LAB for beginners to understand the operations to build a Zero Trust network with OpenZiti

I am a newbie and am trying to build a small lab to be able to survey the protection ability of openziti against man-in-the-middle attacks (Of course, just to see how the ziti network is encrypted when devices communicate and access each other's services. Here, I use a win 10 virtual machine from the external network through a public router to be able to access the web of another virtual machine in the network that is building a web with a basic login interface with Xampp). I wrote a docx file but don't know how to post it here, so I'll probably post it in HTML format.

Index

  1. Deployment model
  2. Deploy Controller and router on Ubuntu server
  3. Ziti Admin Panel
  4. Login and use ZAC
  5. Add private router with OpenZiti quickstart network – Learning

Deployment model

Overview

Built with VMware workstation virtualization environment. All machines in the model are virtual machines!

  1. Web Server (Internal) and Windows 10 (Internal):
  • Connect via VMnet 2 Host-Only Network. These machines can communicate with each other but cannot connect directly to the host's physical network or the Internet.
  1. Windows 10 (Outside) and Kali Linux:
  • Connect to VMnet 8 (NAT Network). They can access the Internet through Ubuntu (Controller-Router) but cannot communicate directly with the physical network of the server.
  1. Ubuntu (Controller-Router):
  • Ubuntu acts as Ziti Controller and Ziti Router, with 2 network cards:
    • VMnet 2: Connect to Web Server (Internal) and Windows 10 (Internal).
    • VMnet 8: Provides NAT for virtual machines like Windows 10 (External) and Kali Linux, allowing them to communicate with the Internet.

  1. Model idea:
  • Build a controller and 2 edge routers (public and private) to allow machines using VMnet8 network cards through the Ziti network to access the web inside the internal network. All users will use the Ziti edge client to access the network (Ziti Desktop Edge). Use Kali to perform MITM attacks to eavesdrop (traffic and data are encrypted).

Deploy Controller and router on Ubuntu server

VMnet 8


VMnet 2

To make Ubuntu act as a router and provide NAT services to machines in the Bridged Network (with Internet connection), you need to enable IP forwarding and configure iptables:

  1. Enable IP forwarding:

sudo sysctl -w net.ipv4.ip_forward=1

  1. Configure NAT (Forwarding packets from virtual network to physical network):

sudo iptables -t nat -A POSTROUTING -o ens33 -j MASQUERADE
To install expressInstall and customize your environment, follow the steps below. Update and install necessary tools first:

sudo apt update && sudo apt install -y curl git build-essential gedit dbus-x11 tar hostname jq

Step 1: Create a public DNS name or use an IP

Ensure your machine has a public DNS name or is reachable via a public IP address.

  • Generate DNS name: If available, use a public DNS name (e.g., hooangf4t.lab ). Otherwise, use the machine's public IP address, obtained with:
curl -s eth0.me

image

  • Change hostname permanently:
    1. Change the hostname using the hostnamectl command:
sudo hostnamectl set-hostname hooangf4t.lab
  1. Edit the /etc/hostname file:
sudo gedit /etc/hostname

Replace the contents with:

hooangf4t.lab
  1. Edit the /etc/hosts file:
sudo gedit /etc/hosts

Replace all lines containing the old hostname with:

127.0.0.1 hooangf4t.lab
  1. Restart the hostname service or the system:
sudo systemctl restart systemd-hostnamed
# Or restart the system
sudo reboot

Step 2: Set environment variables

Set the required environment variables for Ziti configuration:

  1. EXTERNAL_DNS:
export EXTERNAL_DNS="hooangf4t.lab"
  1. EXTERNAL_IP:
export EXTERNAL_IP="$(curl -s eth0.me)"
  1. ZITI_CTRL_EDGE_IP_OVERRIDE:
export ZITI_CTRL_EDGE_IP_OVERRIDE="${EXTERNAL_IP}"
  1. ZITI_CTRL_ADVERTISED_ADDRESS:
export ZITI_CTRL_ADVERTISED_ADDRESS="${EXTERNAL_DNS:-${EXTERNAL_IP}}"
  1. Port Configuration:
export ZITI_CTRL_ADVERTISED_PORT=8440
export ZITI_CTRL_EDGE_ADVERTISED_ADDRESS="${EXTERNAL_DNS:-${EXTERNAL_IP}}"
export ZITI_CTRL_EDGE_ADVERTISED_PORT=8441
export ZITI_ROUTER_ADVERTISED_ADDRESS="${EXTERNAL_DNS:-${EXTERNAL_IP}}"
export ZITI_ROUTER_IP_OVERRIDE="${EXTERNAL_IP}"
export ZITI_ROUTER_PORT=8442

