How to override/set openziti endpoint in zrok?

Hello.

I'm getting the following error while connected to a Cisco Secure Client VPN:

[ERROR]: error creating topTunnel backend (error listening: failed to listen: no apisession, authentication attempt failed: Post "https://ziti.share.0101.party:1280/edge/client/v1/authenticate?method=cert": context deadline exceeded (Client.Timeout exceeded while awaiting headers))

This issue only occurs with my self hosted instance. I was able to open tunnels and use them with free tier api.zrok.io endpoint.

I have noticed that VPN is blocking connections to https://ziti.share.0101.party:1280 but not to https://ziti.share.0101.party. I'm assuming both are one and the same.

Or, can this URL be customized before building the Docker containers? Is there a way to avoid the https://domain:PORT/xyz syntax in my setup configuration?

Thanks.

It sounds like the VPN may block destination ports other than 443. While connected to the VPN, are you able to open a connection to the OpenZiti controller's 1280/tcp?

Even if you get an error, you can still confirm the port is "open" while connected to the VPN by visiting the controller's URL in a web browser: https://ziti.share.0101.party:1280

You should see a certificate error if it's working correctly (zrok brokers cert trust through OpenZiti, not through the OS or browser's CA trust store).

curl times out while connected to the VPN. Got an SSL error as expected without the VPN.

I'm quite curious to know why the official api.zrok.io works fine, though.

I suspect it's because the VPN is blocking outgoing ports other than 443. You can verify your zrok environment is using port 443/tcp for the official zrok.io instance by parsing the OpenZiti controller URL from the environment's configuration file.

jq .ztAPI ~/.zrok/identities/environment.json

You're self-hosting zrok in Docker and using Caddy to manage zrok's certs, right?

The VPN probably allows 80/tcp too. Will you confirm with cURL while your VPN is turned on?

curl -sSf http://api.zrok.io:80

...gets this output if 80/tcp works on the VPN.

<html>
<head><title>301 Moved Permanently</title></head>
<body>
<center><h1>301 Moved Permanently</h1></center>
</body>
</html>

Yes.

Yes, it's working.

Great! That's two: 80,443. If we have three TCP ports, then only a small change to the zrok Docker recipe is needed.

See if 22, 53, 1723, 3306, 3389, 8000, 8080, 8088, 8443, 8888, etc. are open while the VPN is ON.

EDIT: more candidates 25, 110, 139, 143, 194, 445, 5900

UPDATE: I'm drafting a solution in this pull request: stop Caddy binding 80/tcp so it can be used as an edge listener by qrkourier · Pull Request #792 · openziti/zrok · GitHub that you may reference to switch your required Ziti ports over to common ports allowed by your VPN

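To tie the two checks in this thread together (reading the controller URL out of ~/.zrok/identities/environment.json, and finding out which TCP ports the VPN lets through to that host), here is an added example script. It is not part of the thread and not zrok's or OpenZiti's own code. The hostname ziti.example.test, the embedded sample environment.json, and the function names are assumptions made for illustration; the candidate port list is the one suggested above plus the controller's 1280. A plain TCP connect that times out is the VPN-blocked symptom from the original error, while a connect that succeeds and then fails at the TLS layer (the "SSL error" seen without the VPN) means the port is open.

```python
"""Added example (not zrok's or OpenZiti's own code): read the OpenZiti
controller endpoint from a zrok environment file and probe which TCP ports
reach that host, distinguishing a timeout (filtered, e.g. by a VPN) from a
refused connection (host reachable, nothing listening)."""
import json
import socket
import sys
from pathlib import Path
from urllib.parse import urlsplit

# Constructed stand-in for ~/.zrok/identities/environment.json; the hostname
# and port are hypothetical. Only the "ztAPI" key is read below.
SAMPLE_ENVIRONMENT_JSON = json.dumps({"ztAPI": "https://ziti.example.test:1280"})

# Ports a restrictive VPN plausibly allows (the candidates from the thread),
# plus the OpenZiti controller's default 1280.
CANDIDATE_PORTS = [22, 25, 53, 80, 110, 139, 143, 194, 443, 445, 1280, 1723,
                   3306, 3389, 5900, 8000, 8080, 8088, 8443, 8888]


def controller_endpoint(environment_json: str) -> tuple[str, int]:
    """Return (host, port) from the ztAPI URL. A URL with no explicit port
    means 443 for https (80 for http), i.e. a port a VPN is likely to pass."""
    url = urlsplit(json.loads(environment_json)["ztAPI"])
    if not url.hostname:
        raise ValueError("ztAPI has no hostname")
    return url.hostname, url.port or (443 if url.scheme == "https" else 80)


def tcp_probe(host: str, port: int, timeout: float = 3.0) -> str:
    """Attempt a plain TCP connect (no TLS). 'open' means the port answers,
    so a certificate error seen afterwards in a browser or curl is expected;
    'timeout' is the VPN-blocked symptom; 'refused' means the host was
    reached but nothing is listening on that port."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return "open"
    except socket.timeout:
        return "timeout"
    except ConnectionRefusedError:
        return "refused"
    except OSError as exc:          # DNS failure, unreachable network, etc.
        return f"error: {exc}"


def probe_ports(host: str, ports, timeout: float = 3.0) -> dict[int, str]:
    """Probe each distinct port once and map port -> result string."""
    return {port: tcp_probe(host, port, timeout) for port in sorted(set(ports))}


def self_check() -> dict[str, str]:
    """Offline demonstration: probe a local listening port and a local port
    that was just released, without touching any real controller."""
    listener = socket.socket()
    listener.bind(("127.0.0.1", 0))
    listener.listen(1)
    open_port = listener.getsockname()[1]
    spare = socket.socket()
    spare.bind(("127.0.0.1", 0))
    closed_port = spare.getsockname()[1]
    spare.close()                   # freed again: a connect here is refused
    try:
        return {"listening": tcp_probe("127.0.0.1", open_port),
                "closed": tcp_probe("127.0.0.1", closed_port)}
    finally:
        listener.close()


if __name__ == "__main__":
    # Usage: python probe.py [path/to/environment.json]. Run it once with the
    # VPN off and once with it on; a port that is 'open' in both runs is a
    # candidate for moving the controller/router listeners onto.
    default = "~/.zrok/identities/environment.json"
    path = Path(sys.argv[1] if len(sys.argv) > 1 else default).expanduser()
    host, ctrl_port = controller_endpoint(path.read_text())
    print(f"controller {host}:{ctrl_port}")
    for port, result in probe_ports(host, CANDIDATE_PORTS + [ctrl_port]).items():
        print(f"{port:>5}/tcp  {result}")
```

The probe deliberately stops at the TCP handshake: whether the service behind the port is the controller or Caddy is irrelevant to the question of which destination ports the VPN passes, and skipping TLS keeps the check independent of the fact that zrok brokers certificate trust through OpenZiti rather than the OS trust store.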

Here's an overview of zrok's network flows in the Docker w/ Caddy example.

video tour: https://youtu.be/U6d5qa3qOGo

EDIT: an attempt at highlighting the internet firewall exceptions and wildcard DNS requirement:
