Help creating my first router

Hi there, me again, begging for more help.

So, I am trying to install my first router. It’s a private router; here is what I have done so far, following these docs. I have a working install at zitidev.mydomain.com and I can talk to the controller and see the ZAC. I am using Debian12, the same as I have for all my other testing.

I downloaded the ziti executable with wget https://github.com/openziti/ziti/releases/download/v0.30.0/ziti-linux-amd64-0.30.0.tar.gz, then untarred it with tar -xzvf ziti<tab>. I then moved it to the /usr/bin/ folder so I don’t have to keep ./ing it.

Next I downloaded the auto-enroll script with wget https://github.com/netfoundry/ziti_router_auto_enroll/releases/latest/download/ziti_router_auto_enroll.tar.gz && tar xf ziti_router_auto_enroll.tar.gz

Then I tried to install the router with this command:

sudo ./ziti_router_auto_enroll -f -n \
--controller zitidev.mydomain.com \
--controllerFabricPort 8440 \
--controllerMgmtPort 8441 \
--adminUser root \
--adminPassword It'sASuperSecret \
--disableHealthChecks \
--disableMetrics \
--autoTunnelListener \
--routerName bobrouter

This is my output.

Failed to stop ziti-router.service: Unit ziti-router.service not loaded.
ERROR-Unable to authenticate with controller: 401 {"error":{"code":"INVALID_AUTH","message":"The authentication request failed","requestId":"C1TtBV2Rh"},"meta":{"apiEnrollmentVersion":"0.0.1","apiVersion":"0.0.1"}}


$ systemctl status ziti-router
Unit ziti-router.service could not be found.

Hi @jptechnical,

The error you’re receiving shows that the username/password are being rejected by the controller.

ERROR-Unable to authenticate with controller: 401 {"error":{"code":"INVALID_AUTH","message":"The authentication request failed","requestId":"C1TtBV2Rh"},"meta":{"apiEnrollmentVersion":"0.0.1","apiVersion":"0.0.1"}}

That command assumes you want to create the edge-router on the controller while you’re auto enrolling a VM & only supports the updb method of ziti authentication. If you’re using other types of authentication you can still use the ziti_router_auto_enroll following this guide: Create new router | OpenZiti to pre-create the edge-router in the ziti controller & then use the script to auto download/configure/enroll a VM.

I’ll go spin up a Debian12 machine & see if I can get this to complete myself; meanwhile, I hope the above helps.

Edward

Interesting, then is the syntax for connecting incorrect? Because I can log in to the controller with these creds.

jp@zitidevrouter:~$ ziti edge login
Using controller url: https://zitidev.mydomain.com:8441/edge/management/v1 from identity 'default' in config file: /home/jp/.config/ziti/ziti-cli.json
Using username: root from identity 'default' in config file: /home/jp/.config/ziti/ziti-cli.json
Enter password: <SAME AS BEFORE>
Token: f81a...5eb7
Saving identity 'default' to /home/jp/.config/ziti/ziti-cli.json

I was able to create the router using that doc, however.

ziti edge create edge-router bobrouter -o bobrouter.jwt

sudo ./ziti_router_auto_enroll -f -n \
--controller zitidev.mydomain.com \
--controllerFabricPort 8440 \
--controllerMgmtPort 8441 \
--disableMetrics \
$(cat bobrouter.jwt)

Should my router show up as an identity? Or did I do a step out of order or miss a step?

jp@zitidevrouter:~$ ziti edge list edge-routers
╭────────────┬─────────────────────────┬────────┬───────────────┬──────┬────────────╮
│ ID         │ NAME                    │ ONLINE │ ALLOW TRANSIT │ COST │ ATTRIBUTES │
├────────────┼─────────────────────────┼────────┼───────────────┼──────┼────────────┤
│ pCMpIV2Rhw │ zitidev.jptech.services │ true   │ true          │    0 │ public     │
│ vgLNyd2shw │ bobrouter               │ true   │ true          │    0 │            │
╰────────────┴─────────────────────────┴────────┴───────────────┴──────┴────────────╯
results: 1-2 of 2
jp@zitidevrouter:~$ ziti edge list identities
╭────────────┬─────────────────────────┬────────┬───────────────────┬─────────────╮
│ ID         │ NAME                    │ TYPE   │ ATTRIBUTES        │ AUTH-POLICY │
├────────────┼─────────────────────────┼────────┼───────────────────┼─────────────┤
│ 99fiK02s2w │ admin.zitidev           │ Device │ ssh.bind,ssh.dial │ Default     │
│ Zbf3u0hRhw │ zitidevwin.zitidev      │ Device │ ssh.bind,ssh.dial │ Default     │
│ c-c9v4Keq  │ Default Admin           │ User   │                   │ Default     │
│ oTf3u0hshw │ zitidevh2.zitidev       │ Device │ ssh.bind,ssh.dial │ Default     │
│ pCMpIV2Rhw │ zitidev.jptech.services │ Router │                   │ Default     │
│ xUfiK02s2w │ zitidevh1.zitidev       │ Device │ ssh.bind,ssh.dial │ Default     │
╰────────────┴─────────────────────────┴────────┴───────────────────┴─────────────╯
results: 1-6 of 6

I can answer this question. When you have a router enabled for tunneling mode it will have an identity of type Router like zitidev.jptech.services │ Router.

@emoscardini is there a flag that needs to be passed to enable tunneling mode? Is that --autoTunnelListener?

Hi @jptechnical

Out of curiosity, did you wrap the user/pass in single or double quotes?

I spun up a Debian12 VM in AWS & was able to enroll successfully with the same command:

sudo ./ziti_router_auto_enroll -f -n \
--controller 193.122.136.108 \
--controllerFabricPort 80 \
--controllerMgmtPort 443 \
--adminUser "*********" \
--adminPassword "********" \
--disableHealthChecks \
--disableMetrics \
--autoTunnelListener \
--routerName local-router
Failed to stop ziti-router.service: Unit ziti-router.service not loaded.
Writing jwt file: local-router_enrollment.jwt
Version not specified, going to check with controller
Found version 0.29.0
Downloading file: https://github.com/openziti/ziti/releases/download/v0.29.0/ziti-linux-amd64-0.29.0.tar.gz
Downloading: 100%|████████████████████████████████████████████████████████████████| 42.8M/42.8M [00:00<00:00, 44.6MiB/s]
Successfully downloaded file
Starting binary install
Installing service unit file
Creating config file
Starting Router Enrollment
Successfully enrolled Ziti
Unable to handle DNS setup on this distro, please ensure the local host is the first resolver
Service ziti-router.service start successful.
Created symlink /etc/systemd/system/multi-user.target.wants/ziti-router.service → /etc/systemd/system/ziti-router.service.
Service ziti-router.service enable successful.

FYI, the "Failed to stop ziti-router.service" message at the beginning is caused by the fact that -f/--force is being passed in & the script is assuming ziti-router is already installed on the VM & someone is attempting to enroll against another controller.

Yes, but since you created the router manually, you'll need to alter the create command to enable the tunnel feature on the edge-router by appending -t or --tunneler-enabled.

You can update the current edge-router & enable the tunneler with the command:
ziti edge update edge-router bobrouter -t

Yes, the option --autoTunnelListener will attempt to automatically add the tunnel configuration to the local VM being enrolled & is needed for a tunnel enabled edge-router.

This is the first time I've run this script on Debian12 & although it worked as expected, the ziti-router failed to run properly since the script didn't set up the resolver correctly (something we can fix). In order to set up the resolver on the Debian12 I was working with, I placed a file called "01-ziti.conf" in the directory /usr/lib/systemd/resolved.conf.d/ with the content:

#Ziti Added file
[Resolve]
DNS={local IP address}

Replacing the {local IP address} with the correct value. Then I restarted systemd-resolved: sudo systemctl restart systemd-resolved.service

Since you have already enrolled the edge-router, you can either:

Update the resolver as shown above, then manually alter the router config file /opt/openziti/ziti-router/config.yml & add a tunnel config under listeners:, something like this:

  - binding: tunnel
    options:
      mode: tproxy
      resolver: udp://{local IP address}:53
      lanIf: ens5
      dnsSvcIpRange: 100.64.0.0/10

Where the {local IP address} address matches the value you placed in the resolved configuration.

Or

You can delete the current router & create/enroll again, this time using the create flag -t & the enrollment option --autoTunnelListener. You'll still need to adjust the resolved config as shown above.

Hope that helps.

Edward
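A small helper, added here as an example and not part of Edward's reply or of the ziti_router_auto_enroll script, that performs the two manual edits above with the local IP validated first: it writes the 01-ziti.conf drop-in and renders the tunnel listener fragment for config.yml. The drop-in directory, the ens5 default and the optional apply/restart step are assumptions.

```shell
#!/bin/sh
# Added example (not from the thread): resolver drop-in + tunnel listener
# fragment for a tunneler-enabled OpenZiti edge-router on Debian 12.
set -eu

# Accept only a dotted-quad IPv4 address with four octets in 0-255, so a
# typo never ends up as the host's first DNS resolver.
valid_ipv4() {
  ip=$1
  case $ip in
    ''|*[!0-9.]*|.*|*.|*..*) return 1 ;;
  esac
  old_ifs=$IFS; IFS=.; set -- $ip; IFS=$old_ifs
  [ $# -eq 4 ] || return 1
  for o in "$@"; do
    [ "$o" -le 255 ] || return 1
  done
}

# Write the systemd-resolved drop-in Edward described. The directory is a
# parameter so it can be pointed at a scratch path when testing.
write_resolved_dropin() {
  ip=$1
  dir=${2:-/usr/lib/systemd/resolved.conf.d}   # assumed default path
  valid_ipv4 "$ip" || { echo "not an IPv4 address: $ip" >&2; return 1; }
  mkdir -p "$dir"
  printf '#Ziti Added file\n[Resolve]\nDNS=%s\n' "$ip" > "$dir/01-ziti.conf"
}

# Render the listeners: entry for config.yml with the same IP, so the
# resolver line and the drop-in can never drift apart.
tunnel_listener_yaml() {
  ip=$1; lan_if=${2:-ens5}   # ens5 is the interface from Edward's example
  valid_ipv4 "$ip" || return 1
  printf '  - binding: tunnel\n    options:\n      mode: tproxy\n'
  printf '      resolver: udp://%s:53\n      lanIf: %s\n' "$ip" "$lan_if"
  printf '      dnsSvcIpRange: 100.64.0.0/10\n'
}

# Usage on the router host as root: ./this.sh apply <local IP>
if [ "${1:-}" = apply ]; then
  write_resolved_dropin "${2:?local IP address required}"
  systemctl restart systemd-resolved.service
  tunnel_listener_yaml "$2"   # paste the output under listeners: in config.yml
fi
```

Run it with apply only on the router host itself; without arguments it just defines the functions, which is how the checks below exercise it.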

There are two docs that I was referencing, but they are so similar in appearance and definition I can’t tell which does what. I get that one uses a router and the other a tunnel… but why would you choose either option? The video format is hard for me to follow (it might be my OCD; I can’t track all the windows or what is going on based just on the subnets). For instance, are two subnets required for this howto? Could it be simplified with just one? Then in another installment add an additional subnet?

Specifically these two docs:

IMO, having a sequence of videos or docs that build on each other would be more beneficial; at least that is my learning style and how I consume new tech… more hypothesis driven and iterative. I am building my own series of steps to build infrastructure, learning a new component each time.