Optional: Add these variables to .bashrc for persistence:

sudo gedit ~/.bashrc

Add at the end:

export EXTERNAL_DNS="hooangf4t.lab"
export EXTERNAL_IP="$(curl -s eth0.me)"
export ZITI_CTRL_EDGE_IP_OVERRIDE="${EXTERNAL_IP}"
export ZITI_CTRL_ADVERTISED_ADDRESS="${EXTERNAL_DNS:-${EXTERNAL_IP}}"
export ZITI_CTRL_ADVERTISED_PORT=8440
export ZITI_CTRL_EDGE_ADVERTISED_ADDRESS="${EXTERNAL_DNS:-${EXTERNAL_IP}}"
export ZITI_CTRL_EDGE_ADVERTISED_PORT=8441
export ZITI_ROUTER_ADVERTISED_ADDRESS="${EXTERNAL_DNS:-${EXTERNAL_IP}}"
export ZITI_ROUTER_IP_OVERRIDE="${EXTERNAL_IP}"
export ZITI_ROUTER_PORT=8442

Reload .bashrc :

source ~/.bashrc

Step 3: Run expressInstall

Install using the following command:

source /dev/stdin <<< "$(wget -qO- https://get.openziti.io/ziti-cli-functions.sh)"; expressInstall

After installation, verify in the folder:

ls ~/.ziti/quickstart/$(hostname -s)

Step 4: Create systemd files for Controller and Router

Generate systemd files:

createControllerSystemdFile
createRouterSystemdFile "${ZITI_ROUTER_NAME}"

The generated files:

  • Controller: /root/.ziti/quickstart/hooangf4t.lab/hooangf4t.lab.service
  • Router: /root/.ziti/quickstart/hooangf4t.lab/hooangf4t.lab-edge-router.service

Step 5: Stop running processes

Stop the helper scripts before using systemd:

stopRouter
stopController

Step 6: Install systemd files

Copy files to /etc/systemd/system/ :

sudo cp "${ZITI_HOME}/${ZITI_CTRL_NAME}.service" /etc/systemd/system/ziti-controller.service
sudo cp "${ZITI_HOME}/${ZITI_ROUTER_NAME}.service" /etc/systemd/system/ziti-router.service
sudo systemctl daemon-reload
sudo systemctl enable --now ziti-controller
sudo systemctl enable --now ziti-router

Step 7: Check service status

Verify Controller and Router services:

sudo systemctl -q status ziti-controller --lines=0 --no-pager
sudo systemctl -q status ziti-router --lines=0 --no-pager

Step 8: Reload environment variables

Reload .env file after logging back in:

source ~/.ziti/quickstart/$(hostname -s)/$(hostname -s).env

For example:

root@hooangf4t:/home/ubuntu/Desktop# source ~/.ziti/quickstart/hooangf4t.lab/hooangf4t.lab.env
root@hooangf4t:/home/ubuntu/Desktop# echo $ZITI_HOME
/root/.ziti/quickstart/hooangf4t.lab

Ziti Admin Panel

Step 1: Download ZAC from GitHub

wget https://github.com/openziti/ziti-console/releases/latest/download/ziti-console.zip

