Does OpenZiti support DTLS? If you could point me to relevant documentation, that would be very helpful.
I don't believe we claim to support DTLS per-se, however, OpenZiti allows you to tunnel UDP or TCP connections and implements end to end encryption for both TCP and UDP between the source and destination identities.
If you establish your own DTLS connection OVER OpenZiti, I would expect it to work properly but this is the application protocol, not OpenZiti... If that makes sense? It'd be similar to how OpenZiti allows TLS over OpenZiti I would think, and that works perfectly.
So if your question is, can OpenZiti secure UDP datagrams, I would respond with "yes" between the source and destination identity. Is that DTLS, no I don't believe so, it's done with libsodium.
Does that make sense and answer the question sufficiently?
Thanks for your reply! I understand Ziti doesn't have built-in support for DTLS but does have the ingredients to build that support on.
With that in mind, I have a follow-up question: when UDP transport is selected, does Ziti deliver the payloads end-to-end as UDP, or is UDP only used at the entry and exit points, with the payload delivered as TCP within the mesh?
Current SDK <-> router and router <-> router traffic is TCP-based. One of our goals is to allow for UDP-based transports (likely using DTLS) for those connections. Some initial work has been done, but there's more to do before it will be a good replacement.
Cheers,
Paul
Sounds good, thank you!
This is a copy of my two questions regarding ziti/zrok.
- Does Ziti 1.6.x support binding to a specific IPv6 address or an interface?
- Does the Ziti 1.6.x router support DTLS?
re: IPv6 - ipv6 Transport Address Parsing · Issue #31 · openziti/transport · GitHub
re: DTLS - It will probably work, but at least for the scenarios we tested, we didn't see any performance gains. You're welcome to try it, and feel free to share any interesting results from your tests.
Paul
Of course, if TCP works properly, there is no performance gain. However, when TCP packets are fragmented and fragments are heavily dropped, the TCP window will shrink dramatically (sometimes to around 500 bytes). In such conditions, DPI throttles TCP connections, making TLS effectively unusable.
Regrettably, TCP performance is strongly dependent on network conditions. In degraded environments, UDP-based transport may perform better.
Is it possible to specify a network interface in order to capture IPv6 & IPv4 packets on that particular interface?
In what context? Using a tunneler? One of the configurable listeners or dialers on the controller or router?