router
I have a Raspberry Pi-like device called an inovato (check them out if you haven't) which I'm going to install the router on. It's just like a Pi without the pin-outs. Here's how I installed the router:
- used the helper functions to get ziti on my path (do it manually if you prefer):
source /dev/stdin <<< "$(wget -qO- https://get.openziti.io/quick/ziti-cli-functions.sh)"; getZiti yes
- in nfconsole.io, navigate to "Edge Routers"
- click the plus in the upper right
- give the router a name (I used home-router), give it an attribute of "home-network" (or some attribute you want), choose "Customer Hosted", and click the button to create it.
- You'll be taken to a new screen saying the router has been created.
- expand "Advanced Downloads" and download the jwt. We'll make the config below.
- Transfer the jwt to your private router.
- You seem like you'll be familiar with bash, so I won't explain these parts too much...
- set some environment variables.
- ROUTER_NAME is whatever you want the files to be called on the machine
- ZITI_HOME is important if you follow these instructions later on and it represents where you want the files to be put
- CONTROLLER_ADDRESS should be correct. I pulled it from your other discourse post logs for you
- ROUTER_LOCAL_ADDRESS is the name that the other devices can address your private edge router at. Notice I'm using "inovato", you MUST change that unless you have an 'inovato' too
export ROUTER_NAME="private-router"
export ZITI_HOME="$HOME/ziti-files/${ROUTER_NAME}"
export CONTROLLER_ADDRESS="1cbcdfd4-c7ac-4be9-8f2e-1075845c774c.production.netfoundry.io"
export ROUTER_LOCAL_ADDRESS="inovato"
- make the new folder:
mkdir -p $ZITI_HOME
- Emit the config file using a HEREDOC into the folder you just made, by literally just copying/pasting this block, or do it yourself manually; it should be pretty straightforward to see where the variables are.
cat > ${ZITI_HOME}/${ROUTER_NAME}.yaml <<HERE
v: 3
identity:
  cert: "$ZITI_HOME/client.cert"
  server_cert: "$ZITI_HOME/server.cert"
  key: "$ZITI_HOME/server.key"
  ca: "$ZITI_HOME/cas.cert"
ctrl:
  endpoint: tls:${CONTROLLER_ADDRESS}:80
link:
  dialers:
    - binding: transport
listeners:
  - binding: edge
    address: tls:0.0.0.0:3022
    options:
      advertise: ${ROUTER_LOCAL_ADDRESS}:3022
      connectTimeoutMs: 1000
      getSessionTimeout: 60
  - binding: tunnel
    options:
      mode: host #tproxy|host
edge:
  csr:
    country: US
    province: NC
    locality: Charlotte
    organization: NetFoundry
    organizationalUnit: Ziti
    sans:
      dns:
        - ${ROUTER_LOCAL_ADDRESS}
        - localhost
      ip:
        - "127.0.0.1"
forwarder:
  latencyProbeInterval: 10
  xgressDialQueueLength: 1000
  xgressDialWorkerCount: 128
  linkDialQueueLength: 1000
  linkDialWorkerCount: 32
HERE
- enroll your router by running (replace the path to the jwt you transferred):
ziti router enroll ${ZITI_HOME}/${ROUTER_NAME}.yaml -j /replace/this/with/the/actual.jwt
- run the edge router manually to make sure it starts
ziti router run ${ZITI_HOME}/${ROUTER_NAME}.yaml
Policy Work:
- Go to the nfconsole and login
- Go to your "phone" or other "roaming" type devices, the ones you want to be able to connect to the public router, and mark those identities as "roaming" and "home" (or whatever attributes you like; I used roaming). The identity shown here is my laptop and I use it from home as well as from "the office", so I want it to be "roaming" so that it can use the public router when I'm not on the local network:
- Go to "Edge Routers" -> "Edge Router Policies". Make sure you only have one policy. I had two mapping "#auto-edge-routers" to "#all" endpoints (I expect you'll only have one), so I had to remove one, but it's important you only have one at this point. Then I changed the policy. Instead of "#all" endpoints being able to access the routers with the "#auto-edge-routers" attribute, I made it so that only "roaming" endpoints can use those routers, since the public edge router should already have this attribute:
- Define a new Edge Router Policy and give all your "home" identities access to your "#home-network" edge routers (there's only one) as shown:
You can see once I create this policy, my inovato identity (I also have a ziti-edge-tunnel running on the inovato), my Windows machine, and my Mac mini will all be able to communicate with the local edge router now.
Wrap up
I know that looks like a lot of text and a lot of steps, but I wrote it all out to try to make it clear and explain what it's doing along the way. If you have problems connecting, look at the logs. If you see something like this NO_EDGE_ROUTERS_AVAILABLE:
Mar 19 15:04:05 inovato ziti-edge-tunnel[361191]: (361191)[ 8574.089] WARN ziti-sdk:connect.c:454 connect_get_net_session_cb() conn[0.0/Binding] failed to get 'Bind' session for service[inovato.ssh]: NO_EDGE_ROUTERS_AVAILABLE(No edge routers are assigned and online to handle the requested connection)
It probably means you have not associated your identities and edge routers properly, something is probably missing an attribute.
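The steps above as one script, added here as an example; it is not part of the original post and not OpenZiti or NetFoundry code. It renders the same router config from the same environment variables (ROUTER_NAME, ZITI_HOME, CONTROLLER_ADDRESS, ROUTER_LOCAL_ADDRESS), then refuses to enroll if the advertise hostname was left as the example value "inovato" or is missing from the CSR DNS SANs, since a router whose server cert does not carry the name clients dial will enroll fine but fail TLS when anything connects. It also includes a small log check for the NO_EDGE_ROUTERS_AVAILABLE error. The ROUTER_JWT variable and the treatment of "inovato" as a placeholder are assumptions of this example; the ziti CLI is only needed for the enroll step, and nothing runs unless ROUTER_JWT is set.

```shell
#!/usr/bin/env bash
# Added example, not from the original post or the OpenZiti project. Renders the
# private router config from the post's environment variables, checks it before
# enrolling, and triages a ziti-edge-tunnel log for NO_EDGE_ROUTERS_AVAILABLE.
# Only the enroll step needs `ziti` on PATH; ROUTER_JWT is an assumed variable.
set -euo pipefail

# Emit the router YAML to stdout: ZITI_HOME, controller address, and the
# hostname other devices will dial. Identity paths are absolute on purpose.
render_router_config() {
  local home="$1" ctrl="$2" advertise="$3"
  cat <<EOF
v: 3
identity:
  cert: "${home}/client.cert"
  server_cert: "${home}/server.cert"
  key: "${home}/server.key"
  ca: "${home}/cas.cert"
ctrl:
  endpoint: tls:${ctrl}:80
link:
  dialers:
    - binding: transport
listeners:
  - binding: edge
    address: tls:0.0.0.0:3022
    options:
      advertise: ${advertise}:3022
      connectTimeoutMs: 1000
      getSessionTimeout: 60
  - binding: tunnel
    options:
      mode: host
edge:
  csr:
    country: US
    province: NC
    locality: Charlotte
    organization: NetFoundry
    organizationalUnit: Ziti
    sans:
      dns:
        - ${advertise}
        - localhost
      ip:
        - "127.0.0.1"
forwarder:
  latencyProbeInterval: 10
  xgressDialQueueLength: 1000
  xgressDialWorkerCount: 128
  linkDialQueueLength: 1000
  linkDialWorkerCount: 32
EOF
}

# Reject two mistakes that give a router that enrolls but nobody can reach: the
# example hostname left in place, and an advertise hostname missing from the DNS
# SANs (clients would get a server cert that does not match the name they dial).
check_router_config() {
  local file="$1" advertise
  advertise=$(sed -n 's/^[[:space:]]*advertise:[[:space:]]*\([^:]*\):.*/\1/p' "$file")
  if [ -z "$advertise" ] || [ "$advertise" = "inovato" ]; then
    echo "check: advertise hostname missing or still the example value '${advertise}'" >&2
    return 1
  fi
  if ! grep -qxF "        - ${advertise}" "$file"; then
    echo "check: '${advertise}' is advertised but is not in csr.sans.dns" >&2
    return 1
  fi
}

# List the services that hit NO_EDGE_ROUTERS_AVAILABLE in a ziti-edge-tunnel log;
# returns 1 if any did. That error means no router the identity is allowed to use
# is online, which is almost always a missing attribute or edge router policy.
diagnose_tunnel_log() {
  local logfile="$1" hits
  hits=$(grep 'NO_EDGE_ROUTERS_AVAILABLE' "$logfile" \
    | sed -n 's/.*service\[\([^]]*\)].*/\1/p' | sort -u || true)
  if [ -z "$hits" ]; then
    echo "no NO_EDGE_ROUTERS_AVAILABLE errors in ${logfile}"
    return 0
  fi
  echo "no online edge router assigned for: $(echo "$hits" | tr '\n' ' ')" >&2
  return 1
}

# Render, check, enroll. Export ROUTER_NAME, ZITI_HOME, CONTROLLER_ADDRESS and
# ROUTER_LOCAL_ADDRESS as in the post, then run with ROUTER_JWT=/path/to/router.jwt.
main() {
  local cfg="${ZITI_HOME}/${ROUTER_NAME}.yaml"
  mkdir -p "${ZITI_HOME}"
  render_router_config "${ZITI_HOME}" "${CONTROLLER_ADDRESS}" "${ROUTER_LOCAL_ADDRESS}" > "$cfg"
  check_router_config "$cfg"
  ziti router enroll "$cfg" -j "${ROUTER_JWT}"
}
if [ -n "${ROUTER_JWT:-}" ]; then main; fi
```

The check only understands the layout this script itself emits, so it is not a general YAML validator; if you hand-edit the file, keep the advertise hostname and the first DNS SAN in sync yourself. The log helper can be pointed at the output of journalctl for the ziti-edge-tunnel unit on the device that fails to bind or dial.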