Step 2: Set the ZITI_HOME environment variable
Make sure that ZITI_HOME is set correctly, pointing to the quickstart working directory. You can reset the quickstart environment variables by running the following command:

source ${HOME}/.ziti/quickstart/$(hostname)/$(hostname).env
echo $ZITI_HOME


Step 3: Unzip Console
Unzip the ziti-console.zip file into the controller's working directory:

unzip -d ${ZITI_HOME}/console ./ziti-console.zip


Step 4: Update YAML configuration file

Open the configuration file ${ZITI_HOME}/$(hostname -s).yaml and add a web API binding for ZAC as follows:

gedit ~/.ziti/quickstart/hooangf4t.lab/hooangf4t.lab.yaml
  • binding: zac

options:
location: ./console
indexFile: index.html

Step 5: Restart the Controller service

After changing the configuration, you need to restart the controller service for the changes to take effect. Use the following command to restart the ziti-controller service:

sudo systemctl restart ziti-controller.service

Step 6: Access ZAC via browser

You can now access ZAC through your web browser. Depending on the implementation, the management API port may differ:

  • With "Local" quickstart, the default port is 1280.
  • With the "Host OpenZiti Anywhere" quickstart, the default port is 8441 and can be configured as desired.

Access ZAC via the corresponding URL:

https://hooangf4t.lab:8441/zac/

Now you can access ZAC to manage and monitor the components of the Ziti controller via the web interface.
controller configuration
$ZITI_HOME/hooangf4t.lab.yaml

v: 3

#trace:
#  path: "hooangf4t.lab.trace"

#profile:
#  memory:
#    path: ctrl.memprof



db:                     "/root/.ziti/quickstart/hooangf4t.lab/db/ctrl.db"
# uncomment and configure to enable HA
# raft:
#   dataDir:         "/root/.ziti/quickstart/hooangf4t.lab/raft"
#   minClusterSize:  1


identity:
  cert:        "/root/.ziti/quickstart/hooangf4t.lab/pki/hooangf4t.lab-intermediate/certs/hooangf4t.lab-client.chain.pem"
  server_cert: "/root/.ziti/quickstart/hooangf4t.lab/pki/hooangf4t.lab-intermediate/certs/hooangf4t.lab-server.chain.pem"
  key:         "/root/.ziti/quickstart/hooangf4t.lab/pki/hooangf4t.lab-intermediate/keys/hooangf4t.lab-server.key"
  ca:          "/root/.ziti/quickstart/hooangf4t.lab/pki/cas.pem"
  #alt_server_certs:
  #  - server_cert:  ""
  #    server_key:   ""

# trust domains may be overridden by SPIFFE ID as URI SAN 
#trustDomain: ziti.example.com

# additional trust domains allow for migrating to a new trust domain
#additionalTrustDomains: []

# Network Configuration
#
# Configure how the controller will establish and manage the overlay network, and routing operations on top of
# the network.
#
#network:

  # routeTimeoutSeconds controls the number of seconds the controller will wait for a route attempt to succeed.
  #routeTimeoutSeconds:  10

  # createCircuitRetries controls the number of retries that will be attempted to create a path (and terminate it)
  # for new circuits.
  #createCircuitRetries: 2  

  # pendingLinkTimeoutSeconds controls how long we'll wait before creating a new link between routers where
  # there isn't an established link, but a link request has been sent
  #pendingLinkTimeoutSeconds: 10

  # Defines the period that the controller re-evaluates the performance of all of the circuits
  # running on the network.
  #
  #cycleSeconds:         15
  
  # Sets router minimum cost. Defaults to 10
  #minRouterCost: 10

  # Sets how often a new control channel connection can take over for a router with an existing control channel connection
  # Defaults to 1 minute
  #routerConnectChurnLimit: 1m

  # Sets the latency of link when it's first created. Will be overwritten as soon as latency from the link is actually
  # reported from the routers. Defaults to 65 seconds.
  #initialLinkLatency: 65s
  
  #smart:
    #
    # Defines the fractional upper limit of underperforming circuits that are candidates to be re-routed. If 
    # smart routing detects 100 circuits that are underperforming, and `smart.rerouteFraction` is set to `0.02`,
    # then the upper limit of circuits that will be re-routed in this `cycleSeconds` period will be limited to 
    # 2 (2% of 100). 
    #
    #rerouteFraction:    0.02
    # 
    # Defines the hard upper limit of underperforming circuits that are candidates to be re-routed. If smart 
    # routing detects 100 circuits that are underperforming, and `smart.rerouteCap` is set to `1`, and 
    # `smart.rerouteFraction` is set to `0.02`, then the upper limit of circuits that will be re-routed in this 
    # `cycleSeconds` period will be limited to 1.
    #
    #rerouteCap:         4  

