How to customize TUN IP range for Windows Ziti Edge Client Desktop?

Hello,

I'm evaluating running OpenZiti on our corporate network.

I ran into a problem when running the openziti tunneler: the default TUN IP range 100.64.0.0/10 conflicts with corporate private subnet IP address.

  • On Linux, I can customize the IP range using the command line flag --dns-ip-rang
  • On Ziti Desktop Edge on Windows, I couldn't figure out how to customize this IP range.
    I tried to update it via the UI, but after clicking save, it automatically falls back to the default CGNAT IP range 100.64
    1. Open the Ziti Desktop Edge client.
    2. Go to Main Menu > Advanced Settings > Tunnel Configuration.
    3. Click Edit Values.

Please advise how I can customize the TUN IP range on the Windows Edge Client. I'm using version App.2.9.5.0

When you click save, a blurb pops up. It will tell you the tunneler needs to restart. Go back to the main menu and press the big circular green button to stop, then press again to start the service back up and the range will be applied.

That should be all you need to do in order to change the range.

Alternatively, you can stop the ziti service with the services widget or with net stop|start ziti from the command line.

@TheLumberjack

Thanks a lot for your prompt reply, and it works.

Following up on this, two more questions:

  1. Is it possible to customize it at edge client installation time?
    Define the IP range as a parameter during installation, or define a config file during installation?
  2. Does the edge client require Windows admin permission to run? Because, you know, in a corporate environment a user usually won't have admin permission.

Not at this time. It's been on the list of things to support someday (some sort of 'answer file' idea) but it's work that just has never been prioritized yet. You can make your own post-install script though; it's easy enough to edit the file and restart the service to apply the change without the UI. Modify the config file found in the system profile:

grep TunIpv4 C:\windows\system32\config\systemprofile\AppData\Roaming\NetFoundry\config.json
        "TunIpv4":"100.150.0.0",
        "TunIpv4Mask":15,

NOTE

This location --will-- change someday to use the PROGRAMDATA folder instead of APPDATA but that's another change that's not planned at this time but will happen eventually.

Yes - and no. The client creates a TUN device which requires elevated privileges. Therefore, when the installer runs, two new services will be added to the services list:

Status   Name               DisplayName
------   ----               -----------
Running  ziti               Ziti Desktop Edge Service
Running  ziti-monitor       Ziti Desktop Monitor Service

Both of these services run as "SYSTEM". However -- to USE the app, admin rights are not required but "authenticated user" is. The ziti-monitor service is used to stop/start the ziti service from non-admin users but a user must be authenticated to perform those tasks.

hth
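
One way to script the post-install step described in the reply above (an added example, not part of the original thread and not OpenZiti project code): it rewrites only the two keys shown in the grep output, refuses a range that overlaps your own subnets, and restarts the ziti service. The corporate CIDR list is a constructed sample; the parameter validation bounds and the UTF-8 write are assumptions.

```powershell
#Requires -RunAsAdministrator
# Added example (not OpenZiti project code): set the TUN range without the UI.
param(
    [ValidatePattern('^(\d{1,3}\.){3}\d{1,3}$')]
    [string]$TunIpv4 = '100.150.0.0',              # values from the reply above
    [ValidateRange(1, 32)][int]$TunIpv4Mask = 15,  # bound is an assumption
    # Constructed sample list: replace with the subnets your network routes.
    [string[]]$CorporateCidrs = @('100.64.0.0/12', '10.0.0.0/8')
)
$ErrorActionPreference = 'Stop'
$ConfigPath = 'C:\windows\system32\config\systemprofile\AppData\Roaming\NetFoundry\config.json'

# Returns the first $Len bits of an IPv4 address as a number.
function Get-Prefix([string]$Ip, [int]$Len) {
    $bytes = [System.Net.IPAddress]::Parse($Ip).GetAddressBytes()
    if ($bytes.Length -ne 4) { throw "Not an IPv4 address: $Ip" }
    [Array]::Reverse($bytes)   # network order -> little-endian for BitConverter
    [Math]::Floor([BitConverter]::ToUInt32($bytes, 0) / [Math]::Pow(2, 32 - $Len))
}

# Two CIDR blocks overlap when they agree on the shorter of the two prefixes.
function Test-CidrOverlap([string]$A, [string]$B) {
    $ipA, $lenA = $A -split '/'
    $ipB, $lenB = $B -split '/'
    $len = [Math]::Min([int]$lenA, [int]$lenB)
    (Get-Prefix $ipA $len) -eq (Get-Prefix $ipB $len)
}

$range = "$TunIpv4/$TunIpv4Mask"
foreach ($cidr in $CorporateCidrs) {
    if (Test-CidrOverlap $range $cidr) { throw "TUN range $range overlaps $cidr" }
}

# Edit only the two keys shown in the thread; the rest of the file is untouched.
$ipRe   = '("TunIpv4"\s*:\s*)"[^"]*"'
$maskRe = '("TunIpv4Mask"\s*:\s*)\d+'
$text = [System.IO.File]::ReadAllText($ConfigPath)
if ($text -cnotmatch $ipRe -or $text -cnotmatch $maskRe) {
    throw "TunIpv4/TunIpv4Mask not found in $ConfigPath; nothing changed."
}
Copy-Item -LiteralPath $ConfigPath -Destination "$ConfigPath.bak" -Force
$text = [regex]::Replace($text, $ipRe, ('${1}"' + $TunIpv4 + '"'))
$text = [regex]::Replace($text, $maskRe, ('${1}' + $TunIpv4Mask))
# Assumption: the service reads the file as UTF-8 without a byte-order mark.
$utf8 = New-Object System.Text.UTF8Encoding($false)
[System.IO.File]::WriteAllText($ConfigPath, $text, $utf8)

# The new range only takes effect once the ziti service restarts.
Restart-Service -Name ziti
```

Run it from a 64-bit PowerShell session, since a 32-bit process has system32 paths redirected to SysWOW64 and would not find the file.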

@TheLumberjack

Thanks for your detailed information. This is definitely very helpful!