How do I create a service that connects to a Subnet via a router instead of just a single host?

82

well there certainly is no replacement for trying it oneself… I’ve setup a new little lab for me and I feel like I’m hitting a bug. I’ll keep plugging away at this and get back to you in a bit

83

Hi @Danieleb, I did indeed hit a bug with the Ziti Desktop Edge for Windows. We had to fix that before I could finish helping you here. We did that though, look for the ZDEW 2.1.9 release that will come out soon or (ziti-edge-tunnel v0.20.9 if using that).

I recorded a video this morning demonstrating it working. You can find that here:

Here's what I created in my lab:

image
image1697×592 53.6 KB

Here's the commands/steps I ran with a bit of exposition around each step

made admin1 and admin2

ziti edge create identity user admin1 -o admin1.jwt
ziti edge create identity user admin2 -o admin2.jwt

make the one config/service-policy needed per site:

ziti edge create config remoteaccess-host.v1 host.v1 '{"forwardProtocol": true, "allowedProtocols": ["udp","tcp"], "forwardAddress": true, "allowedAddresses": ["172.31.0.0/16"], "forwardPort": true, "allowedPortRanges": [{"low":1, "high":65535}], "listenOptions": {"bindUsingEdgeIdentity":true}}'

allow routers to bind this any service with the admin.accessable.services attribute

ziti edge create service-policy admin.access.bind Bind
--service-roles "#admin.accessable.services"
--identity-roles "#zero-trust-bastion"

Commands for Admin1

user=admin1
ziti edge create config "${user}"'.config.intercept.v1'
intercept.v1 '{"dialOptions": {"identity":"site1"}, "protocols":["tcp"],"addresses":["172.31.0.0/16"], "portRanges":[{"low":1, "high":65535}]}'

ziti edge create service "remote.access.${user}"
--configs "${user}.config.intercept.v1","remoteaccess-host.v1"
-a "${user}.accessable.services","admin.accessable.services"

ziti edge create service-policy "${user}.access.dial" Dial
--service-roles "@remote.access.${user}"
--identity-roles "@${user}"

Commands for Admin2

user=admin2
ziti edge create config "${user}"'.config.intercept.v1'
intercept.v1 '{"dialOptions": {"identity":"site1"}, "protocols":["tcp"],"addresses":["172.31.0.0/16"], "portRanges":[{"low":1, "high":65535}]}'

ziti edge create service "remote.access.${user}"
--configs "${user}.config.intercept.v1","remoteaccess-host.v1"
-a "${user}.accessable.services","admin.accessable.services"

ziti edge create service-policy "${user}.access.dial" Dial
--service-roles "@remote.access.${user}"
--identity-roles "@${user}"

contents of change-site.sh

ziti edge update config $1.config.intercept.v1 -d '{"dialOptions": {"identity":"'$2'"}, "protocols":["tcp"],"addresses":["172.31.0.0/16"], "portRanges":[{"low":1, "high":65535}]}'

example site change by admin

./change-site.sh admin1 site1
./change-site.sh admin2 site2
./change-site.sh admin1 site2
./change-site.sh admin2 site1

Hopefully you'll have success this time - don't forget to get the latest tunneler/zdew though, should be released later today.

84

The commands and the lab setup can be found on this gist:

https://gist.githubusercontent.com/dovholuknf/f72a20f02ebf33c08949f83c42d35eb3/raw/9b2c3a8998a44bf14c5986adfd53699f859a94e1/gistfile1.txt

85

Thanks so much for the hard work Clint, will give it a go today :grinning:

86

It's been a while since this thread was active, but I thought I'd mention a feature that we just added that lets you translate an intercepted IP to a different subnet at the hosting tunneler. I think this could help with cases where a client needs to connect to devices on multiple sites that use the same subnet.

The new forwardAddressTranslations field in host.v1 is an array of translations that transform the intercepted IP to a different subnet. They look like this:

{ "from": "192.168.0.0", "to": "172.16.0.0", "prefixLength": 16 }

You'll need to define a separate intercept.v1 configuration (and service) for each site that you want to reach. This might still be a nonstarter if you have a large number of sites. The upside is that you'll only need a single client identity. Eventually when we work on ziti-tunnel-sdk-c#540 we could consider adding a $dst_subnet variable that could be used in dialOptions.identity so a single service/intercept.v1 configuration would work for multiple sites. But for now your intercept.v1 configurations might look like this:

site 1

{
   "addresses": [ "192.168.1.0/24" ],
   "portRanges": [ { "low": 22, "high": 22 } ],
   "protocols": [ "tcp" ]
}

site 2

{
   "addresses": [ "192.168.2.0/24" ],
   "portRanges": [ { "low": 22, "high": 22 } ],
   "protocols": [ "tcp" ]
}

site 3

{
   "addresses": [ "192.168.3.0/24" ],
   "portRanges": [ { "low": 22, "high": 22 } ],
   "protocols": [ "tcp" ]
}

And the corresponding host.v1 (that can be used for all sites/services) would look something like this:

{
  "forwardAddress": true,
  "forwardAddressTranslations": [
     { "from": "192.168.2.0", "to": "192.168.1.0", "prefixLength": 24 },
     { "from": "192.168.3.0", "to": "192.168.1.0", "prefixLength": 24} 
  ],
  "allowedAddresses": [ "192.168.0.0/16" ],
  "port": 22,
  "protocol": "tcp"
}
1 Like