# the endpoint that routers will connect to the controller over.
ctrl:
  options:
    advertiseAddress: tls:hooangf4t.lab:8440
  # (optional) settings
  # set the maximum number of connect requests that are buffered and waiting to be acknowledged (1 to 5000, default 1)
  #maxQueuedConnects:      1
  # the maximum number of connects that have  begun hello synchronization (1 to 1000, default 16)
  #maxOutstandingConnects: 16
  # the number of milliseconds to wait before a hello synchronization fails and closes the connection (30ms to 60000ms, default: 5000ms)
  #connectTimeoutMs:       5000
  listener:             tls:0.0.0.0:8440

#metrics:
#  influxdb:
#    url:                http://localhost:8086
#    database:           ziti

# xctrl_example
#
#example:
#  enabled:              false
#  delay:                5s

healthChecks:
  boltCheck:
    # How often to try entering a bolt read tx. Defaults to 30 seconds
    interval: 30s
    # When to time out the check. Defaults to 20 seconds
    timeout: 20s
    # How long to wait before starting the check. Defaults to 30 seconds
    initialDelay: 30s

# By having an 'edge' section defined, the ziti-controller will attempt to parse the edge configuration. Removing this
# section, commenting out, or altering the name of the section will cause the edge to not run.
edge:
  # This section represents the configuration of the Edge API that is served over HTTPS
  api:
    #(optional, default 90s) Alters how frequently heartbeat and last activity values are persisted
    # activityUpdateInterval: 90s
    #(optional, default 250) The number of API Sessions updated for last activity per transaction
    # activityUpdateBatchSize: 250
    # sessionTimeout - optional, default 30m
    # The number of minutes before an Edge API session will time out. Timeouts are reset by
    # API requests and connections that are maintained to Edge Routers
    sessionTimeout: 30m
    # address - required
    # The default address (host:port) to use for enrollment for the Client API. This value must match one of the addresses
    # defined in this Controller.WebListener.'s bindPoints.
    address: hooangf4t.lab:8441
  # This section is used to define option that are used during enrollment of Edge Routers, Ziti Edge Identities.
  enrollment:
    # signingCert - required
    # A Ziti Identity configuration section that specifically makes use of the cert and key fields to define
    # a signing certificate from the PKI that the Ziti environment is using to sign certificates. The signingCert.cert
    # will be added to the /.well-known CA store that is used to bootstrap trust with the Ziti Controller.
    signingCert:
      cert: /root/.ziti/quickstart/hooangf4t.lab/pki/signing.pem
      key:  /root/.ziti/quickstart/hooangf4t.lab/pki/hooangf4t.lab-signing-intermediate/keys/hooangf4t.lab-signing-intermediate.key
    # edgeIdentity - optional
    # A section for identity enrollment specific settings
    edgeIdentity:
      # duration - optional, default 180m
      # The length of time that a Ziti Edge Identity enrollment should remain valid. After
      # this duration, the enrollment will expire and no longer be usable.
      duration: 180m
    # edgeRouter - Optional
    # A section for edge router enrollment specific settings.
    edgeRouter:
      # duration - optional, default 180m
      # The length of time that a Ziti Edge Router enrollment should remain valid. After
      # this duration, the enrollment will expire and no longer be usable.
      duration: 180m

