I’ve got a few questions while playing around with OpenZiti as part of my university thesis. I’m testing ZTNA concepts and trying to understand how deep I can go with control and visibility.
Tunneler client IP
When a tunneler connects, it gets an IP in the 100.64.0.0/10 range. Is that IP range fixed or is there a way to assign static/custom IPs to tunneler clients? If not, where can I see the IP that my client is actually using after it connects?
Logging for security experiments
I’m running some basic security tests like port scanning, brute-forcing the Ziti Admin Console, and also trying things like tampering with JWT client configs. Just wondering — where should I be looking for logs or reactions to these kinds of attacks?
Is it the ziti-controller, the ziti-router, or both? Any specific log settings I should enable?
Hi @cado0, welcome to the community and to OpenZiti!
All the tunnelers have the means to change the TUN IP. Look through the UI or command line options and you should find it. If there's one in particular you are looking to know how to change and can't find it after looking, let us know.
It will depend. If you're attacking the controller API either with ZAC, the ziti CLI or other, then you'll look in the controller logs. If you're looking for vectors at the client side, then you'll look primarily in the tunneler's logs, I would expect. You can enable verbose logging if you like, sure.
One thing I would recommend is for you to test an application embedded example as well. Tunnelers are amazing. They bridge IP and overlay, that's their job, but the really amazing bits and truly future-looking stuff in our opinion is application embedded zero trust. If you haven't wrapped your head around that you should try it! That's where OpenZiti shines exceptionally bright. With ZTAA, there's no ports on the underlay at all related to the target app itself. Really cool stuff... Ok I'm biased..
I'm using Linux for the client tunneler, what’s the command to change the TUN IP address?
Also, thanks for the suggestion about trying application embedded ZTNA. That sounds really interesting! I’ve been working mostly with tunnelers so far, but I’ll definitely look into embedded apps too.
use ziti-edge-tunnel help ${command} to see the options. In this case you want the --dns-ip-range option on run:
-d|--dns-ip-range <ip range> specify CIDR block in which service DNS names are assigned in N.N.N.N/n format (default 100.64.0.1/10)
There are a few example programs in the C/Go SDK you can look into, the ziti CLI also has a couple built into it you could try if interested as well
Example help output
$ ziti-edge-tunnel help run
ziti-edge-tunnel run: run Ziti tunnel (required superuser access)
usage: ziti-edge-tunnel run -i <id.file> [-r N] [-v N] [-d|--dns-ip-range N.N.N.N/N] [-D|--diverter <interface list>] [-f|--diverter-fw <interface list>] [-u|--dns-upstream N.N.N.N]
-i|--identity <identity> run with provided identity file (required)
-I|--identity-dir <dir> load identities from provided directory
-x|--proxy type://[username[:password]@]hostname_or_ip:port proxy to use when connecting to OpenZiti controller and edge routers. 'http' is currently the only supported type.
-v|--verbose N set log level, higher level -- more verbose (default 3)
-r|--refresh N set service polling interval in seconds (default 10)
-d|--dns-ip-range <ip range> specify CIDR block in which service DNS names are assigned in N.N.N.N/n format (default 100.64.0.1/10)
-D|--diverter <interface list> set diverter mode to true on <interface list>
-f|--diverter-fw <interface list> set diverter to true in firewall mode on <interface list>)
-u|--dns-upstream <ip addr> resolver listening on 53/udp for DNS queries that do not match a Ziti service
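As an added example that is not part of this thread or of the OpenZiti project: a small POSIX shell script built around the -d/--dns-ip-range option shown above. It answers the second half of the original question (where to see the address the client actually got) by reading the TUN device with `ip -4 -o addr show`, and it checks that the address really falls inside the CIDR you passed to the tunneler. The device name tun0, the identity path and the 10.123.0.1/16 range are assumed values for illustration, not project defaults; in_cidr expects a dotted-quad IPv4 address and a CIDR with a prefix length.

```shell
#!/bin/sh
# tun-check.sh: verify that ziti-edge-tunnel's TUN address sits inside the
# CIDR given with -d/--dns-ip-range. Added example, not OpenZiti project code.

# ip2int DOTTED_QUAD -> the address as a 32-bit integer (for mask arithmetic).
ip2int() {
    old_ifs=$IFS
    IFS=.
    set -- $1            # split on "." into $1..$4
    IFS=$old_ifs
    echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

# in_cidr IP CIDR -> returns 0 if IP is inside CIDR, 1 otherwise.
# CIDR must carry a prefix length, e.g. 100.64.0.1/10 (the tunneler default).
in_cidr() {
    addr_n=$(ip2int "$1")
    net_n=$(ip2int "${2%/*}")
    bits=${2#*/}
    mask=$(( (0xFFFFFFFF << (32 - bits)) & 0xFFFFFFFF ))
    [ $(( addr_n & mask )) -eq $(( net_n & mask )) ]
}

# tun_ipv4 DEV -> prints the first IPv4 address on DEV (without prefix),
# or nothing if the device has none / does not exist.
tun_ipv4() {
    ip -4 -o addr show dev "$1" 2>/dev/null \
        | awk '{ sub(/\/.*/, "", $4); print $4; exit }'
}

# check_tunneler DEV CIDR -> 0 if DEV's address is inside CIDR, 1 if it is
# outside, 2 if DEV has no IPv4 address (tunneler not running?).
check_tunneler() {
    addr=$(tun_ipv4 "$1")
    if [ -z "$addr" ]; then
        echo "no IPv4 address on $1 (is ziti-edge-tunnel running?)"
        return 2
    fi
    if in_cidr "$addr" "$2"; then
        echo "$1 has $addr, inside $2"
    else
        echo "$1 has $addr, OUTSIDE $2"
        return 1
    fi
}

# Usage (assumed identity path and range; run the tunneler as root first):
#   sudo ziti-edge-tunnel run -i /path/to/id.json -d 10.123.0.1/16 &
#   sudo ./tun-check.sh tun0 10.123.0.1/16
if [ $# -eq 2 ]; then
    check_tunneler "$1" "$2"
fi
```

The CIDR arithmetic is done in the shell rather than by trusting the string you passed, so the check also catches the case where a tunneler started with a default config is still holding the device and your custom -d value never took effect.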