Getting started with OpenZiti, ZAC and ziti-sdk-py

Currently I am exploring openziti. I have installed the ziti fabric network and ZAC also. But I have some queries.

  1. As per the document, two edge routers should be needed. One for the client and another for the server. But where do I have to install them, and what should the connections be?
  2. I have installed ziti-sdk-py where the ziti network has been installed. Should it be on the client side? How will it connect to the ziti network?
  3. How will I protect my server using openziti? I am confused about the connections.

hi @mira23456. Welcome to the community and to OpenZiti! I hope you don't mind but I moved your post to a new topic.

  1. The minimum viable network for OpenZiti is one controller and one router. What document are you referring to that indicates you need two? Please provide the link so we'll have the necessary context to help.
  2. OpenZiti allows you to operate the SDKs on both sides. So it's up to you if it's the server side or the client side or both. It connects to the OpenZiti overlay using a strong identity, as do all OpenZiti SDK clients. You simply need at least one edge router each identity can connect to.
  3. How are you confused? Can you provide more detail?

Perhaps it's worth reviewing the appetizer demo page here OpenZiti - open source zero trust networking! | OpenZiti. It walks you through five basic steps for how a connection from a client to a server is formed. See if that fills any gaps. Also our documentation is pretty good, have you found What is OpenZiti? | OpenZiti and explored that doc?

Cheers!

In the "Ziti Edge Router as Gateway" part:

  • Created two target VMs to host routers. The VMs should be running on Ubuntu 22.04.
  • Created one windows client already. Suggested windows version Windows 10 or Windows 11. Windows servers should work fine as well.
  • Created one ubuntu server already. Or any linux server capable of accepting ssh and http connection.

These are the points. It means we need one non-ziti windows client and one ubuntu server. Each edge router should be on either side (client and server). I have installed ziti-sdk where I installed the ziti network. I have to connect ziti-sdk to each edge router.
I think you are clear now. My query is about the connection between the SDK and the edge router. Is only one SDK needed for the connection, or two?

Hi Mira,

if you want to use the SDK in your testing, there is a document for that under Public Cloud Deployment | OpenZiti

If you look at the service section, there are SDK examples.

The document you are looking at (it also has a youtube video) is an example for connecting from site to site. It is for a user who has a non-ziti client running (could be a linux machine, mac, windows, or even an ipad etc) to connect to another non-ziti machine.

The local-router is used for the client to connect to the server (which is hosted behind the remote-router).

James

@TheLumberjack Can you look into that matter?

sudo ./ziti_router_auto_enroll -f -n --controller 61.2.172.13 --controllerFabricPort 6262 --controllerMgmtPort 1280 --adminUser admin --adminPassword rani0987 --disableHealthChecks --autoTunnelListener --routerName local-router
[sudo] password for deepna:
Failed to stop ziti-router.service: Unit ziti-router.service not loaded.
Removing previous binaries
ERROR-Unable to connect to controller: Connection Error

You'll need to provide more information that you want or need help with. I'm unfamiliar with the ziti_router_auto_enroll functionality, if that's what you want help with.

Judging by the error: "Unable to connect to controller: Connection Error" I'd say the controller is:

  • not online
  • not exposing the correct port
  • there's no connectivity between the router and the controller
  • has PKI misconfigured

The most comprehensive test in this situation is to simply use openssl to verify the controller is online and listening. You would use: openssl s_client -connect your.controller.here:the_port_here < /dev/null | openssl x509 -noout -text (the < /dev/null goes on s_client so it exits after the handshake instead of waiting on stdin). Specifically you'll want to inspect the SANs section that looks like this:

            X509v3 Subject Alternative Name:
                DNS:ec2-13-58-222-94.us-east-2.compute.amazonaws.com, DNS:ip-172-31-11-231, DNS:localhost, IP Address:127.0.0.1

You want to make sure you see the correct entries come back from your controller. If you can get that far, great. We'll probably need someone else to help troubleshoot the problem with the ziti_router_auto_enroll.
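The check described above, split into the two steps a practitioner actually wants to separate (is the port reachable at all, and if so, is the address used in --controller covered by the certificate's SANs), as an added example; this is not code from the thread or from the OpenZiti project. It shells out to the same openssl commands quoted above and parses the text dump in pure Python; the SAN block embedded as SAMPLE_X509_TEXT is constructed from the one quoted in the reply, not captured from a real controller, and the hostname, port and function names are assumptions for illustration.

```python
"""Two-step controller reachability/PKI check for an OpenZiti router enrollment.

Step 1: plain TCP connect (rules out firewall, wrong port, no route).
Step 2: TLS handshake via openssl, then confirm the --controller address
        appears among the certificate's Subject Alternative Names.
"""
import ipaddress
import re
import socket
import subprocess
import sys
from typing import List, Tuple

# Constructed sample of `openssl x509 -noout -text` output, modelled on the
# SAN block quoted in the thread. Not captured from a real controller.
SAMPLE_X509_TEXT = """\
Certificate:
    Data:
        Version: 3 (0x2)
        X509v3 extensions:
            X509v3 Subject Alternative Name:
                DNS:ec2-13-58-222-94.us-east-2.compute.amazonaws.com, DNS:ip-172-31-11-231, DNS:localhost, IP Address:127.0.0.1
            X509v3 Key Usage: critical
                Digital Signature
"""

# The SAN values are on the line after the extension header (which may carry
# a trailing "critical" marker), so match the header line, then grab the next.
SAN_LINE = re.compile(r"Subject Alternative Name:[^\n]*\n\s*([^\n]+)")


def parse_sans(x509_text: str) -> List[Tuple[str, str]]:
    """Return [(kind, value), ...] from the SAN line of openssl's text dump.

    kind is 'DNS' or 'IP'; any other SAN type keeps openssl's own label.
    """
    match = SAN_LINE.search(x509_text)
    if not match:
        return []
    sans = []
    for entry in match.group(1).split(","):
        entry = entry.strip()
        if ":" not in entry:
            continue
        kind, value = entry.split(":", 1)  # maxsplit=1 keeps IPv6 literals intact
        kind = "IP" if kind.strip() == "IP Address" else kind.strip()
        sans.append((kind, value.strip()))
    return sans


def address_matches_sans(addr: str, sans: List[Tuple[str, str]]) -> bool:
    """True if addr (hostname or IP literal) is covered by a SAN entry.

    An IP literal must match an IP SAN exactly (a DNS SAN never covers an IP,
    which is the classic mismatch when --controller is given as a bare address).
    A hostname matches a DNS SAN case-insensitively, including a single-label
    wildcard such as *.example.com.
    """
    try:
        ip = ipaddress.ip_address(addr)
    except ValueError:
        ip = None
    if ip is not None:
        return any(k == "IP" and ipaddress.ip_address(v) == ip for k, v in sans)
    host = addr.lower().rstrip(".")
    for kind, value in sans:
        if kind != "DNS":
            continue
        pattern = value.lower().rstrip(".")
        if pattern == host:
            return True
        if (pattern.startswith("*.") and host.count(".") == pattern.count(".")
                and host.endswith(pattern[1:])):
            return True
    return False


def tcp_reachable(host: str, port: int, timeout: float = 5.0) -> bool:
    """Step 1: a bare TCP connect; failure here is network, not PKI."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


def fetch_cert_text(host: str, port: int) -> str:
    """Step 2: the openssl pipeline from the thread, with stdin closed on
    s_client (input=b"") so it exits right after the handshake."""
    s_client = subprocess.run(
        ["openssl", "s_client", "-connect", f"{host}:{port}", "-servername", host],
        input=b"", capture_output=True, timeout=15, check=False)
    x509 = subprocess.run(["openssl", "x509", "-noout", "-text"],
                          input=s_client.stdout, capture_output=True, check=True)
    return x509.stdout.decode()


def check_controller(host: str, port: int) -> str:
    """Run both steps and say which of the failure modes listed above applies."""
    if not tcp_reachable(host, port):
        return f"TCP connect to {host}:{port} failed: controller down, wrong port, or no route"
    sans = parse_sans(fetch_cert_text(host, port))
    if address_matches_sans(host, sans):
        return f"OK: {host} is covered by the controller certificate SANs {sans}"
    return f"PKI mismatch: {host} is not covered by SANs {sans}; fix the PKI or use a listed name"


if __name__ == "__main__":
    # Hypothetical usage: python check_controller.py ctrl.example.com 6262
    print(check_controller(sys.argv[1], int(sys.argv[2])))
```

Run it once against the fabric port (6262 above) and once against the management port (1280): a router that reaches one but not the other points at a port or firewall problem, while a "PKI mismatch" result with a bare IP in --controller means the certificate only lists DNS names and the enrollment should use one of those names (or the PKI should be regenerated with the IP as a SAN).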