# web
# Defines webListeners that will be hosted by the controller. Each webListener can host many APIs and be bound to many
# bind points.
web:
  # name - required
  # Provides a name for this listener, used for logging output. Not required to be unique, but is highly suggested.
  - name: client-management
    # bindPoints - required
    # One or more bind points are required. A bind point specifies an interface (interface:port string) that defines
    # where on the host machine the webListener will listen and the address (host:port) that should be used to
    # publicly address the webListener(i.e. mydomain.com, localhost, 127.0.0.1). This public address may be used for
    # incoming address resolution as well as used in responses in the API.
    bindPoints:
      #interface - required
      # A host:port string on which network interface to listen on. 0.0.0.0 will listen on all interfaces
      - interface: 0.0.0.0:8441
        # address - required
        # The public address that external incoming requests will be able to resolve. Used in request processing and
        # response content that requires full host:port/path addresses.
        address: hooangf4t.lab:8441
    # identity - optional
    # Allows the webListener to have a specific identity instead of defaulting to the root 'identity' section.
    identity:
      ca:          "/root/.ziti/quickstart/hooangf4t.lab/pki/hooangf4t.lab-edge-controller-root-ca/certs/hooangf4t.lab-edge-controller-root-ca.cert"
      key:         "/root/.ziti/quickstart/hooangf4t.lab/pki/hooangf4t.lab-edge-controller-intermediate/keys/hooangf4t.lab-server.key"
      server_cert: "/root/.ziti/quickstart/hooangf4t.lab/pki/hooangf4t.lab-edge-controller-intermediate/certs/hooangf4t.lab-server.chain.pem"
      cert:        "/root/.ziti/quickstart/hooangf4t.lab/pki/hooangf4t.lab-edge-controller-intermediate/certs/hooangf4t.lab-client.chain.pem"
      #alt_server_certs:
      #- server_cert: ""
      #  server_key:  ""
      
    # options - optional
    # Allows the specification of webListener level options - mainly dealing with HTTP/TLS settings. These options are
    # used for all http servers started by the current webListener.
    options:
      # idleTimeoutMs - optional, default 5000ms
      # The maximum amount of idle time in milliseconds allowed for pipelined HTTP requests. Setting this too high
      # can cause resources on the host to be consumed as clients remain connected and idle. Lowering this value
      # will cause clients to reconnect on subsequent HTTPs requests.
      idleTimeout: 5000ms  #http timeouts, new
      # readTimeoutMs - optional, default 5000ms
      # The maximum amount of time in milliseconds http servers will wait to read the first incoming requests. A higher
      # value risks consuming resources on the host with clients that are acting bad faith or suffering from high latency
      # or packet loss. A lower value can risk losing connections to high latency/packet loss clients.
      readTimeout: 5000ms
      # writeTimeoutMs - optional, default 100000ms
      # The total maximum time in milliseconds that the http server will wait for a single requests to be received and
      # responded too. A higher value can allow long-running requests to consume resources on the host. A lower value
      # can risk ending requests before the server has a chance to respond.
      writeTimeout: 100000ms
      # minTLSVersion - optional, default TLS1.2
      # The minimum version of TSL to support
      minTLSVersion: TLS1.2
      # maxTLSVersion - optional, default TLS1.3
      # The maximum version of TSL to support
      maxTLSVersion: TLS1.3
    # apis - required
    # Allows one or more APIs to be bound to this webListener
    apis:
      # binding - required
      # Specifies an API to bind to this webListener. Built-in APIs are
      #   - edge-management
      #   - edge-client
      #   - fabric-management
      - binding: edge-management
        # options - arg optional/required
        # This section is used to define values that are specified by the API they are associated with.
        # These settings are per API. The example below is for the 'edge-api' and contains both optional values and
        # required values.
        options: { }
      - binding: edge-client
        options: { }
      - binding: fabric
        options: { }
      - binding: zac
        options:
          location: ./console
          indexFile: index.html

router configuration
$ZITI_HOME/hooangf4t.lab-edge-router.yaml

v: 3

identity:
  cert:             "/root/.ziti/quickstart/hooangf4t.lab/hooangf4t.lab-edge-router.cert"
  server_cert:      "/root/.ziti/quickstart/hooangf4t.lab/hooangf4t.lab-edge-router.server.chain.cert"
  key:              "/root/.ziti/quickstart/hooangf4t.lab/hooangf4t.lab-edge-router.key"
  ca:               "/root/.ziti/quickstart/hooangf4t.lab/hooangf4t.lab-edge-router.cas"
  #alt_server_certs:
  #  - server_cert:  ""
  #    server_key:   ""

