I’m just starting with OpenZiti, hosted with NetFoundry. I’m on satellite internet, so it’s clear that traffic between endpoints that are both on my local network is routing out over the internet. Is there a way to have nodes connect directly when possible? I know that other services like ZeroTier do that, but I’m not sure it’s a valid comparison.
At this time OpenZiti does not support “directly” connecting, no. All connections transit through a router, but routers can be scoped to private networks. Here’s a diagram that shows the basic idea:
When on the public internet, you still have the ability to access your private resources through the public router and over the internet, but when you’re on your LAN, you can run a router on that network and steer traffic through that router, because the private router can “link” to the public one and the overlay mesh network knows how to route traffic from start to end. Hopefully, that is clear and makes sense.
You can also control which routers any given identity is allowed to connect to. You’d do this using an “edge router policy”. By default, all identities can use all public routers, but you don’t need to set it up that way. That’s just what “most people” will use, so it’s set up as the default. You’ve got a bit of a special case here though. You probably want to have a private router and set up your “private” resources to only use that private router. Your phones would/should be able to use both routers so when you’re out and about, you still have access.
Since OpenZiti is an overlay network, the devices will all contact the controller in order to authorize a network session. Unless you self-host the controller, right now, that’ll always be over the internet.
Hope that helps and is clear; if not, let us know and we’ll clarify further.
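As an added illustration (not code from the thread or from OpenZiti itself), this Python model applies the role-matching rules edge router policies use (`#attr`, `@name`, `#all`, with `AnyOf`/`AllOf` semantics) to the setup described above: a roaming phone, a LAN-only resource, one public router and one private router on the LAN. Entity names and attributes are constructed for the example; in a real deployment you would create the equivalent policies with `ziti edge create edge-router-policy`.

```python
# Illustrative model of OpenZiti edge-router-policy matching (not OpenZiti code).
# Roles: '#attr' matches an entity carrying role attribute 'attr', '@name' matches
# one entity by name, '#all' matches everything. Semantic 'AnyOf' needs one role
# to match; 'AllOf' needs every role to match.
from dataclasses import dataclass, field

@dataclass
class Entity:
    """An identity or an edge router, with its role attributes."""
    name: str
    attributes: set = field(default_factory=set)

@dataclass
class EdgeRouterPolicy:
    name: str
    identity_roles: list
    router_roles: list
    semantic: str  # 'AnyOf' or 'AllOf', set explicitly per policy here

def role_matches(role: str, entity: Entity) -> bool:
    if role == "#all":
        return True
    if role.startswith("@"):
        return entity.name == role[1:]
    if role.startswith("#"):
        return role[1:] in entity.attributes
    raise ValueError(f"unrecognised role {role!r}")

def selects(roles: list, entity: Entity, semantic: str) -> bool:
    hits = [role_matches(r, entity) for r in roles]
    return all(hits) if semantic == "AllOf" else any(hits)

def allowed_routers(identity: Entity, routers: list, policies: list) -> set:
    """Union of the routers granted by every policy that selects this identity."""
    allowed = set()
    for p in policies:
        if selects(p.identity_roles, identity, p.semantic):
            allowed |= {r.name for r in routers if selects(p.router_roles, r, p.semantic)}
    return allowed

# Constructed scenario from the thread: one public router, one router on the LAN.
ROUTERS = [Entity("public-router", {"public"}), Entity("lan-router", {"private"})]
PHONE = Entity("phone", {"mobile"})    # roams, so it may use both routers
NAS = Entity("nas", {"lan-only"})      # private resource, LAN router only
DEFAULT_POLICY = EdgeRouterPolicy("default", ["#all"], ["#public"], "AnyOf")
POLICIES = [  # narrower replacement for the '#all -> #public' default
    EdgeRouterPolicy("roaming", ["#mobile"], ["#public"], "AnyOf"),
    EdgeRouterPolicy("lan", ["#mobile", "#lan-only"], ["#private"], "AnyOf"),
]
```

Running `allowed_routers` for each identity is a quick way to confirm that a LAN-only resource cannot be reached through the public router after you replace the default policy.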
That accomplishes what I want. Time for some more reading. Thanks.