Is there a zrok cli command to get shareTokens?

I want to run frontdoor with a private share. How can I get the share/access token so the other machine can connect using private? I need this from the device/CLI, the web portal won't help in this case.

Hey @chaos, It sounds like both machines are trusted and you're using the same zrok account for running the share and the access.

Option 1: If both zrok environments were enabled with the same zrok account, you can parse the overview from the CLI to find share tokens by environment ID (ZID in this example).

This lists all share tokens owned by the zrok environment on the local machine. You could look up share tokens owned by another environment's ZID from the same zrok account too.

# Read this environment's Ziti identity (its zId) from the local zrok environment file.
ZID=$(jq --raw-output .ziti_identity ~/.zrok/environment.json)
# Print the token of every share owned by that environment.
zrok overview \
| jq --raw-output --arg ZID "$ZID" '.environments[] | select(.environment.zId == $ZID) | .shares[].token'

Option 2: Use a memorable private share token with the closed permission mode. That way, only your account can access the private share even if someone else guesses the private share token.

I'll use proxy target http://127.0.0.1:3000 as an example.

Here's how it works with just CLI commands. On the sharing machine, reserve and run the private share.

zrok reserve private --unique-name "myprivateshare" --closed 3000
zrok share private "myprivateshare"

Here's how it works with frontdoor. On the sharing machine's frontdoor service, configure the share environment and run the zrok-share Linux service or Docker container.

ZROK_BACKEND_MODE="proxy"
ZROK_TARGET="http://127.0.0.1:3000"
ZROK_UNIQUE_NAME="myprivateshare"
ZROK_FRONTEND_MODE="reserved-private"
ZROK_PERMISSION_MODE="closed"

On the accessing machine, run the access frontend with the same zrok account.

zrok access private "myprivateshare"
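To script Option 1 without hand-editing the jq filter, here is an added Python example (not code from the zrok project or from this thread) that walks the same .environments[].environment.zId and .shares[].token paths over `zrok overview` output and can answer for the local environment or any other environment in the account. The sample overview, its placeholder zId values and the "shareMode" field name used for the optional filter are assumptions for illustration.

```python
"""Added example (not from the zrok project): find share tokens in the JSON
that `zrok overview` prints, mirroring the jq filter shown in this thread."""
import json
import subprocess
from pathlib import Path

# Constructed sample with the two paths the jq filter walks:
# .environments[].environment.zId and .environments[].shares[].token.
# zId values are placeholders; "shareMode" is an assumed field name, not from the thread.
SAMPLE_OVERVIEW = json.dumps({
    "environments": [
        {"environment": {"zId": "ZID-LOCAL-PLACEHOLDER"},
         "shares": [{"token": "myprivateshare", "shareMode": "private"},
                    {"token": "abc123xy", "shareMode": "public"}]},
        {"environment": {"zId": "ZID-OTHER-PLACEHOLDER"},
         "shares": [{"token": "otherhost", "shareMode": "private"}]},
        {"environment": {"zId": "ZID-EMPTY-PLACEHOLDER"}},  # environment with no shares
    ]
})


def local_zid(env_file=Path.home() / ".zrok" / "environment.json"):
    """Same value as: jq --raw-output .ziti_identity ~/.zrok/environment.json"""
    return json.loads(Path(env_file).read_text())["ziti_identity"]


def tokens_by_environment(overview_text, share_mode=None):
    """Map every environment zId in the overview to its share tokens.
    share_mode (assumed field) optionally keeps only e.g. "private" shares."""
    overview = json.loads(overview_text)
    result = {}
    for entry in overview.get("environments", []):
        zid = entry.get("environment", {}).get("zId")
        if zid is None:
            continue  # malformed entry: skip rather than crash on the whole overview
        result[zid] = [s["token"] for s in entry.get("shares") or []
                       if share_mode is None or s.get("shareMode") == share_mode]
    return result


def share_tokens_for_env(overview_text, zid, share_mode=None):
    """Tokens owned by one environment; [] if that zId is not in the account."""
    return tokens_by_environment(overview_text, share_mode).get(zid, [])


if __name__ == "__main__":
    # Live use on a zrok-enabled host: parse the real CLI output for this machine.
    live = subprocess.run(["zrok", "overview"], check=True,
                          capture_output=True, text=True).stdout
    for token in share_tokens_for_env(live, local_zid()):
        print(token)
```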

Perfect! zrok overview was exactly what I was looking for, with the reserved option as a bonus!


@qrkourier I'm having trouble getting this working. This is my environment file on the machine which should start the vpn:

Showing I uncommented AmbientCapabilities:

But I keep getting this error when the zrok-share service starts on boot:

The portal shows a reserved-private entry:


That tells me the zrok wrapper script successfully reserved the VPN unique share token you requested, but its permission sanity checker failed.

Double-check the service unit has the CAP_NET_ADMIN capability uncommented after you ran systemctl edit zrok-share.service, edited the buffer, and then saved and closed the editor:

systemctl cat zrok-share.service

This is how the script sanity checks:

systemctl cat zrok-share.service | grep -E '^AmbientCapabilities=.*CAP_NET_ADMIN'

Maybe there's an extra space at the beginning of the line before Ambient...?

@qrkourier This is my output using your commands. Looks fine to me?

I can run this from the command line and it seems to work:

Hey! Thanks for the detailed info. Now we know for sure you correctly edited the systemd service unit's drop-in to grant NET_ADMIN, and the zrok share works correctly when run as root.

The remaining challenge is to get the systemd service working the same way.

Do you have the latest zrok-share and zrok packages installed?

Let's do a systemctl daemon-reload just to clear any unit loading issues.

Please confirm this is still the error from systemd:

Failed to get LoadState: Transport endpoint is not connected

Please temporarily enable execution traces in /opt/openziti/bin/zrok-share.bash by adding a line, set -o xtrace, near set -o pipefail. With traces enabled, the next run of the service will include the commands with their shell expansions.