ctrl:
  endpoint:             tls:hooangf4t.lab:8440

link:
  dialers:
    - binding: transport
  listeners:
    - binding:          transport
      bind:             tls:0.0.0.0:10080
      advertise:        tls:hooangf4t.lab:10080
      options:
        outQueueSize:   4

listeners:
# bindings of edge and tunnel requires an "edge" section below
  - binding: edge
    address: tls:0.0.0.0:8442
    options:
      advertise: hooangf4t.lab:8442
      connectTimeoutMs: 5000
      getSessionTimeout: 60
  - binding: tunnel
    options:
      mode: host #tproxy|host



edge:
  csr:
    country: US
    province: NC
    locality: Charlotte
    organization: NetFoundry
    organizationalUnit: Ziti
    sans:
      dns:
        - localhost
        - hooangf4t.lab

      ip:
        - "127.0.0.1"
        - "::1"
        - "212.102.51.245"


#transport:
#  ws:
#    writeTimeout: 10
#    readTimeout: 5
#    idleTimeout: 120
#    pongTimeout: 60
#    pingInterval: 54
#    handshakeTimeout: 10
#    readBufferSize: 4096
#    writeBufferSize: 4096
#    enableCompression: true

forwarder:
  latencyProbeInterval: 0
  xgressDialQueueLength: 1000
  xgressDialWorkerCount: 128
  linkDialQueueLength: 1000
  linkDialWorkerCount: 32

Login and use ZAC

At this point, you should be able to navigate to: https://${ZITI_CTRL_EDGE_ADVERTISED_ADDRESS}:8441 and see the ZAC login screen. (The TLS warning your browser displays is normal - it's because these steps use a self-signed certificate generated during the installation process)




Add private router with OpenZiti quickstart network – I'm Learning

Youtube link
https://youtu.be/Bgl3w1m9NM4?si=-GK_UpFzF47lUGLG
Document link
Setup new edge router on a separate host


Set up network for private router ( another ubuntu machine connected with VMnet2 card to Controller machine)

Remember to update and install the necessary tools.

sudo apt update && sudo apt install -y curl git build-essential gedit dbus-x11 tar hostname jq

Checklist for connecting edge router to controller in OpenZiti:

  1. Check the controller address and port:
    • Open the controller's configuration file to determine the value of ZITI_EDGE_CTRL_ADVERTISED_HOST_PORT.
    • Use the following command to get the information:
      • On private Router:
      export ZITI_EDGE_CTRL_ADVERTISED_HOST_PORT="hooangf4t.lab:8441"
      
    • Make sure this address is accessible from the edge router (e.g. curl returns JSON):
    curl -vsk -m 5 https://192.168.160.50:8441/
    

  1. Determine the Control Plane port:
    • Make sure the edge router has access to the controller's Control Plane:
    curl -vsk -m 5 https://hooangf4t.lab:8440/
    

Make sure controller and edge-router-1 are running:

curl -vsk -m 5 https://hooangf4t.lab:8440/

  1. Log in to controller:
    • Use the following command to log in:
    ziti edge login hooangf4t.lab:8441
    

- Or use `zitiLogin` on a machine with a controller.
  1. Create Edge Router in controller:
    • Run the following command to create the router:
    ziti edge create edge-router -t ER2 -o $ZITI_HOME/ER2.jwt --tunneler-enabled
    

Set some variables, then decide whether this is a “private” or public border router (see below):

    export ROUTER_NAME=ER2
    export ZITI_CTRL_ADVERTISED_ADDRESS="hooangf4t.lab"
    export ZITI_CTRL_PORT=8440

    # optional - if you want to allow addressing by some specific IP

    export ZITI_EDGE_ROUTER_IP_OVERRIDE="192.168.220.20"
  1. Create configuration file for Edge Router:

    • Decide whether this router will be "private" or "public":

      • Public router: Can link to other routers.
      • Private router: Does not advertise link information.
    • For example, if create "private" configuration:

    ziti create config router edge --routerName $ROUTER_NAME \
    --output $ZITI_HOME/$ROUTER_NAME.yaml \
    --tunnelerMode host \
    --private
    
