well, i would still say the intercept depends heavily on IP and port. If you don't have the port intercepted, any extra traffic towards that IP on different ports will effectively be blocked...
As to the next part of your question, I must admit I'm having a hard time visualizing which debian is which...
The intercept.v1 config is used by the tunneler trying to access the service. Whatever address you put in the intercept.v1 will be used by the 'client'.
On the "other side", where the router is that's the "hosting" identity. Any identity can host a service and when you make a 'tunneler enabled' router, you assign an identity to that router so that it can host a service. The entries you put into the host.v1 config are all relative to the identity doing that hosting. In your case that's "Debian 1" i think?
So from "Debian 1" where the edge router is, you offload traffic to "Debian 2" (assuming i have that right)
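To make the split concrete: the client-side intercept.v1 decides which destination/port pairs enter the overlay at all, while host.v1 on the hosting identity decides where they are offloaded. The following is an added example (not OpenZiti code, and not from the thread); the service catalogue is constructed, using the hostnames that appear in this thread, and `find_intercept` / `offload_target` are hypothetical helper names.

```python
import ipaddress

# Constructed service catalogue modelled on the thread's lab (names from the
# thread, values made up). Each service pairs the client-side intercept.v1
# with the hosting-side host.v1, using the OpenZiti config field names.
SERVICES = {
    "www.ziti.com": {
        "intercept.v1": {"protocols": ["tcp"], "addresses": ["www.ziti.com"],
                         "portRanges": [{"low": 80, "high": 80}]},
        "host.v1": {"protocol": "tcp", "address": "169.254.84.101", "port": 80}},
    "ssh.ziti.com": {
        "intercept.v1": {"protocols": ["tcp"], "addresses": ["ssh.ziti.com"],
                         "portRanges": [{"low": 22, "high": 22}]},
        "host.v1": {"protocol": "tcp", "address": "169.254.84.101", "port": 22}},
    "claropr.com": {
        "intercept.v1": {"protocols": ["tcp"], "addresses": ["claropr.com"],
                         "portRanges": [{"low": 80, "high": 80}]},
        "host.v1": {"protocol": "tcp", "address": "miclaro.claropr.com", "port": 80}},
}

def address_matches(pattern, dest):
    """intercept.v1 addresses may be a hostname, a *.wildcard, an IP or a CIDR."""
    if "/" in pattern:
        try:
            return ipaddress.ip_address(dest) in ipaddress.ip_network(pattern, strict=False)
        except ValueError:
            return False
    if pattern.startswith("*."):
        return dest.lower().endswith(pattern[1:].lower())
    return pattern.lower() == dest.lower()

def find_intercept(dest, port, protocol="tcp"):
    """Name of the service the client tunneler intercepts for dest:port, or None."""
    for name, cfg in SERVICES.items():
        icpt = cfg["intercept.v1"]
        if protocol not in icpt["protocols"]:
            continue
        if not any(address_matches(a, dest) for a in icpt["addresses"]):
            continue
        if any(r["low"] <= port <= r["high"] for r in icpt["portRanges"]):
            return name
    return None  # not intercepted: the packet never enters the overlay

def offload_target(service):
    """Where the hosting identity's tunneler sends that service's traffic."""
    h = SERVICES[service]["host.v1"]
    return h["address"], h["port"], h["protocol"]
```

A port that no intercept covers (www.ziti.com:443 here) returns None, which is the "effectively blocked" case described above.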
First, a recap of my testing environment so you can get a better picture of what I would like to do.
Windows laptop with 2 interfaces (onboard Ethernet as 169.254.84.100) connected through a switch to Debian 1 (onboard Ethernet as 169.254.84.101). No gw configured here.
Windows laptop and Debian 1 connected through WiFi (192.168.7.29 and 192.168.7.170 respectively) to a router (interface to the Internet using NAT).
A remote Server somewhere in the Internet (I picked randomly miclaro.claropr.com, one I will never use :o) ).
I created services as www.ziti.com, ftp.ziti.com and ssh.ziti.com, properly intercepted by the Tunneller and correctly sent to Debian 1, where the @ziti-edge-router hosts these 3 services (apache2, ftpd and sshd).
Now I would like to test access to another WWW server, hosted by a "Debian 2" (the server in the Internet). I was thinking of creating another service (claropr.com) in Debian 1 so that the Tunneller would point to miclaro.claropr.com:80 out in the Internet. When I tried this approach I had a DNS resolving problem.
I am pretty sure I am missing something important here ...
Assuming you have set up your OpenZiti overlay on your local network, this will only work if your local network forwards the OpenZiti traffic through your public IP address to your controller and to your router.
IF you have done that, then the second router (or ziti-edge-tunnel) will be able to connect to your controller and to your edge router.
Can we stop there? Is that the setup? If not, I'm going to need a diagram
Let me digest what you wrote. I assumed I configured my Host OpenZiti Anywhere correctly as I could reproduce the results you got in your video. During the installation the eth0.me showed the Router's public IP address (assigned to its WAN interface by the carrier via DHCP). Now, if I did something wrong or something else is missing to get the mentioned test done, I don't know yet. I will digest your notes and create a diagram if necessary to clarify.
Unfortunately I don't have rights to Debian 2. I picked that server randomly. Just to see if I could get to that server from my Windows laptop but passing through the tunnel. If not possible this way I can't test the way I want.
OOOOH i think I understand then... You want to have the client intercept something like "clint.ziti" and have it point to "Debian 2" which in your example was miclaro.claropr.com but it could be google.com or whatever...
If you are making a request to an HTTPS resource, it'll be "a problem". HTTP will require the name you dial to match the certificate that's returned or you'll get the scary "security risk" warning that browsers will show you.
Instead, try this. There's a great url out there called http://wttr.in/. It returns back to you the weather but it does this via http OR https. IF you use the http endpoint you won't have any issues.
Yeap! That did the trick! Seems this recipe works for some sites. For my original (claropr.com -> miclaro.claropr.com) it does not. I added 80 and 443 for both host and intercept and it did not work.
This is likely due to your understanding of HTTP or TLS perhaps. Often an HTTP site is backed by a proxy of some kind which looks at the URL you are trying to access and based on that URL certain decisions will be made. The same actually used to be true for wttr.in...
Often it will either be done through something called SNI (server name indication) or by the HTTP server inspecting the http host header.
I can assure you, OpenZiti was working as intended based on your screenshot. The problem is either with SNI or host header, almost certainly but it's not with OpenZiti in that case
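The Host-header behaviour described above can be reproduced offline. This is an added example, not from the thread or the OpenZiti project: a constructed name-based virtual host on 127.0.0.1 that only knows miclaro.claropr.com, queried twice over the same connection path with different Host headers, the way the intercepted name claropr.com would arrive at the real backend.

```python
import threading
from http.server import BaseHTTPRequestHandler, HTTPServer
from http.client import HTTPConnection

# Constructed stand-in for a name-based virtual host: the backend chooses the
# site from the Host header, not from the address it listens on.
SITES = {"miclaro.claropr.com": b"welcome to miclaro"}

class VHostHandler(BaseHTTPRequestHandler):
    def do_GET(self):
        host = self.headers.get("Host", "").split(":")[0]
        body = SITES.get(host)
        if body is None:
            self.send_response(404)
            body = b"no such site"
        else:
            self.send_response(200)
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)

    def log_message(self, *args):
        pass  # keep the demo quiet

def start_server():
    srv = HTTPServer(("127.0.0.1", 0), VHostHandler)  # port 0: pick a free port
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    return srv

def fetch(port, host_header):
    """Same backend, but present a different Host header (intercepted name)."""
    conn = HTTPConnection("127.0.0.1", port, timeout=5)
    conn.request("GET", "/", headers={"Host": host_header})
    resp = conn.getresponse()
    status, body = resp.status, resp.read()
    conn.close()
    return status, body

def demo():
    """Status per Host header: the real name works, the intercept name does not."""
    srv = start_server()
    try:
        port = srv.server_address[1]
        return {name: fetch(port, name)[0]
                for name in ("miclaro.claropr.com", "claropr.com")}
    finally:
        srv.shutdown()
        srv.server_close()

if __name__ == "__main__":
    print(demo())
```

With TLS the same mismatch shows up one layer earlier, in the SNI the client sends during the handshake.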
I created one entity (sales1) supposed to access just the WEB services in Debian 1 and not in Debian 2. It worked! I created another entity (rh1) supposed to access just the WEB services in Debian 2 and not in Debian 1. It worked!
sales1 is on one laptop (lapsales) and rh1 is on another laptop (laprh).
I created a 3rd entity (itguy) and placed it on lapsales. I disabled the entity sales1 and tried to ftp ftpd in Debian 1 and Debian 2 with success. I tried to ssh against Debian 1 and Debian 2 and it worked only for Debian 1. I am checking and rechecking the configuration but could not find anything wrong. In /etc/hosts for Debian 1 and Debian 2 I added ssh1.cb.com (169.254.84.101), ssh2.cb.com (169.254.84.102), ftp1.cb.com (169.254.84.101) and ftp2.cb.com (169.254.84.102) so openziti would not look for DNS names. This is the openziti config for the ssh2 related service.
I am not following your test. I don't know what it means when you say, "it worked only for Debian 1". I don't know what that means. You need to look at the logs for the router and the logs for the client. The logs have very helpful messages in them.
In my opinion, you really shouldn't do this in this situation. The hosts file is really easy to change and forget about, and then later on wonder why something doesn't work.
I'd offer you two tips that I think will help. First, use the policy advisor. There's no zac equivalent of that exactly just yet and it presents information in a pretty succinct manner. It will inform you as to whether or not you've set up the network and your identity correctly.
using policy advisor
With the ziti CLI issue:
ziti edge policy-advisor identities -q
for example from my earlier wttr test i still have:
OKAY : cdaws-oct31 (1) -> wttr.test (2) Common Routers: (1/1) Dial: Y Bind: N
OKAY : ip-172-31-47-200-edge-router (1) -> wttr.test (2) Common Routers: (1/1) Dial: N Bind: Y
You can also run policy advisor for services:
ziti edge policy-advisor services wttr.test -q
OKAY : cdaws-oct31 (1) -> wttr.test (2) Common Routers: (1/1) Dial: Y Bind: N
OKAY : ip-172-31-47-200-edge-router (1) -> wttr.test (2) Common Routers: (1/1) Dial: N Bind: Y
read the logs
The logs have lots of useful errors in them. If you're not seeing errors, OpenZiti is likely "doing what you asked it to do" and there are other issues that you'll have to resolve.
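The policy-advisor lines above are easy to read one at a time, but with several identities and services it helps to parse them. This is an added example (not part of the thread or the ziti CLI): a parser for the `-q` output shape shown above, with a per-service check that at least one identity can Dial and one can Bind over a shared router; the sample includes the two real lines from above plus one constructed line for a service with no binder.

```python
import re
from collections import defaultdict

# Shape of one `ziti edge policy-advisor ... -q` line as shown in the thread.
LINE = re.compile(
    r"^(?P<status>\w+)\s*:\s*(?P<identity>.+?) \((?P<id_n>\d+)\) -> "
    r"(?P<service>.+?) \((?P<svc_n>\d+)\) Common Routers: "
    r"\((?P<common>\d+)/(?P<total>\d+)\) Dial: (?P<dial>[YN]) Bind: (?P<bind>[YN])$")

# Constructed sample: first two lines are the thread's own, the third is made up.
SAMPLE = """
OKAY : cdaws-oct31 (1) -> wttr.test (2) Common Routers: (1/1) Dial: Y Bind: N
OKAY : ip-172-31-47-200-edge-router (1) -> wttr.test (2) Common Routers: (1/1) Dial: N Bind: Y
OKAY : itguy (1) -> sshdebian2 (1) Common Routers: (1/1) Dial: Y Bind: N
""".strip().splitlines()

def parse(lines):
    """Return one dict per advisor line; lines that do not match are skipped."""
    rows = []
    for line in lines:
        m = LINE.match(line.strip())
        if m:
            rows.append({**m.groupdict(), "common": int(m["common"]),
                         "total": int(m["total"])})
    return rows

def diagnose(rows):
    """Per service, list what is missing for a dial to ever succeed."""
    by_svc = defaultdict(list)
    for r in rows:
        by_svc[r["service"]].append(r)
    report = {}
    for svc, rs in by_svc.items():
        problems = []
        if not any(r["dial"] == "Y" and r["common"] > 0 for r in rs):
            problems.append("no identity can dial over a shared router")
        if not any(r["bind"] == "Y" and r["common"] > 0 for r in rs):
            problems.append("no identity can bind (nothing is hosting it)")
        problems += [f"{r['identity']} shares no router with the service"
                     for r in rs if r["common"] == 0]
        problems += [f"{r['identity']}: advisor status {r['status']}"
                     for r in rs if r["status"] != "OKAY"]
        report[svc] = problems
    return report

if __name__ == "__main__":
    for svc, problems in diagnose(parse(SAMPLE)).items():
        print(svc, "->", problems or "ok")
```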
The reason I used /etc/hosts is that I can't create DNS names in my lab.
In regards to what "worked" or "not" in Debian, it is as follows.
After creating the identities and downloading their jwt to the respective Windows laptops (lapsales for sales1.jwt and itguy.jwt; laprh for rh1.jwt), creating the proper services in ZAC (wwwsales, wwwrh, ftpdebian1, ftpdebian2, sshdebian1 and sshdebian2) I tested from lapsales laptop ...
browse sales.cb.com (no interception for this name). I properly got failure to get the related IP address resolution to reach the page.
Now, I ran your two suggested commands both on my Windows laptop (lapsales) and Debian 1 and got these errors. Maybe they give some light to the problem.
Windows laptop:
PS C:\Users\Nei> ziti edge policy-advisor identities -q
error: error listing https://24.214.87.28:8441/edge/management/v1/identities?filter=true+skip+0+limit+2 in Ziti Edge Controller. Status code: 401 Unauthorized, Server returned: {
"error": {
"code": "UNAUTHORIZED",
"message": "The request could not be completed. The session is not authorized or the credentials are invalid",
"requestId": "wlETGbkQe"
},
"meta": {
"apiEnrollmentVersion": "0.0.1",
"apiVersion": "0.0.1"
}
}
PS C:\Users\Nei>
Debian 1:
nei@ziti:~/.ziti/quickstart/ziti$ ziti edge policy-advisor services wttr.test -q
error: error listing https://24.214.87.28:8441/edge/management/v1/services?filter=id%3D"wttr.test" in Ziti Edge Controller. Status code: 401 Unauthorized, Server returned: {
"error": {
"code": "UNAUTHORIZED",
"message": "The request could not be completed. The session is not authorized or the credentials are invalid",
"requestId": "ZeI5eikDG"
},
"meta": {
"apiEnrollmentVersion": "0.0.1",
"apiVersion": "0.0.1"
}
}
nei@ziti:~/.ziti/quickstart/ziti$
And related to logs, which logs should I look for?