  2. Edit the Edge Router configuration file (if necessary):

    • Open the file $ZITI_HOME/<router_name>.yaml.
    • Find the ctrl.endpoint section and make sure the value points to the controller (for example):
    ctrl:
      endpoint: tls:hooangf4t.lab:8440
    

    File ER2.yaml hiện tại:

    v: 3
    identity:
      cert: "/root/.ziti/quickstart/edge-router-2/ER2.cert"
      server_cert: "/root/.ziti/quickstart/edge-router-2/ER2.server.chain.cert"
      key: "/root/.ziti/quickstart/edge-router-2/ER2.key"
      ca: "/root/.ziti/quickstart/edge-router-2/ER2.cas"
    
    ctrl:
      endpoint: tls:hooangf4t.lab:8440
    
    listeners:
      - binding: edge
        address: tls:0.0.0.0:3022
        options:
          advertise: edge-router-2:3022
          connectTimeoutMs: 5000
          getSessionTimeout: 60
      - binding: tunnel
        options:
          mode: host
    
    edge:
      csr:
        country: US
        province: NC
        locality: Charlotte
        organization: NetFoundry
        organizationalUnit: Ziti
        sans:
          dns:
            - localhost
            - edge-router-2
          ip:
            - "127.0.0.1"
            - "::1"
    
    forwarder:
      latencyProbeInterval: 0
      xgressDialQueueLength: 1000
      xgressDialWorkerCount: 128
      linkDialQueueLength: 1000
      linkDialWorkerCount: 32
    
  3. Enroll Edge Router:

    • Use the following command to register:
    ziti-router enroll $ZITI_HOME/<router_name>.yaml --jwt $ZITI_HOME/<router_name>.jwt
    

I am having problem here, can't enroll router



Check the path and file name: Make sure that the `$ZITI_HOME` environment variable is set correctly and that the path to the `ER2.jwt` file is correct. You can check by:
```
echo $ZITI_HOME
ls $ZITI_HOME
```
  1. Running Edge Router:

    • Once done, launch Edge Router:
    ziti-router run $ZITI_HOME/<router_name>.yaml
    
  2. Check the status of the Edge Router:

    • Check if Edge Router is online:
    ziti edge list edge-routers
    
    • Check the link between routers:
    ziti fabric list links
    
  3. Configure Service Daemon (optional):

    • Create service file for Edge Router:
    createRouterSystemdFile <router_name>
    
    • Perform the daemon installation steps:
    sudo cp $ZITI_HOME/<router_name>.service /etc/systemd/system/ziti-router.service
    sudo systemctl daemon-reload
    sudo systemctl enable --now ziti-router
    
2 Likes

Wow! That's a ton of great content! thanks for sharing it! I look forward to any insights you might have from your testing/learning!

Thanks again for posting it. :slight_smile:

1 Like

Hi,
I am currently doing the registration of the router that I just registered but got an error


Here is my configuration:
ER2.yaml

v: 3

identity:
  cert:             "/root/.ziti/quickstart/edge-router-2/ER2.cert"
  server_cert:      "/root/.ziti/quickstart/edge-router-2/ER2.server.chain.cert"
  key:              "/root/.ziti/quickstart/edge-router-2/ER2.key"
  ca:               "/root/.ziti/quickstart/edge-router-2/ER2.cas"
  #alt_server_certs:
  #  - server_cert:  ""
  #    server_key:   ""

ctrl:
  endpoint:             tls:hooangf4t.lab:8440
link:
  dialers:
    - binding: transport
#  listeners:
#    - binding:          transport
#      bind:             tls:0.0.0.0:10080
#      advertise:        tls:edge-router-2:10080
#      options:
#        outQueueSize:   4

listeners:
# bindings of edge and tunnel requires an "edge" section below
  - binding: edge
    address: tls:0.0.0.0:3022
    options:
      advertise: edge-router-2:3022
      connectTimeoutMs: 5000
      getSessionTimeout: 60
  - binding: tunnel
    options:
      mode: host #tproxy|host



edge:
  csr:
    country: US
    province: NC
    locality: Charlotte
    organization: NetFoundry
    organizationalUnit: Ziti
    sans:
      dns:
        - localhost
        - edge-router-2

      ip:
        - "127.0.0.1"
        - "::1"



#transport:
#  ws:
#    writeTimeout: 10
#    readTimeout: 5
#    idleTimeout: 120
#    pongTimeout: 60
#    pingInterval: 54
#    handshakeTimeout: 10
#    readBufferSize: 4096
#    writeBufferSize: 4096
#    enableCompression: true

forwarder:
  latencyProbeInterval: 0
  xgressDialQueueLength: 1000
  xgressDialWorkerCount: 128
  linkDialQueueLength: 1000
  linkDialWorkerCount: 32

ER2.jwt

eyJhbGciOiJSUzI1NiIsImtpZCI6ImU0YzY5NzUxYzU2N2FmOGE5ZjI4MjJmMGVhYjUwZDMyNTA1ZTZjMDQiLCJ0eXAiOiJKV1QifQ.eyJpc3MiOiJodHRwczovL2hvb2FuZ2Y0dC5sYWI6ODQ0MSIsInN1YiI6InZNZ0xiTWIuRSIsImF1ZCI6WyIiXSwiZXhwIjoxNzM0NTIyNTYzLCJqdGkiOiI4ZDFlNmUxYi0yOTg3LTRmYjQtYjc1ZC1jODIzYjIwZDQ2OTgiLCJlbSI6ImVyb3R0IiwiY3RybHMiOm51bGx9.MO1koBt6NzC1uTKEuhjA161wv_nEavIVJ7VuW59aGQikqJMsvlwsBrLPelj9cSafgt3l4yQRDZu6Voo9QyWDABFiUGWJ-UPKKtrrrtvyE-qgD7Dq-XfL-PzA4l3qlDt7NBAigiVc9fWB3KJxQYdHe-gh8QFO6ZDtmQHyfDBHhrtoOJpMcy8QXDHA3SLJhCx7R9PmHZaeBZEJj9hCpPts0HrJzfNh-_elLmjjqae-3ZcnvYsNSJIvqm7oJ5-vDrTVUBQef5eO4nvPo3-5HvW5EFcILcWpfh-vCwNzhPkUQbxkhRYao3wefuCdUXrAPim2m4zVbkKTlg-7ZTIoLiPOyFnTAhD_8au8ovPViNUdrf4hJ-TlzSmy717NksT2Sj1-3H2FNXRnuFbb2fY2XmEjEUHWuiYHNem7hBo-GKAPkqAl8PoIp2TCUyi-MjCi_00-UdRBAGfnUvQjQqzgov4XNYlcYi5XjRjVAw0gtbfa5M9RQXP4iDvw6hSar7POvkksN7j0b0b4r4BnAnNz5qB65pS-UML7I5UjyePZ3WZRB0q2wbScjgj7W5WsqHM-xOssvEVMG0gBLu5PMrIlH4srRTymCQqPm8Okd7AScNOhUCgBcQsqxjqqX0laRSjo8S7Mt7-GbMrdLhvhE30xiLvEMhQ6SHwpDqm-Z4dISlGYm0k

By the way I checked the overall traffic transfer and found this error, I am trying to find and replace it

hi @HooangF4t,

When you run ziti ops verify-traffic, it looks like you are not on the controller. Also with that version of ziti, the verify-traffic command will require you to supply the host and port:

ziti ops verify-traffic --host hostname.here --port port.here

If you don't supply those, it won't operate properly unless you run it from the controller. However, in my opinion it's better to run the command from the rotuer as you show.


As for the error:

failed to enroll: enrollment method 'erott' is not supported
root@edge-router-2: / home/ ubuntu*

it appears to me that you enrolled an identities .jwt, not a router. You need to create the jwt for the router using something similar to:

ziti edge create edge-router bob -o bob.jwt --tunneler-enabled
2 Likes

hi @TheLumberjack
yes, still enroll router issue :pensive:
I am trying the commands I found on the forum and editing the yaml file accordingly, can you help me?

Configure the private router I just created (router ER2)

Also, why do I have to run ziti edge enroll when everyone can run ziti-router enroll and i think i did the right thing